CovidPass

i

Privacy Policy

Our privacy policy is based on the terms used by the European legislator for the adoption of the General Data Protection Regulation (GDPR).

General information

  • The whole process of generating the pass file happens locally in your browser. For the signing step, only a hashed representation of your data is sent to the server.
  • Your data is not stored beyond the active browser session and the site does not use cookies.
  • No data is sent to third parties.
  • We transmit your data securely over https.
  • Our server is hosted in Nuremberg, Germany.
  • The source code of this site is available on GitHub.
  • By default, Apple Wallet passes are accessible from the lock screen. This can be changed in the settings.
  • The server provider processes data to provide this site. In order to better understand what measures they take to protect your data, please also read their privacy policy and the data privacy FAQ.

Contact

Marvin Sextro
Wilhelm-Busch-Str. 8A
30167 Hannover
Email:  marvin.sextro@gmail.com
Website:  https://marvinsextro.de

Simplified explanation of the process

First, the following steps happen locally in your browser:

  • Recognizing and extracting the QR code data from your selected certificate
  • Decoding your personal and health-related data from the QR code payload
  • Assembling an incomplete pass file out of your data
  • Generating a file containing hashes of the data stored in the pass file
  • Sending only the file containing the hashes to our server

Second, the following steps happen on our server:

  • Receiving and checking the hashes which were generated locally
  • Signing the file containing the hashes
  • Sending the signature back

Finally, the following steps happen locally in your browser:

  • Assembling the signed pass file out of the incomplete file generated locally and the signature
  • Saving the file on your device

Locally processed data

The Digital Covid Certificate Schema contains a detailed specification of which data can be contained in the QR code and will be processed in your browser.

Server provider

Our server provider is

Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen

The following data may be collected and stored in the server log files:

  • The browser types and versions used
  • The operating system used by the accessing system
  • The website from which an accessing system reaches our website (so-called referrers)
  • The date and time of access
  • The pseudonymised IP addresses

Your rights

In accordance with the GDPR you have the following rights:

  • Right of access to your data; You have the right to know what data has been collected about you and how it was processed.
  • Right to be forgotten; Erasure of your personal data.
  • Right of rectification; You have the right to correct inaccurate data.
  • Right of data portability; You have the right to transfer your data from one processing system into another.

Third parties linked