Privacy Policy
Last updated: April 17, 2026
This policy describes how CertifyOps (“we”) collects, uses, and protects personal data when you visit our website, request information, or engage us for compliance services. It is written to meet the requirements of the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA/CPRA).
1. Who we are
CertifyOps is a compliance delivery firm with offices in Cheyenne (US, WY), Tallinn (EE), and Paris (FR). For the purposes of this website, the data controller is CertifyOps. Contact: privacy@certifyops.com.
2. What we collect and why
| Category | Purpose | Legal basis | Retention |
|---|---|---|---|
| Contact form data | Respond to inquiries, schedule calls | Art. 6(1)(b) Contract / (f) Legitimate interest | 24 months |
| Client delivery data | Execute signed engagements | Art. 6(1)(b) Contract | Per contract + 7 years (tax) |
| Analytics (GA4, anonymized) | Measure site usage | Art. 6(1)(a) Consent | 13 months |
| Security logs | Protect systems and users | Art. 6(1)(f) Legitimate interest | Up to 12 months |
3. Cookies and trackers
We use only strictly necessary cookies by default. Analytics cookies load only after you opt in via the consent banner. We do not use advertising cookies or cross-site trackers. See the full Cookie Policy for details and category-level control.
4. Your rights under GDPR
You have the following rights regarding your personal data:
- Access (Art. 15) — request a copy of the data we hold about you.
- Rectification (Art. 16) — correct inaccurate data.
- Erasure (Art. 17) — request deletion where legally applicable.
- Restriction (Art. 18) — limit how we process your data.
- Portability (Art. 20) — receive data in a machine-readable format.
- Object (Art. 21) — object to processing based on legitimate interest or direct marketing.
- Withdraw consent (Art. 7(3)) — where processing is based on consent, you can withdraw at any time without affecting past lawful processing.
- Lodge a complaint with a supervisory authority (Art. 77), for example the CNIL in France or AKI in Estonia.
To exercise any of these, email privacy@certifyops.com. We respond within 30 days.
5. Service providers
We share personal data only with vetted processors under written contract:
- Email and ticketing: for responding to inquiries
- Analytics: Google Analytics 4 (optional, only with consent)
- Hosting and CDN: for serving the website
- CRM: for managing customer relationships
A full list of sub-processors involved in client engagements is provided with each contract and updated on 30-day notice.
6. International transfers
Where we transfer personal data outside the European Economic Area, we rely on one or more of: the EU-US Data Privacy Framework, the European Commission's Standard Contractual Clauses (Decision 2021/914), or the UK International Data Transfer Addendum. Supplementary technical measures (encryption in transit and at rest) are applied.
7. Security
We apply the technical and organizational measures required by GDPR Art. 32, including encryption, access controls, least privilege, monitoring, and regular review. We are SOC 2 Type II audited and ISO 27001 certified.
8. Data breach notification
If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, inform affected individuals without undue delay (GDPR Art. 33-34).
9. California residents (CCPA / CPRA)
California residents have additional rights, including the right to know, delete, correct, and opt out of sale or sharing of personal information. We do not sell personal information. To exercise these rights, email privacy@certifyops.com.
10. Children
This site is not directed at children under 16, and we do not knowingly collect personal data from them. If you believe a child has provided us data, contact us for deletion.
11. Changes to this policy
We update this policy when our practices change. The “Last updated” date at the top reflects the latest revision. Material changes are announced on the site.
Privacy FAQ
What personal data does CertifyOps collect?
Contact details you provide through forms (name, email, company), project-delivery metadata, and security-relevant operational logs. On the marketing website, we also process anonymized analytics data only if you consent.
Does CertifyOps sell personal data?
No. We do not sell, rent, or share personal data with advertisers. Access is limited to authorized team members and approved service providers under contract.
How can I exercise my GDPR rights?
Email privacy@certifyops.com. We respond within 30 days. You can request access, rectification, erasure, portability, restriction of processing, or object to processing at any time.
How long is data retained?
Retention depends on the data category. Contact-form submissions: 24 months. Contract and invoice data: 7 years (tax law). Service-delivery artifacts: per contract. Marketing analytics (if consented): 13 months max.
Do you transfer data outside the EU?
Yes, to Google LLC (US) for analytics if you consent, and to our email and CRM providers. Transfers rely on the EU-US Data Privacy Framework and Standard Contractual Clauses (2021/914) with supplementary measures.
Who is the data controller?
CertifyOps acts as the controller for website visitor data and contact requests. For client engagements we typically act as a processor under a signed DPA.