Privacy Policy
Last updated: 25 February 2026 | Version 1.0
This policy applies to ChetiChain — a blockchain-based academic certificate management platform operated on behalf of participating universities in Tanzania. It covers how we collect, use, store, and protect personal data in accordance with the EU General Data Protection Regulation (GDPR 2016/679) and the Tanzania Personal Data Protection Act 2022 (PDPA).
1. Data Controller
The data controller for ChetiChain is the consortium of participating universities. Each issuing university acts as an independent data controller for the personal data of its own students. The system operator (ChetiChain engineering team) acts as a data processor on behalf of those universities.
Data Protection Officer contact: dpo@mychetichain.example
2. What Personal Data We Collect
| Category | Examples | Collected from |
|---|---|---|
| Student identity | Name, email, phone, student ID, university program | University registrar |
| Blockchain wallet | Ethereum address (custodial or self-managed) | Auto-generated or student-provided |
| Certificate metadata | Degree title, graduation date, GPA, honours | University academic records |
| Verifier contact details | Organisation name, email (self-registered) | Verifier (HR, agency, institution, or other organisation, self-registered) |
| Audit log | IP address, token verified, result, timestamp | Tier-2 verification requests |
| Cookies | Session cookie (JWT bearer token) | Admin / verifier login |
3. Legal Basis for Processing
- Contract (GDPR Art. 6(1)(b)): Processing student data is necessary to issue and manage their academic certificates.
- Legitimate interest (GDPR Art. 6(1)(f)): Logging Tier-2 verifications is in the legitimate interest of universities to detect fraudulent certificate use.
- Legal obligation (GDPR Art. 6(1)(c)): Maintaining security audit records may be required by applicable law.
- Consent (PDPA 2022 s.5): Student consent for certificate issuance is obtained by the issuing university before any data is entered into this system.
4. How Long We Keep Your Data
| Data type | Retention period |
|---|---|
| Student PII (name, email, phone) | Duration of enrolment + 10 years, then anonymised on request |
| IP addresses in verification log | 30 days, then automatically nullified |
| JWT revocation blacklist entries | Until token expiry, then purged automatically |
| Session cookies | 60 minutes (session), cleared on logout |
| On-chain certificate records | Indefinite — see blockchain immutability note below |
5. Blockchain Immutability Disclosure
Important: When a certificate is issued, a non-transferable ERC-721 token (soul-bound NFT) is created on a permissioned Ethereum blockchain. The token URI and associated manifest hash recorded on-chain cannot be deleted or modified after issuance.
The manifest hash is a cryptographic hash (SHA-256) of the certificate document; it does not directly identify a person. However, in conjunction with off-chain data, it may be linkable to an individual. By accepting issuance of a certificate, you acknowledge this limitation of the right to erasure (GDPR Art. 17(3)(b) — public interest in the archiving of authentic academic records).
6. Sharing Your Data
- Registered verifiers: Tier-2 verification reveals the student name and hash-match result to the authenticated verifier, and records the verification in an audit log accessible only to administrators.
- Hyperledger FireFly network: Certificate metadata is stored on a private IPFS instance accessible only to participating university nodes.
- No advertising or marketing sharing: We do not sell, rent, or share personal data with any third party for commercial purposes.
7. Your Rights
Under GDPR and the Tanzania PDPA 2022, you have the following rights:
- Access — request a copy of your personal data
- Rectification — correct inaccurate data
- Erasure — request deletion of your off-chain data (subject to the blockchain immutability limitation above)
- Portability — receive your data in a machine-readable format
- Objection — object to processing based on legitimate interest
- Restriction — request that processing be limited
To exercise any of these rights, contact your issuing university or email our DPO at dpo@mychetichain.example. We will respond within 30 days.
8. Cookies & Local Storage
| Name | Type | Purpose | Expiry |
|---|---|---|---|
| admin_token | httpOnly cookie | Admin session authentication | 60 minutes |
| verifier_token | httpOnly cookie | Verifier session authentication | 60 minutes |
| cookie_consent | localStorage | Remember cookie-banner dismissal | Persistent (cleared by browser reset) |
We use no tracking, advertising, or analytics cookies. The session cookies are strictly necessary for the operation of the admin and verifier portals and do not require separate consent under the ePrivacy Directive.
9. Security Measures
- TLS encryption in transit for all API communications
- Passwords hashed with bcrypt (cost factor 12)
- JWTs signed with HS256 and revoked on logout
- httpOnly cookies prevent JavaScript access to session tokens
- Student private keys encrypted in AES-128-CTR keystore (v3 format)
- Permissioned blockchain — only authorised university nodes participate
10. Contact & Complaints
For privacy questions or to exercise your rights, contact:
If you are not satisfied with our response, you may lodge a complaint with the Tanzania Communications Regulatory Authority (TCRA), which is the designated supervisory authority for the PDPA 2022 in Tanzania. EU residents may also contact their national data protection supervisory authority.