Data Protection

CAcert Website Data Privacy Policy

The following Data Privacy Policy is sole for the CAcert Website.
The use of certificates and the assurances are covered in the CAcert
Privacy Policy.

“CAcert” describes this service and/or the CAcert Inc.

The privacy and security of your data is CAcert's primary

This Data Privacy pages gives you an overview how CAcert
processes your personal data.

1. CAcert's principles for processing personal data

CAcert complies to following principles of data privacy:

  • CAcert collects, processes and uses personal data on its
    websites under the data privacy regulations of the European
  • CAcert processes personal data exclusively to allow you
    the usage of internet services you need to register for. Under
    no circumstances will CAcert transfer personal data for
    marketing or advertisement reasons or without permission to
    third parties.
  • Each CAcert member can decide which of his/her private
    data will be shown to other CAcert members. Exemptions are only
    made for Arbitrators from the internal Arbitration and persons
    authorized by them who are allowed to see personal data (see 3.
    of this data privacy policy) of individual persons in special
  • Persons who are not member of CAcert cannot see CAcert
    member's personal data, if not ruled otherwise by an Arbitrator.

2. General definitions of this data privacy policy

CAcert's data privacy policy consists of several predefined
notations with the following definitions:

  • “Personal Data” consists all
    values about personal or objective circumstances linked to a
    particular or determinable natural person.
  • The Websites containing the CAcert services are jointly
    called “CAcert Websites”.
  • The users registered with the CAcert Websites are called
    “CAcert Members”.
  • Service offered on the CAcert Websites and you need to
    register for are called “CAcert
  • The personal data you must to declare during registration
    are called “Registration Data”.
  • The page of the CAcert Websites where you can see and
    change your personal data is called “Profile”.
  • “Arbitrations” are ruled by
    “Arbitrators” and binding for all CAcert Members.

3. Which data is saved by CAcert, for which purposes is
this data used by CAcert and its members and what happens to
personal data?

3.1 Registration information

To use CAcert services is it necessary that CAcert collects and
processes personal data, so called registration
information. CAcert collects the following data:

  • First Name, Middle Name, Last Name and Suffix (Middle
    Name and Suffix are optional)
  • Date of Birth
  • Email Address
  • Pass Phrase
  • 5 Lost Pass Phrase Questions and the matching answers
  • Client certificate used for login

Pass phrases, lost pass phrase questions, and the matching
answers are at no time and under no circumstances visible to
other ordinary CAcert members. CAcert Support Engineers are able
to see and change the questions and answers on request of the
user or based on an arbitration ruling. Questions and answers
will never be provided to third parties and/or offered to them.

Following registration information can made visible to
other CAcert Members:

  • First Name and the first letter of the Last Name

3.2 Voluntary Information

Additionally to the registration information, voluntary
information can be provided. This information allows other
CAcert Members to get in touch. Voluntary information are:

  • Preferred Language
  • Additional Languages
  • Contact Information (free text)
  • Location

Voluntary information are – depending on the settings –
available for all CAcert Members. Additionally the first name
and the first letter of the last name are displayed.

Voluntary information can be changed on any time by
deleting them or changing the display information.

4. Data from an Assurance

When requesting an Assurer to perform an Assurance, following
information are shown to him, to verify the information given to
the Assurer in the Assurance:

  • First Name, Middle Name, Last Name and Suffix
  • Date of Birth
  • Email Address

In addition, the Assurer enters:

  • Date of Assurance
  • Place of Assurance
  • Number of assigned points

All information will be stored together with the reference
number of the Assurer.

5. Newsletter

CAcert offers newsletters to general information of CAcert,
gatherings, events and fairs. Which information, gatherings,
events and fair are send can be selected on registration and
changed any time on the “My Alert Settings” page.

6. Cookies

“Cookies” are small files making it possible to save user
defined information on a PC or other (mobile) device during the
usage of CAcert Services. Cookies can be used to enhance the
user's security.

CAcert Services do use so called “Session Cookies” on log in
(using Password Login or Certificate Login) to the CAcert Member
account to authenticate the user during his visit thought the
page. After the session ended, the Cookie will be deleted

Cookies can be disabled in the web browser or restricted to
selected websites. The browser can also inform if a Cookie is set.
It is possible to deleted Cookies on any time from the computer's
hard disk drive or the flash drive of any other device. The usage
of the CAcert Services might be limited, if Cession Cookies are

Third parties might set Cookies for the usage of CAcert
Applications that might be fully or partly offered by third
parties. To disallow the setting of Cookies by third parties, the
browser can be set not to do so.

7. Log Files

Every site request will be logged in a server log on the web
server. Following information is saved per data set for a maximum
period of six weeks:

  • Caller's IP address, the current date and time, status,
    the request, and the amount of data transferred.
  • The product and version information of the caller's
    Browser (User Agent).

CAcert is using the standardised “combined” log file format
of the Apache webserver.
The log files are used anonymised, i.e. without the
possibility to connect the data to a dedicated person, for
statistical purposes. This way CAcert is e.g. able to collect
information over the usage of the CAcert Websites over time and
the volume of data transferred. Moreover, CAcert is able to find
possible malfunction, e.g. wrong set links or bugs, from the log
files. The log files are therefore used to enhance the CAcert
websites. To protect CAcert, the CAcert Services, the CAcert
Websites, and the CAcert Members with their data, CAcert reserves
the right to use the data from log files to identify illegal
behaviour or those contrary to contract. Log files can be seen and
analysed only by CAcert's System Administrators if not ruled
otherwise by an administrator.

8. Minors and Other Not Authorised to Represent Themselves

Adults or deputies are responsible for the protection of the
minor's or unauthorised's privacy.

9. Access to the Data Privacy Policy

This Data Privacy Policy can be viewed and printed any time
on the CAcert Websites with the link “Data Protection”.
Currently we are working on a new version of the Data Protection Policy.