CertNudge Privacy Policy
Last updated: 14 July 2025
Key Points
Data Controller: IncaStack Ltd (CertNudge)
Data Location: UK/EEA servers
Purpose: Certificate tracking, reminders, and service provision
Analytics: With your consent for marketing; essential analytics always
Cookies: Used for functionality and analytics
Your Rights: Access, correct, delete, port, and object to data processing
Contact: support@certnudge.co.uk
Regulator: Information Commissioner's Office (ICO)
1. Purpose & Scope
This Privacy Policy explains how IncaStack Ltd (trading as "CertNudge") collects, uses, stores, and protects your personal data when you use our certificate tracking platform and related services.
This Policy applies to all users of CertNudge services, whether accessed via our website, mobile applications, or API integrations.
We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) as incorporated by the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).
2. Data Controller Information
Data Controller: IncaStack Ltd
Trading Name: CertNudge
Registered Office: 9 Devonshire Drive, Duffield, DE56 4DD
Company Registration: England & Wales
Email: support@certnudge.co.uk
ICO Registration: [Registration number to be provided]
As the data controller, we determine the purposes and means of processing your personal data.
3. Types of Personal Data
We collect and process the following categories of personal data:
Account Data
- Name and email address
- Username and encrypted password
- Account preferences and settings
- Profile information (if provided)
Certificate Data
- Certificate names and descriptions
- Issue and expiry dates
- Certificate categories and types
- Uploaded certificate documents and images
- Notes and comments related to certificates
Payment Information
- Billing name and address
- Payment method details (processed by third-party payment processors)
- Transaction history and invoices
- VAT/tax information where applicable
Usage Data
- Login times and frequency
- Features used and interactions
- Device and browser information
- IP address and general location data
- Error logs and performance data
4. Lawful Bases for Processing
We process your personal data under the following lawful bases (Article 6, UK GDPR):
Purpose | Lawful Basis | Data Types |
---|---|---|
Service provision and account management | Performance of contract | Account, certificate, usage data |
Payment processing | Performance of contract | Payment information |
Customer support | Performance of contract | Communication, account data |
Service improvement | Legitimate interests | Usage, technical data |
Marketing communications | Consent | Contact details, preferences |
Legal compliance | Legal obligation | All data as required |
Security and fraud prevention | Legitimate interests | Technical, usage data |
Legitimate Interests Assessment
Where we rely on legitimate interests, we have balanced our interests against your privacy rights. Our legitimate interests include providing secure and reliable services, improving user experience, preventing fraud and abuse, and operating our business efficiently.
5. Special Category Data
We do not intentionally collect special category personal data (sensitive data such as health, biometric, or political information). However, you may choose to upload certificates that contain such information.
If you upload documents containing special category data, you provide explicit consent for us to process this data solely for the purpose of providing our certificate tracking services.
You can withdraw this consent at any time by deleting the relevant documents from your account.
Important Note
Please be mindful when uploading certificate documents that may contain sensitive information. Only upload documents necessary for certificate tracking purposes.
7. Analytics & Marketing
7.1 Analytics
We use analytics tools to understand how our services are used and to improve user experience. This includes:
- Google Analytics (with IP anonymisation)
- Internal analytics systems
- Performance monitoring tools
7.2 Marketing Communications
With your consent, we may send you:
- Product updates and feature announcements
- Tips and best practices for certificate management
- Promotional offers and discounts
- Newsletters and industry insights
7.3 Opt-out Rights
You can opt out of marketing communications at any time by:
- Using the unsubscribe link in emails
- Updating your preferences in your account settings
- Contacting us directly
8. Automated Decision-Making
We do not make decisions based solely on automated processing that would significantly affect you. Any automated systems we use (such as reminder algorithms) are designed to assist and enhance our services, with human oversight available.
Our Automated Systems
Our platform uses automated systems for certificate reminders and notifications, but these are designed to help you manage your certificates better, not to make decisions about you as a person.
10. Data Retention
We retain personal data only as long as necessary for the purposes set out in this Policy:
Data Type | Retention Period | Reason |
---|---|---|
Account data | Until account deletion + 30 days | Service provision, backup recovery |
Certificate data | Until deletion by user or account closure | Core service functionality |
Payment records | 7 years from transaction | Legal and accounting requirements |
Support communications | 3 years | Service improvement, dispute resolution |
Usage analytics | 2 years (anonymised after 6 months) | Service improvement |
Marketing data | Until consent withdrawn + 30 days | Marketing communications |
Deletion Process
When retention periods expire, we securely delete or anonymise personal data using industry-standard methods.
11. Security Measures
We implement comprehensive technical and organisational measures to protect your personal data:
11.1 Technical Safeguards
- Encryption: Data encrypted in transit (TLS) and at rest (AES-256)
- Security Testing: Regular security assessments and penetration testing
- Access Controls: Multi-factor authentication and role-based access
- Backup & Recovery: Automated backup and disaster recovery systems
11.2 Organisational Safeguards
- Staff training on data protection principles
- Data protection impact assessments
- Incident response procedures
- Regular policy reviews and updates
- Limited access on a need-to-know basis
11.3 Breach Notification
Data Breach Response
In the event of a data breach, we will notify the ICO and affected individuals as required by law, within 72 hours where feasible.
12. Your Rights
Under UK GDPR, you have the following rights regarding your personal data:
Right of Access (Article 15)
Request a copy of the personal data we hold about you.
Right to Rectification (Article 16)
Request correction of inaccurate or incomplete personal data.
Right to Erasure (Article 17)
Request deletion of your personal data in certain circumstances.
Right to Restrict Processing (Article 18)
Request limitation of how we process your personal data.
Right to Data Portability (Article 20)
Request your data in a portable format for transfer to another service.
Right to Object (Article 21)
Object to processing based on legitimate interests or for direct marketing.
How to Exercise Your Rights
To exercise your rights:
- Email us: support@certnudge.co.uk
- Use account settings: Many rights can be exercised directly in your account
- Write to us: At our registered office address
We will respond to your request within one month, or inform you if we need longer.
13. Children's Data
Age Restriction
Our services are not directed at individuals under 18 years of age. We do not knowingly collect personal data from children under 18.
If you believe we have inadvertently collected data from a child under 18, please contact us immediately and we will take steps to delete such information.
14. Complaints
If you have concerns about how we handle your personal data, please contact us first at support@certnudge.co.uk.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Website: www.ico.org.uk
Phone: 0303 123 1113
Address:
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
15. Changes to this Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements.
How We Notify You
We will notify you of material changes by:
- Email to your registered address
- Prominent notice on our website
- In-app notifications
The updated Policy will take effect 30 days after notification, unless you object or withdraw consent for changes requiring consent.
16. Contact Information
For any questions about this Privacy Policy or our data practices:
IncaStack Ltd (trading as CertNudge)
Data Protection Contact: support@certnudge.co.uk
Registered Office:
9 Devonshire Drive, Duffield, DE56 4DD
Phone: [To be provided]
Privacy Questions?
We're committed to transparency about how we handle your data. Contact us anytime with privacy-related questions or concerns.
Save for Your Records
Please save or print a copy of this Privacy Policy for your records. This Policy is also available at all times in your account settings.
Legal Disclaimer
This Privacy Policy is provided as a template and does not constitute legal advice. IncaStack Ltd recommends consulting with qualified legal professionals for specific legal guidance regarding data protection compliance.