CertStudio

Privacy Policy

Last updated: August 22, 2025

1. Information We Collect

Personal Information

When you use CertStudio, we may collect the following personal information:

  • Account Information: Name, email address, password, and organization details
  • Profile Information: Professional credentials, job title, and contact preferences
  • Certificate Data: Recipient information, course details, and certification records
  • Usage Data: How you interact with our platform, features used, and system performance

Technical Information

We automatically collect certain technical information when you visit our website:

  • IP address and device information
  • Browser type and version
  • Operating system
  • Log files and analytics data
  • Cookies and similar tracking technologies

2. How We Use Your Information

Under UK GDPR, we must have a lawful basis for processing your personal information. We use your information for the following purposes with the corresponding lawful bases:

Lawful Bases for Processing

  • Contract Performance (Article 6(1)(b)): To provide certificate management and generation services as part of our contract with you
  • Legitimate Interests (Article 6(1)(f)): To improve our platform, prevent fraud, and ensure security. We balance our legitimate interests against your rights and freedoms
  • Legal Obligation (Article 6(1)(c)): To comply with legal obligations, industry standards, and regulatory requirements
  • Consent (Article 6(1)(a)): For marketing communications and non-essential cookies (where we have obtained your explicit consent)
  • Vital Interests (Article 6(1)(d)): In rare cases, to protect someone's life or prevent serious harm

Specific Processing Activities

  • Service Delivery: Processing based on contract performance to deliver certificate management services
  • Account Management: Contract performance and legitimate interests to maintain secure accounts
  • Communication: Contract performance for service-related communications; consent for marketing
  • Platform Improvement: Legitimate interests to analyze usage patterns and enhance user experience
  • Compliance and Security: Legal obligation and legitimate interests to meet regulations and protect against threats

Special Category Data

For healthcare training providers, we may process health-related training data under Article 9(2)(h) for health and social care purposes, and with appropriate safeguards under the Data Protection Act 2018.

3. Information Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may share your information only in the following circumstances:

With Your Consent

We may share your information when you explicitly consent to such sharing.

Service Providers

We work with trusted third-party service providers who assist us in operating our platform:

  • Cloud hosting and infrastructure providers
  • Email delivery services
  • Analytics and monitoring tools
  • Customer support platforms

Legal Requirements

We may disclose your information if required by law or in response to valid legal requests from government authorities.

Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.

4. Data Security

We implement industry-standard security measures to protect your information:

  • Encryption: Data is encrypted in transit and at rest using SSL/TLS protocols
  • Access Controls: Strict access controls and authentication mechanisms
  • Regular Audits: Security assessments and vulnerability testing
  • Monitoring: Continuous monitoring for suspicious activities
  • Backup and Recovery: Regular data backups and disaster recovery procedures

While we strive to protect your information, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security but are committed to protecting your data using best practices.

5. Data Retention

We retain your information for as long as necessary to provide our services and comply with legal obligations:

  • Account Data: Retained for the duration of your account plus 3 years after closure
  • Certificate Records: Retained for 7 years to support verification and compliance requirements
  • Usage Data: Aggregated and anonymized data may be retained indefinitely for analytics
  • Legal Requirements: Some data may be retained longer to comply with healthcare regulations

6. Your Rights and Choices

You have the following rights regarding your personal information. Under the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018, you have enhanced rights as detailed below:

Right of Access (Article 15)

You can request a copy of your personal information in a portable format, including details about how we process your data.

Right to Rectification (Article 16)

You can update or correct your personal information through your account settings or by contacting us directly.

Right to Erasure (Article 17)

You can request deletion of your personal information, subject to legal retention requirements and legitimate business needs.

Right to Restrict Processing (Article 18)

You can request that we limit how we process your personal information in certain circumstances.

Right to Data Portability (Article 20)

You can request your data in a structured, commonly used format for transfer to another service provider.

Right to Object (Article 21)

You can object to processing of your personal information for direct marketing or other purposes based on legitimate interests.

