Privacy Policy

2. Information We Collect

We collect the following types of information:

a) Information You Provide Directly:

• Authentication Information: When you sign in using Google via Firebase Authentication, we receive details like your Full Name, Email, and UID. If you use email authentication, we store your email address, name, and a securely hashed version of your password. We use this information to personalize the service and associate certificates and blog content with your account.
• Google Drive Access: When you authorize Google Drive integration, we receive a limited access token (with the 'drive.file' scope) that only allows us to create and manage files created by our application. We store this token to provide continuous access to your saved certificates.
• Certificate Form Data: Information entered in the certificate request forms like event location, date, blood group, debate topic, number of trees planted, mobile/WhatsApp number as applicable. This information is used to generate your certificate and may be stored for verification purposes.
• Blog Content: If you create blog posts, we store the content, title, summary, images, and metadata associated with your posts.
• Contact Information: Any information provided when contacting us through our Contact page.
• Profile Pictures: If you upload a profile picture, we collect and store the image using the ImgBB service. Images are processed client-side before upload and stored securely with our image hosting provider.
• Email Certificate Requests: When you request certificates via email (for users without Google Drive access), we collect your email address and certificate details for delivery through our email service (SendPulse).

b) Information Collected Automatically:

• Device Fingerprinting: We collect device fingerprint data using FingerprintJS technology to create a unique identifier for your device. This includes browser characteristics, screen resolution, timezone, installed fonts, and other technical parameters. Device fingerprints help us prevent abuse, enforce usage limits, and enhance security by detecting suspicious activity patterns. The fingerprint is cached locally for up to one year and is used alongside other security measures.
• IP Address Detection: We automatically collect and cache your IP address using the icanhazip.com service to help with rate limiting, security monitoring, and fraud prevention. Your IP address is cached locally for up to one year and is used in conjunction with device fingerprinting to create a comprehensive security profile. We prefer IPv6 addresses when available but also support IPv4. This information helps us detect suspicious patterns, prevent abuse, and enforce usage limits more effectively.
• Usage Data (Firestore): Records of certificate generation requests and blog interactions including user ID, email, type of certificate, timestamps, status, and errors (if any). We maintain detailed logs of certificate generation attempts, completions, and failures to ensure service quality and security.
• Device Limit Data (Local Storage): Tracks the count of certificates generated on your browser/device and resets after about 24 hours. This helps prevent abuse of the service and ensures fair access for all users.
• Google Drive Tokens: For users who authorize Google Drive integration, we store access tokens in local storage to enable seamless saving of certificates to your Drive. These tokens are used only for accessing files our app creates.
• Mobile Number Usage: We track which mobile numbers have been used with which accounts to prevent abuse and ensure users are properly accessing their own certificates.
• Notification Preferences: Data about which notifications you've read or dismissed.
• Access Session Data (Session Storage): Temporarily stores timestamps (if a waiting room feature is enabled) which clear on session end.
• Technical Data (Implicit): Standard details like IP address, browser type, and access times are logged for security and debugging.

c) Cookies and Similar Technologies:

• Cookies: We use cookies for authentication, maintaining session states, enhancing user experience, tracking usage trends, and monitoring service performance. These cookies may be essential for the operation of our service or used to improve functionality.
• Firebase Authentication: Uses cookies to maintain your authentication state across sessions.
• Analytics: We use Firebase Analytics to collect anonymized data about how our service is used. This helps us understand usage patterns, identify areas for improvement, and monitor performance.
• Local Storage: We use local storage to store preferences, authentication tokens, and other data that persists between sessions.
• Session Storage: Used for temporary data that should only persist for the duration of your browser session.
• Device & Browser Data: Includes operating system, browser version, language preference, screen resolution, and device type, which helps us optimize our service for different devices and browsers.

3. How We Use Your Information

We use your information for the following purposes:

• Service Operation: To authenticate users, maintain accounts, and process certificate generation requests. This includes verifying your identity, associating certificates with your account, and ensuring the proper functioning of our service.
• Certificate Population: To insert your provided data onto the certificate templates along with a unique QR code for verification purposes. The data you provide in certificate forms is directly used to generate certificates according to predefined templates.
• Certificate Storage: To save generated PDF certificates on Google Drive and maintain corresponding records in Firestore. When you authenticate with Google and authorize the drive.file scope, we can only access files our app creates, not your entire Drive. For Google-authenticated users, certificates are automatically saved to your Drive and never expire. For email-authenticated users, temporary links to certificates are provided with a 7-day expiration period unless explicitly saved to Google Drive.
• Certificate Validation: To enable QR code verification for certificates, allowing third parties to confirm their authenticity. Each certificate includes a QR code that links to our verification service, displaying the certificate's authenticity and details when scanned.
• Blog Services: To display, store, and manage blog posts, author information, and user interactions with blog content. If you create or interact with blog content, we process this information to deliver these services.
• Notifications: To send you important updates about the service, such as new features, maintenance notifications, or certificate processing status, through our in-app notification system.
• Enforcing Limits: To monitor and enforce daily certificate generation limits per device/user/mobile number using device fingerprinting, IP address tracking, and other security mechanisms. We track certificate generation attempts to prevent abuse and ensure fair usage of the service. This includes correlating mobile numbers with user accounts, device fingerprints, and IP addresses to prevent account switching, device switching, or IP switching to bypass limits.
• Security & Fraud Prevention: To help prevent fraudulent activity, ensure the proper use of the Service, and protect its integrity using device fingerprinting and IP address detection technology. This includes monitoring for suspicious activity, detecting multiple accounts from the same device or IP address, verifying the authenticity of certificate requests, and preventing unauthorized access to accounts. Combined device fingerprints and IP addresses help us identify and block potentially malicious users, automated systems, or coordinated abuse attempts.
• Rate Limiting & Traffic Management: To implement sophisticated rate limiting using both IP addresses and device fingerprints, ensuring fair access to our services and preventing abuse. This dual-layer approach helps us distinguish between legitimate users sharing IP addresses (such as in corporate or mobile networks) and malicious actors attempting to bypass restrictions.
• User Experience Personalization: To customize your experience based on your preferences, usage patterns, and account type (Google vs. email authentication). Google-authenticated users receive a different experience with automatic Drive integration, while email-authenticated users see reminders about certificate expiration.
• Service Improvement: To analyze aggregated, non-identifiable usage data to understand usage patterns and identify potential improvements. This helps us enhance the service based on actual user behavior and needs.
• Analytics & Diagnostics: To monitor system performance, usage patterns, and improve reliability using aggregated, anonymized data. This helps us identify and fix issues, optimize performance, and understand how our service is being used.
• Profile Picture Management: To store and display your profile picture across the service. Images are uploaded to our secure image hosting service and associated with your account for personalization.
• Email Certificate Delivery: To send generated certificates via email to users who don't have Google Drive access. We use your email address and certificate details to deliver certificates through our email service.
• Welcome Communications: To automatically send welcome emails to new users upon registration, helping them get started with our service and providing important information about features and usage.

4. How We Share Your Information

We do not sell your personal information. We only share your data in the following limited circumstances:

• With Google Services: We utilize Google services like Firebase (Authentication, Firestore), Google Drive (using the limited drive.file scope which only grants access to files created by our app), and potentially Google Slides API for hosting, authentication, data storage, and PDF generation/storage. When you authenticate with Google or authorize Google Drive access, your information is shared with Google according to their privacy policies.
• For Email Authentication: If you use email/password authentication, your email and securely hashed password are stored with Firebase Authentication. Email verification and password reset emails are sent through Firebase's email service.
• For Certificate Generation: Your certificate form data is processed by our certificate generation service to create personalized certificates. This may involve transmitting the data to our server-side functions hosted on platforms like Netlify.
• For QR Code Generation: Data necessary to create the QR code (like the verification link) is sent to external services (e.g., `api.qrserver.com`) solely for the purpose of generating the QR image. This information typically includes a unique identifier for certificate verification, not your personal details.
• For Certificate Verification: When a certificate's QR code is scanned, the embedded verification identifier is used by a verification service (e.g., hosted on Netlify) to display relevant details. This enables institutions to verify the authenticity of certificates you present.
• For Blog Content Storage: Blog images and content may be stored using cloud storage solutions such as Firebase Storage. If you create blog posts, your content and associated metadata are stored and displayed publicly.
• With Service Providers: We may share information with third-party vendors, consultants, and other service providers who need access to such information to carry out work on our behalf. These service providers have access to your information only to perform specific tasks and are obligated to protect your information.
• For Legal Reasons: We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court or a government agency), or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
• Security Measures: All sensitive data is stored using encryption-at-rest where supported, and is transmitted using HTTPS (TLS 1.2+ encryption). Access to user data is strictly limited to authorized personnel, and we conduct periodic security reviews to identify and mitigate risks.
• Profile Picture Storage: Profile pictures are uploaded and stored using the ImgBB image hosting service. Images are processed client-side before upload and stored securely with our image hosting provider.
• Email Certificate Delivery: For users requesting certificates via email, certificate data and your email address are shared with our email service provider (SendPulse) for delivery purposes.
• Edge Function Processing: Certificate generation, email sending, and other server-side operations may be processed through Netlify Edge Functions, which may involve temporary data transmission to these services for processing.

5. Data Storage and Security

We take the following measures to protect your information:

• Certificate Data Storage: Your certificate request data and associated metadata are securely stored using Firebase Firestore. Generated PDFs are stored in Google Drive (with your permission, using the restricted drive.file scope which only allows access to files our app creates), protected by Google's security infrastructure.
• Authentication Tokens: Google access tokens are stored in your browser's Local Storage for persistence between sessions. These tokens allow seamless access to your Drive-saved certificates and are only used to access files created by our application.
• Differential Certificate Storage: For Google-authenticated users, certificates are automatically saved to your Google Drive and never expire. For email-authenticated users, certificates are stored temporarily (7 days) unless explicitly saved to Google Drive.
• Mobile Number Security: Mobile/WhatsApp numbers entered during certificate generation are associated with specific user accounts to prevent abuse and unauthorized access to certificates.
• Blog Content Security: Blog images and media files are stored in Firebase Storage with appropriate access controls. Admin functionality is protected by role-based access controls.
• Local Data Storage: Device fingerprint data, IP address cache, device limit tracking data, notification preferences, and Google Drive tokens are stored locally in your browser's Local Storage. Device fingerprints and IP addresses are cached for up to one year to improve performance and reduce repeated detection attempts. This data helps maintain your settings and ensures proper service functionality.
• Session Storage: Temporary data like waiting room timestamps are stored in Session Storage and are automatically cleared when you close your browser.
• Authentication Security: User authentication is handled securely via Firebase Authentication (Google Sign-In and Email/Password). Passwords are never stored in plaintext and are securely hashed by Firebase Authentication.
• Transport Security: We use HTTPS (with TLS 1.2+ encryption) for all data transmission between your browser and our servers, protecting your information from interception during transit.
• Access Controls: Access to user data is strictly limited to authorized personnel and monitored via audit logs. We implement proper access controls to ensure that only authorized personnel can access user data for legitimate purposes.
• Security Reviews: We conduct periodic security reviews and threat modeling to identify and mitigate potential security risks.
• Risk Disclosure: Despite these measures, please be aware that no internet transmission or electronic storage method is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security.

6. Data Retention

We retain different types of information for varying periods, based on the type of data and its purpose:

• Certificate Request Data:
  • For Google-authenticated users: Certificate data is retained indefinitely as long as you maintain your Google Drive access. Certificates saved to your Google Drive remain there until you delete them, even if you delete your account with our service.
  • For email-authenticated users: Certificate download links expire after 7 days unless you explicitly save them to Google Drive, but the underlying data used for QR code verification is retained for at least 2 years to ensure certificate verifiability.
• Certificate Form Data: Information entered into certificate forms is retained in our database for a minimum of 2 years to support certificate verification, audit requirements, and to prevent abuse through mobile number tracking.
• Authentication Data: Your account information is retained as long as you maintain an active account. If you delete your account, authentication data is removed from our active systems within 30 days, though some information may remain in backup systems for up to 90 days.
• Google Drive Access Tokens: Stored in local storage on your device until you clear your browser data, revoke access through Google, or manually log out.
• Local Usage Data: Device limit data in local storage is automatically reset approximately every 24 hours. Session data is cleared when you close your browser.
• Mobile/WhatsApp Numbers: We maintain an indefinite record of which mobile numbers have been used with which accounts to prevent abuse and ensure proper certificate ownership.
• Blog Content: Retained until you choose to delete it or request its removal, or until we determine it should be removed for legal or policy reasons.
• Notification Data: In-app notifications and their read/unread status are retained until you clear your notifications or delete your account.
• Usage Logs and Analytics: Retained for up to 180 days for performance monitoring, security analysis, and service improvement.
• Profile Pictures: Profile images are stored with our image hosting provider and retained until you delete them or delete your account. Images may be cached by our systems for up to 30 days after deletion.
• Email Certificate Data: Certificate data sent via email is retained for the same periods as regular certificate data (minimum 2 years for verification purposes).
• Welcome Email Records: Records of welcome emails sent are retained for up to 90 days for service improvement and abuse prevention.
• PWA Data: When you install our Progressive Web App, we may store data locally on your device for offline functionality and improved performance. This includes cached content and user preferences.

In general, we retain your information only for as long as necessary to:

• Provide you with our services
• Comply with legal obligations
• Resolve disputes
• Enforce our agreements
• Support legitimate business operations
• Ensure certificate verification functionality

7. Your Rights and Choices

Depending on your location and applicable laws, you may have certain rights regarding your personal data. We provide several tools and options for you to manage your information:

• Access and Data Portability:
  • You can access your basic profile information through your account settings.
  • You can view your certificate generation history in the "My Certificates" section.
  • You can download your generated certificates as PDFs.
  • You can request a more comprehensive copy of your data by contacting us through our Contact page.
• Correction and Updates:
  • You can update your profile information (name, email) through account settings.
  • For corrections to specific certificate data or blog content that cannot be updated directly, please contact us.
  • Note that certificate data cannot be modified after generation as this would affect verification integrity.
• Deletion and Data Removal:
  • You can delete your account through the account settings, which will remove your personal information from our active systems.
  • You can request deletion of specific certificate records, though this may invalidate QR verification for those certificates.
  • Note that certificates saved to your Google Drive will remain there even after account deletion unless you manually remove them from your Drive.
  • Some information may be retained for legal, security, or operational purposes even after deletion requests.
• Managing Authentication:
  • You can switch between email and Google authentication methods.
  • You can update your password or email address in account settings.
  • You can revoke Google Drive access through your Google Account settings at any time.
• Managing Notifications: You can mark notifications as read or dismiss them through the notification interface in the application.
• Managing Local Storage: You can clear your browser's Local Storage to reset device limits and remove stored preferences, although server-side checks may still apply.
• Certificate Expiration Control: Email-authenticated users can extend certificate availability by saving certificates to Google Drive (requires Drive authorization).
• Objection and Restriction: You can object to or request restriction of processing of your personal data under certain circumstances by contacting us.
• Withdrawing Consent: Where we process data based on consent, you have the right to withdraw your consent at any time.

To exercise these rights or if you have any questions or concerns about your data, please visit our Contact page. We will respond to your request within a reasonable timeframe (typically within 30 days).

Please note that some requests may be limited by applicable law, legitimate business interests, or technical limitations. For example, we cannot delete information that is necessary for security purposes, legal compliance, or to maintain the integrity of our certificate verification system.

8. Children's Privacy

Our Service is not intended for individuals under the age of 13. We do not knowingly collect personally identifiable information from children under 13. If you are a parent or guardian and you are aware that your child has provided us with personal data, please contact us. If we become aware that we have collected personal data from children without verification of parental consent, we take steps to remove that information from our servers.

We encourage parents and legal guardians to monitor their children's internet usage and instruct them never to provide personal data without permission.

9. Links to Other Sites / Third-Party Services

Our Service relies on and may link to third-party services not operated by us (e.g., Google, verification hosts). If you click on a third-party link, you will be directed to that third party's site. We strongly advise you to review the Privacy Policy of every site you visit.

We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.

• Google Privacy Policy: https://policies.google.com/privacy
• Content Delivery Networks (e.g., Netlify CDN, jsDelivr) may log requests and usage for performance monitoring.
• Embedded media content (e.g., Images, videos) may collect viewing stats and user data based on your browser settings.

10. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Effective Date" at the top.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.