Privacy Policy
This Privacy Policy explains how London Cert Ltd collects, uses, stores, and protects your personal data when you use our website or services. We are committed to protecting your privacy and handling your data transparently, lawfully, and securely.
London Cert Ltd collects only the personal data we need to run our website and deliver ISO certification and cybersecurity services โ never more. Key points: (1) We never sell your data to anyone; (2) We process data under GDPR, UK GDPR, and India's DPDPA 2023; (3) You can access, correct, delete, or export your data at any time by emailing us; (4) We keep data only as long as legally necessary; (5) You can complain to the ICO, your national DPA, or India's Data Protection Board if you're unhappy with how we've handled a request. Full details in the sections below.
1Who We Are โ Data Controller
London Cert Ltd ("London Cert", "we", "us", "our") is a UK-registered, IAF-accredited third-party ISO certification body. We provide ISO certification, cybersecurity compliance, and related consultancy services to businesses globally.
For the purposes of applicable data protection law โ including the EU General Data Protection Regulation (GDPR), the UK GDPR and Data Protection Act 2018, and India's Digital Personal Data Protection Act 2023 (DPDPA) โ London Cert Ltd is the Data Controller (also referred to as "Data Fiduciary" under India's DPDPA) in respect of any personal data we hold about you.
This Privacy Policy applies to:
- Visitors to our website londoncert.co.uk and all associated subdomains
- Individuals who submit enquiries, forms, or contact us via any channel
- Business contacts and representatives of client organisations
- Candidates for ISO certification and related services
- All persons whose personal data we process in the course of providing our services
By using our website or submitting your information to us, you acknowledge that you have read and understood this Privacy Policy.
2Personal Data We Collect
We collect only the personal data that is necessary for the specific purposes described in this policy (the data minimisation principle). The categories of personal data we may collect include:
| Category | Data Elements | Why Collected |
|---|---|---|
| Identity Data | Full name, job title, designation | To identify you and address correspondence correctly |
| Contact Data | Email address, mobile number, office phone, postal address | To respond to enquiries, deliver services, and send updates |
| Business Data | Company name, company size, industry sector, number of employees, business address | To assess certification requirements and provide relevant services |
| Transaction Data | Service details, invoice information, payment records (non-card) | To manage service delivery, billing, and financial records |
| Technical Data | IP address, browser type, device type, operating system, referring URL, pages visited, time on site | Website analytics, security monitoring, improving user experience |
| Communication Data | Email correspondence, WhatsApp messages, contact form submissions, chat logs | To manage our relationship with you and improve our services |
| Marketing Data | Communication preferences, service interests, opt-in/opt-out records | To send relevant marketing communications (only with your consent) |
| Certification Data | Audit documents, quality management records, process information, organisational details submitted for certification | To conduct ISO certification audits and issue certificates |
3How We Collect Your Data
Direct collection โ data you provide to us
We collect personal data directly from you when you:
- Complete and submit any enquiry or contact form on our website
- Request a quote for ISO certification or cybersecurity services
- Contact us via telephone, WhatsApp, email, or live chat
- Enter into a service agreement or certification contract with us
- Submit documents, questionnaires, or information as part of a certification audit
- Subscribe to our newsletter, blog, or marketing communications
- Engage with us on LinkedIn, Facebook, Instagram, or other social platforms
Automated collection โ data collected through technology
When you visit our website, we automatically collect certain technical data through cookies, web server logs, and similar technologies. This includes your IP address, browser type, device information, the pages you visit, and how long you spend on each page. This data is used to improve website performance and security, and for analytics purposes. Please see Section 8 (Cookies) for full details.
Third-party sources
We may occasionally receive data about you from third parties including: business directories and databases used to identify potential clients; social media platforms when you interact with our business pages; and referral sources when a client or partner refers you to us. We ensure that any such data is obtained lawfully and that the source had the right to share it with us.
4Why We Process โ Our Purposes
We process your personal data only for the specific, legitimate purposes described below. We do not process your data for any purpose that is incompatible with the purpose for which it was collected.
| Purpose | Description | Data Used |
|---|---|---|
| Service Delivery | Providing ISO certification, audit, and cybersecurity services you have engaged us for | Identity, Contact, Business, Certification |
| Enquiry Management | Responding to your enquiries, quote requests, and providing information about our services | Identity, Contact, Communication |
| Contract Management | Entering into, performing, and managing service contracts and certification agreements | Identity, Contact, Business, Transaction |
| Billing & Finance | Invoicing, processing payments, and maintaining financial records as required by law | Identity, Contact, Transaction |
| Certificate Issuance | Issuing, managing, and verifying ISO certificates on behalf of clients | Business, Certification |
| Website Analytics | Understanding how visitors use our website to improve content and user experience | Technical |
| Marketing | Sending service updates, industry news, and promotional communications (with your consent) | Contact, Marketing |
| Legal Compliance | Complying with legal obligations including tax records, accreditation requirements, and regulatory reporting | All categories as required |
| Security & Fraud Prevention | Detecting, preventing, and investigating fraud, security incidents, and misuse of our services | Technical, Identity, Communication |
5Legal Basis for Processing
Where applicable law requires us to identify a legal basis for processing personal data โ including under EU GDPR, UK GDPR, India's DPDPA 2023, and DPDP Rules 2025 โ we rely on one or more of the following:
| Legal Basis | When We Rely On It | Applicable Law |
|---|---|---|
| Consent | When you opt in to marketing communications; when cookies are set; when you expressly agree to data processing at the point of collection | GDPR Art.6(1)(a); UK GDPR; DPDPA 2023 ยง4โ6 |
| Contract Performance | Processing necessary to deliver the certification or cybersecurity service you have engaged us for; managing the service contract | GDPR Art.6(1)(b); UK GDPR; DPDPA "contractual necessity" |
| Legal Obligation | Retaining financial records for tax purposes; responding to lawful regulatory or law enforcement requests; maintaining accreditation records | GDPR Art.6(1)(c); UK GDPR; Indian Companies Act, IT Act |
| Legitimate Interests | Website analytics; security monitoring; fraud prevention; responding to unsolicited enquiries; improving our services. We only rely on this basis where our interests are not overridden by your fundamental rights. | GDPR Art.6(1)(f); UK GDPR. DPDPA has no direct equivalent โ we use consent or contractual necessity for Indian data principals. |
| Vital Interests | In exceptional circumstances where processing is necessary to protect life | GDPR Art.6(1)(d); UK GDPR |
6Who We Share Your Data With
We do not sell, rent, or trade your personal data to any third party. We share your data only in the limited circumstances described below and only to the extent necessary for the relevant purpose.
| Recipient | Reason for Sharing | Safeguards |
|---|---|---|
| Service Providers | IT hosting, email delivery, CRM, accounting software, and analytics providers who process data on our behalf as data processors | Bound by data processing agreements (DPAs); restricted to processing only as instructed by us |
| Accreditation Bodies | IAF and associated accreditation bodies that require audit records for our accreditation maintenance and oversight | Contractual restrictions; accreditation body data protection frameworks |
| Payment Processors | Banks and payment service providers for processing invoices and payments related to our services | PCI-DSS compliance; subject to their own privacy policies |
| Professional Advisers | Legal, financial, and compliance advisers engaged to support our business operations | Professional confidentiality obligations; contractual restrictions |
| Law Enforcement / Regulators | Where required by law, court order, or government authority; to investigate fraud or security incidents | Only disclosed to the extent legally required; we will notify you where legally permitted to do so |
| Business Succession | In the event of a merger, acquisition, or sale of all or part of our business, personal data may be transferred as part of that transaction | The acquirer will be required to handle data in accordance with this policy; we will notify you |
7International Data Transfers
London Cert Ltd operates from the United Kingdom and India and serves clients globally. As a result, your personal data may be transferred to and processed in countries outside your home country, including between the UK and India.
UK India Transfers
Where we transfer personal data between our UK and India offices, we ensure that appropriate safeguards are in place. For transfers from the UK to India and vice versa, we rely on:
- Standard Contractual Clauses (SCCs) โ the UK International Data Transfer Agreements (IDTAs) or EU SCCs as applicable
- Binding Corporate Arrangements โ internal data transfer policies between our offices
- Your consent โ where you have explicitly consented to the transfer after being informed of its nature
Transfers to Other Countries
Where our service providers process your data outside the UK or European Economic Area (EEA), we ensure adequate protection through Standard Contractual Clauses, adequacy decisions, or other approved transfer mechanisms. We do not transfer data to countries that do not provide adequate protection without appropriate safeguards.
8Cookies & Tracking Technologies
Our website uses cookies and similar technologies to operate the website, analyse how it is used, and improve your experience. This section explains what cookies we use and how you can control them.
What are cookies?
Cookies are small text files placed on your device by a website when you visit it. They allow the website to recognise your device on subsequent visits, remember your preferences, and collect information about how you use the site.
| Cookie Type | Purpose | Examples | Consent Required? |
|---|---|---|---|
| Strictly Necessary | Essential for the website to function. Cannot be disabled without breaking core functionality. | Session management, security tokens, CSRF protection | No โ legitimate interest |
| Analytics & Performance | Help us understand how visitors use the site โ which pages are most visited, how long sessions last, error pages | Google Analytics 4 (GA4), heatmapping tools | Yes โ your consent required |
| Functional | Enable enhanced features and personalisation โ remembering your preferences and language settings | Language preference, form field memory | Yes โ your consent required |
| Marketing / Targeting | Track visits across websites to show relevant advertising. We do not currently run advertising campaigns that use tracking cookies. | None currently deployed | Yes โ your consent required |
Managing your cookie preferences
You can manage your cookie preferences at any time by:
- Browser settings โ most browsers allow you to block or delete cookies. Check your browser's help documentation for instructions.
- Our cookie banner โ when you first visit our website, you are presented with a cookie consent banner. You can revisit your preferences at any time via the "Cookie Settings" link in our footer.
- Opt-out tools โ for specific third-party services (e.g., Google Analytics), you can use the provider's opt-out tools.
Please note that disabling cookies may affect the functionality of our website and your ability to use certain features.
9How Long We Keep Your Data
We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by law. Our retention periods are determined by the nature of the data, the purpose of processing, and any applicable legal or regulatory requirements.
10Your Data Protection Rights
Depending on where you are located, you have certain rights regarding your personal data. We take these rights seriously and will respond to all valid requests within the legally required timeframe โ typically 30 days.
You have the right to obtain a copy of the personal data we hold about you, information about why and how we process it, and details of any third parties we share it with.
GDPR Art.15 / DPDPA ยง11If your personal data is inaccurate or incomplete, you have the right to request that we correct it. We will update your data within 30 days of a verified request.
GDPR Art.16 / DPDPA ยง13You can request deletion of your personal data where there is no legal reason for us to continue processing it. This right is subject to our legal retention obligations.
GDPR Art.17 / DPDPA ยง12In certain circumstances, you can ask us to restrict processing of your data โ for example, while a complaint is being resolved or while you contest the accuracy of your data.
GDPR Art.18 / UK GDPRWhere processing is based on consent or contract, and carried out by automated means, you can request your data in a structured, machine-readable format to transfer to another service provider.
GDPR Art.20 / DPDPA ยง13You can object to processing based on legitimate interests or for direct marketing at any time. Where you object to direct marketing, we will stop immediately with no requirement to justify.
GDPR Art.21 / UK GDPRYou have the right not to be subject to decisions made solely by automated processing that produce significant legal effects. We do not currently use automated decision-making that produces such effects.
GDPR Art.22 / UK GDPRUnder India's DPDPA 2023, you may withdraw consent for processing at any time. Withdrawal will not affect the lawfulness of processing carried out before withdrawal. We will action requests within 30 days.
India DPDPA 2023 ยง611How We Protect Your Data
We take the security of your personal data seriously and have implemented appropriate technical and organisational measures to protect it against unauthorised access, accidental loss, alteration, disclosure, or destruction.
Technical Measures
- SSL/TLS encryption โ all data transmitted between your browser and our website is encrypted using TLS 1.2 or higher
- Encryption at rest โ sensitive data stored on our systems is encrypted using industry-standard algorithms
- Access controls โ personal data is accessible only to authorised staff on a need-to-know basis, protected by multi-factor authentication
- Firewalls and intrusion detection โ network perimeter security and monitoring for suspicious activity
- Regular backups โ data is backed up regularly to secure, geographically separate locations
Organisational Measures
- Staff training โ all staff who handle personal data receive regular data protection and cybersecurity training
- Data processing agreements โ all third-party processors are bound by written DPAs
- Privacy by design โ privacy considerations are built into all new processes and systems from inception
- Incident response โ we maintain a data breach response procedure and will notify you and relevant authorities in the event of a notifiable breach
12Children's Privacy
Our website and services are directed at businesses and business professionals. We do not knowingly collect personal data from children under the age of 18 (or the applicable age of digital consent in your jurisdiction).
Under India's DPDPA 2023, processing of personal data of children (under 18) requires verifiable parental or guardian consent before collection. As our services are exclusively B2B, we have no business requirement to process children's data.
If you believe a child has provided personal data to us without appropriate parental consent, please contact us immediately at info@londoncert.co.uk and we will promptly investigate and delete the data.
13Complaints & Regulatory Authorities
If you are not satisfied with how we have handled your personal data or responded to a data rights request, you have the right to lodge a complaint with the relevant supervisory authority.
| Your Location | Supervisory Authority | Contact |
|---|---|---|
| United Kingdom | Information Commissioner's Office (ICO) | ico.org.uk ยท 0303 123 1113 |
| European Union | Your national Data Protection Authority (DPA) โ e.g., CNIL (France), BfDI (Germany), AEPD (Spain) | Find your DPA at edpb.europa.eu |
| India | Data Protection Board of India (DPB) โ established under DPDP Rules 2025 (13 November 2025) | Contact via Ministry of Electronics and IT (MeitY): meity.gov.in |
14Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our data processing practices, changes in applicable law, or improvements in how we describe our practices. When we make changes, we update the "Last Updated" date at the top of this page.
For material changes that significantly affect your rights or how we use your data, we will provide additional notice โ for example, by sending an email notification to clients and subscribers, or by displaying a prominent notice on our website for at least 30 days before the change takes effect.
We encourage you to review this policy periodically. Continued use of our website or services after a policy update constitutes your acknowledgement of the revised policy.
Current version: Added India DPDPA 2023 and DPDP Rules 2025 compliance sections. Updated data retention schedules. Added rights under DPDPA. Updated international transfer safeguards. Added Data Protection Board of India to complaints section.
Initial privacy policy published. Coverage of GDPR (EU) and UK GDPR. Baseline data collection and processing disclosure.
15Contact Us โ Privacy Team
For any questions, concerns, or requests regarding this Privacy Policy or how we process your personal data, please contact our Privacy Team using any of the contact details below. We will respond to all privacy-related enquiries within 30 days.
When contacting us about a data privacy matter, please include: your full name, email address, the nature of your request or concern, and (if exercising a data right) the specific right you wish to exercise. This helps us identify you and process your request efficiently.
London E5 0DZ
United Kingdom
NSP, Pitampura, Delhi-110034
India
This Privacy Policy is governed by the laws of England and Wales (for UK/EU matters) and the laws of India (for DPDPA matters). London Cert Ltd is committed to handling your personal data with care, transparency, and respect for your rights.