Privacy Policy
Effective April 30, 2026
We treat the data you put into Certfill, including your institution's records, your recipients' details, and the certificates you issue, as your information, not ours.
1. Scope
This Policy applies to use of Certfill by institutions issuing credentials, by recipients verifying credentials, and by anyone visiting our marketing pages. It does not cover third-party services you connect to, such as your email provider or single sign-on identity provider.
2. Information we collect
We collect only what is necessary to operate the service:
- Institution account information: administrator name, work email, organization details, and authentication credentials.
- Recipient data: names, email addresses, programme details, certificate identifiers, and any custom fields you choose to map. This data is uploaded by you (the institution).
- Certificate content: designs, templates, and the rendered certificates we generate on your behalf.
- Operational telemetry: non-identifying logs (request volume, error traces, basic device metadata) used to keep the service available and secure.
3. How we use information
- To generate and deliver the certificates you issue.
- To make verification possible: anyone with a verification link can confirm a credential we issued.
- To authenticate institution users and protect against unauthorized access.
- To respond to support requests.
- To meet legal or regulatory obligations.
We do not use recipient data, certificate content, or institution-level metadata to train machine-learning models, build comparative datasets, or surface aggregated insights to other customers.
4. Recipient data
When an institution uploads a recipient list, that institution is the controller of the data. Certfill processes it on the institution's behalf. Recipients receive the email at the address the institution provided and can request correction or deletion of their record by contacting the issuing institution.
Where a recipient contacts us directly, we will route their request to the issuing institution within five business days.
5. Verification links
Each certificate carries a unique, permanent verification URL. When a verifier visits that URL, they see only the information the issuing institution chose to publish, typically the recipient's name, programme, certificate identifier, and issue date. No login is required, and no data about the verifier is collected beyond standard server logs.
Institutions can configure which fields appear on the verification page. Sensitive fields stored for record-keeping (for example, internal IDs) are not displayed by default.
6. Sharing
We do not sell your data. We share it only when:
- You explicitly request export or third-party integration.
- A subprocessor strictly required to deliver the service (e.g., transactional email) processes the minimum necessary data under a written data-processing agreement.
- We are compelled by valid legal process, in which case we will notify you unless prohibited by law.
A current list of subprocessors is available on request.
7. Retention
Account data is retained for the life of your subscription. Recipient data and certificate records are retained until you delete them or close your account, after which they are purged from production systems within 30 days and from backups within 90 days. Verification URLs may be preserved in a tombstoned state so that previously issued credentials continue to resolve correctly with a clear "no longer active" response.
8. Your controls
Institutions can export, edit, or delete recipient records from within the application. Account deletion and bulk data requests are available on request through the in-app support channel.
9. Security
We follow the practices described in our Security page, including encryption in transit and at rest, least-privilege access, and tenant isolation enforced at the query layer.
10. Children
Certfill is not directed to children under 16. If an institution issues credentials to minors, the institution is responsible for obtaining the appropriate parental or guardian consent.
11. Changes
We will notify institutions of material changes to this Policy at least 30 days in advance via email and in-app notice.