Privacy Policy

Last updated: June 2025

1. Introduction

Yes-Cert (“we”, “our”, or “us”) is committed to protecting the personal data of our customers, their employees, and all users of the Yes-Cert platform. This Privacy Policy explains what data we collect, how we use it, and your rights under applicable data protection laws — including the EU General Data Protection Regulation (GDPR) and Thailand’s Personal Data Protection Act (PDPA).

2. Data We Collect

We collect the following categories of personal data:

  • Account information — name, email address, and hashed password when you register or are added by an administrator.
  • Organisation data — company name, billing address, and plan information.
  • Learning activity — course progress, quiz attempts, completion status, and certificates earned.
  • Usage data — browser type, device, IP address, and pages visited, collected automatically via server logs.
  • Payment data — billing records and Stripe transaction references. We do not store raw card numbers; payments are processed by Stripe.

3. How We Use Your Data

We use personal data to:

  • Provide and operate the Yes-Cert platform and its features.
  • Send account-related emails such as welcome messages, password resets, and certificate notifications.
  • Process subscription payments and manage billing.
  • Improve platform performance, reliability, and user experience.
  • Comply with legal obligations under GDPR, PDPA, and other applicable laws.

We do not sell your personal data to third parties, and we do not use it for advertising purposes.

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area, we rely on the following legal bases:

  • Contract — processing necessary to deliver the service you or your organisation subscribed to.
  • Legitimate interests — security, fraud prevention, and platform improvement.
  • Legal obligation — where we are required to retain data by law.
  • Consent — where you have explicitly opted in (e.g., marketing communications).

5. Legal Basis for Processing (PDPA — Thailand)

For users in Thailand, we collect and use personal data under the lawful bases provided in the PDPA, including contractual necessity, legitimate interests, and legal obligation. You have the right to withdraw consent at any time where consent is the basis of processing, without affecting the lawfulness of processing carried out before withdrawal.

6. Data Sharing

We share data only with trusted sub-processors required to operate our service:

  • Neon — database hosting (PostgreSQL).
  • Vercel — application hosting and edge infrastructure.
  • Stripe — payment processing.
  • Cloudflare R2 — file and asset storage.

All sub-processors are contractually bound to handle data securely and in accordance with applicable law.

7. Data Retention

We retain personal data for as long as your organisation’s account is active or as needed to provide services. Upon account termination, data is deleted or anonymised within 90 days unless we are required to retain it longer by law (e.g., financial records for tax purposes).

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — request deletion of your data (“right to be forgotten”).
  • Restriction — ask us to limit processing of your data in certain circumstances.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests.

To exercise any of these rights, contact us at the address below. We will respond within 30 days.

9. Cookies

Yes-Cert uses a single session cookie to keep you logged in. We do not use third-party tracking cookies or advertising cookies. The session cookie is essential for the platform to function and cannot be disabled while using the service.

10. Security

We protect your data using industry-standard measures including encrypted connections (TLS), bcrypt-hashed passwords, HMAC-signed session tokens, and access controls that limit data access to authorised personnel only.

11. International Transfers

Our infrastructure is hosted primarily in the United States and European Union. Where data is transferred outside your country, we ensure appropriate safeguards are in place — such as Standard Contractual Clauses (SCCs) for transfers from the EEA, and equivalent mechanisms for transfers from Thailand.

12. Children’s Privacy

Yes-Cert is designed for workplace training and is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children.

13. Changes to This Policy

We may update this policy from time to time. When we do, we will revise the “Last updated” date at the top of this page. For significant changes, we will notify organisation administrators by email.

14. Contact Us

If you have questions about this policy or wish to exercise your data rights, please contact us and we will respond within 30 days.

← Back to Pricing