This is a draft placeholder, not reviewed by legal counsel. It must be finalized by a qualified lawyer for your jurisdiction(s) before relying on it in production.

Privacy Policy

Version 2026-07-09

1. Who we are

aethercert ("we", "us") provides certificate lifecycle management software. This policy explains what personal data we collect from account holders and how we use it, for customers in the European Union, United Kingdom, United States, and Canada.

2. What we collect

  • Account data: email address, password (hashed), display name.
  • Organization data: company name, contact person, address, email, phone.
  • Billing data: processed and stored by Stripe, our payment processor - we store a Stripe customer/subscription reference, not card details.
  • Usage data: audit log entries (who did what, when) scoped to your organization.

3. Legal basis for processing (GDPR / UK GDPR)

We process account and organization data to perform our contract with you (providing the service you signed up for), and billing data to comply with our legal obligations. Where you've opted in, we process your email to send optional product updates based on your consent, which you can withdraw at any time in Settings.

4. Your rights

  • EU / UK (GDPR, UK GDPR): access, rectification, erasure, restriction, portability, and objection. Contact us to exercise these, or use the self-service tools in Settings > Account (download your data, delete your account).
  • California (CCPA/CPRA): right to know, delete, correct, and opt out of the sale or sharing of personal information. We do not sell personal information.
  • Canada (PIPEDA): right to access and request correction of your personal information, and to withdraw consent for optional processing.

5. Data retention

Account and organization data is retained while your account is active. Audit log entries are retained per your plan's event log retention period (7 days on Free, 1 year on Standard/MSP). Billing records may be retained longer where required by tax law, even after an account deletion request, per GDPR Art. 17(3)(b)'s legal-obligation exception.

6. International transfers

Our infrastructure providers (Supabase, Stripe) may process data outside your country. Where required, we rely on Standard Contractual Clauses or equivalent safeguards.

7. Contact

To exercise any of the above rights or ask a question, contact us at the address listed on our website.