Privacy Policy
Version 2026-05-18 · Last updated 2026-05-18
The short version
We built Certn to help small SaaS companies get SOC 2 ready without paying $30,000 a year for a compliance platform. To do that, we collect what you tell us about your company, store the evidence files and policies you upload, and use that information to track your readiness and generate the package you’ll hand to an auditor.
We don’t sell your data. We don’t run ads, we don’t use marketing trackers, and we don’t train AI models on your content. Your evidence files are visible only to you and to us when we need to look at the system to fix a problem. Your data is stored in the United States. Certn is offered only to US-incorporated companies.
This page tells you exactly what we collect, where it goes, who else touches it, and what you can ask us to do with it. If anything is unclear, write to us at info@certn.app and we will explain.
1. Who we are
Certn is operated by Andrew Ingram, operating as Certn (“Certn”, “we”, “us”), a sole proprietorship based in Colorado, United States. This privacy policy applies to the Certn website at certn.app and the Certn application at app.certn.app (together, the “Service”).
Who may use the Service. Certn is offered only to companies that are legally incorporated in the United States. By creating an account, you represent that you are using the Service on behalf of a US-incorporated company. We do not accept accounts from individuals, sole proprietorships, or companies incorporated outside the United States. If we discover that an account has been created in breach of this requirement, we will close it and delete the associated data.
For privacy questions, requests to access or delete your data, or any other inquiry under this policy, contact us at info@certn.app. We are the data controller for the information described below.
2. The information we collect
We only collect information that we need to run the Service. Here is the complete list.
2.1 Account information
When you create an account we collect:
- Your email address (used to log in, send you password resets, and contact you about the Service)
- A password (we never see your password in plain text; it is hashed by our authentication provider before storage)
- Your company name (used to label your workspace and on documents you generate)
2.2 Company and scoping information
When you complete onboarding and use the product, we store:
- Your answers to the scoping questionnaire (six questions about your business model, infrastructure, and the kind of data you handle, used to determine which SOC 2 controls apply to you)
- The list of applicable controls generated from those answers
- Settings like a company logo, a display name for exports, and your plan tier
2.3 Evidence and policy content (your SOC 2 data)
This is the core of what the product is for. When you use Certn you create and upload:
- Evidence files: documents you upload as proof of your controls. The Service accepts PDF, PNG, JPG, JPEG, GIF, WEBP, HEIC, CSV, XLSX, DOCX, PPTX, and TXT files, up to 10 MB per file. The contents are whatever you choose to upload (typical examples are screenshots of system settings, exported logs, signed agreements, training records, or vendor contracts).
- Notes you attach to each piece of evidence
- Policy documents you fill in using the built-in templates
- Folder names you create to organize your evidence
We treat all of this content as confidential to you. We do not read it, share it, or use it for any purpose other than displaying it back to you and including it in the audit packages you export. We do not use it to train AI models. We do not use it as input to any product analytics.
2.4 Communications
When you send us a message, we collect what you send:
- The contact form captures your name, email, company, topic, and message.
- The in-app support form captures your email, organization name, topic, message, the URL of the page you were on, and your browser user agent.
- The waitlist form captures your email, an optional note, and the page you signed up from.
2.5 Information collected automatically
- Session cookies placed by our authentication and hosting providers so we know you are logged in and so requests reach the right server. Essential. We use no analytics, advertising, or tracking cookies.
- Local browser storage for onboarding progress and dismissed in-app tips.
- Server access logs kept briefly by our hosting provider, including IP, time, and URL.
3. How we use your information
We use the information above to:
- Provide the Service
- Send you transactional emails
- Respond to your support requests
- Detect and fix bugs and security issues
- Comply with our legal obligations
We do not use your information for marketing emails, profiling, automated decision-making, or AI model training.
4. How we share your information
We do not sell your information. We share it only with the service providers below, each contractually required to use it only for the purposes we engage them for.
| Provider | What they do | What they receive |
|---|---|---|
| Supabase (Supabase Inc., on AWS in the US) | Hosts our database, auth, and file storage | Everything in sections 2.1, 2.2, and 2.3 |
| Resend (Resend Inc.) | Sends transactional and notification emails | Contact, support, and waitlist form contents plus the email addresses involved |
| Vercel (Vercel Inc.) | Hosts our website and application code | Standard request metadata (IP, user agent, URL) in short-lived access logs |
| Stripe (Stripe, Inc.) [not yet active] | Will process payments when paid plans launch | Your email and payment information you enter at checkout. We never see or store your card number. |
If we add or change a sub-processor, we will update this page and, where you have an active paid subscription, give you at least 30 days' notice by email.
We may also disclose information if required by law or to protect the safety or rights of Certn, our users, or the public. We will tell you about any such request unless legally prohibited.
In the event of a merger, acquisition, or sale of Certn’s assets, your information may be transferred to the acquiring entity. You will be notified before that happens.
5. Where your data is stored
Your data is stored and processed in the United States. Supabase (our database, auth, and file storage), Resend (email), and Vercel (hosting) all operate from US data centres.
6. How long we keep your data
- Active accounts: for as long as the account is active.
- Cancelled paid subscriptions: data accessible for 30 days for export, then permanently deleted.
- Account deletion request: permanently deleted within 30 days. (Self-serve deletion is on the roadmap; for now, email info@certn.app.)
- Contact, support, and waitlist messages: typically 24 months.
- Backup copies with Supabase: up to 30 days after deletion before overwrite.
- Server access logs: typically 1 to 3 days.
7. How we protect your information
- All connections use HTTPS (TLS 1.2 or higher).
- Data is encrypted at rest using AES-256.
- Access to your evidence files is restricted by row-level security policies in our database.
- File download links are short-lived signed URLs that expire within an hour.
- Passwords must be at least 8 characters with mixed case, numbers, and special characters.
- Access to production systems by our team is limited and logged.
Honest limits:
- Two-factor authentication (2FA) is not yet available. It is a near-term priority.
- We do not currently maintain a SOC 2 report ourselves. We are working toward one.
Report vulnerabilities to info@certn.app. We will respond within two business days. In the event of a personal data breach we will notify you and, where required, the relevant regulator within the timeframes required by law (no later than 72 hours where required).
8. Your rights
You have the following rights over your personal information:
- Access: ask for a copy of what we hold about you
- Correction: ask us to fix inaccurate or incomplete information
- Deletion: ask us to delete your account and the personal information we hold
- Portability: ask for a machine-readable export (also available from Settings for evidence and policy content)
- Withdraw consent where we rely on consent
- Object to or restrict certain uses
To exercise any of these rights, email info@certn.app. We will respond within 30 days. We may need to verify your identity.
For California residents: you have rights under the CCPA including the rights listed above and the right not to be discriminated against for exercising them. We do not sell or share your personal information for cross-context behavioural advertising.
If you are not satisfied with how we have handled a request or complaint, you may also contact your state attorney general’s office or, in California, the California Privacy Protection Agency at cppa.ca.gov.
9. Jurisdiction and international users
Certn is operated from Colorado, United States, and serves only US-incorporated companies. We do not knowingly accept users from the European Union, the United Kingdom, or any other jurisdiction outside the United States. If you are based outside the United States and have created an account, contact info@certn.app and we will close the account and delete the associated data.
10. Minors
Certn is a business product intended only for use by adults acting on behalf of a US-incorporated company. It is not intended for, and we do not knowingly collect personal information from, anyone under the age of 18. This aligns with our Terms of Service, which require users to be at least 18 years old. If you believe a minor has provided us with personal information, please contact us and we will delete it.
11. Changes to this policy
When we update this policy we change the “Last updated” date and bump the version. For material changes (new sub-processor, change in where your data is stored, new use of your information) we notify account holders by email at least 30 days before the changes take effect, and re-prompt for acceptance the next time you sign in. Past versions are available on request.
12. Contact us
Andrew Ingram, operating as Certn
Email: info@certn.app