Privacy policy

Effective date: June 14, 2026

Last updated: June 14, 2026

This policy explains, in plain language, what information HelpWithCert collects, why we collect it, who we share it with, and the choices you have. We’ve tried to keep it readable. Where the law requires precise terms, we use them — and we define anything that isn’t everyday English.

A quick note on one term we use throughout: a “processor” (sometimes called a “service provider”) is a company we hire to handle data on our behalf and under our instructions — for example, the company that runs our database. They aren’t allowed to use your information for their own purposes.

Who we are

HelpWithCert is an IT-certification study platform and the home of Cert City, a browser-based 3D learning game. The site is operated by a single, US-based business.

Operator: Hak Tang (doing business as HelpWithCert)
Privacy contact email: [email protected]

We’re based in the United States. Our site can be reached from anywhere in the world, so this policy includes notes for visitors in California, the European Union, the United Kingdom, and Texas further down.

What we collect

We collect the following, and nothing more than we need to run the service:

Account information. When you create an account, we collect your email address and authentication details. Sign-in is handled by Supabase, our database and authentication processor. Your password is handled and stored by Supabase using industry-standard protection; we don’t see or store your raw password.
Age confirmation at sign-up. Accounts are for adults: you must be 18 or older to create one. At sign-up we ask your date of birth only to check your age — we verify you’re 18+ and do not store your date of birth.
Payment and subscription information. Payment is handled by Stripe, our payment processor. Stripe collects and processes your card details directly — we never receive or store your full card number. We share your email address with Stripe so it can send receipts and manage your subscription, and we keep only your subscription status and the identifiers (such as a Stripe customer or subscription ID) we need to manage access, billing, and renewals.
Study and usage information. Practice-exam attempts and scores, course progress, interactions with our AI study features, and general analytics such as page views.
AI feature content. When you use our AI study features (the AI tutor, the AI learning guide, AI quiz generation, and similar tools), the text you enter is sent to Anthropic’s API, which acts as our processor for AI features.
Technical and security information. To keep the service secure and prevent abuse, our systems process your IP address (for example, to rate-limit requests). When you sign up or log in, we also use Cloudflare Turnstile, a CAPTCHA that confirms you’re a real person; your browser interacts with Cloudflare and a verification token (along with basic technical signals such as your IP) is checked. We use this information for security, not to track you across other websites.
Information stored in your own browser. Most of your Cert City game state — in-game tokens, the headquarters you build — is saved in your browser’s localStorage, not on our servers. We also use a small number of cookies necessary to keep you signed in and the site working. We do not use third-party advertising or cross-site tracking cookies.

We do not collect your real-world street, city, or GPS location. The position coordinates that move your character around the Cert City map are in-game coordinates only — they say nothing about where you physically are.

How we use it

create and maintain your account and keep you signed in;
provide the study platform and the Cert City game, including saving your progress;
process payments and manage subscriptions and renewals (through Stripe);
power our AI study features and, where chat is enabled, moderate it (through Anthropic);
show other signed-in players your presence in the shared multiplayer hub (display name, character color, and position) so the world feels alive;
where you used a teacher or affiliate’s referral link or code, attribute your purchase to them so we can pay the agreed revenue share;
keep the service safe, prevent abuse, and meet our legal obligations, including the child-safety reporting duty described below; and
understand how the product is used so we can improve it.

We do not sell your personal information, and we do not share it for cross-context behavioral advertising (we don’t hand your data to other companies so they can target ads to you across the web).

The Cert City game, multiplayer, and chat

Single-player needs no account and stays in your browser. Anyone can play Cert City’s single-player mode without signing in. Your headquarters, tokens, and progress are saved in your browser’s localStorage — they are not sent to us or broadcast to anyone.
Multiplayer and chat require a signed-in account (18+). The only parts of Cert City that transmit anything to our servers are multiplayer presence and chat, and both require a logged-in account — so they are available only to adults 18 and over.
Multiplayer presence is live but not stored. So signed-in players can see each other in the shared hub, our multiplayer server (hosted on Railway) broadcasts, in real time, each player’s display name, character color, and on-map position/facing. This is held only in the server’s temporary memory while you’re connected and is not saved to any database. When you disconnect, it’s gone.
Display names are auto-generated. Every player gets a random, auto-generated display name (for example, “SwiftFox”). It is not chosen by you, not tied to your real identity, and not saved — a new one is generated each session.
Chat — safe by design, and currently off. Chat is limited to a fixed list of preset, pre-approved phrases and is available only to signed-in players. Behind the scenes the system sends only a number that points to a phrase on that list — never the free-typed words — so there’s nothing personal to store, and chat is not logged or retained by default. Chat is currently turned off. If we later enable free-text chat, it would be limited to signed-in (18+) accounts and screened by an automated moderation tool (which uses Anthropic to classify the text), and we would update this policy before that goes live.
One safety exception. We do not keep chat content — with a single exception required by law. If content appears to involve the sexual exploitation of a child, we are legally required to preserve it and report it (see below). That is the only situation in which chat content is retained.

Children’s privacy (COPPA)

Our accounts are for adults. You must be 18 or older to create a HelpWithCert account. We ask for a date of birth at sign-up, check it, and do not store it; we do not create accounts for, or knowingly collect personal information from, anyone under 18 — and certainly not from children under 13.

Cert City and younger visitors. Cert City’s single-player mode needs no account and can be opened by anyone, but it runs entirely in your browser: game progress is saved on your own device and is not sent to us. The only Cert City features that transmit anything to our servers — multiplayer presence and chat — require a logged-in (18+) account. Because of this design, we do not knowingly collect personal information from children under 13 through Cert City.

If we learn otherwise. If we discover we have collected personal information from a child under 13, we will delete it promptly. A parent or guardian who believes their child has provided us personal information can contact us at [email protected], and we will review and delete it.

The Children’s Online Privacy Protection Act (COPPA) is the US law governing the online collection of personal information from children under 13.

Reference: COPPA is codified at 15 U.S.C. §§ 6501–6506; the FTC’s implementing rule is the Children’s Online Privacy Protection Rule, 16 C.F.R. Part 312. See the FTC’s COPPA materials at ftc.gov and the rule text on eCFR.

Who we share with

We don’t sell your information. We share it with a small set of processors and recipients who help us run the service, each for a specific purpose:

Supabase — database and authentication. Stores your account, subscription status, and study/progress data, and handles sign-in. Acts as our processor.
Stripe — payment processor. Handles card details directly and receives your email address for purchases, subscriptions, renewals, receipts, and refunds.
Anthropic — AI processor. Receives the text you send to our AI study features (and, where free-text chat is later enabled, the messages our moderation tool checks) to generate responses or classify content. Anthropic processes this text under its commercial API terms, which provide that it does not use API inputs to train its models.
Cloudflare — hosting, content delivery, and bot protection. Serves and protects the website, and runs the Turnstile CAPTCHA on sign-up and login.
Railway — host of our Cert City multiplayer server. Relays live in-game presence (display name, color, position) between signed-in players; does not store it.
First-party analytics only. We count page views with our own counter (stored in our Supabase database) and rely on Cloudflare’s infrastructure-level analytics. We do not use third-party advertising or cross-site tracking analytics.

We may also disclose information if the law requires it, to enforce our terms, to protect the rights and safety of our users and others, or in connection with a business transfer, with notice where required.

Child-safety reporting. US federal law requires online services to report apparent child sexual exploitation to the National Center for Missing & Exploited Children (NCMEC). If we become aware of such content, we are required to report it and preserve the related material. We comply with this obligation.

Reference: the reporting and preservation duty is at 18 U.S.C. § 2258A. The REPORT Act (2024) extended the required preservation period for reported material to one year. See the statute on uscode.house.gov / Cornell LII.

Retention

We keep information only as long as we have a reason to:

Account and study data: while your account is active, and for a reasonable period afterward (generally no more than about 90 days) for legal, accounting, or security reasons; you can ask us to delete it sooner.
Payment and subscription records: kept as long as needed for billing, recordkeeping, and tax obligations (often up to about 7 years). (Card data is held by Stripe, not us.)
Chat content: not retained by default. The narrow exception is content preserved under the child-safety law above, kept for the period the law requires (currently one year) and reported as required.

You can ask us to delete your information at any time (see “Your rights and choices”). When information is no longer needed, we delete or de-identify it.

Your rights and choices

Wherever you live, you can access the personal information we hold about you, correct information that’s wrong, delete your account and associated personal information, and update your communication choices.

To make a request, email [email protected]. We’ll verify your identity before acting on certain requests. We won’t treat you unfairly for exercising these rights. Some information stays in your direct control: your Cert City build lives in your browser’s localStorage, so clearing your browser data removes it.

International and state notices

California (CCPA/CPRA). California residents have rights to know what personal information we collect and how we use it, to access and delete it, to correct it, and to limit certain uses of sensitive information. We do not sell personal information or share it for cross-context behavioral advertising. Use the contact details above; we won’t discriminate against you for exercising these rights.

European Union and United Kingdom (GDPR / UK GDPR). If you’re in the EU or UK, you have rights to access, correct, delete, restrict, and object to certain processing, and to data portability. We process data on legal bases such as performing our contract with you, your consent (where applicable), and our legitimate interests (such as keeping the service safe). Operating from the US means using our service involves transferring your data to the US. You may also complain to your local data-protection authority.

Texas (TDPSA and SCOPE Act). Texas has its own privacy and minors’-protection laws, including the Texas Data Privacy and Security Act and the SCOPE Act, which can give Texas residents rights similar to those above and impose specific duties regarding minors. Use the contact details above.

Security

We use reasonable administrative and technical safeguards to protect your information. We rely on established providers — such as Supabase, Stripe, and Cloudflare — that maintain their own protections, and our payment processing is designed so card data is handled by Stripe rather than stored by us. No method of storing or transmitting data over the internet is perfectly secure, so we can’t guarantee absolute security, but we work to protect your information and respond appropriately if a problem occurs.

Changes to this policy

We may update this policy as our service or the law changes. When we do, we’ll revise the “Last updated” date above, and for significant changes we’ll provide a more prominent notice. Please check back from time to time.

Contact us

Questions or privacy requests? Email [email protected].

We designed HelpWithCert and Cert City to collect as little as possible and to keep children’s data out of our systems by limiting all data-transmitting features to signed-in adult accounts.