The use of certificates and the assurances are covered in the CAcert
“CAcert” describes this service and/or the CAcert Inc.
The privacy and security of your data is CAcert's primary
This Data Privacy pages gives you an overview how CAcert
processes your personal data.
1. CAcert's principles for processing personal data
CAcert complies to following principles of data privacy:
- CAcert collects, processes and uses personal data on its
websites under the data privacy regulations of the European
- CAcert processes personal data exclusively to allow you
the usage of internet services you need to register for. Under
no circumstances will CAcert transfer personal data for
marketing or advertisement reasons or without permission to
- Each CAcert member can decide which of his/her private
data will be shown to other CAcert members. Exemptions are only
made for Arbitrators from the internal Arbitration and persons
authorized by them who are allowed to see personal data (see 3.
- Persons who are not member of CAcert cannot see CAcert
member's personal data, if not ruled otherwise by an Arbitrator.
notations with the following definitions:
- “Personal Data” consists all
values about personal or objective circumstances linked to a
particular or determinable natural person.
- The Websites containing the CAcert services are jointly
called “CAcert Websites”.
- The users registered with the CAcert Websites are called
- Service offered on the CAcert Websites and you need to
register for are called “CAcert
- The personal data you must to declare during registration
are called “Registration Data”.
- The page of the CAcert Websites where you can see and
change your personal data is called “Profile”.
“Arbitrations” are ruled by
“Arbitrators” and binding for all CAcert Members.
3. Which data is saved by CAcert, for which purposes is
this data used by CAcert and its members and what happens to
3.1 Registration information
To use CAcert services is it necessary that CAcert collects and
processes personal data, so called registration
information. CAcert collects the following data:
- First Name, Middle Name, Last Name and Suffix (Middle
Name and Suffix are optional)
- Date of Birth
- Email Address
- Pass Phrase
- 5 Lost Pass Phrase Questions and the matching answers
- Client certificate used for login
Pass phrases, lost pass phrase questions, and the matching
answers are at no time and under no circumstances visible to
other ordinary CAcert members. CAcert Support Engineers are able
to see and change the questions and answers on request of the
user or based on an arbitration ruling. Questions and answers
will never be provided to third parties and/or offered to them.
Following registration information can made visible to
other CAcert Members:
- First Name and the first letter of the Last Name
3.2 Voluntary Information
Additionally to the registration information, voluntary
information can be provided. This information allows other
CAcert Members to get in touch. Voluntary information are:
- Preferred Language
- Additional Languages
- Contact Information (free text)
Voluntary information are – depending on the settings –
available for all CAcert Members. Additionally the first name
and the first letter of the last name are displayed.
Voluntary information can be changed on any time by
deleting them or changing the display information.
4. Data from an Assurance
When requesting an Assurer to perform an Assurance, following
information are shown to him, to verify the information given to
the Assurer in the Assurance:
- First Name, Middle Name, Last Name and Suffix
- Date of Birth
- Email Address
In addition, the Assurer enters:
- Date of Assurance
- Place of Assurance
- Number of assigned points
All information will be stored together with the reference
number of the Assurer.
CAcert offers newsletters to general information of CAcert,
gatherings, events and fairs. Which information, gatherings,
events and fair are send can be selected on registration and
changed any time on the “My Alert Settings” page.
“Cookies” are small files making it possible to save user
defined information on a PC or other (mobile) device during the
usage of CAcert Services. Cookies can be used to enhance the
CAcert Services do use so called “Session Cookies” on log in
(using Password Login or Certificate Login) to the CAcert Member
account to authenticate the user during his visit thought the
page. After the session ended, the Cookie will be deleted
Cookies can be disabled in the web browser or restricted to
selected websites. The browser can also inform if a Cookie is set.
It is possible to deleted Cookies on any time from the computer's
hard disk drive or the flash drive of any other device. The usage
of the CAcert Services might be limited, if Cession Cookies are
Third parties might set Cookies for the usage of CAcert
Applications that might be fully or partly offered by third
parties. To disallow the setting of Cookies by third parties, the
browser can be set not to do so.
7. Log Files
Every site request will be logged in a server log on the web
server. Following information is saved per data set for a maximum
period of six weeks:
- Caller's IP address, the current date and time, status,
the request, and the amount of data transferred.
- The product and version information of the caller's
Browser (User Agent).
CAcert is using the standardised “combined” log file format
of the Apache webserver.
The log files are used anonymised, i.e. without the
possibility to connect the data to a dedicated person, for
statistical purposes. This way CAcert is e.g. able to collect
information over the usage of the CAcert Websites over time and
the volume of data transferred. Moreover, CAcert is able to find
possible malfunction, e.g. wrong set links or bugs, from the log
files. The log files are therefore used to enhance the CAcert
websites. To protect CAcert, the CAcert Services, the CAcert
Websites, and the CAcert Members with their data, CAcert reserves
the right to use the data from log files to identify illegal
behaviour or those contrary to contract. Log files can be seen and
analysed only by CAcert's System Administrators if not ruled
otherwise by an administrator.
8. Minors and Other Not Authorised to Represent Themselves
Adults or deputies are responsible for the protection of the
minor's or unauthorised's privacy.
on the CAcert Websites with the link “Data Protection”.
Currently we are working on a new version of the Data Protection Policy.