Privacy Policy
Effective Date: January 26, 2026
Last Updated: February 5, 2026
🔒 Your Privacy Matters
Certivo is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our electronic signature platform.
1. Introduction
Certivo ("we," "us," or "our") provides a cloud-based electronic signature platform designed for FDA 21 CFR Part 11 compliance. This Privacy Policy describes our practices regarding the collection, use, and disclosure of information through our website at certivo.io and our software platform (collectively, the "Service").
By using the Service, you agree to the processing of your information as described in this Privacy Policy. We process your data under various legal bases depending on the purpose (see Section 4.6). Where consent is required as a legal basis (such as for marketing communications), we will obtain your explicit consent separately. If you do not agree with this Privacy Policy, please do not use the Service.
2. Information We Collect
2.1 Information You Provide Directly
We collect information that you voluntarily provide to us when you:
- Create an Account: Full name, email address, organization name, password
- Use the Service: Documents you upload, signature data, workflow configurations, digital log entries
- Contact Us: Name, email, phone number, message content, support inquiries
- Subscribe: Billing information (processed by Stripe - see Section 2.5)
- Team Management: Information about team members you invite
2.2 Information Collected Automatically
When you use the Service, we automatically collect:
- Device Information: IP address, browser type, operating system, device identifiers
- Usage Data: Pages visited, features used, time spent, referring URLs
- Audit Trail Data: Timestamp, IP address, user agent, action performed (required for FDA 21 CFR Part 11 compliance)
- Cookies and Similar Technologies: See Section 3 below
2.3 Signature Event Metadata
When electronic signatures are executed, we collect and store (as required by FDA 21 CFR Part 11):
- Signer's full name
- Date and time of signature
- Meaning/purpose of signature
- IP address and geolocation
- Device and browser information
- Two-factor authentication verification data
- Signature method (typed, drawn, or uploaded)
2.4 Information from Third Parties
We may receive information from:
- Single Sign-On (SSO) Providers: If you authenticate via Google, Microsoft, or other providers, we receive basic profile information (name, email)
- Payment Processor (Stripe): Payment status, subscription tier, transaction history
- Analytics Providers: Aggregated usage statistics and performance metrics
2.5 Payment Information
We use Stripe as our payment processor. We do not store your full credit card numbers. Stripe collects and processes:
- Credit card information
- Billing address
- Payment transaction details
Stripe's privacy policy is available at stripe.com/privacy.
3. Cookies and Tracking Technologies
3.1 Types of Cookies We Use
We use the following types of cookies and similar tracking technologies:
- Essential Cookies: Required for authentication, security, and core functionality
- Performance Cookies: Help us understand how users interact with the Service
- Functional Cookies: Remember your preferences and settings
- Analytics Cookies: Measure traffic and usage patterns (e.g., Google Analytics)
3.2 Managing Cookies
You can control cookies through your browser settings. However, disabling certain cookies may limit Service functionality. Essential cookies cannot be disabled as they are necessary for the Service to operate.
4. How We Use Your Information
We use collected information for the following purposes:
4.1 To Provide and Maintain the Service
- Create and manage your account
- Process electronic signatures
- Store and manage documents
- Generate audit trails and compliance reports
- Provide customer support
4.2 To Process Payments
- Process subscription payments
- Send billing invoices
- Manage subscription tiers and upgrades
4.3 To Communicate With You
- Send service-related notifications (signature requests, document updates)
- Respond to support inquiries
- Send account and security notifications
- Provide product updates and feature announcements (with your consent)
4.4 For Compliance and Security
- Comply with FDA 21 CFR Part 11 and other regulatory requirements
- Maintain audit trails for regulatory audits
- Detect and prevent fraud, abuse, and security incidents
- Enforce our Terms of Service
4.5 To Improve the Service
- Analyze usage patterns and trends
- Develop new features and functionality
- Conduct research and analytics (using aggregated, de-identified data)
4.6 Legal Basis for Processing (GDPR)
For users in the European Economic Area, we process personal data under the following legal bases:
- Contractual Necessity (Art. 6(1)(b)): Providing and maintaining the Service, processing electronic signatures, managing your account, processing payments, and sending service-related notifications
- Legal Obligation (Art. 6(1)(c)): Maintaining audit trails and compliance records as required by FDA 21 CFR Part 11 and other applicable regulations
- Legitimate Interest (Art. 6(1)(f)): Detecting and preventing fraud and security incidents, analyzing aggregated usage data to improve the Service, and enforcing our Terms of Service
- Consent (Art. 6(1)(a)): Sending marketing communications and product announcements. You may withdraw consent at any time by unsubscribing or contacting us
5. How We Share Your Information
We do not sell, rent, or trade your personal information. We may share your information in the following circumstances:
5.1 With Service Providers
We share information with trusted third-party service providers who assist us in operating the Service:
- Hosting: Amazon Web Services (AWS) - data storage and infrastructure
- Payment Processing: Stripe - subscription billing and payments
- Email Delivery: AWS SES / Cloudflare - transactional emails
- Analytics: Google Analytics (anonymized) - usage analytics
- Frontend Hosting: Vercel - website and application hosting
These providers are contractually obligated to protect your information and use it only for the purposes we specify.
