Privacy Policy

Information We Collect

Account Information

When you sign up using a third-party authentication provider (Google, GitHub, or Apple), we receive and store:

• Your email address
• Your name (as provided by the authentication provider)
• Your profile picture URL (if available)
• A unique identifier from the authentication provider

Certificate Data

When you use Certman to manage certificates, we store:

• Certificate Authority (CA) configurations and certificates, including intermediate CA hierarchies
• Issued certificates and their metadata (common names, SANs, validity periods)
• Private keys (encrypted at rest using AES-256-GCM) for managed certificates
• Certificate Signing Requests (CSRs) for BYOK certificates

Zero-Trust Mode: If you enable zero-trust mode for a CA, your private key is encrypted using a combination of our server secret and your passphrase. We never store your passphrase—only a flag indicating that zero-trust is enabled. This means we cannot decrypt your CA private key or issue certificates on your behalf without your passphrase.

Usage Data

We automatically collect certain information about your use of Certman:

• IP addresses
• Browser type and version
• Pages visited and actions taken
• Timestamps of activity
• API usage statistics

How We Use Your Information

We use the collected information to:

• Provide and maintain the Certman service
• Authenticate your identity and manage your account
• Generate and manage certificates on your behalf
• Send important service notifications
• Improve our service and develop new features
• Detect and prevent fraud or abuse
• Comply with legal obligations

Data Security

We implement industry-standard security measures to protect your data:

• Encryption at Rest: All private keys are encrypted using AES-256 before storage
• Zero-Trust Option: CAs can be protected with a user-provided passphrase that we never store, ensuring we cannot access your private keys
• Encryption in Transit: All communications use TLS 1.3
• Tenant Isolation: Row-level security ensures complete data isolation between workspaces
• Audit Logging: All sensitive operations are logged with immutable audit trails
• Secure Authentication: We use OAuth 2.0 with established providers (no password storage)

Data Retention

We retain your data for as long as your account is active or as needed to provide you with our services. You can request deletion of your account and associated data at any time.

Audit logs are retained for a minimum of one year for security and compliance purposes.

Data Sharing

We do not sell your personal information. We may share your information only in the following circumstances:

• Service Providers: With third-party services that help us operate Certman (e.g., hosting, authentication)
• Legal Requirements: When required by law, subpoena, or legal process
• Protection: To protect our rights, privacy, safety, or property
• Business Transfers: In connection with a merger, acquisition, or sale of assets

Your Rights

You have the right to:

• Access your personal data
• Correct inaccurate data
• Request deletion of your data
• Export your certificates and data
• Object to certain processing of your data

Cookies

We use essential cookies to maintain your authentication session. We do not use tracking cookies or third-party advertising cookies.

Third-Party Services

Certman integrates with third-party services that have their own privacy policies:

• Supabase: Database and authentication infrastructure
• Vercel: Hosting and deployment
• Google, GitHub, Apple: Authentication providers

Children's Privacy

Certman is not intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes by posting the new policy on this page and updating the "Last updated" date.

Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us at privacy@certman.app.