Privacy Policy

Last updated: 10 February 2026

1. Who We Are

CertBox is a digital certification platform operated in England. We are the data controller for the personal data processed through this Service. Contact: privacy@certbox.app.

2. Data We Collect

  • Account data: name, email address, phone number, role, country, company name
  • Property data: property addresses, postcodes, property types, owner information
  • Certificate data: certificate types, issue/expiry dates, form data, uploaded PDF files
  • Organisation data: organisation name, contact details, membership
  • Usage data: login times, features used, pages visited

3. Lawful Basis for Processing

  • Contract: processing necessary to provide the Service you signed up for
  • Legitimate interests: improving the Service, preventing fraud, ensuring security
  • Consent: marketing communications (you may withdraw consent at any time)
  • Legal obligation: where required to comply with applicable law

4. How We Use Your Data

We use your data to: provide and maintain the Service; authenticate your identity; generate and store certificates; enable sharing of certificates via share links; send transactional emails; and improve the Service.

5. Data Sharing

We do not sell your personal data. We share data with:

  • Infrastructure providers: self-hosted authentication, database, and storage services
  • Stripe: payment processing (for paid subscriptions)
  • Share link recipients: when you create a share link, the linked certificate data is accessible to anyone with the link

6. Data Retention

We retain your account and certificate data for as long as your account is active. Upon account deletion, we will delete your personal data within 30 days, except where retention is required by law. Shared certificate snapshots may persist until the share link expires.

7. International Transfers

Your data is stored on Google Cloud infrastructure. Where data is transferred outside the UK, we rely on appropriate safeguards including Standard Contractual Clauses and adequacy decisions.

8. Your Rights

Under UK GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase your data ("right to be forgotten")
  • Restrict processing
  • Request data portability
  • Object to processing
  • Withdraw consent at any time

To exercise these rights, contact privacy@certbox.app. We will respond within one month.

9. Cookies

We use essential cookies required for authentication and Service functionality. We do not use third-party advertising or tracking cookies.

10. Security

We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS), encryption at rest, access controls, and regular security reviews.

11. Children

The Service is not directed at individuals under 18. We do not knowingly collect personal data from children.

12. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes via email or in-app notification.

13. Complaints

If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.