Privacy Policy
01. Introduction
At cert9, we treat your infrastructure metadata with the same operational rigor as our own. We are an infrastructure observability platform, not an ad network. Our business model is simple: you pay us to monitor your certificates, and we provide that service. We do not sell your data.
This Privacy Policy outlines what technical telemetry we collect from your clusters, how we process it, and the limited circumstances under which it is stored.
02. Data Collection
We collect two primary categories of data: Account Information (for billing and authentication) and Infrastructure Telemetry (for service delivery).
Account Data
- Name and Email address (authentication)
- Organization name
- Billing address & payment method
- User roles and access logs
Infrastructure Telemetry
- Certificate metadata (Subject, SANs, Expiry, etc.)
- Kubernetes resource names and definitions (Pods, Issuers, Certificates, Ingresses, etc.)
- Cluster identifiers (UIDs)
- Agent health metrics
- Connection and access logs
03. Agent Telemetry Example
Transparency is key. Below is an exact JSON representation of the payload the cert9 agent sends to our ingest API during a routine heartbeat.
```json
{
  "agent_id": "9a2f-4b1c-...",
  "timestamp": 1698154922,
  "cluster_meta": {
    "provider": "aws",
    "version": "1.27.4"
  },
  "inventory": [
    {
      "resource": "secret/tls-prod",
      "fingerprint": "sha256:e3b0c44...",
      "expiry": 1700000000,
      "sans": ["api.cert9.com"]
    }
  ]
}
```
04. Cookie Policy
We use minimal cookies necessary for the operation of the dashboard.
| Name | Purpose | Duration |
|---|---|---|
| cert9_session | Authentication token for your logged-in session. | Session |
| theme_pref | Stores your UI preference (though we default to dark). | 1 Year |
| __stripe_mid | Fraud prevention for payment processing. | 1 Year |
05. Data Retention
We retain infrastructure metadata for the duration of your active subscription to provide historical uptime analysis and renewal logs.
- Active Accounts: Data is retained indefinitely to support historical reporting.
- Cancelled Accounts: Data is soft-deleted after 30 days and hard-deleted from backups after 90 days.
- Logs: Raw API access logs are retained for 30 days for security auditing purposes.
06. Data Disclosure & Transfers
Business Transactions
If the Company is involved in a merger, acquisition or asset sale, Your Personal Data may be transferred. We will provide notice before Your Personal Data is transferred and becomes subject to a different Privacy Policy.
Law Enforcement
Under certain circumstances, the Company may be required to disclose Your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).
Other Legal Requirements
The Company may disclose Your Personal Data in the good faith belief that such action is necessary to comply with a legal obligation, protect and defend the rights or property of the Company, prevent or investigate possible wrongdoing in connection with the Service, protect the personal safety of Users of the Service or the public, or protect against legal liability.
Transfer of Your Personal Data
Your information, including Personal Data, is processed at the Company's operating offices and in any other places where the parties involved in the processing are located. This means that this information may be transferred to, and maintained on, computers located outside of Your state, province, country or other governmental jurisdiction, where the data protection laws may differ from those of Your jurisdiction. Your consent to this Privacy Policy followed by Your submission of such information represents Your agreement to that transfer.
07. Children's Privacy
Our Service does not address anyone under the age of 13. We do not knowingly collect personally identifiable information from anyone under the age of 13. If You are a parent or guardian and You are aware that Your child has provided Us with Personal Data, please contact Us. If We become aware that We have collected Personal Data from anyone under the age of 13 without verification of parental consent, We take steps to remove that information from Our servers.
08. Third-Party Links
Our Service may contain links to other websites that are not operated by Us. If You click on a third party link, You will be directed to that third party's site. We strongly advise You to review the Privacy Policy of every site You visit. We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.
09. Changes to this Privacy Policy
We may update Our Privacy Policy from time to time. We will notify You of any changes by posting the new Privacy Policy on this page. We will let You know via email and/or a prominent notice on Our Service prior to the change becoming effective, and update the "Last Updated" date at the top of this Privacy Policy.
You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.
10. Contact Us
If you have any questions about this Privacy Policy, You can contact us:
- By email: hello@cert9.com
Right to Erasure
You can request a full export of your organization's data at any time.