Legal

Privacy notice

Last updated: 10 May 2026 · Effective from publication

This notice explains how ESTCA Association (a Dutch association registered at the Chamber of Commerce in Amsterdam, Netherlands) processes personal data on estca.eu. We process personal data in line with the EU General Data Protection Regulation (GDPR) and the Dutch implementing law (UAVG), and the UK GDPR where services are provided to UK residents.

Who is the controller

ESTCA Association is the data controller for personal data processed on this website. For all privacy enquiries, including access requests, contact contact@estca.eu.

What we collect on this site

We aim to collect as little personal data as possible.

  • Public register lookups. When you search the public register, we process the pet passport number you enter so we can return the certification status. We do not display owner contact information in the public result. The search query is processed in memory and not retained against your identity.
  • Server logs. Our hosting provider records request metadata (IP address, timestamp, user agent, response status) for security, rate limiting and abuse prevention. Logs are retained only as long as needed for these purposes (typically 30 days).
  • Analytics. We use Vercel Analytics, a privacy-respecting analytics service that does not use cookies, does not collect personal data, and aggregates page-view data without identifying individual visitors. No data is sold or shared with third parties for advertising.
  • Email correspondence. If you contact us at contact@estca.eu, we process your email address and the contents of your message in order to respond. Email correspondence is retained as required for service operation and standard governance, then deleted.

What we do not do

  • We do not use cookies for tracking or advertising.
  • We do not sell, rent or trade personal data to anyone.
  • We do not display owner contact information in public register results.
  • We do not profile visitors for marketing purposes.

Lawful basis

The lawful basis for the processing described above is our legitimate interest (Article 6(1)(f) GDPR) in operating a public verification register, securing the service against abuse, and responding to enquiries. For email correspondence the basis is the steps you take before entering into a service or governance interaction with us.

Certification and ingest

Day-to-day certification (trainer accreditation, dog assessment, issue of certificates) is operated separately at certified-estca.eu. That platform has its own privacy notice covering owner and dog data, training records, and assessment evidence.

The estca.eu register receives only the minimum information needed for public verification: passport reference, certification status, validity dates, certifying trainer name, and audit metadata. Owner contact data is not transferred to the public register.

Sub-processors

We use the following service providers to operate the site. Each is bound by a data processing agreement and processes data only on our documented instructions.

  • Vercel — site hosting, edge delivery and analytics (EU regions where available)
  • Supabase — database and authentication for the registry (EU region)

Retention

We retain personal data only as long as needed for the purpose it was collected, or as required by law. Server logs: 30 days. Email correspondence: as long as needed to handle the matter and meet governance obligations. Public register entries: for the lifetime of the certification plus the period required for accountability and appeal handling under Part F of ESTCA-STD-001.

International transfers

Where personal data is transferred outside the European Economic Area, transfers are protected by Standard Contractual Clauses or equivalent safeguards approved under Article 46 GDPR.

Your rights

Under the GDPR you have the right to access, rectify, erase, restrict or object to processing of your personal data, and the right to data portability where applicable. To exercise any of these rights, email contact@estca.eu. We will respond within one month.

You have the right to lodge a complaint with a supervisory authority if you believe your data has been mishandled. The Dutch Data Protection Authority is Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).

Security

We use HTTPS across the site, modern security headers (HSTS, Content-Security-Policy, X-Frame-Options), and access controls on the registry and admin systems. Security researchers can find contact information at /.well-known/security.txt.

Changes to this notice

We may update this notice from time to time. The “Last updated” date at the top of this page reflects the most recent revision. Material changes will be flagged in the Articles section.

Contact

ESTCA Association · Amsterdam, Netherlands · contact@estca.eu