Privacy Policy
Effective date: April 29, 2026
This Privacy Policy explains how Strata ("we", "us", "our") collects, uses, and protects your information when you use our platform ("Service"). We are committed to protecting your privacy and handling your data responsibly.
1. Information We Collect
| Category | Data collected | Purpose |
|---|---|---|
| Account information | Name, email address, organization name, hashed password | Account creation, authentication, communication |
| Billing information | Processed by Stripe; we store a Stripe customer ID but never store credit card numbers | Subscription billing and invoicing |
| Content you create | Certificate templates, events, submissions, checklists, schedules, CE activities, uploaded files | Providing the Service |
| Usage data | Number of certificates issued (reported to Stripe for metered billing) | Metered billing |
| Session data | Session cookies (authentication only; no tracking cookies) | Keeping you logged in |
| Audit logs | Actions performed in the platform (who did what, when) | Security, compliance, and troubleshooting |
2. How We Use Your Information
We use your information to:
- Provide, maintain, and improve the Service.
- Process payments and manage your subscription.
- Send transactional emails (welcome emails, certificate delivery, password resets).
- Respond to support requests.
- Detect and prevent fraud or abuse.
We do not use your data for advertising, sell your data to third parties, or use third-party analytics or tracking tools.
3. Third-Party Services
We use the following third-party services to operate the platform:
- Stripe — payment processing. Stripe's privacy policy: stripe.com/privacy
- Resend — transactional email delivery. Resend's privacy policy: resend.com/legal/privacy-policy
- Amazon Web Services (AWS) — cloud hosting and file storage. AWS's privacy policy: aws.amazon.com/privacy
- Render — application hosting. Render's privacy policy: render.com/privacy
4. Data Security
We take reasonable measures to protect your data, including:
- Encryption in transit (HTTPS/TLS for all connections).
- Passwords are hashed using industry-standard algorithms and are never stored in plaintext.
- Secure, HTTP-only session cookies.
- Role-based access controls and row-level security in the database.
- Audit logging of administrative actions.
5. Data Retention
- Active accounts: Your data is retained for the duration of your subscription.
- Deleted records: Soft-deleted records are retained for 90 days before permanent deletion.
- After cancellation: Your data is retained for 90 days to allow for export or reactivation, after which it is permanently deleted.
- Audit logs: Retained for 1 year for security and compliance purposes.
6. Your Rights
You have the right to:
- Access your data — available through the Service's interface and export features.
- Correct inaccurate data — editable through your account settings.
- Delete your data — cancel your subscription and request deletion by contacting us.
- Export your data — contact us to request a data export.
7. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 16, we will delete it promptly.
8. International Data Transfers
The Service is hosted in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. By using the Service, you consent to this transfer.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service. The "Effective date" at the top of this page indicates when the policy was last updated.
10. Contact
If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at [email protected].