Privacy Policy

    Last updated: June 2026

    1. Introduction

    MyCertStack ("we", "us", "our") is an independent educational platform for IT certification preparation. This Privacy Policy sets out what personal data we collect, how we use it, the legal bases we rely on, and the rights you have over your information. Use of the platform constitutes acceptance of the practices described in this document.

    2. Data Controller

    MyCertStack acts as the data controller for the personal information processed through the platform. Enquiries may be submitted through our Contact page.

    3. Information We Collect

    Account data:

    • Email address (required for account creation and login)
    • Display name and avatar (optional)
    • Authentication metadata (login timestamps, provider, password hash managed by our auth provider)

    Learning data: progress, completed lessons, quiz answers, scores, XP, streaks, bookmarks, certificates issued by the platform, and any feedback you submit (question reports, reviews).

    Billing data: payments are processed by a PCI-DSS compliant payment processor. We retain order metadata (plan, amount, invoice id) but do not store full card details.

    Technical data: IP address, browser and device user agent, and diagnostic logs required to operate the service and to detect abuse.

    4. Legal Bases for Processing (GDPR)

    • Performance of contract: provision of the learning platform you registered for.
    • Legitimate interest: security of the service, fraud prevention, and content improvement.
    • Legal obligation: accounting and tax records related to purchases.
    • Consent: optional communications for which you have explicitly opted in.

    5. Cookies & Session Data

    We use strictly necessary cookies and local storage to maintain your session, remember preferences (for example, light or dark theme), and protect against CSRF. We do not use advertising, profiling, or cross-site tracking cookies. Additional detail is available in our Cookie Policy.

    6. How We Use Your Information

    • To create and administer your account and entitlements.
    • To record and display your learning progress, XP, and achievements.
    • To issue certificates of completion generated by the platform.
    • To send transactional and account-related notifications (for example, password reset, purchase receipt).
    • To detect abuse, fraud, scraping, and violations of our Terms of Service.
    • To improve content accuracy using aggregated, anonymised usage signals.

    7. Sub-processors & Third-Party Services

    We rely on a limited number of infrastructure providers to operate the platform:

    • Cloud hosting and managed database (account, learning, and billing data)
    • Payment processing (purchases and subscriptions)
    • Transactional email delivery (account notifications and replies to your messages)

    Sub-processors receive only the data strictly required to perform their function and are bound by their own data-protection agreements.

    8. Data Sharing

    We do not sell, rent, or trade your personal data. Information is shared only with the sub-processors listed above, where required by law, or with your explicit consent. Aggregated, non-identifying statistics may be published for transparency or research.

    9. Data Retention

    Account and learning data are retained for the duration of your account. Billing records are kept for the period required by applicable tax law. On account deletion, personal data is removed or irreversibly anonymised within 30 days, save where retention is legally required.

    10. Data Security

    We apply standard safeguards, including TLS-encrypted transport, encrypted databases at rest, role-based access controls, row-level security on user data, least-privilege staff access, and monitoring for anomalous activity.

    11. International Transfers

    Our infrastructure providers may process data outside your country of residence. Where such transfers occur, they are governed by Standard Contractual Clauses or equivalent safeguards.

    12. Your Rights

    Subject to applicable law (including the GDPR and similar regimes), you have the right to:

    • Access the personal data we hold about you
    • Rectify inaccurate or incomplete information
    • Erase your account and associated personal data
    • Restrict or object to certain processing activities
    • Receive a portable copy of your data
    • Lodge a complaint with your local data-protection authority

    Most of these actions can be performed directly from your Account settings. For other requests, contact us and we will respond within 30 days.

    13. Children's Privacy

    The platform is not directed to children under the age of 16. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal information, contact us and we will remove it.

    14. Changes to This Policy

    This Privacy Policy may be updated from time to time. Material changes will be indicated on this page and, where appropriate, notified by email. The "Last updated" date above reflects the most recent revision.

    15. Contact Us

    For privacy-related enquiries or to exercise any of the rights listed above, contact us via our Contact page.