Privacy Policy

Last updated: February 26, 2026

We built CertLister for organizations that care about their people's records. This policy explains plainly what data we collect, why, and how you can control it.

Overview

CertLister ("we," "our," or "us") operates the CertLister certificate management platform available at app.certlister.com and the marketing website at certlister.com. This Privacy Policy describes how we collect, use, and protect information when you use our services.

By creating an account or using CertLister, you agree to the practices described in this policy. If you do not agree, please do not use our services.

Data We Collect

Account Information

When you register for CertLister, we collect:

  • First and last name
  • Email address
  • Password (stored as a bcrypt hash — we never store plain-text passwords)
  • If you sign in with Google: your Google account ID, name, and email address

Organization Information

When you set up your organization, we may collect:

  • Organization name, email, website, and phone number
  • Mailing address
  • Organization logo (uploaded image)

Certificate & Training Records Data

The core data you manage in CertLister, including:

  • Recipient names and email addresses
  • Certificate numbers, issue dates, and expiry dates
  • Certificate categories and custom attributes you define
  • Generated certificate PDFs stored in Google Cloud Storage

You control this data entirely. We process it only to provide the CertLister service to you.

Billing Information

When you subscribe to a paid plan, payment is processed by Stripe. We do not store your full card number, CVV, or banking details on our servers. We store only:

  • Your Stripe customer ID and subscription ID
  • Your current plan, billing cycle, and subscription status

Usage Data

We automatically collect limited technical data when you use CertLister:

  • IP address (used for rate limiting and security; not stored long-term)
  • Browser type and operating system (from request headers)
  • Pages visited and actions taken within the app (logged for debugging and service improvement)
  • Timestamps of certificate creation, verification events, and account actions

Verification Logs (Pro plans)

On Pro plans, we log third-party certificate verification events, including the timestamp and the certificate that was verified. We do not collect personal data about the person performing the verification (only that the verification occurred).

How We Use Your Data

We use the data we collect to:

  • Provide the service — store, generate, and serve certificates; manage team accounts; process verification requests
  • Process payments — manage subscriptions and billing via Stripe
  • Send notifications — certificate expiry reminders, team invitations, and account alerts (only if you enable them)
  • Improve CertLister — analyze usage patterns to fix bugs and prioritize features
  • Ensure security — detect abuse, enforce rate limits, and protect accounts
  • Comply with legal obligations — respond to lawful requests and enforce our Terms of Service

We do not use your data for advertising. We do not sell, rent, or trade your personal information to any third party for marketing purposes.

Data Sharing

We do not sell your data. We share it only with the service providers necessary to operate CertLister:

  Provider                Purpose                                         Data shared
  Google Cloud Platform   Database hosting, file storage, app hosting     All app data (encrypted at rest)
  Stripe                  Payment processing                              Name, email, payment details
  Google OAuth            Single sign-on (optional)                       Name, email, Google account ID
  Email provider          Transactional emails (invitations, reminders)   Recipient email address and certificate data included in the email

We may also disclose your information if required by law, court order, or government authority, or to protect the rights, property, or safety of CertLister, our users, or the public.

Data Retention

We retain your data for as long as your account is active.

  • Active accounts — data is retained indefinitely while your account is open
  • Deleted accounts — when an organization admin deletes their account, all associated data (certificates, designs, files, users) is permanently deleted from our systems within 30 days
  • Backups — deleted data may persist in encrypted backups for up to 90 days before being purged
  • Billing records — we retain payment transaction records for 7 years as required by financial regulations

Security

We take security seriously:

  • All data is transmitted over HTTPS with TLS encryption
  • Data at rest is encrypted on Google Cloud Platform
  • Passwords are hashed using bcrypt — we never see or store your plain-text password
  • Authentication tokens are short-lived JWTs
  • Login attempts are rate-limited; accounts are locked after repeated failed attempts
  • Organization data is isolated — one organization cannot access another's data
  • File storage is organization-scoped with no public access by default

No system is perfectly secure. If you discover a security vulnerability, please report it to support@certlister.com.

Cookies & Sessions

CertLister uses a small number of cookies and browser storage mechanisms:

  • Authentication token — stored in localStorage to keep you signed in. This is not a cookie; it is not sent automatically with every request.
  • Session cookie — a server-side session cookie used for rate limiting and security (Redis-backed). This expires when you close your browser.
  • Preference storage — we store UI preferences (such as theme) in localStorage

We do not use third-party tracking cookies or advertising pixels. We do not use Google Analytics or similar tracking tools.

Your Rights

Depending on your location, you may have the following rights:

  • Access — request a copy of the personal data we hold about you
  • Correction — update your name or email in Settings → General
  • Export — download your certificate records as a CSV at any time from the app
  • Deletion — delete your account in Settings → Danger Zone. This permanently deletes your organization and all associated data.
  • Portability — export your data in CSV or PDF format before deletion
  • Objection — object to processing of your personal data in certain circumstances

To exercise any right or make a privacy-related request, email us at support@certlister.com. We will respond within 30 days.

If you are located in the European Economic Area (EEA) or the United Kingdom, you have additional rights under the GDPR and UK GDPR. You also have the right to lodge a complaint with your local data protection authority.

Children's Privacy

CertLister is a business tool intended for use by organizations and adults (18+). We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

Note on recipient data: Organizations using CertLister to issue certificates to minors (e.g., school programs) are responsible for ensuring they have appropriate consent from parents or guardians before submitting that data to CertLister.

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (if you have notifications enabled) and update the "Last updated" date at the top of this page.

Continued use of CertLister after changes take effect constitutes acceptance of the updated policy.

Contact Us

If you have questions or concerns about this Privacy Policy or how we handle your data, please contact us:

We respond to all privacy inquiries within 30 days.
