Privacy Policy

Last updated: 2026-04-20

Safecertus Web Solutions ("Safecertus", "we", "our", or "us") operates the Safecertus Identity Provider, the Safecertus administration portal, and this marketing website (collectively, the "Service"). This Privacy Policy describes how we collect, use, disclose, and protect personal information when you or your organization uses the Service.

The Safecertus Authenticator mobile app has a dedicated privacy policy covering mobile-specific data handling.

1. Who is responsible for your data

When Safecertus provides the Identity Provider to an organization ("Customer"), the Customer is the data controller of the end-user identities stored in their tenant. Safecertus acts as a data processor on their behalf.

For personal data we collect directly (e.g., when you submit the contact form on this website), Safecertus is the controller.

2. Information we collect

2.1 Information you provide

  • Account identity. Email, full name, phone (optional), and password (hashed with Argon2 / bcrypt).
  • Tenant information. Organization name, domain, and role assignments created by administrators.
  • Contact form submissions. Name, work email, company, number of users, and the message body you send via the contact form on safecertus.com.
  • MFA enrolment data. Encrypted TOTP seeds and mobile device push tokens submitted during multi-factor authentication setup.

2.2 Information collected automatically

  • Session and authentication logs. Login attempts (success and failure), MFA approvals and rejections, refresh-token issuance, service grants and revocations.
  • Technical metadata. IP address, user-agent string, browser session identifier, and timestamps associated with the events above.
  • Audit trail. Administrative actions (user create / update / deactivate, tenant create / delete, service access grant / revoke) with actor, target, and before/after diff.

2.3 Information from third-party identity providers

If you choose to sign in with Google, Microsoft, or Apple, we receive the profile fields you approve on their consent screen — typically your email address, display name, and a stable provider user ID. We do not receive your third-party password.

3. Information we do not collect

Safecertus does not collect:

  • Precise geolocation (GPS).
  • Contacts, photos, or media from your device.
  • Financial or payment information (billing is handled by our payment processor).
  • Advertising identifiers or cross-app tracking data.
  • Any special-category data (health, biometrics beyond on-device, political opinion, etc.).

We do not sell personal information to third parties, and we do not use your data to train machine-learning models.

4. How we use information

We use collected information to:

  • Authenticate users and issue secure session tokens.
  • Enforce multi-factor authentication and tenant access policies.
  • Detect and prevent unauthorized access, brute-force attempts, and abuse.
  • Maintain audit and compliance records required by our Customers and applicable law.
  • Deliver operational communications (password reset, MFA setup, security alerts).
  • Respond to sales and support inquiries submitted through the contact form.
  • Improve the reliability, performance, and security of the Service.

5. Legal bases for processing (EEA / UK)

If you are located in the European Economic Area or the United Kingdom, we rely on the following legal bases under GDPR Article 6:

  • Contract. Processing necessary to deliver the Service to the Customer or the user.
  • Legitimate interests. Preventing fraud, securing systems, and improving the product.
  • Legal obligation. Compliance with tax, regulatory, and security-audit requirements.
  • Consent. Where explicitly requested (for example, optional marketing communications).

6. Sharing and disclosure

We do not sell personal information. We may share limited data with:

  • Your Customer organization. Tenant administrators see the identities and activity inside their tenant.
  • Sub-processors. Cloud infrastructure (Microsoft Azure), transactional email, and payment providers, each under a data-processing agreement.
  • Legal authorities. When required by law, subpoena, or a valid court order.
  • In a business transfer. If Safecertus is acquired, merged, or reorganized, personal data may transfer subject to the acquirer honoring this policy.

7. Data retention

We retain personal data for as long as the related tenant is active and for a bounded grace period afterward to satisfy audit and legal obligations. Specific retention windows:

  • Active accounts: for the life of the tenant.
  • Deactivated accounts: 180 days, then anonymized or deleted.
  • Authentication logs: 13 months for security analysis, then aggregated.
  • Contact form submissions: 24 months, then deleted.

8. Data security

We apply defence-in-depth controls, including:

  • TLS 1.2+ everywhere. HTTP listeners refused.
  • Passwords hashed with a modern, slow KDF (never plaintext, never reversible).
  • TOTP seeds encrypted at rest in Azure Key Vault.
  • Per-tenant data isolation at the database layer.
  • Short-lived access tokens with rotating refresh tokens bound to the issuing session.
  • Rate limiting and abuse detection on all public endpoints.
  • Full audit logging of administrative and sensitive operations.
  • Regular review of access to production by Safecertus personnel.

No system can guarantee absolute security, but we maintain industry-standard safeguards and disclose breaches to affected Customers and users in accordance with applicable law.

9. International data transfers

Safecertus infrastructure runs primarily in Microsoft Azure regions selected to balance performance and compliance requirements. Where personal data is transferred outside your country of residence, we rely on contractual safeguards (such as the EU Standard Contractual Clauses) and technical measures (encryption in transit and at rest).

10. Your rights

Depending on your jurisdiction, you may have rights to:

  • Access the personal data we hold about you.
  • Request correction or deletion.
  • Restrict or object to certain processing.
  • Receive a portable copy of your data.
  • Withdraw consent where processing relies on consent.
  • Lodge a complaint with your local data-protection authority.

If your account is managed by a Customer organization, requests are generally handled through that organization's administrator. You may also contact us directly at privacy@safecertus.com.

11. Cookies and tracking

The Safecertus portal uses strictly-necessary cookies to maintain authenticated sessions (sc_session_id) and issue refresh tokens (refreshToken). These cookies are HttpOnly, Secure, and scoped to safecertus.com.

The marketing website (safecertus.com) does not set tracking or advertising cookies and does not embed third-party analytics that identify you across sites. Static requests to our infrastructure may be logged for abuse prevention.

12. Children's privacy

The Service is intended for business use. It is not directed at children under 16 (or the equivalent minimum age in your jurisdiction) and we do not knowingly collect personal data from children.

13. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be announced through the Service or by email to tenant administrators. The "Last updated" date at the top of this page always reflects the current version. Continued use of the Service after changes constitutes acceptance of the updated policy.

14. Contact

Privacy questions, data-subject requests, and notice of security concerns: