Privacy Policy

ManageCert is a domain hygiene monitoring service. We collect the minimum data needed to run the Service and send you alerts. We don't sell your data, run third-party advertising, or share data with anyone except the processors listed below.

• Account info: your email address (for sign-in via magic link). You can optionally provide your name in your profile.
• Monitored domains:the hostnames you add to your account, the results of our daily checks against them (TLS, WHOIS, DNS snapshots), and the history of alerts we've sent you for them.
• Alert preferences:which channels (email, Slack, Discord, custom webhook) you've enabled and any webhook URLs you've provided.
• Billing info: handled by Stripe. We store only your Stripe customer ID, subscription ID, tier, status, and renewal date. We never see or store your card details — those live with Stripe.
• Public checker queries: when anyone (signed in or not) uses /check, we store the hostname queried and the result, indefinitely, so we can serve the cached result page and have it indexable by search engines.
• Technical data: your IP address for rate limiting (stored briefly in Upstash for sliding-window counts), and standard request logs at our hosting provider (Vercel).

• To run the daily checks against your monitored domains.
• To send you alerts when something needs your attention.
• To process your subscription via Stripe.
• To rate-limit and CAPTCHA-gate the free /check endpoint against abuse.
• To respond to your support requests.
• To improve the Service.

We use the following third-party processors. Each handles a narrow slice of data on our behalf:

• Supabase — database + authentication (your account, domains, alert prefs, snapshots).
• Stripe — billing + payment method handling.
• Resend — outbound email delivery (alerts, magic links).
• Cloudflare Turnstile — anti-bot CAPTCHA on /check.
• Upstash — Redis store for rate-limit counters (IP addresses, short retention).
• Anthropic — generates plain-English explanations for alert messages. We send only a fingerprint of the alert class (alert type, severity, threshold, issuer/registrar string) — never your hostname, your email, or any per-customer data.
• Vercel — hosting and request logs.
• Public RDAP endpoints — when we look up WHOIS data for your monitored domains, we query the public RDAP registry for each TLD. These queries include the hostname being looked up.

We do not sell your data. We do not share it with advertisers.

We set strictly-necessary cookies for sign-in sessions (via Supabase Auth) and for Cloudflare Turnstile verification on /check. We do not use analytics cookies, tracking pixels, or advertising cookies.

• Account, domain, snapshot, and alert history: kept for the lifetime of your account.
• On account deletion: everything in our database is hard-deleted via cascade. Stripe customer records may be retained by Stripe per their retention rules and applicable tax/accounting law.
• Free /check results: retained indefinitely so we can serve cached and indexable result pages.
• Server-side request logs at Vercel: retained for ~30 days per Vercel's standard retention.

You can:

• Export your data as JSON anytime from Account settings.
• Delete your account anytime from Account settings (cascades through our database).
• Update your alert preferences and webhook URLs from Settings.
• Contact us at jr@managecert.com for any other privacy request.

We use HTTPS everywhere, store secrets only on servers (never in client code), enforce row-level security in our database so users can only see their own data, and require strong authentication on all internal accounts. No system is perfectly secure; if you discover a security issue, please email jr@managecert.com.

The Service is not directed at children under 13 and we do not knowingly collect data from them. If we learn we have collected data from a child under 13, we will delete it.

ManageCert is operated from the United States. By using the Service from outside the US, you consent to your data being processed in the US and any other regions where our processors operate.

We may update this Privacy Policy occasionally. Material changes will be announced via email and reflected by an updated “Last updated” date at the top.

Privacy questions or requests: jr@managecert.com.