CertSafe

Legal

Privacy policy

Effective: TBD — pending counsel review

Draft template. This document is a working draft and has not been reviewed by counsel. Do not rely on it for legal purposes. Before launch we will replace this with a reviewed version. Questions in the meantime: hello@certsafe.ai.

This policy describes how CertSafe collects, uses, and protects personal information when you use the CertSafe website at certsafe.ai, the CertSafe mobile applications, and related services (collectively, the "Services").

CertSafe is operated by a company registered in the State of Utah, USA. If you have questions about this policy, email hello@certsafe.ai.

Information we collect

Information you provide

  • Account information: name, work email, company name, password (stored as a salted hash), and role.
  • Credential data: occupational tickets, permits, and competency cards that you or your employer upload, including issuing body, credential type, dates of issue and expiry, and supporting documents.
  • Communications: messages you send through the contact form, support channels, or by email.
  • Billing information: handled by our payment processor (Stripe). We do not store full payment card numbers on our systems.

Information we collect automatically

  • Usage data: pages viewed, features used, timestamps, and referring URLs.
  • Device data: device type, operating system, browser, and general location derived from IP address.
  • Log data: server logs that capture request and error information for security and debugging.

How we use information

  • To provide, operate, and improve the Services.
  • To send reminders about expiring credentials and other service-related notifications.
  • To verify credentials presented by workers to supervisors at the gate.
  • To respond to support requests and customer communications.
  • To detect, investigate, and prevent fraud and abuse.
  • To comply with legal obligations.

How we share information

We do not sell personal information. We share information only as described below:

  • With your employer or organisation. If your account is part of an organisation in CertSafe, the organisation's administrators may see your credential data and account information as needed to manage workforce readiness.
  • With verifiers at the gate. When you present a credential for verification, the verifier sees the credential name and status. They do not see underlying PII unless their role explicitly permits it.
  • With service providers (sub-processors). We use third-party services to operate CertSafe, including hosting (e.g. Vercel), database and authentication (e.g. Supabase), and payments (e.g. Stripe). These providers process information under our instructions and are bound by data-processing terms.
  • For legal reasons. We may disclose information when required by law, subpoena, or court order, or to protect rights, property, or safety.

Data retention

We retain personal information for as long as your account is active. If your account or your organisation's account is cancelled, we retain data for up to 30 days before deletion, unless a longer period is required by law or by the audit defensibility needs of your organisation. Enterprise customers can negotiate alternative retention windows in writing.

Your rights

Depending on your jurisdiction you may have rights to access, correct, delete, or export your personal information; to object to or restrict certain processing; and to lodge a complaint with a data protection authority. To exercise any of these rights, email hello@certsafe.ai.

International transfers

CertSafe is based in the United States. Information you provide may be processed in the United States or other countries where our service providers operate. We offer Canadian data residency to customers whose regulatory posture requires it; tell us during onboarding if this applies to you.

Security

We use industry-standard technical and organisational measures to protect personal information, including TLS in transit, encryption at rest, role-based access control, and a tamper-evident audit log of credential events. See our Security page for details and how to contact our security team.

Children's privacy

CertSafe is intended for use by adults (18+) in occupational settings. We do not knowingly collect personal information from children under 18. If you believe a child has provided personal information to us, contact hello@certsafe.ai and we will delete it.

Changes to this policy

We may update this policy from time to time. Material changes will be communicated to active customers by email and posted on this page with an updated effective date.

Contact

Privacy questions and rights requests: hello@certsafe.ai.

See also: Privacy · Terms · Security