Privacy Policy
We believe transparency builds trust. Learn how we collect, use, and protect your information when you use our independent certification platform.
1. Introduction & Scope
This policy is written in plain English so you can easily understand how your information is handled. We are committed to protecting your data and being transparent about our practices. This policy applies to your use of the CertCheck platform (operated independently by Best Practice Institute) and any related services we provide.
2. Information We Collect
We collect information in three main ways to build comprehensive employer profiles and provide our assessment tools:
| Information Category | Description | Examples |
|---|---|---|
| Provided Directly | Information you voluntarily give us when interacting with the platform. | Name, email, phone number, job title, company name, assessments, testimonials, profile data, job listings, and preferences. |
| Collected Automatically | Data generated when you navigate and interact with our web services. | IP address, browser type, operating system, pages visited, timestamps, click data, referring URLs, device IDs, and cookies. |
| From Third Parties | Data gathered to enrich profiles and verify certification eligibility. | Public company data, PeopleDataLabs professional data, HubSpot CRM interactions, and business intelligence enrichment. |
CCPA/CPRA Data Categories Reference:
| Category | Collected? | Source |
|---|---|---|
| Identifiers (Name, Email, IP) | Yes | Direct, Automatic |
| Commercial Information | Yes | Direct, Third Parties |
| Internet / Network Activity | Yes | Automatic |
| Professional / Employment Info | Yes | Direct, Third Parties |
| Inferences | Yes | Automatic, AI Processing |
3. How We Use Your Information
We use the information we collect to provide and improve our services, process certifications, create and host company profiles, generate helpful AI content, and distribute job listings. We also use data to send important transactional emails or text messages (with your consent), perform analytics, prevent fraud, comply with legal obligations, and facilitate team collaboration within the platform.
4. AI & Automated Processing
We process certain data using advanced AI tools from OpenAI and Anthropic to generate content, analyze assessments, and provide recommendations. While these automated systems help us highlight the best aspects of employer brands, they do not make automated decisions that produce legal or similarly significant effects on users. Companies can always request a review or correction of AI-generated content on their profiles.
5. Legal Basis for Processing (GDPR)
For users subject to European data protection laws, we rely on the following legal bases to process your information: Consent (for marketing emails and non-essential cookies), Contract (to deliver the services you requested), Legitimate Interests (for service improvement, fraud prevention, public data aggregation, and content generation), and Legal Obligation (for tax, regulatory, and legal compliance).
6. Data Sharing & Third Parties
To run our platform efficiently, we work with trusted partners. We do not sell your personal information. All of our service providers are bound by strict Data Processing Agreements.
| Partner Category | Partner Name | Data Shared | Purpose |
|---|---|---|---|
| Job Board Partners | Indeed, ZipRecruiter, Jooble, Talent.com | Job listings | Distribution of open roles |
| AI Providers | OpenAI, Anthropic | Company data | Content and insight generation |
| CRM & Sales | HubSpot, Apollo | Contact & interaction data | Relationship management |
| Data Enrichment | PeopleDataLabs | Professional data queries | Profile verification |
| | Resend | Email addresses, engagement | Transactional & marketing emails |
| SMS | Salesmsg | Phone numbers | SMS communications |
| Presentations | Gamma | Company overview data | Report generation |
| Research | Tavily | Search queries | Web search for content |
| Storage | Cloudflare R2 | Files, logos, images | Secure file hosting |
| Live Chat | Tawk.to | Chat history, IP | Customer support |
8. Do Not Track Signals
We respect your privacy choices. While browsers offer a "Do Not Track" (DNT) feature, there is no widely accepted standard for how to respond to it. However, we proudly honor Global Privacy Control (GPC) signals as valid opt-out requests where applicable by law.
9. Data Security
We protect your data using industry-standard encryption in transit (TLS/SSL) and at rest. User passwords are securely hashed using bcrypt. Access to our databases is strictly controlled. While no digital system is 100% secure, we are committed to promptly addressing any vulnerabilities and will provide breach notifications within 72 hours (per GDPR) and according to applicable state laws should an incident occur.
10. Data Retention
We only keep your information for as long as necessary to provide our services and fulfill the purposes outlined in this policy. Our standard retention practices are detailed below:
11. California Privacy Rights (CCPA/CPRA)
If you are a resident of California, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with specific rights regarding your personal information.
12. GDPR Rights (EEA/UK)
For users located in the European Economic Area (EEA) and the United Kingdom, the General Data Protection Regulation (GDPR) guarantees significant control over your data.
13. Other US State Rights
Users residing in states like Virginia (CDPA), Colorado (CPA), and Connecticut (CTDPA) have similar rights to access, correct, delete, and opt out of targeted advertising or profiling. If we decline to take action on your request, you have the right to an appeal process. Please submit requests using the contact email below.
14. International Data Transfers
Our platform and databases are primarily located in the United States. When transferring data from the EU/EEA to the US, we ensure adequate protection is in place by relying on legally recognized transfer mechanisms, including Standard Contractual Clauses (SCCs).
15. Email & SMS Communications
We send marketing emails only with your consent, and every email includes a clear unsubscribe link in compliance with CAN-SPAM laws. We send SMS messages only with your express consent, and you can text STOP at any time to opt out (TCPA compliance). Please note that essential transactional emails (like password resets or billing notices) cannot be unsubscribed from. We process unsubscribe requests within 10 business days.
16. Children's Privacy
Our platform is built for professionals and organizations. It is not directed to children under the age of 16. We do not knowingly collect personal information from children. If we discover that we have inadvertently gathered data from a minor, we will delete it promptly.
17. Data Protection by Design
We integrate robust data protection principles directly into the design of our platform from day one. We conduct impact assessments for any processing activities that present high risks to user rights, ensuring privacy is maintained by design and by default across all features.
18. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. Material changes will be communicated via email or a prominent notice on our website. Your continued use of the platform after updates indicates your acceptance of the revised policy.
19. Contact Information
If you have any questions, wish to exercise your privacy rights, or need to reach our Data Protection Officer, please contact us:
- Organization: Best Practice Institute
- Email: privacy@bestpracticeinstitute.org
- Address: 5600 PGA Blvd., Palm Beach Gardens, FL 33418
