1. Who We Are
CertRealm is operated by CertRealm, LLC. ("CertRealm," "we," "us"). For personal data you provide while using the Service, CertRealm, LLC. acts as the data controller. Our payments are processed by Paddle.com, which acts as an independent controller for payment data it collects directly from you at checkout.
2. What We Collect
- Account data: name, display name, email, chosen realm, password hash.
- Progress data: XP, streaks, quest completions, lab attempts, exam scores.
- Contributions: questions, labs, and comments you submit.
- Support messages: anything you send us through the Support channel.
- Subscription metadata: tier, status, billing period (we receive this from Paddle; full card details are handled by Paddle, not us).
- Technical data: IP address, browser, device type, basic usage analytics.
3. How We Use It
- To operate the Service, track progress, and personalize your experience.
- To enable guild, leaderboard, and challenge features.
- To send account-related emails (verification, password reset, key updates).
- To grant access to paid features based on your subscription status.
- To debug, prevent abuse, and improve content quality.
4. Legal Basis
We process your data based on the contract you enter when creating an account or subscribing (Art. 6(1)(b) GDPR), our legitimate interest in operating, securing, and improving the Service (Art. 6(1)(f) GDPR), legal obligations we are subject to (Art. 6(1)(c) GDPR), and your consent where required (Art. 6(1)(a) GDPR).
5. Sharing
We do not sell your personal data. We share data only with:
- Infrastructure subprocessors: Supabase (hosting + database + auth), Cloudflare (CDN + edge runtime), Resend (transactional email), PostHog (product analytics), and Sentry (error monitoring) — all under data-processing contracts.
- Paddle.com — our Merchant of Record for web purchases — processes payments, taxes, invoicing, and billing support.
- RevenueCat + Apple / Google handle in-app purchases on iOS and Android. When you subscribe in the mobile app, Apple or Google is the merchant; we receive the purchase receipt via RevenueCat to grant access.
- AI providers who power the Forge Master tutor (currently Google Gemini via the Lovable AI Gateway) — your prompts are sent solely to generate a response and are not used to train third-party models.
- Professional advisers (legal, accounting) where reasonably necessary.
- Authorities when required by law.
- Other users — only your public profile fields (display name, realm, XP, guild membership) are visible.
6. Cookies and Local Storage
We use essential cookies and local storage to keep you signed in and remember preferences. We do not use third-party advertising trackers.
7. Data Retention
We keep your data while your account is active. If you delete your account, your personal data and contributions are removed within 30 days, except where retention is required by law.
8. Your Rights
You have the right to:
- Access and download a copy of your data — use Export My Data in Settings to receive a JSON file with everything we hold about you.
- Correct inaccurate data.
- Delete your account and associated data — also available in Settings.
- Object to certain processing or withdraw consent.
- Lodge a complaint with your local data protection authority.
Contact us via Support if you need help exercising any of these rights.
9. Security
We use industry-standard encryption in transit and at rest, hashed passwords, and row-level authorization. No system is perfectly secure — please use a strong, unique password.
10. Children
CertRealm is not directed at children under 13. If you believe a child has provided us data, contact us and we will delete it.
11. International Transfers
Your data may be processed in countries other than your own. We use appropriate safeguards (such as standard contractual clauses) when transferring data internationally.
12. Changes
We will notify you of material changes to this policy by email or in-app announcement before they take effect.
13. Contact
Reach our team through the Support page.
