================================================================================

TERMS OF SERVICE — CrtMgr (crtmgr.com)

Effective Date: June 22, 2026
Last Updated: June 22, 2026

These Terms of Service (“Terms”) govern your access to and use of CrtMgr
(“the Service”, “we”, “us”, “our”), a web-based SSL/TLS certificate monitoring
and management platform operated at crtmgr.com and its subdomains:
app.crtmgr.com, audit.crtmgr.com, and api.crtmgr.com.

By creating an account or using the Service in any way, you agree to be bound
by these Terms. If you do not agree, you must not use the Service.

================================================================================

1. SERVICE DESCRIPTION

CrtMgr provides the following features (collectively, “the Service”):

1.1 SSL/TLS Certificate Monitoring
– Automated periodic scanning of SSL/TLS certificates for domains you
register in the Service.
– Display of certificate metadata: Common Name, Issuer, validity dates,
serial number, SHA-256 fingerprint, Subject Alternative Names (SANs),
public key type and size, and signature algorithm.
– Manual on-demand certificate scans, subject to rate limits (Section 5).

1.2 Expiry Notifications
– Email alerts sent before a monitored certificate expires.
– Configurable notification thresholds (default: 30, 7, and 1 day before
expiry).
– Requires a valid email address and properly configured SMTP delivery.

1.3 Domain Management
– Add, edit, and remove domains you own or are authorized to monitor.
– Organize domains with user-defined environment tags (e.g. “prod”,
“test”).
– Domain quotas apply (see Section 5.1).

1.4 Certificate Sharing
– Public links: stable URLs that display certificate details to anyone
with the link. No authentication required.
– Private links: token-based URLs for controlled sharing. Tokens can be
regenerated or disabled at any time.
– You control who has the URL; we do not restrict access to any URL
that is publicly reachable.

1.5 Private Certificate Management
– Upload PEM-formatted certificates for monitoring, independent of
live-domain scanning.
– The same monitoring, notification, and sharing features apply.

1.6 ACME / Let’s Encrypt Integration
– Create ACME accounts, API clients, and certificate orders through the
Service.
– Certificates are issued by Let’s Encrypt (a third-party Certificate
Authority) under its own terms (https://letsencrypt.org/repository/).

1.7 Public Utility API (api.crtmgr.com/api/v1/*)
– Diagnostic endpoints: IP detection, HTTP header inspection, status
code testing, request echoing, SSL certificate inspection.
– Rate-limited per calling IP address (see Section 5.2).
– Not intended for production-critical automation without prior
arrangement.

1.8 User Settings
– Theme preference (light, dark, auto).
– Language preference (English or Polish).
– Notification preferences and change-password functionality.
– Account deactivation with a grace period (see Section 9).

1.9 Contact & Support
– Public contact form at /contact.
– Best-effort response; no guaranteed response time.

================================================================================

2. USER ACCOUNTS AND RESPONSIBILITIES

2.1 Registration
You must provide a valid email address and choose a secure password.
You must accept these Terms before completing registration. You are
responsible for the accuracy of all information you provide.

2.2 Account Security
You are solely responsible for maintaining the confidentiality of your
password. You must notify us immediately of any unauthorized use of your
account. We are not liable for any loss or damage arising from your
failure to secure your credentials.

2.3 One Person, One Account
Creating multiple accounts to circumvent quotas or rate limits is
prohibited and may result in termination of all associated accounts.

2.4 Age Requirement
You must be at least 16 years old to use the Service. By registering,
you represent that you meet this requirement.

================================================================================

3. ACCEPTABLE USE

You agree NOT to:

3.1 Scan domains that you do not own or lack authorization to monitor.

3.2 Use the Service for any illegal purpose or in violation of any
applicable law or regulation.

3.3 Attempt to gain unauthorized access to any part of the Service, its
servers, systems, or networks.

3.4 Interfere with, disrupt, or create an undue burden on the Service
(including denial-of-service attacks, excessive automated queries,
or API abuse).

3.5 Use the Service to distribute malware, spam, phishing content, or
other harmful material.

3.6 Circumvent rate limits, quotas, or security measures (including
Turnstile bot protection and IP-based rate limiting).

3.7 Use the Service in a manner that could damage, disable, or impair
the experience of other users.

We reserve the right to suspend or terminate accounts that violate these
terms, with or without notice.

