1. Information We Collect

When you use AS2 Certify, we collect the following information:

Account Information

Name and email address (provided during signup)
Company name (optional)
Password (stored as a bcrypt hash; we never store plaintext passwords)

Testing Data

AS2 endpoint configurations (AS2 IDs, URLs)
Certificates uploaded for testing (encrypted at rest)
Test results and compliance reports
AI assistant conversation history (Pro, Pharma, Enterprise plans)

Usage Data

Monthly test counts and plan usage
Authentication events (login timestamps, not stored long-term)

2. How We Use Your Information

Providing the Service: Running AS2 connection tests, validating certificates, generating compliance reports
Account management: Authentication, subscription billing, usage tracking
AI Assistant: Processing your questions through OpenRouter to provide AS2 configuration guidance (conversation content is sent to OpenRouter's API; see Section 3)
Service improvement: Analyzing aggregate usage patterns to improve the platform
Communication: Sending transactional emails (account verification, password resets, billing notifications)

3. Data Sharing

We do not sell your personal information.

We share data with the following third-party service providers only as necessary to operate the Service:

Stripe: Payment processing. Receives your email and payment information.
OpenRouter: AI assistant. Receives your chat messages (we strip email addresses and mask certificate data before sending).
Amazon Web Services: Infrastructure hosting. Stores encrypted certificate files and compliance reports.

We may disclose information if required by law, subpoena, or court order, or to protect the rights, property, or safety of Branson Solutions LLC, our users, or the public.

4. Data Retention

Account data: Retained as long as your account is active
Test results: Retained based on your plan tier (Free: 0 days, Pro: 30 days, Pharma/Enterprise: 90 days)
Certificates: May be automatically deleted from storage after test completion
Compliance reports: Retained for 90 days, then automatically expired
Chat history: Retained for the duration of your subscription

When you delete your account, we remove your personal data within 30 days. Anonymized aggregate data may be retained for analytics.

5. Security

We implement industry-standard security measures to protect your data:

Passwords hashed with bcrypt (cost factor 12)
Certificates encrypted at rest with AWS S3 SSE-KMS
Private keys stored in AWS Secrets Manager
JWT access tokens with 1-hour expiry and refresh token rotation
Rate limiting on authentication endpoints
All data transmitted over TLS (HTTPS)
No sensitive data (passwords, tokens, certificate contents) in application logs

6. Your Rights

You have the right to:

Access your personal data stored in our systems
Update your account information through the Settings page
Delete your account and associated data by contacting us
Export your test results and compliance reports

To exercise any of these rights, contact us at support@as2certify.org.

7. Cookies and Local Storage

AS2 Certify uses browser local storage to persist your AI assistant session ID. We do not use third-party tracking cookies. Authentication tokens are stored in application memory and are not persisted in cookies or local storage.

8. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Service and updating the "Last updated" date. Your continued use of the Service after changes are posted constitutes acceptance of the revised policy.

10. Contact

If you have questions about this Privacy Policy or how we handle your data, contact us at support@as2certify.org.