The Short Version: Your data stays with you. CertifyClouds runs entirely in your Azure environment. We don't access your secrets, credentials, or scanned data. The only communication with our servers is license validation.
1. Information We DO NOT Collect
CertifyClouds is designed with privacy in mind. We do NOT receive or have access to:
- Your Azure Key Vault secret values
- Your Azure credentials or tokens
- Individual secret, certificate, or key names
- Per-asset compliance scan results or violation detail
- Your audit log entries
- Any Azure resource metadata (tags, identifiers, etc.)
All CertifyClouds application data, including everything CertifyClouds reads from your Azure tenant, stays inside your environment in your managed database. We have no access to it.
Section 2 below describes the limited information our license server does receive (license key + version + optional aggregate operational counts) and how to disable each.
2. Information We DO Collect
License Validation
When CertifyClouds validates your license, we receive:
| Data | Purpose | Retention |
|---|---|---|
| License key | Verify valid license | Permanent (in our database) |
| Timestamp | Track validation requests | 90 days |
Optional: Update Checks
If update checking is enabled, we receive:
| Data | Purpose | Retention |
|---|---|---|
| Current version | Determine if update available | Not stored |
Update checks can be disabled by removing network access to license.certifyclouds.com.
Optional: Fleet Visibility (Aggregate Operational Counts)
When the ENABLE_FLEET_VISIBILITY setting is enabled (default on), the hourly license-validate heartbeat also carries aggregate operational counts alongside the license key + version. This helps us understand fleet health and identify customers who may need onboarding support.
What we receive: aggregate integer counts only. No asset names, no PII, no per-asset detail. Examples:
- Total vault / secret / certificate / key counts in your tenant
- Scans run in the last 30 days
- Rotation success rate (e.g. 47 succeeded / 50 attempted)
- Feature adoption counts (number of sync targets configured, alert rules count, SSO state on/off, etc.)
What we do NOT receive: Any individual secret / certificate / key names. Any vault names. Any compliance findings. Any audit log content. Any customer data.
Defensive limits: The license-server worker rejects payloads that are not a plain object or whose serialised JSON exceeds 4 KB. A malicious or outdated client cannot poison our license-server KV with surprise shapes or unbounded payloads.
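A sketch of the two checks named under Defensive limits, written as an added example and not CertifyClouds' own worker code. The function names, reason strings, sample payloads, and the reading of "4 KB" as 4096 UTF-8 bytes are assumptions.

```javascript
// Added example: shape and size checks for a stats payload.
// All names and sample values below are constructed for illustration.
const MAX_BYTES = 4 * 1024; // assumption: "4 KB" means 4096 bytes

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  // Arrays, Maps, Dates and class instances have a different prototype.
  return proto === Object.prototype || proto === null;
}

function validateStatsPayload(payload) {
  if (!isPlainObject(payload)) return { ok: false, reason: 'not-plain-object' };
  let json;
  try {
    json = JSON.stringify(payload);
  } catch (err) {
    // Cyclic references and BigInt values make JSON.stringify throw.
    return { ok: false, reason: 'not-serialisable' };
  }
  // A toJSON() that returns undefined yields no JSON text at all.
  if (typeof json !== 'string') return { ok: false, reason: 'not-serialisable' };
  // Count UTF-8 bytes, not UTF-16 code units: json.length undercounts
  // any payload that contains non-ASCII text.
  const bytes = new TextEncoder().encode(json).length;
  if (bytes > MAX_BYTES) return { ok: false, reason: 'too-large', bytes };
  return { ok: true, bytes };
}

// Constructed sample payloads.
const samples = {
  counts: { vaults: 12, secrets: 340, scans30d: 9 },
  array: [1, 2, 3],
  multibyte: { note: 'é'.repeat(2100) }, // 2111 code units, over 4 KB in bytes
};
for (const [name, payload] of Object.entries(samples)) {
  console.log(name, validateStatsPayload(payload));
}
```

The multibyte sample passes a naive `json.length` check but is rejected once the size is measured in bytes.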
Opt out: Advanced Settings → App Behaviour → Enable Fleet Visibility → off. Toggle takes effect on the next heartbeat. License validation continues to work normally without the stats payload.
| Data | Purpose | Retention |
|---|---|---|
| Aggregate operational counts | Customer-success outreach, fleet-health monitoring | Last-known value per license (overwritten each heartbeat) |
Optional: Transactional Email
When you contact us through the website contact form, or when CertifyClouds (deployed in your environment) sends operational emails such as licence-expiry warnings to the address you registered, those emails are delivered via SMTP2GO as a sub-processor. SMTP2GO is GDPR-compliant; their privacy policy is at smtp2go.com/privacy-policy.
3. How We Use Information
We use the limited information we collect to:
- Validate your license is active and not expired
- Prevent license key sharing or abuse
- Provide version update notifications
- Improve our service (aggregate, anonymized usage)
We do NOT use your information to:
- Sell to third parties
- Send marketing communications (unless you opt in)
- Profile your Azure environment
- Track your secret management practices
4. Data Storage and Security
License Server
Our license validation server (license.certifyclouds.com) is:
- Hosted on Cloudflare's global edge network
- Protected by DDoS mitigation
- Encrypted in transit (TLS 1.3)
- Subject to minimal data retention (90 days for logs)
Your Environment
All CertifyClouds application data is stored in your environment:
- Your managed database (you control)
- Log files (you control)
We have no access to your environment or data.
5. Data Sharing
We do not sell or rent your information. We share data only with the sub-processors below, and only as needed for the service to function:
| Sub-processor | Purpose | Privacy policy |
|---|---|---|
| Cloudflare | Edge / DDoS protection for the marketing site and the license server | cloudflare.com/privacypolicy |
| SMTP2GO | Transactional email delivery (contact-form replies, licence-expiry notices) | smtp2go.com/privacy-policy |
| Meta (Facebook) | Advertising-pixel attribution for paid social campaigns (when active; see §6) | facebook.com/privacy/policy |
We may additionally disclose data:
- Legal requirements: if required by law, subpoena, or legal process
- Business transfer: in connection with a merger or acquisition, with prior notice
6. Website Cookies, Analytics, and Visitor Identification
Important: This section applies only to our marketing website (certifyclouds.com). The CertifyClouds application deployed in your Azure environment contains no third-party tracking scripts.
Cookies set by the marketing site
| Cookie | Set by | Purpose | Category |
|---|---|---|---|
| __cf_bm | Cloudflare | Bot management; distinguishes humans from bots | Strictly necessary |
| cf_chl_* | Cloudflare Turnstile | CAPTCHA challenge on form submissions (contact / trial signup) | Strictly necessary |
| cc_consent | certifyclouds.com | Records your cookie preference choice | Strictly necessary |
| _fbp + Meta advertising pixel | Meta (Facebook) | Attribution for paid social campaigns; loaded only when an active campaign is running (see below) | Marketing; opt-in |
The strictly-necessary cookies above are required for site security and consent persistence. The Meta advertising pixel is only loaded after you accept marketing cookies via the consent banner, and only during periods when a paid social campaign is active.
Meta (Facebook) advertising pixel
When a paid Meta / Facebook campaign is active, we load the Meta advertising pixel on the marketing site to measure ad-attribution and reach (for example, how many of our LinkedIn or Facebook ad clicks land on the trial signup page). The pixel sends Meta:
- Pages visited on certifyclouds.com
- Standard events such as page-view and form-submit
- The browser-set first-party identifier (_fbp cookie) so Meta can de-duplicate views by browser
Lawful basis: consent. The pixel does not load until you accept marketing cookies via the consent banner, and is not loaded at all outside an active paid campaign.
Meta's privacy policy is at facebook.com/privacy/policy.
Opting out
You can opt out of marketing-pixel tracking by:
- Declining marketing cookies on first visit (the consent banner appears once per browser; you can change your choice at any time using the Cookie Settings link in the footer)
- Using a browser privacy extension that blocks third-party scripts
- Adjusting your Facebook / Meta ad preferences at accountscenter.facebook.com/ad_preferences
- Contacting privacy@certifyclouds.com to request removal from our marketing lists
Note: Analytics and advertising-pixel tracking apply only to our marketing website, not to the CertifyClouds application deployed in your environment.
7. Your Rights (GDPR/UK GDPR)
Depending on your jurisdiction, you may have rights to:
- Access: Know what data we have about you
- Correction: Fix inaccurate data
- Deletion: Request deletion of your data
- Portability: Receive your data in portable format
- Objection: Object to certain processing
To exercise these rights, contact: privacy@certifyclouds.com
8. Data Retention
| Data Type | Retention Period |
|---|---|
| License records | Duration of license + 1 year |
| Validation logs | 90 days |
| Support communications | 2 years |
| Legal/compliance records | As required by law |
9. International Transfers
Our license server is hosted on Cloudflare's global network. Your license validation request may be processed in various countries. Cloudflare maintains appropriate safeguards for international data transfers.
10. Children's Privacy
CertifyClouds is a business software product. We do not knowingly collect information from children under 16. If you believe a child has provided information to us, contact privacy@certifyclouds.com.
11. Changes to This Policy
We may update this Privacy Policy periodically. The current version is always published at certifyclouds.com/privacy. The "Last Updated" date at the top of this page reflects the most recent revision; continued use of the site or service after a revision constitutes acceptance.
12. Contact Us
For privacy questions or concerns:
- Email: privacy@certifyclouds.com
- Website: https://certifyclouds.com
Summary
| Question | Answer |
|---|---|
| Do you see my secrets? | No |
| Do you store my Azure data? | No |
| What do you collect? | License key and validation timestamp only |
| Can I use this offline? | Yes, with cached license for a configurable grace period |
| Who has access to my scans? | Only you |
By using CertifyClouds, you acknowledge that you have read and understood this Privacy Policy.