Introduction

Certestic ("the platform") is an AI-powered IT certification training platform. This Privacy Policy explains how we collect, use, and protect your personal information when you use our services.

Your Rights: You have rights regarding your personal information, including the right to access, correct, and request deletion of your information. We comply with these rights as required by law.

By using Certestic, you agree to the collection, use, and disclosure of your personal information as described in this policy. If you do not agree, please do not use this platform.

Why We Collect Your Information

We collect and process your personal information for these purposes:

• Platform Operation: To provide you with access to the certification training platform and its features
• User Experience: To personalize your learning experience and track your progress
• Platform Improvement: To understand how the platform is used and improve its functionality
• Communication: To send you essential service-related communications
• Legal Requirements: To comply with applicable laws when required

We aim to collect only information that is necessary for these purposes.

Information We Collect

We collect the following types of personal information to operate this platform:

Information You Provide

When you register or use the platform:

• Identity Information: Full name, email address, username
• Account Information: Password (encrypted), profile preferences, account settings
• Payment Information: Credit card details, billing address, payment history (processed securely through third-party payment processors)
• Communication Data: Messages sent to our support team, feedback, survey responses
• Professional Information: Certification goals, professional background (optional)

Public Free Trials and Marketing Pages

When you access a public free trial, promotional landing page, or other marketing page that offers a trial experience, we may collect the information you choose to provide in order to deliver that experience, communicate with you about the trial, and prevent abuse or misuse of the service. Depending on the specific trial flow, we may ask for an email address, or allow access without requiring one if the trial is designed to be anonymous or low-friction.

If an email address is requested, we will clearly indicate whether it is required or optional at the point of collection. Even when no email address is provided, we may still collect limited technical information such as IP address, browser type, and device information to operate the trial, protect our services, and improve our products.

Information Collected Automatically

When you use our platform, we automatically collect:

• Usage Data: Pages visited, features used, time spent on platform, click patterns
• Performance Data: Exam attempts, scores, completion rates, study progress, learning analytics
• Technical Data: IP address, browser type, device information, operating system, screen resolution
• Log Data: Access times, error logs, system activity, security events
• Location Data: General geographic location based on IP address (country/city level only)

This automatic collection also applies when you visit our marketing pages or use a public trial experience, where we may use the information to measure traffic, improve product quality, detect suspicious activity, and maintain service reliability.

AI Training and Analytics Data

To provide AI-powered features, we collect and process:

• Learning Patterns: How you interact with questions, answer patterns, study behaviors
• Performance Metrics: Response times, accuracy rates, improvement trends
• Content Interactions: Which topics you focus on, difficulty preferences, study session data

Information We Do NOT Collect

We do not:

• Collect sensitive personal information (health, political opinions, religious beliefs) unless specifically relevant and consented to
• Collect information about you from third parties without your knowledge
• Use hidden tracking or surveillance methods
• Collect more information than necessary for our stated purposes

How We Use Your Personal Information

We use your personal information only for the purposes for which it was collected, or for directly related purposes you would reasonably expect. Specifically:

Primary Service Purposes

• Platform Operation: Providing access to our certification training platform and maintaining your account
• Public Trials and Marketing Pages: Operating free trials, promotional experiences, and lead-capture flows where applicable
• AI-Powered Features: Generating personalized practice exams, study recommendations, and performance analytics
• Progress Tracking: Monitoring your learning progress and providing detailed performance insights
• Content Delivery: Customizing your learning experience based on your goals and preferences
• Technical Support: Providing customer service and resolving technical issues

Administrative Purposes

• Account Management: Processing registrations, managing subscriptions, and handling payments
• Communication: Sending service updates, technical notices, and responding to inquiries
• Platform Communications: Delivering essential platform updates, feature announcements, security notifications, and service changes via our marketing email service providers
• Security: Detecting and preventing fraud, unauthorized access, and security breaches
• Legal Compliance: Meeting our legal obligations under New Zealand law

Platform Improvement (With Your Consent)

• Product Development: Analyzing usage patterns to improve our platform and develop new features
• AI Model Training: Using anonymized data to enhance our AI algorithms and question generation
• Research: Conducting internal research to better understand learning patterns and certification success factors

Marketing (With Express Consent Only)

• Promotional Communications: Sending information about new features, courses, or promotions (only if you opt-in)
• Surveys and Feedback: Requesting your input on our services and user experience
• Beta Testing: Inviting you to participate in testing new features (voluntary participation only)

Information Sharing and Disclosure

We have strict limits on when and how we can disclose your personal information. We may only share your information in the following circumstances:

Service Providers (Limited Purpose Disclosure)

We may share your information with trusted service providers who assist us in operating our platform, subject to strict confidentiality agreements:

• Cloud Infrastructure: Google Cloud Platform and Firebase (data stored in accordance with their privacy commitments)
• Payment Processing: Secure payment processors for subscription management (they do not store your full payment details)
• Email Services: Email service providers for essential communications only
• Marketing Email Services: Third-party marketing email services (such as MailerLite or similar providers) for delivering platform updates, feature announcements, and service notifications
• Analytics: Anonymized usage analytics to improve platform performance

Service Provider Requirements: All service providers must:

• Only use your information for the specific services they provide to us
• Maintain appropriate security measures
• Not disclose your information to other parties
• Comply with applicable privacy laws

Legal Requirements

We may disclose your information when legally required:

• Court Orders: To comply with valid court orders or legal processes
• Safety Concerns: To prevent serious harm or illegal activity
• Platform Security: To protect the security and operation of the platform

With Your Explicit Consent

We may share your information for other purposes only with your explicit, informed consent. You can withdraw this consent at any time by contacting us.

Cookie and Analytics Preferences

We use a cookie consent banner to ask for permission before loading Google Analytics on marketing pages. Your choice is stored locally in your browser, and you can update it at any time using the Cookie Preferences link in the footer.

Data Security

We implement technical and organizational security measures to protect your personal information:

Security Measures

• Encryption: HTTPS encryption for data transmission and encryption for sensitive data at rest
• Access Control: Authentication and authorization controls to restrict access
• Infrastructure Security: Security provided by Google Cloud Platform and Firebase
• Updates: Regular application of security patches and updates

Breach Notification

If we become aware of a privacy breach affecting your personal information, we will act promptly in accordance with applicable law:

• EU/GDPR users: We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach where it is likely to result in a risk to your rights and freedoms. We will notify affected users without undue delay where the breach is likely to result in a high risk to your rights and freedoms.
• US users (CCPA and applicable state laws): We will notify affected users without unreasonable delay and no later than 30 days after discovery of the breach.
• New Zealand users (Privacy Act 2020): We will notify affected users and the Privacy Commissioner as soon as practicable after becoming aware of a notifiable privacy breach.
• All users: Breach notifications will include the nature of the breach, the likely consequences, the measures taken or proposed to address it, and the contact details of our Privacy Officer.
• Notify relevant authorities as required by applicable law
• Take immediate steps to secure the platform and prevent further breaches

Data Retention

We do not keep your personal information longer than necessary. Our retention practices are:

Active Account Data

• Account Information: Retained while your account is active and for 12 months after account closure
• Learning Progress: Retained for the duration of your account to provide ongoing personalized recommendations
• Usage Analytics: Retained in anonymized form for up to 5 years for platform improvement

Financial and Legal Records

• Payment Information: Retained for 7 years as required by New Zealand financial record-keeping laws
• Tax Records: Retained for 7 years as required by the Income Tax Act 2007
• Legal Communications: Retained as long as necessary to defend against legal claims

Deletion Process

When retention periods expire or you request deletion:

• Personal information is securely deleted or anonymized
• Backups containing your information are automatically purged within 90 days
• Some information may be retained in anonymized form for legitimate research purposes
• We maintain records of deletions for audit purposes (without storing the deleted personal information)

Your Privacy Rights

You have important rights regarding your personal information. These rights may vary depending on your jurisdiction, but generally include:

Right of Access

You have the right to request access to any personal information we hold about you:

• What we will provide: A copy of your personal information in a commonly used format
• Response time: We will respond within 20 working days (as required by law)
• Cost: Access is free for the first request per year; reasonable charges may apply for additional requests
• Verification: We may need to verify your identity before providing access
• Limitations:We may refuse access only in specific circumstances permitted by law (e.g., if it would harm another person's privacy)

Right of Correction

You have the right to request correction of any personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading:

• How to request: Contact us with details of the incorrect information
• Our response: We will correct the information or explain why we believe it is accurate
• Timeline: Corrections will be made within 20 working days
• Third party notification: We will notify relevant third parties of any corrections where appropriate

Additional Rights

• Data Portability: Request your personal information in a portable format
• Deletion: Request deletion of your personal information (subject to legal retention requirements)
• Restriction of Processing: Request that we limit how we use your information
• Objection: Object to certain uses of your personal information
• Withdrawal of Consent: Withdraw consent for any processing based on consent

Marketing and Communication Choices

• Opt-out: Unsubscribe from marketing emails using the link in any email
• Preferences: Update your communication preferences in your account settings
• Essential communications: Some service-related communications cannot be opted out of while you have an active account

How to Exercise Your Rights

If You're Not Satisfied

If you're not satisfied with our response to your privacy request, you have the right to:

• Contact our Privacy Officer to discuss your concerns
• Make a complaint to the relevant privacy regulator (for New Zealand users, the Privacy Commissionerprivacy.org.nz)
• Seek remedies through the Human Rights Review Tribunal

International Data Transfers

Where Your Data May Be Transferred

• Google Cloud Platform: Data centers in Australia and Singapore (countries with comparable privacy protections)
• Payment Processors: United States and European Union (under appropriate safeguards)
• Email Services: United States (with contractual protections)

Safeguards We Use

We only transfer your information to countries or organizations that provide adequate protection:

• Comparable Privacy Laws:Countries with privacy laws similar to New Zealand's
• Contractual Safeguards: Binding agreements requiring equivalent protection
• Industry Standards: Service providers with SOC 2 and ISO 27001 certifications
• Data Processing Agreements: Specific terms requiring protection of your information

Your Control Over International Transfers

You have the right to:

• Request information about where your data is stored and processed
• Object to transfers to specific countries (though this may limit service availability)
• Request that your data be stored only in New Zealand or Australia (additional fees may apply)

Children's Privacy and Parental Rights

Under applicable law and our terms of service:

• Age Requirement: Certestic is intended for users 18 years and older
• Under 16: We do not knowingly collect personal information from children under 16 without parental consent
• Parental Rights:Parents can request access to, correction of, or deletion of their child's information
• School Use: Educational institutions using our platform must have appropriate consent from parents/guardians

If you believe we have collected information from a child inappropriately, please contact our Privacy Officer immediately.

Jurisdiction-Specific Rights

While Certestic operates under New Zealand law, we recognize and respect the privacy rights of our global customers. Depending on your location, you may have additional rights under your local privacy legislation. We are committed to honoring these rights to the fullest extent reasonably practicable.

General Principle: Where your local privacy laws provide stronger protections than our base requirements, we will endeavor to comply with the higher standard. This includes processing grounds, retention periods, disclosure requirements, and individual rights.

European Union Users (GDPR Rights)

Australian Users (Privacy Act 1988)

Canadian Users (PIPEDA/Provincial Laws)

United States Users (CCPA and State Privacy Laws)

Other Jurisdictions

Your Responsibilities

By using this platform, you agree to:

• Use the platform only for lawful purposes
• Not store sensitive or confidential information without understanding our security model
• Maintain your own backups of important information
• Notify us immediately of any security concerns or potential unauthorized access