OIDCheck

Privacy Policy — DRAFT v0.1 (2026-07-04)

Draft version. Under legal review before official launch.

Controller: MY PATH S.R.L., Iași, Romania — privacy@oidcheck.eu

What we process, and why

DataPurposeLegal basis
Account email, name, organisation (OID)account, review authorship, claim verificationcontract (art. 6(1)(b))
Review author identity (never published)fraud prevention, legal compliance, DSA obligationslegitimate interest (6(1)(f)); legal obligation (6(1)(c))
Claim evidence documents (mandates)verifying organisation representativescontract / legitimate interest
Token ledger & payment recordsbilling, accountingcontract; legal obligation
Reports of illegal contentDSA notice-and-actionlegal obligation
Technical logs (IP, user agent)security, abuse preventionlegitimate interest

Organisation data (names, OIDs, countries, project participation) originates from public European Commission sources and concerns legal entities, not natural persons.

What we do NOT do

  • We do not publish review authors' identities.
  • We do not sell personal data or use it for advertising.
  • We do not list organisations' staff members on profiles.

Retention

Account data: while the account exists + 3 years. Review authorship records: as long as the review is published + 5 years (defence of legal claims). Payment records: 10 years (Romanian accounting law). Claim documents: 2 years after decision.

Recipients

Hosting and infrastructure: Supabase, Vercel (EU regions where available; transfers safeguarded by SCCs). Payments: Stripe. We disclose author identity only under a binding legal order.

Your rights

Access, rectification, erasure, restriction, portability, objection — privacy@oidcheck.eu. Complaints: ANSPDCP (dataprotection.ro) or your local supervisory authority.

Personal data inside reviews

Reviews must concern organisations, not private individuals. Moderation removes personal data before publication. If you find personal data about you in a published review, use oidcheck.eu/report — removal requests under GDPR are handled within 30 days.