Rights Related to Automated Decision Making (Article 22)

You have rights regarding automated decision-making and profiling, though we do not currently engage in automated decision-making that significantly affects you.

Right to Withdraw Consent

Where processing is based on consent, you can withdraw your consent at any time.

Marketing Opt-Out

You can opt out of marketing communications at any time using the unsubscribe link in emails.

Cookie Controls

You can manage cookie preferences through your browser settings.

Exercising Your Rights

To exercise these rights, please contact us at privacy@certstudio.com. We will respond within one month (extendable to three months for complex requests) and will not charge a fee unless the request is manifestly unfounded or excessive.

Right to Lodge a Complaint

You have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's data protection supervisory authority, if you believe we have not handled your personal information in accordance with the law. You can contact the ICO at ico.org.uk or call their helpline on 0303 123 1113.

7. International Data Transfers

CertStudio is based in the United Kingdom and operates under UK GDPR and Data Protection Act 2018. Your information may be processed and stored in countries other than your own. We ensure that international transfers comply with UK data protection laws through:

Adequacy Decisions

We transfer data to countries that have been deemed to have adequate data protection laws by the UK government.

Standard Contractual Clauses (SCCs)

For transfers to countries without adequacy decisions, we use the UK's approved Standard Contractual Clauses to ensure appropriate safeguards.

Additional Safeguards

  • Technical and organisational measures to protect data in transit and at rest
  • Regular assessments of data protection laws in destination countries
  • Binding corporate rules where applicable
  • Certification schemes and codes of conduct

We conduct Transfer Impact Assessments (TIAs) to evaluate the effectiveness of these safeguards and ensure your data remains protected regardless of where it is processed.

8. Children's Privacy

CertStudio is not intended for use by children under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete such information.

9. Advanced Data Processing

Background Job Processing

We use background job processing systems to handle large-scale certificate generation and notification delivery:

  • Processing Queue Data: Job status, processing logs, error tracking, and completion timestamps
  • Batch Processing Records: Bulk generation tracking, progress monitoring, and performance metrics
  • Retention: Processing logs are retained for 90 days for troubleshooting and system optimization
  • Lawful Basis: Legitimate interests for system performance and contract performance for service delivery

Document Processing and Conversion

We process and convert documents using external libraries and services:

  • Temporary Files: Documents are temporarily stored during processing and conversion
  • Processing Metadata: File types, sizes, conversion logs, and processing timestamps
  • External Processing: LibreOffice and ImageMagick for document conversion (processed locally)
  • Security: Temporary files are encrypted and automatically deleted after processing

Notification Queue Management

Our automated notification system processes and tracks communications:

  • Queue Data: Notification schedules, delivery status, recipient preferences
  • Delivery Tracking: Email delivery confirmations, bounce handling, engagement metrics
  • Analytics: Notification effectiveness, delivery rates, and recipient interactions
  • Retention: Notification logs retained for 2 years for compliance and optimization

10. Public Certificate Verification

Verification System Data

Our public certificate verification system collects limited data to provide verification services:

  • Verification Requests: Certificate IDs searched, verification timestamps, request IP addresses
  • Access Logs: Verification page visits, search patterns, and system usage
  • Analytics Data: Verification success rates, popular certificates, and system performance
  • No Personal Data: We do not collect personal information from verification users

Lawful Basis and Retention

  • Lawful Basis: Legitimate interests for providing verification services and preventing fraud
  • Retention Period: Verification logs retained for 1 year for security and analytics
  • Anonymization: IP addresses are anonymized after 30 days
  • Public Information: Only certificate status (valid/expired/not found) is displayed publicly

11. Multi-Tenant Data Security

Account Data Isolation

We implement strict data isolation measures to ensure complete separation between different organizations:

  • Technical Isolation: Database-level separation ensuring no cross-account data access
  • Access Controls: Role-based permissions preventing unauthorized account access
  • Audit Trails: Complete logging of all data access and administrative actions
  • Testing: Regular security testing to verify isolation effectiveness

