Legal Docs Hub

Credentium Privacy Policy (EU Controller – Poland)

Effective date: 8 July 2026 (version 2.0; original publication 10 October 2025)

TL;DR (≈1 minute)
CloudTeam sp. z o.o. (“CloudTeam”, “we”) operates Credentium, a platform for designing, issuing, storing and verifying digital micro‑credentials compliant with EDC and eIDAS (each credential is sealed with a qualified electronic seal). Credentium includes: Issuer (for organizations to issue credentials), Wallet (for recipients to store/share), and a browser‑based Validator (to check sealed PDFs). We host in EU Microsoft Azure regions and use Amazon Cognito (AWS, EU region — Frankfurt) for authentication (a legacy Auth0 (EU) sign‑in path remains only during the ongoing migration). We don’t use ad tech and we do not set analytics cookies. Today we use only essential cookies plus a language‑preference cookie. PDF files uploaded to the Validator are automatically deleted after ~24 hours. We do not sell or share personal information for cross‑context behavioral advertising.


Table of Contents

1) Who we are (Controller)

Controller: CloudTeam spółka z ograniczoną odpowiedzialnością
Address: Plac Konesera 9, 03‑736 Warszawa, Poland
KRS: 0000276018 (registry court: Sąd Rejonowy dla m. st. Warszawy w Warszawie, XIV Wydział Gospodarczy KRS)
NIP: 5252388265
Share capital: 854,000.00 PLN
DPO: No Data Protection Officer appointed.
Privacy email: privacy@cloudteam.pl

CloudTeam is established in Poland (EU) and acts as controller for the Credentium platform as described below. In some product areas (especially the Issuer app), we also act as a processor for organizational customers—see Scope and Sharing.

Representative outside the EU/UK: Not applicable.


2) Scope & applicability

Services covered:

  • Issuer app (issuer.credentium.com) for designing and issuing credentials (B2B).

  • Wallet app (wallet.credentium.com) for recipients to store and share credentials.

  • PDF Validator (validate.credentium.com) for authenticity checks of sealed PDFs.

Who this applies to:

  • Issuer users/admins (your organization’s staff using the Issuer portal).

  • Credential recipients (individuals who receive a credential and optionally use the Wallet).

  • Viewers/verifiers who open a public link or upload a PDF to validate authenticity.

  • Website visitors to our product sites.

  • This Policy does not cover job applicants (no recruiting is run through this service).

Our roles:

  • For Issuer workspace data (recipients’ info uploaded by an Issuer), the Issuer is the controller and CloudTeam is the processor under a Data Processing Agreement (DPA).

  • For the Wallet, Validator, authentication, security, support, and our own websites, CloudTeam is the controller.

Additional note on scope (minors & consent): Some Issuers may award credentials to individuals under 18. For Issuer‑uploaded recipient data, the Issuer is the controller (CloudTeam acts as processor under the DPA). For any Wallet features that rely on consent, users under 16 must provide verifiable parental/guardian consent under Polish law.


3) Plain definitions

  • Personal Data: any information that identifies or can reasonably identify a person (e.g., name, email, credential details).

  • Controller: decides why and how personal data is processed.

  • Processor: processes personal data for a controller under instructions.

  • EDC (European Digital Credentials for Learning): an EU data format for credentials that improves interoperability and verification.

  • eIDAS & qualified electronic seal: EU rules and trust services; each credential we issue is sealed for integrity and legal recognizability.

  • Cookies/Local storage/Session storage: small files or browser storage used to operate the site, remember preferences or (if enabled) analyze usage.


4) Data we collect & sources

At a glance: We collect account and credential data, security/usage logs, and limited preferences. We do not use ad tech. We currently set essential cookies and one functional cookie (language).

A. Account & profile data (Issuer & Wallet)

  • Name, email, organization, role; login identifiers handled via Amazon Cognito (EU) (legacy Auth0 (EU) during the ongoing migration).

  • Source: you or your organization (Issuer), and the identity provider during sign‑in.

B. Credential issuance data (EDC metadata)

  • Recipient details added by Issuers (e.g., name, course/skill, dates, results), plus metadata needed for EDC and the qualified e‑seal.

  • Source: Issuer uploads (CSV/API/Moodle), or manual entry.

C. Wallet data & sharing settings

  • Stored credentials; visibility/public‑link settings; UI preference to hide revoked credentials (browser localStorage).

D. Validator data

  • PDF you upload for verification and technical results of signature/chain checks; PDFs are auto‑deleted after ~24h.

E. Device & usage data

  • IP address, device/browser type, security and operational logs, basic event telemetry. We do not set analytics or advertising cookies.

F. Support & communications

  • Content of requests, attachments, and contact details you provide.

G. Billing & payments

  • We do not run online payments. For B2B sales, we process business contact and invoice data exchanged via contract and invoicing.

H. Sources at a glance: you; your organization (Issuer); your device/browser; our identity provider (Amazon Cognito; legacy Auth0); and, when you use Validator, the file you upload.

Special categories: We do not seek special categories of data under Art. 9 GDPR. Issuers must not upload such data unless strictly necessary for their purpose and supported by a valid legal basis and notice to recipients.


