Privacy Policy

Last updated: September 29, 2025

This Privacy Policy explains how Certain Sustainability Inc. ("Certain", "we", "us") collects, uses, and shares personal information when you visit our website and when you submit information through our contact form. The contact form is the primary place where we collect personal information.

If we materially change what we collect or how we use data (for example, by enabling analytics or adding user accounts), we will update this Policy and, where required, request your consent.

Data Controller

Certain Sustainability Inc. is the controller of your personal information. You can reach us via the contact form on our homepage. If you prefer email, use the contact address published on our website and we will route your request appropriately.

What We Collect

When you use the contact form, we collect the information you provide so we can respond and assess fit for pilots or services. This may include:

  • Identity and contact: first name, last name, work email, organization, job title, country/region.
  • Business context: sector(s), sales/operating regions, products or material families, target certification schemes, current certification status, any existing schemes, team size/seats, data readiness, timeline, high‑level budget range, and other details you choose to share (e.g., production locations, market destinations, services, regions covered).
  • Preferences: interests, contact preference, and your consent to be contacted and for us to use the information to assess certification eligibility.
  • Message content and links you supply for context (e.g., shared docs/URLs).

Site operations may also generate minimal technical logs for security and debugging (e.g., error logs). We do not run third‑party analytics or advertising trackers at this time.

Why We Use Your Information (Legal Bases)

  • To respond to inquiries and provide information you request — based on our legitimate interests to communicate with prospective customers and perform pre‑contract steps.
  • To assess certification eligibility, match you to auditors or pilots, and improve our offering — based on legitimate interests, balanced against your privacy.
  • To send optional updates or marketing — based on your consent. You can withdraw consent at any time.
  • To protect our services, prevent abuse, and comply with legal obligations — based on legitimate interests and/or legal requirements.

Cookies and Tracking

We currently use only essential technology necessary to operate the site (and, if you sign in in the future, to maintain authentication sessions). We do not use analytics, advertising, or social media trackers at this time. If this changes, we will provide a notice and obtain consent where required.

How We Share Information

We do not sell personal information. We may share it with service providers who process data on our behalf for the purposes described above, subject to appropriate contracts:

  • Hosting and infrastructure providers for our website and email.
  • Business productivity/CRM tools (e.g., internal notes or lead management systems) to track follow‑ups and eligibility checks.
  • Optional scheduling or communications tools you choose to use (e.g., a calendar link), in which case information is shared directly by you with that provider.

We may also disclose information if required by law or to protect rights, safety, or the integrity of our services.

International Transfers

Our service providers may process data in countries outside your own (including the United States). Where applicable, we rely on lawful transfer mechanisms such as Standard Contractual Clauses and provider certifications. We take steps to help ensure your information remains protected.

Retention

We retain contact submissions for as long as needed to handle your inquiry and, unless a shorter period is appropriate, up to 24 months from our last interaction, or until you ask us to delete them. We may retain limited records as required by law or to resolve disputes.

Your Rights

Depending on your location, you may have rights to access, correct, delete, restrict or object to processing, and to data portability. Where we rely on consent, you may withdraw it at any time without affecting prior processing.

To exercise these rights, contact us via the homepage contact form. If you are in the EEA/UK, you also have the right to lodge a complaint with your local supervisory authority.

Children

Our site is not directed to children and we do not knowingly collect personal information from individuals under 16. If you believe a child has provided us with personal information, please contact us to request deletion.

Changes to This Policy

We may update this Policy to reflect changes to our practices. We will post the updated version here and update the "Last updated" date. Material changes will be highlighted and, where required, we will seek your consent.

How to Contact Us

For privacy questions or requests, please reach us through the contact form on our homepage. If you prefer email, use the contact address listed on our website and include "Privacy" in the subject line so we can route your message quickly.

Regional Notices

California (CPRA)

We do not sell or share personal information as defined by the CPRA. California residents may request access, deletion, or correction of their information and may limit use of sensitive personal information (we do not collect sensitive categories via the contact form). Submit requests through our contact form.

European Economic Area (EEA) and United Kingdom (GDPR)

If you are located in the EEA or UK, you have the following rights under the General Data Protection Regulation (GDPR):

  • Right of Access: You can request a copy of the personal information we hold about you, including details about how we process it.
  • Right to Rectification: You can request that we correct any inaccurate or incomplete personal information we hold about you.
  • Right to Erasure ("Right to be Forgotten"): You can request that we delete your personal information in certain circumstances, such as when it is no longer necessary for the purposes for which it was collected or if you withdraw consent.
  • Right to Restriction of Processing: You can request that we restrict the processing of your personal information in certain circumstances, such as while we verify the accuracy of data you have contested.
  • Right to Data Portability: You can request to receive your personal information in a structured, commonly used, and machine-readable format and have it transmitted to another controller where technically feasible.
  • Right to Object: You can object to the processing of your personal information where we rely on legitimate interests as our legal basis. You also have the right to object to direct marketing at any time.
  • Right to Withdraw Consent: Where we rely on your consent to process your personal information, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing based on consent before its withdrawal.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with your local supervisory authority if you believe our processing of your personal information violates the GDPR.

How to Exercise Your Rights: To exercise any of these rights, please contact us via the contact form on our homepage or email us at the address published on our website with "GDPR Request" in the subject line. Please include sufficient information to help us locate your data and specify which right(s) you wish to exercise.

We will respond to your request within 30 days of receipt, as required by GDPR Article 12. If your request is complex or we receive multiple requests from you, we may extend this period by up to two additional months and will inform you of any such extension.

You will not have to pay a fee to access your personal information or to exercise any of your other rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive, or we may refuse to comply with your request in these circumstances.