Privacy Notice
This notice is valid as of 12 June 2025. It is reviewed periodically and at least annually to ensure compliance with the General Data Protection Regulation and legislative requirements defined by law, where appropriate. It is applicable for the following users:
- Marketing Communications
- Members
- IPAF Approved Training Centres
- IPAF Licence Holders and Candidates
- Facial Recognition in eLearning
- Event Bookings
- IPAF Swiss eShop
What we mean by personal data
Personal data is defined within GDPR as ‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’ (Article 4, GDPR).
Representation for data subjects in the EU
IPAF values your privacy and your rights as a data subject and has therefore appointed Prighter Group with its local partners as our privacy representative and your point of contact.
Prighter gives you an easy way to exercise your privacy-related rights (e.g. requests to access or erase personal data). If you want to contact us via our representative Prighter or make use of your data subject rights, please visit the following website: https://prighter.com/q/16332056486
Marketing Communications
Why we collect and process data, and what we will collect
When you sign up to our mailing list, you consent to IPAF collecting the following personal data about you:
- Name
- Company
- Job Title
- Country
- IP Address (where applicable)
IPAF collects this information to provide you with the marketing communications you have requested.
You will always have the option on our marketing emails to opt out or update your subscriptions at any time. Your data is stored and processed through Click in the EU. We will never pass your details on to any third parties or send you irrelevant email. You will still receive transactional emails for event booking confirmations, invoices and if applicable, membership/training correspondence.
Website
When you visit our website, we may collect limited information about your visit (such as IP address and browser type) to help us improve our services. For more details on the cookies we use and to manage your preferences, please refer to our Cookie Policy and the cookie consent banner displayed when you first visit the site.
You can update your preferences or withdraw consent at any time by clicking the cookie settings link available on our website.
Members
Why we collect and process data, and what we will collect
IPAF collects the following information about you as is necessary for the performance of our contract (membership administration) with you:
- Contact information (name, email, phone number, address, job title)
For some members, this will include information that is not classed as personal data.
IPAF collects this information to fulfil its contract with you. If you have any concerns or queries around collection of personal data, you can contact IPAF’s Privacy Manager via email at privacy@ipaf.org.
Who has access to personal data
IPAF is the data controller for the information identified above. In order to provide users with the correct level of service, and to fulfil our contract with you, this information is shared with some third parties:
- Payment information is processed by third party payment gateways. IPAF handles payment information in a PCI-DSS compliant manner.
- IPAF uses external development and IT support companies, who are based in the UK and EEA. Sometimes, individuals from these companies may come into contact with your personal data whilst providing services to IPAF. These third parties are subject to contracts detailing how they treat personal data and cannot use your information for any other purposes.
- Independent auditors may come into contact with your personal data when conducting audits of Training Centres, Instructors, and Rental Depots. These auditors are subject to contracts detailing how they treat personal data and cannot use your information for any other purposes.
- Member contact information is shared on the IPAF website Member’s Directory and in IPAF issued publications such as magazines and annual reports. Any members who do not wish to have their contact information shared in this manner must contact the Privacy Manager.
Personal data is subject to access control: access is restricted as much as possible to those with a need to know. The information that IPAF holds is not sold to other parties but may be made available to third parties via API for development of applications and services (such as telematics or site management apps) that utilise the data IPAF holds. This could include your personal information. Data will only be shared with approved third parties, who must continue to process your data in accordance with IPAF’s policies. IPAF does not use profiling or automated decision making based on personal data. However, third parties making use of the IPAF API may incorporate these features into applications they have developed. Third party applications must request specific consent from you as the user before processing your data in this way. For further information please contact the Privacy Manager.
How long is personal data stored for
IPAF will not retain personal data for longer than necessary to perform our lawful processing. Some information must be kept for longer due to legal and regulatory obligations.
Data subject rights
As a data subject, you have certain rights:
- The right to be informed
- The right to access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights surrounding profiling and automated decision making
IPAF Approved Training Centres
Why we collect and process data, and what we will collect
IPAF collects this information to fulfil its contract (training provision administration) with you:
- Contact information (name, email, phone number, address, job title)
For some IPAF Approved Training Centres, this will include information that is not classed as personal data.
Where this information is not provided, IPAF cannot fulfil a contract with you. If you have any concerns or queries around collection of personal data, you can contact privacy@ipaf.org.
As an IPAF Approved Training Centre, you act as an independent data controller for the personal data you collect and process in the course of providing training services. This means you must ensure that licence holders and candidates are provided with your own privacy notice at the point of data collection.
Where you share personal data with IPAF for purposes such as registration and licence issuance, IPAF becomes a separate and independent data controller of that information. You must also direct licence holders and candidates to the relevant section of this IPAF privacy notice to explain how IPAF will use their data.
Who has access to personal data
IPAF is the data controller for the information it collects directly and for information shared with it by IPAF Approved Training Centres for registration and licensing purposes. In order to provide users with the correct level of service, and to fulfil our contract with you, IPAF shares information with some third parties:
- Payment information is processed by third party payment gateways. IPAF handles payment information in a PCI-DSS compliant manner.
- IPAF uses external development and IT support companies, who are based in the UK and EEA. Sometimes, individuals from these companies may come into contact with your personal data whilst providing services to IPAF. These third parties are subject to contracts detailing how they treat personal data and cannot use your information for any other purposes.
- Independent auditors may come into contact with your personal data when conducting audits of Training Centres, Instructors, and Rental Depots. These auditors are subject to contracts detailing how they treat personal data and cannot use your information for any other purposes.
Personal data is subject to access control: access is restricted as much as possible to those with a need to know. The information IPAF holds is not sold or made available for use by other entities.
No profiling or automated decision making based on personal data is used by IPAF.
How long is personal data stored for
IPAF will not retain personal data for longer than necessary to perform our lawful processing. Some information must be kept for longer due to legal and regulatory obligations.
Data subject rights
As a data subject, you have certain rights:
- The right to be informed
- The right to access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights surrounding profiling and automated decision making
IPAF Licence Holders and Candidates
Why we collect and process data, and what we will collect
IPAF collects the following information about you as is necessary for the performance of our contract (training administration) with you:
- Contact information (name, email, phone number, address, job title)
- Date of birth
- Photo
- National Insurance Number (where applicable)
- IPAF Powered Access Licence number
Where this information is not provided, IPAF cannot fulfil a contract with you. If you have any concerns or queries around collection of personal data, you can contact privacy@ipaf.org.
National Insurance Number (Optional – UK Candidates Only)
If you are a UK-based IPAF Licence applicant and wish to include the CSCS logo on your IPAF PAL Card, you are required to provide your National Insurance Number for a one-time verification with the Construction Industry Training Board (CITB) to confirm successful completion of the Health, Safety and Environment (HS&E) test. Your National Insurance Number is not stored by IPAF after this verification, although the IPAF Approved Training Centre may retain it according to their own privacy notice.
If you do not wish to include the CSCS logo on your PAL Card, providing your National Insurance Number is not required.
Who has access to personal data
IPAF is the data controller for the information it collects directly and for information shared with it by IPAF Approved Training Centres for registration and licensing purposes.
IPAF Approved Training Centres act as independent data controllers for personal data they collect and use within their own businesses (such as for managing training, certification, invoicing, and communication). Each IPAF Approved Training Centre is responsible for providing their own privacy notice covering their processing activities.
When IPAF Approved Training Centres share data with IPAF for the purposes of registration and issuing licences, IPAF becomes a separate and independent controller of that data.
To support training administration or audits, IPAF may share relevant candidate or licence holder data with the original Training Centre, including information from their IPAF ID account where details have been provided.
In order to provide users with the correct level of service, and to fulfil our contract with you, IPAF shares information with some third parties:
- The IPAF Approved Training Centre where you completed your training will hold a copy of information they collect.
- Payment information is processed by third party payment gateways.
- IPAF uses external development and IT support companies, who are based in the UK and EEA. Sometimes, individuals from these companies may come into contact with your personal data whilst providing services to IPAF. These third parties are subject to contracts detailing how they treat personal data and cannot use your information for any other purposes.
- The IPAF website contains a verification tool which allows anyone to search for a licence number. By searching for your licence number, it is possible to view information from your licence including your name.
- Independent auditors may come into contact with your personal data when conducting audits of Training Centres, Instructors, and Rental Depots. These auditors are subject to contracts detailing how they treat personal data and cannot use your information for any other purposes.
Personal data is subject to access control: access is restricted as much as possible to those with a need to know. The information IPAF holds is not sold or made available for use by other entities.
No profiling or automated decision making based on personal data is used by IPAF.
How long is personal data stored for
IPAF will not retain personal data for longer than necessary to perform our lawful processing. Some information must be kept for longer due to legal and regulatory obligations. We will keep name and contact information, date of birth, photo and IPAF Powered Access Licence number for 6 years. After this time, we will keep name, date of birth, photo and IPAF Powered Access Licence.
Data subject rights
As a data subject, you have certain rights:
- The right to be informed
- The right to access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights surrounding profiling and automated decision making
Data Sharing for Industry Projects
IPAF does not sell your personal data or make it available to third parties for marketing purposes. We only share limited, anonymised, or pseudonymised data with third parties when necessary to support industry-wide initiatives. In such cases, the data is processed to provide aggregated insights that help improve workforce planning, training, and safety in the industry. This shared data will not be used to identify you as an individual.
FACIAL RECOGNITION IN ELEARNING
For certain eLearning courses, IPAF uses facial recognition technology to help verify the identity of registered learners. This is to ensure the integrity of our training and confirm that only the enrolled candidate is completing the course.
IPAF’s eLearning is delivered through a third-party Learning Management System (LMS), provided by Sponge Group Limited. The LMS uses Amazon Rekognition, a service operated by Amazon Web Services (AWS), to perform facial recognition checks. This technology captures a live image via the learner’s webcam and compares it against previous images taken during the session, solely for the purpose of verifying identity.
Facial images are encrypted and stored securely within the European Union, using AWS data centres.
We process this data based on your consent, the necessity to perform our contract with you (to deliver certified eLearning), and IPAF’s legitimate interest in protecting the integrity of its training and certification programmes.
We do not share these images with any other parties except the third-party providers listed here (Sponge Group Limited and Amazon Web Services), solely to facilitate the delivery of our services. These providers are subject to data protection agreements and cannot use the data for any other purpose.
Use of facial recognition is limited to specific eLearning courses. Learners are informed in advance when it is required. Alternatives are available through IPAF Approved Training Centres for those who are unable or unwilling to use a webcam for verification.
For more information on how Sponge and Amazon Web Services handle personal data, please see:
If you have questions or concerns about this feature, please contact us at privacy@ipaf.org.
EVENT BOOKINGS
When you register to attend an IPAF event, we collect and process your personal data for the purpose of managing your booking, providing event-related communications, and where applicable, handling payment. The information we collect typically includes your name, contact details, organisation (if relevant), and any preferences or requirements you may submit.
If the event requires payment, transactions are processed securely by our payment provider, Stripe Payments Europe, Ltd (“Stripe”). Stripe acts as our data processor and only processes your information in accordance with our instructions and applicable data protection laws. IPAF does not store your payment card information.
You can find more information about how Stripe processes data in its Privacy Policy.
Booking on behalf of others
If you register on behalf of other individuals, you must ensure you have their authority to provide their personal data to IPAF. Those individuals should also be made aware of this privacy notice and how we will use their information. Where applicable, we may contact attendees directly to confirm their registration or to provide essential event information.
IPAF SWISS ESHOP
If you place an order through the IPAF Swiss eShop (www.ipafshop.ch), we collect the personal data necessary to process your purchase and deliver the goods you have ordered. This may include your name, delivery address, email address, and order details.
Orders placed via the Swiss eShop are fulfilled by our partner, Sulser Group AG, a Swiss-based print and logistics provider. To fulfil your order, IPAF securely shares your order information with Sulser by email. Sulser processes this data solely for the purpose of producing and dispatching the requested materials on our behalf. They do not use your personal data for any other purpose and are contractually bound to comply with data protection requirements in line with data protection laws.
Your personal data is kept only for as long as necessary to fulfil your order and meet legal or accounting obligations. If you have any questions about how your data is processed in relation to the Swiss eShop, please contact privacy@ipaf.org.
CUSTOMER SUPPORT AND CONTACT CHANNELS
If you contact IPAF for support or assistance (e.g. via the IPAF website, IPAF Portal, ePAL app, eLearning platform, or help centre), we may collect your name, contact details, IPAF ID or licence number, language preference, date of birth, and details of your enquiry. Technical information such as device type or system data may also be collected to help resolve the issue.
This information is used to verify your identity, manage and respond to your enquiry, and maintain a record of support requests. Support cases are handled through contracted third-party systems under strict data protection agreements.
Support contact may take place via phone, email or webchat:
- Telephone: Calls to IPAF’s main numbers are logged using the caller’s phone number and may be recorded, transcribed, and summarised using AI tools.
- Email: Messages to info@ipaf.org are logged using the sender’s email and summarised automatically.
- Webchat: Webchat on our websites and portals collects name and email to allow follow-up. Conversations may also be transcribed and summarised.
We may link information from multiple contact channels to build a unified customer profile. This helps us respond more effectively and improve your experience. Associated data may include contact details, job role, organisation, and location.
All personal data is stored securely and only accessed by authorised personnel. Call recordings are retained for up to 12 months. Message transcriptions are stored for 180 days.
Contact records are retained for 12 months from the last interaction, unless a longer period is required by legal or contractual obligations.
Third Party Processors
To support our services, IPAF engages with selected third-party processors who handle personal data on our behalf. These processors operate under strict contractual agreements to ensure data protection compliance.
Processor | Purpose | Data Categories | Security Measures |
---|---|---|---|
Sponge | Learning Management System (LMS) for eLearning delivery | Name, email address, training records | Data encryption, access controls |
Amazon Web Services (AWS) | Cloud hosting and storage for LMS; facial recognition via Amazon Rekognition | Name, facial images, training data | Data encryption at rest and in transit, access controls |
Click | Email and marketing automation; sends emails via Click’s infrastructure | Name, email address, email interaction data | EU-based servers, data encryption, access controls |
Zendesk | Helpdesk ticket management system for support and contact tracking | Name, email address, message content | Access controls, audit logs |
Talkdesk Inc | Contact Centre as a Service (CCaaS) platform for multi-channel communications | Name, email address, phone number, call/chat transcripts | Encryption, access controls, EU hosting option enabled |
External Development and IT Support Companies | System development and technical support | Various personal data depending on support tasks | Confidentiality agreements, access controls |
Payment Gateways | Processing of payments | Payment information, name, contact details | PCI-DSS compliance, data encryption |
Independent Auditors | Auditing of Training Centres, Instructors, and Rental Depots | Training records, contact information | Confidentiality agreements, access controls |
Note: The specific security measures implemented by each processor may vary. IPAF ensures that all processors adhere to appropriate data protection standards.
For more information about any of these processors or how your data is handled, please contact us at privacy@ipaf.org.