GSI GlobalCert Platform Privacy Policy
Last Updated: October 12, 2025
1. Introduction
Welcome to GSI GlobalCert, the world's leading one-stop platform for global certification. This Privacy Policy explains how GSI (German Scientific Institute for Quality, Testing and Certification) and its affiliates ("GSI," "we," "us," or "our") collect, use, share, and protect information in relation to our services. Our mission is to simplify and automate the global product certification journey, making it transparent, efficient, and accessible for all stakeholders.
This policy applies to all users of the GSI GlobalCert platform, including our websites, mobile applications, and other online products and services (collectively, the "Platform"). It is designed to be compliant with the EU General Data Protection Regulation (GDPR) and other major global privacy laws.
By using our Platform, you agree to the collection and use of information in accordance with this policy.
2. Who We Are
The data controller for your information is:
GSI-CERT GmbH
(German Scientific Institute for Quality, Testing and Certification)
Managing Director Dr. Yannick Timo Böge
James-Loeb-Str. 11
82418 Murnau / Greater Munich
Germany
Platform.Support@gsi-cert.com
www.gsi-cert.com
We have appointed a Data Protection Officer (DPO) to oversee our data protection strategy. You can contact our DPO at dpo@gsi-cert.com with any questions about this policy or our data protection practices.
3. Information We Collect
We collect information to provide and improve our Platform. The type of information we collect depends on your role and how you interact with our services.
Information You Provide to Us
- Account and Profile Information: When you register for an account, we collect information such as your name, email address, and password. Depending on your user persona (e.g., Manufacturer, Expert, Consultant), you may provide additional profile information, including company details, contact information, areas of expertise, professional certifications, and billing information.
- Certification and Project Data: As a core function of the Platform, we collect and store all data related to certification requests and projects. This includes product details, technical specifications, target countries, and all associated documentation you upload (e.g., technical files, test reports, quality manuals).
- Communications: We collect information when you communicate with other users through our Platform, including chat messages, internal emails, and file exchanges. All chat history is retained for auditing purposes. We also process external emails that are replies to platform-generated messages to route them to the correct internal thread.
- Financial Information: To process payments for subscriptions and services, we collect payment information. This data is securely handled by our third-party payment processors (e.g., Stripe, Adyen). We also manage a virtual wallet for each tenant, which includes a full transaction history.
- Feedback and Support: If you provide feedback or contact us for support, we will collect your name, contact information, and any other content you send us so that we can reply to you and improve the platform.
Information We Collect Automatically
- Log and Usage Data: We automatically log information when you access and use the Platform. This includes your IP address, user agent, browser type, operating system, pages viewed, and the dates and times of your requests. We also collect business-level events for our audit trail, such as "Certification Request Submitted" or "Document Uploaded".
- Cookies and Similar Technologies: We use cookies and similar technologies to operate and administer our Platform, gather usage data, and improve your experience. You can control the use of cookies at the individual browser level.
- AI Assistant Interactions: We collect and store the conversations you have with our AI Assistant to improve its performance and provide you with context-aware support. The assistant has secure access to your user data (like your role and active tasks) to provide personalized help.
4. How We Use Your Information
We use the information we collect for various purposes, always based on a lawful foundation.
- To Provide and Maintain the Platform: We use your information to operate our core services, including user authentication, managing certification workflows, facilitating communication between users, and processing payments.
- To Improve and Personalize the Platform: We analyze user behavior to understand needs and improve our services. This includes using data to personalize your dashboard, recommend relevant experts or certification bodies, and enhance the AI Assistant's capabilities.
- For Security and Fraud Prevention: Security is a fundamental aspect of our platform. We use your data to protect against fraud, abuse, and security incidents. Our Fraud Inspector module analyzes activity in real time to calculate risk scores and can automatically trigger security actions like account suspension to protect the platform and its users.
- For Communication: We use your contact information to send you transactional communications, such as service-related announcements, security alerts, and automated notifications about project status changes or upcoming certificate expirations.
- To Enforce our Terms and Comply with Legal Obligations: We use your information to enforce our agreements and to comply with our legal obligations, including responding to data subject requests and maintaining auditable records for compliance with standards like ISO 9001 and GDPR.
5. Data Sharing and Disclosure
We do not sell your personal data. We only share it in the following circumstances:
- With Other Platform Users: The core purpose of the Platform is to connect stakeholders. Your profile information (e.g., an Expert's profile) will be visible to other users in our directories. Information and documents you share within a project or chat are accessible to the other participants of that project or chat.
- With Service Providers: We work with third-party service providers to operate our platform, such as cloud hosting providers (Google Cloud Platform), payment processors, and e-signature providers. These providers only have access to the information necessary to perform their services and are contractually obligated to protect your data.
- For Legal Reasons: We may disclose your information if we believe it's required by law, regulation, legal process, or an enforceable governmental request.
- With Your Consent: We may share your information with third parties when we have your explicit consent to do so.
6. International Data Transfers
Your information may be transferred to, and maintained on, computers located outside of your state, province, or country where the data protection laws may differ. Our platform is built on the Google Cloud Platform, which provides a global infrastructure. We rely on appropriate safeguards, such as Standard Contractual Clauses, to ensure that your data is protected when transferred internationally.
7. Your Data Protection Rights
Under GDPR and similar laws, you have rights over your personal data. We are committed to upholding these rights.
- Right of Access: You have the right to request a copy of the personal data we hold about you.
- Right to Rectification: You have the right to request that we correct any inaccurate or incomplete information.
- Right to Erasure (Right to be Forgotten): You have the right to request that we delete your personal data, under certain conditions.
- Right to Restrict Processing: You have the right to request that we restrict the processing of your personal data, under certain conditions.
- Right to Data Portability: You have the right to request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.
- Right to Object: You have the right to object to our processing of your personal data, under certain conditions.
You can exercise these rights by contacting our DPO. We have a dedicated Data Protection Officer Interface to manage and process these requests in a timely and compliant manner.
8. Data Security and Retention
We implement robust technical and organizational measures to protect your data, in line with our "Security by Design" principle. All data is encrypted at rest and in transit. Access to data is strictly controlled through a Role-Based Access Control (RBAC) system.
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. Document policies can define specific retention periods to comply with regulatory needs.
9. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last Updated" date. We encourage you to review this policy periodically for any changes.
10. Contact Us
If you have any questions or concerns about this Privacy Policy or our data practices, please contact us or our Data Protection Officer at:
GSI GlobalCert DPO
dpo@gsi-cert.com