Privacy Policy

Last updated: 17 February 2026

1. Introduction

CertCard is a trading style of Code Strategy Limited, a company registered in England & Wales (Company No. 16243141). In this policy, “we”, “us” and “our” refer to Code Strategy Limited.

We are committed to protecting and respecting your privacy. This policy explains how we collect, use, store, and share personal data when you use the CertCard platform (“Service”), visit our website, or otherwise interact with us.

We are the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data we collect

2.1 Information you provide

  • Account information – name, email address, password, job title, and organisation details when you register.
  • Employee data – names, job roles, employee ID numbers, photographs, certification details (type, issuing body, reference numbers, expiry dates), and uploaded supporting documents.
  • Organisation data – company name, branding assets (logos), ID card prefixes, and department structures.
  • Payment information – billing name, address, and payment card details (processed securely by our payment provider; we do not store full card numbers).
  • Communications – messages you send to our support team or through feedback forms.

2.2 Information collected automatically

  • Usage data – pages visited, features used, actions taken within the Service, timestamps, and session duration.
  • Device and technical data – IP address, browser type and version, operating system, device identifiers, and screen resolution.
  • Cookies and similar technologies – see our Cookie Policy for details.

2.3 Information from third parties

We may receive data from identity verification providers, certification bodies, or your organisation’s administrator acting on your behalf.

3. How we use your data

We process personal data for the following purposes:

  • Providing, maintaining, and improving the Service.
  • Generating digital ID cards and public QR verification pages.
  • Tracking certification validity and sending expiry alert notifications.
  • Processing payments and managing subscriptions.
  • Responding to support enquiries and communications.
  • Ensuring the security of accounts and detecting fraudulent activity.
  • Complying with legal obligations, including health and safety record-keeping requirements.
  • Producing anonymised, aggregated analytics to improve the Service.

4. Lawful basis for processing

We rely on the following lawful bases under the UK GDPR:

  • Contract – processing necessary to provide the Service you have subscribed to (Article 6(1)(b)).
  • Legitimate interests – improving the Service, fraud prevention, and ensuring platform security (Article 6(1)(f)).
  • Legal obligation – complying with applicable laws, including record-keeping and health & safety regulations (Article 6(1)(c)).
  • Consent – where you have given clear consent, for example for marketing communications (Article 6(1)(a)). You may withdraw consent at any time.

5. Data sharing

We may share personal data with:

  • Your organisation – administrators within your organisation can access employee data they have entered or that relates to their workforce.
  • Public verification – when a QR code on an ID card is scanned, a limited verification page is displayed showing the employee’s name, role, organisation, and certification status. No sensitive personal data is exposed.
  • Service providers – hosting providers, payment processors, email delivery services, and analytics providers who process data on our behalf under appropriate data processing agreements.
  • Legal requirements – where required by law, court order, or regulatory authority.

We do not sell personal data to third parties.

6. Data retention

We retain personal data for as long as your account is active or as needed to provide the Service. When an account is closed, we will delete or anonymise personal data within 90 days, unless retention is required by law or for legitimate business purposes (such as resolving disputes or enforcing agreements).

Certification records may be retained for longer periods where required by health and safety legislation or regulatory obligations.

7. Data security

We implement appropriate technical and organisational measures to protect personal data, including encryption in transit (TLS) and at rest, access controls, regular security reviews, and secure hosting infrastructure. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

8. International transfers

Your data is primarily stored and processed within the United Kingdom and the European Economic Area. Where data is transferred outside these regions, we ensure appropriate safeguards are in place, such as standard contractual clauses approved by the UK Information Commissioner’s Office (ICO).

9. Your rights

Under the UK GDPR, you have the right to:

  • Access – request a copy of the personal data we hold about you.
  • Rectification – request correction of inaccurate or incomplete data.
  • Erasure – request deletion of your personal data in certain circumstances.
  • Restriction – request that we limit how we process your data.
  • Portability – receive your data in a structured, machine-readable format.
  • Objection – object to processing based on legitimate interests or for direct marketing.
  • Withdraw consent – where processing is based on consent, withdraw it at any time.

To exercise any of these rights, contact us at privacy@certcard.net. We will respond within one month as required by law.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.

10. Children’s privacy

The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will take steps to delete it.

11. Data breach notification

In the event of a personal data breach that poses a risk to the rights and freedoms of individuals, CertCard will:

  1. Notify the ICO within 72 hours of becoming aware of the breach, providing the nature of the breach, categories and approximate number of individuals affected, likely consequences, and measures taken to address it.
  2. Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
  3. Document all breaches in an internal breach register, including those not reported to the ICO, recording the facts, effects, and remedial actions taken.

To report a suspected breach, contact security@certcard.net.

12. Changes to this policy

We may update this policy from time to time. We will notify you of material changes by posting the updated policy on our website and, where appropriate, by email. The “Last updated” date at the top of this page indicates when the policy was last revised.

13. Contact us

If you have questions about this Privacy Policy or our data practices, contact us at:

Code Strategy Limited (trading as CertCard)
Email: privacy@certcard.net
Registered in England & Wales, Company No. 16243141