Privacy Policy
Effective date: 2026-06-04
1. Introduction
Company (registry code 14926155, “we”, “us”, “our”) operates the CERED platform and the website at ce-red.org (together, the “Service”). This Privacy Policy explains what personal data we collect, why we collect it, the legal bases we rely on under the General Data Protection Regulation (EU) 2016/679 (“GDPR”), and the rights you have over your data.
Please read this policy carefully. If you do not agree with it, you should not use the Service.
2. Data Controller
The data controller for personal data processed through the Service is:
For all privacy enquiries, including the exercise of data subject rights, contact us at the email address above.
3. Personal Data We Collect
We collect the following categories of personal data depending on how you interact with the Service.
3.1 Website visitors
| Data | Source |
|---|---|
| IP address (anonymised or pseudonymised in analytics) | Automatic |
| Browser type, operating system, device type | Automatic |
| Pages visited, time spent, referring URL | Automatic |
| Cookie consent preference | You |
3.2 Waitlist applicants
| Data | Source |
|---|---|
| Email address | You |
| Optional free-text fields submitted on the waitlist form | You |
3.3 Platform users (registered accounts)
| Data | Source |
|---|---|
| Name | You |
| Email address | You |
| Organisation name and details | You |
| Product and compliance data you enter (product names, model numbers, test results, declarations, IXIT declarations, evidence documents) | You |
| Session and activity data (pages visited, features used, actions taken) | Automatic |
| Magic-link login tokens (short-lived, hashed) | Automatic |
| Invitation and membership records | You / your organisation admin |
3.4 Data we do not collect
We do not collect payment card details (we have no payment processing at this stage). We do not knowingly collect special-category personal data.
4. Purposes of Processing
| Purpose | Categories of data used |
|---|---|
| Providing and operating the platform | Account, compliance, and session data |
| Authentication (magic-link login) | Email address, login tokens |
| Product analytics and service improvement | Anonymised/pseudonymised usage data, session recordings |
| User identification in analytics for authenticated sessions | Email address, name (PostHog) |
| AI-powered suggestions (ICS suggestions, test hints) | Product and compliance data excerpts sent to OpenAI |
| Transactional email (invitations, access grants, notifications) | Email address, name |
| Responding to enquiries submitted via contact forms | Email address, message content |
| Managing the waitlist and granting early access | Email address, waitlist data |
| Legal compliance and enforcement of our Terms | Any relevant data |
5. Legal Bases (GDPR)
| Processing activity | Legal basis | Article |
|---|---|---|
| Operating the platform for registered users | Performance of a contract | Art. 6(1)(b) |
| Magic-link authentication | Performance of a contract | Art. 6(1)(b) |
| Sending transactional emails | Performance of a contract | Art. 6(1)(b) |
| Analytics (PostHog) — authenticated sessions | Legitimate interest: improving the service | Art. 6(1)(f) |
| Analytics (PostHog) — anonymous website visitors | Consent (via cookie banner) | Art. 6(1)(a) |
| OpenAI-powered suggestions | Legitimate interest: providing platform features | Art. 6(1)(f) |
| Waitlist management | Legitimate interest: pre-launch communications | Art. 6(1)(f) |
| Enquiry responses | Legitimate interest: responding to queries | Art. 6(1)(f) |
| Legal compliance and enforcement | Legal obligation / legitimate interest | Art. 6(1)(c) / (f) |
Where we rely on legitimate interest, you have the right to object to that processing (see Section 13).
Where we rely on consent, you may withdraw your consent at any time by adjusting your cookie preferences. Withdrawal does not affect the lawfulness of processing before withdrawal.
6. Cookies and Tracking
We use the following categories of cookies and similar technologies.
6.1 Strictly necessary cookies
These are required for the Service to function and cannot be disabled.
| Cookie | Purpose | Duration |
|---|---|---|
| cered_cookie_consent | Stores your cookie consent preference | 1 year |
| Session cookie | Maintains your authenticated session | Session |
6.2 Analytics cookies (requires consent)
We use PostHog for product analytics, session recording, and feature usage measurement. PostHog may set first- and third-party cookies on your device. For authenticated users, PostHog receives your email address and name to link events to a user identity.
PostHog may transfer data to the United States. We have put in place appropriate safeguards (standard contractual clauses). See Section 10 for details.
You can withdraw consent for analytics cookies at any time via the cookie preference centre accessible from the footer of the Website.
6.3 Managing cookies
Most browsers allow you to refuse or delete cookies via their settings. Doing so may affect the functionality of the Service.
7. Marketing Communications
If you join the waitlist, we may send you Service-related updates about CERED’s launch and early-access availability. These messages are not promotional; they are a direct consequence of you requesting access. You may unsubscribe at any time by following the unsubscribe link in any such message or by emailing support@ce-red.org.
We do not send unsolicited marketing emails.
8. Sharing Personal Data
We share personal data only in the following circumstances.
8.1 Service providers (processors)
We use the following sub-processors. All are bound by data processing agreements that require them to process data only on our instructions and to maintain appropriate security.
| Provider | Purpose | Location |
|---|---|---|
| PostHog (EU cloud) | Product analytics and session recording | EU (Frankfurt) |
| OpenAI | AI-powered compliance suggestions | US |
| Resend | Transactional email | EU (Frankfurt) |
| DigitalOcean | Server and database hosting | EU |
| Sentry | Error monitoring and in-app feedback | US |
8.2 Organisation admins
Within the platform, your name and email address are visible to administrators of the organisation(s) you belong to. This is inherent to the multi-tenant design of the Service.
8.3 Legal requirements
We may disclose personal data if required to do so by law or in response to valid requests by public authorities (e.g. courts, regulators).
8.4 Business transfers
If we are involved in a merger, acquisition, or sale of all or a portion of our assets, personal data may be transferred as part of that transaction. We will notify affected users by email and/or prominent notice on the Website before data is transferred and becomes subject to a different privacy policy.
We do not sell personal data.
9. AI-Powered Features
Some platform features use OpenAI’s API to generate compliance suggestions, ICS statement hints, and similar outputs. When you use these features, relevant excerpts of the compliance data you have entered (e.g. product category, selected standards, assessment responses) are sent to OpenAI for processing.
We do not send your name, email address, or directly identifying information to OpenAI unless you have included such information in the compliance data itself. We use OpenAI’s paid API tier, which is covered by a Data Processing Agreement; OpenAI does not use API-submitted data to train its models.
10. International Transfers
Most of our service providers process data within the EEA. The following providers are based in the United States; transfers to them are made under Standard Contractual Clauses (SCCs) approved by the European Commission:
| Provider | Data transferred |
|---|---|
| OpenAI | Compliance data excerpts used for AI suggestions |
| Sentry | Error logs, stack traces, and in-app feedback submitted by authenticated users |
PostHog, Resend, and DigitalOcean process data within the EU and no third-country transfer mechanism is required for those providers.
OpenAI’s paid API tier is subject to a Data Processing Agreement; data submitted via the API is not used to train models. You may request a copy of any SCC by contacting us at support@ce-red.org.
11. Data Retention
We retain personal data for as long as necessary for the purpose for which it was collected, subject to the following:
| Data | Retention period |
|---|---|
| Registered user account data | For the duration of your account plus 3 years after closure |
| Compliance and product data | For the duration of your organisation’s subscription plus 3 years, or 10 years where required by EU product compliance record-keeping obligations |
| Waitlist entries | Until access is granted or denied, then deleted within 12 months |
| Analytics data (PostHog) | Per PostHog’s retention settings; typically up to 7 years for aggregated events |
| Contact form submissions | 3 years from submission |
| Login tokens | Expire after a short period (minutes); purged on use or expiry |
When data is no longer needed, we delete or anonymise it securely.
12. Data Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or alteration, including:
- TLS/HTTPS for all data in transit.
- Encrypted storage for sensitive configuration and credentials.
- Access controls limiting data access to authorised personnel and systems.
- Magic-link authentication (no stored passwords) for user accounts.
No security measures are infallible. If you have reason to believe your interaction with the Service is no longer secure, please notify us immediately at support@ce-red.org.
13. Your Data Subject Rights
Under the GDPR, you have the following rights in respect of the personal data we hold about you:
| Right | What it means |
|---|---|
| Access | Obtain a copy of the personal data we hold about you |
| Rectification | Have inaccurate or incomplete data corrected |
| Erasure | Request deletion of your data where there is no legitimate ground for continued processing |
| Restriction | Ask us to suspend processing of your data in certain circumstances |
| Portability | Receive your data in a machine-readable format or have it transferred to another controller |
| Objection | Object to processing based on legitimate interest; we must stop unless we can demonstrate compelling legitimate grounds |
| Withdraw consent | Withdraw consent at any time without affecting prior lawful processing |
| Not to be subject to automated decisions | Not be subject to solely automated decisions that produce significant legal effects |
To exercise any of these rights, email support@ce-red.org. We will respond within one month. We may ask you to verify your identity before processing your request.
If you are not satisfied with our response, you have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, www.aki.ee) or with the data protection authority in your country of residence within the EU.
14. Children
The Service is not directed to persons under the age of 18. We do not knowingly collect personal data from children. If you believe a child has submitted personal data to us, please contact us at support@ce-red.org and we will delete it promptly.
15. Third-Party Websites
The Website and platform may contain links to third-party websites, including regulatory bodies, standardisation organisations, and integrations. This Privacy Policy does not apply to those sites. We recommend reading the privacy policy of any third-party site you visit.
16. Changes to This Policy
We may update this Privacy Policy from time to time. The “Effective date” at the top of this page will reflect the date of the most recent revision. Where changes are material, we will notify registered users by email. Your continued use of the Service after an update constitutes acceptance of the revised policy.
17. Contact
For any privacy-related enquiries, requests to exercise your rights, or to report a concern: