Legal
Privacy Policy
Last updated: May 30, 2026
Certify is operated by Limebit. This policy describes what data we collect, why we collect it, and how we protect it. We keep this short because we mean it.
What we collect
Account data
When you sign in, we store your email address. We use magic links — no password is ever created or stored. Session tokens are hashed before storage.
Practice data
We store your practice session results: which scenarios you completed, how you answered each question, and your domain scores. This data powers your score history and progress tracking. It is linked to your account and not shared with third parties.
Payment data
Payments are processed by Stripe. We store only your plan status and Stripe customer ID — we never handle or store raw card numbers. For payment questions, refer to Stripe’s Privacy Policy.
Usage data
We collect standard server logs: IP address, request path, timestamp, and HTTP status. These are retained for up to 30 days for debugging and are not used for advertising or profiling.
What we do not collect
- We do not use third-party advertising cookies or tracking pixels.
- We do not sell or rent your data to anyone.
- We do not build behavioral profiles for ad targeting.
How we use your data
- Authentication — your email is used to send sign-in links and, when applicable, account-related notifications.
- Product functionality — practice results are stored so you can review your history, track progress, and resume sessions.
- Billing — your plan status is used to gate feature access.
- Service improvements — aggregate, anonymized usage patterns inform product decisions. Individual session data is not used for this purpose.
Data storage and security
Data is stored in Cloudflare D1 databases hosted in the United States. We use HTTPS for all traffic, hash session tokens at rest, and limit database access to application code only. We do not store plaintext secrets.
For Team and Enterprise plans, org data may be stored in isolated databases depending on your configuration.
Data retention
We retain your account and practice data for as long as your account is active. If you request deletion, we will remove your account and associated data within 30 days. Payment records required for tax compliance are retained as required by law.
Your rights
You may request a copy of your data, correction of inaccurate data, or deletion of your account at any time by emailing bolatan@limebit.org. We will respond within 30 days.
Cookies
We use a single session cookie to keep you signed in. We do not use tracking, advertising, or analytics cookies. No third-party cookies are set by Certify.
Children
Certify is intended for professional use by adults. We do not knowingly collect data from individuals under 16. If you believe a minor has created an account, contact us and we will delete it promptly.
Changes to this policy
If we make material changes, we will update the date at the top of this page and, where appropriate, notify you by email. Continued use of the service constitutes acceptance of the updated policy.
Contact
Questions about this policy: bolatan@limebit.org