CertStudio

Privacy Policy

Last updated: July 03, 2025

1. Information We Collect

Personal Information

When you use CertStudio, we may collect the following personal information:

  • Account Information: Name, email address, password, and organization details
  • Profile Information: Professional credentials, job title, and contact preferences
  • Certificate Data: Recipient information, course details, and certification records
  • Usage Data: How you interact with our platform, features used, and system performance

Technical Information

We automatically collect certain technical information when you visit our website:

  • IP address and device information
  • Browser type and version
  • Operating system
  • Log files and analytics data
  • Cookies and similar tracking technologies

2. How We Use Your Information

Under UK GDPR, we must have a lawful basis for processing your personal information. We use your information for the following purposes with the corresponding lawful bases:

Lawful Bases for Processing

  • Contract Performance (Article 6(1)(b)): To provide certificate management and generation services as part of our contract with you
  • Legitimate Interests (Article 6(1)(f)): To improve our platform, prevent fraud, and ensure security. We balance our legitimate interests against your rights and freedoms
  • Legal Obligation (Article 6(1)(c)): To comply with legal obligations, industry standards, and regulatory requirements
  • Consent (Article 6(1)(a)): For marketing communications and non-essential cookies (where we have obtained your explicit consent)
  • Vital Interests (Article 6(1)(d)): In rare cases, to protect someone's life or prevent serious harm

Specific Processing Activities

  • Service Delivery: Processing based on contract performance to deliver certificate management services
  • Account Management: Contract performance and legitimate interests to maintain secure accounts
  • Communication: Contract performance for service-related communications; consent for marketing
  • Platform Improvement: Legitimate interests to analyze usage patterns and enhance user experience
  • Compliance and Security: Legal obligation and legitimate interests to meet regulations and protect against threats

Special Category Data

For healthcare training providers, we may process health-related training data under Article 9(2)(h) for health and social care purposes, and with appropriate safeguards under the Data Protection Act 2018.

3. Information Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may share your information only in the following circumstances:

With Your Consent

We may share your information when you explicitly consent to such sharing.

Service Providers

We work with trusted third-party service providers who assist us in operating our platform:

  • Cloud hosting and infrastructure providers
  • Email delivery services
  • Analytics and monitoring tools
  • Customer support platforms

Legal Requirements

We may disclose your information if required by law or in response to valid legal requests from government authorities.

Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.

4. Data Security

We implement industry-standard security measures to protect your information:

  • Encryption: Data is encrypted in transit and at rest using SSL/TLS protocols
  • Access Controls: Strict access controls and authentication mechanisms
  • Regular Audits: Security assessments and vulnerability testing
  • Monitoring: Continuous monitoring for suspicious activities
  • Backup and Recovery: Regular data backups and disaster recovery procedures

While we strive to protect your information, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security but are committed to protecting your data using best practices.

5. Data Retention

We retain your information for as long as necessary to provide our services and comply with legal obligations:

  • Account Data: Retained for the duration of your account plus 3 years after closure
  • Certificate Records: Retained for 7 years to support verification and compliance requirements
  • Usage Data: Aggregated and anonymized data may be retained indefinitely for analytics
  • Legal Requirements: Some data may be retained longer to comply with healthcare regulations

6. Your Rights and Choices

You have the following rights regarding your personal information. Under the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018, you have enhanced rights as detailed below:

Right of Access (Article 15)

You can request a copy of your personal information in a portable format, including details about how we process your data.

Right to Rectification (Article 16)

You can update or correct your personal information through your account settings or by contacting us directly.

Right to Erasure (Article 17)

You can request deletion of your personal information, subject to legal retention requirements and legitimate business needs.

Right to Restrict Processing (Article 18)

You can request that we limit how we process your personal information in certain circumstances.

Right to Data Portability (Article 20)

You can request your data in a structured, commonly used format for transfer to another service provider.

Right to Object (Article 21)

You can object to processing of your personal information for direct marketing or other purposes based on legitimate interests.

Rights Related to Automated Decision Making (Article 22)

You have rights regarding automated decision-making and profiling, though we do not currently engage in automated decision-making that significantly affects you.

Right to Withdraw Consent

Where processing is based on consent, you can withdraw your consent at any time.

Marketing Opt-Out

You can opt out of marketing communications at any time using the unsubscribe link in emails.

Cookie Controls

You can manage cookie preferences through your browser settings.

Exercising Your Rights

To exercise these rights, please contact us at privacy@certstudio.com. We will respond within one month (extendable to three months for complex requests) and will not charge a fee unless the request is manifestly unfounded or excessive.

Right to Lodge a Complaint

You have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's data protection supervisory authority, if you believe we have not handled your personal information in accordance with the law. You can contact the ICO at ico.org.uk or call their helpline on 0303 123 1113.

7. International Data Transfers

CertStudio is based in the United Kingdom and operates under UK GDPR and Data Protection Act 2018. Your information may be processed and stored in countries other than your own. We ensure that international transfers comply with UK data protection laws through:

Adequacy Decisions

We transfer data to countries that have been deemed to have adequate data protection laws by the UK government.

Standard Contractual Clauses (SCCs)

For transfers to countries without adequacy decisions, we use the UK's approved Standard Contractual Clauses to ensure appropriate safeguards.

Additional Safeguards

  • Technical and organisational measures to protect data in transit and at rest
  • Regular assessments of data protection laws in destination countries
  • Binding corporate rules where applicable
  • Certification schemes and codes of conduct

We conduct Transfer Impact Assessments (TIAs) to evaluate the effectiveness of these safeguards and ensure your data remains protected regardless of where it is processed.

8. Children's Privacy

CertStudio is not intended for use by children under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete such information.

9. Healthcare Data

For healthcare training providers, we understand the sensitive nature of health-related training data:

  • We implement additional security measures for healthcare-related information
  • We comply with relevant healthcare data protection regulations
  • Training records are handled with appropriate confidentiality measures
  • Access to healthcare training data is strictly controlled and logged

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. We will:

  • Post the updated policy on this page
  • Update the "Last updated" date
  • Notify users of material changes via email or platform notification
  • Provide 30 days' notice for significant changes

Your continued use of CertStudio after changes become effective constitutes acceptance of the updated Privacy Policy.

11. Contact Information

If you have questions about this Privacy Policy or our data practices, please contact us:

Data Protection Officer: dpo@certstudio.com

Privacy Inquiries: privacy@certstudio.com

General Inquiries: christian@certstudio.com

Mailing Address:
CertStudio
Data Protection Team
United Kingdom

ICO Registration: We are registered with the Information Commissioner's Office. Our registration details can be found on the ICO website.

We will respond to your inquiry within 30 days of receipt.

© 2025 CertStudio