5.2 With Your Consent
We may share information when you explicitly consent, such as:
- When you invite team members to your organization
- When you send signature requests to external signers
- When you share documents or workflows
5.3 For Legal Reasons
We may disclose information if required by law or if we believe in good faith that such action is necessary to:
- Comply with legal obligations (subpoenas, court orders)
- Respond to regulatory requests (FDA audits, inspections)
- Protect our rights, property, or safety
- Prevent fraud or abuse
- Investigate potential violations of our Terms of Service
5.4 Business Transfers
If Certivo is involved in a merger, acquisition, sale of assets, or bankruptcy, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our website before your information is transferred.
6. Data Security
We implement industry-standard security measures to protect your information:
6.1 Technical Safeguards
- Encryption at Rest: 256-bit AES encryption for stored data
- Encryption in Transit: TLS 1.2+ for all data transmission
- Access Controls: Role-based access control (RBAC)
- Authentication: Secure password hashing (bcrypt), multi-factor authentication (MFA)
- Audit Logging: Comprehensive logging of all system access and actions
6.2 Organizational Safeguards
- Regular security assessments
- Security awareness practices for team members
- Incident response procedures
- Data backup and disaster recovery plans
6.3 No Absolute Security
While we implement robust security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but will notify you promptly of any data breach affecting your information, as required by law.
7. Data Retention
7.1 Retention Periods
- Active Paid Subscriptions: Data retained for the duration of your active subscription, plus any applicable regulatory retention period (e.g., 25 years for FDA 21 CFR Part 11 regulated records)
- Trial Accounts: Data retained for 60 days after trial expiration, then permanently deleted
- Canceled Accounts: Data available for export for 60 days, then deleted unless a longer retention period is required by law or regulation
- Audit Trails: Retained for the life of the record (typically 25 years for FDA compliance)
- Marketing Communications: Retained until you unsubscribe
7.2 Legal Obligations
We may retain certain information longer if required by law, regulation, or to resolve disputes and enforce our agreements.
8. Your Privacy Rights
8.1 General Rights
You have the following rights regarding your personal information:
- Access: Request a copy of your personal information
- Correction: Update or correct inaccurate information
- Deletion: Request deletion of your information (subject to legal retention requirements)
- Export: Download your data in portable formats (PDF, CSV, JSON)
- Objection: Object to processing of your information for marketing purposes
8.2 GDPR Rights (EU Users)
If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):
- Data Portability: Receive your data in a structured, machine-readable format
- Restriction: Request restriction of processing in certain circumstances
- Withdraw Consent: Withdraw consent for processing at any time
- Lodge a Complaint: File a complaint with your local data protection authority
8.3 CCPA Rights (California Users)
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):
- Know: What personal information we collect, use, and share
- Delete: Request deletion of personal information (subject to exceptions)
- Opt-Out: Opt out of the sale of personal information (Note: We do not sell personal information)
- Non-Discrimination: Exercise your rights without discriminatory treatment
8.4 How to Exercise Your Rights
To exercise any of these rights, contact us at privacy@certivo.io or through your account settings. We will respond within 30 days (or as required by applicable law).
9. International Data Transfers
Your information may be transferred to and processed in the United States or other countries where our service providers operate. These countries may have different data protection laws than your jurisdiction.
For EEA users, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Other lawful transfer mechanisms under GDPR
10. Children's Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately, and we will delete such information.
11. Third-Party Links
The Service may contain links to third-party websites or services not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.
12. Do Not Track and Global Privacy Control
Some browsers include "Do Not Track" (DNT) features. Our Service does not currently respond to DNT signals. However, you can control cookies and tracking through your browser settings.
We recognize and honor Global Privacy Control (GPC) signals as valid opt-out requests under the California Consumer Privacy Act (CCPA/CPRA). When we detect a GPC signal from your browser, we treat it as a request to opt out of the sale or sharing of your personal information. Note: We do not sell or share personal information for cross-context behavioral advertising.
13. Automated Decision-Making
We do not engage in automated profiling or algorithmic decision-making that produces legal or similarly significant effects on you. We do use rules-based security and operational measures, including:
- Account Security: Automatic account lockout after repeated failed login attempts to protect against unauthorized access
- Rate Limiting: Automatic throttling of excessive requests to maintain service stability and security
- Subscription Lifecycle: Automatic enforcement of trial expiration, grace periods, and data retention schedules as described in Section 7
These measures are based on fixed rules and thresholds, not on profiling or automated assessment of personal characteristics. If you believe you have been adversely affected by an automated decision, please contact us at privacy@certivo.io.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by:
- Posting the updated Privacy Policy on this page
- Updating the "Last Updated" date at the top
- Sending an email notification for significant changes
- Displaying a prominent notice in the Service
Continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Certivo - Privacy Team
Email: privacy@certivo.io
Website: certivo.io
Mail:
Certivo, Inc.
1519 E Chapman Ave. #278
Fullerton, CA 92831
For GDPR-related inquiries, please include "GDPR Request" in the subject line.
For CCPA-related inquiries, please include "CCPA Request" in the subject line.
By using Certivo, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use, and disclosure of your information as described herein.