Privacy Policy

Last updated: June 2026

1. Who we are

Certvik is a compliance automation platform operated by Dataspec Patrick Reidin (DSPR), a company registered in Poland (NIP: 5842827033), with registered address at Tadeusza Wendy 8D, 80-299 Gdańsk, Poland (the "Company", "we", "us"). As the data controller under GDPR, we are responsible for your personal data. If you have questions about this policy, contact us at info@dataspec.pl.

2. What data we collect

When you sign in with Microsoft 365, we collect:

  • Your name and email address (from your Microsoft account)
  • Your Microsoft Entra tenant ID (to identify your organisation)
  • Your organisation name (from Microsoft Graph)
  • Security configuration metadata from your Microsoft 365 environment — such as MFA status, Conditional Access policies, device compliance records and audit logs

We do not access your email content, Teams messages, SharePoint files or any personal data belonging to your employees.

3. How we use your data

  • To provide and improve the Certvik service
  • To generate compliance assessments, reports and evidence packs
  • To send service emails (trial expiry reminders, billing notifications, product updates)
  • To comply with legal obligations

We do not sell your data or share it with third parties for marketing purposes.

4. Data storage and security

Your data is stored in the European Union. We use industry-standard encryption in transit (TLS) and at rest. Access to production data is restricted to authorised personnel only.

5. Data retention

We retain your data for as long as your account is active. If you cancel your subscription, your data is retained for 90 days before deletion. You may request earlier deletion by contacting info@dataspec.pl.

6. Your rights

Under GDPR and applicable data protection law, you have the right to access, correct, export or delete your personal data. To exercise any of these rights, contact info@dataspec.pl.

7. Cookies

We use two categories of cookies:

  • Strictly necessary cookies — session cookies required for authentication. These cannot be disabled as they are essential for the service to function.
  • Analytics cookies (optional) — with your consent, we use Google Analytics 4 to understand how visitors use our public website (page views, navigation patterns). This data is aggregated, anonymised (IP anonymisation enabled), and not linked to individual users. These are only set if you click "Accept analytics" on our cookie banner.

You can withdraw analytics consent at any time by clearing your browser cookies or local storage for certvik.com. We do not use advertising, marketing, or tracking cookies.

8. Third-party processors

We use the following sub-processors:

  • Supabase — database and authentication (EU hosting)
  • Stripe — payment processing
  • Resend — transactional email
  • Microsoft Azure — Microsoft 365 integration
  • Google Analytics 4 — website analytics (only with consent; data processed by Google LLC under EU Standard Contractual Clauses)

9. Changes to this policy

We may update this policy from time to time. We will notify you by email of any material changes. Continued use of Certvik after changes take effect constitutes acceptance of the updated policy.