Certaby

Privacy policy

Last updated: 2026-05-01

1. Who is the controller

Certaby is the data controller for personal data collected through certaby.com. Reach our data-protection contact at dpo@certaby.com.

2. What we collect

From you (the customer): your account email, your check history, the inputs you submit (FRNs, postcodes, names), and Stripe billing metadata. That's all. We don't track you across the web.

From upstream registers: whatever the official register returns for the entity you queried. We pass it through; we don't enrich it with anything they didn't publish.

3. Why we hold it

To deliver and audit your checks (the PDF certificate's hash-verifiability requires us to retain inputs and outputs), to bill you correctly, to respond if you raise a support issue, and to comply with our own UK MLR / accounting obligations.

4. How long

Check inputs + outputs: 7 years (matches the standard UK record-keeping period for AML/KYC). Account email + Stripe metadata: for as long as your account is active, plus 6 years thereafter. Marketing emails: not relevant, since we don't run a marketing list.

5. Your rights

You can request access, correction, deletion, or export of your personal data at any time. Email dpo@certaby.com. We respond within one calendar month.

6. Sub-processors

We use Stripe (billing), Cloudflare (hosting + email routing), AWS in eu-west-2 (compute + storage), Clerk (authentication), and Resend (transactional email). Each has its own UK GDPR-compliant DPA in place with us.