Privacy notice.
This notice explains who CertiFlow is, what personal data we handle, why, on what lawful basis, how long we keep it, and what rights you have. It applies to anyone who visits our website, holds a CertiFlow account, or whose data passes through the platform on behalf of a customer.
Last updated 2026-06-07
01 · Who we are
Direct Consulting Solutions SA.
CertiFlow is operated by Direct Consulting Solutions SA, a company registered in Geneva, Switzerland. We are the data controller for the personal data described in this notice.
For Swiss residents we are governed by the Federal Act on Data Protection (FADP 2023). For residents of the European Economic Area and the United Kingdom we are also governed by the GDPR and UK GDPR respectively. For other jurisdictions, additional local frameworks may apply.
Privacy contact: trust@certiflow.com
02 · What we collect, and from whom
Three audiences, three answers.
| Audience | What we hold |
|---|---|
| Website visitor | Aggregate visit counts via Vercel Web Analytics in privacy mode — no cookies, no IP, no persistent identifier. See the cookies page for the exact data points. |
| Account holder | Email address, password hash (held by Supabase Auth, never by us in plaintext), organisation name and jurisdiction at onboarding, the tier and modules you selected, and the Stripe customer reference once billing is configured. |
| Customer evidence | Encrypted ciphertext only. Under our Zero-Knowledge Encryption design, we do not hold a key that can decrypt customer evidence. We hold metadata (filename, size, upload timestamp, hash chain entry) which the customer knows we hold per the Data Processing Agreement Annex III. |
We do not collect or process special-category data (health, biometric, religious, political-opinion data) at any tier and have no plans to do so.
03 · Why we collect it (lawful basis)
- Contract performance. Account data and customer evidence are processed to deliver the CertiFlow service the customer has signed up for — GDPR Article 6(1)(b).
- Legitimate interest. Aggregate visit analytics, security monitoring, and abuse detection — GDPR Article 6(1)(f). The balancing test sits in our internal data protection record and is available to supervisory authorities on request.
- Legal obligation. Audit-log retention, financial records, sanctions screening — GDPR Article 6(1)(c).
- Consent. We do not currently rely on consent for any processing. If we ever introduce marketing email or optional product analytics that need consent, we will ask explicitly and you will be able to withdraw at any time.
04 · How long we keep it
- Account data. For the lifetime of the account plus 90 days after closure, then deleted from production. Audit-log metadata is retained per the compliance-frame retention period our customer is operating under (typically 7 years for SOC 2 evidence, 6 years for HIPAA).
- Customer evidence ciphertext. Until the customer deletes it through the application, or 30 days after account closure, whichever is sooner. Because evidence is under Zero-Knowledge Encryption, neither we nor a future buyer of our infrastructure can recover plaintext from residual ciphertext.
- Aggregate visitor analytics. 90 days at most. Vercel deletes raw event data on a rolling basis per their analytics policy.
- Billing and financial records. 10 years from the end of the financial year in which the transaction occurred, per Swiss commercial law and EU VAT recordkeeping requirements.
05 · Your rights
Depending on your jurisdiction, you have some or all of the following rights regarding data we hold about you:
- Access — ask what we hold
- Rectification — correct inaccurate data
- Erasure — request deletion (subject to legal-retention overrides)
- Restriction — pause processing pending review
- Portability — receive your data in a machine-readable format
- Objection — oppose processing based on legitimate interest
- Withdraw consent — where consent was relied on
- Lodge a complaint with your local supervisory authority (for Swiss residents: the FDPIC; for EU residents: your member state DPA; for UK residents: the ICO)
To exercise any of these rights, email trust@certiflow.com. We respond within 30 days, usually within five business days.
06 · International transfers
Our primary data residency is the European Union (Supabase Frankfurt). Backup infrastructure and Stripe payment processing transfer some data to the United States. For these transfers we rely on the Standard Contractual Clauses (SCCs) and supplementary measures, including encryption in transit and at rest, plus our Zero-Knowledge Encryption design, which means transferred ciphertext is not legible to the receiving party.
A full list of sub-processors and their jurisdictions is published on the sub-processors page.
07 · Changes to this notice
We update this notice when our processing changes meaningfully. For material changes affecting existing account holders, we send a notification at least 30 days before the change takes effect. Minor edits (clarifications, typo fixes) are reflected here with an updated “Last updated” date.
Privacy contact
Privacy enquiries, data subject requests, and supervisory authority correspondence: trust@certiflow.com.
See also: our Cookies and analytics page, Data Processing Agreement, sub-processors list, and security architecture.