================================================================================

4. DATA AND PRIVACY

4.1 Data We Collect
– Account data: email address, hashed password, language and theme
preferences, notification settings.
– Usage data: IP addresses at registration and login, last login
timestamps.
– Service data: domain names, certificate metadata and PEM data,
user-defined tags, scan history.
– Contact form submissions: name, email, subject, message, IP address.

4.2 How We Use Data
We process your data exclusively to deliver the Service:
– Monitor certificates and send expiry alerts.
– Provide account management and sharing features.
– Prevent abuse and ensure security (IP tracking, rate limiting).
– Respond to support inquiries submitted via the contact form.

4.3 Data Sharing
– We do NOT sell, rent, or trade personal data.
– Public certificate links are accessible to anyone who possesses the
URL. You control which domains are public and can disable public
sharing at any time.
– Private share tokens provide access to anyone who possesses the URL.
You control token regeneration and can disable private sharing.

4.4 Third-Party Services
The Service relies on the following third parties, each governed by
their own privacy policies:
– Cloudflare, Inc. — CDN, DDoS protection, SSL termination, and
Turnstile bot detection. Privacy policy:
https://www.cloudflare.com/privacypolicy/
– Google LLC — Google Analytics 4 (only activated with your explicit
consent via the cookie banner). Data is anonymized (IP truncation).
Privacy policy: https://policies.google.com/privacy
– Let’s Encrypt (Internet Security Research Group) — Certificate
issuance for ACME orders. Privacy policy:
https://letsencrypt.org/privacy/

4.5 Cookies
– Session and remember-me cookies for authentication (HTTP-only,
SameSite Lax, Secure; domain: .crtmgr.com).
– Language and theme preferences stored in localStorage.
– Cookie consent preference stored in localStorage.
– Google Analytics cookies only after you click “Accept” on the
cookie banner.

4.6 Data Retention
– Active account data is retained indefinitely while your account
is active.
– Upon account deactivation, data is permanently deleted after a
30-day grace period. You may cancel deactivation during the grace
period.
– Password reset tokens expire after 1 hour.
– Contact form messages are retained for support purposes.

================================================================================

5. SERVICE LIMITATIONS AND QUOTAS

5.1 Domain and Scan Quotas
– Default domain quota per account: 10 domains.
– Maximum domain quota per account: 20 domains.
– Base manual scan limit: 5 scans per domain per day.
– With extra scans enabled: 10 scans per domain per day.
– Automated background scans are scheduled based on certificate
expiry proximity: daily when <7 days remain, every 2 days when 7-30 days remain, every 7 days when >30 days remain.
– Scanning a domain you do not own or lack authorization to scan is
a violation of Section 3.1.

5.2 API Rate Limits
– Authentication endpoints: 5 registrations/hour, 10 logins/15 min
per IP address.
– Public Utility API: 1 req/s, 60 req/min, 1000 req/day per IP.
– SSL Checker endpoint: 3 req/min, 20 req/hour, 50 req/day per IP.
– Delay endpoint: 5 req/min, 30 req/day per IP.
– We may adjust these limits at any time to protect Service stability.

5.3 Service Availability
The Service is provided on a best-effort basis. We do not guarantee
100% uptime and are not liable for interruptions caused by:
– Scheduled maintenance.
– Third-party service disruptions (Cloudflare, hosting provider,
Let’s Encrypt).
– Circumstances beyond our reasonable control (force majeure).

5.4 ACME Certificate Issuance
– Certificate issuance depends on Let’s Encrypt’s availability and
rate limits.
– You are responsible for verifying that issued certificates meet
your requirements.
– We are not liable for failed, delayed, or rejected certificate
orders.

================================================================================

6. INTELLECTUAL PROPERTY

6.1 Our IP
The Service, including its code, design, logos, trademarks, and
documentation, is the exclusive property of CrtMgr or its licensors.
You may not copy, modify, distribute, sell, or reverse-engineer any
part of the Service without our written permission.

6.2 Your Content
You retain ownership of all domain names, certificate data, and
other content you submit to the Service. By submitting content, you
grant us a limited license to use it solely for the purpose of
providing the Service to you.

6.3 Feedback
Any suggestions, ideas, or feedback you provide about the Service
may be used by us without compensation or obligation to you.

================================================================================

7. THIRD-PARTY SERVICES

7.1 The Service integrates with third-party platforms and services.
We do not control and are not responsible for:
– Let’s Encrypt certificate issuance, validation, or revocation.
– Cloudflare availability, IP detection accuracy, or Turnstile
behavior.
– Google Analytics data collection (only with your consent).
– Any external websites linked from the Service.

7.2 Use of these third-party services is subject to their respective
terms and policies. You are responsible for reviewing them.

================================================================================

8. DISCLAIMER OF WARRANTIES

THE SERVICE IS PROVIDED “AS IS” AND “AS AVAILABLE”, WITHOUT WARRANTY OF
ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO:

  • MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
    NON-INFRINGEMENT.
  • UNINTERRUPTED, TIMELY, SECURE, OR ERROR-FREE OPERATION.
  • THE ACCURACY, COMPLETENESS, OR RELIABILITY OF CERTIFICATE SCAN
    RESULTS, NOTIFICATIONS, OR ANY OTHER DATA PROVIDED BY THE SERVICE.
  • THE AVAILABILITY OR CORRECTNESS OF THIRD-PARTY INTEGRATIONS.

You use the Service at your own risk. Certificate monitoring is an aid
and does not replace proper security practices. You remain solely
responsible for renewing your SSL/TLS certificates on time.

================================================================================

9. LIMITATION OF LIABILITY

TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW:

9.1 We shall NOT be liable for any indirect, incidental, special,
consequential, or punitive damages, including but not limited to:

 - Loss of profits, revenue, data, or business opportunities.
 - Costs of substitute services.
 - Damages resulting from: certificate expiry despite monitoring,
   failed or delayed email notifications, inaccurate scan results,
   unauthorized access to public or private certificate links, or
   Service unavailability.

9.2 Our total aggregate liability for any claims arising from your use
of the Service shall not exceed the amount you have paid us in the
12 months preceding the claim, or one hundred Euros (€100) if no
fees have been paid, whichever is greater.

9.3 These limitations apply regardless of the theory of liability
(contract, tort, negligence, strict liability, or otherwise), even
if we have been advised of the possibility of such damages.

================================================================================

10. TERMINATION AND ACCOUNT DEACTIVATION

10.1 By You
You may deactivate your account at any time via the Settings page.
Deactivation triggers a 30-day grace period during which your data
remains stored and you may cancel the deactivation. After the grace
period, your account and all associated data are permanently deleted.

10.2 By Us
We reserve the right to suspend or terminate your account at any
time, with or without notice, for:
– Violation of these Terms.
– Conduct that we believe is harmful to the Service or other users.
– Extended inactivity (at our discretion).
– Requests from law enforcement or regulatory authorities.

10.3 Effect of Termination
Upon termination, your right to access the Service ceases
immediately. Data retention follows the process described in
Section 4.6.

================================================================================

11. CHANGES TO THESE TERMS

11.1 We may modify these Terms at any time by posting an updated version
on the Service. The “Last Updated” date at the top of this document
indicates when the latest changes were made.

11.2 For material changes, we will make reasonable efforts to notify you
via email or a prominent notice on the Service.

11.3 Your continued use of the Service after the effective date of any
changes constitutes acceptance of the updated Terms. If you do not
agree with the changes, you must stop using the Service and
deactivate your account.

================================================================================

12. GOVERNING LAW AND DISPUTES

12.1 These Terms are governed by the laws of Poland, without regard to
conflict of law principles.

12.2 Any dispute arising from these Terms or the Service shall be
resolved through good-faith negotiations. If negotiations fail,
the dispute shall be submitted to the competent courts in Poland.

12.3 For users residing in the European Union, nothing in these Terms
affects your statutory rights under applicable consumer protection
laws.

================================================================================

13. MISCELLANEOUS

13.1 Entire Agreement
These Terms constitute the entire agreement between you and CrtMgr
regarding the Service and supersede all prior agreements.

13.2 Severability
If any provision of these Terms is found to be unenforceable, the
remaining provisions shall remain in full effect.

13.3 No Waiver
Our failure to enforce any right or provision of these Terms shall
not constitute a waiver of that right or provision.

13.4 Assignment
You may not assign or transfer your rights under these Terms without
our written consent. We may assign these Terms without restriction.

================================================================================

14. CONTACT

For questions about these Terms or the Service, please use the contact
form on our website at https://crtmgr.com/contact/.

For security vulnerability reports, please refer to our Security Policy
at https://crtmgr.com/ and contact us privately — do NOT publicly
disclose vulnerabilities.

================================================================================

Scroll to Top