BCdiploma is a SaaS digital certification solution operated by Blockchain Certified Data SAS. We enable institutions (universities, schools, training organizations, public and private bodies) to issue, store and verify digital certificates and credentials, in particular for students and professionals.
Depending on the case:
- The client institution is the data controller for the personal data of its students, graduates and staff,
- BCdiploma acts as a data processor on behalf of that institution,
- For data collected directly on our websites (contact forms, support, prospecting), BCdiploma is the data controller.
- In all cases, the client institution retains ownership of the data it entrusts to us.
The data we process varies depending on your relationship with BCdiploma.
Website visitors
- Browsing data: IP address, pages viewed, visit duration, browser type.
- Form data: last name, first name, professional email address, organization, subject of request.
- Cookie and tracker data (with your consent): session identifiers, navigation events.
BCdiploma application users
- Account data: last name, first name, professional email address, role.
- Usage data: connection and activity logs.
- Support data: exchanges with our team, feedback and satisfaction surveys.
- Billing data (for direct payment): billing details processed by our payment provider.
Certification holders (students, graduates)
- Certification data: last name, first name, title of the degree or certification, and any other data deemed useful by the issuing institution.
BCdiploma does not directly create accounts for students or minors. Access to certificates is via a secure URL provided by the institution or by the certificate holder.
For institutions subject to specific regulations (e.g. FERPA), BCdiploma acts as a technical provider acting on the institution's instructions and within the contractual framework agreed with it.
BCdiploma does not seek to collect special categories of data through the platform, unless expressly and deliberately decided by the institution acting as data controller.
We use personal data only for specific, explicit and legitimate purposes, in particular:
- Providing the BCdiploma service: issuing, hosting and displaying digital certificates and credentials, managing administrator accounts, configuring the platform.
- Securing and maintaining the platform: logging, incident detection, fraud and abuse prevention, improving the performance and availability of the service.
- Responding to requests: user support, commercial enquiries, information on service developments.
We do not use your data for behavioural advertising purposes and do not resell personal data. No advertising is displayed on the BCdiploma platform.
The legal bases applicable to these processing activities are as follows: the performance of the contract with the institution (service provision, account management); compliance with a legal obligation (retention of certain logs); our legitimate interests (platform security, support, B2B prospecting with professionals).
We entrust the processing of your data only to third parties necessary for the operation of our services or our B2B prospecting, and always within a contractual framework compliant with the GDPR.
The sub-processors engaged vary depending on your relationship with BCdiploma.
Website visitors
- Hosting: Microsoft Azure (EU and US)
- CRM: HubSpot (EU)
- Audience measurement: Google (US)
- B2B prospecting: Apollo.io (US)
- Marketing analytics: Funnel.io (EU)
BCdiploma application users
For the operation of our Digital Credentials service, these include our cloud infrastructure, customer relationship management, payment platform and analytics providers.
Active sub-processors depend on the plan subscribed to by your institution. The detailed list of active sub-processors for your institution is available and kept up to date at: https://docs.bcdiploma.com/legal/rgpd.html#data-recipients.
Certification holders (students, graduates)
- Hosting: Microsoft Azure (EU or US)
- Sending certificate notification emails: Brevo (EU)
In all cases, these providers act as sub-processors under contracts imposing confidentiality, security and GDPR compliance obligations. They do not use your data for their own marketing or advertising purposes.
Hosting
Our services are hosted in Microsoft Azure data centres. By default, BCdiploma production environments (certificate issuance and viewing platform) are located in the European Union, primarily in France and the Netherlands.
At the request of certain institutions, and where justified by their regulatory or operational constraints, we may host platform data in Microsoft Azure data centres located in the United States.
In that case:
- The choice of region is contractually agreed with the institution;
- Data flows between the European Union and the United States are governed by international transfer mechanisms compliant with the GDPR (e.g. standard contractual clauses or equivalent mechanisms in force).
When certain data must be transferred outside the European Economic Area (for example for a specialist provider), we ensure that the appropriate safeguards required by the GDPR are properly implemented (such as standard contractual clauses) in order to protect your rights.
Cookie and prospecting data
Navigation data collected via cookies or trackers may be processed:
- On our own servers hosted in Azure
- And by the providers listed in section 4, which may have infrastructure located inside or outside the EU.
When these providers process data outside the EEA, we ensure that appropriate safeguards are in place (standard contractual clauses, certifications, audits, etc.), and that they offer a level of data protection compliant with GDPR requirements.
We implement technical and organisational measures designed to protect the confidentiality, integrity and availability of data, in particular:
- Data encryption in transit (TLS 1.2 or higher) and at rest (AES-256);
- Strict access control, principle of least privilege, authentication via institutional SSO and multi-factor authentication (MFA) for sensitive administrator accounts;
- Environment segmentation (development, test, production) and secure development best practices;
- Regular backups, business continuity and disaster recovery procedures;
- Logging and security monitoring, security testing and regular audits;
- Risk, vulnerability and third-party supplier management.
We retain personal data only for as long as necessary for the purposes described in this policy.
- Certification data: Duration of the contract with the institution, then deletion upon request
- User accounts: Duration of the contract, then deletion within 24 months after the end of the contract
- Technical and security logs: 12 rolling months
- Contact, support and prospecting data: 5 years from the last contact
When you visit our websites or use our web application, we may place cookies or similar trackers on your device.
We primarily use:
- Strictly necessary cookies for the operation of the site and security (for example, to keep your session open);
- Functional cookies to remember your preferences (language, display settings);
- Audience measurement and B2B prospecting cookies, which allow us to analyse traffic on our pages and better target our prospecting activities with professionals.
We do not use cookies for behavioural advertising purposes. On your first visit, a banner allows you to accept or refuse non-essential cookies. You can change your choice at any time via the "Manage my cookies" link available at the bottom of each page. Refusing analytical and prospecting cookies does not affect access to the main features of the service.
You have rights over your personal data, in particular:
- Right of access to your data;
- Right to rectification of inaccurate or incomplete data;
- Right to erasure ("right to be forgotten");
- Right to restriction of processing;
- Right to object to certain processing activities;
- Right to data portability, where technically possible.
For data managed by your institution (for example your academic or certification data), please contact them directly to exercise your rights. We will assist the institution in handling your request.
For data for which BCdiploma is the controller (contact forms, support, prospecting), you can contact us as indicated below. We will respond to your request within the time limits provided by law, in principle one month.
You also have the right to lodge a complaint with the competent supervisory authority (in France, the CNIL).
For any question about this policy or about how we process your data, or to exercise your rights when BCdiploma is the data controller, you can contact us:
- Email: dpo@bcdiploma.com
- Postal address: Blockchain Certified Data SAS, 104 avenue Albert 1er, 92500 Rueil-Malmaison, France
- Phone: +33 1 84 19 92 58
Blockchain Certified Data has appointed a Data Protection Officer (DPO) with the CNIL.
We may be required to amend this privacy policy to take into account changes in our services or regulations. The current version is always available on the bcdiploma.com website; the date of the last update appears at the top of the document. In the event of a significant change (e.g. modification of our list of sub-processors), we will inform client institutions through the usual communication channels, namely the BCdiploma service status page.