Skip to main content

Privacy Policy — Certified

Last updated: April 1, 2026

1. Introduction

This Privacy Policy explains how the Hypercerts Foundation ("Hypercerts Foundation", "we", "our", or "us") processes personal data in connection with the Certified services.

Certified consists of:

  • certified.app – a web application used to create and manage AT Protocol identities and configure related services
  • certified.one – infrastructure operating AT Protocol Personal Data Servers (PDS)

The Hypercerts Foundation operates these services as identity and data hosting infrastructure for the AT Protocol ecosystem.

This Privacy Policy explains:

  • what personal data we process
  • how we use that data
  • how data is stored and shared
  • your rights under applicable data protection laws

2. Data controller

For the purposes of the EU General Data Protection Regulation (GDPR), the data controller is:

Hypercerts Foundation
1209 Orange St.
Wilmington, DE 19801
United States

Phone: +1 302 658 7581
Contact: legal@hypercerts.org

For data stored on Personal Data Servers, the Hypercerts Foundation acts as an infrastructure provider operating the server environment in which user-controlled data is stored.

EU representative

In accordance with Article 27 of the GDPR, the Hypercerts Foundation has designated the following representative in the European Union:

Holke Brammer
Holzmarktstraße 25
10243 Berlin
Germany

legal@hypercerts.org

3. Personal data we process

The personal data processed by Certified depends on how you use the services.

Account information

When you create or manage an account using certified.app, we may process:

  • email address
  • account identifiers
  • authentication information
  • configuration settings for your AT Protocol identity

Data stored on Personal Data Servers

certified.one operates Personal Data Servers that store records associated with AT Protocol identities.

These records may include:

  • profile information
  • user-generated content
  • references to external resources
  • metadata associated with AT Protocol records

This data is stored at the direction of users and may contain personal data depending on how the user uses the service.

Technical and operational data

To operate the services, we may process:

  • IP addresses
  • system logs
  • device or browser information
  • timestamps of service interactions
  • security and abuse-prevention signals

System logs and security-related operational data may be retained for limited periods necessary to detect abuse, investigate incidents, and maintain service reliability.

4. How we use personal data

We process personal data only where necessary for the operation of the services.

This may include processing necessary to:

  • operate and maintain certified.app and certified.one
  • authenticate users and manage accounts
  • operate AT Protocol Personal Data Servers
  • ensure the stability and security of the infrastructure
  • detect and prevent abuse or malicious activity
  • comply with legal obligations

5. Legal basis for processing

Where the GDPR applies, personal data is processed on the following legal bases:

Contractual necessity

Processing necessary to provide the services requested by the user.

Legitimate interests

Processing necessary to:

  • maintain service security
  • prevent abuse
  • operate and improve infrastructure
  • ensure reliable system performance

Legal obligations

Processing required to comply with applicable laws or regulatory requirements.

Consent

Where applicable, certain processing may be based on your consent. Where consent is the legal basis, you have the right to withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

6. Data storage and infrastructure

The infrastructure supporting certified.one Personal Data Servers is currently hosted on cloud infrastructure located within the European Union.

Operational service providers may process limited data outside the European Union. Where this occurs, appropriate safeguards are implemented in accordance with applicable data protection laws.

7. Federated network architecture

Certified operates within the AT Protocol, a federated network architecture.

When users publish records through their Personal Data Server, those records may be:

  • replicated
  • cached
  • indexed
  • displayed

by independent servers or applications participating in the network.

Once data is shared through the federated network, the Hypercerts Foundation cannot control how third-party services process or store that information. Those services act as independent data controllers for any processing they perform.

8. Data sharing

We do not sell personal data.

Personal data may be shared only in limited circumstances, including:

  • with service providers that support the operation of the services and process data on our behalf, including Vercel Inc. (hosting and anonymous web analytics)
  • with third-party services that users choose to connect to their accounts
  • where required by law or legal process
  • where necessary to protect the security or integrity of the services

9. Cookies and tracking technologies

certified.app uses only cookies that are strictly necessary for the operation of the service, such as session management and authentication.

We do not use advertising cookies, third-party tracking pixels, or analytics cookies that track individual users across websites.

We use Vercel Web Analytics to collect anonymous, aggregated usage data such as page views, referrer information, and general device or browser type. Vercel Web Analytics does not use cookies and does not collect personal data or track individual users. This data is processed by Vercel Inc. (US) under Standard Contractual Clauses (SCCs) as the legal mechanism for international data transfers.

If our use of cookies or analytics changes in the future, we will update this policy and provide appropriate notice and controls.

10. Data retention

We retain personal data only for as long as necessary to operate the services and fulfill legal obligations.

Retention periods may vary depending on the type of data and applicable legal obligations.

To delete your account, contact us at support@hypercerts.org. We will delete account-related data from our infrastructure within a reasonable period, subject to:

  • legal retention requirements
  • system backups
  • technical limitations related to federated data replication

As described above, data previously shared through the AT Protocol network may continue to exist on third-party systems.

11. Security

We implement reasonable technical and organizational measures to protect the security of the services and the data stored on them.

However, no system can guarantee complete security. Users are responsible for protecting their account credentials and cryptographic keys associated with their AT Protocol identities.

12. Children's data

The services are not directed at individuals under the age of 16. The Hypercerts Foundation does not knowingly collect personal data from individuals under 16 years of age, or under the minimum age required to consent to data processing under applicable law in the user's jurisdiction.

If we become aware that personal data has been collected from an individual under the applicable minimum age without appropriate authorization, we will take steps to delete that data.

13. Your rights

Where applicable under data protection laws such as the GDPR, individuals may have the right to:

  • access their personal data
  • request correction of inaccurate data
  • request deletion of personal data
  • restrict or object to certain types of processing
  • request portability of data they have provided
  • withdraw consent, where processing is based on consent

Requests may be submitted to:

legal@hypercerts.org

We will respond to requests within one month, or inform you if an extension is necessary in accordance with applicable law.

14. International users

Certified is operated from infrastructure located primarily within the European Union but may be accessed globally.

If you access the services from outside the European Union, your data may be processed in jurisdictions outside your country of residence, subject to the safeguards described in Section 6.

15. Changes to this policy

We may update this Privacy Policy from time to time.

When changes are material, we will provide notice through certified.app or other appropriate communication channels.

The most recent version of this policy will always be available on the Certified website.

16. Contact

For privacy inquiries, data protection requests, or questions about this policy, contact:

Hypercerts Foundation
1209 Orange St.
Wilmington, DE 19801
United States

Phone: +1 302 658 7581
Email: legal@hypercerts.org