Privacy Policy

This Privacy Policy explains how we collect, use, share, and protect personal data when you visit https://tnvglobal.com ("Website"), engage with our ISO certification services, or otherwise interact with us. This policy is published in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (UK), the EU General Data Protection Regulation (EU GDPR), the Digital Personal Data Protection Act 2023 (India DPDP), the California Consumer Privacy Act 2018 (CCPA) where applicable, and other applicable data protection laws.

Please read this Privacy Policy carefully. By using our Website or services, you confirm that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our Website or services.

1. Who We Are (Data Controller)

TNV Global Limited is the data controller responsible for your personal data processed through our Website and services. Our details are as follows:

Although TNV Global Limited is not required by law to appoint a Data Protection Officer (DPO) under UK GDPR or EU GDPR, we have nominated a Privacy Contact responsible for handling data protection queries. All privacy queries should be directed to admin@tnvglobal.com with the subject line "Privacy Query".

2. Definitions

3. Personal Data We Collect

Depending on how you interact with us, we may collect the following categories of personal data:

3.1 Identity Data

Includes first name, last name, title, designation or role within your organisation, and similar identifiers necessary to communicate with you and deliver services.

3.2 Contact Data

Includes work email address, work telephone number, mobile number, postal address, country, city, and your organisation's name and address.

3.3 Organisation and Certification Data

Includes details about your organisation such as legal entity name, registration number, number of employees, number of sites, organisation size category, sector, existing ISO certifications, AI use case descriptions, and preferred audit scope and mode — submitted via our enquiry forms, application forms, or during the audit process.

3.4 Financial Data

Includes payment information processed for booking deposits, audit fees, and surveillance audit fees. We do not store full credit or debit card numbers ourselves; card payments are processed by our payment service provider Stripe. Bank transfer details are handled by Wise Business. We retain limited transaction reference information for accounting and audit-trail purposes.

3.5 Technical Data

Includes Internet Protocol (IP) address, device identifiers, browser type and version, time zone setting, operating system and platform, screen resolution, referrer URL, language preferences, and similar technical information collected automatically when you visit our Website.

3.6 Usage Data

Includes information about how you use our Website — pages visited, time spent on pages, navigation paths, links clicked, search terms, and similar interaction data collected through cookies, server logs, and analytics tools.

3.7 Communications Data

Includes records of communications with us — emails, WhatsApp messages, telephone notes, web chat transcripts (where applicable), enquiry form submissions, and quotation requests.

3.8 Audit Engagement Data

Where we conduct an audit for your organisation, we may collect information necessary to perform the audit. This may include names and roles of personnel interviewed, documents reviewed (which may contain personal data of your employees or third parties), audit findings, and supporting evidence. This information is processed in accordance with our ISO/IEC 17021-1 confidentiality obligations and the contract between us.

3.9 Marketing Data

Where you consent, includes your preferences regarding receiving marketing communications from us, your interaction with our marketing emails, and other engagement metrics.

We do not knowingly collect or process more personal data than is necessary for the purposes set out in this Privacy Policy. We apply data minimisation principles throughout.

4. How We Collect Personal Data

We collect personal data in the following ways:

• Directly from you: When you submit enquiry forms, applications, payment information, audit documentation, or contact us by email, phone, WhatsApp, or in person.
• Automatically: When you visit our Website, through cookies, server logs, and analytics tools (see our Cookie Policy for details).
• From third parties: From your organisation if your colleagues provide your details for audit logistics; from publicly available sources (such as Companies House, public regulatory databases) where necessary for due-diligence purposes; from our group entities for cross-referrals where you have indicated interest.
• From your interactions: Through your engagement with our marketing communications, events, webinars, or partnership channels.

5. Purposes of Processing

We process personal data for the following purposes:

6. Lawful Bases for Processing

Under UK GDPR and EU GDPR, we must have a lawful basis (Article 6) for processing personal data. We rely on the following lawful bases:

Under the India DPDP Act, we process personal data based on (i) certain legitimate uses specified in the Act, including performance of contract, compliance with legal obligation, and provision of services to the data principal; and (ii) where required, the consent of the data principal.

7. Special Category Data

We do not routinely collect special category data (sensitive personal data) about visitors to our Website or prospective customers. In limited circumstances during audit engagements, we may incidentally encounter special category data within client documentation (for example, where you are auditing AI systems that process health or biometric data). In such cases, we process this data only as necessary to perform the audit, in accordance with our ISO/IEC 17021-1 confidentiality obligations, and we rely on Article 9(2)(b) (employment, social security, and social protection law), Article 9(2)(f) (legal claims), or Article 9(2)(g) (substantial public interest) of UK and EU GDPR as appropriate.

8. Cookies and Tracking Technologies

Our Website uses cookies and similar tracking technologies to provide functionality, analyse usage, and (with your consent) for marketing purposes. Detailed information about the cookies we use, including their purposes, types, and how to manage your preferences, is set out in our separate Cookie Policy.

Where consent is required (for non-essential cookies under UK PECR / EU ePrivacy Directive), we obtain your consent through our cookie consent banner displayed on first visit. You can change your cookie preferences at any time using the "Cookie Settings" link in our Website footer.

9. Sharing Your Personal Data

We share personal data only as necessary for the purposes set out in this Privacy Policy. Recipients of personal data may include:

9.1 Service Providers (Data Processors)

We use carefully selected third-party service providers (data processors) to support our operations. Each is bound by a data processing agreement that imposes confidentiality, security, and data protection obligations consistent with UK GDPR, EU GDPR, and applicable laws.

9.2 Public Certificate Register (Post-Certification)

Upon successful issuance of an accredited ISO certificate, certain non-sensitive certificate metadata is published on the global-aci.org public verification portal in accordance with UAF accreditation rules. This includes: certified organisation name, certificate number, scheme (ISO standard), scope of certification, accreditation body (UAF), issue date, expiry date, and certificate status (active / suspended / withdrawn). This information is published to enable any interested party to verify the validity of an issued certificate. Personal data of individuals (such as employees of the certified organisation) is not published on the public register.

9.3 Legal and Regulatory Disclosures

We may disclose personal data where required by law, regulation, court order, regulator request, or to defend against legal claims. This may include disclosure to UK or India tax authorities, the ICO, the Data Protection Board of India, our accreditation body UAF, professional regulators, law enforcement agencies, or in response to lawful demands.

9.4 Business Transfers

In the event of a merger, acquisition, restructuring, sale of business assets, or insolvency, personal data may be transferred to the successor entity. We will provide reasonable notice in advance of any such transfer that materially affects the processing of your personal data.

We do not sell, rent, or trade personal data to third parties for their own marketing purposes.

10. International Data Transfers

TNV Global Limited is based in the United Kingdom and operates in India and globally. Some of our service providers (notably Stripe, Vercel, and Google) are based in the United States. As a result, your personal data may be transferred to, stored in, or processed in countries outside the United Kingdom, the European Economic Area (EEA), and India.

10.1 Safeguards Applied

Where we transfer personal data internationally, we ensure that appropriate safeguards are in place to protect it, including:

• Adequacy decisions: Transfers to countries the UK government or European Commission has determined provide an adequate level of data protection.
• UK International Data Transfer Agreement (IDTA) or Addendum: For transfers from the UK to countries without adequacy decisions.
• EU Standard Contractual Clauses (SCCs): Module 1, 2, 3, or 4 as appropriate for transfers from the EEA.
• Supplementary measures: Encryption in transit and at rest, pseudonymisation, access controls, and risk assessments as required by the Schrems II ruling.
• Data Protection Impact Assessments (DPIAs): Conducted for high-risk transfers.

10.2 Transfers to India

Personal data is transferred between our UK office and our India office for operational purposes (audit delivery, customer support). India does not currently have a UK or EU adequacy decision. Such transfers are made under appropriate safeguards including UK IDTA / EU SCCs, intra-group agreements, and confidentiality controls under ISO/IEC 17021-1.

You may request a copy of the safeguards in place by contacting admin@tnvglobal.com (subject: "International Transfer Safeguards").

11. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, regulatory, accreditation, or reporting requirements. Specific retention periods include:

At the end of the applicable retention period, personal data is securely deleted, anonymised, or archived in accordance with our Information Retention and Destruction Policy.

12. Your Rights as a Data Subject

Subject to applicable law, you have the following rights in relation to your personal data:

• Right of access: To obtain confirmation of whether we process your personal data and, if so, a copy of the data and supplementary information (Subject Access Request).
• Right to rectification: To request correction of inaccurate or incomplete personal data.
• Right to erasure ("right to be forgotten"): To request deletion of your personal data where there is no compelling reason for its continued processing. This right is not absolute and is subject to exceptions (such as ISO/IEC 17021-1 record retention obligations or legal claims).
• Right to restriction of processing: To request that we limit the processing of your personal data in certain circumstances.
• Right to data portability: To receive your personal data in a structured, commonly used, machine-readable format, and to transmit it to another data controller (applies only to data processed by automated means based on consent or contract).
• Right to object: To object to processing based on legitimate interests or for direct marketing purposes. We will stop processing for direct marketing on request.
• Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing already carried out.
• Right not to be subject to automated decision-making: Including profiling, where it produces legal effects or similarly significantly affects you (see Section 18).
• Right to lodge a complaint: With a supervisory authority (ICO in the UK; the EU data protection authority in your country of residence; the Data Protection Board of India).

13. How to Exercise Your Rights

To exercise any of your rights, please contact us by email at admin@tnvglobal.com with the subject line "Data Subject Rights Request". Include in your request:

• Your full name and contact details
• The specific right(s) you wish to exercise
• Sufficient information to verify your identity (we may request additional identity verification)
• Where applicable, the specific personal data or processing activity to which your request relates

We will respond to your request without undue delay and in any event within one month of receipt. We may extend this period by a further two months where requests are complex or numerous, in which case we will inform you and explain the reason for the extension.

There is normally no fee for exercising your rights. We may charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive, particularly where they are repetitive.

14. Marketing Communications

We may send you marketing communications about our certification services, industry updates, or related offerings only where you have explicitly consented or where you are an existing customer who has not opted out (soft opt-in under UK PECR / ePrivacy).

You can opt out of marketing communications at any time by:

• Clicking the unsubscribe link in any marketing email
• Emailing admin@tnvglobal.com with the subject "Unsubscribe"
• Adjusting your marketing preferences in any preference centre we provide

Opting out of marketing does not affect our ability to send you transactional communications necessary for the performance of our contract (such as audit schedules, invoices, and certificate notifications).

15. Children's Personal Data

Our Website and services are not directed at, designed for, or intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us at admin@tnvglobal.com and we will take steps to delete such information.

Under the India DPDP Act, processing of personal data of children (under 18) is subject to specific safeguards including verifiable parental consent and prohibition on certain forms of processing. TNV Global does not direct services at children and processes children's data only in exceptional circumstances and only with appropriate consent.

16. Information Security

We take the security of your personal data seriously and have implemented appropriate technical and organisational measures to protect it against unauthorised access, alteration, disclosure, loss, or destruction. Our security measures include:

• Encryption: Personal data transmitted via our Website is encrypted using TLS (HTTPS). Sensitive data at rest is encrypted where technically feasible.
• Access controls: Personal data is accessible only to personnel who require it for their role, on a need-to-know basis. Access is controlled by authentication and authorisation systems.
• Confidentiality obligations: All staff and contracted auditors are bound by confidentiality obligations consistent with ISO/IEC 17021-1, including specific NDAs covering audit information.
• Vendor security: Third-party processors are selected for their security maturity and bound by data processing agreements with security requirements.
• Incident response: We maintain an information security incident response procedure to detect, contain, and respond to security breaches.
• Regular review: Security controls are reviewed periodically as part of our overall management system.

Despite our best efforts, no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee absolute security.

17. Personal Data Breaches

In the event of a personal data breach that poses a risk to the rights and freedoms of individuals, we will:

• Notify the relevant supervisory authority (ICO in the UK; Data Protection Board of India; EU lead supervisory authority) within 72 hours of becoming aware of the breach, where required
• Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms
• Document all personal data breaches in our internal breach register
• Cooperate with regulatory authorities in any investigation or remediation

18. Automated Decision-Making and AI

TNV Global does not currently make decisions about you based solely on automated processing (including profiling) that produce legal effects concerning you or similarly significantly affect you. Our certification decisions are made by qualified human reviewers in accordance with ISO/IEC 17021-1, which expressly requires human decision-making and prohibits the use of automated decision-making for certification outcomes.

Where we use AI tools internally (for example, AI-assisted document review during audits), this is performed under human oversight, and AI does not make final decisions. We do not use AI to make decisions about marketing, pricing, or eligibility that would significantly affect you without human review.

19. Region-Specific Rights

19.1 United Kingdom (UK GDPR / DPA 2018)

If you are located in the United Kingdom, you have the rights set out in Section 12 above. You may lodge a complaint with the Information Commissioner's Office:

• Website: https://ico.org.uk
• Helpline: 0303 123 1113
• Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

19.2 European Economic Area (EU GDPR)

If you are located in the EEA, you have the rights set out in Section 12 above. You may lodge a complaint with the data protection authority in your country of residence. The list of EU data protection authorities is available on the European Data Protection Board website at https://edpb.europa.eu.

19.3 India (DPDP Act 2023)

If you are a data principal in India under the DPDP Act, you have the following rights:

• Right to access: Confirmation of processing and a summary of personal data processed and processing activities.
• Right to correction and erasure: Correction of inaccurate or misleading personal data and erasure of personal data no longer necessary.
• Right of grievance redressal: Readily available grievance redressal through admin@tnvglobal.com.
• Right to nominate: To nominate another individual to exercise rights in the event of your death or incapacity.

You may also lodge a complaint with the Data Protection Board of India once it is operational. Until then, grievances should be raised with TNV Global at admin@tnvglobal.com (subject: "DPDP Grievance").

19.4 California (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (as amended by the California Privacy Rights Act):

• Right to know what personal information is collected, used, shared, or sold
• Right to delete personal information held by us
• Right to opt-out of the sale or sharing of personal information (we do not sell personal information)
• Right to correct inaccurate personal information
• Right to limit use and disclosure of sensitive personal information
• Right to non-discrimination for exercising your rights

To exercise these rights, please contact admin@tnvglobal.com with the subject line "CCPA Request".

20. Complaints to a Supervisory Authority

If you believe that our processing of your personal data infringes data protection law, we encourage you to contact us first so that we may seek to resolve the matter. However, you have the right to lodge a complaint directly with a supervisory authority as set out in Section 19 above.

21. Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. When we make material changes, we will:

• Update the "Last Updated" date at the top of this page
• Where appropriate, notify you by email or through a prominent notice on our Website
• Maintain a version history available on request

Your continued use of our Website or services after material updates constitutes acceptance of the updated Privacy Policy. We encourage you to review this Privacy Policy periodically.

22. Contact Us

If you have questions, concerns, or complaints about this Privacy Policy or our processing of your personal data, please contact us: