Privacy Policy
1. Who we are
Certly is a Shopify app that helps B2B merchants collect and manage US resale and exemption certificates. This policy describes how we collect, use, and protect personal data when merchants install the Certly app on their Shopify store and when their customers upload certificates through Certly.
For privacy questions, contact us at privacy@certly.app.
2. What we collect
From merchants (you), via Shopify:
- Shop domain, email, and Shopify access token (for API access)
- Subscription / billing status (handled entirely by Shopify)
- App configuration you enter (states you collect tax in, reminder cadence, tags)
From your customers, when they upload a certificate:
- Customer email and Shopify customer ID
- The certificate file itself (PDF)
- Data extracted from the certificate by automated OCR: entity / business name, state, certificate number, certificate type, issue date, expiry date
We do not collect payment information from customers — Certly never handles credit cards. Merchant subscription payments are processed by Shopify.
3. How we use the data
- To display submitted certificates in the merchant's admin so they can review and approve them
- To update the customer's tax-exempt status and tags in Shopify when a certificate is approved
- To send the customer renewal reminder emails before their certificate expires
- To maintain an audit log of approvals, rejections, and revocations (required for tax compliance)
We do not use customer data for advertising, profiling, or any purpose unrelated to the service. We do not sell data.
4. Sub-processors we share data with
To operate Certly, we share data with the following providers:
- Shopify — authentication, customer data, billing
- Supabase — application database and file storage for uploaded certificates (encrypted at rest)
- Google (Gemini API) — runs OCR on uploaded certificate files. Google does not retain content sent to the Gemini API beyond the request lifecycle under its API terms.
- Resend — sends renewal reminder emails to customers
- Fly.io — hosts the Certly application
5. Where data is stored
Application data and uploaded files are stored in the United States. We use industry-standard encryption in transit (HTTPS) and at rest. Certificate files are stored with hashed filenames and access is restricted to authenticated requests on behalf of the owning merchant.
6. Data retention
- While the app is installed, certificate data is retained indefinitely so the merchant has an audit trail.
- When a merchant uninstalls Certly, we receive a Shopify webhook and delete shop-scoped data within 48 hours.
- We respond to Shopify's customer data erasure webhooks (
customers/redact,shop/redact) within the 30-day window Shopify requires.
7. Your rights (and your customers' rights)
Depending on your jurisdiction, you and your customers may have the right to access, correct, delete, or export personal data we hold, and to object to or restrict its processing.
- Merchants can delete all their shop data by uninstalling the app.
- Customers can request access or deletion via the merchant whose store they shop on (Shopify's data-request webhook routes the request to us).
- You can also email privacy@certly.app directly.
8. Cookies
Certly uses a session cookie from Shopify to authenticate merchant users inside the Shopify admin. We don't use any third-party tracking or analytics cookies on the merchant admin pages.
9. Children
Certly is a B2B tool used by businesses and their business customers. We don't knowingly collect data from anyone under 16.
10. Changes
We'll post a notice on this page when we make material changes to this policy and update the "last updated" date above.