Privacy Policy

VerifyCertificate.online ("we", "our", "us", or "the Platform") is a digital certificate verification service that enables registered educational institutes, training providers, and certification bodies ("Institutes") to publish and manage certificates, and allows any person ("Verifier") to verify the authenticity of such certificates by entering a unique certificate number.

We operate as both a Data Controller (for platform usage data and account data) and a Data Processor (for certificate data uploaded by registered Institutes).

Our registered correspondence address and data controller contact details are provided in Section 20 of this Policy.

This Privacy Policy applies to:

• All visitors to verifycertificate.online and its subdomains.
• All registered Institute accounts and their authorized users.
• All persons who submit certificate verification queries.
• All persons whose certificate data has been uploaded to our platform by a registered Institute.

This Policy does not apply to third-party websites linked from our platform. We encourage you to review the privacy policies of any third-party sites you visit.

3.1 Information Provided by Institutes

When an Institute registers and uses our platform, we collect:

• Institute name, address, registration number, and contact details.
• Authorized representative name, email address, and phone number.
• Login credentials (email and hashed password).
• Certificate data including: student/recipient name, course or program name, certificate number, date of issue, date of expiry (if applicable), grade or marks, and any custom fields configured by the Institute.
• Digital assets such as institute logo and certificate template images.
• Billing and payment information (processed via secure third-party payment gateways — we do not store card details).

3.2 Information Collected from Verifiers

When a person performs a certificate verification, we collect:

• The certificate number or unique ID entered for verification.
• IP address and approximate geolocation (country/city level).
• Browser type, operating system, and device type.
• Date and time of the verification request.
• Referring URL (if accessed via a link or QR code).

3.3 Automatically Collected Technical Data

We automatically collect certain technical information when you access our platform:

3.4 Information We Do Not Collect

We do not collect or process:

• Payment card numbers or banking credentials directly.
• Biometric data of any kind.
• Sensitive personal data such as religion, political views, or health information.
• Social media profile data unless explicitly provided.

We use the information collected for the following purposes:

4.1 Core Service Delivery

• To enable Institutes to upload, manage, and publish certificates.
• To allow Verifiers to search and verify certificate authenticity in real time.
• To generate and display verified certificate results securely.
• To provide QR-code based certificate verification functionality.

4.2 Account and Institute Management

• To create and manage Institute accounts and user access.
• To communicate account-related notifications, billing, and service updates.
• To process subscription payments and issue invoices.

4.3 Security and Fraud Prevention

• To detect, investigate, and prevent unauthorized access, abuse, or fraudulent certificate claims.
• To enforce our Terms of Service and applicable legal obligations.
• To maintain system integrity and prevent data breaches.

4.4 Analytics and Platform Improvement

• To analyse verification traffic patterns and platform usage (in aggregated, anonymized form).
• To improve platform performance, reliability, and user experience.

4.5 Legal and Compliance

• To comply with applicable laws, regulations, court orders, or government requests.
• To maintain audit trails as required by law or Institute agreements.

For users in the European Economic Area (EEA) and United Kingdom, we process personal data under the following legal bases as defined in the General Data Protection Regulation (GDPR) and UK GDPR:

Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.

We do not sell, rent, or trade personal data. We may share data only in the following limited circumstances:

6.1 With Registered Institutes

Institutes can view the verification logs for certificates they have uploaded, including the date, time, and approximate location of verification attempts. This helps Institutes monitor certificate usage and detect misuse.

6.2 With Service Providers (Data Processors)

We engage trusted third-party processors to assist in operating our platform. All processors are bound by Data Processing Agreements (DPAs) and are prohibited from using your data for any purpose other than providing services to us. These include:

• Cloud hosting and infrastructure providers.
• Email delivery service providers (for transactional emails only).
• Payment gateway providers (for Institute subscription billing).
• Analytics providers (using anonymized, aggregated data only).

6.3 Legal Obligations and Law Enforcement

We may disclose personal data if required to do so by law, court order, or government authority under applicable national or international law, including GDPR Article 6(1)(c) or equivalent legislation.

6.4 Business Transfers

In the event of a merger, acquisition, or sale of all or substantially all of our assets, personal data may be transferred to the successor entity, subject to equivalent privacy protections. We will notify affected users before any such transfer.

