P
ProofIn

Privacy Policy

Last updated: April 16, 2026

ProofIn ("we", "our", or "us") operates the certificate verification platform at proofin.app. This Privacy Policy explains what information we collect, how we use it, and your rights regarding that information.

1. Information We Collect

Account and Organization Data

When you register as an organization owner or staff member, we collect your name, email address, password (stored as a secure hash — never in plain text), organization name and slug, and an optional profile avatar URL.

Certificate and Participant Data

When you issue certificates, we store the data you provide — participant names, email addresses, and any identifiers (such as student IDs) you choose to include. Each certificate receives a unique cryptographic hash for verification purposes.

Participant Verification Data

Participants who claim certificates verify their identity via one-time passwords (OTPs) sent to their email. We store only the HMAC-derived token and its expiry — the OTP value itself is never stored and is discarded after use.

Billing Data

Payments are processed by third-party gateways (Stripe for USD; Xendit for IDR). We do not store full card numbers or bank details. We retain only the customer and subscription IDs returned by those services to manage your subscription.

Usage and Log Data

We record an audit log of significant administrative actions (certificate issuance, member changes, etc.) scoped to your organization. We also collect standard server logs (IP address, request path, timestamp) for security and debugging.

2. How We Use Your Information

  • To provide and operate the ProofIn platform
  • To send OTP verification emails to participants
  • To process subscription payments and send billing receipts
  • To send transactional emails (email verification, staff invitations, payment failure alerts)
  • To maintain audit logs for your organization's compliance needs
  • To investigate abuse, enforce our Terms of Service, and maintain security
  • To improve the platform based on aggregate, anonymized usage patterns

3. Information Sharing

We do not sell your data. We share personal information only with the following service providers, and only to the extent necessary:

  • Resend — transactional email delivery (OTPs, invitations, receipts)
  • Stripe — payment processing for USD subscriptions
  • Xendit — payment processing for IDR subscriptions
  • PostgreSQL cloud hosting provider — secure database storage

We may also disclose information if required by law, court order, or to protect the rights and safety of ProofIn and its users.

4. Data Retention

We retain your account data for as long as your account is active. If you delete your account, your personal data will be deleted or anonymized within 30 days, except where retention is required by law or for billing dispute resolution (up to 7 years for financial records).

Audit log retention depends on your plan: 30 days on Starter, 1 year on Pro, unlimited on Enterprise.

5. Your Rights

Depending on your location, you may have the right to access, correct, delete, or export your personal data, and to object to or restrict certain processing. To exercise any of these rights, email hello@proofin.app. We will respond within 30 days.

6. Cookies

ProofIn uses a single HttpOnly session cookie (proofin:api.session_token) to authenticate your admin session. We do not use advertising cookies or third-party tracking scripts. The participant-facing app uses no cookies.

7. Security

We use industry-standard practices: HTTPS for all connections, bcrypt for password hashing, HMAC for OTP generation, and SHA-256 hashes for certificate verification. No security measure is perfect; in the event of a breach we will notify affected users within 72 hours as required by applicable law.

8. Children

ProofIn is not directed at children under 13. We do not knowingly collect personal data from children. Contact us if you believe a child has submitted data and we will delete it promptly.

9. Changes to This Policy

We may update this policy from time to time. Material changes will be announced via email to account owners at least 14 days before taking effect. Continued use of ProofIn after changes take effect constitutes acceptance of the revised policy.

10. Contact

Questions about this Privacy Policy? Email hello@proofin.app.