Privacy Policy
International Accreditation Registrar (IAR) respects your privacy and is committed to protecting personal data. This policy explains what we collect, how we use it, and your rights under the GDPR and other applicable laws.
Website: https://iar-iso.org
Email: [email protected]
Phone: +1-972-638-3198
Effective date: [Update date]
1. Who We Are (Data Controller)
IAR is an independent accreditor of certification bodies operating internationally. We accredit and oversee certification bodies (CBs) and operate services such as the Certificate Check/verification portal.
For privacy queries or to exercise your rights, contact [email protected]
.
2. Personal Data We Collect
Identity & contact data: name, email address, phone number, job title, organisation.
Account & access data: user IDs, login timestamps (for IAR portals where applicable).
Professional records: information submitted by CBs/applicants (e.g., competence records, assessor CVs, audit evidence).
Verification data: certificate numbers, client organisation names, CB names, scheme details, status and validity dates.
Technical data: IP address, device/browser type, pages visited, cookies, and online identifiers.
Financial/transactional data: invoices, payments, billing details (for fee processing).
Communications: emails, forms, support requests, meeting notes.
3. How We Collect Data
Directly from you (email, phone, web forms, portal registrations).
From accreditation applications and surveillance/assessment activities.
From certification bodies and their clients as part of accreditation oversight.
Automatically via our website and portals (analytics, security logs, cookies).
4. How We Use Your Data (Purposes)
Accreditation services: processing applications, conducting assessments, managing accreditation decisions and surveillance.
Certificate verification: enabling the public and stakeholders to verify certification status through our Certificate Check portal.
Communication: service updates, assessment scheduling, contractual notices.
Compliance & governance: maintaining records required by accreditation rules, legal, tax, and audit requirements; fraud and misuse prevention; security monitoring.
Service improvement: site performance, usage analytics, and customer support quality.
5. Legal Bases for Processing
Contract – to assess and deliver accreditation and related services you request.
Legitimate interests – to ensure integrity of accredited certification, maintain security, operate our portals, and improve services.
Legal obligation – to meet regulatory, tax, and record-keeping requirements.
Consent – for optional marketing/newsletters or non-essential cookies (where used).
6. Sharing Your Data
We may share data with:
Assessment teams and technical experts bound by confidentiality.
Accreditation committees/decision-makers for impartial decision processes.
Certification bodies and their nominated contacts where necessary for accreditation oversight and verification.
IT and cloud service providers (hosting, email, backup, ticketing) under data-processing agreements.
Payment processors and accountants for fee processing and compliance.
Regulators or law-enforcement where legally required.
We do not sell personal data.
7. International Transfers
Where data is transferred outside your jurisdiction, we implement appropriate safeguards (e.g., EU Standard Contractual Clauses) and require equivalent protections from our processors.
8. Data Retention
Accreditation/application & assessment records: typically 5–7 years from the end of accreditation or last interaction (to evidence decisions and oversight).
Financial records: 6–7 years (tax/accounting laws).
Emails & correspondence: 3 years (unless required longer for ongoing cases).
Backups: up to 12 months on rolling cycles.
Security/access logs: 90–180 days.
We may retain data longer if required to resolve disputes, enforce agreements, or meet legal obligations.
9. Your Rights
Subject to law, you may:
Access your data and request a copy.
Rectify inaccurate or incomplete data.
Erase data (where no longer needed and no overriding legal basis applies).
Restrict or object to certain processing.
Data portability (for data you provided, where processing is by consent/contract and automated).
Withdraw consent (for marketing or non-essential cookies) at any time.
To exercise rights, email [email protected]
. You may also lodge a complaint with your local Data Protection Authority.
10. Security
We use administrative, technical, and physical controls including encryption in transit, access control, least-privilege principles, secure configuration, logging/monitoring, and tested backup/restore procedures. Access to accreditation files is restricted to authorised personnel and contractors under confidentiality.
11. Cookies & Similar Technologies
We use essential cookies for site operation and may use analytics cookies to improve performance. Non-essential cookies are used only with consent.
You can manage preferences via our cookie banner and your browser settings.
For details, see our Cookie Notice (if published) or contact us.
(If using the Drupal EU Cookie Compliance module, ensure the banner lists categories and providers you actually use, e.g., Google Analytics.)
12. Children’s Data
Our services are intended for professional users and organisations. We do not knowingly collect data from children.
13. Changes to This Policy
We may update this policy periodically. The latest version will be posted at https://iar-iso.org
with the effective date shown at the top.
14. Contact
International Accreditation Registrar (IAR)
Email: [email protected]
Phone: +1-972-638-3198