Legal

Privacy Policy

Last updated: January 26, 2026

Overview

CertVera is committed to protecting your privacy. This policy explains how we collect, use, and safeguard your information when you use our website, dashboard, and L402 API.

Key principle: CertVera is designed with privacy at its core. Our API requires no personal information at all. Our dashboard collects only the minimum data needed to provide the service - your name and email from your OAuth provider.

Information We Collect

Dashboard users - When you sign in via Google, LinkedIn, or Apple, we receive and store:

  • Your name (as provided by your OAuth provider)
  • Your email address
  • Your OAuth provider ID (for account linking)

We do not receive or store your password from any OAuth provider.

Uploaded documents - When you upload files through the dashboard, we store:

  • The file itself (encrypted in cloud storage)
  • The SHA-256 hash of the file
  • Upload timestamp and blockchain transaction data
  • Virus scan results

Automatically collected - We may collect standard server logs including IP addresses, browser type, and pages visited for security and analytics purposes.

How We Use Your Information

Your personal data is used exclusively to:

  • Provide and maintain the certification service
  • Send email notifications about your certifications (broadcast confirmation, blockchain confirmation)
  • Communicate important service updates or security notices
  • Prevent abuse and maintain platform security

We do not sell your personal information. We do not use your data for advertising or marketing to third parties.

API Privacy

The L402 API is designed for maximum privacy. It collects no personal information whatsoever. No accounts, no email, no names. The only data processed is the document hash you submit and the Lightning payment. Your document never touches our servers - only the hash.

Data Storage & Retention

Account data (name, email) is retained as long as your account is active. You may request account deletion at any time.

Uploaded files are stored encrypted in Google Cloud Storage. Files can be accessed only through time-limited signed URLs generated when you visit your dashboard.

Blockchain data - Document hashes and transaction IDs recorded on the Bitcoin blockchain are permanent and immutable by design. This data cannot be deleted as it exists on the public Bitcoin ledger.

Server logs are retained for up to 90 days for security purposes and then automatically deleted.

Sharing Your Information

CertVera does not share your personal data with third parties except:

  • Service providers - We use Google Cloud Storage for file hosting and SendGrid for email delivery. These providers process data only as necessary to provide their services.
  • Blockchain - Document hashes (not documents themselves) are published to the Bitcoin blockchain. Hashes cannot be reversed to reveal document contents.
  • Legal requirements - We may disclose information if required by law or to protect the rights, safety, or property of CertVera or its users.

Cookies & Analytics

CertVera uses the following cookies and tracking technologies:

  • Session cookies - Essential for maintaining your login session. These are deleted when you close your browser or log out.
  • Google Analytics - We use Google Analytics to understand how visitors use our site. This data is anonymized and aggregated.

We do not use advertising cookies or third-party tracking pixels.

Security

We implement industry-standard security measures to protect your information:

  • HTTPS encryption for all data in transit
  • Encrypted file storage with access-controlled signed URLs
  • OAuth-only authentication (no passwords stored)
  • Automated virus scanning on all uploaded files
  • Environment variables for all secrets and credentials

While we take security seriously, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data.

Your Rights

You have the right to:

  • Access your personal data stored by CertVera
  • Correct inaccurate information (updates to name/email flow through your OAuth provider)
  • Delete your account and associated personal data
  • Export your certification records

To exercise any of these rights, contact us. We will respond within 30 days.

Note: Blockchain records (hashes and transaction IDs) cannot be deleted as they exist on the immutable Bitcoin ledger. However, these records contain only cryptographic hashes and cannot be linked to your identity without access to your CertVera account.

Changes to This Policy

We may update this privacy policy to reflect changes in our practices or for legal reasons. Material changes will be communicated via email to registered users. The "Last updated" date at the top indicates when the policy was most recently revised.

Contact

If you have questions about this Privacy Policy or how we handle your data, please visit our contact page.