Effective date: 10 October 2025
TL;DR (≈1 minute)
CloudTeam sp. z o.o. (“CloudTeam”, “we”) operates Credentium, a platform for designing, issuing, storing and verifying digital micro‑credentials compliant with EDC and eIDAS (each credential is sealed with a qualified electronic seal). Credentium includes: Issuer (for organizations to issue credentials), Wallet (for recipients to store/share), and a browser‑based Validator (to check sealed PDFs). We host in EU Microsoft Azure regions and use Auth0 (EU) for authentication. We don’t use ad tech and we do not set analytics cookies. Today we use only essential cookies plus a language‑preference cookie. PDF files uploaded to the Validator are automatically deleted after ~24 hours. We do not sell or share personal information for cross‑context behavioral advertising.
Controller: CloudTeam spółka z ograniczoną odpowiedzialnością
Address: Plac Konesera 9, 03‑736 Warszawa, Poland
KRS: 0000276018 (registry court: Sąd Rejonowy dla m. st. Warszawy w Warszawie, XIV Wydział Gospodarczy KRS)
NIP: 5252388265
Share capital: 854,000.00 PLN
DPO: No Data Protection Officer appointed.
Privacy email: privacy@cloudteam.pl
CloudTeam is established in Poland (EU) and acts as controller for the Credentium platform as described below. In some product areas (especially the Issuer app), we also act as a processor for organizational customers—see Scope and Sharing.
Representative outside the EU/UK: Not applicable.
Services covered:
Issuer app (issuer.credentium.com) for designing and issuing credentials (B2B).
Wallet app (wallet.credentium.com) for recipients to store and share credentials.
PDF Validator (validate.credentium.com) for authenticity checks of sealed PDFs.
Who this applies to:
Issuer users/admins (your organization’s staff using the Issuer portal).
Credential recipients (individuals who receive a credential and optionally use the Wallet).
Viewers/verifiers who open a public link or upload a PDF to validate authenticity.
Website visitors to our product sites.
This Policy does not cover job applicants (no recruiting is run through this service).
Our roles:
For Issuer workspace data (recipients’ info uploaded by an Issuer), the Issuer is the controller and CloudTeam is the processor under a Data Processing Agreement (DPA).
For the Wallet, Validator, authentication, security, support, and our own websites, CloudTeam is the controller.
Additional note on scope (minors & consent): Some Issuers may award credentials to individuals under 18. For Issuer‑uploaded recipient data, the Issuer is the controller (CloudTeam acts as processor under the DPA). For any Wallet features that rely on consent, users under 16 must provide verifiable parental/guardian consent under Polish law.
Personal Data: any information that identifies or can reasonably identify a person (e.g., name, email, credential details).
Controller: decides why and how personal data is processed.
Processor: processes personal data for a controller under instructions.
EDC (European Digital Credentials for Learning): an EU data format for credentials that improves interoperability and verification.
eIDAS & qualified electronic seal: EU rules and trust services; each credential we issue is sealed for integrity and legal recognizability.
Cookies/Local storage/Session storage: small files or browser storage used to operate the site, remember preferences or (if enabled) analyze usage.
At a glance: We collect account and credential data, security/usage logs, and limited preferences. We do not use ad tech. We currently set essential cookies and one functional cookie (language).
A. Account & profile data (Issuer & Wallet)
Name, email, organization, role; login identifiers handled via Auth0 (EU).
Source: you or your organization (Issuer), and Auth0 during sign‑in.
B. Credential issuance data (EDC metadata)
Recipient details added by Issuers (e.g., name, course/skill, dates, results), plus metadata needed for EDC and the qualified e‑seal.
Source: Issuer uploads (CSV/API/Moodle), or manual entry.
C. Wallet data & sharing settings
Stored credentials; visibility/public‑link settings; UI preference to hide revoked credentials (browser localStorage).
D. Validator data
PDF you upload for verification and technical results of signature/chain checks; PDFs are auto‑deleted after ~24h.
E. Device & usage data
IP address, device/browser type, security and operational logs, basic event telemetry. We do not set analytics or advertising cookies.
F. Support & communications
Content of requests, attachments, and contact details you provide.
G. Billing & payments
We do not run online payments. For B2B sales, we process business contact and invoice data exchanged via contract and invoicing.
H. Sources at a glance: you; your organization (Issuer); your device/browser; Auth0; and, when you use Validator, the file you upload.
Special categories: We do not seek special categories of data under Art. 9 GDPR. Issuers must not upload such data unless strictly necessary for their purpose and supported by a valid legal basis and notice to recipients.
| Purpose | Examples | Legal basis (GDPR) | Legitimate interests (if used) |
|---|---|---|---|
| Provide and operate services (Issuer, Wallet, Validator) | Account creation, credential generation (with qualified e‑seal), Wallet storage/sharing, Validator checks | Contract (Art. 6(1)(b)) or Legitimate interests for visitors | Deliver the service you request; interoperable credentials (EDC). |
| Authentication & account management | Auth0 sign‑in, sessions, role management | Contract; Legitimate interests (Art. 6(1)(f)) | Keep accounts working and secure. |
| Security & fraud prevention | CSRF/antiforgery tokens, abuse detection, incident response | Legitimate interests; Legal obligation | Protect users and infrastructure; prevent misuse. |
| Integrations & automation | CSV/API, Moodle flows, webhooks | Contract; Legitimate interests | Interoperability and automation at your request. |
| Support & communications | Respond to tickets, service updates | Contract; Legitimate interests | Provide help and keep you informed of product changes. |
| Compliance & legal | Tax, audits, defense of claims | Legal obligation; Legitimate interests | Meet legal duties; defend/establish claims. |
Legitimate‑interest balance (summary): we process only what’s necessary, apply security controls, and offer easy opt‑outs where appropriate. We don’t use your data for unrelated purposes.
Providing account identifiers (name, email) is necessary to create an account and deliver the service. If you do not provide required data, we cannot create your account or issue/store credentials. Providing support data is optional, but we may be unable to resolve your request without it.
Credentium is not directed to children. In Poland, a child under 16 cannot lawfully consent to information‑society services; if we need consent for a feature, we require parental/guardian consent for users under 16. If you believe we processed a child’s data without proper consent, contact us and we’ll take appropriate steps.
We do not make decisions that produce legal or similarly significant effects solely by automated means. We run automated checks (e.g., cryptographic validation, anti‑abuse). Security/anti‑abuse checks evaluate technical signals (e.g., rate limits, signature integrity). These do not by themselves determine legal effects; you may request human review of any outcome that affects you.
We share data only as needed:
Processors (service providers)
Hosting & infrastructure (EU data centers).
Identity & authentication (OIDC/SSO).
Qualified Trust Service Provider (QTSP) for the qualified e‑seal.
Email/support/CRM/billing tools used for B2B contracting and support.
Other recipients
Professional advisors (legal, accounting), auditors.
Public authorities when required by law or to protect rights.
Issuer relationship
For Issuer workspaces, we process recipients’ data under the Issuer’s instructions (our DPA applies).
No advertising networks and no social tracking pixels.
Processors listing: We maintain an up‑to‑date list of our sub‑processors (name, purpose, location) here: https://legal.cloudteam.global/credentium/sub-processors. You can also contact privacy@cloudteam.pl to obtain the current list or a link to the live page.
We primarily host and process in the EU/EEA. Some providers are global companies; support or maintenance access may occasionally involve restricted transfers outside the EEA.
Vendors owned outside the EEA. Where vendors are EU‑hosted but owned by non‑EEA groups (e.g., Auth0/Okta), restricted remote access may occur for support. We implement Standard Contractual Clauses (SCCs), conduct Transfer Impact Assessments, and apply supplementary measures. Details are available on request.
Safeguards:
Where required, we use European Commission SCCs (2021/914) and perform Transfer Impact Assessments.
We may rely on adequacy decisions where available.
You can request a copy of relevant safeguards via privacy@cloudteam.pl.
We keep personal data only as long as needed for the purpose collected, then delete or anonymize it.
| Data category | Typical retention |
|---|---|
| Account data (Issuer & Wallet) | For the life of the account + 24 months for recordkeeping/claims. |
| Credential issuance records (EDC metadata & sealed PDFs) | While the credential is valid or until the Issuer revokes/deletes it; supporting logs kept 24 months. |
| Validator uploads (PDFs) | Auto‑deleted ~24 hours after upload. |
| Security/operational logs | 12 months depending on system. |
| Support files & tickets | 24 months after closure unless law requires longer. |
| Billing & invoices (B2B) | As required by tax/accounting law (typically 5 years from the end of the fiscal year). |
We use technical and organizational measures including:
Encryption in transit and at rest, strict HTTPS and HSTS; cookies use Secure/SameSite/HttpOnly where appropriate.
Access controls & RBAC, least‑privilege, multi‑tenant isolation.
Logging & monitoring; serverless/queue‑based processing for scale & resilience.
Privacy by design practices; the PDF Validator automatically deletes files after ~24h.
No system is 100% secure, but we work to prevent, detect and respond to incidents. If we reasonably believe your data was affected by a breach, we’ll notify you and regulators as required. If a personal data breach occurs, we will notify UODO within 72 hours where required and inform affected individuals when legally mandated.
If you’re in the EU/EEA or UK, you can: access, rectify, erase, restrict, object, port your data, and withdraw consent at any time (without affecting past lawful processing). We’ll respond within one month (extendable by two months for complex requests).
How to exercise:
Email us at privacy@cloudteam.pl.
For Issuer‑controlled data, we’ll notify the Issuer (controller) and assist them.
We may ask you to verify your identity and clarify scope.
Right to object (Art. 21): You may object to processing based on legitimate interests. If you object, we will stop unless we demonstrate compelling legitimate grounds overriding your interests, rights and freedoms, or the processing is needed for legal claims.
Complain to the Polish authority (UODO):
Prezes Urzędu Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00‑193 Warszawa, Poland.
You may also complain to your local authority.
Accessibility: Need this Policy in another format (large print, plain text)? Contact us and we’ll help.
We do not run ads or behavioral targeting. If you opt in to receive product news, you can unsubscribe anytime (email footer or by contacting us). We don’t send marketing without a lawful basis (usually consent).
What we use today: Credentium sets only strictly necessary cookies (authentication, security, framework) and one functional cookie for language preference. We do not set analytics or advertising cookies. We also use limited localStorage and sessionStorage for UI preferences. The language‑preference cookie is used solely to provide the preference you chose and does not track you across sites.
Consent management:
Because we currently use only essential cookies (and a language‑preference cookie), we do not show a banner.
You can manage cookies via your browser controls.
We respect Global Privacy Control (GPC) signals; we do not set non‑essential cookies.
| Name | Provider | Purpose | Category | Duration | Type |
|---|---|---|---|---|---|
| | Credentium / ASP.NET Core | Authenticated session after Auth0 login | Strictly necessary | Session | 1P |
| | Credentium / Auth0 | Nonce to secure OIDC flow (anti‑replay) | Strictly necessary | Minutes | 1P |
| | Credentium / Auth0 | Correlation cookie for OIDC state | Strictly necessary | Minutes | 1P |
| | ASP.NET Core | CSRF protection | Strictly necessary | Session | 1P |
| | Blazor Server | Real‑time connection state | Strictly necessary | Session | 1P |
| | Credentium | Language preference (e.g., | Functional | 1 year | 1P |
Third‑party cookies during login (on Auth0’s domain): auth0, auth0_compat, did, did_compat—essential for authentication and governed by Auth0’s policy.
| Storage key | Where | Purpose | Category | Duration |
|---|---|---|---|---|
| | Wallet | Remember “hide revoked” UI preference | Functional | Until cleared |
| | Issuer & Wallet | Persist toast notifications within a session | Functional | Until tab closes |
Browser controls: You can delete cookies and site data via your browser settings. Blocking essential cookies will break sign‑in and core features.
No. We do not sell personal information and do not “share” it for cross‑context behavioral advertising (as defined by certain US state laws). We also do not use social media tracking pixels.
The terms “controller/processor/personal data” have the same meaning under UK GDPR.
Your rights mirror the EU list above.
You can complain to the Information Commissioner’s Office (ICO) in the UK.
No UK representative is appointed at this time.
Our platform may reference or link to third‑party services (e.g., Moodle integrations, LinkedIn sharing of badges, Auth0 login page). Those services are separate controllers with their own privacy terms. When you click or use them, their policies apply. We do not load social tracking pixels.
We update this Policy when our services or legal requirements change and will indicate the “Last updated” date above. We keep a version history and make prior versions available on request.
Email: privacy@cloudteam.pl
Postal mail: CloudTeam sp. z o.o., Plac Konesera 9, 03‑736 Warszawa, Poland
b0b94cb3aa4a29b5979e83ee8548ab5b66f6d0df8d58fd372f4f37ee88b4db28
Download the raw content and verify: sha256sum filename.html
(The downloaded file contains the exact content used for hash calculation)