6.5 With Your Consent

We may share your data in any other manner with your explicit prior consent.

We retain personal data only for as long as necessary for the purposes described in this Policy or as required by law:

After the applicable retention period, data is securely deleted or anonymized in accordance with our data destruction policy.

We implement comprehensive technical and organizational security measures to protect your data against unauthorized access, alteration, disclosure, or destruction:

Technical Measures

• Encryption in Transit: All data transmitted between your browser and our servers is protected using TLS 1.2/1.3 (256-bit SSL encryption).
• Encryption at Rest: Sensitive database fields are encrypted at rest using AES-256 encryption.
• Password Security: All Institute passwords are hashed using bcrypt with a minimum cost factor of 12. We never store plain-text passwords.
• CSRF Protection: All forms on our platform include CSRF tokens to prevent cross-site request forgery attacks.
• Rate Limiting: Certificate verification endpoints are rate-limited to prevent automated scraping and abuse.
• Access Controls: Role-based access control (RBAC) is enforced for all Institute account actions.
• Regular Security Audits: We conduct periodic vulnerability assessments and penetration testing.
• Firewall and DDoS Protection: Our infrastructure is protected by web application firewalls and DDoS mitigation systems.

Organizational Measures

• Access to personal data is restricted to authorized personnel on a need-to-know basis.
• All staff with access to personal data are bound by confidentiality obligations.
• We maintain an incident response plan for data breach scenarios.
• In the event of a data breach affecting your rights, we will notify affected parties within 72 hours as required by applicable law (including GDPR Article 33 and equivalent legislation).

We use a minimal and privacy-respecting approach to cookies:

We do not use:

• Advertising or retargeting cookies.
• Third-party tracking or analytics cookies that identify individuals.
• Social media tracking pixels.
• Google Analytics or similar user-identifying analytics tools.

Essential cookies cannot be disabled as they are strictly necessary for the platform to function. You may disable functional cookies through your browser settings, but this may affect your experience.

Depending on your location and applicable law, you may have the following rights regarding your personal data:

Rights Under GDPR (EEA / UK Users)

• Right of Access (Art. 15): Request a copy of the personal data we hold about you.
• Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
• Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
• Right to Restriction (Art. 18): Request that we restrict processing of your data in certain circumstances.
• Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
• Right to Object (Art. 21): Object to processing based on legitimate interests.
• Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time.
• Right to Lodge a Complaint: File a complaint with your national data protection authority (e.g., ICO in the UK, CNIL in France).

Rights Under Other Applicable Laws

Regardless of your location, you have the right to:

• Request Information: Know what personal data is being processed and the basis for processing.
• Request Correction or Erasure: Request correction, completion, update, or erasure of personal data we hold about you.
• Lodge a Complaint: Contact your local data protection authority or consumer protection body if you believe your rights have been violated.
• Grievance Redressal: Submit a complaint to our Grievance Officer as described in Section 17.

How to Exercise Your Rights

Submit a request to privacy@verifycertificate.online with your name, contact details, and a description of your request. We will respond within 30 days (or 72 hours for urgent security matters). We may require identity verification before processing your request.

VerifyCertificate.online does not knowingly collect personal data directly from children under the age of 13 (or under 18 where required by local law).

Certificate data for minors (e.g., school students) may be uploaded by registered Institutes acting as the data controller for such information. In such cases, it is the sole responsibility of the Institute to ensure they have obtained appropriate parental or guardian consent as required by applicable law before submitting such data to our platform.

If we become aware that we have inadvertently collected personal data from a child without appropriate consent, we will take immediate steps to delete such data. If you believe a child's data has been submitted without consent, please contact us immediately at privacy@verifycertificate.online.

Our primary servers are located in a secure data centre. If you are accessing our platform from the European Economic Area (EEA), United Kingdom, or other regions with data protection laws, please be aware that your data may be transferred to and processed in the country where our servers are hosted.

For international transfers of personal data, we implement appropriate safeguards including:

• Standard Contractual Clauses (SCCs) approved by the European Commission where applicable.
• Data Processing Agreements with all third-party processors.
• Compliance with the adequacy assessment framework under GDPR Article 45 where applicable.

By using our platform, you consent to the transfer, storage, and processing of your data in the countries where our infrastructure and service providers operate, subject to the protections described in this Policy.

Registered Institutes using our platform act as independent Data Controllers for the certificate and student data they upload. By registering on VerifyCertificate.online, Institutes agree to:

• Upload only accurate, lawfully obtained, and authorized certificate data.
• Ensure they have obtained all necessary consents from students/recipients before submitting their personal data to our platform.
• Not upload sensitive personal data (health, religion, caste, biometrics) unless explicitly necessary and legally authorized.
• Promptly notify us of any corrections, deletions, or disputes relating to certificate data.
• Comply with all applicable data protection laws in their jurisdiction.
• Not use the platform for fraudulent, misleading, or unauthorized certificate issuance.
• Maintain confidentiality of their account credentials and notify us immediately of any unauthorized access.

VerifyCertificate.online is not liable for data uploaded by Institutes in violation of applicable law or our Terms of Service. However, we reserve the right to remove any data that we reasonably believe to be unlawful, inaccurate, or in violation of our policies.

If your personal data appears on a certificate published on our platform and you wish to:

• Correct inaccurate information — Contact the issuing Institute directly, or email us with supporting documentation.
• Request removal of your data — Submit a removal request to privacy@verifycertificate.online. Note that removal may affect the verifiability of your certificate. We will coordinate with the issuing Institute.
• Report a fraudulent certificate — Email us at abuse@verifycertificate.online with details and evidence. We treat all fraud reports with urgency.
• Request a copy of your data — Submit a data access request as described in Section 10.

VerifyCertificate.online does not use automated decision-making or profiling that produces legal or similarly significant effects on individuals as defined under GDPR Article 22.

The certificate verification result (Valid / Invalid / Expired / Not Found) is a direct database lookup — not an AI-driven decision — and is based solely on the data entered by the issuing Institute. No inference, scoring, or profiling of any individual is performed during the verification process.

If you believe a verification result is incorrect, you may contact the issuing Institute or submit a dispute to us at support@verifycertificate.online.

Our platform may contain links to third-party websites, Institute portals, or external resources. These links are provided for convenience only. We have no control over and accept no responsibility for the content, privacy practices, or data handling of any third-party site.

We use the following limited third-party services that may process certain data:

• Bootstrap CDN (jsDelivr): Loads UI stylesheet and scripts. No personal data is transmitted.
• Google Fonts: Loads typography. Google may log your IP address as part of font delivery. We are transitioning to self-hosted fonts to eliminate this.
• Payment Gateways: Used for Institute subscription billing. Governed by the gateway's own privacy policy. We do not receive or store card data.

We do not embed social media buttons, tracking pixels, or third-party advertising scripts on our platform.

We have appointed a Grievance Officer to handle privacy complaints and data-related concerns from users worldwide. If you have an unresolved privacy concern that has not been addressed satisfactorily, please contact our Grievance Officer:

Any user may submit a grievance regarding the processing of their personal data. We will acknowledge receipt within 48 hours and resolve the complaint within 30 days. Users who remain unsatisfied after our grievance process may escalate to their national data protection authority or relevant regulatory body.

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of collection, and the purposes for which it is used.
• Right to Delete: Request deletion of personal information we have collected, subject to certain exceptions.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt-Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioral advertising. No opt-out is required.
• Right to Limit Use of Sensitive Personal Information: We do not collect sensitive personal information as defined under CPRA.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise any of these rights, submit a verifiable consumer request to privacy@verifycertificate.online. We will respond within 45 days. You may designate an authorized agent to submit requests on your behalf.

Categories of Personal Information Collected (past 12 months): Identifiers (IP address), Internet or network activity (access logs), Certificate data submitted by Institutes (name, course, certificate number). We have not sold any personal information in the past 12 months.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last Updated" date at the top of this page.
• Display a notice on our platform homepage for at least 14 days.
• Notify registered Institute accounts by email of any significant changes that affect their data or rights.

Your continued use of VerifyCertificate.online after the effective date of any updated Policy constitutes your acceptance of the revised Policy. If you do not agree with the updated Policy, you should discontinue use of our platform and may request deletion of your data as described in Section 10.

We encourage you to review this Policy periodically. All previous versions of this Policy are archived and available upon request.

For any privacy-related questions, requests, or concerns, please contact us through any of the following channels. We aim to respond to all enquiries within 2 business days.