๐Ÿ‡ฌ๐Ÿ‡ง UK-Registered Certification Body India: +91 88513 03712 UK: +44 7700 000000
5.0 Google Rating ยท 36+ Reviews
Homeโ€บPrivacy Policy
Legal Document ยท Privacy Policy

Privacy Policy

This Privacy Policy explains how London Cert Ltd collects, uses, stores, and protects your personal data when you use our website or services. We are committed to protecting your privacy and handling your data transparently, lawfully, and securely.

Data Controller: London Cert Ltd
Governing Law: GDPR ยท UK GDPR ยท India DPDPA
Last Updated: 10 June 2024
Effective: 10 June 2024
Last updated: 10 June 2024
Plain English Summary

London Cert Ltd collects only the personal data we need to run our website and deliver ISO certification and cybersecurity services โ€” never more. Key points: (1) We never sell your data to anyone; (2) We process data under GDPR, UK GDPR, and India's DPDPA 2023; (3) You can access, correct, delete, or export your data at any time by emailing us; (4) We keep data only as long as legally necessary; (5) You can complain to the ICO, your national DPA, or India's Data Protection Board if you're unhappy with how we've handled a request. Full details in the sections below.

1Who We Are โ€” Data Controller

London Cert Ltd ("London Cert", "we", "us", "our") is a UK-registered, IAF-accredited third-party ISO certification body. We provide ISO certification, cybersecurity compliance, and related consultancy services to businesses globally.

For the purposes of applicable data protection law โ€” including the EU General Data Protection Regulation (GDPR), the UK GDPR and Data Protection Act 2018, and India's Digital Personal Data Protection Act 2023 (DPDPA) โ€” London Cert Ltd is the Data Controller (also referred to as "Data Fiduciary" under India's DPDPA) in respect of any personal data we hold about you.

Data Controller / Data Fiduciary:London Cert Ltd, Registered in England & Wales. Registered Office: 82, Adley Street, London E5 0DZ, United Kingdom. India Office: 458, 4th Floor, Aggarwal Metro Heights, NSP, Pitampura, Delhi-110034, India.

This Privacy Policy applies to:

  • Visitors to our website londoncert.co.uk and all associated subdomains
  • Individuals who submit enquiries, forms, or contact us via any channel
  • Business contacts and representatives of client organisations
  • Candidates for ISO certification and related services
  • All persons whose personal data we process in the course of providing our services

By using our website or submitting your information to us, you acknowledge that you have read and understood this Privacy Policy.

2Personal Data We Collect

We collect only the personal data that is necessary for the specific purposes described in this policy (the data minimisation principle). The categories of personal data we may collect include:

CategoryData ElementsWhy Collected
Identity DataFull name, job title, designationTo identify you and address correspondence correctly
Contact DataEmail address, mobile number, office phone, postal addressTo respond to enquiries, deliver services, and send updates
Business DataCompany name, company size, industry sector, number of employees, business addressTo assess certification requirements and provide relevant services
Transaction DataService details, invoice information, payment records (non-card)To manage service delivery, billing, and financial records
Technical DataIP address, browser type, device type, operating system, referring URL, pages visited, time on siteWebsite analytics, security monitoring, improving user experience
Communication DataEmail correspondence, WhatsApp messages, contact form submissions, chat logsTo manage our relationship with you and improve our services
Marketing DataCommunication preferences, service interests, opt-in/opt-out recordsTo send relevant marketing communications (only with your consent)
Certification DataAudit documents, quality management records, process information, organisational details submitted for certificationTo conduct ISO certification audits and issue certificates
Sensitive Data: We do not intentionally collect special categories of personal data (health data, racial/ethnic origin, religious beliefs, biometric data, etc.) through our website or certification processes. If you believe you have inadvertently provided such data, please contact us immediately at info@londoncert.co.uk so we can delete it.
Business Data: Much of the data we process relates to your business or organisation, not to you personally. Where we process personal data of your employees or representatives in the course of providing certification services, you are responsible for ensuring they have been informed and that you have a lawful basis for sharing their data with us.

3How We Collect Your Data

Direct collection โ€” data you provide to us

We collect personal data directly from you when you:

  • Complete and submit any enquiry or contact form on our website
  • Request a quote for ISO certification or cybersecurity services
  • Contact us via telephone, WhatsApp, email, or live chat
  • Enter into a service agreement or certification contract with us
  • Submit documents, questionnaires, or information as part of a certification audit
  • Subscribe to our newsletter, blog, or marketing communications
  • Engage with us on LinkedIn, Facebook, Instagram, or other social platforms

Automated collection โ€” data collected through technology

When you visit our website, we automatically collect certain technical data through cookies, web server logs, and similar technologies. This includes your IP address, browser type, device information, the pages you visit, and how long you spend on each page. This data is used to improve website performance and security, and for analytics purposes. Please see Section 8 (Cookies) for full details.

Third-party sources

We may occasionally receive data about you from third parties including: business directories and databases used to identify potential clients; social media platforms when you interact with our business pages; and referral sources when a client or partner refers you to us. We ensure that any such data is obtained lawfully and that the source had the right to share it with us.

4Why We Process โ€” Our Purposes

We process your personal data only for the specific, legitimate purposes described below. We do not process your data for any purpose that is incompatible with the purpose for which it was collected.

PurposeDescriptionData Used
Service DeliveryProviding ISO certification, audit, and cybersecurity services you have engaged us forIdentity, Contact, Business, Certification
Enquiry ManagementResponding to your enquiries, quote requests, and providing information about our servicesIdentity, Contact, Communication
Contract ManagementEntering into, performing, and managing service contracts and certification agreementsIdentity, Contact, Business, Transaction
Billing & FinanceInvoicing, processing payments, and maintaining financial records as required by lawIdentity, Contact, Transaction
Certificate IssuanceIssuing, managing, and verifying ISO certificates on behalf of clientsBusiness, Certification
Website AnalyticsUnderstanding how visitors use our website to improve content and user experienceTechnical
MarketingSending service updates, industry news, and promotional communications (with your consent)Contact, Marketing
Legal ComplianceComplying with legal obligations including tax records, accreditation requirements, and regulatory reportingAll categories as required
Security & Fraud PreventionDetecting, preventing, and investigating fraud, security incidents, and misuse of our servicesTechnical, Identity, Communication
Purpose Limitation: We will never sell your personal data to third parties. We will never use your data for automated profiling or decision-making that produces significant legal effects. We will never use certification-related documents submitted by your business for any purpose other than conducting the certification audit and issuing the certificate.

5Legal Basis for Processing

Where applicable law requires us to identify a legal basis for processing personal data โ€” including under EU GDPR, UK GDPR, India's DPDPA 2023, and DPDP Rules 2025 โ€” we rely on one or more of the following:

EU GDPR 2016/679
Articles 6, 7, 9
UK GDPR & DPA 2018
UK Schedule 1
India DPDPA 2023
DPDP Rules 2025
IT Act 2000 (India)
SPDI Rules 2011
Legal BasisWhen We Rely On ItApplicable Law
ConsentWhen you opt in to marketing communications; when cookies are set; when you expressly agree to data processing at the point of collectionGDPR Art.6(1)(a); UK GDPR; DPDPA 2023 ยง4โ€“6
Contract PerformanceProcessing necessary to deliver the certification or cybersecurity service you have engaged us for; managing the service contractGDPR Art.6(1)(b); UK GDPR; DPDPA "contractual necessity"
Legal ObligationRetaining financial records for tax purposes; responding to lawful regulatory or law enforcement requests; maintaining accreditation recordsGDPR Art.6(1)(c); UK GDPR; Indian Companies Act, IT Act
Legitimate InterestsWebsite analytics; security monitoring; fraud prevention; responding to unsolicited enquiries; improving our services. We only rely on this basis where our interests are not overridden by your fundamental rights.GDPR Art.6(1)(f); UK GDPR. DPDPA has no direct equivalent โ€” we use consent or contractual necessity for Indian data principals.
Vital InterestsIn exceptional circumstances where processing is necessary to protect lifeGDPR Art.6(1)(d); UK GDPR
India DPDPA Note: The DPDPA 2023 requires that we only collect the necessary data required for the specific purpose and delete it when no longer necessary. For Indian data principals (users), our primary lawful basis is your consent, which we collect at the point of data submission. You may withdraw your consent at any time by contacting us at info@londoncert.co.uk.
Withdrawing Consent:Where we rely on your consent as the legal basis for processing, you have the right to withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal. To withdraw consent, email info@londoncert.co.uk with the subject "Withdraw Consent" and we will action your request within 30 days.

6Who We Share Your Data With

We do not sell, rent, or trade your personal data to any third party. We share your data only in the limited circumstances described below and only to the extent necessary for the relevant purpose.

RecipientReason for SharingSafeguards
Service ProvidersIT hosting, email delivery, CRM, accounting software, and analytics providers who process data on our behalf as data processorsBound by data processing agreements (DPAs); restricted to processing only as instructed by us
Accreditation BodiesIAF and associated accreditation bodies that require audit records for our accreditation maintenance and oversightContractual restrictions; accreditation body data protection frameworks
Payment ProcessorsBanks and payment service providers for processing invoices and payments related to our servicesPCI-DSS compliance; subject to their own privacy policies
Professional AdvisersLegal, financial, and compliance advisers engaged to support our business operationsProfessional confidentiality obligations; contractual restrictions
Law Enforcement / RegulatorsWhere required by law, court order, or government authority; to investigate fraud or security incidentsOnly disclosed to the extent legally required; we will notify you where legally permitted to do so
Business SuccessionIn the event of a merger, acquisition, or sale of all or part of our business, personal data may be transferred as part of that transactionThe acquirer will be required to handle data in accordance with this policy; we will notify you
No Data Selling: London Cert Ltd will never sell, rent, license, or commercially exploit your personal data. We do not allow third-party advertising networks to collect data through our website. Our service providers are contractually prohibited from using your data for any purpose other than providing services to us.

7International Data Transfers

London Cert Ltd operates from the United Kingdom and India and serves clients globally. As a result, your personal data may be transferred to and processed in countries outside your home country, including between the UK and India.

UK India Transfers

Where we transfer personal data between our UK and India offices, we ensure that appropriate safeguards are in place. For transfers from the UK to India and vice versa, we rely on:

  • Standard Contractual Clauses (SCCs) โ€” the UK International Data Transfer Agreements (IDTAs) or EU SCCs as applicable
  • Binding Corporate Arrangements โ€” internal data transfer policies between our offices
  • Your consent โ€” where you have explicitly consented to the transfer after being informed of its nature

Transfers to Other Countries

Where our service providers process your data outside the UK or European Economic Area (EEA), we ensure adequate protection through Standard Contractual Clauses, adequacy decisions, or other approved transfer mechanisms. We do not transfer data to countries that do not provide adequate protection without appropriate safeguards.

India DPDPA โ€” Cross-Border Transfers:India's DPDP framework introduces concepts such as significant fiduciaries and localisation requirements for specified categories of data. We monitor the DPDP Rules 2025 and will update our transfer practices as required by the Data Protection Board of India's guidance on cross-border data transfers.

8Cookies & Tracking Technologies

Our website uses cookies and similar technologies to operate the website, analyse how it is used, and improve your experience. This section explains what cookies we use and how you can control them.

What are cookies?

Cookies are small text files placed on your device by a website when you visit it. They allow the website to recognise your device on subsequent visits, remember your preferences, and collect information about how you use the site.

Cookie TypePurposeExamplesConsent Required?
Strictly NecessaryEssential for the website to function. Cannot be disabled without breaking core functionality.Session management, security tokens, CSRF protectionNo โ€” legitimate interest
Analytics & PerformanceHelp us understand how visitors use the site โ€” which pages are most visited, how long sessions last, error pagesGoogle Analytics 4 (GA4), heatmapping toolsYes โ€” your consent required
FunctionalEnable enhanced features and personalisation โ€” remembering your preferences and language settingsLanguage preference, form field memoryYes โ€” your consent required
Marketing / TargetingTrack visits across websites to show relevant advertising. We do not currently run advertising campaigns that use tracking cookies.None currently deployedYes โ€” your consent required
Google Analytics 4: We use GA4 to understand aggregate website usage. GA4 data is anonymised before processing and does not identify individual users. IP addresses are anonymised. You can opt out of GA4 tracking by installing the Google Analytics Opt-out Browser Add-on.

Managing your cookie preferences

You can manage your cookie preferences at any time by:

  • Browser settings โ€” most browsers allow you to block or delete cookies. Check your browser's help documentation for instructions.
  • Our cookie banner โ€” when you first visit our website, you are presented with a cookie consent banner. You can revisit your preferences at any time via the "Cookie Settings" link in our footer.
  • Opt-out tools โ€” for specific third-party services (e.g., Google Analytics), you can use the provider's opt-out tools.

Please note that disabling cookies may affect the functionality of our website and your ability to use certain features.

9How Long We Keep Your Data

We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by law. Our retention periods are determined by the nature of the data, the purpose of processing, and any applicable legal or regulatory requirements.

ISO Certification Records
7 Years
IAF accreditation requirements mandate that certification records be retained for the certificate validity period plus the preceding cycle. Minimum 7 years from certificate expiry.
Financial & Transaction Records
7 Years
Companies Act 2006 (UK) and Income Tax Act 1961 (India) require financial records to be retained for a minimum of 7 years from the end of the relevant financial year.
Enquiry & Contact Form Data
3 Years
Retained to manage ongoing client relationships, respond to follow-up enquiries, and for dispute resolution purposes. Deleted after 3 years of inactivity unless converted to a client.
Marketing Communication Records
Until opt-out + 1 Year
Consent records and communication preferences are retained for 1 year after you unsubscribe to demonstrate compliance and prevent accidental re-addition to mailing lists.
Website Analytics Data
26 Months
Google Analytics 4 standard retention period of 26 months for user and event data. Aggregate reports may be retained indefinitely as they contain no personal data.
Email Correspondence
5 Years
Business correspondence retained for 5 years for dispute resolution, client service continuity, and as evidence of agreed service terms.
Audit Documentation
7 Years from Audit Date
Audit findings, non-conformance reports, and audit evidence retained for 7 years per ISO accreditation body requirements and to support surveillance audit continuity.
Unsolicited / No-Longer-Needed Data
30 Days
Data we determine we have no need for or no lawful basis to hold (including accidental receipt of special category data) is deleted within 30 days of identification.
Deletion on Request: Subject to our legal retention obligations (such as financial record-keeping requirements), you can request deletion of your personal data at any time. See Section 10 (Your Rights) for how to exercise your right to erasure. We will confirm deletion within 30 days of your verified request.

10Your Data Protection Rights

Depending on where you are located, you have certain rights regarding your personal data. We take these rights seriously and will respond to all valid requests within the legally required timeframe โ€” typically 30 days.

Right to Access (Subject Access)

You have the right to obtain a copy of the personal data we hold about you, information about why and how we process it, and details of any third parties we share it with.

GDPR Art.15 / DPDPA ยง11
Right to Rectification

If your personal data is inaccurate or incomplete, you have the right to request that we correct it. We will update your data within 30 days of a verified request.

GDPR Art.16 / DPDPA ยง13
Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data where there is no legal reason for us to continue processing it. This right is subject to our legal retention obligations.

GDPR Art.17 / DPDPA ยง12
Right to Restriction of Processing

In certain circumstances, you can ask us to restrict processing of your data โ€” for example, while a complaint is being resolved or while you contest the accuracy of your data.

GDPR Art.18 / UK GDPR
Right to Data Portability

Where processing is based on consent or contract, and carried out by automated means, you can request your data in a structured, machine-readable format to transfer to another service provider.

GDPR Art.20 / DPDPA ยง13
Right to Object

You can object to processing based on legitimate interests or for direct marketing at any time. Where you object to direct marketing, we will stop immediately with no requirement to justify.

GDPR Art.21 / UK GDPR
Rights re: Automated Decisions

You have the right not to be subject to decisions made solely by automated processing that produce significant legal effects. We do not currently use automated decision-making that produces such effects.

GDPR Art.22 / UK GDPR
Right to Withdraw Consent (India)

Under India's DPDPA 2023, you may withdraw consent for processing at any time. Withdrawal will not affect the lawfulness of processing carried out before withdrawal. We will action requests within 30 days.

India DPDPA 2023 ยง6
How to Exercise Your Rights: Submit a written request to info@londoncert.co.ukwith the subject line "Data Subject Request". Include your full name, email address, and the specific right you wish to exercise. We will verify your identity before processing the request. No fee is charged for most requests. We will respond within 30 days (extendable by 2 months for complex requests, with notification).
Identity Verification: To protect your privacy, we will verify your identity before processing any data rights request. This means we may ask you to provide proof of identity. We cannot action requests from unverified individuals.

11How We Protect Your Data

We take the security of your personal data seriously and have implemented appropriate technical and organisational measures to protect it against unauthorised access, accidental loss, alteration, disclosure, or destruction.

Technical Measures

  • SSL/TLS encryption โ€” all data transmitted between your browser and our website is encrypted using TLS 1.2 or higher
  • Encryption at rest โ€” sensitive data stored on our systems is encrypted using industry-standard algorithms
  • Access controls โ€” personal data is accessible only to authorised staff on a need-to-know basis, protected by multi-factor authentication
  • Firewalls and intrusion detection โ€” network perimeter security and monitoring for suspicious activity
  • Regular backups โ€” data is backed up regularly to secure, geographically separate locations

Organisational Measures

  • Staff training โ€” all staff who handle personal data receive regular data protection and cybersecurity training
  • Data processing agreements โ€” all third-party processors are bound by written DPAs
  • Privacy by design โ€” privacy considerations are built into all new processes and systems from inception
  • Incident response โ€” we maintain a data breach response procedure and will notify you and relevant authorities in the event of a notifiable breach
Breach Notification: In the event of a personal data breach that is likely to affect your rights and freedoms, we will notify you without undue delay and, where required by law, within 72 hours of becoming aware (GDPR/UK GDPR) or within 72 hours under India DPDPA. We will provide details of the breach, its likely consequences, and the measures we have taken or propose to take.

12Children's Privacy

Our website and services are directed at businesses and business professionals. We do not knowingly collect personal data from children under the age of 18 (or the applicable age of digital consent in your jurisdiction).

Under India's DPDPA 2023, processing of personal data of children (under 18) requires verifiable parental or guardian consent before collection. As our services are exclusively B2B, we have no business requirement to process children's data.

If you believe a child has provided personal data to us without appropriate parental consent, please contact us immediately at info@londoncert.co.uk and we will promptly investigate and delete the data.

If you are under 18: Our website and services are not intended for persons under 18. If you are under 18, please do not submit any personal data to us and ask a parent or guardian to make any enquiries on your behalf.

13Complaints & Regulatory Authorities

If you are not satisfied with how we have handled your personal data or responded to a data rights request, you have the right to lodge a complaint with the relevant supervisory authority.

Your LocationSupervisory AuthorityContact
United KingdomInformation Commissioner's Office (ICO)ico.org.uk ยท 0303 123 1113
European UnionYour national Data Protection Authority (DPA) โ€” e.g., CNIL (France), BfDI (Germany), AEPD (Spain)Find your DPA at edpb.europa.eu
IndiaData Protection Board of India (DPB) โ€” established under DPDP Rules 2025 (13 November 2025)Contact via Ministry of Electronics and IT (MeitY): meity.gov.in
Preferred approach โ€” contact us first: Before lodging a complaint with a supervisory authority, we would appreciate the opportunity to address your concerns directly. Please email info@londoncert.co.ukwith the subject "Privacy Complaint" and we will aim to resolve your concern within 30 days. This does not affect your right to complain to a supervisory authority at any time.

14Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our data processing practices, changes in applicable law, or improvements in how we describe our practices. When we make changes, we update the "Last Updated" date at the top of this page.

For material changes that significantly affect your rights or how we use your data, we will provide additional notice โ€” for example, by sending an email notification to clients and subscribers, or by displaying a prominent notice on our website for at least 30 days before the change takes effect.

We encourage you to review this policy periodically. Continued use of our website or services after a policy update constitutes your acknowledgement of the revised policy.

Policy Update History
Jun 2024

Current version: Added India DPDPA 2023 and DPDP Rules 2025 compliance sections. Updated data retention schedules. Added rights under DPDPA. Updated international transfer safeguards. Added Data Protection Board of India to complaints section.

Mar 2022

Initial privacy policy published. Coverage of GDPR (EU) and UK GDPR. Baseline data collection and processing disclosure.

15Contact Us โ€” Privacy Team

For any questions, concerns, or requests regarding this Privacy Policy or how we process your personal data, please contact our Privacy Team using any of the contact details below. We will respond to all privacy-related enquiries within 30 days.

When contacting us about a data privacy matter, please include: your full name, email address, the nature of your request or concern, and (if exercising a data right) the specific right you wish to exercise. This helps us identify you and process your request efficiently.

India Office
+91 88513 03712
UK Registered Address
82, Adley Street
London E5 0DZ
United Kingdom
India Office Address
458, 4th Floor, Aggarwal Metro Heights
NSP, Pitampura, Delhi-110034
India
WhatsApp โ€” Fastest Response
+91 88513 03712 (WhatsApp)
Response Commitment: We will acknowledge all privacy requests within 5 working days and aim to fully respond within 30 calendar days. For complex requests, we may extend this by up to 2 additional months, but will notify you within the first 30 days if this is the case.

This Privacy Policy is governed by the laws of England and Wales (for UK/EU matters) and the laws of India (for DPDPA matters). London Cert Ltd is committed to handling your personal data with care, transparency, and respect for your rights.

Chat with us