Privacy Policy — DRAFT v0.1 (2026-07-04)
Draft version. Under legal review before official launch.
Controller: MY PATH S.R.L., Iași, Romania — privacy@oidcheck.eu
What we process, and why
| Data | Purpose | Legal basis |
|---|---|---|
| Account email, name, organisation (OID) | account, review authorship, claim verification | contract (art. 6(1)(b)) |
| Review author identity (never published) | fraud prevention, legal compliance, DSA obligations | legitimate interest (6(1)(f)); legal obligation (6(1)(c)) |
| Claim evidence documents (mandates) | verifying organisation representatives | contract / legitimate interest |
| Token ledger & payment records | billing, accounting | contract; legal obligation |
| Reports of illegal content | DSA notice-and-action | legal obligation |
| Technical logs (IP, user agent) | security, abuse prevention | legitimate interest |
Organisation data (names, OIDs, countries, project participation) originates from public European Commission sources and concerns legal entities, not natural persons.
What we do NOT do
- We do not publish review authors' identities.
- We do not sell personal data or use it for advertising.
- We do not list organisations' staff members on profiles.
Retention
Account data: while the account exists + 3 years. Review authorship records: as long as the review is published + 5 years (defence of legal claims). Payment records: 10 years (Romanian accounting law). Claim documents: 2 years after decision.
Recipients
Hosting and infrastructure: Supabase, Vercel (EU regions where available; transfers safeguarded by SCCs). Payments: Stripe. We disclose author identity only under a binding legal order.
Your rights
Access, rectification, erasure, restriction, portability, objection — privacy@oidcheck.eu. Complaints: ANSPDCP (dataprotection.ro) or your local supervisory authority.
Personal data inside reviews
Reviews must concern organisations, not private individuals. Moderation removes personal data before publication. If you find personal data about you in a published review, use oidcheck.eu/report — removal requests under GDPR are handled within 30 days.