shape
shape

Privacy Policy

Home / Privacy Policy

Last Updated: April 25, 2025

GSTC is committed to protecting your privacy and ensuring the security of your personal and business data. This Privacy Policy outlines how we collect, use, store, share, and safeguard your information when you interact with our website, engage our ISO certification services (including standards like ISO 9001, ISO 14001, ISO 45001, ISO 27001, and others), or participate in our consultation, auditing, or training programs. By using our services or website, you consent to the practices described in this policy.

1. Scope and Definitions

This Privacy Policy applies to all interactions with GSTC, including our website, certification processes, and related communications. Key definitions include:

  • Personal Information: Any data that can identify an individual, such as name, email, or phone number.
  • Certification Data: Documents, records, or information submitted for ISO certification processes (e.g., compliance reports for ISO 22000 or ISO 37001).
  • Usage Data: Non-identifiable information about website interactions, such as IP addresses or page visits.
  • Client: Any individual, organization, or entity engaging GSTC’s services.

2. Information We Collect

We collect information to provide and improve our services. The types of information include:

  • Personal Information:
    • Contact details (name, email, phone number, job title) provided during inquiries, registration, or service agreements.
    • Company details (business name, address, industry) for certifications like ISO 13485 (Medical Devices) or IATF 16949 (Automotive).
    • Billing information (e.g., payment details) for processing service fees.
  • Certification Data:
    • Documents and records required for audits, such as environmental impact reports for ISO 14001 or safety protocols for ISO 45001.
    • Employee training records or process documentation for standards like FSSC 22000 or SA 8000.
    • Non-conformity reports and corrective action plans.
  • Usage Data:
    • IP address, browser type, device information, and operating system.
    • Website navigation patterns, pages visited, and time spent on the site.
    • Referral sources (e.g., how you found our website).
  • Communication Data:
    • Emails, phone calls, or chat interactions with our support team.
    • Feedback or survey responses related to services like ISO 10002 (Customer Satisfaction).

We collect this information directly from you (e.g., via forms or audits), automatically (e.g., via cookies), or from third parties (e.g., accreditation bodies).

3. How We Use Your Information

We use your information to deliver high-quality certification services and enhance your experience. Specific uses include:

  • Service Delivery:
    • Processing applications and conducting audits for standards like ISO 50001 (Energy Management) or ISO 22301 (Business Continuity).
    • Issuing and maintaining certifications, including surveillance and recertification audits.
    • Providing consultation and training for standards like ISO 21001 (Educational Organizations).
  • Communication:
    • Sending updates on certification status, audit schedules, or non-conformities.
    • Responding to inquiries or support requests.
    • Sharing service-related announcements (e.g., updates to ISO 39001 Road Traffic Safety requirements).
  • Website and Service Improvement:
    • Analyzing usage data to optimize website functionality and user experience.
    • Conducting internal research to enhance services like ISO 10004 (Customer Satisfaction Monitoring).
  • Legal and Compliance:
    • Meeting accreditation requirements for certifications like ISO 37001 (Anti-Bribery) or ISO 10668 (Brand Valuation).
    • Complying with legal obligations, such as tax reporting or data protection laws.
  • Marketing (Optional):
    • Sending promotional materials or newsletters about our services, with your consent.
    • Inviting you to webinars or events related to ISO standards.

4. Legal Basis for Processing

We process your information based on the following legal grounds:

  • Contractual Necessity: To fulfill our service agreements (e.g., conducting audits for ISO 41001 Facility Management).
  • Legal Obligation: To comply with accreditation bodies or regulatory requirements.
  • Legitimate Interests: To improve our services, analyze website usage, or prevent fraud.
  • Consent: For marketing communications or non-essential cookies.

5. Sharing Your Information

We may share your information with trusted parties under strict confidentiality agreements, including:

  • Accreditation Bodies: To validate certifications (e.g., sharing audit reports for ISO 27018 or IATF 16949).
  • Third-Party Service Providers:
    • Payment processors for secure transactions.
    • Cloud storage providers for secure data management.
    • IT support services for website maintenance.
  • Legal Authorities: When required by law, court order, or regulatory bodies.
  • Business Transfers: In the event of a merger, acquisition, or sale of GSTC assets, your data may be transferred with prior notice.

We do not sell your information to third parties for marketing purposes.

6. Data Security

We implement robust security measures aligned with ISO 27001 (Information Security Management) to protect your data, including:

  • Encryption of sensitive data (e.g., certification documents) during transmission and storage.
  • Access controls to limit data access to authorized personnel only.
  • Regular security audits and vulnerability assessments.
  • Secure disposal of physical and digital records no longer needed.

Despite these measures, no system is completely secure. In the event of a data breach, we will notify affected Clients and relevant authorities as required by law.

7. Data Retention

We retain your information only for as long as necessary to fulfill the purposes outlined in this policy, including:

  • Personal Information: Retained for the duration of the service contract and up to 7 years for legal or tax purposes.
  • Certification Data: Retained for the certification validity period (typically 3 years) and up to 5 years thereafter for accreditation purposes.
  • Usage Data: Retained for up to 2 years for analytics purposes.

Data no longer needed is securely deleted or anonymized.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Access: Request a copy of the data we hold about you.
  • Rectification: Correct inaccurate or incomplete data.
  • Deletion: Request deletion of your data, subject to legal or contractual obligations.
  • Restriction: Limit how we process your data in certain circumstances.
  • Portability: Receive your data in a structured, machine-readable format.
  • Objection: Object to processing based on legitimate interests (e.g., marketing).
  • Withdraw Consent: Revoke consent for marketing or non-essential cookies at any time.

To exercise these rights, contact us at info@gstc.com. We will respond within 30 days, subject to verification of your identity.

9. Cookies and Tracking Technologies

Our website uses cookies and similar technologies to enhance functionality and analyze usage. Types of cookies include:

  • Essential Cookies: Necessary for website operation (e.g., session management).
  • Analytics Cookies: Track usage patterns to improve site performance.
  • Marketing Cookies: Deliver personalized ads, with your consent.

You can manage cookie preferences via your browser settings or our cookie consent tool. Disabling cookies may affect website functionality.

10. International Data Transfers

As a global ISO certification provider, we may transfer your data to countries outside your jurisdiction (e.g., for accreditation purposes). We ensure such transfers comply with data protection laws through:

  • Standard Contractual Clauses with third parties.
  • Data processing agreements aligned with ISO 27001 standards.
  • Verification of recipient countries’ adequacy status (e.g., EU GDPR compliance).

11. Third-Party Links

Our website may contain links to third-party sites (e.g., accreditation bodies or industry partners). We are not responsible for their privacy practices or content. Review their policies before providing information.

12. Children’s Privacy

Our services are not directed to individuals under 16. We do not knowingly collect personal information from children. If you believe we have collected such data, contact us to have it removed.

13. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, legal requirements, or services. Significant updates will be communicated via:

  • Email notification to Clients with active service contracts.
  • A prominent notice on our website at least 30 days before changes take effect.

Continued use of our services or website after changes constitutes acceptance of the updated policy.

You may also lodge a complaint with your local data protection authority if you believe we have not addressed your concerns adequately.