Skip to main content

Welcome to RecertHero!

Submit bugs, feature requests, and feedback

Legal

Privacy Policy

Effective May 25, 2026 · Last updated May 26, 2026

Riflebird Technologies LLC, doing business as RecertHero (“RecertHero,” “we,” “us,” or “our”) values your privacy. This Privacy Policy explains how we collect, use, share, and protect personal information when you use the RecertHero website at www.recerthero.comand related services (the “Service”), and the choices and rights you have. It applies to personal information we process as a controller. By using the Service you acknowledge this Policy; please also read our Terms of Use.

01Introduction

RecertHero is an independent aggregator and tracking tool for IT continuing-education opportunities. We are a Virginia limited liability company, and our principal contact for privacy questions is:

Riflebird Technologies LLC d/b/a RecertHero
c/o Virginia Registered Agent Services LLC
8401 Mayland Dr, Ste V
Richmond, Virginia 23294
United States
hello@recerthero.com

For the purposes of EU and UK data-protection law, RecertHero is the controller of personal information collected through the Service.

02Information we collect

Information you provide directly

  • Account information: email address, password (stored as a salted hash by our auth provider), and an optional display name, time zone, and the year you started in IT.
  • Authentication identifiers: if you sign in with Google or GitHub, the OAuth identifier returned by that provider and any profile data we explicitly request (typically email and name only).
  • Subscription and billing information: a Stripe customer identifier we receive after you start a paid subscription. We do not collect or store credit-card numbers ourselves; payment details are entered directly with Stripe, Inc., which acts as an independent processor under its own terms.
  • Service data: the certifications you indicate you hold and their renewal-cycle dates, the opportunities you save or mark complete, activity-log entries you create (including any notes or proof URLs you attach), folders you create, notification preferences you set.
  • Suggestions:when you use the “Suggest an opportunity” feature, the URL you submit, any description override you provide, and a Cloudflare Turnstile token used for anti-abuse.
  • Support correspondence: if you email us, the contents of your message and any attachments, and any contact details you choose to share.

Information collected automatically

  • Server logs: when you visit the Service we receive standard request data including IP address, user agent, referrer URL, request path, response status, and timing. We use this for debugging, security monitoring, and abuse detection (e.g., rate-limit enforcement). IP addresses associated with requests are retained in logs for up to seven (7) days through our hosting provider, then discarded.
  • Suggestion submitter IP: for spam and abuse prevention on the public Suggest form, we record the submitter IP alongside the suggested URL.
  • Product analytics: if you accept the consent banner on first visit, we use PostHog to record page views and interactions (e.g., button clicks, signup, checkout start). To avoid setting cookies we use memory-only persistence: anonymous identifiers live for the duration of a browser tab session and are not stored on your device. If you decline, PostHog is not initialized in your browser. See Section 8.
  • Traffic and performance metrics: we use Vercel Web Analytics and Speed Insights to measure traffic, route performance, and Web Vitals. Both are cookieless.
  • Error reports: if the Service throws an error we capture a stack trace plus contextual information (URL, user ID where available) using Sentry. Personal information is scrubbed where reasonably possible.

Information from third parties

  • Stripe sends us subscription-state events via webhook (e.g., subscription created, payment succeeded, payment failed) so we can grant or revoke Pro access. We receive a customer identifier and metadata about the subscription; we do not receive card data.
  • OAuth providers (Google, GitHub) send us the information you authorize during the sign-in flow.

03How we use information

We use the information described above to:

  • provide and operate the Service — render pages, sign you in, save your selections, compute credit progress and recommendations;
  • process payments and manage your subscription (via Stripe);
  • send transactional emails about your account (sign-in confirmations, password resets, billing receipts, trial-ending notices, account changes);
  • send optional product emails — weekly digests, session reminders, renewal warnings, pace alerts, saved-search matches, product updates — only if you opt in; one-click unsubscribe in every email;
  • improve the Service — analyze aggregate behavior, debug errors, measure performance, classify newly-indexed opportunities against certifications;
  • prevent abuse — enforce rate limits, validate captcha tokens, investigate fraud, ban accounts that violate the Terms;
  • comply with legal obligations and respond to lawful requests; and
  • enforce our agreements and protect our and others’ rights, property, or safety.

We do not sell your personal information. We do not share it with third parties for cross-context behavioral advertising. We do not use automated decision-making with legal or similarly significant effects on you.

We do use a third-party AI service (Anthropic / Claude) to classify newly-indexed opportunities against certifications. That processing is on opportunity metadata (URL, title, description, provider) — not on your personal information. Anthropic does not train on data submitted to its API.

If you are in the European Economic Area, United Kingdom, or Switzerland, the GDPR / UK GDPR requires us to identify a legal basis for each processing activity. We rely on:

  • Contract (Art. 6(1)(b)) — to provide the Service you have signed up for, including account creation, authentication, saving content, processing payments, and sending transactional emails.
  • Consent (Art. 6(1)(a)) — for optional product emails (digests, reminders, product updates) and for any processing that requires consent under applicable law. You may withdraw consent at any time from your account settings or by contacting us; withdrawal does not affect processing already carried out.
  • Legitimate interests (Art. 6(1)(f)) — for security and abuse prevention, server logs, aggregate analytics and Service improvement, classification of newly-indexed opportunities, and to respond to your support inquiries. We have balanced these interests against your rights and freedoms; you may object at any time as described in Section 11.
  • Legal obligation (Art. 6(1)(c)) — where we must process information to comply with law, e.g., tax records or responding to lawful requests.

We do not process special categories of personal data (Art. 9 GDPR).

05How we share information

We share personal information only as described below. We never sell it.

  • Service providers (subprocessors). We share information with vendors who help us operate the Service — hosting, database, authentication, payments, transactional email, error logging, product analytics. These providers act on our behalf, are bound by written contracts requiring confidentiality and appropriate security, and may use the information only for the purposes we instruct. See the list in Section 6.
  • Legal compliance and safety. We may disclose information when we believe in good faith that disclosure is necessary to comply with applicable law or a lawful request, to enforce our Terms, to detect or prevent fraud or abuse, or to protect the rights, property, or safety of RecertHero, our users, or others.
  • Business transfers. If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal information may be transferred as part of that transaction. We will notify you (e.g., by email and a notice on the Service) and any successor will be subject to a privacy policy no less protective of your information than this one, except where you consent otherwise.
  • With your direction. If you choose to share information through public features of the Service (e.g., a URL you publicly submit through Suggest), that information may be visible to others.

06Subprocessors

Our current subprocessors and the categories of personal information each receives:

  • Supabase, Inc. (U.S.) — authentication and database hosting. Receives all account and Service data.
  • Vercel, Inc. (U.S.) — application hosting, Web Analytics, Speed Insights. Receives request metadata (server logs) and cookieless usage metrics.
  • Stripe, Inc. (U.S.) — payment processing. Receives the card data you enter at checkout, your email, and subscription metadata.
  • Resend, Inc. (U.S.) — transactional and opt-in product email delivery. Receives recipient email addresses and message content.
  • PostHog, Inc. (U.S.) — product analytics. Receives cookieless interaction events and, for signed-in users, your account identifier (so we can attribute funnel events).
  • Functional Software, Inc. (Sentry) (U.S.) — error monitoring. Receives stack traces and contextual metadata when errors occur.
  • Cloudflare, Inc. (U.S.) — Turnstile captcha on the Suggest form. Receives a Turnstile token and the submitter IP for bot detection.
  • Anthropic, PBC (U.S.) — AI classification of newly-indexed opportunities. Receives opportunity metadata (URL, title, description, provider name) — not your personal information.

We may add or change subprocessors as the Service evolves. We will update this list to reflect material changes; for material changes that affect your rights, we will provide notice as described in Section 19.

07International data transfers

RecertHero and most of our subprocessors are located in the United States. If you are in the European Economic Area, United Kingdom, or another jurisdiction with cross-border transfer restrictions, your personal information will be transferred to and processed in the United States and other countries that may not provide the same level of data protection as your home jurisdiction.

Where required by law, transfers from the EEA, UK, or Switzerland to the United States or other third countries are carried out on the basis of:

  • the European Commission’s Standard Contractual Clauses(SCCs, 2021/914, as updated) or the UK’s International Data Transfer Addendum (IDTA) to the SCCs, executed with the relevant subprocessor; and/or
  • the EU-U.S. Data Privacy Framework (and UK/Swiss extensions) where the recipient is certified, in which case the transfer relies on that certification.

You may request a copy of the safeguards in place for a specific transfer by contacting us at hello@recerthero.com.

08Cookies and tracking

Strictly-necessary cookies

We set only the cookies and similar technologies that are strictly necessary to operate the Service:

  • a sign-in session cookie set by Supabase Auth so you stay signed in across pages;
  • a temporary checkout-session cookie set by Stripe during the payment flow.

Both expire when you sign out or finish checkout. We do not use cookies for advertising or cross-site tracking. Cloudflare Turnstile uses short-lived technical state on the Suggest form only to verify the captcha; it is not used for tracking.

Consent banner for behavioural analytics

We display a small consent banner on your first visit so you can choose whether we capture cookieless behavioural analytics through PostHog (autocapture of page views, button clicks, and form submits, plus a session identifier kept in memory only and never written to your device). If you Accept, PostHog initializes and we collect those events for the duration of each tab session. If you Decline, PostHog is not initialized in your browser and no behavioural events are captured. You can change your choice at any time by clearing the rh-analytics-consent key in your browser’s site-data settings.

Legitimate-interest telemetry

The following cookieless, server-side telemetry runs regardless of the consent choice above, under our legitimate interest in keeping the Service available and debuggable:

  • Vercel Web Analytics and Vercel Speed Insights — aggregate traffic counts and Web Vitals, cookieless and not joined to your account;
  • Sentry — error stack traces and minimal context when the application throws an exception, sets no cookies and personal information is scrubbed where reasonably possible.

If you would prefer to opt out of these as well, email us at hello@recerthero.com and we will exclude your account from analytics dashboards on request.

09Data retention

We retain personal information only for as long as we have a legitimate basis to do so:

  • Account data — for as long as your account is active. When you delete your account from settings, your profile, certifications, saves, folders, and activity log are deleted from our active database immediately. Encrypted database backups may retain a copy for up to thirty (30) days after deletion, after which they are purged on rotation.
  • Subscription records — Stripe customer and subscription metadata is retained for as long as needed for billing, tax, and audit purposes (typically up to seven (7) years to satisfy U.S. tax record-keeping requirements), even after account deletion.
  • Server and security logs — up to seven (7) days for general request logs; longer retention only where needed to investigate a specific security incident.
  • Audit log of administrative actions — kept for the lifetime of the platform for accountability and compliance.
  • Suggestion submitter IPs — up to ninety (90) days for spam-trail and abuse investigation; removed sooner where possible.
  • Email content — Resend keeps delivery metadata under its own retention policy; transactional message contents are not retained by us beyond what is necessary to send them.
  • Suggestions that we publish— retained indefinitely as part of the Service’s public index, subject to your right to request removal.

We may retain information longer where required by law, to resolve disputes, enforce our Terms, or pursue our legitimate interests.

10Security

We use technical and organizational measures designed to protect personal information against unauthorized access, alteration, disclosure, or destruction:

  • encryption in transit (TLS) for all traffic to and from the Service;
  • encryption at rest for our database and backups, provided by our hosting and database vendors;
  • passwords stored as salted hashes by our auth provider;
  • principle-of-least-privilege access controls and audit logging for administrative actions;
  • regular dependency updates and automated vulnerability scanning;
  • captcha and rate-limit defenses on public submission and authentication endpoints; and
  • incident-response procedures for handling and notifying affected users in the event of a breach.

No system is perfectly secure. If you believe your account has been compromised, contact us immediately at hello@recerthero.com.

11Your rights

Depending on where you live, you may have one or more of the following rights with respect to your personal information:

  • Access / know. Confirm whether we process information about you and obtain a copy.
  • Correction / rectification. Correct inaccurate or incomplete information.
  • Deletion / erasure. Have information about you deleted, subject to exceptions for records we must keep by law.
  • Portability. Receive a copy in a structured, commonly used, machine-readable format and (where technically feasible) transmit it to another controller.
  • Restriction. Ask us to limit processing in certain circumstances.
  • Objection. Object to processing based on legitimate interests or for direct marketing.
  • Withdraw consent. Withdraw any consent you have given, without affecting processing already carried out.
  • Opt out of sale, sharing, and targeted advertising. We do not sell or share personal information for these purposes; see Section 18.
  • Limit use of sensitive personal information. We do not use sensitive personal information except as needed to provide the Service.
  • Non-discrimination. We will not deny service, charge different prices, or provide a different level of service because you exercised a privacy right.

How to exercise your rights

Most rights can be exercised directly from your account:

  • Access and portability:we provide an “Export everything (JSON)” option under Settings › Data & export (some export formats are being rolled out; until they are fully launched, email us and we will fulfill manually).
  • Correction: update your profile under Settings › Profile.
  • Deletion: delete your account under Settings › Delete account. This permanently removes your profile, saves, folders, activity log, and ledger entries from our active database.
  • Notification preferences: manage all opt-in emails under Settings › Notifications; each email also has a one-click unsubscribe.
  • Anything else (objection, restriction, withdrawing consent, complaints): email us at hello@recerthero.com with the subject “Privacy Request.”

We will verify your request using your account credentials or, if you do not have an account, by asking you to confirm details we already hold about you. We aim to respond within thirty (30) days; some jurisdictions may extend this period (e.g., CCPA allows 45 days with an additional 45-day extension on notice).

You may use an authorized agent to submit a request on your behalf; we may require written authorization and verification of identity. If we deny your request you may appeal by replying to our response with the subject “Privacy Appeal.”

12California disclosures (CCPA/CPRA)

This section provides additional disclosures required by the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, “CCPA”).

Categories of personal information collected

In the past 12 months we have collected, for the purposes described in Section 3:

  • Identifiers (Cal. Civ. Code § 1798.140(v)(1)(A)) — email address, account identifier, IP address, Stripe customer identifier, OAuth identifier.
  • Customer records (§ 1798.140(v)(1)(B)) — display name, time zone, year started in IT, certifications held, opportunities saved, activity-log entries, billing identifier.
  • Commercial information (§ 1798.140(v)(1)(F)) — subscription history, billing history.
  • Internet or network activity (§ 1798.140(v)(1)(G)) — request logs, page views and interactions captured cookielessly by our analytics.
  • Inferences (§ 1798.140(v)(1)(K)) — credit progress and pace estimates derived from your activity log.

We do notcollect categories listed in § 1798.140(v)(1)(C) (legally protected characteristics), (D) (commercial transaction-history beyond our own billing), (E) (biometric information), (H) (geolocation beyond IP), (I) (audio/visual/thermal), (J) (professional or employment, beyond what you choose to provide), or (L) (education). We do not collect “sensitive personal information” (§ 1798.140(ae)) other than your account credentials, which we use solely to authenticate you.

Sources, purposes, and recipients

Sources from which we collect each category are described in Section 2; business purposes for collection are described in Section 3; categories of recipients with whom we share each category are described in Sections 5 and 6.

Retention

Retention periods for each category are described in Section 9.

Your CCPA rights

California residents have the rights described in Section 11, including the right to know, the right to delete, the right to correct, the right to portability, the right to opt out of sale and sharing for cross-context behavioral advertising (we do not sell or share), the right to limit use of sensitive personal information, and the right to non-discrimination. See Section 18 for our position on sale and sharing.

Shine the Light

California Civil Code § 1798.83 permits California residents to request information about a business’s disclosure of personal information to third parties for those third parties’ direct-marketing purposes. We do not disclose personal information to third parties for their direct-marketing purposes.

13Virginia disclosures (VCDPA)

The Virginia Consumer Data Protection Act gives Virginia residents the rights described in Section 11 (access, correction, deletion, portability, and the right to opt out of sale, of targeted advertising, and of certain profiling). We do not engage in sale or targeted advertising; we do not engage in profiling that produces legal or similarly significant effects.

If we deny your VCDPA request you may appeal by replying with the subject “Privacy Appeal.” If we deny your appeal you may contact the Virginia Attorney General at www.oag.state.va.us.

14Other U.S. states with comprehensive privacy laws

If you are a resident of a U.S. state with a comprehensive privacy law (including, as of the date of this Policy, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, Delaware, New Hampshire, New Jersey, Minnesota, Maryland, Nebraska, Kentucky, and others enacted from time to time), the rights described in Section 11apply to you to the extent granted by your state’s law. To exercise these rights, follow the instructions in Section 11 — we will route your request to the applicable framework.

If your state law provides an appeal process and we deny a request, we will explain how to appeal in our response.

15EU and UK disclosures

If you are in the European Economic Area, United Kingdom, or Switzerland, you have the rights described in Section 11 under the EU General Data Protection Regulation (Regulation (EU) 2016/679), the UK GDPR (as it forms part of UK law), and the Swiss Federal Act on Data Protection.

Our legal bases for each processing activity are explained in Section 4. Our international transfer safeguards are explained in Section 7.

You have the right to lodge a complaint with a supervisory authority — for example, your national or regional data protection authority in the EEA, the UK Information Commissioner’s Office (ico.org.uk), or the Swiss Federal Data Protection and Information Commissioner. We would, of course, prefer the opportunity to address your concern first — please contact us at hello@recerthero.com.

16Children’s privacy

The Service is intended for adults aged 18 or older. It is not directed to children, and we do not knowingly collect personal information from anyone under 18. If we learn we have collected information from a child under 18, we will delete it as soon as practicable. If you believe a child has provided us information, please email hello@recerthero.com.

17Do Not Track and Global Privacy Control

Some browsers send a “Do Not Track” (DNT) signal or an equivalent Global Privacy Control (GPC) signal. We do not sell or share personal information for cross-context behavioral advertising, so there is no opt-out for GPC to trigger. For users in jurisdictions where GPC is recognized as a valid opt-out signal (e.g., California), we will honor it as an opt-out of sale and sharing should we ever begin either activity.

18We do not sell or share personal information

RecertHero does not sell personal information and does not share personal information for cross-context behavioral advertising as those terms are defined under the CCPA or comparable laws. Because we do not engage in these activities, we do not display a “Do Not Sell or Share My Personal Information” link. If this changes, we will update this Policy and offer the required opt-out mechanism before any sale or sharing occurs.

19Changes to this Policy

We may update this Privacy Policy from time to time. If we make a material change, we will update the “Last updated” date at the top of this page and, for changes that affect your rights or our handling of your information in a material way, notify you by email to the address on your account at least thirty (30) days before the change takes effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.

20Contact

For any question, request, or complaint about this Privacy Policy or our handling of your personal information, please contact us at:

Riflebird Technologies LLC d/b/a RecertHero
c/o Virginia Registered Agent Services LLC
8401 Mayland Dr, Ste V
Richmond, Virginia 23294
United States
hello@recerthero.com