Overview
Introduction
RACERT is an independent, UKAS-accredited certification body delivering audit and certification services against globally recognised ISO and ISO/IEC standards. The integrity with which we handle personal data is a direct expression of the compliance values we uphold for our clients.
This Privacy Notice describes what personal data we collect when you visit racert.com, enquire about our services, or engage with us through a certification or assessment process — and explains how we use, protect, and retain that data.
Important: By using our website or engaging with RACERT’s services, you confirm that you have read and understood the practices described in this Notice.
Section 1
Who We Are
RACERT operates as an independent certification body accredited by the United Kingdom Accreditation Service (UKAS) under accreditation number 10720. Our services include certification and assessment against ISO/IEC 27001, ISO/IEC 42001, ISO/IEC 27701, ISO 22301, ISO 9001, and other internationally recognised frameworks.
Our website address is https://racert.com. For any questions relating to how we handle your personal data, please reach out via our Contact Us page or email us at info@racert.com.
Section 2
Personal Data We Collect
The type of personal data we collect depends on how you interact with us.
Website Visitors
- IP address and browser type / user agent string
- Pages visited, session duration, and navigation patterns
- Device type, operating system, and screen resolution
- Referring source (how you arrived at our website)
Enquiries and Contact Forms
- Full name and email address
- Organisation name and job title
- Telephone number (if provided)
- Details shared within the body of your message
Certification and Assessment Clients
- Contact details of nominated personnel (name, email, role, phone)
- Organisational and operational information within the audit scope
- Audit records, findings, non-conformities, and corrective action plans
- Correspondence relating to certification decisions, complaints, or appeals
Newsletter and Blog Subscribers
- Email address
- Name (optional, if provided)
Sensitive data: We do not intentionally collect sensitive personal data (such as health information, racial or ethnic origin, religious beliefs, or biometric data) through this website. Please refrain from including sensitive information in any correspondence or contact form submissions.
Section 3
How We Collect Personal Data
We gather personal data through the following means:
- Direct interaction — contact forms, email, telephone, or written enquiries
- Certification engagement — information provided during the audit and certification process
- Automated website technologies — cookies and analytics tools running on racert.com
- Publicly available sources — such as company registers or professional directories where relevant to a certification engagement
Section 4
How We Use Your Personal Data
We process personal data only for defined, lawful purposes. The table below sets out our main processing activities and the legal basis for each.
| Purpose | Legal Basis |
|---|---|
| Responding to website enquiries and service requests | Legitimate interests / Pre-contractual steps |
| Conducting audits and issuing certification decisions | Performance of contract |
| Maintaining certification records and our public certificate directory | Legal obligation / Legitimate interests |
| Sending industry insights and blog updates (opted-in subscribers only) | Consent |
| Analysing website performance and improving user experience | Legitimate interests |
| Processing complaints, appeals, and formal feedback | Legal obligation / Legitimate interests |
| Meeting UKAS accreditation requirements and applicable regulations | Legal obligation |
| Protecting against fraud, security threats, and unlawful activity | Legitimate interests |
We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.
Data Minimisation
We limit what we collect to what is genuinely necessary for the stated purpose. We do not collect personal data speculatively or beyond what is proportionate to the service provided.
Section 5
Cookies & Tracking Technologies
Our website uses cookies — small text files stored on your device — to help us understand how visitors use the site and to maintain certain preferences across sessions.
Types of Cookies We Use
- Strictly necessary — required for core website functionality; cannot be disabled
- Analytics — via Google Analytics (deployed through Google Tag Manager) to track aggregated, anonymised usage patterns; no personally identifiable information is passed to Google
- Functional — used to remember preferences such as previously submitted form fields
Managing Your Cookie Preferences
You can manage or withdraw consent for non-essential cookies at any time through your browser settings. To prevent your data from being used by Google Analytics specifically, you may install Google’s opt-out browser add-on. Disabling certain cookies may affect the functionality of some parts of this website.
For further information on how Google processes data, see Google’s Privacy Policy.
