Legal

Privacy Policy

Last updated: June 2, 2026

Certivu ("we", "our", "us") operates certivu.ai and related services. This Privacy Policy explains what information we collect, how we use it, and your rights regarding that information.

1. Information We Collect

Account information

When you register, we collect your email address, organization name, and a hashed password. We never store plaintext passwords.

Content hashes — not content

Certivu does not store the images, documents, or other files you sign or verify. We store only the SHA-3 cryptographic hash of the content, which cannot be reversed to reconstruct the original file.

Usage and billing data

We record signing events (timestamp, generator ID, content hash) for quota enforcement, audit logs, and billing. Verification events are logged in aggregate for rate limiting.

Technical data

Standard server logs include IP addresses, request paths, and timestamps. These are retained for 30 days for security and debugging purposes.

2. How We Use Your Information

  • Providing and operating the Certivu service
  • Authenticating your account and API keys
  • Enforcing plan quotas and processing billing via Stripe
  • Sending transactional emails (verification, password reset, quota alerts) via Resend
  • Detecting abuse and securing the platform
  • Complying with legal obligations

We do not sell your personal data to third parties.

3. Data Sharing

We share data only with:

  • Stripe — payment processing. Subject to Stripe's privacy policy.
  • Resend — transactional email delivery.
  • MongoDB Atlas — cloud database hosting. Data is encrypted at rest.
  • Fly.io — infrastructure hosting. Located in the United States.

We may disclose information when required by law, court order, or to protect the rights and safety of Certivu or its users.

4. Public Verification Data

Provenance records retrieved via GET /v1/records/:id or POST /v1/verify include the organization name, model name, and signing timestamp. This information is intentionally public — it is the trust signal Certivu provides. Do not register content under a generator if you do not want its provenance attributed to your organization.

5. Data Retention

  • Account data: retained while your account is active, deleted within 30 days of account deletion
  • Provenance records: retained indefinitely (they are the trust ledger)
  • Audit logs: retained for 2 years
  • Server logs: retained for 30 days

6. Security

We use industry-standard security measures including TLS in transit, encryption at rest, argon2id password hashing, and ML-DSA post-quantum signatures. See our Security Policy for details.

7. Your Rights

Depending on your jurisdiction, you may have rights to access, correct, delete, or export your personal data. To exercise these rights, contact us at support@certivu.ai.

8. Cookies

The dashboard uses a session cookie to maintain your login. We do not use third-party tracking cookies or analytics cookies.

9. Children

Certivu is not directed at children under 16. We do not knowingly collect data from children.

10. Changes to This Policy

We may update this policy. If we make material changes, we will notify you by email or by a notice in the dashboard. Continued use after notice constitutes acceptance.

11. Contact

Questions about this policy: support@certivu.ai