
Privacy Policy

As of: 2026-05-27

1. Data Controller

The controller responsible for data processing on this website in accordance with the GDPR is:

Threat-Informed Cybersecurity Solutions GmbH
Ober-Saulheimer Str. 15
55291 Saulheim
Germany

Register court: Amtsgericht Mainz, HRB 53346
VAT ID: DE 450829291

Email: kontakt@certmap.de

CertMap is operated commercially. A data protection officer has not been appointed as the legal requirements for a mandatory appointment are not met.

2. Website Provision and Hosting

When accessing CertMap, technical access data is automatically collected in server log files.

Hosting Provider

Hetzner Online GmbH, Germany. Processing takes place exclusively in German data centres based on a data processing agreement (Art. 28 GDPR).

Data Categories

IP address, date and time, requested URL, referrer URL, and user agent.

Purpose and Legal Basis

Secure operation and IT security pursuant to Art. 6(1)(f) GDPR.

Retention

Server log files are automatically deleted after 7 days.

IP Anonymisation

Within the application, IP addresses are only processed as a SHA-256 hash, truncated to 12 hex characters, for abuse prevention (rate limiting). Re-identification is therefore practically excluded.

Reach Measurement via Plausible Analytics

For general reach measurement and statistical evaluation we use Plausible Analytics, operated by Plausible Insights OÜ, Västra 24, 10141 Tallinn, Estonia.

Plausible is cookieless and does not perform device fingerprinting. Only aggregated, non-personal data is collected: page accessed, referrer, device category (desktop/mobile), browser and OS major version, and country of origin. Identification of individual users with this data is not possible.

Processing takes place exclusively within the EU. The IP address is briefly used to compute a daily-rotating, hashed visitor identifier and is not stored.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in reach measurement). As no personal identifiers are stored on or read from the end device, no consent under Sec. 25 TDDDG is required.

Plausible privacy policy: https://plausible.io/privacy

3. Local Storage (Cookies and Browser Storage)

We do not use tracking cookies. We only use technically necessary local storage areas of your browser in accordance with Sec. 25(2) No. 2 TDDDG.

Overview of cookies and storage entries

| Name | Type | Purpose | Lifetime | When set |
| --- | --- | --- | --- | --- |
| __Secure-certmap.session_token (production) or certmap.session_token (development) | HTTP cookie (HttpOnly, Secure, SameSite=Lax, Path=/) | Authenticated login session | Up to 14 days, sliding refresh hourly on activity | After successful sign-in |
| certmap-theme | LocalStorage | Theme preference (light/dark/system) | Until browser storage is cleared or overwritten | When you actively click the theme switcher |
| certmap-consent-llm | LocalStorage | Consent for optional AI analysis of job postings | Until browser storage is cleared or you revoke in settings | When you actively confirm the consent |
| Tool state (career-path selection, pendingSave) | SessionStorage | Temporary state across page navigations | Until the browser tab is closed | While using the interactive tools |

We do not set tracking, advertising or third-party cookies. Plausible (analytics) operates without cookies, see Section 2.

Legal basis for all of the above: Sec. 25(2) No. 2 TDDDG (strictly necessary for a user-requested function) together with Art. 6(1)(b) GDPR (performance of a contract or pre-contractual measures).

4. User Account and Portfolio Features

You can optionally create a CertMap account to manage your own certifications, planned training, CPE activities (Continuing Professional Education) and associated costs.

Account Creation via Magic Code

Sign-in is passwordless via an eight-digit one-time code sent to your email address (Better-Auth Email-OTP, NIST SP 800-63B compliant).

Data processed: email address, sign-in timestamp, one-time code (hashed, short-lived), browser session token, IP address and user agent of the session (shown in the security area and used to detect suspicious activity).

Legal basis: Art. 6(1)(b) GDPR (contractual relationship for account usage).

Retention: account data is kept until you delete the account (self-service in settings or via email). Sessions expire automatically after at most 14 days and are extended hourly while in active use. After 8 hours without interaction you are signed out automatically. Security-relevant actions (account deletion) additionally require a fresh one-time code for confirmation.

Portfolio Contents

Within your account we store your own entries:

  • List of certifications you hold (slug, issue and expiry date, optional certificate number)
  • CPE activities (date, activity type, hours, optional cost and free-text description)
  • Cycle accounts and bookings automatically derived from your CPE activities
  • Optional settings such as hourly rate, current and target NICE role

Legal basis: Art. 6(1)(b) GDPR. The data does not leave our servers and is not shared with third parties.

Account Deletion and Hard Delete

You can delete your account at any time (Settings → Delete account). Deletion happens immediately and completely: all linked data (certifications, activities, cycle accounts, bookings, settings, consent history) is removed from the database via foreign-key cascade. In addition we manually delete your email correspondence from our M365 mailbox (see Section 7). There is no recovery window.

5. AI-Powered Features

CertMap uses AI processing for two optional features. Use is voluntary.

Affected Features

  • Job to Certifications (anonymous and inside your account): You enter a job description, the AI suggests matching certifications.
  • Certificate-PDF Extraction (account portal only): You upload a certificate PDF, the AI reads cert title, certificate number, issue date and holder name and proposes structured fields to add to your portal. You review the suggestions and accept or correct them.

Data Transfer for Job Descriptions

Entered job descriptions are transmitted to Anthropic, PBC (USA). A server-side filter replaces recognised email addresses, phone numbers, IBAN, credit card numbers and social security numbers (SSN) with placeholders before transmission.

Note: Plain-text names (e.g. hiring manager names in job postings) are currently not filtered automatically. They are transmitted to Anthropic together with the job description.

Data Transfer for PDF Extraction

For text PDFs, only the readable text layer is transmitted to Anthropic. The same PII filter as for job descriptions runs before transmission. The holder name printed on the certificate is typically transmitted (no plain-name filter active).

For image PDFs (scans), no text layer is extracted. The full image content is processed by Anthropic's Vision feature. This transmits the holder name, certificate number, logo and all other visible information on the certificate to Anthropic in the USA. Before uploading an image PDF, this notice is displayed again and you confirm the transmission separately (granular consent under Art. 7(2) GDPR).

Legal Basis

Your explicit consent according to Art. 6(1)(a) in conjunction with Art. 49(1)(a) GDPR. Without consent, the AI features are not usable; all other functions (manual cert entry, comparison, portfolio) remain fully available.

Third-Country Transfer

As there is currently no adequacy decision for Anthropic, the transfer is based on your informed consent regarding the risks of access by US authorities.

Consent and Documentation (Anonymous Usage)

You can use the AI-supported job analysis without creating an account. In that case your consent is obtained and documented as follows:

  • Before the first analysis, a dialog with the information above on third-country transfer is displayed. You confirm consent actively by clicking.
  • The consent status is stored in your browser's LocalStorage (certmap-consent-llm) so the dialog does not reappear on every visit. This storage happens exclusively locally in your browser.
  • Server-side we store, at the moment of confirmation, a SHA-256-hashed and truncated (12 hex chars) IP identifier together with a timestamp as proof under Art. 7(1) GDPR. The hash does not allow re-identification of individual persons.
  • You can revoke consent at any time by clearing the LocalStorage entry or sending us a short email. The lawfulness of processing performed up to revocation remains unaffected.

For account-based use, you grant consent once at the first use of the AI feature and can revoke it at any time in the settings.

Storage

CertMap does not persist transmitted texts or PDF contents on its own servers (transient runtime processing only). From the PDF extraction, only the structured fields you actively confirm (cert slug, certificate number, date) are stored permanently in your account portal. Anthropic retains transmitted data according to its own policies for up to 30 days for security purposes (no training of AI models).

Certificate Number Notice

Certificate numbers are stored in your account portal and are a prerequisite for later verification against third parties. Certificate numbers alone, in conjunction with the respective provider verification portals (e.g. PECB, ISC2, GIAC), allow re-identification of your real name. CertMap does not pass certificate numbers to third parties.

No Automated Decision-Making

There is no automated decision-making with legal effect within the meaning of Art. 22 GDPR. The analysis results are non-binding orientation and have no legal consequences.

6. Consultation Inquiry and Payment Processing

Consultation Inquiry

If you are interested in a consultation you can contact us via an inquiry form. We process name, email address and voluntary information on your consultation topic. The data is used exclusively to process your inquiry and is stored via Microsoft 365 (see below).

Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) and Art. 6(1)(f) GDPR for purely informational inquiries.

Retention: 6 months after the end of correspondence if no engagement materialises; up to 36 months from the last interaction in case of an ongoing engagement.

Stripe (Payment)

Payments are processed via Stripe Payments Europe Ltd. (Ireland) or Stripe, Inc. (USA). Stripe is certified under the EU-US Data Privacy Framework. The legal basis is the fulfilment of the contract (Art. 6(1)(b) GDPR).

7. Microsoft 365 (Email Communication)

Email correspondence and inquiry data are processed via Microsoft Ireland Operations Ltd. Microsoft is certified under the EU-US Data Privacy Framework. To maintain data minimisation, confirmation emails to you are not stored in the server's Sent folder (saveToSentItems=false).

When you delete your account (see Section 4) we manually delete all email correspondence from the M365 mailbox including "Recoverable Items".

8. Your Rights

You have the following rights regarding personal data we process about you:

  • Right of access (Art. 15 GDPR): which data we hold about you
  • Right to rectification (Art. 16 GDPR): correction of inaccurate data
  • Right to erasure (Art. 17 GDPR): "right to be forgotten"
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR): export of your data in a structured, common format
  • Right to object (Art. 21 GDPR) to processing based on legitimate interest
  • Right to withdraw consent with effect for the future

Please contact us at kontakt@certmap.de. Access and erasure requests are typically processed within 30 days.

Right to Lodge a Complaint with the Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The competent authority for us is:

The State Commissioner for Data Protection and Freedom of Information Rhineland-Palatinate
Hintere Bleiche 34
55116 Mainz, Germany
Email: poststelle@datenschutz.rlp.de
https://www.datenschutz.rlp.de


Last updated: May 2026