Privacy Policy

Last updated: March 11, 2026

1. Who we are

AlertaCert is a software service offered by an individual operator. The service is aimed at accountants and accounting firms in Mexico, Colombia, Argentina, Brazil, Italy, and India. For data inquiries, write to privacy@alertacert.com.

As we do not yet have a registered legal entity, we act as the individual data controller. This policy accurately reflects how we currently operate.

2. What data we collect

Data you provide us

  • Account: full name, email, password (stored as a hash, never in plain text), name of your organization.
  • Clients: client name, RFC/NIT/CUIT/CNPJ/PAN or other tax identifier, country, optional notes.
  • Certificates: digital certificate files (.p12, .cer, .key, .pem), their password (encrypted with AES-256-GCM before storing), automatically extracted metadata (expiration date, serial number, holder name, certificate type).
  • Documents: PDFs you upload for digital signing flows. They are stored temporarily and deleted when you delete the flow or your account.
  • Security devices: if you register an access key (passkey), we store the WebAuthn public key and device name. The private key never leaves your device.

Data we collect automatically

  • Audit log: when you perform sensitive actions (upload, download, signing, password reveal, team management), we record the action, your identifier, the time, and relevant metadata. This log is immutable and visible only to your organization's administrators.
  • Session metadata: managed by Supabase Auth via JWT tokens. We do not permanently store IPs.

What we do not collect

  • We don't use advertising tracking cookies or third-party analytics.
  • We don't read the content of your certificate files beyond the initial analysis to extract metadata (expiry, type, holder).
  • We don't store payment card data — that's handled directly by Stripe.

3. How we use your data

  • To provide the service: store and display your certificates, send expiry alerts, execute signing flows.
  • Authentication and security: verify your identity, manage sessions and access keys, apply rate limits.
  • Billing: process payments and manage subscriptions via Stripe.
  • Transactional communications: send you expiry alerts, signing notifications, account confirmation emails, and password recovery emails. Never marketing emails without your explicit consent.
  • Auditing: maintain an immutable record of actions for your organization's internal compliance.

4. Who we share your data with

We don't sell your data. The only third parties that access it are the infrastructure providers necessary to operate the service:

Provider | Purpose | Data
Supabase | Database, authentication, storage | All encrypted account and file data
Stripe | Payment processing | Email, subscription data. Never certificate files
Resend | Transactional email sending | Recipient email, subject, notification content

Supabase operates on Amazon Web Services infrastructure. The storage region depends on your Supabase project configuration. You can review Supabase's privacy policy at supabase.com/privacy.

5. International data transfers

AlertaCert is an internationally operated service. Data is stored on Supabase (AWS) infrastructure. If you're in Brazil (LGPD), Italy (GDPR), or another market with international transfer regulations, your data may be processed outside your country of origin. By using the service, you accept this transfer as necessary to provide the described service.

For users in Italy (and the European Union in general), the legal basis for processing is the execution of a contract (Art. 6(1)(b) GDPR) and the legitimate interest in service security (Art. 6(1)(f) GDPR).

For users in Brazil, processing is based on contract execution and legitimate interest according to the Lei Geral de Proteção de Dados (LGPD).

6. How long we keep your data

  • Account and organization data: while your account is active.
  • Certificate files and documents: while they're in your account. When you delete a certificate or signing flow, we delete the file from storage (on a best-effort basis; deletion may take up to 24h).
  • Audit log: retained while the organization exists. It's immutable by design — individual records cannot be deleted.
  • After account deletion: we delete data within 30 days, except where legally required to retain it.

7. Your rights

You have the right to:

  • Access: request a copy of your personal data.
  • Rectification: correct inaccurate data (name, email) from Settings → Profile.
  • Deletion: request deletion of your account and associated data by writing to privacy@alertacert.com.
  • Portability: certificate data can be exported in CSV from the Certificates section.
  • Opposition: you can object to data processing for purposes other than those essential to the service.

The ARCO rights (Mexico/LFPDPPP), LGPD rights (Brazil), and GDPR rights (Italy/EU) are exercised by written request to privacy@alertacert.com. We respond within a maximum period of 30 days.

Security

We apply technical measures described in detail on our Security page: AES-256-GCM encryption, authentication with passkeys, re-authentication for sensitive actions, Row-Level Security in the database, and file validation on upload.

No system is foolproof. In the event of a security breach affecting your data, we will notify you by email within a reasonable period.

Cookies

We use only session cookies necessary for authentication (managed by Supabase Auth). We do not use advertising tracking cookies, behavioral analytics, or third-party social media cookies.

Changes to this policy

If we make material changes, we will notify you by email with at least 14 days' notice. Continued use of the service after that period implies acceptance. The date of the last update is always visible at the beginning of this page.

Contact

For any privacy inquiry: privacy@alertacert.com

To report a security vulnerability: support@alertacert.com