Privacy Policy
Last updated: March 27, 2026
1. Who we are
Certentia ("we", "us", "our") provides an AI-assisted gap analysis platform for ISO 27001:2022 auditors. This policy explains how we collect, use, store, and protect your information when you use our service at certentia.io.
2. Information we collect
Account information
When you create an account we collect your email address and authentication credentials. We use Supabase Auth for authentication and do not store passwords directly.
Audit documents
You upload PDF and DOCX files for analysis. These documents are stored in encrypted cloud storage (Supabase Storage) and are only accessible to your account. We do not access, read, or review your documents except as necessary to provide the analysis service.
Analysis data
When you run an analysis, document text is sent to an AI model (currently Google Gemini) for processing. The AI evaluates your documents against ISO 27001:2022 controls and returns structured findings. We store these findings in your account.
Usage data
We collect basic usage analytics including page views, feature usage, and error logs to improve the service. We do not use third-party tracking scripts or sell usage data.
3. How we use your information
- To provide and maintain the gap analysis service
- To authenticate your account and enforce access controls
- To process your documents through AI analysis
- To store and display your audit findings, evidence, and auditor notes
- To generate export reports (Excel) when you request them
- To send transactional emails (account verification, password reset)
- To monitor service health and fix bugs
4. AI processing and your data
Document text is sent to Google Gemini for AI analysis. We do not use your documents or analysis results to train AI models. Google's data usage policy for the Gemini API states that API inputs are not used for model training. We send only the minimum text necessary for analysis and do not include your personal information in AI prompts.
5. Data storage and security
- All data is hosted on Supabase infrastructure in the EU (Frankfurt, eu-central-1)
- Documents and database records are encrypted at rest using AES-256
- All connections use TLS 1.3 encryption in transit
- Row-level security (RLS) policies ensure you can only access your own data
- Service role credentials are never exposed to the browser
- We perform regular security reviews and follow OWASP best practices
6. Data retention and deletion
Uploaded documents are automatically purged 30 days after upload. You can delete individual documents or entire audits at any time, which removes both the files from storage and the associated analysis data from the database.
If you delete your account, all associated data (audits, documents, findings, notes) is permanently removed within 30 days. You can request immediate deletion by contacting us.
7. Data sharing
We do not sell, rent, or share your personal information or audit documents with third parties, except:
- AI processing: Document text is sent to Google Gemini API for analysis, subject to their data processing terms
- Infrastructure providers: Supabase (database, storage, auth) and Vercel (hosting) process data on our behalf under their respective DPAs
- Legal requirements: We may disclose data if required by law, court order, or to protect our legal rights
8. Your rights
You have the right to:
- Export your audit findings at any time
- Delete individual audits, documents, or your entire account
- Withdraw consent and close your account
If you are in the EU/EEA, you may have additional rights under GDPR. Contact us at support@certentia.io to exercise any data protection rights.
9. Cookies
We use essential cookies only for authentication session management. We do not use advertising cookies, tracking pixels, or third-party analytics cookies.
10. Changes to this policy
We may update this policy from time to time. We will notify registered users of material changes via email. The "last updated" date at the top of this page reflects the most recent revision.
11. Contact
For privacy-related questions or data requests, contact us at support@certentia.io.