Privacy Policy
Last updated: July 9, 2025
Introduction
Certestic ("this project," "the platform," or "I") is a personal side project operated by an individual developer. This Privacy Policy explains how I collect, use, and protect your personal information when you use this AI-powered IT certification training platform. As a personal project with limited resources, this policy reflects the practical realities of operating a small-scale educational platform.
Your Rights: You have rights regarding your personal information, including the right to access, correct, and request deletion of your information. I will honor these rights to the best of my ability as a solo developer.
By using Certestic, you acknowledge that this is a personal project and agree to the collection, use, and disclosure of your personal information as described in this policy. If you do not agree with this policy, please do not use this platform.
Why I Collect Your Information
As a personal project, I collect and process your personal information for these essential purposes:
- Platform Operation: To provide you with access to the certification training platform and its features
- User Experience: To personalize your learning experience and track your progress
- Platform Improvement: To understand how the platform is used and improve its functionality (as time and resources permit)
- Communication: To send you essential service-related communications
- Legal Requirements: To comply with applicable laws when required
I aim to collect only information that is necessary for these purposes, though as a solo developer, data minimization practices may evolve over time.
Information I Collect
I collect the following types of personal information to operate this platform:
Information You Provide
When you register or use the platform:
- Identity Information: Full name, email address, username
- Account Information: Password (encrypted), profile preferences, account settings
- Payment Information: Credit card details, billing address, payment history (processed securely through third-party payment processors)
- Communication Data: Messages sent to our support team, feedback, survey responses
- Professional Information: Certification goals, professional background (optional)
Information Collected Automatically
When you use our platform, we automatically collect:
- Usage Data: Pages visited, features used, time spent on platform, click patterns
- Performance Data: Exam attempts, scores, completion rates, study progress, learning analytics
- Technical Data: IP address, browser type, device information, operating system, screen resolution
- Log Data: Access times, error logs, system activity, security events
- Location Data: General geographic location based on IP address (country/city level only)
AI Training and Analytics Data
To provide AI-powered features, we collect and process:
- Learning Patterns: How you interact with questions, answer patterns, study behaviors
- Performance Metrics: Response times, accuracy rates, improvement trends
- Content Interactions: Which topics you focus on, difficulty preferences, study session data
Information We Do NOT Collect
In compliance with Privacy Principle 2 (collection from individual), we do not:
- Collect sensitive personal information (health, political opinions, religious beliefs) unless specifically relevant and consented to
- Collect information about you from third parties without your knowledge
- Use hidden tracking or surveillance methods
- Collect more information than necessary for our stated purposes
How We Use Your Personal Information (Privacy Principle 3)
Under Privacy Principle 3, we will only use your personal information for the purposes for which it was collected, or for a directly related purpose you would reasonably expect. We use your information for:
Primary Service Purposes
- Platform Operation: Providing access to our certification training platform and maintaining your account
- AI-Powered Features: Generating personalized practice exams, study recommendations, and performance analytics
- Progress Tracking: Monitoring your learning progress and providing detailed performance insights
- Content Delivery: Customizing your learning experience based on your goals and preferences
- Technical Support: Providing customer service and resolving technical issues
Administrative Purposes
- Account Management: Processing registrations, managing subscriptions, and handling payments
- Communication: Sending service updates, technical notices, and responding to inquiries
- Platform Communications: Delivering essential platform updates, feature announcements, security notifications, and service changes via our marketing email service providers
- Security: Detecting and preventing fraud, unauthorized access, and security breaches
- Legal Compliance: Meeting our legal obligations under New Zealand law
📬 Essential Platform Communications
By creating an account, you automatically consent to receiving platform update emails through our marketing email services. These communications include:
- Critical security updates and notifications
- New feature releases and platform improvements
- Service maintenance schedules and downtime notices
- Terms of service and privacy policy updates
- Account status changes and billing notifications
- Important certification and study-related announcements
Note: While you can unsubscribe from promotional content, essential service communications are required for platform operation and cannot be opted out of.
Platform Improvement (With Your Consent)
- Product Development: Analyzing usage patterns to improve our platform and develop new features
- AI Model Training: Using anonymized data to enhance our AI algorithms and question generation
- Research: Conducting internal research to better understand learning patterns and certification success factors
Marketing (With Express Consent Only)
- Promotional Communications: Sending information about new features, courses, or promotions (only if you opt in)
- Surveys and Feedback: Requesting your input on our services and user experience
- Beta Testing: Inviting you to participate in testing new features (voluntary participation only)
Information Sharing and Disclosure (Privacy Principles 10 & 11)
✅ Privacy Protection Commitment
We do not sell, rent, or trade your personal information to third parties for marketing purposes.
Under Privacy Principles 10 and 11, we have strict limits on when and how we can disclose your personal information. We may only share your information in the following circumstances:
Service Providers (Limited Purpose Disclosure)
We may share your information with trusted service providers who assist us in operating our platform, subject to strict confidentiality agreements:
- Cloud Infrastructure: Google Cloud Platform and Firebase (data stored in accordance with their privacy commitments)
- Payment Processing: Secure payment processors for subscription management (they do not store your full payment details)
- Email Services: Email service providers for essential communications only
- Marketing Email Services: Third-party marketing email services (such as MailerLite or similar providers) for delivering platform updates, feature announcements, and service notifications
- Analytics: Anonymized usage analytics to improve platform performance
📧 Marketing Email Service Notice
We use marketing email services to send important platform communications. By creating an account, you consent to receiving these essential updates.
Information Shared with Marketing Email Services:
- Your email address and name for delivery purposes
- Basic account status (active/inactive) for list management
- Subscription preferences and communication settings
- Anonymized engagement data (open rates, click rates) for service improvement
Service Provider Requirements: All service providers must:
- Only use your information for the specific services they provide to us
- Maintain appropriate security measures
- Not disclose your information to other parties
- Comply with applicable privacy laws
Legal Requirements (Limited Capacity)
As a personal project, I may disclose your information only when legally required:
- Legal Orders: To comply with valid court orders or legal processes (though I may lack resources for complex legal responses)
- Safety Concerns: To prevent serious harm or illegal activity when I become aware of it
- Platform Protection: To protect the basic operation and security of the platform
Project Discontinuation
If I decide to discontinue this personal project:
- I will attempt to provide 30 days' notice (resources permitting)
- I will make reasonable efforts to delete or anonymize user data
- No guarantee of data preservation or transfer to another service
- Users are responsible for backing up their own data before discontinuation
With Your Explicit Consent
We may share your information for other purposes only with your explicit, informed consent. You can withdraw this consent at any time by contacting us.
Data Security (Privacy Principle 5)
Under Privacy Principle 5, we are required to protect your personal information with appropriate security safeguards. We implement comprehensive technical and organizational security measures:
Basic Security Measures (Personal Project)
- Platform Security: Basic security measures provided by hosting platforms (Firebase/Google Cloud)
- Standard Encryption: Standard HTTPS encryption for data transmission
- Access Control: Basic authentication and authorization controls
- Updates: Security updates applied when time and knowledge permit
- Limited Monitoring: Basic automated monitoring where available
Personal Project Limitations
- Solo Operation: No dedicated security team or 24/7 monitoring
- Limited Expertise: Security measures depend on my personal knowledge and available time
- Best Effort Response: Security incidents will be addressed on a best-effort basis
- No Formal Procedures: No enterprise-level incident response procedures or security audits
- Dependency on Providers: Security heavily relies on third-party service providers
Breach Notification (Best Effort)
If I become aware of a privacy breach, I will make reasonable efforts to:
- Notify affected users via email when reasonably possible
- Notify relevant authorities if required and I'm aware of the requirements
- Take basic steps to secure the platform and prevent further breaches
- Provide available information about the incident
Important Security Notice: As a personal project, security measures are basic and you should not store any sensitive, confidential, or critical information on this platform. Use this service at your own risk and maintain your own backups.
Data Retention (Privacy Principle 9)
Under Privacy Principle 9, we must not keep your personal information for longer than necessary. Our retention practices are:
Active Account Data
- Account Information: Retained while your account is active and for 12 months after account closure
- Learning Progress: Retained for the duration of your account to provide ongoing personalized recommendations
- Usage Analytics: Retained in anonymized form for up to 5 years for platform improvement
Financial and Legal Records
- Payment Information: Retained for 7 years as required by New Zealand financial record-keeping laws
- Tax Records: Retained for 7 years as required by the Income Tax Act 2007
- Legal Communications: Retained as long as necessary to defend against legal claims
Deletion Process
When retention periods expire or you request deletion:
- Personal information is securely deleted or anonymized
- Backups containing your information are automatically purged within 90 days
- Some information may be retained in anonymized form for legitimate research purposes
- We maintain records of deletions for audit purposes (without storing the deleted personal information)
Your Privacy Rights
You have important rights regarding your personal information. These rights may vary depending on your jurisdiction, but generally include:
Right of Access
You have the right to request access to any personal information we hold about you:
- What we will provide: A copy of your personal information in a commonly used format
- Response time: We will respond within 20 working days (as required by law)
- Cost: Access is free for the first request per year; reasonable charges may apply for additional requests
- Verification: We may need to verify your identity before providing access
- Limitations: We may refuse access only in specific circumstances permitted by law (e.g., if it would harm another person's privacy)
Right of Correction
You have the right to request correction of any personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading:
- How to request: Contact us with details of the incorrect information
- Our response: We will correct the information or explain why we believe it is accurate
- Timeline: Corrections will be made within 20 working days
- Third party notification: We will notify relevant third parties of any corrections where appropriate
Additional Rights
- Data Portability: Request your personal information in a portable format
- Deletion: Request deletion of your personal information (subject to legal retention requirements)
- Restriction of Processing: Request that we limit how we use your information
- Objection: Object to certain uses of your personal information
- Withdrawal of Consent: Withdraw consent for any processing based on consent
Marketing and Communication Choices
- Opt-out: Unsubscribe from marketing emails using the link in any email
- Preferences: Update your communication preferences in your account settings
- Essential communications: Some service-related communications cannot be opted out of while you have an active account
How to Exercise Your Rights
Contact our Privacy Officer:
Email: privacy@certestic.com
Subject Line: "Privacy Rights Request - [Your Request Type]"
Include: Your full name, email address, and detailed description of your request
Response Time: We will acknowledge your request within 5 working days and provide a full response within 20 working days
If You're Not Satisfied
If you're not satisfied with our response to your privacy request, you have the right to:
- Contact our Privacy Officer to discuss your concerns
- Make a complaint to the relevant privacy regulator (for New Zealand users, the Privacy Commissioner, privacy.org.nz)
- Seek remedies through the Human Rights Review Tribunal
International Data Transfers (Privacy Principle 12)
🌐 Cross-Border Data Transfer Notice
Some of your personal information may be stored or processed outside New Zealand.
Under Privacy Principle 12, we can only transfer your personal information outside New Zealand in specific circumstances. Here's how we handle international transfers:
Where Your Data May Be Transferred
- Google Cloud Platform: Data centers in Australia and Singapore (countries with comparable privacy protections)
- Payment Processors: United States and European Union (under appropriate safeguards)
- Email Services: United States (with contractual protections)
Safeguards We Use
We only transfer your information to countries or organizations that provide adequate protection:
- Comparable Privacy Laws: Countries with privacy laws similar to New Zealand's
- Contractual Safeguards: Binding agreements requiring equivalent protection
- Industry Standards: Service providers with SOC 2 and ISO 27001 certifications
- Data Processing Agreements: Specific terms requiring protection of your information
Your Control Over International Transfers
You have the right to:
- Request information about where your data is stored and processed
- Object to transfers to specific countries (though this may limit service availability)
- Request that your data be stored only in New Zealand or Australia (additional fees may apply)
Children's Privacy and Parental Rights
Under applicable law and our terms of service:
- Age Requirement: Certestic is intended for users 18 years and older
- Under 16: We do not knowingly collect personal information from children under 16 without parental consent
- Parental Rights: Parents can request access to, correction of, or deletion of their child's information
- School Use: Educational institutions using our platform must have appropriate consent from parents/guardians
If you believe we have collected information from a child inappropriately, please contact our Privacy Officer immediately.
Jurisdiction-Specific Rights
While Certestic operates under New Zealand law, we recognize and respect the privacy rights of our global customers. Depending on your location, you may have additional rights under your local privacy legislation. We are committed to honoring these rights to the fullest extent reasonably practicable.
General Principle: Where your local privacy laws provide stronger protections than our base requirements, we will endeavor to comply with the higher standard. This includes processing grounds, retention periods, disclosure requirements, and individual rights.
European Union Users (GDPR Rights)
If you are located in the European Union, European Economic Area, or the United Kingdom, you have the following additional rights:
- Right to Data Portability: Request your data in a structured, machine-readable format
- Right to be Forgotten: Request deletion of your personal data under specific circumstances
- Right to Restrict Processing: Limit how we process your data in certain situations
- Right to Object: Object to processing based on legitimate interests or for direct marketing
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
- Right to Lodge Complaints: File complaints with your local Data Protection Authority
- Automated Decision-Making: Request human review of automated decisions that significantly affect you
Australian Users (Privacy Act 1988)
Australian customers have rights similar to our standard privacy protections, plus:
- Access and Correction: Rights to access and correct personal information held about you
- Complaints Process: Right to complain to the Australian Privacy Commissioner
- Notifiable Data Breaches: We will notify you and the Commissioner of eligible data breaches
- Direct Marketing: Right to opt out of direct marketing communications
Canadian Users (PIPEDA/Provincial Laws)
- Knowledge and Consent: Right to know why information is collected and how it will be used
- Access Rights: Right to access personal information and request corrections
- Complaints: Right to file complaints with the Privacy Commissioner of Canada or provincial commissioners
- Breach Notification: Right to be notified of privacy breaches that pose real risk of significant harm
United States Users (State Privacy Laws)
Users in states with comprehensive privacy laws (California, Virginia, Colorado, Connecticut, Utah, etc.) may have additional rights:
- Right to Know: Know what personal information is collected and how it is used
- Right to Delete: Request deletion of personal information
- Right to Opt-Out: Opt out of sale/sharing of personal information and targeted advertising
- Right to Non-Discrimination: Not be discriminated against for exercising privacy rights
- Right to Correction: Request correction of inaccurate personal information
Other Jurisdictions
For users in other countries with privacy legislation (Brazil's LGPD, Japan's APPI, Singapore's PDPA, etc.), we will respect any additional privacy rights you have under your local laws to the extent reasonably practicable.
If you believe you have specific rights under your local privacy laws that are not addressed here, please contact our Privacy Officer who will work with you to understand and accommodate your rights where possible.
Exercise Your Rights
To exercise any of these rights, please contact our Privacy Officer at:
- Email: privacy@certestic.com
- Subject Line: "Privacy Rights Request"
- Include: Your country of residence, specific right you wish to exercise, and verification details
- Response Time: Please allow up to 30 days for response as this is managed by a solo developer
Limitation of Liability - Personal Project Disclaimers
⚠️ Important Notice - Personal Project Limitations
This platform is operated as a personal side project by an individual developer with limited resources, time, and expertise. Your use of this platform is at your own risk.
Personal Project Disclaimers
TO THE MAXIMUM EXTENT PERMITTED BY LAW, AS A PERSONAL PROJECT:
- Best Effort Basis: I operate this platform on a best-effort basis in my spare time with no guarantee of continuous availability or support
- Limited Resources: I have limited time, technical resources, and expertise to implement comprehensive data protection measures
- No Service Level Guarantees: I make no warranties about uptime, data backup, recovery capabilities, or response times
- Volunteer Effort: Privacy request processing depends on my availability and may experience significant delays
- Platform Evolution: Features, security measures, and data practices may change as the project develops
Maximum Liability Limitation
TO THE FULLEST EXTENT PERMITTED BY LAW:
- No Monetary Liability: My total liability for any privacy-related claims is limited to $0 (zero dollars), as this is provided as a free personal project
- No Damages: I exclude all liability for direct, indirect, consequential, punitive, or any other damages arising from privacy issues
- Use At Your Own Risk: You acknowledge that you use this platform entirely at your own risk
- No Professional Standards: This platform is not held to commercial or professional data protection standards
Technical Limitations
As a solo developer, I cannot guarantee:
- Enterprise-level security implementations
- 24/7 monitoring or incident response
- Professional data backup and recovery procedures
- Immediate response to security vulnerabilities
- Compliance with all international privacy regulations
- Continuous platform availability or data access
User Responsibility and Indemnification
By using this platform, you agree to:
- Assume All Risk: Accept full responsibility for any consequences of using this personal project
- No Sensitive Data: Not upload or store any sensitive, confidential, or critical personal information
- Backup Your Data: Maintain your own backups of any important information
- Indemnify Developer: Hold harmless and indemnify the developer from any claims, damages, or losses arising from your use of the platform
Consumer Rights Notice
Important: While I limit liability to the maximum extent permitted, nothing in this policy excludes rights that cannot be excluded under applicable consumer protection laws. This is provided as a free personal project with no commercial warranties or guarantees.
Privacy Policy Effective Date
This Privacy Policy is effective as of July 9, 2025, and applies to all users of the Certestic platform.
This policy reflects the operational realities of a personal side project and complies with applicable privacy laws to the extent reasonably practicable for an individual developer.