Section 6
Who We Share Your Data With
We do not sell, rent, or trade your personal data to third parties. We may share data in limited circumstances with:
- UKAS — as required to maintain and demonstrate ongoing compliance with our accreditation obligations
- IT and hosting service providers — who operate our website and systems under appropriate data processing agreements
- Email and communication platforms — used solely to deliver certification-related communications or newsletter content you have subscribed to
- Legal, regulatory, or governmental authorities — where we are required to do so by applicable law, court order, or regulatory instruction
- Professional advisers — such as legal counsel, where necessary in connection with our legitimate business operations
Any third party receiving personal data from RACERT is required to process it securely and in compliance with applicable data protection law.
Section 7
How Long We Retain Your Data
We keep personal data only for as long as is necessary for the purpose for which it was collected, or as required by law or accreditation obligations.
| Data Category | Retention Period |
|---|---|
| Certification and audit records | Minimum 7 years from end of certification relationship |
| Enquiry and contact records | Up to 2 years from last contact, unless a certification engagement follows |
| Website analytics data | Up to 26 months in anonymised form |
| Newsletter subscriber data | Until unsubscribed or consent withdrawn |
Data retained for legal or accreditation purposes is held securely and is not used for any other purpose during the retention period.
Section 8
How We Protect Your Data
We apply appropriate technical and organisational security measures to protect personal data against unauthorised access, loss, disclosure, or misuse. Our approach to information security is consistent with the principles we assess our clients against under ISO/IEC 27001 — the international standard for information security management.
Access to personal data is restricted to staff who require it to carry out their role. Those individuals are trained in data protection responsibilities and are bound by confidentiality obligations.
While we take reasonable precautions, no system or method of transmission can be guaranteed to be completely secure. If you have reason to believe your personal data has been compromised, please contact us immediately via racert.com/contact-us or info@racert.com.
Section 9
Your Rights
Under UK GDPR and the Data Protection Act 2018, you have the following rights regarding your personal data:
- Right to AccessRequest a copy of the personal data we hold about you.
- Right to RectificationRequest correction of inaccurate or incomplete information.
- Right to ErasureRequest deletion where there is no lawful basis to continue holding it.
- Right to Restrict ProcessingAsk us to limit how we use your data in certain circumstances.
- Right to Data PortabilityReceive your data in a structured, machine-readable format where applicable.
- Right to ObjectObject to processing based on legitimate interests or for direct marketing.
- Right to Withdraw ConsentWithdraw consent at any time without affecting prior lawful processing.
- Right to Non-DiscriminationExercise any of these rights without any detriment to your service.
To exercise any of these rights, contact us at racert.com/contact-us or info@racert.com. We will respond within 30 days. In complex or high-volume cases this may be extended by up to two further months, and we will notify you accordingly.
Section 10
International Data Transfers
Where personal data is transferred outside the United Kingdom or the European Economic Area — for example, to cloud hosting providers or third-party software platforms — we ensure that such transfers are carried out in compliance with UK data protection law. This includes relying on appropriate safeguards such as Standard Contractual Clauses approved by the relevant supervisory authority, ensuring your data receives the same level of protection regardless of where it is processed.
Section 11
Third-Party Links
Our website may contain links to external sites, including those operated by standards bodies, accreditation authorities, and industry publications. This Privacy Notice does not govern those websites, and we have no responsibility for their content or privacy practices. We encourage you to review the privacy policies of any third-party sites before sharing personal data with them.
Section 12
Changes to This Notice
We review this Privacy Notice periodically and update it to reflect changes in our practices, services, or legal requirements. The revision date at the top of this page indicates when it was last updated. Where changes are material — for example, affecting how we use or disclose your data — we will highlight those changes clearly on the website.
Continued use of our website following any update constitutes acceptance of the revised Notice.
Section 13
Contact Us
If you have questions about this Privacy Notice or wish to exercise your data rights, please get in touch.
Get In Touch
Email: info@racert.com
Web: racert.com/contact-us
This Privacy Notice is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.