GRACEPR

PRIVACY POLICY

GRACEPR ("we", "our", "us") provides a change management and capability maturity services and systems platform ("the Platform"), including:

• Certification programs for users
• Proficiency-centric learning courses
• Organizational change readiness surveys
• Analytics dashboards.

We respect your privacy and are committed to protecting personal data in accordance with global privacy laws, including GDPR (EU/UK), CCPA/CPRA (California), PIPEDA (Canada), Privacy Act (Australia/New Zealand), and other applicable regulations.

By using the Platform, you consent to the collection and use of information as described in this Privacy Policy.

A. Account and Profile Data

• Name, email, job title, organization, and user role
• Passwords and authentication credentials
• Certification history and course progress

B. Transaction and Billing Data

C. Survey and Assessment Data

• Responses to organizational surveys, readiness assessments, and quizzes
• Project and phase identifiers for analysis and reporting
• Aggregated metrics for dashboards.

D. Platform Usage Data

• Login timestamps, feature usage, and navigation behaviours
• IP addresses, device type, browser information
• Cookies, session tokens, and web beacons for analytics and authentication.

E. Third-Party Integration Data

• Data from connected tools (e.g., Typeform for surveys, Power BI for reporting, etc)
• Limited information pulled from external services you authorize.

F. Communications Data

We use personal data to:

• Operate, maintain, and improve the Platform
• Authenticate and manage user accounts
• Deliver certification programs and proficiency courses
• Process payments, subscriptions, and refunds
• Generate and display survey dashboards and analytics
• Provide customer support and respond to inquiries
• Monitor system performance and usage for improvement
• Send updates, security alerts, or marketing communications (where permitted)
• Comply with legal obligations and prevent misuse or fraud.

• Performance of a contract: To deliver services and certifications you request
• Legitimate interests: To secure, optimize, and improve the Platform
• Consent: For marketing communications, surveys, or analytics tracking
• Legal obligation: To comply with applicable laws and audits.

Your data is securely stored in cloud infrastructure and associated analytics or reporting tools (e.g., Power BI).

International transfers are protected by safeguards like:

• Standard Contractual Clauses (SCCs) for EU/UK transfers
• Data protection agreements with service providers
• Encryption of sensitive data in transit and at rest.

We share data only with:

• Service providers (hosting, analytics, email, payment processing)
• Authorized GRACEPR personnel and affiliates under confidentiality agreements
• Legal or regulatory authorities, if required
• Business partners in the event of mergers, acquisitions, or restructuring.

We do not sell any personal information.

• User account data, course completions, and certifications: retained while the account is active + [X months after account closure] as required. X is changeable.
• Survey data: retained for reporting and analytics for the duration of the subscription period
• Anonymized aggregate data may be archived and retained indefinitely for research, analytics, and product improvement.

We may use cookies and similar technologies for:

• Session management and authentication
• Survey analytics and dashboard generation
• Performance monitoring and usage metrics.

You can manage cookies via your browser, though disabling them may limit functionality.

Depending on your jurisdiction, you may:

• Access, correct, or delete your personal data
• Request restriction of processing or object to certain processing
• Withdraw consent where applicable
• Request data portability for your account and survey responses.

California residents have additional rights under CCPA/CPRA. Requests can be submitted to us via email [contact us via www.gracepr.io]. Identity verification may be required.

We implement:

• Encryption for data at rest and in transit
• Role-based access control and multi-factor authentication
• Regular security audits and vulnerability testing.

While we use industry-standard protections, no system is completely secure.

We integrate with third-party tools for surveys and analytics.  Their privacy practices are governed by their own policies. GRACEPR is not responsible for third-party data handling.

The Platform is not intended for children under 16. We do not knowingly collect information from children.

Changes will be posted on this page with a new "Last Updated" date. Significant changes may be communicated directly to users.

Email: see www.gracepr.io for latest email.

Address: New Zealand

Data Protection Officer: Not Applicable.

GRACEPR

GDPR Privacy Policy

GRACEPR (“we,” “our,” “us”) operates the www. Gracepr.io website and SaaS platform known as GRACEPR (the “Platform”). Our services include online certification programs, readiness and capability surveys, and analytics dashboards for clients and practitioners.

We are committed to protecting the personal data of everyone who interacts with our system - whether you're a certified professional, a client administrator, a survey respondent, or a casual visitor. This policy explains how we collect, use, and protect that data, in compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and related privacy laws.

