CertKit Privacy Policy
CertKit (the “Service”) operated by TrackJS, LLC (“TrackJS”, “we”, “us”) provides automated TLS certificate management services. We are committed to protecting the privacy of our customers and their data. This Privacy Policy describes how we collect, use, share, and retain information when you use the Service.
By creating an account or using the Service, you agree to the terms of this Privacy Policy and consent to the processing of your data in accordance with this Privacy Policy. Your data may be processed outside the country in which it was collected, where laws regarding processing of personal data may be less stringent than the laws in your country.
For clarity, terms like “Customer Data” and “Certificate Data” may also be defined in our Terms of Service.
Information We Collect
We collect and process the following categories of data:
Account Information
When you create or manage an account, we collect:
- Email address
- Username or display name
- Password (stored in one-way hashed form)
- Billing information (processed by our payment provider; we do not store full payment card numbers)
Certificate Data
To provide the Service, we collect and store information associated with certificate issuance and lifecycle management, including:
- Domain names and hostnames for which you request certificates
- TLS certificates issued on your behalf
- Private keys generated for your certificates
- Certificate Signing Requests (CSRs)
- Domain validation records and ACME challenge data
- Certificate metadata (issuance dates, expiration dates, renewal history)
- Service actions and outcomes related to issuance, renewal, deployment, and verification (audit and operational records)
Agent and Deployment Data
If you install and use the CertKit Agents, we collect and process data necessary to configure, operate, and troubleshoot certificate deployment within your environment, including:
- Agent identifiers and host/system identifiers (such as hostname, instance ID, or similar identifiers you provide or configure)
- Detected server software types (e.g., web server / proxy) and related configuration signals used to support deployment workflows
- Deployment configuration you provide (such as target paths, file formats, ownership/permissions settings, and restart/reload commands)
- Deployment and verification status (success/failure results, timestamps, and diagnostic logs)
- Operational logs and audit trails associated with Agent activity
We do not need (and do not request) your general application data. The Agent and deployment data we process is intended to be limited to what is necessary to manage certificates and support the Service.
Data We Collect Automatically
CertKit and our service providers collect certain technical information automatically when you visit our website or use the Service, including browser type, operating system, referring URL, IP address, pages viewed, and usage interactions. We gather this information using cookies and similar technologies.
Public Data Sources (Certificate Transparency)
Publicly-trusted TLS certificates are required to be submitted to Certificate Transparency (CT) logs. This means your domain names and certificate details will appear in public CT logs, which are searchable by anyone. This is a requirement of the certificate ecosystem and not something we can disable for publicly-trusted certificates.
To provide discovery and monitoring features, the Service may also ingest and process CT log data related to domains and hostnames you configure in the Service.
Private Key Storage
CertKit generates and stores private keys on your behalf. This is a core function of our automated certificate management service. We implement security measures designed to protect key material, including:
- Access to key storage is limited to essential service operations
- Access to key material is logged and monitored
- Keys are stored in our infrastructure (currently hosted in Canada)
Upon account termination, your private keys and certificate data will be deleted in accordance with our data retention practices described below.
If you require exclusive control of your private keys, we have custom options available. Contact us to learn more.
How We Use Your Information
We use the information we collect to:
- Create, authenticate, and secure your account
- Provide certificate issuance, renewal, deployment, verification, and monitoring features
- Operate the Agents and support the deployment workflows you configure
- Provide support and troubleshooting, and respond to your requests
- Send service communications (e.g., certificate expiration warnings, renewal confirmations, operational alerts, and security notices)
- Improve and maintain the Service (including performance, reliability, and security)
- Detect, prevent, and respond to abuse, fraud, and security incidents
- Comply with legal obligations and enforce our agreements
Information We Share
We do not sell your personal data.
We share data only as necessary to operate the Service, comply with law, or as described below.
Certificate Authorities
To issue certificates, we submit your domain names and related validation information to the applicable Certificate Authority (for example, Let’s Encrypt). The Certificate Authority’s policies and privacy practices govern their handling of this data. You can review Let’s Encrypt’s privacy policy at https://letsencrypt.org/privacy/.
Service Providers (Subprocessors)
We use third-party service providers (sometimes called “subprocessors”) to help operate the Service, such as:
- Cloud infrastructure providers (hosting and storage)
- Payment processors (billing information only)
- Email service providers (transactional notifications and service communications)
- Logging/monitoring providers (operational and security telemetry)
These providers are contractually obligated to protect Customer Data and use it only to provide services to us.
Legal Requirements
We may disclose information if required by law, court order, subpoena, or governmental authority, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
Business Transfers
If TrackJS is involved in a merger, acquisition, bankruptcy, dissolution, reorganization, or sale of all or a portion of its assets, information may be transferred as part of that transaction, subject to standard confidentiality protections.
Cookies and Tracking Technologies
CertKit uses cookies and similar technologies on our website.
Essential Cookies
These cookies are necessary for the website and Service to function properly, including maintaining your login session and security features.
Analytics and Advertising Cookies
We use third-party cookies and similar technologies to measure campaign effectiveness and serve relevant ads, including:
- Google Ads
- Reddit Ads
These third parties may collect information about your browsing activity across different websites over time. This information may be used to provide you with interest-based advertising.
To opt out of interest-based advertising, you can:
- Visit the Digital Advertising Alliance’s opt-out page at https://optout.aboutads.info/
- Adjust your browser settings to refuse cookies
- Use your browser’s “Do Not Track” settings (note: some services may not respond to these signals consistently)
Data Security
CertKit uses security measures designed to protect Customer Data, including:
- Encryption of data in transit (TLS) and at rest
- Access controls and authentication requirements
- Regular security monitoring and logging
- Secure infrastructure currently hosted in Canada
All payment information is transmitted via TLS and processed by our payment gateway provider. We do not store full credit card numbers on our servers.
While we implement safeguards designed to protect Customer Data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
Data Retention
We retain data as follows:
- Account information: retained while your account is active and for a reasonable period thereafter as necessary to comply with legal obligations and enforce our agreements
- Certificate data and private keys: retained while your account is active; deleted within 30 days of account closure (unless retention is required by law)
- Logs and audit records: retained for up to 90 days for operational and security purposes (some security-relevant records may be retained longer where reasonably necessary for fraud prevention, abuse detection, or legal compliance)
Upon account termination or deletion request, we will delete personal data within 30 days, except where retention is required by law or for legitimate business purposes (such as resolving disputes or enforcing our agreements).
Your Rights
Depending on your jurisdiction, you may have rights regarding personal data, including:
- Access: request a copy of personal data we hold about you
- Correction: request correction of inaccurate personal data
- Deletion: request deletion of personal data
- Export: request a copy of your data in a portable format
To exercise these rights, contact us at hello@certkit.io. We will respond within a reasonable time and generally within 30 days.
International Data Transfers
CertKit’s primary infrastructure is currently located in Canada. If you access the Service from outside Canada, your data may be transferred to and processed in Canada and other locations where we or our service providers operate.
Canada has been recognized by the European Commission as providing an adequate level of data protection for certain transfers under EU law. Where required, we use appropriate safeguards for international transfers.
Children’s Privacy
CertKit is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.
Changes to This Policy
We may update this Privacy Policy at any time by posting an updated version on our website. The date at the top of this policy reflects the most recent version. Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.
We encourage you to review this Privacy Policy periodically.
Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
Email: hello@certkit.io
Mail: TrackJS, LLC, 2112 Broadway St NE, STE 225 PMB 25, Minneapolis, MN 55413-3081, USA