CertKit Privacy Policy
CertKit (the “Service”), operated by TrackJS, LLC (“TrackJS”, “we”, “us”), provides automated TLS certificate management services. We are committed to protecting the privacy of our customers and their data. We have prepared this Privacy Policy to describe our practices in gathering, securing, and using your information.
By creating an account or using the Service, you agree to the terms of this Privacy Policy and consent to the processing of your data in accordance with this Privacy Policy. Your data may be processed outside the country in which it was collected, where laws regarding processing of personal data may be less stringent than the laws in your country.
Information We Collect
CertKit collects and processes the following categories of data:
Account Information
When you create an account, we collect:
- Email address
- Username or display name
- Password (stored in one-way hashed form)
- Billing information (processed by our payment provider)
Certificate Data
To provide the Service, we collect and store:
- Domain names for which you request certificates
- TLS certificates issued on your behalf
- Private keys generated for your certificates
- Certificate Signing Requests (CSRs)
- Domain validation records and ACME challenge data
- Certificate metadata (issuance dates, expiration dates, renewal history)
Data We Collect Automatically
CertKit and our service providers collect certain technical information automatically when you visit our website or use the Service, including your browser type, operating system, referring URL, IP address, and other internet data. We gather this information using cookies and similar technologies.
Private Key Storage
CertKit generates and stores private keys on your behalf. This is a core function of our automated certificate management service. We implement the following security measures to protect your private keys:
- Access to key storage is strictly limited to essential service operations
- All access to key material is logged and monitored
- Keys are stored in our secure Canadian infrastructure
Upon account termination, your private keys and certificate data will be deleted in accordance with our data retention practices described below.
If you require exclusive control of your private keys, we have custom options available. Contact us to learn more.
How We Use Your Information
We use the information we collect to:
- Create and secure your account
- Issue, renew, and manage TLS certificates on your behalf
- Provide technical support and respond to your requests
- Send service notifications (certificate expiration warnings, renewal confirmations)
- Improve our website and Service
- Comply with legal obligations
Information We Share
Certificate Authorities
To issue certificates, we submit your domain names to Let’s Encrypt, our certificate authority partner. Let’s Encrypt’s privacy policy governs their handling of this data. You can review their privacy policy at https://letsencrypt.org/privacy/.
Certificate Transparency Logs
All publicly-trusted TLS certificates are required to be submitted to Certificate Transparency (CT) logs. This means your domain names will appear in public CT logs, which are searchable by anyone. This is a requirement of the certificate ecosystem and not something we can disable for publicly-trusted certificates.
Service Providers
We share data with service providers who assist us in operating the Service, including:
- Cloud infrastructure providers (hosting and storage)
- Payment processors (billing information only)
- Email service providers (transactional notifications)
These providers are contractually obligated to protect your data and use it only for the services they provide to us.
Legal Requirements
We may disclose your information if required by law, court order, or governmental authority, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
We will never sell your personal data to third parties.
Cookies and Tracking Technologies
CertKit uses cookies and similar technologies on our website.
Essential Cookies
These cookies are necessary for the website and Service to function properly, including maintaining your login session and security features.
Analytics and Advertising Cookies
We use third-party cookies from:
- Google Ads — to measure the effectiveness of our advertising campaigns and serve relevant ads to you on other websites
- Reddit Ads — to measure advertising effectiveness and serve relevant ads on Reddit
These third parties may collect information about your browsing activity across different websites over time. This information may be used to provide you with interest-based advertising.
To opt out of interest-based advertising, you can:
- Visit the Digital Advertising Alliance’s opt-out page at https://optout.aboutads.info/
- Adjust your browser settings to refuse cookies
- Use your browser’s “Do Not Track” settings
Data Security
CertKit uses industry-standard security measures to protect your data, including:
- Encryption of data in transit (TLS) and at rest
- Access controls and authentication requirements
- Regular security monitoring and logging
- Secure infrastructure hosted in Canada
All payment information is transmitted via TLS and processed by our payment gateway provider. We do not store credit card numbers on our servers.
While we implement robust security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your data.
Data Retention
We retain your data as follows:
- Account information: Retained while your account is active and for a reasonable period thereafter to comply with legal obligations
- Certificate data and private keys: Retained while your account is active; deleted within 30 days of account closure
- Logs: Retained for up to 90 days for operational and security purposes
Upon account termination or deletion request, we will delete your personal data within 30 days, except where retention is required by law or for legitimate business purposes (such as resolving disputes or enforcing our agreements).
Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate personal data
- Deletion: Request deletion of your personal data
- Export: Request a copy of your data in a portable format
To exercise these rights, contact us at hello@certkit.io. We will respond to your request within 30 days.
International Data Transfers
CertKit’s infrastructure is located in Canada. If you access the Service from outside Canada, your data will be transferred to and processed in Canada. Canada has been recognized by the European Commission as providing an adequate level of data protection.
Children’s Privacy
CertKit is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website with a new “last modified” date. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.
We encourage you to review this Privacy Policy periodically.
Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
Email: hello@certkit.io
Mail: TrackJS, LLC, 2112 Broadway St NE, STE 225 PMB 25, Minneapolis, MN 55413-3081, USA