Privacy Policy
Last updated: March 25, 2026
1. Who We Are
CertBase is operated by Bunch ("we", "our", "us"). We are the data controller for personal information collected through certbase.io ("the Service"). For all privacy-related inquiries, contact us at info@bunch.ist.
2. Information We Collect
Information you provide
- Account information: email address and password when you create an account
- Profile information: display name and career preferences during onboarding
- Support communications: messages you send to us
Information collected automatically
- Usage data: practice session results, exam progress, question responses, bookmarks, and performance analytics
- Device and browser data: IP address, browser type, operating system, and device identifiers collected via Google Analytics
- Cookies: session cookies for authentication and analytics cookies for service improvement
Information from third parties
- Payment data: Paddle (our payment processor) handles all payment information. We do not store credit card numbers, billing addresses, or financial data on our servers. We receive only transaction IDs and purchase confirmations from Paddle.
3. How We Use Your Information
- Provide, maintain, and improve the Service
- Process purchases and manage your exam access
- Track your learning progress and generate performance analytics
- Personalize exam recommendations and learning paths
- Send transactional emails (purchase confirmations, password resets, email verification)
- Detect and prevent fraud, abuse, and unauthorized access
- Analyze aggregate usage patterns to improve our content and features
We do not use your data for advertising. We do not sell your personal information to third parties.
4. Third-Party Services
We use the following third-party services to operate CertBase:
| Service | Purpose | Data shared |
|---|---|---|
| Firebase Authentication | User login and account management | Email, password (hashed), IP address |
| Cloud Firestore | Database for user data and progress | Account info, exam progress, preferences |
| Google Analytics | Usage analytics and error monitoring | Device info, pages visited, anonymized IP |
| Paddle | Payment processing (Merchant of Record) | Email, payment details, billing address |
| Vercel | Website hosting and delivery | IP address, request logs |
Firebase and Google Analytics are operated by Google LLC (USA). Paddle is operated by Paddle.com Market Limited (UK). Vercel is operated by Vercel Inc. (USA). Your data may be transferred to and processed in these countries. These providers maintain appropriate safeguards for international data transfers.
5. Data Retention
- Account data: retained while your account is active, deleted within 30 days of account deletion request
- Exam progress: retained while your account is active
- Payment records: retained by Paddle per their legal obligations (typically 7 years for tax purposes)
- Analytics data: automatically aggregated and anonymized by Google after 14 months
- Server logs: automatically deleted after 30 days
6. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: request a copy of the personal data we hold about you
- Correction: request correction of inaccurate or incomplete data
- Deletion: request deletion of your account and associated data
- Restriction: request restriction of processing in certain circumstances
- Portability: request your data in a machine-readable format
- Objection: object to processing based on legitimate interests
- Withdraw consent: withdraw consent for analytics at any time by disabling cookies in your browser
To exercise any of these rights, email us at info@bunch.ist. We will respond within 30 days.
7. Cookies
We use the following types of cookies:
- Essential cookies: required for authentication and core functionality. Cannot be disabled.
- Analytics cookies: Google Analytics cookies to understand how users interact with the Service. You can opt out by disabling cookies in your browser or using the Google Analytics Opt-out Browser Add-on.
8. Data Security
We implement appropriate technical and organizational measures to protect your personal information, including encryption in transit (TLS), secure authentication via Firebase, and access controls on our database. However, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.
9. Children's Privacy
The Service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected data from a child under 16, we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice on the Service. The "Last updated" date at the top reflects the most recent revision.
11. Contact
For privacy-related questions, data requests, or complaints, contact us at: