Who we are
Perpetual is a blockchain-based credentialing platform operated by Human Logic Software LLC ("Human Logic Software LLC," "we," "us," or "our"), a company registered in the United Arab Emirates with its principal place of business at:
Human Logic Software LLC
Office 314, Zainal Mohebi Plaza, Al Karama
Dubai, United Arab Emirates
Contact: privacy@human-logic.com
For the purposes of the EU General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR), and the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL), Human Logic Software LLC is:
- A data controller in respect of personal data collected directly from our customers (issuing organisations and their authorised users), from website visitors, and from anyone who contacts us
- A data processor in respect of personal data that issuing organisations upload to the Perpetual platform for the purpose of issuing credentials to their recipients (in those cases, the issuing organisation is the data controller)
This distinction matters and is explained further in section 5.
Scope of this policy
This policy applies to:
- The Perpetual website at perpetual.academy and any subdomains
- The Perpetual application (the Issuer Portal, Admin Portal, Employer/Verifier Portal, Recipient Portal, and the Public Verification page)
- Any marketing communications, sales calls, support interactions, and demos conducted by Human Logic Software LLC in connection with Perpetual
This policy does not apply to:
- Third-party websites linked from Perpetual (you should review their privacy policies separately)
- The credentials themselves once they have been issued and shared by recipients to third parties of the recipient's choosing (the recipient controls those disclosures)
- Independent verification tools (such as the public BlockCerts verifier) that may be used to verify a Perpetual credential — those tools are operated by third parties under their own privacy policies
Quick summary
For those who want the substance without the legal precision, here is what this policy says in one page:
| What | Summary |
|---|---|
| What we collect | Account information from issuing organisations and their staff; recipient information that issuers upload to issue credentials; basic technical information from website visitors |
| Why we collect it | To operate the platform, issue credentials on behalf of issuing organisations, verify credentials, send essential service communications, comply with law, and improve the product |
| Who we share it with | Service providers (our subprocessors — listed in section 8); public blockchain networks and the Arweave decentralised storage network for the credential artifacts themselves; competent legal authorities where required by law |
| Where we store it | Primary infrastructure in Microsoft Azure; the credential artifacts themselves on Arweave (a permanent decentralised storage network); cryptographic anchors on the Ethereum public blockchain |
| How long we keep it | Account data for as long as your account is active, plus the periods required by law; credential artifacts on Arweave and on the blockchain are permanent and cannot be deleted by anyone, including us — this is explained fully in section 7 |
| Your rights | Access, correction, erasure (subject to the permanence of blockchain anchors and Arweave storage, explained in section 11), restriction, portability, objection, and the right to lodge a complaint with a supervisory authority |
| Contact | privacy@human-logic.com |
The information we collect
4.1 Information you give us directly
If you are an issuing organisation (or a user authorised by one):
- Your name, work email address, work phone number, and job title
- Your organisation's name, address, domain, and country of registration
- Your organisation's payment information (collected and stored by our payment processors — we do not directly store full card numbers)
- The username, password (stored as a one-way hash — never readable by us), and two-factor authentication device information for your account
- The content you upload to Perpetual to issue credentials: recipient names, recipient email addresses, course or programme details, grades or scores, dates, certificate template designs, and any other fields you choose to include
- Issuer DID configuration, including the public cryptographic keys associated with your organisation's domain
If you are a recipient of a Perpetual-issued credential:
- Your name, as supplied by the issuing organisation
- Your email address, as supplied by the issuing organisation
- The credential content itself (what was issued, by whom, when, and any additional fields the issuer chose to include)
- Any information you choose to add to your recipient profile (if you create one), such as a display name, a profile photo, or links to social profiles
If you are an employer, verifier, or member of the public verifying a credential:
- The credential identifier you verified
- Basic technical information about your request (date, time, browser type, IP address, referring URL) — used to detect abuse and to compile aggregate verification statistics for issuers
If you contact us:
- Your name, email address, and the content of your message
- Any other information you choose to provide
4.2 Information collected automatically
When you use the Perpetual website or application, we collect:
- Technical information — IP address, browser type and version, operating system, screen resolution, language preference, referring URL, and the pages you visited
- Usage information — actions you took within the application, features you used, and time spent
- Cookies and similar technologies — described in section 13
4.3 Information from third parties
If you sign in to Perpetual using Microsoft Entra ID (Azure AD), Google, or another single sign-on provider, we receive your name, email address, and a unique identifier from that provider. We do not receive your password.
If you purchase Perpetual through the Microsoft Commercial Marketplace, we receive your purchase confirmation, your Azure tenant ID, your billing country, and the plan you purchased — but not your payment card details, which remain with Microsoft.
Controller vs processor — and why it matters
When an issuing organisation uses Perpetual to issue credentials to its recipients, that organisation determines whose data is processed, what data is processed, and for what purpose. In privacy law terms, the issuing organisation is the controller of that data, and Human Logic Software LLC is acting as a processor on the organisation's behalf.
This means:
- We process recipient data only on the documented instructions of the issuing organisation (typically captured in our Data Processing Agreement, which is incorporated into the customer's contract)
- We do not use recipient data for our own purposes — for example, we do not market other products to recipients based on the credentials they hold
- Recipient rights requests (access, correction, erasure, etc.) should generally be directed first to the issuing organisation, although we will assist as required by law
When you create an account as an administrator of an issuing organisation, when you visit our website, or when you contact us directly, Human Logic Software LLC is the controller of that data and acts under this policy directly.
How we use your information
We use personal data for the purposes set out below. Where we are the controller, we rely on the legal bases identified in the panels at the end of each subsection.
6.1 To operate the Perpetual platform
- Authenticating you, maintaining your session, and securing your account
- Issuing, verifying, revoking, and listing credentials
- Providing customer support
- Sending essential service communications (account creation, password resets, billing receipts, security alerts, credential issuance confirmations)
6.2 To improve and develop the platform
- Analysing aggregated usage patterns to identify product improvements
- Diagnosing technical issues and fixing bugs
- Researching new features
6.3 To communicate with you about Perpetual
- Responding to your enquiries and providing pre-sales information
- Sending product updates and important platform announcements
- Sending optional marketing communications about Perpetual (you can opt out at any time)
6.4 To comply with legal obligations
- Responding to lawful requests from regulators, courts, and law enforcement
- Detecting, preventing, and addressing fraud, abuse, security issues, and violations of our Terms of Service
- Maintaining records required by tax, accounting, and corporate law
6.5 To process payments
- Calculating amounts owed, generating invoices, processing payments through our payment processors and through the Microsoft Commercial Marketplace, and remitting taxes where required
The Perpetual architecture — what is permanent, and why
Perpetual's architecture has direct, irreversible privacy implications that you have the right to understand before becoming a customer, a recipient, or a user.
7.1 What gets stored on Arweave (permanent decentralised storage)
When a credential is issued through Perpetual, the following items are stored on Arweave, a public decentralised storage network operated by no single company:
- The signed BlockCerts credential file (JSON), which contains: the recipient's name, the recipient's email address (where included by the issuer), the credential content (course, programme, qualification, grades, dates), and the issuer's public profile
- A rendered PDF of the credential certificate as designed by the issuer
- The issuer's public profile (organisation name, domain, public keys)
7.2 What gets stored on the public blockchain (Ethereum)
For each batch of credentials issued, only the following is recorded on the public blockchain:
- A single 32-byte cryptographic hash (the Merkle root) summarising the entire batch of credentials
- The transaction timestamp
- The issuer's wallet address (a pseudonymous public key)
Names, email addresses, credential content, and any other personal data are never written to the blockchain. What appears on-chain is a mathematical fingerprint of the batch, from which the original data cannot be reconstructed.
7.3 What cannot be deleted
Data written to Arweave and to the public blockchain cannot be deleted by anyone — including us.
Both Arweave and the public blockchain are, by design, append-only and decentralised. Data written to them cannot be deleted, modified, or backdated by anyone, including us, including the network operators, including a court order directed at us. This permanence is the architectural foundation of Perpetual.
7.4 What this means for your rights
The blockchain anchor — being only a 32-byte hash with no embedded personal data — is, in our analysis, not personal data in the GDPR sense once issued. It is a mathematical artifact that cannot, on its own, identify anyone.
The Arweave-stored credential does contain personal data, and a recipient's right to erasure under GDPR Article 17 will therefore interact with the permanence of that storage. We address this honestly:
- We cannot delete data from Arweave. No one can
- The credential is designed to be a portable artifact in the recipient's possession; the recipient controls whom they share it with
- The credential is encrypted in transit and is most useful only when actively presented by the recipient — it is not surfaced through a searchable directory
- If a recipient asks us to remove their credential, we will: (a) revoke the credential through CredentialStatusList so that every standards-compliant verifier shows it as revoked; (b) remove any indexing or search references we control; (c) delete any of the recipient's personal data that lives in our own databases; and (d) document the residual Arweave artifact as a known limitation of the underlying technology
Who we share your information with
We share personal data only in the circumstances described below.
8.1 Service providers (subprocessors)
We use a small number of carefully selected service providers to operate Perpetual. They process personal data on our instructions and under contracts that impose strict confidentiality and data protection obligations equivalent to our own.
Our current subprocessors include:
| Subprocessor | Purpose | Location |
|---|---|---|
| Microsoft Azure | Application hosting, database storage, content delivery | European Union (North Europe / West Europe) |
| Arweave | Permanent storage of credential artifacts | Decentralised global network |
| Ethereum public blockchain | Anchoring of credential batch hashes | Decentralised global network |
| Stripe | Payment processing (for direct customers) | United States, European Union |
| Microsoft Commercial Marketplace | Payment processing (for marketplace customers) | Global, per Microsoft's policies |
| Amazon Web Services SES | Transactional email delivery | European Union (eu-west-1) |
Customers will be given prior notice of any material changes to this subprocessor list by email.
8.2 The blockchain and Arweave networks
By design, the credential batch hash and the credential artifact are written to public decentralised networks. These networks are not service providers in the traditional sense — they are public infrastructure. We have no contract with the Ethereum network or with Arweave nodes. We rely on these networks because their permanence and decentralisation is the core feature of Perpetual.
What appears on the blockchain is a 32-byte hash with no personal data embedded. What appears on Arweave is the credential artifact itself.
8.3 Issuing organisations
If you are a recipient of a credential, the issuing organisation that issued your credential has access to:
- The credential they issued you
- Verification analytics for that credential (number of times verified, country of verification, anonymised user agents)
- Your name and email address as they originally provided them
8.4 Verifiers and the general public
If you are a recipient of a credential and you choose to share the verification link with a verifier (an employer, an admissions office, anyone), that verifier will see the credential and its content. The Public Verification page is publicly accessible by design — the entire point of a verifiable credential is that anyone holding the credential file or the verification URL can confirm its authenticity. You control who you share your credential with.
8.5 Legal authorities
We will disclose personal data to courts, regulators, law enforcement, or other competent authorities when we are legally required to do so, when we have a good-faith belief that doing so is necessary to comply with a legal obligation, or when necessary to protect the rights, property, or safety of Human Logic Software LLC, our users, or the public.
8.6 Business transfers
If Human Logic Software LLC is involved in a merger, acquisition, restructuring, or sale of assets, personal data may be transferred to the acquiring entity, subject to a continuation of substantially equivalent privacy protections.
We do not sell personal data to third parties.
International transfers
Personal data we collect may be transferred to, processed in, and stored in countries other than the country in which you are located. These countries may have data protection laws that are different from the laws in your country.
When we transfer personal data outside of the UAE, the EU/EEA, or the UK, we rely on appropriate safeguards, including:
- The European Commission's Standard Contractual Clauses (SCCs) and the UK Addendum
- The UAE PDPL's transfer mechanisms under Article 22
- Adequacy decisions where they apply
- Your explicit consent where lawful and appropriate
Perpetual is operated by Human Logic Software LLC from the United Arab Emirates, but the platform itself is hosted on Microsoft Azure infrastructure in the European Union (North Europe / West Europe regions). Customer and recipient data therefore primarily resides in the EU/EEA.
For data subjects located in the EU/EEA and the UK, this means that personal data processed by Perpetual remains within the EU/EEA for substantially all of its lifecycle, except where (a) it is written to the public blockchain or Arweave (which are global decentralised networks and cannot be regionally restricted), or (b) it is transmitted to subprocessors located outside the EU/EEA.
Note that the blockchain anchor and Arweave storage are global by nature and cannot be regionally restricted. This is explained further in section 7.
How long we keep your data
| Data type | Retention period |
|---|---|
| Account information for active customers | For as long as your account is active, plus any periods required by law |
| Account information after account closure | 90 days for account recovery; up to 7 years for accounting, tax, and legal compliance, then deleted or anonymised |
| Recipient data in our own databases | While the issuing organisation maintains its account; on termination, deleted within 90 days unless the issuer requests retention |
| Credential artifact on Arweave | Permanent — cannot be deleted (see section 7) |
| Credential batch hash on the blockchain | Permanent — cannot be deleted (see section 7) |
| Website visitor logs | Server access logs deleted after 30 days |
| Support and communication records | 3 years from the date of last contact |
| Marketing contact information | Until you unsubscribe, then 1 year for unsubscribe-list maintenance |
| Backups | Up to 90 days, then overwritten |
Your rights
Depending on where you live, you have the following rights in respect of your personal data:
11.1 Rights available to everyone we serve
- Access: to be told what personal data we hold about you and to receive a copy
- Correction: to ask us to correct inaccurate or incomplete data
- Erasure: to ask us to delete data, subject to the limitations of permanent storage explained in section 7 and any legal retention obligations
- Restriction: to ask us to limit how we use your data in certain circumstances
- Portability: to receive your data in a structured, machine-readable format, and to ask us to send it to another controller where technically feasible
- Objection: to object to certain processing, including direct marketing (which we will always honour)
- Withdrawal of consent: where we rely on consent, to withdraw it at any time
- Complaint: to lodge a complaint with the supervisory authority in your country
To exercise any of these rights, contact us at privacy@human-logic.com. We will respond within the timeframe required by applicable law (typically 30 days under GDPR, 30 days under UAE PDPL, and 45 days under the CCPA).
11.2 Additional rights under the UAE PDPL
Residents of the UAE have, in addition to the above, the right to be informed of any breach of their personal data that is likely to result in significant harm, and to lodge a complaint with the UAE Data Office.
11.3 Additional rights under the EU/UK GDPR
EU and UK residents may lodge a complaint with their national data protection authority, including:
- For UK residents: the Information Commissioner's Office (ICO)
- For EU residents: the supervisory authority in the EU Member State of your habitual residence
11.4 Additional rights under US state laws
If you are a resident of California, Virginia, Colorado, Connecticut, Utah, or another US state with a comprehensive privacy law, you may have additional rights including the right to know the categories of personal information we have collected, the right to opt out of the sale or sharing of personal information (we do not sell personal information), and the right to non-discrimination for exercising your privacy rights.
11.5 FERPA — for US educational institutions
Where Perpetual is used by US educational institutions to issue credentials that constitute "education records" under the Family Educational Rights and Privacy Act (FERPA), Human Logic Software LLC operates as a "school official" with a "legitimate educational interest" under the institution's outsourcing exception (34 CFR § 99.31(a)(1)(i)(B)). We process student records only under the institution's instructions, do not disclose personally identifiable information from those records except as authorised by the institution or required by law, and provide students (and parents, where applicable) with access to their records through their issuing institution.
Children
Perpetual is not directed at children under 16 (or the equivalent age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. Where issuing organisations use Perpetual to issue credentials to children — for example, in primary or secondary education — the issuing organisation acts as the controller and is responsible for obtaining parental or guardian consent as required by applicable law (including FERPA in the US and the GDPR in Europe).
If you believe we have collected personal data from a child without appropriate consent, please contact us at privacy@human-logic.com and we will delete it from the systems we control.
Cookies and similar technologies
We use a small number of cookies and similar technologies to operate the Perpetual website and application:
- Strictly necessary cookies — for authentication, session management, security, and load balancing. These cannot be disabled
- Functional cookies — to remember your preferences (language, RTL/LTR, theme)
We do not use analytics cookies, advertising cookies, retargeting pixels, or behavioural tracking.
You can manage cookies through your browser settings. Disabling strictly necessary cookies will prevent the application from functioning.
Security
We take the security of personal data seriously. Our measures include:
- TLS 1.3 for all data in transit
- Encryption at rest for data we store in our own systems
- One-way password hashing using current best-practice algorithms (Argon2 or bcrypt)
- Two-factor authentication, available on all accounts and mandatory for administrator accounts
- Role-based access control with the principle of least privilege
- Audit logs of administrative actions, retained for security review
- Regular security testing including penetration tests
- A formal incident response procedure with breach notification commitments
- Vendor security review for all subprocessors
- Staff training and confidentiality obligations
No security measure is perfect. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority and (where required) affected individuals in accordance with applicable law.
Automated decision-making
We do not use personal data for automated decision-making that produces legal or similarly significant effects on individuals.
Changes to this policy
We may update this policy from time to time. When we do, we will:
- Update the "Last updated" date at the top
- For material changes, notify active customers and registered users by email at least 30 days before the change takes effect
Continued use of Perpetual after the effective date of a change constitutes acceptance of the updated policy.
Contact us
For any question about this policy or about how we handle your data:
Office 314, Zainal Mohebi Plaza, Al Karama
Dubai, United Arab Emirates
Region-specific additional notices
18.1 European Union and European Economic Area
For the purposes of GDPR, the legal bases on which we rely are stated in section 6. You may lodge a complaint with the supervisory authority in the EU Member State of your residence.
18.2 United Kingdom
For the purposes of the UK GDPR and the Data Protection Act 2018, you may lodge a complaint with the Information Commissioner's Office (ICO).
18.3 United Arab Emirates
For the purposes of UAE PDPL, you may lodge a complaint with the UAE Data Office.
18.4 United States — California
If you are a California resident, the categories of personal information we have collected in the past 12 months are set out in section 4. We do not sell or share personal information as those terms are defined under California law. You have the right to know, the right to delete, the right to correct, the right to limit use of sensitive personal information, and the right to non-discrimination. To exercise these rights, contact us as set out in section 17.
18.5 Other US States
If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, or any other US state with a comprehensive privacy law, you may have rights similar to those described in section 11.1 and in the California-specific section above. Contact us to exercise them.
End of policy