Certify

Legal

Privacy Policy

Last updated: May 30, 2026


Certify is operated by Limebit. This policy describes what data we collect, why we collect it, and how we protect it. We keep this short because we mean it.

What we collect

Account data

When you sign in, we store your email address. We use magic links — no password is ever created or stored. Session tokens are hashed before storage.

Practice data

We store your practice session results: which scenarios you completed, how you answered each question, and your domain scores. This data powers your score history and progress tracking. It is linked to your account and not shared with third parties.

Payment data

Payments are processed by Stripe. We store only your plan status and Stripe customer ID — we never handle or store raw card numbers. For payment questions, refer to Stripe’s Privacy Policy.

Usage data

We collect standard server logs: IP address, request path, timestamp, and HTTP status. These are retained for up to 30 days for debugging and are not used for advertising or profiling.

What we do not collect

  • We do not use third-party advertising cookies or tracking pixels.
  • We do not sell or rent your data to anyone.
  • We do not build behavioral profiles for ad targeting.

How we use your data

  • Authentication — your email is used to send sign-in links and, when applicable, account-related notifications.
  • Product functionality — practice results are stored so you can review your history, track progress, and resume sessions.
  • Billing — your plan status is used to gate feature access.
  • Service improvements — aggregate, anonymized usage patterns inform product decisions. Individual session data is not used for this purpose.

Data storage and security

Data is stored in Cloudflare D1 databases hosted in the United States. We use HTTPS for all traffic, hash session tokens at rest, and limit database access to application code only. We do not store plaintext secrets.

For Team and Enterprise plans, org data may be stored in isolated databases depending on your configuration.

Data retention

We retain your account and practice data for as long as your account is active. If you request deletion, we will remove your account and associated data within 30 days. Payment records required for tax compliance are retained as required by law.

Your rights

You may request a copy of your data, correction of inaccurate data, or deletion of your account at any time by emailing bolatan@limebit.org. We will respond within 30 days.

Cookies

We use a single session cookie to keep you signed in. We do not use tracking, advertising, or analytics cookies. No third-party cookies are set by Certify.

Children

Certify is intended for professional use by adults. We do not knowingly collect data from individuals under 16. If you believe a minor has created an account, contact us and we will delete it promptly.

Changes to this policy

If we make material changes, we will update the date at the top of this page and, where appropriate, notify you by email. Continued use of the service constitutes acceptance of the updated policy.

Contact

Questions about this policy: bolatan@limebit.org