Privacy Policy

Effective date: March 14, 2026

This Privacy Policy describes how CertBench (“we,” “us,” or “our”) collects, uses, shares, and protects your personal information when you use our website, applications, and services (the “Service”). By using the Service, you agree to the practices described in this policy.

1. Information We Collect

We collect the following categories of information:

1.1 Account information. When you create an account, we collect your email address, display name, and password. Passwords are stored as secure cryptographic hashes — we never store or have access to your plaintext password.

1.2 Study and usage data. We collect data generated through your use of the Service, including quiz responses, practice exam results, readiness scores, study progress, spaced-repetition scheduling data, and study set interactions.

1.3 User-generated content. Study materials you upload, questions you generate, and study sets you create are stored on our servers to provide the Service.

1.4 Payment information. If you subscribe to CertBench Pro, payment details (credit card number, billing address) are collected and processed directly by Stripe. We do not store your full payment card details on our servers. We receive only a transaction identifier, subscription status, and the last four digits of your card.

1.5 Device and usage analytics. We collect anonymized analytics data including page views, feature usage, session duration, browser type, operating system, and device type. This data is used in aggregate to improve the product and cannot be used to identify individual users.

1.6 Communications. If you contact us for support, we retain your messages and any information you provide to resolve your inquiry.

2. How We Use Your Information

We use the information we collect to:

  • Provide the Service — authenticate your account, deliver study content, calculate readiness scores, and generate adaptive study plans
  • Process AI question generation — send your uploaded study materials to our AI provider for processing when you use the generation feature
  • Process payments — manage your subscription and billing through Stripe
  • Communicate with you — send transactional emails (account verification, password resets, billing receipts) and, with your consent, product updates
  • Improve the Service — analyze aggregated, anonymized usage patterns to inform product development
  • Ensure security — detect and prevent fraud, abuse, and unauthorized access
  • Comply with legal obligations — respond to lawful requests from authorities and meet regulatory requirements

3. Lawful Basis for Processing (EEA/UK Users)

If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data under the following legal bases:

  • Contract performance — processing necessary to provide the Service you signed up for (account data, study data, payment processing)
  • Legitimate interests — improving the Service, ensuring security, and preventing fraud, where these interests are not overridden by your rights
  • Consent — where you have opted in to receive marketing communications (you may withdraw consent at any time)
  • Legal obligation — processing required to comply with applicable laws

4. AI Processing

When you use the AI question generation feature, your uploaded study materials are sent to our AI provider, Anthropic, for processing. Important details:

  • Content is transmitted securely via encrypted connections (TLS)
  • Anthropic processes content solely for the purpose of generating study questions and does not use it to train its AI models
  • Your study materials are not shared with any other third party through the AI generation process
  • AI-generated output may be stored as part of your study sets but is not used by Anthropic beyond the generation request

5. How We Share Your Information

We do not sell, rent, or trade your personal information. We share data only with the following service providers, who process it on our behalf under contractual data-processing agreements:

  • Supabase — database hosting, authentication, and file storage (US-based infrastructure)
  • Vercel — application hosting and content delivery (global edge network)
  • Stripe — payment processing for Pro subscribers (PCI DSS Level 1 compliant)
  • Anthropic — AI-powered question generation

Public study sets. If you choose to make a study set public, its title, questions, and your display name are visible to other CertBench users and anyone with the share link. No other personal data is shared through public study sets.

Legal requirements. We may disclose your information if required to do so by law, or if we believe in good faith that disclosure is necessary to comply with legal process, protect our rights, or ensure user safety.

6. International Data Transfers

Your data may be processed in the United States and other countries where our service providers operate. If you are located outside the United States, your information will be transferred to, stored in, and processed in the US. We ensure that such transfers comply with applicable data protection laws through appropriate safeguards, including standard contractual clauses where required.

7. Data Retention

We retain your information as follows:

  • Account data — retained for as long as your account is active, plus 30 days after deletion to allow for account recovery
  • Study data — retained for as long as your account is active and deleted upon account deletion
  • Payment records — retained for 7 years after the last transaction to comply with tax and financial reporting requirements
  • Analytics data — aggregated and anonymized data may be retained indefinitely for product improvement
  • Support communications — retained for 2 years after resolution

8. Security

We implement industry-standard security measures to protect your data, including:

  • Encrypted connections (TLS/HTTPS) for all data in transit
  • Encryption at rest for stored data
  • Secure password hashing using modern cryptographic algorithms
  • Row-level security (RLS) policies on our database, ensuring users can only access their own data
  • Regular security reviews and dependency audits
  • Payment information handled entirely by Stripe (PCI DSS Level 1 compliant) and never stored on our servers

While we take reasonable precautions, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

9. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you
  • Correction — request that we correct inaccurate or incomplete data
  • Deletion — request that we delete your personal data (you can also delete your account directly from your profile settings)
  • Data portability — request your data in a structured, commonly used, machine-readable format
  • Restriction — request that we restrict processing of your data in certain circumstances
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing

To exercise any of these rights, contact us at privacy@certbench.dev. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.

10. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to know — request details about the categories and specific pieces of personal information we collect, the purposes, and the third parties with whom it is shared
  • Right to delete — request deletion of your personal information, subject to certain exceptions
  • Right to non-discrimination — we will not discriminate against you for exercising your CCPA rights
  • No sale of personal information — we do not sell personal information as defined under the CCPA

To submit a CCPA request, contact us at privacy@certbench.dev.

11. Children's Privacy

The Service is not directed to children under 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected data from a child under 16 without parental consent, we will promptly delete that information. If you believe a child under 16 has provided us with personal data, please contact us at privacy@certbench.dev.

12. Cookies and Tracking Technologies

Essential cookies. We use essential cookies for authentication and session management. These are strictly necessary for the Service to function and cannot be disabled.

Analytics. We use privacy-focused, cookie-free analytics to collect aggregated usage data. This does not involve tracking cookies or cross-site tracking.

No advertising cookies. We do not use advertising or third-party tracking cookies. We do not participate in ad networks or serve targeted advertisements.

13. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing them with your information.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. If we make material changes, we will provide at least 30 days' notice via email or a prominent notice within the Service before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

15. Contact Us

If you have questions about this Privacy Policy or how we handle your data, please contact us: