Privacy Policy
Effective date: 16/03/2026
This Privacy Policy explains how AssureUp Pty Ltd T/A CertBetter (CertBetter, we/us/our) collects, uses, discloses, and protects personal information in connection with the CertBetter platform (Platform). By using the Platform, you agree to this Policy, our Terms of Service and Cookie Policy.
Who we are & how to contact us
Registered business: AssureUp Pty Ltd T/A CertBetter
ABN: 74 676 061 760
Email: support at certbetter.com
Scope
This Policy covers ISO Finders (businesses seeking ISO services) and ISO Providers (consultants, certification bodies, training providers, software vendors) and their team members. It applies when we act as a controller (e.g., accounts, profiles, directories, reviews, verification), and when we act as a processor on your documented instructions (e.g., routing RFQs to recipients you select)—in which case our Data Processing Terms (DPA) apply.
How the Platform works
CertBetter is a lead-matching platform. An ISO Finder (business seeking ISO services) submits a Request for Quotation (RFQ) describing their requirements. Our team reviews and approves the RFQ, then notifies matched ISO Providers. Interested Providers may unlock the RFQ (for a fee) to view the Finder's contact details and reach out directly. Finders can track their RFQ status via a unique token link without creating an account.
Personal information we collect
From ISO Finders (via the RFQ form)
- Contact details: name, email address, phone number, job title.
- Business details: business name, website, business activities, staff count, industry.
- Location: address, city, country. We may geocode your address into coordinates to match you with nearby Providers.
- Certification context: ISO standards required, current certification status, certification body, system maturity, urgency, budget range, decision stage.
- Preferences: whether you accept remote services, additional locations, free-text description of your requirements.
- Tracking identifiers: referral code (if you arrived via a referral link), affiliate code (if applicable), and browser identifiers for conversion measurement.
From ISO Providers (via registration and profile management)
- Account & profile: name, email, phone, job title, business name, role, country, membership tier, preferences.
- Business details: legal name, registration number (e.g., ABN/ACN), addresses, established year, tagline, about description.
- Location: business address(es), which may be geocoded into coordinates for matching purposes.
- Media & links: logo, header image, business media, social media profiles (LinkedIn, YouTube, Twitter/X, Instagram, Facebook).
- Services: ISO standards offered, industries served, service types.
- Team: team member names, emails, and roles (when you invite team members).
Verification data
- Business & verification: ABN/registration details, business address, business structure, established year, declarant name, insurance certificates, ISO auditor/lead auditor training certificates (per claimed standard), capability statements, proposals, consultant CVs, public web presence, and screening results (e.g., sanctions/PEP/adverse media checks).
Platform activity
- RFQs: submission details, approval status, provider matches, unlock history.
- Messages: content of messages exchanged between Finders and Providers on the Platform, including any file attachments.
- Reviews & ratings: reviewer name, email, company name, website, rating score, review text, and optionally a profile photo.
- Connections, lead sharing, listings, support requests.
Device, usage & visitor data
- Device & browser: IP address, device/browser type, pages viewed, referral URLs.
- Visitor logging: we log visitor IP addresses and use them to determine approximate location (country, region, city). This helps us understand where our visitors come from and improve the Platform.
- Cookies & local storage: see our Cookie Policy and the Cookies, tracking & analytics section below.
Payment data
- Payments: we use a PCI DSS-compliant payment processor (Stripe) to handle payments. Card details are entered into and stored by the processor; we do not store full card numbers or CVV on our servers. Your payment card details are processed under the processor's own privacy policy.
Third-party & public sources
- Business registries, insurers, professional networks (e.g., LinkedIn), review platforms, and our service providers.
How we collect your information
- Directly from you — forms, uploads, messages, RFQs, reviews, support requests.
- Automatically — via cookies, local storage, server-side tracking, and analytics tools.
- From others — team members, references you provide, public sources, and service providers that support the Platform.
- From URL parameters — referral and affiliate codes may be captured from your browser URL to attribute referrals.
How we use your information (purposes & legal bases)
- Provide and operate the Platform — accounts, profiles, directories, RFQ matching, lead delivery, messaging, listings, payments; basis: contract / legitimate interests.
- RFQ matching & lead delivery — reviewing and approving RFQs, notifying matched Providers, processing lead unlocks, sharing Finder contact details with Providers who unlock; basis: contract / legitimate interests.
- Verification & trust — assess documentation, run proportionate checks (including sanctions/PEP/adverse media), issue/manage badges and certificates; basis: legitimate interests / compliance.
- Safety & integrity — prevent fraud/abuse, enforce AUP and review rules, secure systems; basis: legitimate interests / compliance.
- Communications — service emails (RFQ confirmations, provider reminders, review requests, unlock notifications, renewal notices), updates, and responses; basis: contract / legitimate interests.
- Marketing — optional newsletters, product updates, and promotions; basis: consent / legitimate interests (as applicable).
- Conversion measurement — we share hashed data with advertising platforms for conversion tracking (see Cookies, tracking & analytics below); basis: legitimate interests / consent (where required).
- Research & product improvement — analytics, testing, aggregated/de-identified insights; basis: legitimate interests.
- Compliance — legal obligations (lawful requests, accounting, record-keeping); basis: legal obligation.
Direct marketing
We send electronic direct marketing only where permitted (e.g., your consent under the Spam Act 2003 (Cth) / GDPR, or soft opt-in for existing Australian/EU/UK customers). All messages include an unsubscribe. You can opt out at any time without affecting service emails.
Cookies, tracking & analytics
We use necessary cookies to run the site and optional cookies/technologies for analytics and conversion measurement. See our Cookie Policy for full details and to manage preferences.
Analytics
We use Google Analytics to understand how visitors use the Platform. Analytics cookies are set to track page views, sessions, and usage patterns.
Conversion tracking
We use advertising platform tools (including Meta/Facebook) to measure the effectiveness of our advertising. When you submit an RFQ, we may send hashed versions of your contact information (e.g., email address or phone number) to these platforms for conversion measurement and ad optimisation only. Hashing is a matching aid, not anonymisation: the receiving platform can match the hash against contact details it already holds for you, but it does not receive the plain-text values from us.
Visitor logging
We log visitor IP addresses and use server-side geolocation to determine your approximate location (country, region, city). This data is used for analytics and to improve the Platform.
Local storage
In addition to cookies, we store certain data in your browser's local storage for authentication, language preferences, country detection, and referral/affiliate tracking. This data is used solely to operate the Platform and is not shared with third parties.
We currently do not respond to Do Not Track signals.
When we share your information
With other users
- Finder → Provider: when a Provider unlocks your RFQ, they receive your contact details (name, email, phone, job title) and business details (name, location, requirements). This is the core function of the Platform.
- Provider → Finder: when a Provider unlocks an RFQ, the Finder can see the Provider's business name, contact details, and profile information.
- Public profiles: information you choose to make public (e.g., Provider profiles, listings, reviews) is visible to all visitors.
With service providers (sub-processors)
We share personal information with the following categories of service providers, who process data on our behalf under contractual safeguards:
- Payment processing — processes payments and stores payment card details (e.g., Stripe).
- Email delivery — sends service emails such as RFQ confirmations, reminders, and notifications.
- Analytics & advertising — analytics, event tracking, address geocoding, and conversion measurement (e.g., Google Analytics, Meta/Facebook).
- Hosting & infrastructure — cloud hosting, CDN, and image delivery services.
We maintain a list of current sub-processors and provide 30 days' notice of material additions or replacements. If you reasonably object and we cannot resolve your concerns, you may terminate the affected services before the change takes effect (see DPA).
Other sharing
- Referral & affiliate partners: if you arrived via a referral or affiliate link, we share limited information (RFQ submission confirmation, not your personal details) with the referring party for attribution purposes.
- Legal & compliance: to comply with law, enforce our terms, or protect rights, security, and integrity.
- Corporate transactions: in connection with a merger, investment, or sale of assets, subject to confidentiality.
RFQ access for Finders
Finders access their RFQ status via a unique secure link sent to their email. This link does not require an account or password, which means the link itself is the credential: anyone who obtains it (for example from a forwarded email, a shared screen, or browser history) can view your RFQ status and matched provider details. Do not share this link. If you believe your link has been exposed, contact us immediately.
International data transfers
We may transfer personal information outside your country (e.g., to the EU/UK/US or other locations where our providers operate). Where required, we use safeguards such as EU Standard Contractual Clauses or the UK IDTA. See the DPA for details.
Sensitive information & uploads
We do not seek to collect sensitive information (e.g., health, racial/ethnic origin, religious beliefs) or government identifiers. Please do not upload such data unless we specifically request it and it is necessary.
Sanctions/PEP/adverse media checks (EU/UK). Any criminal-offence-related personal data is processed under GDPR/UK GDPR Article 10 (and applicable local law) for fraud prevention and platform integrity, with appropriate safeguards.
Uploads. Please redact unnecessary personal data in uploads (e.g., TFNs, full ID numbers). If such data is accidentally provided, we may delete or redact it.
Profiling & automated decisions
We use limited profiling (e.g., to improve search ranking relevance, match Providers to RFQs based on location/standards/industry, detect spam/abuse). We do not make decisions based solely on automated processing that produce legal or similarly significant effects. EU/UK users may object to profiling based on legitimate interests; we will assess and comply where required.
Controller vs. processor (and RFQs)
CertBetter is a controller for most Platform activity (accounts, profiles, directories, verification, reviews, RFQ matching). When you route personal information to recipients you select (e.g., RFQs), we act as your processor. When an RFQ is delivered to a Provider, that Provider acts as an independent controller for the copy they receive and processes it under their own privacy policy.
Administrative access
Authorised CertBetter staff may access user accounts for support, troubleshooting, and fraud prevention purposes. All administrative access is logged and governed by internal policies.
Data retention
We retain personal information for as long as needed to provide the Platform, comply with law, resolve disputes, and enforce agreements. We set retention periods based on legal requirements, business needs, and risk, applying the shortest period compatible with those factors. Examples:
- Account & profile: for the life of the account, then up to 6 years for record-keeping/legal purposes.
- RFQ data: retained for the life of the RFQ and a reasonable period afterwards (up to 6 years) for dispute resolution and record-keeping.
- Messages: retained for the life of the relevant accounts, then deleted upon account closure (subject to legal holds).
- Visitor logs: retained for up to 12 months for analytics, then deleted or anonymised.
- Verification documents: while verification is active and for a reasonable period afterwards to manage renewals, appeals, and audit trail.
- Payment records: retained as required by tax and accounting law (typically 7 years in Australia).
- Backups & logs: operational backups may persist for up to 90 days.
Security
We implement technical and organisational measures appropriate to the risk (e.g., access controls, encryption in transit, audit logging, least-privilege access). No system is 100% secure; use strong passwords, enable MFA where available, and contact us immediately if you suspect unauthorised activity.
Your privacy rights
- Australia (APPs): access and correction of personal information; complaint rights with us and the OAIC.
- EEA/UK (GDPR/UK GDPR): access, rectification, erasure, restriction, portability, and objection (including to direct marketing). You may also lodge a complaint with your supervisory authority.
- US states (where applicable): rights to know, delete, correct, and limit use of sensitive information. We do not sell personal information and do not share it for cross-context behavioural advertising. If this changes, we will update this Policy and provide a "Do Not Sell or Share" option.
Withdraw & object. You may withdraw consent at any time (where processing is based on consent) and object to direct marketing (including profiling for marketing). We action requests promptly.
To exercise rights or update preferences, email support at certbetter.com. We may verify your identity and request information to locate your data.
Children
The Platform is not intended for children under 16, and we do not knowingly collect personal information from children under 16. If you believe a child has provided personal information, contact us to request deletion.
International representatives
Where required by GDPR/UK GDPR, we will appoint an EU/UK representative and publish contact details on this page.
Breach notifications
We notify affected users and regulators of data breaches where required by law (including the Privacy Act 1988 (Cth) and other applicable regimes).
Changes to this Policy
We may update this Policy from time to time. For material changes, we will provide at least 14 days' notice via email or in-product notice where practicable. Your continued use after the effective date constitutes acceptance.
Complaints
If you have concerns about our handling of personal information, contact support at certbetter.com.