Closed alpha — onboarding slots available. Request access →
← Back to home

Privacy Policy

Effective date: 2026-06-04


1. Introduction

Company (registry code 14926155, “we”, “us”, “our”) operates the CERED platform and the website at ce-red.org (together, the “Service”). This Privacy Policy explains what personal data we collect, why we collect it, the legal bases we rely on under the General Data Protection Regulation (EU) 2016/679 (“GDPR”), and the rights you have over your data.

Please read this policy carefully. If you do not agree with it, you should not use the Service.


2. Data Controller

The data controller for personal data processed through the Service is:

Registry code: 14926155
Pärnu Mnt 148, Tallinn, Estonia
Email: support@ce-red.org

For all privacy enquiries, including the exercise of data subject rights, contact us at the email address above.


3. Personal Data We Collect

We collect the following categories of personal data depending on how you interact with the Service.

3.1 Website visitors

DataSource
IP address (anonymised or pseudonymised in analytics)Automatic
Browser type, operating system, device typeAutomatic
Pages visited, time spent, referring URLAutomatic
Cookie consent preferenceYou

3.2 Waitlist applicants

DataSource
Email addressYou
Optional free-text fields submitted on the waitlist formYou

3.3 Platform users (registered accounts)

DataSource
NameYou
Email addressYou
Organisation name and detailsYou
Product and compliance data you enter (product names, model numbers, test results, declarations, IXIT declarations, evidence documents)You
Session and activity data (pages visited, features used, actions taken)Automatic
Magic-link login tokens (short-lived, hashed)Automatic
Invitation and membership recordsYou / your organisation admin

3.4 Data we do not collect

We do not collect payment card details (we have no payment processing at this stage). We do not knowingly collect special-category personal data.


4. Purposes of Processing

PurposeCategories of data used
Providing and operating the platformAccount, compliance, and session data
Authentication (magic-link login)Email address, login tokens
Product analytics and service improvementAnonymised/pseudonymised usage data, session recordings
User identification in analytics for authenticated sessionsEmail address, name (PostHog)
AI-powered suggestions (ICS suggestions, test hints)Product and compliance data excerpts sent to OpenAI
Transactional email (invitations, access grants, notifications)Email address, name
Responding to enquiries submitted via contact formsEmail address, message content
Managing the waitlist and granting early accessEmail address, waitlist data
Legal compliance and enforcement of our TermsAny relevant data

Processing activityLegal basisArticle
Operating the platform for registered usersPerformance of a contractArt. 6(1)(b)
Magic-link authenticationPerformance of a contractArt. 6(1)(b)
Sending transactional emailsPerformance of a contractArt. 6(1)(b)
Analytics (PostHog) — authenticated sessionsLegitimate interest: improving the serviceArt. 6(1)(f)
Analytics (PostHog) — anonymous website visitorsConsent (via cookie banner)Art. 6(1)(a)
OpenAI-powered suggestionsLegitimate interest: providing platform featuresArt. 6(1)(f)
Waitlist managementLegitimate interest: pre-launch communicationsArt. 6(1)(f)
Enquiry responsesLegitimate interest: responding to queriesArt. 6(1)(f)
Legal compliance and enforcementLegal obligation / legitimate interestArt. 6(1)(c) / (f)

Where we rely on legitimate interest, you have the right to object to that processing (see Section 13).

Where we rely on consent, you may withdraw your consent at any time by adjusting your cookie preferences. Withdrawal does not affect the lawfulness of processing before withdrawal.


6. Cookies and Tracking

We use the following categories of cookies and similar technologies.

6.1 Strictly necessary cookies

These are required for the Service to function and cannot be disabled.

CookiePurposeDuration
cered_cookie_consentStores your cookie consent preference1 year
Session cookieMaintains your authenticated sessionSession

6.2 Analytics cookies (requires consent)

We use PostHog for product analytics, session recording, and feature usage measurement. PostHog may set first- and third-party cookies on your device. For authenticated users, PostHog receives your email address and name to link events to a user identity.

PostHog may transfer data to the United States. We have put in place appropriate safeguards (standard contractual clauses). See Section 10 for details.

You can withdraw consent for analytics cookies at any time via the cookie preference centre accessible from the footer of the Website.

6.3 Managing cookies

Most browsers allow you to refuse or delete cookies via their settings. Doing so may affect the functionality of the Service.


7. Marketing Communications

If you join the waitlist, we may send you Service-related updates about CERED’s launch and early-access availability. These messages are not promotional; they are a direct consequence of you requesting access. You may unsubscribe at any time by following the unsubscribe link in any such message or by emailing support@ce-red.org.

We do not send unsolicited marketing emails.


8. Sharing Personal Data

We share personal data only in the following circumstances.

8.1 Service providers (processors)

We use the following sub-processors. All are bound by data processing agreements that require them to process data only on our instructions and to maintain appropriate security.

ProviderPurposeLocation
PostHog (EU cloud)Product analytics and session recordingEU (Frankfurt)
OpenAIAI-powered compliance suggestionsUS
ResendTransactional emailEU (Frankfurt)
DigitalOceanServer and database hostingEU
SentryError monitoring and in-app feedbackUS

8.2 Organisation admins

Within the platform, your name and email address are visible to administrators of the organisation(s) you belong to. This is inherent to the multi-tenant design of the Service.

8.3 Legal requirements

We may disclose personal data if required to do so by law or in response to valid requests by public authorities (e.g. courts, regulators).

8.4 Business transfers

If we are involved in a merger, acquisition, or sale of all or a portion of our assets, personal data may be transferred as part of that transaction. We will notify affected users by email and/or prominent notice on the Website before data is transferred and becomes subject to a different privacy policy.

We do not sell personal data.


9. AI-Powered Features

Some platform features use OpenAI’s API to generate compliance suggestions, ICS statement hints, and similar outputs. When you use these features, relevant excerpts of the compliance data you have entered (e.g. product category, selected standards, assessment responses) are sent to OpenAI for processing.

We do not send your name, email address, or directly identifying information to OpenAI unless you have included such information in the compliance data itself. We use OpenAI’s paid API tier, which is covered by a Data Processing Agreement; OpenAI does not use API-submitted data to train its models.


10. International Transfers

Most of our service providers process data within the EEA. The following providers are based in the United States; transfers to them are made under Standard Contractual Clauses (SCCs) approved by the European Commission:

ProviderData transferred
OpenAICompliance data excerpts used for AI suggestions
SentryError logs, stack traces, and in-app feedback submitted by authenticated users

PostHog, Resend, and DigitalOcean process data within the EU and no third-country transfer mechanism is required for those providers.

OpenAI’s paid API tier is subject to a Data Processing Agreement; data submitted via the API is not used to train models. You may request a copy of any SCC by contacting us at support@ce-red.org.


11. Data Retention

We retain personal data for as long as necessary for the purpose for which it was collected, subject to the following:

DataRetention period
Registered user account dataFor the duration of your account plus 3 years after closure
Compliance and product dataFor the duration of your organisation’s subscription plus 3 years, or 10 years where required by EU product compliance record-keeping obligations
Waitlist entriesUntil access is granted or denied, then deleted within 12 months
Analytics data (PostHog)Per PostHog’s retention settings; typically up to 7 years for aggregated events
Contact form submissions3 years from submission
Login tokensExpire after a short period (minutes); purged on use or expiry

When data is no longer needed, we delete or anonymise it securely.


12. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or alteration, including:

No security measures are infallible. If you have reason to believe your interaction with the Service is no longer secure, please notify us immediately at support@ce-red.org.


13. Your Data Subject Rights

Under the GDPR, you have the following rights in respect of the personal data we hold about you:

RightWhat it means
AccessObtain a copy of the personal data we hold about you
RectificationHave inaccurate or incomplete data corrected
ErasureRequest deletion of your data where there is no legitimate ground for continued processing
RestrictionAsk us to suspend processing of your data in certain circumstances
PortabilityReceive your data in a machine-readable format or have it transferred to another controller
ObjectionObject to processing based on legitimate interest; we must stop unless we can demonstrate compelling legitimate grounds
Withdraw consentWithdraw consent at any time without affecting prior lawful processing
Not to be subject to automated decisionsNot be subject to solely automated decisions that produce significant legal effects

To exercise any of these rights, email support@ce-red.org. We will respond within one month. We may ask you to verify your identity before processing your request.

If you are not satisfied with our response, you have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, www.aki.ee) or with the data protection authority in your country of residence within the EU.


14. Children

The Service is not directed to persons under the age of 18. We do not knowingly collect personal data from children. If you believe a child has submitted personal data to us, please contact us at support@ce-red.org and we will delete it promptly.


15. Third-Party Websites

The Website and platform may contain links to third-party websites, including regulatory bodies, standardisation organisations, and integrations. This Privacy Policy does not apply to those sites. We recommend reading the privacy policy of any third-party site you visit.


16. Changes to This Policy

We may update this Privacy Policy from time to time. The “Effective date” at the top of this page will reflect the date of the most recent revision. Where changes are material, we will notify registered users by email. Your continued use of the Service after an update constitutes acceptance of the revised policy.


17. Contact

For any privacy-related enquiries, requests to exercise your rights, or to report a concern:

Registry code: 14926155
Pärnu Mnt 148, Tallinn, Estonia
Email: support@ce-red.org