Your Privacy Matters

Privacy Policy

Last updated: March 10, 2026

Our Commitment to Your Privacy

FeedbackCert ("Company", "we", "us", or "our") operates the FeedbackCert platform at www.feedbackcert.com. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. We are committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), Pakistan's data protection laws, and other applicable international data protection regulations.

01 Information We Collect

1.1 Information You Provide Directly

We collect information that you voluntarily provide to us, including:

  • Account Information: Full name, email address, password (stored in hashed form), organization name, job title/role, and phone number when you register for an account.
  • Profile Information: Organizational details, branding assets (logos, colors), and professional information you add to your profile.
  • Contact Form Data: Name, email address, and message content submitted through our contact forms.
  • Survey & Feedback Data: Questions, responses, and feedback content created or submitted through the platform, including multiple choice answers, ratings, text responses, and checkbox selections.
  • Certificate Recipient Data: Names, email addresses, course/event details, completion dates, and other information necessary for certificate generation and distribution.
  • Event & Workshop Data: Event names, descriptions, dates, locations, attendee lists, and related organizational data.
  • Billing Information: Payment card details, billing address, and transaction history (payment card details are processed and stored by our PCI-compliant third-party payment processors; we do not store full card numbers on our servers).
  • Communication Data: Records of correspondence with our support team, including emails, chat messages, and phone call records.

1.2 Information Collected Automatically

When you access or use our Service, we automatically collect:

  • Device Information: Device type, operating system, browser type and version, screen resolution, and device identifiers.
  • Log Data: IP address, access times, pages viewed, referring URL, time spent on pages, click data, and other diagnostic data.
  • Usage Analytics: Feature usage patterns, session duration, interaction data, and performance metrics.
  • Certificate Delivery Tracking: Email open rates, certificate download tracking, and verification code usage for delivery confirmation purposes.
  • Cookies and Similar Technologies: We use cookies, web beacons, and similar tracking technologies to collect information about your browsing activities (see Section 9).

1.3 Information from Third Parties

  • LMS Integration Data: When you integrate with Learning Management Systems, we may receive student enrollment data, completion records, and related academic information.
  • CSV/Bulk Upload Data: Recipient data uploaded by you via CSV files for bulk certificate generation, including names, emails, and custom fields.
  • Third-Party Authentication: If you choose to sign in using third-party services (e.g., Google, Microsoft), we receive your basic profile information from those services.

02 How We Use Your Information

We use the collected information for the following purposes:

  • Service Delivery: To provide, operate, maintain, and improve our feedback collection, certificate generation, and analytics services.
  • Account Management: To create and manage your account, process authentication, and manage role-based access control.
  • Certificate Operations: To generate, customize, distribute, verify, and track certificates on behalf of your organization.
  • Email Communications: To send automated certificate deliveries, service notifications, password resets, account updates, and responses to inquiries.
  • Analytics & Insights: To provide data analytics, sentiment analysis, reporting, and actionable insights from feedback data.
  • Billing & Payments: To process subscription payments, manage billing, and send invoices and payment receipts.
  • Customer Support: To respond to your requests, resolve technical issues, and provide customer service.
  • Service Improvement: To analyze usage patterns, identify trends, conduct research, and improve the functionality and user experience of our Service.
  • Security: To detect, prevent, and address fraud, abuse, security threats, and technical issues.
  • Legal Compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
  • Marketing (with consent): To send promotional materials, newsletters, and product updates. You may opt out of marketing communications at any time.

03 Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or other jurisdictions that require a legal basis for processing personal data, we rely on the following:

  • Contractual Necessity (Article 6(1)(b) GDPR): Processing is necessary for the performance of our contract with you — to provide the Service, manage your account, process payments, and generate certificates.
  • Legitimate Interests (Article 6(1)(f) GDPR): Processing is necessary for our legitimate interests, including service improvement, security, fraud prevention, and analytics, provided these interests are not overridden by your data protection rights.
  • Consent (Article 6(1)(a) GDPR): Where you have given explicit consent for specific processing activities, such as receiving marketing communications or the use of non-essential cookies.
  • Legal Obligation (Article 6(1)(c) GDPR): Processing is necessary to comply with a legal obligation, such as tax reporting, anti-money laundering requirements, or responding to lawful requests from authorities.

You have the right to withdraw consent at any time where we rely on consent as the legal basis for processing. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

04 Data Sharing & Disclosure

We do not sell your personal data. We may share your information in the following circumstances:

4.1 Service Providers

We share data with trusted third-party service providers who assist us in operating our Service, including:

  • Email Delivery: For sending automated certificate emails and notifications (e.g., Web3Forms, email service providers).
  • Payment Processing: For processing subscription payments (PCI-DSS compliant processors).
  • Cloud Hosting: For secure data storage and infrastructure.
  • Analytics: For understanding usage patterns and improving our Service.

All service providers are contractually bound to protect your data and process it only according to our instructions.

4.2 Organizational Sharing

Within your organization on the platform, data may be shared between users based on their assigned roles (Admin, Instructor, Student). Admins have access to organizational-level data; Instructors can access data for their assigned events; Students can view their own feedback submissions and certificates.

4.3 Certificate Verification

When a certificate is verified using its unique verification code, limited information (certificate holder's name, issuing organization, event name/course, and date of issuance) is displayed to the verifying party. This is a core function of the Service and does not require separate consent.

4.4 Legal Requirements

We may disclose your information if required by law, legal process, governmental request, or when we believe disclosure is necessary to:

  • Comply with applicable laws, regulations, or valid legal processes.
  • Protect the rights, property, or safety of FeedbackCert, our users, or the public.
  • Detect, prevent, or address fraud, security issues, or technical problems.
  • Enforce our Terms and Conditions.

4.5 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal data may be transferred as part of the transaction. We will notify you before your personal data becomes subject to a different privacy policy.

05 International Data Transfers

Our Service is operated from Pakistan. If you are accessing the Service from another country, your information may be transferred to, stored, and processed in Pakistan or other countries where our service providers operate.

For transfers of personal data from the EEA, UK, or Switzerland, we ensure adequate protection through:

  • Standard Contractual Clauses (SCCs): EU-approved standard contractual clauses with our service providers.
  • Adequacy Decisions: Transfers to countries recognized by the European Commission as providing adequate data protection.
  • Additional Safeguards: Technical and organizational measures including encryption, access controls, and regular security assessments.

By using the Service, you acknowledge and consent to the transfer of your information to countries outside your country of residence, which may have different data protection rules.

06 Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

  • Account Data: Retained for the duration of your account plus 30 days after deletion request to allow for account recovery.
  • Feedback & Survey Data: Retained for the duration of your subscription. Upon account termination, you may request data export before deletion.
  • Certificate Records: Certificate verification data may be retained for up to 7 years after issuance to support ongoing verification needs of certificate holders and third parties.
  • Billing & Transaction Data: Retained for up to 7 years to comply with tax and financial reporting obligations.
  • Communication Records: Support correspondence is retained for up to 3 years.
  • Log Data & Analytics: Aggregated and anonymized analytics data may be retained indefinitely. Identifiable log data is retained for up to 12 months.

When data is no longer needed, it is securely deleted or anonymized so that it can no longer be associated with you.

07 Data Security

We implement comprehensive security measures to protect your personal data, including:

  • Encryption: All data is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption.
  • Access Controls: Role-based access controls, multi-factor authentication, and principle of least privilege for internal access.
  • Password Security: All passwords are hashed using industry-standard algorithms (bcrypt/scrypt) and are never stored in plaintext.
  • Infrastructure Security: Regular security audits, vulnerability assessments, and penetration testing.
  • Employee Training: All team members undergo data protection and security awareness training.
  • Incident Response: We maintain a data breach response plan and will notify affected users and relevant authorities within 72 hours of discovering a confirmed breach, as required by applicable law.

While we implement robust security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to using commercially acceptable means to protect your data.

08 Your Rights & Choices

Depending on your location, you may have the following rights regarding your personal data:

For All Users

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete personal data.
  • Deletion: Request deletion of your personal data, subject to legal retention requirements.
  • Data Portability: Request your data in a structured, commonly used, and machine-readable format.
  • Opt-Out of Marketing: Unsubscribe from marketing emails at any time using the link in the email or by contacting us.
  • Account Deletion: Request permanent deletion of your account and associated data.

Additional Rights for EEA/UK Residents (GDPR)

  • Right to Restrict Processing: Request limitation of processing of your personal data under certain conditions.
  • Right to Object: Object to processing based on legitimate interests, including profiling.
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.
  • Right to Lodge a Complaint: File a complaint with your local supervisory authority (Data Protection Authority).

Additional Rights for California Residents (CCPA/CPRA)

  • Right to Know: Request disclosure of specific pieces of personal information collected about you.
  • Right to Delete: Request deletion of your personal information collected and retained by us.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
  • Right to Opt-Out of Sale: We do not sell personal information. If this changes, we will provide an opt-out mechanism.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Limit Use of Sensitive Personal Information: Limit our use of sensitive personal information to that which is necessary.

Additional Rights for Other Jurisdictions

  • Brazil (LGPD): Right to anonymization, blocking, or deletion of unnecessary data; data portability; information about sharing.
  • South Africa (POPIA): Right to access, correction, deletion, and objection to processing of personal information.
  • Australia (Privacy Act): Right to access, correction, and complaint to the OAIC.
  • Canada (PIPEDA): Right to access, challenge accuracy, and withdraw consent.
  • India (DPDP Act): Right to access, correction, erasure, and grievance redressal.

To exercise any of these rights, please contact us at support@feedbackcert.com. We will respond to your request within 30 days (or within the timeframe required by your applicable law). We may need to verify your identity before processing your request.

09 Cookies & Tracking Technologies

We use cookies and similar technologies to enhance your experience. The types of cookies we use include:

Cookie Type | Purpose | Duration
Essential | Authentication, session management, security, load balancing | Session
Functional | Remembering preferences, language settings, and customizations | 1 year
Analytics | Understanding usage patterns, feature adoption, error tracking | 2 years
Marketing | Delivering relevant advertisements and measuring campaign effectiveness | 1 year

Managing Cookies: You can control and/or delete cookies through your browser settings. Most browsers allow you to refuse cookies or receive a warning before a cookie is stored. However, disabling essential cookies may prevent you from using certain features of the Service.

For users in the EEA/UK, we obtain your consent before placing non-essential cookies, in compliance with the ePrivacy Directive.

10 Children's Privacy

Our Service is not directed at individuals under the age of 16 (or the applicable minimum age of digital consent in your jurisdiction). We do not knowingly collect personal data from children under this age.

If you are a parent or guardian and believe that your child has provided us with personal data without your consent, please contact us at support@feedbackcert.com. We will take steps to delete such information promptly.

If an educational institution uses our Service to collect feedback from students under 16, that institution is responsible for obtaining the necessary parental consent and ensuring compliance with applicable child protection laws, including the U.S. Children's Online Privacy Protection Act (COPPA) and similar regulations.

11 Third-Party Services

Our Service integrates with or links to third-party services, including but not limited to:

  • Web3Forms: For processing contact form submissions.
  • Payment Processors: For handling subscription payments securely.
  • LMS Platforms: For integrating with Learning Management Systems via API.
  • Email Service Providers: For delivering certificate emails and notifications.
  • Analytics Services: For measuring and analyzing platform usage.
  • Cloud Infrastructure Providers: For hosting and data storage.

Each third-party service has its own privacy policy governing its use of your data. We encourage you to review the privacy policies of any third-party services you interact with. We are not responsible for the privacy practices of these third-party services.

12 Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We will:

  • Update the "Last updated" date at the top of this Privacy Policy.
  • Notify you of material changes via email or a prominent notice on our Service at least 30 days before the changes take effect.
  • Where required by law, obtain your consent to any material changes to how we process your personal data.

Your continued use of the Service after any changes to this Privacy Policy constitutes your acceptance of the revised policy. We encourage you to review this Privacy Policy periodically.

Data Protection Contact

For questions about data protection or to exercise your data rights, please contact us:

Contact Us

If you have any questions, concerns, or complaints regarding this Privacy Policy or our data practices, please contact us: