Privacy Policy

What we collect, why, and what we do not do with it.

Last updated: 15 July 2026

This policy explains how CertPost, operated by Kryptoplus Labs, handles personal data. We keep it short because we collect little. We do not sell your data, and we do not use it for advertising.

Who is responsible

The data controller for CertPost is Kryptoplus Labs Ltd, 3rd Floor, 86–90 Paul Street, London, England, EC2A 4NE, United Kingdom. For any privacy question, contact privacy@certpost.ai.

What we collect

  • Account data. Your email address, your name if you provide one, and a securely hashed password. Authentication is handled by our infrastructure provider; we never store your password in plain text.
  • Monitoring data you enter. The hostnames, domains, and ports you ask us to monitor, your alert thresholds, and the alert destinations you configure (email addresses or webhook URLs).
  • Observed certificate data.For each host you monitor we record technical facts about the certificate it serves, such as issuer, validity dates, fingerprint, subject alternative names, chain status, and the domain’s registration expiry and registrar. This is public information about your own systems, stored so we can detect changes and alert you.
  • Billing data. If you subscribe to a paid plan, our payment processor (Stripe) handles your card details. We do not see or store full card numbers. We keep a record of your subscription status and invoices.
  • Operational logs. Standard server logs and error reports needed to run and secure the service.

Why we use it

  • to provide the monitoring you asked for and send alerts;
  • to authenticate you and secure your account;
  • to take payment and manage subscriptions;
  • to send service messages, such as certificate alerts, the optional weekly digest, and important account or security notices;
  • to maintain, debug, and protect the service.

Our legal bases, where the GDPR applies, are performance of our contract with you (running the service and billing), our legitimate interests (security and service improvement), and consent where we ask for it.

Who we share it with

We share data only with the providers we need to run CertPost, and only for that purpose:

  • Supabase — database, authentication, and storage.
  • Vercel — application hosting.
  • Stripe — payment processing.
  • Our email provider — delivery of alerts and account email.

When you configure a webhook alert channel, the alert content you asked us to send is delivered to that destination, which you control. We also make outbound requests to public Certificate Transparency logs and RDAP registries to check your domains; these carry the hostname being checked, not your personal data. We do not sell personal data or share it with advertisers.

How long we keep it

We keep account and monitoring data for as long as your account is active. When you delete a monitor, its observed data is removed. When you delete your account, we delete your personal data within a reasonable period, except where we must retain limited records (for example, invoices) to meet legal or accounting obligations.

Your rights

Depending on where you live, you may have the right to access, correct, export, or delete your personal data, and to object to or restrict certain processing. You can edit your profile and delete your account from your settings, or contact privacy@certpost.ai and we will help. You also have the right to complain to your local data protection authority.

Security and international transfers

Access to your data is enforced at the database level so that one account cannot read another’s. Data is encrypted in transit. Our providers may process data in countries outside your own; where required, transfers are covered by appropriate safeguards such as standard contractual clauses.

Changes to this policy

If we make a material change we will notify you by email or an in-app notice. The “last updated” date above always reflects the current version.