Privacy Policy

Version 2.0
Last updated: 5 November 2025
Applies to: certcrowd.com, app.certcrowd.com and related sites (the "Services")


At CertCrowd, we know that our customers care about how their information is used and shared, and we take your privacy seriously. This policy explains what information CertCrowd collects about you, why we collect it, how we use and share it, and your choices.

By registering for or using our Services you consent to the collection, transfer, processing, storage, disclosure and other uses described in this Privacy Policy.

Who we are

CertCrowd Pty Ltd (ABN 68 634 250 758) and its associated entities (collectively, "CertCrowd", "we", "us").

Our role

  • For Customer Data (any personal data uploaded to or generated in the CertCrowd Service by, for, or on behalf of a customer), CertCrowd acts as a processor and the customer acts as the controller. We process Customer Data strictly on the customer's documented instructions (see our Data Processing Agreement).
  • For our own Business Data (for example website/app account registration, billing contacts, support communications, site analytics, and our marketing lists), CertCrowd acts as the controller.

Information you provide

Personal information

We collect personal information when you register for an account, create or modify your profile, or otherwise use, access, or interact with our Services. Personal information we collect may include name, business email address, role/title, phone and similar identifiers. You may enter this information yourself, or an administrator from your organisation may enter it for you.

Business information you import

To provide compliance and risk-management functionality, CertCrowd allows you to import or create content, such as company details, employee names/emails/titles, compliance obligations and status, incidents and hazards, risk registers and ratings, and other records you choose to store in the Services. You control the substance of this information.

Support and communications

If you contact us (for example support tickets, chat, email) we collect the information you provide (including any files you attach) to resolve your request and improve our Services.

Information we collect automatically

Log files

Like most online services, we gather certain information and store it in log files when you interact with the Services. This may include browser type, IP address, language, referrer URL, operating system, and time/date of interactions. Some URLs you access may contain your email address as necessary to perform requested operations and therefore may appear in logs.

Usage data and analytics

We collect usage data as you interact with the Services to understand performance and improve user experience. Where we associate usage data with an identifiable user (for example to provide support) we treat the combined data in accordance with this Policy.

Cookies and similar technologies

The Services use cookies and similar technologies to authenticate users, remember preferences, measure performance and (where permitted) support analytics/advertising. You can control cookies via your browser settings; essential cookies are required for the Services to function.

Information from other sources

If you choose to authenticate via a third-party identity provider (for example Google), we receive identity information as permitted by that service (such as name, email address, profile picture URL) and use it in accordance with this Policy. You can manage the information that third-party services share via their settings.

How we use information

  • Provide and operate the Services (including user management, projects, uploads, reports and sharing).
  • Maintain and secure the Services (fraud prevention, availability, incident response, quality assurance/testing, and product analytics).
  • Billing and account administration (including invoicing and payment processing).
  • Communications (product updates, security alerts, support and administrative messages).
  • Compliance with law, dispute resolution, and enforcement of our agreements.
  • Marketing (emails or campaigns), subject to your preferences and applicable law.

Sharing information

Third-party service providers (sub-processors)

We use trusted providers (for example hosting, backups, email delivery, payments, CRM/support, analytics) who may process personal information on our behalf strictly to provide their services to us. Each is bound by confidentiality and data-protection obligations. We maintain a current list on our Sub-processor Register.

Public authorities and law enforcement

We may disclose information as required by law or where we believe it necessary to protect rights, safety or security (for example to comply with lawful requests, to investigate fraud or security incidents, or to enforce our terms).

Online advertising

We may use remarketing services (for example Google Ads) to display relevant ads about CertCrowd. You can opt out via the provider's ad settings and the CertCrowd website disables these cookies by default unless you opt in.

Business transfers

If we undergo a merger, acquisition or asset sale, we may transfer relevant information as part of that transaction. We will notify you of any ownership changes and related choices.

Your choices and rights (global)

You may request access to, correction or deletion of your personal information. Depending on your jurisdiction, you may also request restriction or object to certain processing. To exercise rights, contact privacy@certcrowd.com. We aim to respond within one month and may extend by up to two months for complex requests; we will notify you if we need more time.

  • Marketing: you can opt out of marketing emails at any time using the unsubscribe link or by emailing cancel@certcrowd.com. You will still receive essential service messages.
  • Children: we do not knowingly target under-16s. If you believe a child has provided personal data, contact us and we will take appropriate steps.

Data location and international transfers

We operate a multi-region architecture.

  • Primary hosting/databases: We operate application and database infrastructure in several regions: Germany (EU) for EEA/UK customers by default, Sydney (Australia), United States, and Singapore for other customers. Your region is selected at onboarding or as later agreed with your account owner.
  • Service providers: We use vetted third-party providers to deliver specific functions (for example authentication, email delivery, support/CRM, payments, analytics). Some providers may process limited personal data in the United States and other regions where they operate. See our Sub-processor Register for a current list and regions.
  • Operational necessities: Regardless of your selected region, limited cross-region processing and data storage may occur for purposes such as 24x7 support, security monitoring, telemetry, authentication and disaster recovery/backup operations.

For transfers from the EEA/UK/CH to countries without an adequacy decision (including the United States and Australia), we rely on the EU Standard Contractual Clauses (2021) and, for the UK, the UK International Data Transfer Addendum, plus supplementary measures (encryption in transit/at rest, least-privilege access, logging, and vendor due diligence). See the EU/UK/CH Addendum below for more detail and our Sub-processor Register for current vendors and regions.

Privacy policy changes

We may update this Policy from time to time. The "Last updated" date shows the latest revision. For material changes we will provide additional notice (for example in-app or email) before they take effect.

Contact us

CertCrowd Pty Ltd
4/1027 Manly Road, Tingalpa, QLD 4173, Australia
General: info@certcrowd.com
Privacy/rights requests: privacy@certcrowd.com


EU/UK/CH Privacy Notice Addendum

This addendum applies to individuals in the European Economic Area (EEA), the United Kingdom (UK) and Switzerland and supplements the main CertCrowd Privacy Policy.

Roles (controller vs processor) and contacts

  • For Customer Data, the controller is the relevant customer (your employer/organisation). CertCrowd acts as the processor and processes Customer Data only on the controller's documented instructions under our DPA.
  • For Business Data we collect for our own purposes (website analytics, account registration and administration, billing contacts, support communications, and marketing lists), CertCrowd acts as the controller.

Controller (for Business Data): CertCrowd Pty Ltd, 4/1027 Manly Road, Tingalpa QLD 4173, Australia
Data Protection Officer: Not appointed (you may always contact privacy@certcrowd.com)

EU/EEA and UK GDPR representatives (Article 27)

If you are located in the EU or UK and have questions or concerns regarding your personal data, you may contact our appointed GDPR representative.

EU Representative
Euverify Ltd (Ireland)
Unit 3D North Point House
North Point Business Park
New Mallow Road
Cork
T23 AT2P
Ireland
Email: gdpr@euverify.com

UK Representative
Euverify Ltd (UK)
3rd Floor
86-90 Paul Street
London
EC2A 4NE
United Kingdom
Email: gdpr@euverify.com

To submit a Data Subject Access Request (DSAR), data deletion request, or any other GDPR-related inquiry, please use our secure portal at: GDPR Portal

This link allows you to verify our appointed representative and submit GDPR requests directly. Requests submitted through this portal are logged and tracked to ensure timely response and compliance.

Purposes and legal bases for processing

We process personal data for the purposes set out in the main Policy under the following legal bases:

  • Service delivery and account administration: Contract (GDPR Art 6(1)(b)).
  • Security, quality and product analytics: Legitimate interests (Art 6(1)(f)) in operating a reliable, secure SaaS. Where local law requires consent for analytics/ads, we rely on Consent (Art 6(1)(a)).
  • Billing, accounting and legal compliance: Legal obligation (Art 6(1)(c)).
  • Marketing communications: Consent or, where available, legitimate interests/soft opt-in with the ability to opt out at any time.

Categories of recipients

  • Service providers (hosting, storage, backups, email, payments, CRM/support, analytics) acting on our instructions.
  • Affiliates and professional advisers (legal, accounting, security) as needed.
  • Authorities when legally required.

International transfers and safeguards

Hosting regions: By default, EEA/UK customer tenants are hosted in Germany (EU). We also operate regions in Australia, the United States, and Singapore for non-EEA/UK customers.

Service providers: Certain functions (such as authentication, email delivery, payments, support/CRM, and analytics) are provided by third parties that may process personal data in the United States and other regions where they operate.

Safeguards: Where personal data originating in the EEA/UK/CH is transferred to a country without an adequacy decision (for example the United States or Australia), we implement the EU Standard Contractual Clauses (2021) and, for the UK, the UK International Data Transfer Addendum, along with supplementary measures (encryption in transit/at rest, access controls, logging, vendor due diligence, and regional data hosting for Customer Data). See our Sub-processor Register for current vendors/regions.

Retention

We keep personal data only for as long as necessary to provide the Services, comply with law, resolve disputes, and enforce agreements. We use objective criteria (for example account status, regulatory limits, and record type) to decide when data is no longer needed. Where deletion is not immediately possible (for example immutable backups), the data is isolated from further processing and removed once the backup rotates. You can request deletion at any time (subject to legal exceptions) via our GDPR portal; we will cascade your request to our processors.

Your rights (EEA/UK/CH)

You have the right to access, rectify, erase, restrict, object to processing, and data portability. You also have the right to withdraw consent and to lodge a complaint with your local supervisory authority. We will respond within one month of receiving a request at privacy@certcrowd.com and may extend by up to two months for complex or multiple requests.

Important: If your request concerns Customer Data (data in a workspace/tenant controlled by your organisation), please contact your organisation (the controller). If you send such a request to us directly, we will forward it to the controller and assist them in fulfilling it, in accordance with our DPA.

Cookies in the EEA/UK

Non-essential cookies (for example analytics/advertising) are off by default until you choose Accept in our cookie banner. The first layer of the banner provides Accept All / Reject Non-Essential with equal prominence. You can change or withdraw consent at any time via Cookie Settings.

Children

We do not knowingly process the personal data of children under 16 in the EEA/UK/CH.

Automated decision-making

We do not use automated decision-making or profiling that produces legal or similarly significant effects.

Annexes (public links)


© 2025 CertCrowd