Privacy Policy
Last updated: January 2025
1. Who we are
CertiLab (the “Company”, “we”, “us”) is the data controller for personal data processed through our website and services. Contact: privacy@certilab.com. If applicable, you may contact our Data Protection Officer at dpo@certilab.com. [EEA/UK representative details if required.] This policy applies internationally.
2. Scope
This Policy applies to our websites, apps, practice tests, performance analytics, support, and related services offered globally to users in the EU/EEA, UK, US, and other regions.
3. Categories of data we collect
- Identifiers: name, email, account ID, IP address, device IDs.
- Usage data: pages visited, events, logs, approximate location.
- Learning data: practice test attempts, results, timing, topic mastery.
- Payments: payment tokens and status from our payment processor (no full card numbers stored by us).
- Communications: support tickets, feedback, surveys.
Sources: directly from you, from your device/browser, and from service providers (e.g., payments, analytics).
4. Purposes and legal bases (GDPR/UK GDPR)
- Provide and operate the services, accounts, and tests — Contract necessity.
- Performance analytics and study recommendations — Legitimate interest or consent where required.
- Service communications (results, updates, policy changes) — Contract/legal obligation.
- Security, fraud prevention, debugging, and service improvement — Legitimate interest.
- Marketing communications — Consent.
- Billing, taxation, and compliance — Legal obligation.
Where processing is based on consent, you can withdraw it at any time through your account or by contacting us, without affecting prior processing.
5. Retention
- Account and learning data: for the life of the account and up to 24 months after inactivity for support and legitimate interests.
- Transaction and legal records: retained per applicable law (e.g., accounting/tax).
We apply data minimization and anonymization/pseudonymization when appropriate.
6. Sharing and recipients
We do not sell your personal data. We share data with service providers acting under contracts that restrict processing to our documented instructions (e.g., hosting, analytics, messaging, payments, support). Disclosures may occur to comply with law or to protect rights, safety, and security.
7. International transfers
When transferring data outside your jurisdiction (e.g., EEA/UK to third countries), we use appropriate safeguards such as Adequacy Decisions or Standard Contractual Clauses, plus supplementary measures as needed. You may request information about these safeguards.
8. Security
We implement technical and organizational measures appropriate to risk, including encryption in transit, access controls, least privilege, logging, and periodic testing. No method of transmission or storage is completely secure.
9. Automated decisions and profiling
We may use profiling to personalize difficulty and recommendations. We do not make solely automated decisions producing legal or similarly significant effects without an appropriate legal basis and safeguards.
10. Your rights (GDPR/UK GDPR)
You have the rights of access, rectification, erasure, restriction, objection, and data portability, and the right to withdraw consent. You may lodge a complaint with your local authority (e.g., AEPD, ICO). We respond within one month and verify your identity as needed.
11. U.S. state privacy disclosures (incl. California CPRA)
- Right to know, delete, correct, and to not be discriminated against for exercising rights.
- Disclosure of categories collected, purposes, sources, and sharing (as defined by law).
- Opt-out of “sale” or “sharing” for cross‑context behavioral advertising (see the specific link on the terms page).
- Retention periods by category are described in this Policy and/or our Data Retention Schedule.
Submit requests via privacy@certilab.com or our rights portal; we respond within 45 days (extendable) after verifying your request. Authorized agents may submit requests with proof of authority.
12. Children
Our services are not directed to children under 13, and we do not knowingly collect data from them. Where applicable law requires, parental consent is needed for minors. California residents aged 13–15 must opt in before any “sale” or “sharing” of personal information.
13. Changes to this Policy
We will post updates on this page with a new “Last updated” date and, where required, provide additional notice for material changes.
14. Contact
Questions or requests: privacy@certilab.com. If applicable, contact our DPO at dpo@certilab.com and our EEA/UK representative via the details provided in the imprint.