Privacy Policy | GDPR Compliant Data Protection

Last Updated: 9 April 2026

1. Introduction

Rapid Cert ("we," "our," or "us") is committed to protecting your privacy and ensuring compliance with the General Data Protection Regulation (GDPR) and Irish data protection laws. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Software-as-a-Service (SaaS) platform for certificate management, CRM, booking systems, and email marketing. Our data protection practices are designed to meet the highest standards of privacy compliance for Irish training companies.

This GDPR-compliant privacy policy applies to all users of Rapid Cert's training management software, including training companies, safety consultants, and certification organizations operating in Ireland and the European Union. We take your data protection seriously and are committed to transparency about how we handle your personal information.

Data Protection Officer: For all privacy-related inquiries, please contact us at info@rapidcert.eu.

2. Our Role: Data Controller vs. Data Processor

Important: Rapid Cert operates in two distinct roles depending on the type of data being processed:

2.1 Data Controller

Rapid Cert acts as a Data Controller for:

  • Administrative user data (names, email addresses, phone numbers of training company staff)
  • Billing and payment information
  • Account configuration and subscription details
  • Usage analytics and system logs

As a Data Controller, we determine the purposes and means of processing this data and are directly responsible for compliance with GDPR obligations.

2.2 Data Processor

Rapid Cert acts as a Data Processor for:

  • Student/trainee personal data (names, email addresses, phone numbers)
  • Certification history and exam results
  • Attendance records and training completion data
  • Any other end-user data uploaded by our clients (training companies)

As a Data Processor, we process this data solely on behalf of and under the instructions of our clients (the training companies), who remain the Data Controllers for this information. We process this data in accordance with our Data Processing Agreement (DPA) and applicable data protection laws.

3. Types of Data We Collect

3.1 Administrative User Data (Data Controller)

  • Full name and contact information
  • Email address and phone number
  • Company name and business address
  • Payment and billing information (processed securely through third-party payment processors)
  • Account credentials and authentication data

3.2 End-User Data (Data Processor)

When our clients use Rapid Cert to manage their training operations, they may upload the following types of data:

  • Student/trainee names, email addresses, and phone numbers
  • Certification history and expiry dates
  • Exam results and assessment scores
  • Attendance records and training completion certificates
  • Booking schedules and course enrollment information
  • Financial data generated by the system (revenue reports, payment records)

Note: This data is processed on behalf of our clients. The legal basis for processing is determined by our clients, who must ensure they have appropriate consent or legitimate interest to process this data.

4. How We Use Your Data

4.1 Administrative Data (Data Controller)

We use administrative user data to:

  • Provide, maintain, and improve our SaaS platform
  • Process payments and manage subscriptions
  • Communicate with you about your account, service updates, and support requests
  • Ensure security and prevent fraud
  • Comply with legal obligations

Legal Basis: Contract performance, legitimate interests, and legal compliance.

4.2 End-User Data (Data Processor)

We process end-user data solely to:

  • Enable our clients to manage their training operations
  • Generate and issue digital certificates
  • Track certification expiry and send renewal reminders
  • Manage bookings and schedules
  • Generate reports and analytics for our clients

Legal Basis: Determined by our clients (the Data Controllers) in accordance with GDPR.

5. Data Hosting and Location

EU Data Hosting: All data processed by Rapid Cert is hosted securely within the European Union (EU). We use trusted cloud infrastructure providers that maintain EU-based data centers to ensure compliance with GDPR data residency requirements.

We do not transfer personal data outside the EU/EEA unless explicitly required by law or with your explicit consent. Any such transfers would be subject to appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission.

6. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience on our platform:

6.1 Essential Cookies

These cookies are necessary for the platform to function properly and cannot be disabled:

  • Authentication and session management cookies
  • Security and fraud prevention cookies
  • Load balancing and system performance cookies

6.2 Functional Cookies

These cookies enhance functionality and personalization:

  • Dashboard preferences and user interface settings
  • Language and regional settings
  • Cookie consent preferences

6.3 Analytics Cookies (Optional)

With your consent, we use analytics cookies to:

  • Understand how users interact with our platform
  • Improve user experience and system performance
  • Generate anonymized usage statistics

You can manage your cookie preferences at any time through our cookie consent banner. Analytics cookies are only activated with your explicit consent.

7. Third-Party Sub-Processors

To provide our services, we engage trusted third-party sub-processors who process data on our behalf:

7.1 Infrastructure Providers

  • Cloud Hosting: EU-based cloud infrastructure providers for secure data storage and processing
  • Database Services: Managed database services with EU data residency

7.2 Service Providers

  • Email Services: Transactional email providers (e.g., SendGrid, Postmark) for system notifications and email campaigns
  • Payment Processors: Secure payment processing services for subscription billing
  • Analytics: Google Analytics (with consent) for website usage analytics

All sub-processors are bound by strict data processing agreements that require them to:

  • Process data only as instructed by Rapid Cert
  • Implement appropriate technical and organizational security measures
  • Comply with GDPR and applicable data protection laws
  • Maintain EU data residency where applicable

8. Data Security

Security Measures

We implement industry-standard security measures to protect your data:

  • Encryption at Rest: All data stored in our databases is encrypted using AES-256 encryption
  • Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.3
  • Access Controls: Role-based access control (RBAC) ensures only authorized personnel can access data
  • Regular Security Audits: We conduct regular security assessments and penetration testing
  • Backup and Disaster Recovery: Regular automated backups with secure off-site storage
  • Monitoring and Logging: Continuous monitoring for security threats and unauthorized access attempts

9. Your Rights Under GDPR

As a data subject, you have the following rights under GDPR:

9.1 Right of Access

You have the right to request a copy of all personal data we hold about you.

9.2 Right to Rectification

You can request correction of inaccurate or incomplete personal data.

9.3 Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data in the following circumstances:

  • The data is no longer necessary for the original purpose
  • You withdraw consent and there is no other legal basis for processing
  • The data has been unlawfully processed
  • Deletion is required to comply with a legal obligation

For Administrative Users: Contact us at info@rapidcert.eu to request account deletion. Note that deletion may result in termination of your subscription.

For End-User Data: Requests for deletion of student/trainee data should be directed to the training company (the Data Controller). We will process such requests in accordance with our Data Processing Agreement.

9.4 Right to Restrict Processing

You can request that we limit how we use your personal data in certain circumstances.

9.5 Right to Data Portability

You can request a copy of your data in a structured, machine-readable format.

9.6 Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes.

9.7 Right to Withdraw Consent

Where processing is based on consent, you can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

Exercising Your Rights: To exercise any of these rights, please contact us at info@rapidcert.eu. We will respond to your request within 30 days as required by GDPR.

10. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy:

10.1 Administrative User Data

  • Active Subscriptions: Data is retained for the duration of your active subscription
  • After Cancellation: Data is retained for a grace period of 90 days to allow for account reactivation
  • Legal Requirements: Certain data may be retained longer if required by law (e.g., financial records for tax purposes)

10.2 End-User Data (Student/Trainee Records)

  • Active Accounts: Data is retained while the client's subscription is active
  • Certificate Validation: Certification records may be retained longer as required for certificate validation and audit purposes (typically 7 years for compliance records)
  • Client Instructions: Retention periods may be adjusted based on client requirements and legal obligations

Upon expiration of the retention period, data is securely deleted or anonymized in accordance with our data deletion procedures.

11. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority (Data Protection Commission of Ireland) within 72 hours of becoming aware of the breach
  • Notify affected data subjects without undue delay if the breach poses a high risk to their rights and freedoms
  • Provide clear information about the nature of the breach, likely consequences, and measures taken to address it

12. Children's Privacy

Rapid Cert is designed for B2B use by training companies. We do not knowingly collect personal data directly from children under 16 years of age. If a training company processes data relating to children, they (as the Data Controller) are responsible for ensuring appropriate consent and compliance with applicable laws.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by:

  • Posting the updated Privacy Policy on our website with a new "Last Updated" date
  • Sending an email notification to registered users for significant changes
  • Displaying a prominent notice on our platform

Your continued use of Rapid Cert after such changes constitutes acceptance of the updated Privacy Policy.

14. Supervisory Authority

If you believe that we have not addressed your privacy concerns adequately, you have the right to lodge a complaint with the Data Protection Commission of Ireland:

Data Protection Commission
Canal House, Station Road, Portarlington, R32 AP23, Co. Laois, Ireland
Website: www.dataprotection.ie
Email: info@dataprotection.ie

15. Contact Us

For all privacy-related inquiries, data subject requests, or questions about this Privacy Policy, please contact our Data Protection Officer:

info@rapidcert.eu

Rapid Cert Ireland
Dublin Business District, Dublin, D02, Ireland

Related Information

Rapid Cert is a GDPR compliant training management software platform providing data protection for Irish training companies. Our privacy policy ensures your information is handled securely and in accordance with EU data protection regulations.