Privacy Policy

1. Introduction

Certivo ("we," "us," or "our") provides a cloud-based electronic signature platform designed for FDA 21 CFR Part 11 compliance. This Privacy Policy describes our practices regarding the collection, use, and disclosure of information through our website at certivo.io and our software platform (collectively, the "Service").

By using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Service.

2. Information We Collect

2.1 Information You Provide Directly

We collect information that you voluntarily provide to us when you:

• Create an Account: Full name, email address, organization name, password
• Use the Service: Documents you upload, signature data, workflow configurations, digital log entries
• Contact Us: Name, email, phone number, message content, support inquiries
• Subscribe: Billing information (processed by Stripe - see Section 2.5)
• Team Management: Information about team members you invite

2.2 Information Collected Automatically

When you use the Service, we automatically collect:

• Device Information: IP address, browser type, operating system, device identifiers
• Usage Data: Pages visited, features used, time spent, referring URLs
• Audit Trail Data: Timestamp, IP address, user agent, action performed (required for FDA 21 CFR Part 11 compliance)
• Cookies and Similar Technologies: See Section 3 below

2.3 Signature Event Metadata

When electronic signatures are executed, we collect and store (as required by FDA 21 CFR Part 11):

• Signer's full name
• Date and time of signature
• Meaning/purpose of signature
• IP address and geolocation
• Device and browser information
• Two-factor authentication verification data
• Signature method (typed, drawn, or uploaded)

2.4 Information from Third Parties

We may receive information from:

• Single Sign-On (SSO) Providers: If you authenticate via Google, Microsoft, or other providers, we receive basic profile information (name, email)
• Payment Processor (Stripe): Payment status, subscription tier, transaction history
• Analytics Providers: Aggregated usage statistics and performance metrics

2.5 Payment Information

We use Stripe as our payment processor. We do not store your full credit card numbers. Stripe collects and processes:

• Credit card information
• Billing address
• Payment transaction details

Stripe's privacy policy is available at stripe.com/privacy.

3. Cookies and Tracking Technologies

3.1 Types of Cookies We Use

We use cookies and similar tracking technologies to:

• Essential Cookies: Required for authentication, security, and core functionality
• Performance Cookies: Help us understand how users interact with the Service
• Functional Cookies: Remember your preferences and settings
• Analytics Cookies: Measure traffic and usage patterns (e.g., Google Analytics)

3.2 Managing Cookies

You can control cookies through your browser settings. However, disabling certain cookies may limit Service functionality. Essential cookies cannot be disabled as they are necessary for the Service to operate.

4. How We Use Your Information

We use collected information for the following purposes:

4.1 To Provide and Maintain the Service

• Create and manage your account
• Process electronic signatures
• Store and manage documents
• Generate audit trails and compliance reports
• Provide customer support

4.2 To Process Payments

• Process subscription payments
• Send billing invoices
• Manage subscription tiers and upgrades

4.3 To Communicate With You

• Send service-related notifications (signature requests, document updates)
• Respond to support inquiries
• Send account and security notifications
• Provide product updates and feature announcements (with your consent)

4.4 For Compliance and Security

• Comply with FDA 21 CFR Part 11 and other regulatory requirements
• Maintain audit trails for regulatory audits
• Detect and prevent fraud, abuse, and security incidents
• Enforce our Terms of Service

4.5 To Improve the Service

• Analyze usage patterns and trends
• Develop new features and functionality
• Conduct research and analytics (using aggregated, de-identified data)

5. How We Share Your Information

We do not sell, rent, or trade your personal information. We may share your information in the following circumstances:

5.1 With Service Providers

We share information with trusted third-party service providers who assist us in operating the Service:

• Hosting: Amazon Web Services (AWS) - data storage and infrastructure
• Payment Processing: Stripe - subscription billing and payments
• Email Delivery: AWS SES / Cloudflare - transactional emails
• Analytics: Google Analytics (anonymized) - usage analytics
• Frontend Hosting: Vercel - website and application hosting

These providers are contractually obligated to protect your information and use it only for the purposes we specify.

5.2 With Your Consent

We may share information when you explicitly consent, such as:

• When you invite team members to your organization
• When you send signature requests to external signers
• When you share documents or workflows

5.3 For Legal Reasons

We may disclose information if required by law or in good faith belief that such action is necessary to:

• Comply with legal obligations (subpoenas, court orders)
• Respond to regulatory requests (FDA audits, inspections)
• Protect our rights, property, or safety
• Prevent fraud or abuse
• Investigate potential violations of our Terms of Service

5.4 Business Transfers

If Certivo is involved in a merger, acquisition, sale of assets, or bankruptcy, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our website before your information is transferred.

6. Data Security

We implement industry-standard security measures to protect your information:

6.1 Technical Safeguards

• Encryption at Rest: 256-bit AES encryption for stored data
• Encryption in Transit: TLS 1.2+ for all data transmission
• Access Controls: Role-based access control (RBAC)
• Authentication: Secure password hashing (bcrypt), multi-factor authentication (MFA)
• Audit Logging: Comprehensive logging of all system access and actions

6.2 Organizational Safeguards

• Regular security audits and penetration testing
• Employee background checks and security training
• SOC 2 Type II compliance program
• Incident response procedures
• Data backup and disaster recovery plans

6.3 No Absolute Security

While we implement robust security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but will notify you promptly of any data breach affecting your information, as required by law.

7. Data Retention

7.1 Retention Periods

• Active Paid Subscriptions: Data retained indefinitely (or as required by FDA 21 CFR Part 11 - minimum 25 years for regulated records)
• Trial Accounts: Data retained for 60 days after trial expiration, then permanently deleted
• Canceled Accounts: Data available for export for 60 days, then archived or deleted based on legal requirements
• Audit Trails: Retained for the life of the record (typically 25 years for FDA compliance)
• Marketing Communications: Retained until you unsubscribe

7.2 Legal Obligations

We may retain certain information longer if required by law, regulation, or to resolve disputes and enforce our agreements.

8. Your Privacy Rights

8.1 General Rights

You have the following rights regarding your personal information:

• Access: Request a copy of your personal information
• Correction: Update or correct inaccurate information
• Deletion: Request deletion of your information (subject to legal retention requirements)
• Export: Download your data in portable formats (PDF, CSV, JSON)
• Objection: Object to processing of your information for marketing purposes

8.2 GDPR Rights (EU Users)

If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):

• Data Portability: Receive your data in a structured, machine-readable format
• Restriction: Request restriction of processing in certain circumstances
• Withdraw Consent: Withdraw consent for processing at any time
• Lodge a Complaint: File a complaint with your local data protection authority

8.3 CCPA Rights (California Users)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):

• Know: What personal information we collect, use, and share
• Delete: Request deletion of personal information (subject to exceptions)
• Opt-Out: Opt-out of the sale of personal information (Note: We do not sell personal information)
• Non-Discrimination: Exercise your rights without discriminatory treatment

8.4 How to Exercise Your Rights

To exercise any of these rights, contact us at support@certivo.io or through your account settings. We will respond within 30 days (or as required by applicable law).

9. International Data Transfers

Your information may be transferred to and processed in the United States or other countries where our service providers operate. These countries may have different data protection laws than your jurisdiction.

For EEA users, we rely on:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions by the European Commission
• Other lawful transfer mechanisms under GDPR

10. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately, and we will delete such information.

11. Third-Party Links

The Service may contain links to third-party websites or services not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.

12. Do Not Track Signals

Some browsers include "Do Not Track" (DNT) features. Our Service does not currently respond to DNT signals. However, you can control cookies and tracking through your browser settings.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by:

• Posting the updated Privacy Policy on this page
• Updating the "Last Updated" date at the top
• Sending an email notification for significant changes
• Displaying a prominent notice in the Service

Continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: