Privacy Policy

Pando Certification ("Pando", "we", "our", or "us") is committed to protecting your personal information and your right to privacy. This Privacy Policy explains what information we collect, how we use it, and what rights you have in relation to it.

This policy applies to all information collected through our website (openpando.com), our certification management portal, and any related services, sales, or marketing activities.

Please read this policy carefully. If you do not agree with its terms, please discontinue use of our services.

We collect information that you provide directly to us, information collected automatically when you use our services, and information from third parties where applicable.

• **Information you provide:**
• Contact details (name, email address, phone number, job title, organisation name)
• Certification application data (facility addresses, production processes, supply chain information)
• Communication records (messages sent via our contact forms or email)
• Account credentials for the Pando certification portal

• **Information collected automatically:**
• Device and browser information (IP address, browser type, operating system)
• Usage data (pages visited, time spent, links clicked, referring URL)
• Cookies and similar tracking technologies (see our Cookie section below)

• **Information from third parties:**
• Accreditation bodies and standard organisations we work with
• Public business registries for verification purposes

We use the information we collect for the following purposes:

• **Providing certification services:** Processing applications, scheduling audits, issuing certificates, and managing your certification lifecycle
• **Communication:** Responding to enquiries, sending service updates, and notifying you of certification status changes
• **Compliance:** Meeting our obligations as an accredited certification body, including maintaining audit trails and records required by accreditation standards
• **Security:** Detecting, preventing, and addressing technical issues and fraudulent activity
• **Improvement:** Analysing usage data to improve our website and services
• **Marketing:** Sending information about our services where you have opted in or where we have a legitimate interest

We do not sell, trade, or rent your personal information to third parties for their own marketing purposes.

We process your personal data under the following legal bases:

• **Contractual necessity:** To fulfil our certification services agreement with you
• **Legal obligation:** To comply with accreditation requirements and applicable regulations
• **Legitimate interests:** To improve our services, prevent fraud, and maintain security — provided these interests do not override your rights
• **Consent:** For marketing communications and the use of non-essential cookies, where you have explicitly consented

You may withdraw consent at any time where consent is the legal basis for processing.

We may share your information in the following circumstances:

• **Accreditation bodies:** We are required to share audit records and certification data with our accreditation partners (e.g. ISEAL Alliance) as part of our accreditation obligations
• **Standard owners:** Where required by certification standards (e.g. GOTS, OCS, GRS), relevant data may be reported to the standard owner
• **Service providers:** We use trusted third-party providers for hosting, analytics, and communication tools who process data under contractual data processing agreements
• **Public certification registry:** Scope Certificates and Transaction Certificates are published in our public registry as required by the relevant standards
• **Legal requirements:** We may disclose information if required by law, court order, or governmental authority

We require all third parties to maintain appropriate security and to process your data only on our instructions.

We retain your personal data for as long as necessary to fulfil the purposes described in this policy, unless a longer retention period is required by law or accreditation standards.

Certification records (audit reports, corrective actions, certificates) are typically retained for a minimum of 5 years after the end of the certification relationship, as required by our accreditation obligations.

Contact and enquiry data is retained for up to 3 years from the date of last contact, after which it is securely deleted or anonymised.

You may request early deletion of your data subject to our legal and accreditation obligations (see Your Rights below).

Depending on your location, you may have the following rights regarding your personal data:

• **Right of access:** Request a copy of the personal data we hold about you
• **Right to rectification:** Request correction of inaccurate or incomplete data
• **Right to erasure:** Request deletion of your data where we have no legitimate reason to continue processing it
• **Right to restriction:** Request that we restrict processing of your data in certain circumstances
• **Right to data portability:** Receive your data in a structured, machine-readable format
• **Right to object:** Object to processing based on legitimate interests or for direct marketing purposes
• **Right to withdraw consent:** Where processing is based on consent, withdraw it at any time

To exercise any of these rights, please contact us at privacy@openpando.com. We will respond within 30 days.

You also have the right to lodge a complaint with your local data protection authority.

We use cookies and similar technologies to improve user experience and analyse website traffic.

Essential cookies are required for the website to function correctly and cannot be disabled.

Analytics cookies (e.g. Google Analytics) help us understand how visitors interact with the site. These are only set if you consent.

Preference cookies remember your settings and choices on our website.

You can manage your cookie preferences through your browser settings. Disabling cookies may affect the functionality of our services.

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, or disclosure. These include:

• Encrypted data transmission (TLS/HTTPS)
• Role-based access controls on our systems
• Regular security assessments and penetration testing
• Staff training on data protection obligations

While we take all reasonable precautions, no method of transmission over the internet is completely secure. We cannot guarantee the absolute security of data transmitted to us.

Pando operates globally and your data may be transferred to and processed in countries outside your own. When transferring data internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by relevant data protection authorities or adequacy decisions where applicable.

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page with an updated effective date. For significant changes, we may also notify you directly by email.

We encourage you to review this policy periodically to stay informed about how we protect your information.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Pando Certification Email: privacy@openpando.com General enquiries: hello@openpando.com

We aim to respond to all privacy-related requests within 30 days.