Our Platform

Auth9, Inc. d/b/a Certree (“Certree,” “we,” “our,” or “us”) provides an online technology platform (“Platform”) that enables individuals to securely receive, review, store, and share documents and other content electronically. When you share content through our Platform, the recipient can trust that the content is a true and accurate copy of the original. For example, individuals can share employment and income information with potential future employers or other entities that require this information.

Certree puts you, the individual, in control. After all, it’s your data and you should decide what entities, including potential new employers, receive your sensitive information. And because this data is important, you should be able to review your data before it’s sent.

We’re a technology service provider, not a data company. What does that mean?

Certree is a service provider to companies (“Issuers”) who use the Platform to provide information and documents to individuals. For example, an employer may use the Platform to issue employment and income information to current and former employees. Once an Issuer has provided information to the individual, the individual can then securely share a certified digital copy of that content with any third party (“Data Recipient”). In some cases, the Data Recipient may be charged a service fee for using the Platform.

We do not provide or furnish any of the information that may be available through the Platform or stored in an individual’s User Account. In addition, Certree designed the Platform so that we can’t access the content you or an Issuer stores on the Platform. We also can’t provide third parties with access to an individual’s content, not even to law enforcement. Only the individual, through the individual’s password protected User Account, can provide third parties with access to all or specifically designated documents or content by generating a custom link to a digital document. Control rests entirely with the you, the individual.

Certification of Digital Content

Certree certifies the authenticity of digital content shared through the Platform. Since Certree is unable to view the content stored in an individual’s User Account, however, we do not verify the accuracy or validity of any facts or information. If, for example, the information contained in a specific document provided by an Issuer is false, Certree’s role is limited to certifying that the Data Recipient is receiving an accurate and unaltered copy of the original document with the potentially false information. This is by design to protect the security and privacy of your information. And of course, you can review all content for accuracy before anything is ever shared or sent to a Data Recipient.

We Don’t Sell Your Personal Information or Create Profiles About You

Unlike other companies, we don’t share or sell your Personal Information to advertisers, data brokers or other third parties. We don’t use your Personal Information or online activity to build profiles, place you in marketing segments, or serve targeted advertising. At Certree, we view you as a person, not a commodity. Certree generates revenue primarily from transaction fees paid by Data Recipients to use our Platform and obtain certified copies of documents.

About This Privacy Policy

This Privacy Policy describes Certree’s policies and practices regarding its collection and use of Personal Information through this website, Certree.com (“Site”), as well as through our Platform. (The Platform together with the Site are referred to as the “Services”).

This Privacy Policy focuses on Personal Information – information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual. As discussed below, most of the information stored on the Platform is encrypted and we don’t have the ability to decrypt the information. Accordingly, we can’t access, link, or associate that data to you or any other particular individual. Under many laws this may not be considered Personal Information.

The Services are directed to and provided for our customers in the United States. In addition, this Privacy Policy does not apply to any products, sites, applications or services that display, reference, or link to a different privacy statement.

Given our focus on people and trust, we understand that you care about your own personal privacy interests, and we take that seriously. Our goal is to let you know in a clear and easily accessible way how we collect, use, share, and protect your Personal Information. We’re committed to protecting your privacy and collecting only the minimum amount of information needed to provide our services as described below.

Personal Information We Collect or Receive

We collect, receive or store the following Personal Information:

Name and contact information. Your first and last name, personal email address, postal address, mobile phone number, and other similar contact information.

User Account Information. The user generated account name, password, or other login credentials. The Platform will also log communications with Issuers and Data Recipients so that individuals can keep track of the sources of their content over time as well as the parties they shared content with. This may include the name and email address for a particular Issuer or Data Recipient as well as the date of the communication and type of document sent or received.

Authentication Information Required by Issuers. Responses to identification and verification questions, which are selected and required by Issuers in order for you to gain access to your information. Each Issuer has their own requirements to authenticate requests for access to information. Required information may include:

• Full or partial social security number
• Employee ID number
• Other Government-issued identifier
• Employee email address
• Phone numbers
• Date of Birth
• Dates of Employment

Certree may store the hashes of this information. The Issuer, and not Certree, determines if the responses to the identification and verification questions are accurate.

Support Information. Information you provide when you contact Certree for support, such as the content of your communications with Certree. When you contact us, such as for customer support, phone conversations or chat sessions with our representatives may be monitored and recorded.

Marketing Data. Information such as your preferences for receiving communications about our activities, events, and publications, and details about how you engage with our communications.

Usage, Device, and Network-Related Information. This information, which typically is collected for any website that maintains logs, is automatically collected and includes the following:

• Date and time when the user accessed the Services
• Name of the domain and host from which the user gained access
• Internet address of the site from which the user linked directly to the Site
• Internet protocol (IP) address of the computer the user was using to access the Service
• User’s Internet browser software information
• User’s computer Operating System information
• General location information such as city, state or geographic area

Content Provided by The Issuers. An Issuer may upload information about or relating to an individual. Certree does not access, view, or use this information, other than as directed by the Issuer or the individual. This information is encrypted, and the Issuer’s key or individual’s key is required to decrypt the data. Certree is not able to decrypt the information.

Payment Information. There are no fees for an individual to set up a User Account. In some cases, however, there may be fees associated with downloading or copying certain documents or requesting a new link to a certified digital copy of a document. Please note that we use Stripe to process all online payments. Stripe is a payments platform that many of the largest online merchants use to accept payments in mobile apps and websites. Other than the last four digits of your credit or debit card, Certree does not receive information related to your financial or credit card account used to make purchases on our Site or through our Services. The last four digits are collected so that we can differentiate between different cards. You may review Stripe’s privacy and security policy here Link.

How We Collect Personal Information (Sources)

We collect information, including Personal Information, from two primary sources:

Individuals who create a User Account and use our Services to send, receive, and store digital content. Information collected directly from individuals includes name and contact information; User Account information; authentication information; support information; and marketing data.

Each individual decides what they wish to store in their Certree User Account. In addition to content, an individual may choose to store contact information, authentication information, or payment information in the User’s Account. Certree will not have access to that information.

Issuers who provide information about or relating to an individual. Information collected directly from Issuers includes name and contact information; authentication information; and other information that an individual may wish to store or share such as employment information, income verification, health information, or travel information. Certree will not have access to that information.

We also may collect limited Personal Information such as name and contact information from Data Recipients. In certain circumstances a Data Recipient may directly contact Certree in order to obtain information from an individual. Certree may then run a search to confirm if Certree is able to connect the Data Recipient with the particular individual.

Issuers and Data Recipients may also provide Certree with limited account and authentication information for their authorized employees who have access to the Platform. The terms and conditions for these accounts are covered by contracts in addition to this privacy policy.

Automated Data Collection

We use Twilio SendGrid as our email service provider. Through SendGrid, we may track when an individual receives an email, opens an email, clicks on a link in an email, or takes a similar action.

We use Microsoft Azure applications to help us analyze the use of our Services and diagnose technical issues.

Cookies and Other Tracking Technology

When you visit our Site or use our Services, they may ask your browser to store a small piece of data (text file) called a cookie on your device in order to remember information about you, such as your language preference or login information. These cookies are necessary for the Services to function and are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, registering for a User Account, logging in or filling in forms.

We may also use cookies to count visits and traffic sources so we can measure and improve the performance of our Services. They help us to know which pages are the most and least popular and see how visitors move around the Site. In some cases, when using our Services, you may be directed to other websites for such activities as surveys, to make payments, or to view content hosted on those sites. These websites may use their own cookies. We do not have control over the placement of cookies by other websites you visit, even if you are directed to them from our website.

We do not use third-party tracking cookies for profiling, marketing or advertising purposes.

Web browsers may offer users of our Services the ability to disable receiving certain types of cookies; however, if cookies are disabled, some features or functionality of our Services may not function correctly. To disable cookies through your browser, follow the instructions usually located within the “Help,” “Tools” or “Edit” menus in your browser. Please note that disabling a cookie or category of cookies does not delete the cookie from your browser unless manually completed through your browser function.

How We Use Personal Information

We use Personal Information for the following purposes and as otherwise described in this Privacy Policy or at the time of collection:

Operations and Legitimate Business Uses. We may use Personal Information to deliver products, information, or services, that you may request, including to:

• manage, operate and improve the performance of our Services;
• analyze the effectiveness and reliability of our products and services, modify and improve our products and Services, and develop new products and services;
• establish and maintain your User Account, facilitate your login to the Services, and recognize and remember you when you visit our Services;
• respond to your search requests for Issuers and Data Recipients;
• respond to search requests submitted by Issuers and Data Recipients;
• conduct aggregate analysis and develop business intelligence that enable us to operate, protect, make informed decisions, and report on the performance of our business operations; and
• perform accounting, auditing, and billing activities.

Communicate with you about the Service, including by sending you announcements, updates, security alerts, and support and administrative messages and to respond to your requests, questions and feedback

Perform quality assurance activities that maintain the quality of Services provided to you; provide support and maintenance for the Services.

To manage security risks and prevent malicious activity, including to:

• detect security incidents and protect against malicious, deceptive, or illegal activities;
• debug to identify and repair errors that may impair existing intended functionality;
• verify your identity such as when you create a User Account or access our Services; or
• sending you security codes via email or SMS, and remembering devices from which you have previously logged in.

Research and development. We analyze use of the Services to analyze and improve the Service and to develop new products and services, including by studying user demographics and use of the Service.

Marketing and product-related communications. We may send you email marketing communications about Certree products and services, invite you to participate in surveys, or otherwise communicate with you for marketing purposes, provided that we do so in accordance with applicable law, including any consent requirements. For example, when you submit your contact information to us, we may use the information to contact you about a request from an Issuer or Data Recipient, send you information that you have requested, and include you on our marketing information campaigns. And as explained below, you may opt out of marketing communications at any time.

To comply with law. We may use your Personal Information as we believe necessary or appropriate to comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities. We occasionally receive requests for access to data from law enforcement, and we review each request with the goal of responding with the minimum amount of required information in response to legitimate, legally mandated requests. Because most of the data stored on the Certree Platform is encrypted, in most cases we are unable to provide any information about an individual or an individual’s User Account.

For compliance, fraud prevention, and safety. We may use Personal Information and disclose it to law enforcement, government authorities, and private parties as we believe necessary or appropriate to: protect our, your or others’ rights, privacy, safety or property (including by making and defending legal claims); enforce the terms and conditions that govern the Services; and protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.

How We Share Personal Information

For the most part, we don’t.

Certree does not sell or rent your Personal Information or content in any way – ever.

Certree cannot decrypt or otherwise access the content of your User Account. We built our Platform so that only the individual can access the contents of the individual’s User Account and share the information with Data Recipients. Certree puts the individual in control of their information.

You may share a document or other content with a Data Recipient by granting the party authorization to access and view that document or content. You provide the Data Recipient with access to a document by sending them an email with a link to the specific document. Unless you grant such viewing authorization and direct Certree to disclose a particular document, Certree will not otherwise share any content or documents saved in your User Account.

In order to ensure that your transactions are completed efficiently we may follow up with Data Recipients to confirm receipt of your email and the content you intended to share with the Data Recipient. We may also communicate with Issuers to ensure that you have received the expected content.

We may also share Personal Information with certain of our service providers subject to contract terms that limit their use of Personal Information. We have service providers that provide services on our behalf, such as website hosting, data analysis, marketing service, information technology and related infrastructure, customer service, email delivery, and auditing services. These service providers may need to access Personal Information to perform their services. We authorize such service providers to use or disclose the Personal Information only to perform services on our behalf or comply with legal requirements. We require such service providers to contractually commit to protect the security and confidentiality of Personal Information they process on our behalf.

Your Choices

In this section, we describe the rights and choices available to individuals who visit or use our Services.

Access to Personal Information

If you have registered for a User Account with us, you may review Personal Information in your User Account by logging into the account. This includes your contact information, account information, and the content you’ve saved in your User Account. You control what content, documents, and information are saved in your User Account. Certree cannot access the content saved in your User Account.

Depending on the format of the content in your User Account, you may print and/or download your documents and content. Please note that Certree only certifies the authenticity of digital documents or content accessed directly from the Platform. Documents or other content saved or stored outside the Certree Platform may be modified and accordingly Certree cannot and will not certify the authenticity.

If you have not registered for an account with us, it is unlikely that we will be able to provide you with access to any Personal Information. In limited circumstances, we may be able to confirm that an Issuer has provided data about or related to you to the Certree Platform. That data is encrypted, and we would not be able to provide you, or anyone else, with access to that information.

Deletion of Personal Information

You control what documents, content, and information are saved in your User Account. You may delete an individual document, some or all of the content or your entire User Account at any time. When you delete your User Account, your Personal Information is deleted from our servers. Once your User Account is deleted, we will not be able to restore your account. In some cases, an Issuer may revoke your authorization to access or save information the Issuer provided to you through the Platform. Should that occur, please contact the Issuer directly. Certree has no ability to recover information revoked or deleted by an Issuer.

In some circumstances, limited information from a User Account may be retained for billing purposes or auditing purposes even after a User Account is deleted.

Correction of Inaccurate or Incomplete Personal Information

Certree is unable to process requests or inquiries regarding the accuracy of information, including Personal Information, on a given document. Inquiries must be submitted to the Issuer that furnished the document to the individual through the Platform.

Certree certifies the authenticity of the digital documents and content stored in your User Account. Therefore, you may not upload or modify any content provided by an Issuer. If you recognize any inaccuracies in the documentation uploaded to the Platform by an Issuer, please contact the Issuer directly to update your information. Certree does not have access to the information or documents that Issuers upload to the Service or that you store in your User Account. The Issuer is responsible for responding to any access or other rights requests from individuals related to Personal Information.

Opting Out of Receiving Electronic Communications

If you no longer want to receive marketing-related emails from us, you may opt-out via the unsubscribe link included in such emails. We will try to comply with your request(s) as soon as reasonably practicable. Please note that if you opt-out of receiving marketing-related emails from us, we may still send you other messages in connection with providing our Services

Do Not Track. Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to “Do Not Track” or similar signals. However, Certree does not use cookies or other technologies for interest-based advertising and never sells or shares your Personal Information for advertising or marketing.

Security of Personal Information

At Certree we care about your safety and security. We have an information security program that includes reasonable and appropriate administrative, technical, and physical measures to protect information within our company.

We use encryption technology to help ensure the confidentiality and integrity of information. In addition, we take steps to help ensure that we cannot access Personal Information other than your contact information. For example, we do not store a copy of your encryption key. The encryption key of Issuers who provide data to Certree is also inaccessible to Certree unless the Issuer directs Certree to process data on the Issuer’s behalf. Without the key, we cannot access the content in your User Account even if we want to. Encryption can’t stop every possible threat or attack, but we’ve taken strong measures to protect your security and privacy.

In some cases, we use a one-way hash instead of or in addition to encryption. This is the case when contact information or unique identifiers are used to match information with an individual who has a User Account. Because it’s a one-way hash, Certree cannot see the actual information (for example, the last four digits of your social security number).

All data maintained on the Certree Platform is stored on Microsoft Azure’s commercial cloud. This includes the use of Microsoft’s backup and disaster recovery solutions.

We’re in this Together-Please Be Responsible

When you sign up for a User Account you are required to create a strong password. You are responsible for maintaining the confidentiality of your User Account and password and for restricting access to your computer or device. It is a best practice not to reuse passwords on different sites. After you are logged in you may change your password at any time.

In addition, Certree provides you with the option to use two-factor authentication with the Services. We encourage you to enable and consistently use two-factor authentication for your User Account, particularly if you choose to store sensitive information. You should always exit from your User Account at the end of each session. Be extra cautious when using a computer that others may have access to.

Always be on the lookout for Phishing. Phishing occurs when a fraudster sends an email message or text appearing to be from a legitimate entity. The email is designed to trick users into providing personal information like credit card information, Social Security numbers, and login credentials.

If you receive a suspicious email, phone call, or text message from someone claiming to be Certree, please report the incident to abuse@certree.com. And remember:

• do not enter personal information in a suspicious website. Instead, contact us.
• do not click on any of the links in a suspicious email. Instead, forward it to us.

If you have reason to believe that your interaction with us is no longer secure, please immediately notify us.

We retain your Personal Information as long as we are providing the Services to you. Even after we stop providing Services directly or indirectly to you, and even if you close your account or complete a transaction, we may keep limited Personal Information in order to comply with our legal and regulatory obligations. We may also keep it to assist with our fraud monitoring, detection and prevention activities. We also keep Personal Information to comply with our tax, accounting, and financial reporting obligations. In all cases where we keep data, we do so in accordance with any limitation periods and records retention obligations that are imposed by applicable law.

International Data Transfers

We are headquartered in the United States and have service providers in other countries, and your Personal Information may be transferred to the United States or other locations outside of your state, province, or country where privacy laws may not be as protective as those in your state, province, or country. As of the effective date of this Privacy Policy, all Personal Information is stored on servers located in the United States.

Children

Our Services are not directed to, and we do not knowingly collect Personal Information from, anyone under the age of 13. If a parent or guardian becomes aware that his or her child has provided us with information without their consent, he or she should contact us. We will delete such information from our files as soon as reasonably practicable. We encourage parents with concerns to contact us.

Other Sites and Services

Certree does not restrict with whom you may share information. Once you share a document or other content with a Data Recipient, Certree cannot restrict how that entity uses your information.

Individuals may create a User Account directly through this Site. In some cases, an Issuer or Data Recipient may direct an individual to create a User Account. This Privacy Policy does not address the data collection or data processing practices of any other entity, including entities who contract with Certree to provide the Services on their behalf. Issuers and Data Recipients that use our Platform have their own policies regarding the collection, use, and disclosure of Personal Information. Certree is not responsible for our customers’ handling of such information. To learn about how a particular company handles Personal Information, we encourage you to read the company’s privacy statement or contact the company directly.

The Services may contain links to other websites, mobile applications, and other online services operated by third parties. These links are not an endorsement of, or representation that we are affiliated with, any third party. In addition, our content may be included on web pages or in mobile applications or online services that are not associated with us. We do not control third party websites, mobile applications or online services, and we are not responsible for their actions. Other websites, mobile applications and services follow different rules regarding the collection, use and sharing of your personal information. We encourage you to read the privacy policies of the other websites, mobile applications and online services you use.

Changes to This Privacy Policy

Efforts to bring new services, applications, and features may make it necessary to amend our Privacy Policy. If we make material changes to this Privacy Policy, we will notify you by updating the date of this Privacy Policy and posting it on the Service. We may, and if required by law will, also provide notification of changes in another way that we believe is reasonably likely to reach you, such as via e-mail (if you have a User Account and we have your contact information) or another manner through the Service.

Any modifications to this Privacy Policy will be effective upon our posting the new terms and/or upon implementation of the new changes on the Service (or as otherwise indicated at the time of posting). In all cases, your continued use of the Service after the posting of any modified Privacy Policy indicates your acceptance of the terms of the modified Privacy Policy.

Questions? Please Contact Us.

If you have any questions regarding our Privacy Policy or our privacy practices, we will do our best to answer them. We are committed to resolve complaints about your privacy and our collection or use of your Personal Information. Here’s how to contact us:

Email:
privacy@certree.com

If you’d like to send us physical mail, please send to:

Information for California Residents

This statement describes our business practices, both online and offline, regarding the collection, use, disclosure, and sale of Personal Information, and of the rights of consumers regarding their own Personal Information as required by the California Consumer Privacy Act of 2018, Civil Code sections 1798.100 et seq. and implementing regulations.

Certree does not sell Personal Information.

Your CCPA Rights and Choices

As a California consumer and subject to certain limitations under the CCPA, you have choices regarding our use and disclosure of your Personal Information. Because we encrypt Personal Information and do not retain the encryption keys, we are unable to decrypt the data. We do this to help ensure the privacy and security of your Personal Information. Accordingly, our obligations and ability to respond to requests pursuant to CCPA may be limited. Please read our full Privacy Policy for more information.

Exercising the right to know: You may request the following information about the Personal Information we have collected about you:

• the categories and specific pieces of Personal Information we have collected about you;
• the categories of sources from which we collected the Personal Information;
• the business or commercial purpose for which we collected the Personal Information;
• the categories of third parties with whom we shared the Personal Information; and
• the categories of Personal Information about you that we disclosed for a business purpose, and the categories of third parties to whom we disclosed that information for a business purpose.

Exercising the right to delete: You may request that we delete the Personal Information we have collected from you, subject to certain limitations under applicable law.

Non-discrimination: The CCPA provides that you may not be discriminated against for exercising these rights.

To submit a request to exercise any of the rights described above, please contact us. at CaliforniaPrivacy@certree.com

Last Updated and Effective Jan 18, 2023