Privacy Policy

Last updated: 2026-05-27

This Privacy Policy describes how CIWZ Academy (the “Platform”) processes personal data of users and visitors in connection with the use of the website and available services (registration, authentication, Dashboard, Courses & Tests, Wallet management, certificate issuance/verification, support). This notice is written with an institutional, compliance-oriented approach (privacy-by-design and security-by-design). For general terms of use, please also refer to the Terms & Conditions: https://www.certificatoiwz.org/academy/terms.php.


Definitions and roles

Data Controller
The entity determining purposes and means of processing. The Controller’s contact details are made available through official channels shown in the Platform or on the reference website.
Data Subject
The individual to whom personal data relates (User/visitor).
Data Processor
A third party processing data on behalf of the Controller (e.g., hosting, email, analytics, payment providers).
Personal Data
Any information relating to an identified or identifiable natural person.

1. Scope

1.1 This Policy applies to processing activities performed through the Platform, for both registered users and visitors.
1.2 Some features (payments, email delivery, analytics) may involve third-party services operating under their own privacy notices.

2. Categories of data processed

2.1 Account and identification data: first/last name, email, credentials (stored in encrypted/hashed form), preferred language.
2.2 Usage and activity data: selected courses/tests, attempts, results, progress, timestamps, faculty committee validation outcomes (where applicable).
2.3 Wallet and transaction data: Wallet movements, amounts, currency, technical transaction IDs and receipts; sensitive payment data (e.g., card number) is not stored by the Platform and is processed by payment providers.
2.4 Technical and security data: IP address, user agent, access logs, system events, anti-abuse measures, application logs.
2.5 Support/communications data: content of requests submitted via forms or support channels (where available).

3. Purposes and legal bases

3.1 Service delivery and account management (registration, login, Dashboard, Courses/Tests, certificates): performance of a contract or pre-contractual measures.
3.2 Wallet and payments (top-ups, outcome tracking, reconciliation): performance of a contract; compliance with legal obligations (e.g., accounting/tax, where applicable).
3.3 Security, fraud/abuse prevention and Platform protection (logging, controls, audit trail): Controller’s legitimate interest and/or legal security obligations.
3.4 Service communications (operational notifications about account, tests, certificates): contract performance/legitimate interest.
3.5 Service improvement and analytics (where enabled): legitimate interest and/or consent depending on configuration and applicable law.
3.6 Handling support/complaints and data subject requests: legal obligations and/or legitimate interest.

4. Processing methods

4.1 Data is processed using IT tools and organizational procedures suitable to ensure confidentiality, integrity and availability.
4.2 Security-by-design measures, proportionate to the nature of the data and the risk, may include privilege segregation, CSRF protections, access controls, security logging and application hardening.
4.3 Credentials are not stored in plain text. Passwords are stored using cryptographic hashing with appropriate parameters/salting, where implemented.

5. Data sharing and recipients

5.1 Data may be shared with authorized personnel and necessary vendors (Processors) to provide the service (hosting, maintenance, email delivery, analytics, payment systems).
5.2 Payment providers (PayPal/Stripe): during top-ups/checkout, payment data is processed by those providers under their policies. The Platform typically receives outcomes/transaction IDs and metadata needed to record the top-up/operation.
5.3 Authorities and legal requirements: data may be disclosed to public bodies/authorities where required by law or to protect rights.

6. International transfers

6.1 Some vendors (e.g., cloud, email, analytics, payments) may process data outside the EEA. In such cases, the Controller aims to rely on appropriate safeguards (e.g., adequacy decisions, Standard Contractual Clauses, supplementary measures) depending on applicable law and vendor terms.
6.2 Detailed information on processing locations and transfers is provided in the vendors’ privacy notices.

7. Data retention

7.1 Account data: retained for as long as necessary to provide and manage the account; afterwards according to internal policies and applicable legal obligations.
7.2 Test results and certificate data: retained to ensure traceability, verifiability and audit trail, especially where certificates with QR/code verification are issued.
7.3 Wallet and transaction data: retained for accounting, reconciliation and dispute management, consistent with legal obligations and internal policies.
7.4 Security logs: retained for a period proportionate to security, abuse prevention and incident investigation purposes.
7.5 Support data: retained as needed to handle requests and, where useful, to improve the service and keep historical traceability.

8. Cookies and similar technologies

8.1 The Platform uses necessary technical cookies (session, authentication, language preference, CSRF protection) to provide essential functionality.
8.2 Where enabled, analytics cookies/tools may be used to measure aggregated performance and usage and improve service quality.
8.3 During payments, third-party providers (PayPal/Stripe) may set cookies or equivalent technologies according to their policies.
8.4 Users can manage cookies via browser settings; disabling technical cookies may impair login, Dashboard, Wallet and Tests.

9. Data subject rights

9.1 Data Subjects may exercise rights available under applicable law (e.g., access, rectification, erasure, restriction, portability, objection; where applicable, withdrawal of consent).
9.2 To exercise rights or submit privacy requests, use the official contact channels indicated within the Platform or on the reference website, providing information sufficient to identify the account and process the request.
9.3 Data Subjects may lodge a complaint with the competent supervisory authority, subject to applicable rules.