Purpose Examples Legal basis (GDPR) Legitimate interests (if used)
Provide and operate services (Issuer, Wallet, Validator) Account creation, credential generation (with qualified e‑seal), Wallet storage/sharing, Validator checks Contract (Art. 6(1)(b)) or Legitimate interests for visitors Deliver the service you request; interoperable credentials (EDC).
Authentication & account management Sign‑in via Amazon Cognito (legacy Auth0 during migration), sessions, role management Contract; Legitimate interests (Art. 6(1)(f)) Keep accounts working and secure.
Security & fraud prevention CSRF/antiforgery tokens, abuse detection, incident response Legitimate interests; Legal obligation Protect users and infrastructure; prevent misuse.
Integrations & automation CSV/API, Moodle flows, webhooks Contract; Legitimate interests Interoperability and automation at your request.
Support & communications Respond to tickets, service updates Contract; Legitimate interests Provide help and keep you informed of product changes.
Compliance & legal Tax, audits, defense of claims Legal obligation; Legitimate interests Meet legal duties; defend/establish claims.

Legitimate‑interest balance (summary): we process only what’s necessary, apply security controls, and offer easy opt‑outs where appropriate. We don’t use your data for unrelated purposes.

Is providing data required? Consequences (Art. 13(2)(e))

Providing account identifiers (name, email) is necessary to create an account and deliver the service. If you do not provide required data, we cannot create your account or issue/store credentials. Providing support data is optional, but we may be unable to resolve your request without it.


6) Children’s data

Credentium is not directed to children. In Poland, a child under 16 cannot lawfully consent to information‑society services; if we need consent for a feature, we require parental/guardian consent for users under 16. If you believe we processed a child’s data without proper consent, contact us and we’ll take appropriate steps.


7) Automated decision-making & profiling

We do not make decisions that produce legal or similarly significant effects solely by automated means. We run automated checks (e.g., cryptographic validation, anti‑abuse). Security/anti‑abuse checks evaluate technical signals (e.g., rate limits, signature integrity). These do not by themselves determine legal effects; you may request human review of any outcome that affects you.


8) Sharing & recipients

We share data only as needed:

Processors (service providers)

  • Hosting & infrastructure (EU data centers).

  • Identity & authentication (Amazon Cognito; legacy Auth0 during the ongoing migration).

  • Qualified Trust Service Provider (QTSP) for the qualified e‑seal and time‑stamping.

  • Email delivery (Amazon SES, EU region) and support/CRM/billing tools used for B2B contracting and support.

  • Error monitoring (EU data residency; configured not to send personal data).

Other recipients

  • Professional advisors (legal, accounting), auditors.

  • Public authorities when required by law or to protect rights.

Issuer relationship

  • For Issuer workspaces, we process recipients’ data under the Issuer’s instructions (our DPA applies).

No advertising networks and no social tracking pixels.

Processors listing: We maintain an up‑to‑date list of our sub‑processors (name, purpose, location) here: https://legal.cloudteam.global/credentium/sub-processors. You can also contact privacy@cloudteam.pl to obtain the current list or a link to the live page.


9) International transfers

We primarily host and process in the EU/EEA. Some providers are global companies; support or maintenance access may occasionally involve restricted transfers outside the EEA.

Vendors owned outside the EEA. Where vendors are EU‑hosted but owned by non‑EEA groups (e.g., Amazon Web Services, Auth0/Okta, Sentry), restricted remote access may occur for support. We implement Standard Contractual Clauses (SCCs), conduct Transfer Impact Assessments, and apply supplementary measures. Details are available on request.

Safeguards:

  • Where required, we use European Commission SCCs (2021/914) and perform Transfer Impact Assessments.

  • We may rely on adequacy decisions where available.

  • You can request a copy of relevant safeguards via privacy@cloudteam.pl.


10) Retention

We keep personal data only as long as needed for the purpose collected, then delete or anonymize it.

Data category Typical retention
Account data (Issuer & Wallet) For the life of the account + 24 months for recordkeeping/claims.
Credential issuance records (EDC metadata & sealed PDFs) While the credential is valid or until the Issuer revokes/deletes it; supporting logs kept 24 months.
Validator uploads (PDFs) Auto‑deleted ~24 hours after upload.
Unprocessed (stale) issuance requests Automatically removed after 30 days by a scheduled cleanup job (with an audit trail).
Security/operational logs 12 months depending on system.
Support files & tickets 24 months after closure unless law requires longer.
Billing & invoices (B2B) As required by tax/accounting law (typically 5 years from the end of the fiscal year).

11) Security

We use technical and organizational measures including:

  • Encryption in transit and at rest, strict HTTPS and HSTS; cookies use Secure/SameSite/HttpOnly where appropriate.

  • Access controls & RBAC, least‑privilege, multi‑tenant isolation; API keys are stored only in salted, hashed form.

  • Logging & monitoring; serverless processing with durable, queue‑decoupled workflows for scale & resilience.

  • Privacy by design practices; the PDF Validator automatically deletes files after ~24h.

No system is 100% secure, but we work to prevent, detect and respond to incidents. If we reasonably believe your data was affected by a breach, we’ll notify you and regulators as required. If a personal data breach occurs, we will notify UODO within 72 hours where required and inform affected individuals when legally mandated.


12) Your privacy rights & how to use them

If you’re in the EU/EEA or UK, you can: access, rectify, erase, restrict, object, port your data, and withdraw consent at any time (without affecting past lawful processing). We’ll respond within one month (extendable by two months for complex requests).

How to exercise:

  • Email us at privacy@cloudteam.pl.

  • For Issuer‑controlled data, we’ll notify the Issuer (controller) and assist them.

  • We may ask you to verify your identity and clarify scope.

Right to object (Art. 21): You may object to processing based on legitimate interests. If you object, we will stop unless we demonstrate compelling legitimate grounds overriding your interests, rights and freedoms, or the processing is needed for legal claims.

Complain to the Polish authority (UODO):

  • Prezes Urzędu Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00‑193 Warszawa, Poland.

  • You may also complain to your local authority.

Accessibility: Need this Policy in another format (large print, plain text)? Contact us and we’ll help.


13) Marketing choices

We do not run ads or behavioral targeting. If you opt in to receive product news, you can unsubscribe anytime (email footer or by contacting us). We don’t send marketing without a lawful basis (usually consent).


14) Cookies & similar technologies

What we use today: Credentium sets only strictly necessary cookies (authentication, security, framework) and one functional cookie for language preference. We do not set analytics or advertising cookies. We also use limited localStorage and sessionStorage for UI preferences. The language‑preference cookie is used solely to provide the preference you chose and does not track you across sites.

Consent management:

  • Because we currently use only essential cookies (and a language‑preference cookie), we do not show a banner.

  • You can manage cookies via your browser controls.

  • We respect Global Privacy Control (GPC) signals; we do not set non‑essential cookies.

Name Provider Purpose Category Duration Type
.AspNetCore.Cookies Credentium / ASP.NET Core Authenticated session after sign‑in (expires after at most 12 h) Strictly necessary Session 1P
.AspNetCore.OpenIdConnect.Nonce.* Credentium / Auth0 Nonce to secure OIDC flow (anti‑replay) — legacy Auth0 sign‑in only Strictly necessary Minutes 1P
.AspNetCore.Correlation.OpenIdConnect.* Credentium / Auth0 Correlation cookie for OIDC state — legacy Auth0 sign‑in only Strictly necessary Minutes 1P
.AspNetCore.Session Credentium (Wallet) Session state (30‑minute idle timeout) Strictly necessary Session 1P
.AspNetCore.Antiforgery.* ASP.NET Core CSRF protection Strictly necessary Session 1P
.AspNetCore.Blazor.Server.CircuitHost.* Blazor Server Real‑time connection state Strictly necessary Session 1P
.AspNetCore.Culture Credentium Language preference (e.g., pl/en) Functional 1 year 1P

Third‑party cookies during login: Sign‑in via Amazon Cognito happens on our own pages and does not set third‑party cookies. Only on the legacy Auth0 sign‑in path (being decommissioned), cookies are set on Auth0’s domain: auth0, auth0_compat, did, did_compat—essential for authentication and governed by Auth0’s policy.

Other browser storage

Storage key Where Purpose Category Duration
hideRevokedCredentials (localStorage) Wallet Remember “hide revoked” UI preference Functional Until cleared
toasts (sessionStorage) Issuer & Wallet Persist toast notifications within a session Functional Until tab closes

Browser controls: You can delete cookies and site data via your browser settings. Blocking essential cookies will break sign‑in and core features.


15) Do we sell or share personal information?

No. We do not sell personal information and do not “share” it for cross‑context behavioral advertising (as defined by certain US state laws). We also do not use social media tracking pixels.


16) Jurisdiction‑specific addenda

A. UK GDPR (if you are in the UK)

  • The terms “controller/processor/personal data” have the same meaning under UK GDPR.

  • Your rights mirror the EU list above.

  • You can complain to the Information Commissioner’s Office (ICO) in the UK.

  • No UK representative is appointed at this time.


Our platform may reference or link to third‑party services (e.g., Moodle integrations, LinkedIn sharing of badges, the legacy Auth0 login page during migration). Those services are separate controllers with their own privacy terms. When you click or use them, their policies apply. We do not load social tracking pixels.


18) Changes to this Policy

We update this Policy when our services or legal requirements change and will indicate the “Last updated” date above. We keep a version history and make prior versions available on request.


19) Contact us & accessibility

  • Email: privacy@cloudteam.pl

  • Postal mail: CloudTeam sp. z o.o., Plac Konesera 9, 03‑736 Warszawa, Poland

Accessibility: Need this Policy in another format (large print, plain text)? Contact us and we’ll help.

Document Hash (SHA-256):
5c2f6e0f5b71ae4bde6a2e451400350be21dc299dd8b28c76abab8be65a3e85d

Download the raw content and verify: sha256sum filename.html
(The downloaded file contains the exact content used for hash calculation)