Privacy Policy

1. Data Controller

This Privacy Policy governs the processing of personal data by:

2. Data We Collect

• Account Information: Name, email address, username, phone number, and company name provided during registration.
• Authentication Data: Hashed passwords, OAuth tokens (for Google Sign-In).
• Usage Data: Scan configurations, job history, API usage logs, session data.
• Technical Data: IP address, browser type, operating system, device information, timestamps.
• Mobile-Specific Data: When you use our Android or iOS mobile apps, we additionally collect: device model and OS version (to render screens correctly), the Expo push notification token (only after you opt in, to deliver scan-complete and critical-issue alerts), and your in-app notification preferences. We do not collect contacts, photos, location, microphone audio, or any sensor data.
• Payment Data: If applicable, processed through third-party payment providers (Paddle on web, Google Play Billing on Android, Apple App Store on iOS). We do not store credit card details directly; we only retain the subscription identifier, purchase token, plan tier, and renewal date returned by these providers.

3. Purpose of Data Processing

• Providing and maintaining the certvo.com platform and its accessibility tools
• User account management and authentication
• Processing scan requests and delivering results
• Communicating service updates, security alerts, and support responses
• Improving platform performance
• Complying with legal obligations and preventing fraud

4. Legal Basis for Processing

• Contract Performance: To provide you with the services you signed up for.
• Legitimate Interest: For platform security, fraud prevention, and service improvement.
• Legal Obligation: To comply with applicable laws and regulations.
• Consent: For optional communications and cookies.

5. Data Sharing

We do not sell your personal data. We may share data with:

• Cloud Service Providers: For hosting and infrastructure.
• Payment Providers: Paddle acts as our Merchant of Record for web subscription billing. Google Play Billing handles in-app subscriptions on Android; Apple App Store handles iOS. These providers receive only the data they need to process payments (typically your billing email and the subscription product identifier).
• Authentication Providers: Google OAuth for social sign-in.
• Push Notification Delivery: Expo Push Notification Service (Expo / 650 Industries, Inc.) forwards push messages from our servers to your device. The Expo push token does not identify you personally and can be revoked at any time by disabling notifications in app settings.
• Legal Authorities: When required by law.

6. Data Retention

We retain your personal data for the duration of your account. Upon account deletion, all personal data is permanently removed within 30 days, except where retention is required by law.

7. Your Rights

Under GDPR and KVKK, you have the following rights:

• Right of Access: Request a copy of your personal data.
• Right to Rectification: Correct inaccurate or incomplete data.
• Right to Erasure: Request deletion of your personal data.
• Right to Data Portability: Request your data in machine-readable format.
• Right to Object: Object to data processing based on legitimate interests.
• Right to Withdraw Consent: Withdraw consent at any time.

To exercise these rights, contact support@certvo.com. We will respond within 30 days.

8. Cookies

We use essential cookies for authentication and session management. See our Cookie Policy for details.

9. Security

We implement industry-standard security measures including SSL/TLS encryption, secure password hashing, HSTS headers, CSRF protection, and regular security audits.

10. Mobile Apps — Permissions & Data Practices

Our Android and iOS apps request the following permissions:

• Internet: Required to communicate with our servers.
• Notifications (POST_NOTIFICATIONS): Used only if you opt in to scan-complete and critical-issue alerts. Can be revoked from your device settings at any time.
• In-App Billing (com.android.vending.BILLING, Android only): Required to process subscription upgrades through Google Play. Purchase tokens are sent to our servers solely to verify and activate your subscription.
• Wake Lock: Allows the app to keep the network connection alive briefly while a scan is launching, preventing dropped requests.

Our mobile apps do not include third-party advertising SDKs, third-party analytics SDKs, or any tracking that links your activity across other apps or websites. We do not request access to your contacts, photos, files, location, microphone, or camera.

11. Account & Data Deletion

You can request deletion of your account and all associated personal data at any time:

• From the web app: Settings → Account → Delete account.
• From the mobile app: Settings → Account → Delete account.
• By email: Send a request from your registered email address to support@certvo.com with the subject line "Delete account".

On deletion we remove: account record, scan history, screenshots, AI explanations, push tokens, billing identifiers, and team memberships. Anonymized aggregate statistics (e.g., total scans run per week) may be retained for service-performance analysis. Backups containing your data are purged on a rolling 30-day cycle. Records required by tax/accounting law (invoices, payment receipts) are retained for the statutory period.

12. Children

Our services are not directed to children under 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact support@certvo.com and we will delete it.

13. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email or platform notification.

14. Contact