For most processing activities, GRACEPR is the Data Controller. For survey and analytics data uploaded by clients, we act as a Data Processor on behalf of those clients.

GRACEPR

New Zealand

Email: See www.gracepr.io for latest email.

3. Data We Collect

We collect and process the following data depending on your relationship with the Platform:

a. For Certified Users and Course Participants

• Name, email address, company name, and contact details
• Account login information
• Course progress, assessment results, and certification status
• Payment and billing data (processed through secure third-party providers).

b. For Clients and Organizations

• Account and administrative contact details
• Client identifiers and domains
• Data relating to purchased surveys or certification seats
• Dashboard activity and configuration details.

c. For Survey Respondents

• Responses to survey questions (which may include opinions, role-related info, or demographic data depending on survey design)
• Metadata such as IP address, browser type, time of submission, and client/project identifiers
• Respondents are never required to provide personal identifiers unless the survey specifically asks for them and you choose to provide them.

d. Automatically Collected Data

• Usage logs, browser type, device information, and IP addresses
• Cookies and analytics data to improve platform performance and user experience.

4. Legal Basis for Processing

We process personal data under the following legal bases:

• Contractual necessity: To deliver certification programs, process purchases, or enable surveys.
• Legitimate interest: To operate and improve our Platform, ensure system security, and maintain client relationships.
• Legal obligation: To comply with accounting, tax, or regulatory duties.
• Consent: For marketing communications and optional analytics tracking.

5. How We Use Data

We use your information to:

• Create and manage user accounts and certifications
• Deliver survey and reporting services to clients
• Maintain dashboards summarising project, phase, and client performance
• Provide technical support and respond to inquiries
• Send service or certification updates
• Improve system functionality and reliability
• Comply with applicable legal requirements

Survey data may be aggregated and anonymised to produce benchmarks or insights. No individual respondent is identifiable in aggregated outputs.

6. Data Roles

• Clients act as Data Controllers for any survey data they collect or upload.
• We act as a Data Processor, managing and storing data securely on their behalf.
• For certification users or site members, we are the Data Controller for the information you provide directly to us.

7. Data Sharing

We may share limited data with:

• Hosting and infrastructure providers (e.g., database, analytics, email delivery)
• Payment processors (for billing and renewals)
• Accreditation or certification verification services (when you authorise sharing your certification status)
• Regulators or authorities when legally required

All vendors are bound by GDPR-compliant data processing agreements.

8. International Transfers

If data is transferred outside the European Economic Area (EEA), we ensure adequate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission or equivalent protections.

9. Data Retention

We retain:

• Certification and course data for as long as your certification remains valid or your account is active.
• Client and survey data for the duration of your subscription plus [X] months for auditing and renewal purposes.
• Aggregated or anonymised data indefinitely for research and benchmarking.

When retention periods expire, personal data is securely deleted or anonymised.

10. Your GDPR Rights

You have the right to:

• Access and receive a copy of your personal data
• Correct or update inaccurate information
• Request deletion of your data (“right to be forgotten”)
• Restrict or object to processing
• Request data portability
• Withdraw consent (where processing is based on consent).

To exercise your rights, contact us at www.gracepr.io. We will respond within the GDPR-required timeframes.

11. Data Security

We use encryption, role-based access, and network monitoring to protect all data in transit and at rest. Access to sensitive data is restricted to authorised personnel only. Regular backups and security audits are conducted to ensure integrity.

No digital system is perfectly secure, but we take every reasonable technical and organisational measure to minimise risk.

12. Cookies and Tracking

We use cookies and analytics tools for:

• Authentication and session management
• Performance tracking and error monitoring
• Optional analytics and marketing (only with consent)

You can manage or withdraw cookie preferences through your browser or our consent banner.

13. Sub-Processors

A list of our approved sub-processors is available upon request and includes hosting, analytics, and payment service providers operating under GDPR-aligned contracts.

14. Updates to This Policy

We may revise this policy from time to time. The latest version will always be posted on our website, with an updated 'Effective Date.' Substantial changes may be communicated by email or in-app notice.

15. Contact

Data Protection Officer (DPO):

GRACEPR

Email: See www.gracepr.io for latest email.

If you are unsatisfied with our response, you have the right to contact your local Data Protection Authority (DPA).