10. Minors

10.1 The Platform is not intended for minors unless explicitly stated and subject to applicable legal requirements.
10.2 If you believe a minor provided personal data without proper authorization, please contact the official channels indicated within the Platform for verification.

11. Changes to this Policy

11.1 The Controller may update this Policy due to legal changes, technical evolution or service changes. The last updated date is shown at the top of this page.
11.2 Continued use of the Platform after changes are published indicates acknowledgement of the updated notice.

12. Documentation and transparency

12.1 For operational details (registration, Wallet, Tests, validation and certificates), see the user guide: https://certificatoiwz.org/academy/user_guide.html.
12.2 For general terms of use, see the Terms & Conditions: https://www.certificatoiwz.org/academy/terms.php.


Simplified record of processing activities (Art. 30)

Below is a simplified record of the main processing activities performed through the Platform. Operational details (vendors/processors, locations, specific safeguards and precise retention schedules) are managed at organizational level and made available upon request according to internal procedures.

Each record below lists, for one processing activity: data subject categories, data categories, purposes, legal basis, recipients/processors, international transfers, retention and security measures (summary).

Processing activity: Account management and authentication (registration/login/Dashboard)
Data subject categories: Registered users
Data categories: Identification & contact; credentials (hash); language prefs; access logs
Purposes: Service delivery and access management
Legal basis: Contract / pre-contractual steps; legitimate interest (security)
Recipients / Processors: Hosting/maintenance; email provider (notifications); authorized staff
International transfers: Possible depending on vendors (see notices)
Retention: Account duration and technical time; security logs for a proportionate period
Security measures (summary): Access control; CSRF; logging; hardening; backups

Processing activity: Courses & Tests delivery, results and faculty committee validation
Data subject categories: Registered users
Data categories: Course/test activity; answers; results; attempts; timestamps; validation outcomes
Purposes: Competence assessment, traceability and audit trail
Legal basis: Contract; legitimate interest (assessment integrity)
Recipients / Processors: Authorized staff; Faculty committee (internal role)
International transfers: N/A unless third-party tools enabled
Retention: As needed for traceability/disputes; per internal policies
Security measures (summary): Randomization; rate limiting; anti-abuse controls; audit logs

Processing activity: Wallet: top-ups, ledger and reconciliation
Data subject categories: Registered users
Data categories: Wallet ledger; amounts; currency; transaction IDs; payment outcomes
Purposes: Credit management, reconciliation and disputes
Legal basis: Contract; legal obligations (where applicable); legitimate interest
Recipients / Processors: Payment providers (PayPal/Stripe); authorized staff; accounting (if any)
International transfers: Possible depending on payment provider
Retention: Per accounting/dispute needs and internal policies
Security measures (summary): Data minimization; no card storage; event logging

Processing activity: Certificate issuance and verification (QR/code)
Data subject categories: Certified users; verifiers (when using verification)
Data categories: Certificate data; identifier; QR/code; verification outcome metadata
Purposes: Issuance, availability and authenticity/integrity verification
Legal basis: Contract; legitimate interest (verifiability/anti-fraud)
Recipients / Processors: Hosting; PDF generation systems (if any); authorized staff
International transfers: N/A unless third-party vendors enabled
Retention: To ensure long-term verifiability; per scheme/policies
Security measures (summary): Unique IDs; access control; audit logs; document integrity

Processing activity: Support and request handling (forms/support)
Data subject categories: Users and visitors contacting the Platform
Data categories: Contact data; request content; technical metadata
Purposes: Support, complaints handling and privacy requests
Legal basis: Legitimate interest; legal obligation (rights requests)
Recipients / Processors: Email/helpdesk provider; authorized staff
International transfers: Possible depending on vendors
Retention: As needed to manage requests and keep useful history
Security measures (summary): Access restriction; logging; controlled retention

Processing activity: Security and abuse prevention (technical logging/monitoring)
Data subject categories: Users and visitors
Data categories: IP; user agent; events; login attempts; anti-fraud/abuse signals
Purposes: Security, continuity, fraud/abuse prevention
Legal basis: Legitimate interest; security obligations
Recipients / Processors: Hosting/security vendor; authorized staff
International transfers: Possible depending on vendors
Retention: Proportionate period for security and incident investigation
Security measures (summary): Hardening; rate limiting; alerting; backups; privilege segregation

Processing activity: Analytics/measurement (where enabled)
Data subject categories: Visitors and users
Data categories: Technical/navigation data; aggregated events; analytics cookies (if any)
Purposes: Improve performance and service quality
Legal basis: Legitimate interest and/or consent (per configuration/law)
Recipients / Processors: Analytics provider; authorized staff
International transfers: Possible depending on provider
Retention: Per analytics configuration and policies
Security measures (summary): Minimization; aggregation; access controls

Note: this is a simplified extract. The full record (including detailed processors/vendors, locations, transfers, safeguards and precise retention schedules) is maintained at organizational level and made available upon request according to internal procedures.