Privacy Policy

CertVault ("CertVault", "we", "us", or "our") operates the CertVault platform at certvaultapp.com. CertVault enables workers to store and share professional certificates and compliance documents with employers worldwide.

For the purposes of the GDPR and UK GDPR, CertVault is the data controller of your personal data. For questions about how we handle your data, contact us at legal@certvaultapp.com.

Under the GDPR and UK GDPR, we must have a lawful basis for processing your personal data. The table below sets out the basis we rely on for each type of processing:

For Australian users, the corresponding basis is purpose-limitation under the Australian Privacy Principles (APP 3, APP 6).

Medical fitness certificates and immunisation records are special category personal data under GDPR Article 9 and equivalent laws. We only process this data when you have given us explicit, informed consent (recorded with a timestamp in our system) before any upload.

You may withdraw this consent at any time by deleting your medical/immunisation records and contacting us at legal@certvaultapp.com to request removal of your consent record.

We never share health records with anyone other than employers you explicitly choose to make your profile visible to.

The consent record stored at upload time includes a timestamp and acknowledgment that: (a) the file will be scanned for malware by VirusTotal (which may retain samples per its own policy); (b) the document's text content may be processed by Anthropic for OCR purposes; (c) consent can be withdrawn at any time by deleting the record and contacting legal@certvaultapp.com; and (d) the consent record (this acknowledgment + a timestamp) exists alongside your account and is removed in full when you close your CertVault account — we retain no audit trail of past consent.

• To provide and operate the Platform.
• To enable workers to store and share professional documents with employers.
• To enable employers to search for, view, and manage worker profiles.
• To send account-related notifications (password resets, document expiry reminders, platform updates).
• To process subscription payments securely via Stripe.
• For internal analytics and product improvement using aggregated or de-identified data where possible.
• To enforce our Terms of Service and protect platform integrity.
• To comply with our legal obligations.

We will not use your personal information for direct marketing without your separate consent. We do not serve third-party advertising and do not sell your data.

We share personal information with the following trusted sub-processors. Each is bound by a Data Processing Agreement (DPA) or equivalent contractual obligations to process your data only as directed by us:

VirusTotal scans every uploaded file for malware. VirusTotal may retain submitted file samples indefinitely for threat-intelligence purposes under their own privacy policy. Do not upload documents containing proprietary or confidential information that you would not want a third-party security vendor to retain.

Anthropic processes document text (for OCR-based certificate scanning on upload) and in-app assistant conversations to provide AI features. Under Anthropic's API Commercial Terms, data submitted via the API is not used to train Anthropic models. Data is retained per Anthropic's then-current API data-retention policy, which as at the date of this Privacy Policy is generally 30 days for non-abuse data, with extended retention only for abuse investigation. Anthropic may update this policy from time to time; the most current terms apply. Anthropic uses its own infrastructure subprocessors (including AWS and Google Cloud) — see trust.anthropic.com for their current list.

A core function of the Platform is enabling Workers to share their profile and documents with Employers. When you create a Worker account, your basic profile is included in employer search results so Employers can find you for genuine roles.

You control employer access at the relationship level rather than via a global on/off switch:

• Search visibility — Worker profiles are surfaced in employer search while the account is active (you have signed in or confirmed availability within roughly the last 7 days). Inactive accounts are excluded from search.
• Document access — An Employer only gains access to your uploaded documents after a hiring or contact relationship has been established (for example, you accept their contact request, or are otherwise added to their workforce). Until that point, only your basic profile fields are visible in search.
• Revoking access — You can revoke an individual Employer’s access to your documents at any time by deleting the hire or contact relationship from your dashboard. Removal takes effect immediately.
• Deleting documents — When you delete a document from your dashboard, it is permanently removed from storage and from any Employer’s view immediately.

Employers who have added you to their workforce (with your acceptance) continue to view your documents only while you remain in their workforce roster. We do not currently offer a global "hide profile" toggle; visibility is managed by maintaining or removing the relevant relationships.

Depending on your location, you have the following rights regarding your personal data. We respond to all requests without undue delay, and in any event within one month of receiving your request (extendable by a further two months for complex or numerous requests, with notice to you, in line with GDPR Article 12(3)). We will action urgent erasure requests as quickly as reasonably practicable.

To exercise any of these rights, contact us at legal@certvaultapp.com. We may need to verify your identity before acting on your request.

We take appropriate technical and organisational measures to protect your personal data from misuse, interference, loss, and unauthorised access:

• Encrypted data transmission (HTTPS/TLS).
• Row-level security (RLS) so users can only access their own data.
• Automated security scanning of all uploaded documents.
• Authentication and access controls with admin-only access to sensitive features.
• Consent timestamps recorded and stored for audit purposes.
• Regular security reviews of our infrastructure.

Authentication and account security

Passwords are validated at signup and password-reset by our authentication provider (Supabase Auth) and must be at least 8 characters long. We recommend choosing a passphrase of at least 12 characters that you do not reuse on other sites.

Multi-factor authentication (MFA) is not currently available for end-user accounts. This is on our roadmap; in the interim, account security relies on a strong password and standard session-token protections. If you suspect your password has been exposed, reset it immediately via the "Forgot password" flow on the login page.

No method of transmission or storage is 100% secure. If you believe your account has been compromised, contact us immediately at support@certvaultapp.com.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we must:

• Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Art. 33 / UK GDPR).
• Notify affected individuals without undue delay where the breach is likely to result in high risk (GDPR Art. 34).
• Notify the OAIC and affected users under the Australian Notifiable Data Breaches scheme.
• Document all breaches in our internal breach register regardless of whether notification is required.

We retain your personal data for as long as your account is active or as needed to provide our services. Specific retention periods:

CertVault uses strictly necessary cookies only — specifically, a session cookie required to keep you signed in (managed by Supabase Auth). We do not use advertising, tracking, or analytics cookies.

Because we use only strictly necessary cookies, opt-in consent is not required under the EU ePrivacy Directive or UK PECR. However, we display a cookie notice on your first visit to explain this. You can view our full Cookie Policy for details.

The Platform is intended for users aged 18 and over. CertVault does not currently perform automated age verification at signup; eligibility is established by user self-attestation as part of the Terms of Service. If we become aware of an account belonging to a person under 18, we will close the account and delete associated personal information promptly.

We acknowledge that some industries we serve (notably trades and apprenticeships) include legitimate workers aged 16-17 who would have appropriate guardian consent. We are evaluating whether to lower the eligibility floor with appropriate guardian-consent flows in a future update; this Privacy Policy will be updated accordingly if so.

If you believe a child has provided us with personal information, please contact us at legal@certvaultapp.com.

If you are an Employer using CertVault to manage worker data, you are a data controller in your own right for the purposes of any personal data you access about workers through the Platform. CertVault acts as your data processor in this context.

We provide a Data Processing Agreement (DPA) for employers who require one for GDPR compliance. Contact legal@certvaultapp.com to request a signed copy.

We may update this Privacy Policy from time to time. We will notify registered users of material changes by email at least 30 days before they take effect. The current version is always available at certvaultapp.com/privacy, and the effective date at the top of this page will be updated accordingly. For material adverse changes that affect your rights, you may close your account before the effective date.

If you are a California resident, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) provides you with the following rights in addition to those described in Section 8:

• Right to know what categories and specific pieces of personal information we collect, use, disclose, and (where applicable) sell or share.
• Right to delete personal information we hold about you, subject to limited exceptions.
• Right to correct inaccurate personal information.
• Right to opt out of the "sale" or "sharing" of personal information for cross-context behavioural advertising.
• Right to limit the use and disclosure of sensitive personal information.
• Right to non-discrimination for exercising any of these rights.

CertVault does not sell personal information for monetary value, and does not share personal information with third parties for cross-context behavioural advertising. We have not done so in the preceding 12 months and have no plans to do so. The only third parties that receive your personal data are the sub-processors we engage to deliver the service, listed in our DPA Section 5.

To exercise any of these rights, contact privacy@certvaultapp.com or legal@certvaultapp.com — the same channels used for GDPR and Australian Privacy Act requests apply. We may need to verify your identity before acting on your request, and will respond within the 45-day period required by the CCPA (extendable by 45 days where reasonably necessary, with notice to you).

You may also designate an authorised agent to make a request on your behalf, in accordance with California Civil Code § 1798.135.

For privacy-related inquiries, data subject requests, or complaints:

CertVault (Australian sole trader)
ABN: 51 371 573 935
2 Tandang Sora Street
Labason, Zamboanga Del Norte
Philippines 7117
Email: legal@certvaultapp.com

Data Protection Officer

CertVault has conducted a Data Protection Officer (DPO) assessment under GDPR Article 37(1) and determined that the appointment of a DPO is not required at current operational scale. The assessment is documented internally, available for inspection by relevant supervisory authorities on request, and is re-evaluated:

• Annually, regardless of operational changes.
• Upon a material increase in active worker accounts. CertVault reviews active-worker counts during the annual assessment and ad-hoc whenever growth materially changes the platform's risk profile.
• Upon a material increase in the volume of stored special-category data under GDPR Article 9 (in CertVault's case, primarily medical fitness certificates and immunisation records).
• Upon addition of a new processing purpose that involves sensitive data, or any new sub-processor that processes sensitive data on CertVault's behalf.
• Upon any actual or suspected personal data breach involving sensitive data.

For DPO-related inquiries or to request a copy of the assessment, contact legal@certvaultapp.com.

Supervisory Authorities

EU residents — contact your national data protection authority. A list is available at edpb.europa.eu.

UK residents — Information Commissioner's Office (ICO): ico.org.uk · 0303 123 1113

Australian residents — Office of the Australian Information Commissioner (OAIC): oaic.gov.au · 1300 363 992