Privacy Policy
Last updated March 22, 2026
This Privacy Policy describes how Fidensa LLC ("Fidensa," "we," "us," or "our") collects, uses, stores, and protects information when you use our website at fidensa.com ("Website"), our API, and related services (collectively, the "Services").
By using the Services, you agree to the collection and use of information in accordance with this policy.
1. Information We Collect
1.1 Information You Provide
API Registration. If you register for an API key, we collect your email address and display name or organization name.
Consumer Identity Registration. If you register a consumer identity to submit experience reports, we collect your display name, contact email address, and public key (ECDSA P-256) associated with your consumer identity. We do not retain your private key — it is generated, returned to you at registration, and immediately discarded on our end.
Experience Reports. When you submit experience reports for certified capabilities, we collect the report content, including capability identifier, outcome, environment details, and any optional details you provide. Reports are cryptographically signed with your consumer identity key.
Dispute Submissions. If you submit a dispute regarding a certification, we collect the dispute content, supporting evidence, and contact information.
1.2 Information Collected Automatically
Server Logs. Our hosting provider (Vercel) automatically collects standard server log data when you access the Website or API, which may include your IP address, browser type, referring URL, pages visited, and timestamps. These logs are managed by Vercel under their privacy policy.
Analytics. We may use privacy-focused analytics tools to understand how the Services are used. If analytics are active, we will update this section to identify the specific tool and what data it collects. Analytics data is used solely to improve the Services and is not sold or shared with third parties for advertising purposes.
API Usage Data. When you access the API, we log request metadata (endpoint, timestamp, API key identifier if authenticated, response status) for rate limiting, abuse prevention, and service improvement. We do not log the content of API responses.
1.3 Information We Do Not Collect
We do not collect payment information directly. We do not use advertising cookies or tracking pixels. We do not collect biometric data, precise geolocation, or device identifiers beyond what is included in standard server logs.
2. How We Use Information
- Providing the Services. Processing API requests, authenticating consumer identities, verifying report signatures, computing certification scores.
- Service Integrity. Detecting and preventing abuse, fraud, and manipulation of certification scores. Enforcing rate limits.
- Communication. Contacting you regarding your consumer identity, dispute resolutions, or material changes to the Services.
- Service Improvement. Understanding usage patterns to improve the Services, fix bugs, and plan new features.
- Legal Compliance. Complying with applicable laws, regulations, legal processes, or governmental requests.
3. How We Store and Protect Information
3.1 Storage
Service data (API keys, consumer identities, experience reports, certification data) is stored in Supabase (PostgreSQL) hosted in the United States. Supabase provides encryption at rest and in transit. Cryptographic signing keys used for certification artifacts are managed through AWS Key Management Service (KMS).
3.2 Security Measures
We implement reasonable security measures including encryption in transit (TLS) for all communications, encryption at rest for stored data, row-level security (RLS) policies in our database, and access controls limiting who can access production data. No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
3.3 Retention
API keys and consumer identities are retained for as long as your account is active, plus a reasonable period afterward for audit purposes. Experience reports are retained indefinitely as part of the certification record. Server logs are retained according to our hosting provider's retention policy (typically 30 days). Dispute records are retained indefinitely as part of the certification history.
4. How We Share Information
We do not sell your personal information.
We may share aggregated, anonymized data that cannot reasonably identify you. We use third-party service providers (Vercel for hosting, Supabase for database, AWS for key management) who access your information only as necessary to perform services on our behalf. We may disclose information if required by law or if necessary to protect the rights, property, or safety of Fidensa, our users, or the public. If Fidensa is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction with prior notice.
5. Cookies and Tracking
As of the effective date of this policy, the Website does not set any first-party cookies. We do not use advertising trackers, retargeting pixels, or cross-site tracking mechanisms.
If we implement analytics, we will update this section to describe what cookies or identifiers are used, what data is collected, and how to opt out. Any analytics implementation will not involve selling data to third parties or serving advertisements.
If we introduce user accounts or session-based features in the future, we may use essential cookies necessary for the functioning of the Services. These will be described in an update to this section.
6. Your Rights
Depending on your jurisdiction, you may have the right to access, correct, delete, or obtain a portable copy of your personal information, or to object to certain processing. To exercise any of these rights, contact us at privacy@fidensa.com. We will respond within a reasonable timeframe.
7. Children's Privacy
The Services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected such information, we will take steps to delete it.
8. International Users
The Services are operated from the United States. If you access the Services from outside the United States, your information will be transferred to and processed in the United States. By using the Services, you consent to this transfer and processing.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last Updated" date at the top of this page. Your continued use of the Services after any changes constitutes your acceptance of the updated policy.
10. Contact
For questions about this Privacy Policy or to exercise your privacy rights, contact: privacy@fidensa.com
This Privacy Policy is interim and has not been reviewed by legal counsel. Professional legal review is planned as the business matures.