Administrative Access

Our administrative access is strictly controlled and monitored:

  • Limited Access: Only authorized personnel have access to account data
  • Purpose Limitation: Administrative access only for support, maintenance, and security
  • Monitoring: All administrative actions are logged and regularly reviewed
  • Data Minimization: Administrators access only data necessary for specific tasks

12. CSV Import and Bulk Data Processing

Bulk Data Import

When you upload CSV files for bulk certificate generation, we process your data as follows:

  • Temporary Storage: CSV files are temporarily stored during processing and validation
  • Data Validation: We validate data formats, required fields, and data integrity
  • Error Handling: Processing errors and validation failures are logged for troubleshooting
  • Field Mapping: We store your field mapping preferences to improve future imports

Data Quality and Responsibility

  • User Responsibility: You are responsible for the accuracy and legitimacy of uploaded data
  • Data Validation: We provide validation tools but cannot guarantee data accuracy
  • Retention: CSV files are deleted after successful processing or 7 days, whichever is sooner
  • Processing Logs: Import logs retained for 90 days for troubleshooting

13. File Storage and Security

Document Storage

We store various types of files and documents as part of our service:

  • Template Files: Certificate templates in PDF, DOCX, and image formats
  • Generated Certificates: Completed certificates and batch archives
  • User Uploads: Logos, signatures, and other customization files
  • Temporary Files: Processing intermediates and conversion files

Storage Security and Locations

  • Encryption: All files encrypted at rest using AES-256 encryption
  • Access Controls: File access restricted to authorized users and systems only
  • Geographic Location: Files stored in secure UK-based data centers
  • Backup Security: Regular encrypted backups with secure off-site storage

File Retention and Version Control

  • Template Versions: All template versions retained for 3 years
  • Generated Certificates: Stored for 7 years to support verification
  • ZIP Archives: Batch download archives deleted after 7 days
  • Temporary Files: Processing files deleted within 24 hours

14. Enhanced Analytics and Monitoring

Usage Analytics

We collect detailed analytics to improve our service and provide insights:

  • Certificate Analytics: Generation volumes, template usage, completion rates
  • User Behavior: Feature usage patterns, session durations, navigation paths
  • System Performance: Processing times, error rates, system resource usage
  • Notification Analytics: Delivery rates, engagement metrics, recipient responses

Performance Monitoring

  • System Metrics: Server performance, database queries, response times
  • Error Tracking: Application errors, failed operations, debugging information
  • Security Monitoring: Access attempts, authentication events, suspicious activities
  • Data Retention: Analytics data retained for 3 years; performance logs for 1 year

Data Anonymization

  • Aggregated Data: Most analytics data is aggregated and anonymized
  • Personal Data Removal: Individual identifiers removed from long-term analytics
  • Research Use: Anonymized data may be used for service improvement research
  • Third-Party Sharing: Only anonymized, aggregated data shared with service providers

15. Healthcare Data

For healthcare training providers, we understand the sensitive nature of health-related training data:

  • We implement additional security measures for healthcare-related information
  • We comply with relevant healthcare data protection regulations
  • Training records are handled with appropriate confidentiality measures
  • Access to healthcare training data is strictly controlled and logged

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. We will:

  • Post the updated policy on this page
  • Update the "Last updated" date
  • Notify users of material changes via email or platform notification
  • Provide 30 days' notice for significant changes

Your continued use of CertStudio after changes become effective constitutes acceptance of the updated Privacy Policy.

17. Contact Information

If you have questions about this Privacy Policy or our data practices, please contact us:

Data Protection Officer: dpo@certstudio.com

Privacy Inquiries: privacy@certstudio.com

General Inquiries: christian@certstudio.com

Mailing Address:
CertStudio
Data Protection Team
United Kingdom

ICO Registration: We are registered with the Information Commissioner's Office. Our registration details can be found on the ICO website.

We will respond to your inquiry within 30 days of receipt.

© 2025 CertStudio
