1. Who We Are
CertBox is operated by Paddy Dewhurst, a sole trader based in England. We are the data controller for the personal data processed through this Service. Contact: privacy@certbox.app.
2. Data We Collect
- Account data: name, email address, phone number, role, country, company name
- Property data: property addresses, postcodes, property types, owner information
- Certificate data: certificate types, issue/expiry dates, form data, uploaded PDF files
- Organisation data: organisation name, contact details, membership
- Usage data: login times, features used, pages visited
3. Lawful Basis for Processing
- Contract: processing necessary to provide the Service you signed up for
- Legitimate interests: improving the Service, preventing fraud, ensuring security
- Consent: marketing communications (you may withdraw consent at any time)
- Legal obligation: where required to comply with applicable law
4. How We Use Your Data
We use your data to: provide and maintain the Service; authenticate your identity; generate and store certificates; enable sharing of certificates via share links; send transactional emails; and improve the Service.
5. Data Sharing
We do not sell your personal data. We share data with:
- Infrastructure providers: Hetzner (server hosting, Germany), Cloudflare (CDN and DNS)
- Supabase: database, authentication, and file storage (hosted on Hetzner, Germany)
- Stripe: payment processing (for paid subscriptions)
- Mailgun: transactional email delivery
- Sentry: error monitoring (text content is masked and no personal data is captured in error reports)
- Share link recipients: when you create a share link, the linked certificate data is accessible to anyone with the link
6. Data Retention
We retain your account and certificate data for as long as your account is active. Upon account deletion, we will delete your personal data within 30 days, except where retention is required by law. Shared certificate snapshots may persist until the share link expires.
7. International Transfers
Your data is stored on Hetzner servers located in Germany (EU). Static assets are served via Cloudflare's global CDN. Both the EU and Germany benefit from UK adequacy decisions. Where data is transferred outside the UK/EU, we rely on appropriate safeguards including Standard Contractual Clauses.
8. Your Rights
Under UK GDPR, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase your data ("right to be forgotten")
- Restrict processing
- Data portability
- Object to processing
- Withdraw consent at any time
To exercise these rights, contact privacy@certbox.app. We will respond within one month.
9. Newsletter
If you subscribe to our newsletter, we collect and process the following data:
- Data collected: email address, consent status, consent text, timestamp of consent, and IP address at the time of consent
- Lawful basis: Consent (Article 6(1)(a) UK GDPR). You actively opt in by providing your email and checking the consent box
- Purpose: To send you weekly trade guides, regulation updates, and compliance tips
- Third-party processor: Mailgun (email delivery service). Your email address is shared with Mailgun solely for the purpose of delivering newsletter emails
- Retention: Your subscriber data is retained for as long as your subscription is active. Upon unsubscribing, we retain a record of your email and unsubscribe date for 12 months to prevent re-subscription errors, then delete it
- Right to withdraw: You can unsubscribe at any time by clicking the unsubscribe link in any newsletter email, or by contacting privacy@certbox.app
- Tracking: We track email opens and link clicks to measure newsletter performance. This data is aggregated and not used for individual profiling
10. Cookies
We use essential cookies required for authentication and Service functionality. We use Cloudflare Web Analytics to understand aggregate usage patterns. Cloudflare Web Analytics does not use cookies and does not track individual users across sessions or sites. No advertising or remarketing cookies are used.
11. Security
We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS), encryption at rest, access controls, and regular security reviews.
12. Children
The Service is not directed at individuals under 18. We do not knowingly collect personal data from children.
13. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes via email or in-app notification.
14. Complaints
If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.