Summary
CertSeal.com ("CertSeal", "we", "us") helps organizations design, issue, and verify digital credentials. This Privacy Policy explains what personal data we collect, why we collect it, how long we keep it, and the rights you have over it.
- We do not sell personal data.
- We act as a processor for credential recipient data on behalf of issuers.
- We act as a controller for issuer account, billing, and platform-usage data.
- All data is encrypted in transit and at rest, hosted on enterprise cloud infrastructure.
Scope
This policy applies to the CertSeal website (https://certseal.com), our web application (https://app.certseal.com), our APIs, and all related services (collectively, the "Service"). It applies to personal data of:
- Issuers — people who sign up for and administer a CertSeal account on behalf of an organization.
- Recipients — people who receive credentials issued through CertSeal by an issuer.
- Website visitors — people browsing our marketing site.
Data we collect
Issuer data (we are the controller)
- Account data — name, work email, password hash, role, organization name.
- Billing data — billing contact, address, tax ID, payment method tokens (handled by our PCI-DSS-compliant payment processor; we never see full card numbers).
- Usage data — pages visited, features used, error logs, IP address, device and browser metadata.
- Communications — support tickets, chat transcripts, survey responses, and emails you send us.
Recipient data (we are the processor)
- Credential metadata — name, email, course/program name, issue date, expiry date, scores, and any additional fields the issuer chooses to include.
- Verification logs — anonymized records of when and from where a credential is verified (used to detect fraud and provide analytics to the issuer).
- Engagement — opens, clicks, and shares of credentials delivered by email.
How we use data
- To provide, secure, and improve the Service.
- To issue, deliver, and verify credentials on behalf of issuers.
- To bill issuers for paid plans and prevent payment fraud.
- To provide customer support and respond to inquiries.
- To detect, prevent, and respond to security incidents and abuse.
- To send service-related notifications (downtime, security advisories, policy changes).
- To send product updates and marketing — only with consent, and you can unsubscribe at any time.
- To comply with legal obligations.
Legal bases (GDPR)
If you are in the European Economic Area, UK, or Switzerland, we rely on these legal bases:
- Contract — to provide the Service you signed up for.
- Legitimate interests — to secure the Service, prevent fraud, improve product quality, and run our business.
- Consent — for non-essential cookies and marketing emails.
- Legal obligation — to meet our tax, accounting, and regulatory duties.
Who we share data with
We share personal data only with:
- Sub-processors we engage to run the Service (hosting, email delivery, analytics, error monitoring, customer support, billing). A current list is available in our Data Processing Addendum.
- Issuers — recipient data is shared with the issuing organization, which controls how it is used after issuance.
- Verifiers — third parties verifying a credential see the credential's public attributes (recipient name, course, issuer, dates) and verification status.
- Authorities — where required by valid legal process. We push back on overbroad requests and notify affected users unless prohibited.
- Successors — in connection with a merger, acquisition, or sale of assets, with notice to affected users.
We do not sell or rent personal data, and we do not use it to train third-party AI models.
International transfers
CertSeal is operated from Singapore with infrastructure in the European Union and the United States. Where we transfer personal data across borders, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, and the EU–US Data Privacy Framework where applicable.
Retention
- Issuer account data — kept for the life of the account, then 30 days after cancellation, after which it is deleted or anonymized.
- Recipient credential data — kept as long as the issuing organization keeps the credential active. Already-issued credentials remain verifiable indefinitely unless the issuer revokes or deletes them.
- Billing records — retained for at least 7 years as required by tax and accounting law.
- Support tickets — retained for 2 years for quality and training purposes.
- Server logs — security logs retained for up to 12 months, then deleted or aggregated.
Security
We protect personal data with administrative, technical, and physical safeguards including:
- TLS 1.2+ for all data in transit.
- AES-256 encryption for data at rest.
- Least-privilege access controls, single sign-on for staff, and mandatory hardware-key MFA.
- Daily encrypted backups with quarterly restore tests.
- Regular third-party penetration testing and a responsible-disclosure programme.
No system is perfectly secure. If you believe you have discovered a vulnerability, please email support@certseal.com.
Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Delete your data ("right to erasure").
- Object to or restrict certain processing.
- Port your data to another service.
- Withdraw consent at any time, without affecting the lawfulness of past processing.
- Lodge a complaint with your local data protection authority.
To exercise any of these rights, email hello@certseal.com. For recipient data held on behalf of an issuer, please contact the issuing organization first; we will forward your request and assist as needed.
Children
The Service is not directed at children under 16 and we do not knowingly collect personal data from them. Issuers may use CertSeal to issue credentials to minors (e.g. K-12 schools) under their own legal basis and parental consent obligations, with CertSeal acting strictly as their processor.
Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify active issuer accounts at least 30 days before the changes take effect. The "Last updated" date at the top of this page always reflects the most recent revision.
Contact us
Questions about this policy or how we handle your data? Email hello@certseal.com or write to us at:
CertSeal.com
Remote-first · HQ in Singapore
Questions about this document? Email hello@certseal.com — a real human will reply.