1. Who We Are
CertAstra ("we", "us", "our") is a compliance management platform. For the purposes of EU data protection law, CertAstra acts as the data controller for personal data collected through our website and platform. Our contact address for privacy matters is hello@certastra.com.
2. Data We Collect
We collect the following categories of personal data:
- Account data: Name, email address, password (stored as a secure hash), and organization details provided during registration
- Usage data: Pages visited, features used, actions taken within the platform, and timestamps
- Content data: Evidence files, audit responses, control notes, and other compliance content you upload or create
- Communication data: Messages you send to our support team
- Technical data: IP address, browser type and version, device information, and cookies
- Billing data: Payment method details (processed by our payment provider; we do not store full card numbers)
3. How We Use Your Data
We use your personal data to:
- Provide, operate, and improve the CertAstra platform
- Create and manage your account and organization
- Send transactional emails (account verification, audit assignments, evidence notifications)
- Process payments and manage subscriptions
- Respond to support requests and inquiries
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations
- Send product updates and announcements (you may opt out at any time)
4. Legal Basis for Processing (GDPR)
Under GDPR, we rely on the following legal bases:
- Contract performance: Processing necessary to provide the services you have subscribed to
- Legitimate interests: Improving our platform, preventing fraud, and ensuring security
- Legal obligation: Complying with applicable laws and regulations
- Consent: Marketing communications (you may withdraw consent at any time)
5. Data Sharing
We do not sell your personal data. We may share data with:
- Service providers: Hosting, email delivery, payment processing, and analytics partners who process data on our behalf under data processing agreements
- AI providers: When you use AI features, anonymized or pseudonymized content may be processed by AI providers under strict data processing terms
- Legal authorities: Where required by law, court order, or to protect the rights and safety of CertAstra and its users
- Business transfers: In connection with a merger, acquisition, or sale of assets, subject to standard confidentiality protections
6. Data Retention
We retain your personal data for as long as your account is active or as needed to provide services. Specifically:
- Account data is retained until account deletion plus 30 days
- Billing records are retained for 7 years to comply with financial regulations
- Activity logs are retained for 12 months
- You may request deletion of your data at any time (subject to legal retention requirements)
7. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
- TLS/HTTPS encryption for all data in transit
- Encryption of sensitive data at rest
- Role-based access controls within the platform
- Regular security reviews and vulnerability assessments
- Secure password hashing using industry-standard algorithms
No system is completely secure. In the event of a data breach affecting your rights and freedoms, we will notify you and the relevant supervisory authority as required by law.
8. Your Rights (GDPR)
If you are in the European Economic Area, you have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your data ("right to be forgotten")
- Restriction: Request that we limit processing of your data
- Portability: Receive your data in a structured, machine-readable format
- Objection: Object to processing based on legitimate interests
- Withdraw consent: Withdraw consent for marketing communications at any time
To exercise any of these rights, contact us at hello@certastra.com. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority.
9. Cookies
We use cookies and similar tracking technologies to operate the platform. These include:
- Essential cookies: Required for authentication and platform functionality
- Analytics cookies: Help us understand how the platform is used (anonymized)
- Preference cookies: Remember your settings and preferences
You can control cookies through your browser settings. Disabling essential cookies may affect platform functionality.
10. International Transfers
CertAstra is hosted exclusively on Hetzner Cloud infrastructure in the EU (Helsinki, Finland, and Nuremberg, Germany). All data processing occurs within the EU. No international transfers to third countries are made for core platform operations, meaning no Standard Contractual Clauses (SCCs) are required for the platform itself.
This means your compliance data, audit evidence, and personal information processed by CertAstra are never subject to US surveillance laws (FISA, CLOUD Act) or equivalent third-country legislation. CertAstra is Schrems II-safe by design.
11. Children's Privacy
CertAstra is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or via an in-app notice at least 14 days before changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.
13. Contact and DPO
For privacy-related questions, requests, or complaints, please contact us:
- Email: hello@certastra.com
- Website: certastra.com
You also have the right to contact the Finnish Data Protection Ombudsman (tietosuoja.fi) if you have concerns about how we handle your data.