Privacy policy

Effective March 19, 2026

CertPulse is a certificate monitoring service operated out of Slovakia (EU). This policy explains what data we collect, why we collect it, and what control you have over it.

We tried to keep this readable. If something is unclear, email us at privacy@certpulse.dev and we will clarify it.

1. What we collect

When you use CertPulse, we collect the following:

  • Account information. Your email address, name, and organization name. This comes through Clerk (our authentication provider) when you sign up.
  • Certificate metadata. Public certificate data from your connected cloud accounts: subject names, issuers, expiry dates, SANs, key types. This is the same information anyone can see by connecting to your endpoints. We never access or store private keys.
  • Scan results. TLS handshake data, certificate chain validation results, and compliance check outputs from our monitoring scans.
  • Usage data. Basic analytics: which features you use, how often you log in, pages you visit within the app. We use this to improve the product. We do not track you across other websites.
  • Billing information. Payment details are handled entirely by Stripe. We see your plan tier and billing status but never your card number.
  • Alert destinations. Email addresses, Slack webhook URLs, or other notification endpoints you configure for certificate alerts.

Legal basis: We process account data and alert destinations under GDPR Article 6(1)(b) (necessary for performing our contract with you). Usage analytics are processed under Article 6(1)(f) (legitimate interest in improving the service). You can opt out of analytics at any time.

2. What we don't collect

It is worth being explicit about what we do not touch:

  • Private keys. Never. We only read public certificate data. Your private keys stay on your infrastructure.
  • Certificate files. We don't download or store your .pem, .crt, or .pfx files. We read metadata from cloud APIs and TLS handshakes.
  • Raw cloud credentials. For AWS, we use IAM roles with cross-account assume-role. For Azure and GCP, we store encrypted service principal credentials. We never ask for root keys or admin passwords.

3. How we store your data

All customer data lives in Supabase (PostgreSQL) in an EU region.

  • Data is encrypted at rest (AES-256).
  • All connections use TLS 1.3 in transit.
  • Our application servers run on Fly.io in EU regions.
  • Backups are encrypted and stored within the same EU region.

4. Cloud credentials

This deserves its own section because credential handling matters.

When you connect a cloud account, we store the connection details (IAM role ARNs, Azure service principal IDs, GCP service account keys) in our database using envelope encryption with AES-256-GCM. The encryption keys are managed separately and rotated regularly.

These credentials are used exclusively for read-only certificate enumeration. We request the minimum permissions needed (typically certificate manager read access) and nothing more.

Cloud credentials are never exposed through our API, never logged, and never accessible to our support team in plaintext.

5. Third-party processors

We use the following services to run CertPulse. Each processes some portion of your data:

| Service | Purpose | Data processed |
|---|---|---|
| Clerk | Authentication | Email, name, session tokens |
| Stripe | Billing | Payment info, billing address |
| Resend | Transactional email | Email addresses, alert content |
| Fly.io | Application hosting | All application data (in transit) |
| Cloudflare | CDN, DNS, DDoS protection | IP addresses, request metadata |
| Supabase | Database | All stored customer data |

We have Data Processing Agreements (DPAs) with each of these providers. If you need a copy of our DPA or our sub-processor list in a formal format, email privacy@certpulse.dev.

6. Cookies

We only use cookies that are strictly necessary for the service to work:

  • Clerk session cookie. Keeps you logged in. Expires when your session ends or after the configured timeout.

That is it. No analytics cookies, no advertising cookies, no third-party trackers. Because we only use essential cookies, we do not need a cookie consent banner under the ePrivacy Directive.

7. Data retention

  • Account data is kept for as long as your account is active.
  • Scan results and certificate history are retained according to your plan tier (free plans: 30 days, paid plans: up to 12 months or as specified in your plan).
  • After account closure, we delete all your data within 30 days. This includes account information, certificate metadata, scan results, and encrypted cloud credentials.
  • Billing records may be retained longer if required by tax law (typically 10 years in the EU).

8. Your rights under GDPR

CertPulse is an EU-based company, so GDPR applies to all our users regardless of where you are located. You have the right to:

  • Access your personal data. We can provide a machine-readable export.
  • Rectify inaccurate data. You can update most information directly in your account settings.
  • Delete your data. You can delete your account from the settings page, or email us and we will do it for you.
  • Port your data. We can provide an export of your certificate inventory, scan history, and account information in JSON format.
  • Object to processing based on legitimate interest (e.g., usage analytics). We will stop unless we have a compelling reason to continue.
  • Lodge a complaint with your local data protection authority. In Slovakia, that is the Urad na ochranu osobnych udajov Slovenskej republiky (Office for Personal Data Protection of the Slovak Republic).

To exercise any of these rights, email privacy@certpulse.dev. We will respond within 30 days as required by GDPR.

9. International transfers

We keep data in the EU wherever possible. Some of our sub-processors (Clerk, Stripe, Cloudflare) are US-based companies. Where data is transferred outside the EU, it is covered by:

  • The EU-US Data Privacy Framework (for certified US companies), or
  • Standard Contractual Clauses (SCCs) approved by the European Commission.

10. Children

CertPulse is a B2B service for engineering teams. We do not knowingly collect data from anyone under 16. If you believe a child has created an account, contact us and we will delete it.

11. Changes to this policy

If we make material changes, we will email you at least 30 days before they take effect. Minor wording fixes (typos, clarifications that do not change meaning) may be made without notice. The "effective date" at the top of this page always reflects the latest version.

12. Contact

For anything related to this privacy policy or your personal data:

CertPulse

Slovakia, European Union

Email: privacy@certpulse.dev

General support: support@certpulse.dev