Privacy Policy
Last updated · May 13, 2026
This Privacy Policy explains how CESIOME collects, uses, stores, and protects personal data in connection with the CESIOME digital certificate platform. CESIOME is designed to collect as little personal data as possible, but certain data is necessary to operate checkout, moderation, Reserved Entity verification, security, fraud prevention, and legal compliance.
This policy should be read together with the Terms of Service, because the service is built around user-submitted declarations that remain the user's legal responsibility. Cookie-specific details are set out in the Cookie Policy.
Controller Identity
CESIOME is run by the operator of the CESIOME service during an initial commercial test phase. The controller for personal data processed through cesiome.com, cesiome.net, and related subdomains is the operator of the CESIOME service, reachable at cesiome@pm.me. The operator is planning to form a United States limited liability company after a 90-day test phase if the service proves commercially viable. Until that entity is formed and this policy is updated, the operator of the CESIOME service remains the controller for GDPR purposes.
CESIOME has not appointed a Data Protection Officer. Based on the present size, processing volume, risk profile, and absence of large-scale systematic monitoring or large-scale special-category processing, the mandatory DPO threshold in Article 37 GDPR is not met. Privacy requests, security notices, and Data Subject Access Requests should therefore be sent directly to cesiome@pm.me.
Scope
This Privacy Policy applies to the CESIOME service available at cesiome.com, cesiome.net, and all subdomains controlled by CESIOME. It covers the public declaration flow, certificate and share-video delivery, Reserved Entity intake, vault administration, abuse prevention, payment redirection, revocation checks, and related operational communications.
The service is governed by the EU General Data Protection Regulation, Regulation (EU) 2016/679, Romanian Law 190/2018 on processing of personal data (Legea 190/2018 privind masuri de punere in aplicare a Regulamentului GDPR), and applicable Romanian consumer protection rules under OG 21/1992 (Government Ordinance 21/1992 on consumer protection) and Legea 363/2007 (Law 363/2007 transposing EU Directive 2011/83/EU on consumer rights). Where users are located outside the European Union, CESIOME still applies the data-minimizing practices described here for the service as a whole, while mandatory local rules may also apply. Contractual and consumer-facing rules are described in the Terms of Service.
Data Collected - Standard Flow
The standard declaration flow asks the user to enter a name and a declaration context, and to select a certificate tier. The name field is free text and accepts 1 to 100 characters for the policy purpose described here: it identifies the subject or label that the user wants rendered on the certificate. This may be a personal name, a studio name, a brand-like phrase, "Anonymous", or another user-provided identifier. The name is processed to render the certificate, create the post-payment certificate URL, generate the downloadable certificate image, and, when requested, prepare the share video.
The declaration context field is also free text and accepts 1 to 150 characters for the policy purpose described here. It describes what the user claims to value, such as consulting work, artistic labor, personal time, a private commitment, or another symbolic context. CESIOME uses this text to render the certificate, run moderation and Reserved Entity checks, compute revocation hashes, and generate the share-video captioning and certificate presentation. The context text is user generated content and is not verified by CESIOME.
The tier amount corresponds to the fixed-price certificate tier selected by the user: USD 99 (Declaration), USD 299 (Distinction), or USD 999 (Eminence). It is used to set the symbolic value displayed on the certificate, to calculate the payment checkout amount, and to update aggregate public counters when applicable. CESIOME also plans to collect an email address for certificate delivery. That email field is not yet collected in the current standard production flow, and when implemented it will be used only to deliver the certificate or related transactional notice, then deleted immediately after that delivery purpose is complete.
The standard flow does not require a CESIOME account, password, profile, date of birth, postal address, telephone number, or government identity document. Card numbers, wallet credentials, bank details, and full billing records are entered with the payment provider rather than directly into CESIOME. CESIOME may receive an order identifier, payment status, custom checkout metadata, and limited transaction information necessary to confirm delivery, handle refunds, and maintain financial records, but it does not need complete payment credentials to create the certificate.
Data Collected - Reserved Tier
The Reserved Tier exists for declarations involving major brands, public figures, institutions, or entities of significant public interest. When a declaration is diverted into this flow, CESIOME collects additional verification data so it can decide whether the requester has authority to proceed. The intake form may collect the entity name and entity URL, the representative's name and title, a corporate email address, the originally declared name and declaration context, a message explaining the request, and supporting files.
The supporting files are limited to a Certificate of Incorporation or Power of Attorney plus a government-issued identity document. The corporate document is used to connect the requesting person to the relevant entity. The identity document is used to reduce impersonation and fraud risk in high-risk requests. CESIOME also logs the IP address and User-Agent connected to the Reserved intake submission so an audit trail exists if a legal complaint, fraud complaint, or authority dispute arises later.
Reserved Tier data is materially more sensitive than the standard flow. It is handled under stricter access controls, and identity files are encrypted at rest using AES-256-GCM before storage. The Reserved review process is manual. Approval is not automatic, and rejection results in immediate deletion of rejected application records and uploaded identity files as described in the retention table below.
Data Collected - Automatically
CESIOME automatically receives limited technical data when a browser contacts the service. IP address is processed for rate limiting, abuse prevention, security diagnostics, and fraud resistance. This is particularly important for moderation requests, Reserved Entity intake, vault authentication attempts, and high-value symbolic declarations that could be used to create misleading or abusive content at scale.
Vercel and Cloudflare may create server request logs that include IP address, request path, timestamp, and User-Agent. Those logs are used for hosting, debugging, DDoS defense, bot detection, routing, operational security, and incident response. CESIOME does not use those logs to build behavioral advertising profiles, and it does not sell or rent log data.
Cloudflare may set the __cf_bm cookie for bot management. This cookie helps distinguish ordinary browser traffic from automated abuse. It is described in more detail in the Cookie Policy. CESIOME does not use analytics cookies, marketing cookies, social media tracking pixels, or third-party advertising trackers in the current service.
Legal Bases Under Article 6 GDPR
CESIOME processes checkout and payment-related declaration data under Article 6(1)(b) GDPR, because that processing is necessary to perform the contract requested by the user: receiving the declaration, creating the checkout, rendering the personalized certificate, returning the certificate URL, and enabling the user to obtain the digital deliverable. Without this data CESIOME cannot provide the purchased digital content.
CESIOME processes moderation data, rate-limit keys, revocation hashes, security logs, and similar operational records under Article 6(1)(f) GDPR, legitimate interests. The legitimate interests are preventing misuse of symbolic certificates, reducing impersonation and defamation risk, preventing automated abuse, protecting the service from attacks, and preserving evidence necessary to handle complaints. The OpenAI moderation API receives both the name and the declaration context concatenated, because name-level impersonation and Reserved Entity references can only be detected when both fields are evaluated together. CESIOME does not send payment card data, email addresses, or Reserved Tier identity files to OpenAI for moderation.
CESIOME and its payment providers process financial and tax-related records under Article 6(1)(c), legal obligation, where records are needed to comply with tax, accounting, payment, chargeback, fraud, or consumer-law obligations. Reserved Tier identity documents may in some cases contain biometric data or special-category data embedded in an official identity document. Where such processing is necessary for substantial public-interest verification, anti-fraud review, or high-risk identity checks, CESIOME relies on Article 9(2)(g) GDPR to the limited extent applicable, with strict minimization, encryption, and short retention.
Third-Party Processors
CESIOME uses third-party processors and service providers only where needed for payment, hosting, security, moderation, transactional delivery, storage, or operational integrity. The current and planned providers are listed below with their country, role, and transfer mechanism.
Some providers may act as independent controllers for parts of their service, especially payment providers that must comply with tax, anti-fraud, chargeback, accounting, and payment-network obligations. Where a provider acts as an independent controller, its own privacy policy and retention rules apply to the data it collects directly. Where a provider processes data on CESIOME's behalf, CESIOME relies on the provider's data processing terms, security commitments, and transfer safeguards.
- Stripe Inc., United States: fiat payment processor for cards, Apple Pay, Google Pay, Link, and other supported payment methods. The operator of the CESIOME service acts as merchant of record for fiat transactions; Stripe processes payments on CESIOME's behalf and calculates applicable VAT, including Romanian VAT (TVA), and sales taxes where applicable. For transfers to the United States, Standard Contractual Clauses under Article 46(2)(c) GDPR apply.
- NOWPayments OE, Estonia, European Union: crypto Merchant of Record or crypto payment processor for cryptocurrency payments when that channel is active. No transfer outside the European Union is intended for this provider in the legal role described here.
- OpenAI Inc, United States: moderation API provider. OpenAI receives the name and declaration context for content classification and Reserved Entity matching, but not the user's payment details, email address, government ID, or Reserved Tier files. Transfers to the United States rely on Standard Contractual Clauses under Article 46(2)(c) GDPR.
- Upstash Inc, United States or European Union depending on selected region: storage and rate-limit infrastructure. Upstash may store aggregate counters, one-way SHA-256 revocation hashes, IP rate-limit keys with short TTLs, vault user records, and AES-256-GCM encrypted Reserved records. SCCs apply if the selected processing region or support access involves the United States.
- Cloudflare Inc, global network with headquarters in the United States: CDN, DDoS mitigation, bot management, edge security, and the __cf_bm strictly necessary cookie. International transfers rely on SCCs and Cloudflare's transfer safeguards.
- Vercel Inc, United States: Next.js hosting, deployment, serverless execution, logs, and platform infrastructure. Transfers to the United States rely on Standard Contractual Clauses under Article 46(2)(c) GDPR.
- Resend Inc, United States: conditional transactional email provider when email delivery or Reserved intake notification features are implemented or configured. Resend may not yet be active in production for certificate delivery. If used for United States processing, SCCs apply.
International Transfers
Some CESIOME processors are located in, or may provide support from, the United States or other countries outside the European Economic Area. For transfers to the United States, CESIOME relies primarily on Standard Contractual Clauses under Article 46(2)(c) GDPR, together with data-processing agreements, provider security commitments, and transfer impact analysis appropriate to the scale and risk of the service.
Following Schrems II, CESIOME applies supplementary measures where practical. These include TLS 1.3 in transit where supported by the provider connection, AES-256-GCM encryption at rest for Reserved Tier identity files, strict data minimization, and provider selection based on mature infrastructure controls. As a minimization measure, OpenAI receives the name and declaration context for moderation but not the payment credentials, email address, or government ID files. Reserved files are encrypted before storage in the application storage layer.
Where UK or Swiss data-transfer rules apply, CESIOME will use the UK International Data Transfer Addendum, the UK IDTA, Swiss addenda, or substantially equivalent contractual safeguards as applicable. The service is intentionally small and data-minimal, but international infrastructure is unavoidable for modern hosting, payment, CDN, moderation, and email services.
Retention Periods
CESIOME applies the storage limitation principle in Article 5(1)(e) GDPR. Personal data should not be kept longer than necessary for the purpose for which it was collected, unless a longer retention period is required by law, tax rules, chargeback handling, legal claims, or platform security. The planned retention periods are:
| Data category | Retention |
|---|---|
| Aggregate counters | Indefinite, because they contain no PII. |
| Revocation hashes | Indefinite, because they are one-way SHA-256 hashes and contain no recoverable PII. |
| IP rate-limit keys | 60 seconds TTL for the standard moderation limiter, unless a separate intake or vault-auth limiter applies. |
| Reserved rejected applications | Deleted immediately on rejection. |
| Reserved approved records | 6 months after approval. |
| Government ID and Certificate of Incorporation files | 6 months if approved, immediately deleted if rejected. |
| Vault admin users | Until manually deleted. |
| Vercel and Cloudflare server logs | 30 days maximum per provider defaults or configured account retention. |
| Email address when collected | Used once for delivery, then deleted immediately. |
| Share video files | 24 hours, then auto-purged. |
| Stripe and NOWPayments payment data | Per their own retention policies, typically 7 years for tax compliance and outside CESIOME's direct control. |
Where a provider is legally required to keep payment, tax, fraud, or accounting data longer than CESIOME would otherwise choose, that provider's retention schedule controls the records it holds. CESIOME does not receive full card numbers or bank credentials from payment providers.
Retention periods may be shortened where deletion is technically possible and no legal, fraud-prevention, chargeback, audit, or complaint-handling reason remains. They may also be extended where a dispute, security incident, legal request, authority inquiry, or threatened claim requires preservation of specific evidence. CESIOME aims to preserve only the specific record needed for the specific reason, rather than expanding retention across unrelated records.
Cookies
CESIOME uses only the strictly necessary Cloudflare __cf_bm cookie for bot management and automated abuse prevention. It is not an analytics, marketing, social profiling, or advertising cookie. It supports the legitimate interest of keeping the service reachable and resistant to automated abuse.
Full cookie details, including provider, purpose, duration, legal basis, browser controls, and the strictly necessary ePrivacy exemption, are available in the Cookie Policy.
Data Subject Rights Under Articles 12-23 GDPR
Subject to the limits and conditions in the GDPR, users may request access to personal data, rectification of inaccurate data, erasure, restriction of processing, data portability, and objection to processing based on legitimate interests. Users may also object to direct marketing, although CESIOME does not currently run marketing mailing lists from declaration data. Where processing is based on consent, users may withdraw consent without affecting processing that occurred before withdrawal.
CESIOME is intentionally accountless and partially anonymous. In many cases CESIOME cannot identify a user from a name or declaration alone, especially where only a one-way hash or public certificate URL exists. To exercise rights, send the certificate serial number, the relevant URL, or the Reserved intake request ID to cesiome@pm.me. CESIOME may ask for enough information to verify the requester without collecting more data than necessary.
Article 22 rights relating to automated decision-making are discussed below. If a declaration is rejected automatically by moderation, the user can request human review by email. CESIOME will respond within the GDPR time limits unless the request is manifestly unfounded, excessive, abusive, or impossible to verify.
CESIOME will normally respond to rights requests within one month of receipt. That period may be extended by two further months where a request is complex or multiple requests are submitted, in which case CESIOME will explain the extension. Requests are free of charge unless they are manifestly unfounded or excessive, in particular because of repetition. Where CESIOME cannot act on a request because it cannot identify the requester or no longer holds the relevant data, it will explain that limitation instead of inventing a link between records.
Complaint Right
Users have the right to lodge a complaint with a supervisory authority. For Romania, the competent authority is ANSPDCP (Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal), B-dul G-ral Gheorghe Magheru 28-30, Sector 1, 010336 Bucuresti, Romania, available at dataprotection.ro. Users located elsewhere in the European Union may also contact their national data protection authority.
CESIOME encourages users to contact cesiome@pm.me first where practical, because many issues can be resolved quickly with a certificate serial number, order identifier, or Reserved intake ID. This does not limit the right to complain directly to a supervisory authority.
Children
CESIOME is not intended for users under 16. This 16+ service rule is stated for purposes of the Romanian implementation of GDPR Article 8 and for CESIOME's own operational risk controls. The service involves public symbolic declarations, payment, and content that may generate reputational consequences, so younger users should not submit declarations.
If a parent, guardian, school, public authority, or affected person believes that a minor has submitted a declaration, contact cesiome@pm.me with the certificate serial number or URL. CESIOME will review the request and may revoke or remove the certificate where appropriate.
Security Measures Under Article 32 GDPR
CESIOME applies technical and organizational measures proportionate to the current scale and risk of the service. Reserved identity files are encrypted at rest using AES-256-GCM before storage. Data in transit is protected by HTTPS and TLS 1.3 where supported by the client, Cloudflare, Vercel, and other network components. Admin vault access uses access controls, timing-safe HTTP Basic Auth comparison, and rate limiting to reduce brute-force risk.
Operational controls include data minimization, short retention for high-risk records, separation between public certificate rendering and Reserved identity review, limited internal access, provider selection based on security posture, and an internal incident response process. CESIOME also uses revocation hashes so complaint handling can occur without storing the full declaration in ordinary revocation records.
CESIOME is an early-stage service and is honest about its maturity. It does not currently hold ISO 27001, SOC 2, or equivalent external security certification. Security controls will be reviewed as the service grows, especially if the planned post-test company formation, higher transaction volume, or broader Reserved Entity workflows materially change the risk profile.
No internet service can guarantee absolute security. Users should not submit documents or declarations that are unnecessary for the service, and Reserved Tier applicants should redact non-required information from supporting documents where legally and practically possible, provided the documents still establish authority and identity. CESIOME's security model is based on collecting less data, retaining it for shorter periods, encrypting sensitive files, and limiting access to the workflows that require review.
Breach Notification Under Articles 33-34 GDPR
If CESIOME becomes aware of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, it will notify ANSPDCP without undue delay and, where feasible, within 72 hours of becoming aware of the breach. If notification is delayed, CESIOME will explain the reasons for delay as required by the GDPR.
If a breach is likely to result in a high risk to the rights and freedoms of affected users, CESIOME will also communicate the breach to those users without undue delay, unless an exception applies, such as effective encryption rendering the affected data unintelligible or subsequent measures eliminating the high risk. For accountless users, communication may occur through available email data, order channels, public notice, or provider-mediated notice depending on what contact data exists.
Automated Decision-Making Under Article 22 GDPR
CESIOME uses automated moderation to decide whether a declaration may proceed to purchase. This includes rule-based checks, Reserved Entity blacklist matching, and OpenAI moderation or intent-review APIs where configured. The moderation system may reject a declaration and prevent purchase, so it can have a meaningful effect on the user's ability to obtain the requested digital certificate.
The disclosed logic is threshold-based classification. Declarations flagged as harmful, illegal, abusive, defamatory, threatening, impersonating, reserved without verification, non-Latin where the service requires English, or otherwise likely to violate the Terms of Service are rejected or redirected to Reserved Entity intake. The model and rules do not decide legal truth; they are safety controls for a symbolic publishing product.
Users have the right to request human review of an automated rejection by contacting cesiome@pm.me. The request should include the declaration text, approximate time of submission, and any relevant explanation. CESIOME may still refuse a declaration after human review if it violates the Terms, creates legal risk, or requires Reserved Entity verification.
Changes
CESIOME may update this Privacy Policy as the service, provider list, payment channels, company structure, retention schedule, or legal obligations change. Material changes will be reflected by updating the "Last updated" date prominently at the top of this page. Where a change materially affects users whose contact information is available to CESIOME, direct notice may also be sent when practical.
Continued use of CESIOME after an updated policy is posted constitutes acceptance of the updated policy to the extent permitted by law. If a user does not agree with a material change, the user should stop using the service and may contact CESIOME about any existing certificate, Reserved intake record, or rights request.
Contact
For all privacy inquiries, Data Subject Access Requests, moderation review requests, deletion requests, complaint handling, Reserved Tier data questions, or security notices, contact CESIOME at cesiome@pm.me. Include the certificate serial number, order identifier, Reserved intake request ID, or relevant URL where available so CESIOME can locate the data without collecting unnecessary additional information.