Who's the data controller?
It depends on the data:
- For your CertFlow account itself (your name, email, login records, billing) — CertFlow LTD is the data controller.
- For data you put into CertFlow about your clients, sites, assets and engineers — you are the data controller and CertFlow LTD is the processor. Our obligations as a processor are set out in our Data Processing Agreement.
Your rights under UK GDPR
If you are a data subject (an individual whose personal data we process as a controller), you have eight rights:
1. Right to be informed
We must tell you what personal data we collect about you, why, and how we use it. This privacy notice is how we do that.
2. Right of access
You can request a copy of the personal data we hold about you (a Subject Access Request).
3. Right to rectification
You can ask us to correct inaccurate or incomplete data.
4. Right to erasure
You can ask us to delete your personal data, unless we have a lawful basis to retain it (for example, a statutory retention obligation).
5. Right to restrict processing
You can ask us to pause processing of your data while a query about its accuracy or our use of it is resolved.
6. Right to data portability
You can ask for your data in a machine-readable format to move elsewhere.
7. Right to object
You can object to processing based on legitimate interests or for marketing.
8. Rights re: automated decisions
You have rights around any solely automated decision-making and profiling.
How to exercise your rights
Email privacy@certflow.co.uk with the nature of your request. We respond to all valid requests within one calendar month. We may need to verify your identity before disclosing personal data.
There is no fee for most requests, but we may charge a reasonable fee for manifestly unfounded, excessive or repetitive requests, or for additional copies.
Lawful basis for processing
We rely on the following lawful bases under Article 6 of the UK GDPR:
- Contract — to provide the CertFlow service you've signed up for.
- Legitimate interests — to operate, secure, and improve the service, and for limited business-to-business communications. We balance these interests against your rights and freedoms.
- Legal obligation — to comply with UK law (e.g. tax records, statutory retention).
- Consent — for non-essential cookies and any direct marketing where required.
Data we collect
As a controller of your account data, we typically hold:
- Name, work email, work phone, organisation name
- Login credentials (hashed, never stored in plain text)
- Authentication and access logs
- Billing details handled via our payment processor (we do not store card numbers)
- Support correspondence
As a processor, we hold whatever inspection, asset, client and certificate data you put into CertFlow on behalf of your customers. You decide what's in there.
Retention
We retain account data for as long as your CertFlow account is active, plus a reasonable period afterwards to handle final billing, legal holds and statutory obligations (typically up to 6 years for accounting records).
Customer data you hold in CertFlow is retained for the life of your account. On termination, we will return or delete your data in line with the DPA.
International transfers
CertFlow's primary infrastructure is UK- and EU-based. Where any sub-processor is located outside the UK or EU, we rely on appropriate safeguards, including Standard Contractual Clauses and additional technical measures, in line with the UK GDPR's international transfer rules.
Cookies
CertFlow uses strictly necessary cookies for authentication and session management. Where we use any non-essential cookies, we ask for your consent first. See our Cookie Policy for details.
Complaints
If you're unhappy with how we've handled your data, please contact us first at privacy@certflow.co.uk so we can try to put it right. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.
Contact
CertFlow LTD
Privacy queries: privacy@certflow.co.uk
General queries: info@certflow.co.uk · 0114 392 2407
Registered office: 20 Wenlock Road, London, N1 7GU
Company number: 17056886