1. Controller
HeiDoc V.O.F.
Ir Em Mélottestraat 33, 6291HD Vaals, The Netherlands
E-Mail: admin@gracert.eu
Tel.: +49 176 91359656
HeiDoc V.O.F. (hereinafter "GRA", "we", "us") operates the websites gracert.eu and check.gracert.eu. This Privacy Policy explains what personal data we collect, for what purposes, on what legal basis, and what rights you have as a data subject under Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR).
2. Scope
This Privacy Policy applies to the publicly accessible websites www.gracert.eu and check.gracert.eu. The vendor portal at portal.gracert.eu is subject to a separate privacy notice provided to authorised vendors upon registration.
3. Data We Collect and Why
3.1 Server Log Files
When you visit our websites, your browser automatically transmits information that our web server stores in log files. This includes your IP address (anonymised after 7 days), the date and time of the request, the URL accessed, the HTTP status code, the amount of data transferred, the referring URL, and your browser and operating system.
Legal basis: Art. 6(1)(f) GDPR – legitimate interest in the secure and stable operation of our websites. Log files are deleted after 30 days at the latest.
3.2 Certificate Verification (check.gracert.eu)
When you use the certificate lookup tool, you enter a GRA Report Number. We log the report number queried, the date and time of the query, and the anonymised IP address of the requesting client. This log serves to detect abuse (e.g. automated scraping) and to provide vendors with aggregate lookup statistics.
Legal basis: Art. 6(1)(f) GDPR – legitimate interest in fraud prevention and service quality. Lookup logs are retained for 12 months.
3.3 Contact via E-Mail
If you contact us by e-mail, we process the data you provide (name, e-mail address, message content) solely to handle your enquiry and, where applicable, for follow-up correspondence.
Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) or Art. 6(1)(f) GDPR (legitimate interest in responding to enquiries). Data is deleted once the matter is resolved and no statutory retention obligation applies.
3.4 Consent Management (Uniconsent CMP)
We use the Uniconsent Consent Management Platform to manage your cookie and tracking preferences in accordance with the GDPR and the ePrivacy Directive. Uniconsent stores your consent choices in a cookie on your device. No personal data beyond your consent record is transferred to Uniconsent.
Legal basis: Art. 6(1)(c) GDPR – compliance with legal obligations (TCF/ePrivacy). The consent record is stored for 13 months.
3.5 Google Fonts
Our website loads fonts from Google Fonts (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). When the page loads, your browser establishes a connection to Google's servers, which may result in the transfer of your IP address to the United States. We use Google Fonts to ensure a consistent visual presentation.
Legal basis: Art. 6(1)(f) GDPR – legitimate interest in consistent typography. If you wish to prevent this transfer, you may block Google Fonts via your browser or a browser extension.
4. Cookies
We use only technically necessary cookies required for the operation of the website (e.g. session management, consent record). We do not use tracking, analytics, or advertising cookies without your prior consent. You can manage your preferences at any time via the consent banner or by adjusting your browser settings.
| Cookie Name | Purpose | Duration |
|---|---|---|
| uc_* | Uniconsent – stores your consent choices | 13 months |
| PHPSESSID | Session management (check.gracert.eu) | Session |
5. Data Sharing and Third Parties
We do not sell, rent, or trade your personal data. We share data only where strictly necessary:
- Hosting provider: Our web server is operated by a cPanel/WHM hosting provider located within the EU/EEA. The hosting provider processes server log data on our behalf under a data processing agreement (Art. 28 GDPR).
- Uniconsent: Consent management as described in Section 3.4.
- Google LLC: Font delivery as described in Section 3.5.
- Law enforcement: We may disclose data if required by applicable law or a court order.
6. International Transfers
Where data is transferred to recipients outside the European Economic Area (EEA), we ensure an adequate level of protection through the EU Standard Contractual Clauses (SCCs) or an adequacy decision by the European Commission. Google LLC participates in the EU–US Data Privacy Framework (adequacy decision of 10 July 2023).
7. Your Rights
Under the GDPR you have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR) – you may request a copy of the personal data we hold about you.
- Right to rectification (Art. 16 GDPR) – you may request correction of inaccurate data.
- Right to erasure (Art. 17 GDPR) – you may request deletion of your data, subject to legal retention obligations.
- Right to restriction of processing (Art. 18 GDPR).
- Right to data portability (Art. 20 GDPR).
- Right to object (Art. 21 GDPR) – you may object to processing based on legitimate interests at any time.
- Right to withdraw consent (Art. 7(3) GDPR) – where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at admin@gracert.eu. We will respond within one month (Art. 12(3) GDPR).
You also have the right to lodge a complaint with a supervisory authority. The lead supervisory authority for HeiDoc V.O.F. is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, www.autoriteitpersoonsgegevens.nl).
8. Data Security
We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. All connections to our websites are encrypted via TLS (HTTPS).
9. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. The current version is always available at www.gracert.eu/privacy-policy.html. The date of the last update is shown at the top of this page.