CertiPing ("we," "us," or "our") helps shops and warehouses avoid costly safety-certification fines by tracking expiry dates and sending automated reminders. This Privacy Policy explains how we collect, use, disclose, and safeguard personal information when you use certiping.com, the CertiPing web application, and related services (collectively, the "Service").
1. Information We Collect
Category (CPRA §1798.140) | Examples | Source | Purpose |
---|---|---|---|
Identifiers | Work email, name, phone number | You (signup, CSV import) | Account creation, login, email/SMS reminders |
Employment-related data | Job title, company name | You | Display in dashboard, reminder context |
Internet activity | IP address, browser agent, pages visited, error logs | Automatic | Security, debugging, analytics |
Certification records ("Professional or employment information") | Cert type, expiry date, PDF scans | You | Display dashboard, send reminders, generate compliance reports |
We do not collect sensitive personal information as defined by CPRA (e.g., SSN, precise geolocation, biometric, medical, or financial account numbers).
2. Why We Use Your Information
- Provide and maintain the Service (create accounts, display dashboards).
- Send reminder emails and SMS notifications requested by your organization.
- Generate PDF compliance reports.
- Provide customer support and resolve technical issues you report.
- Improve reliability (debugging, analytics, error logging).
- Produce anonymized, aggregated statistics (e.g. number of certificates managed) to improve our service and communicate product trends.
- Security / fraud prevention (rate-limiting, detecting abuse).
- Comply with legal obligations (OSHA record retention, accounting).
We rely on the following lawful bases: performance of contract, legitimate interest (service improvement & security), and legal obligation.
3. How We Share Information
We never sell or rent personal information. We disclose data only to service providers under CPRA-compliant agreements:
Service Provider | Purpose | Location |
---|---|---|
Supabase | Database, authentication, storage | USA / EU (user-selectable) |
Vercel | Application hosting / CDN | USA / global |
Postmark | Transactional email delivery | USA |
Twilio | SMS notification delivery | USA |
Cloudflare | Edge network, security, status page | Global |
Service providers may access data solely to provide services and must delete/return data upon termination.
We may also share data if required by law, to protect rights, or in connection with a corporate reorganization.
4. Cookies & Tracking
We use essential cookies for authentication and session management, plus optional analytics cookies (Google Analytics 4) if you consent via our banner. You can disable non-essential cookies at any time.
5. SMS Communications & Consent
SMS Opt-In Process
For Professional and Enterprise plan subscribers, we offer SMS notifications for certification expiration reminders. SMS notifications are optional and require explicit consent:
- Web Form Consent: Users opt in via account settings or during plan subscription
- Employee Consent: Phone numbers collected during employee import with clear SMS consent
- Clear Disclosure: We explain message frequency, data rates, and opt-out procedures
SMS Message Types
- Certification expiration reminders (60/30/7/1-day notifications)
- Critical compliance alerts for expired certifications
- Account notifications (plan changes, billing updates)
SMS Opt-Out
You can opt out of SMS notifications at any time by:
- Replying STOP to any SMS message
- Disabling SMS in your account settings
- Contacting support at [email protected]
SMS Data & Rates
- Standard message and data rates apply
- We do not charge for SMS notifications (included in subscription)
- Phone numbers are stored securely and used only for opted-in notifications
- We comply with TCPA (Telephone Consumer Protection Act) requirements
6. Your CPRA Rights
California residents have the right to:
- Know the categories and specific pieces of personal information we collect.
- Delete personal information we hold (subject to OSHA retention requirements).
- Correct inaccurate personal information.
- Opt out of "sale" or "sharing" of personal data (we do neither).
- Limit use of sensitive personal information (not collected).
- Non-discrimination for exercising any of these rights.
Exercise Your Rights
Email [email protected] or use the "Privacy" link in your account settings. We will verify your identity via your work email and respond within 45 days.
7. Data Retention & Deletion
- Account data is retained while your subscription is active.
- Certification documents are stored for 3 years after expiry for the OSHA audit trail, then auto-purged.
- Backups are retained for 30 days.
Upon account closure, we delete all data within 30 days, except where legal retention applies.
8. Security Measures
- TLS 1.3 encryption in transit, AES-256 at rest (Supabase).
- HSTS preload, CSP, and rate-limiting.
- Daily off-site backups with integrity checks.
- Role-based access; admin 2FA mandatory.
- Automated vulnerability scans (OWASP ZAP & Nuclei) run in CI; critical issues are fixed in under 7 days.
- Public responsible-disclosure program inviting researchers to report vulnerabilities.
9. International Transfers
Data may be processed in the United States or the European Union. We rely on Standard Contractual Clauses (SCCs) for EU transfers.
10. Children's Privacy
The Service is not intended for anyone under 16. We do not knowingly collect personal information from children.
11. Changes to This Policy
We may update this Policy. We will post the new version and notify account owners via email 30 days before changes take effect.
12. Contact Us
Questions or requests? Email [email protected] or write to:
Wittyfairy Productions LLC (D.B.A. CertiPing)
1401 21st St Ste 8014
Sacramento, CA 95811 USA
Thank you for trusting CertiPing to keep your workforce compliant and your data secure.