Privacy Notice
1. Who we are
Certisyn, Inc. ("Certisyn", "we", "our") is a Delaware corporation that operates a verification infrastructure platform for institutional reliance. This Privacy Notice describes how we process personal data when you use certisyn.com, app.certisyn.com, our APIs and our partner channels.
Privacy Officer: privacy@certisyn.com
Data Protection Officer (voluntary GDPR Art 37(4) designation): dpo@certisyn.com
Postal: Certisyn, Inc., Delaware, United States.
2. Personal data we process
When you visit certisyn.com we process minimal browsing data (IP address, device and browser metadata, referral source) on the basis of legitimate interests for site analytics. When you subscribe to updates we process your name, organisation, role and email on the basis of your consent. When you apply to our Partner Program we process your application information on the basis of contract performance. When your organisation engages Certisyn to perform a verification, we process the engagement-scope personal data as a processor on your organisation's instructions under a Data Processing Agreement.
3. Why we process it (lawful bases)
Lawful bases under Article 6 of the GDPR:
- Contract — performance of services to your organisation;
- Consent — newsletter, partner-update communications, optional cookies;
- Legitimate interest — site analytics in aggregate, partner-application evaluation, recruitment, press distribution, security monitoring;
- Legal obligation — record retention, tax, anti-money-laundering screening of counterparties.
4. How we share it
We share personal data with the sub-processors listed at certisyn.com/sub-processors (Supabase, Vercel, Cloudflare, GitHub, Anthropic, OpenAI, Stripe, Resend, Datadog, Doppler), each under a Data Processing Agreement. We share with regulators and law-enforcement authorities only where required by law and only to the extent required.
5. International transfers
Where personal data is transferred outside the European Economic Area, the United Kingdom, Switzerland or any jurisdiction with an adequacy decision, we rely on the European Commission's Standard Contractual Clauses 2021 (Module 2 or Module 3 as applicable) and, for UK data subjects, the UK International Data Transfer Agreement. Supplementary measures include encryption in transit and at rest, key custody outside the recipient jurisdiction where feasible, and statutory-warrant-canary publication.
6. How long we keep it
Site analytics: 13 months. Newsletter: until withdrawal of consent plus a 30-day reconciliation window. Partner application: 7 years from engagement conclusion. Recruitment: 12 months from application. Engagement-scope verification data: per controller instruction; default 7 years for institutional reliance evidence.
7. Your rights
Under the GDPR and equivalent laws you have the right to access, rectify, erase, restrict, port and object to processing of your personal data. To exercise any of these rights, send a request to privacy@certisyn.com or use the self-service portal at app.certisyn.com/privacy/request. We respond within 30 days. You may also lodge a complaint with your supervisory authority.
8. Cookies
We use a small set of strictly necessary cookies for session management and security. Additional analytics cookies are loaded only with your consent. Manage your preferences at any time via the cookie preference link in the site footer. See certisyn.com/cookies for the full list.
9. Changes
We may update this Notice. Material changes are notified to subscribed contacts and the effective date is updated. The current version is always available at certisyn.com/privacy.