This Privacy Policy explains how IVQA ("we", "us") collects, uses, discloses, stores, and protects Personal Data when you access IVQA.org or use our services (QR verification, verification pages, dashboards, APIs, and related tools).

We aim to protect Personal Data in line with applicable privacy laws (including GDPR/UK GDPR where applicable and Moroccan Law No. 09-08) and ISO/IEC 27001-aligned information security principles.

Definitions

Personal Data: Any information relating to an identified or identifiable natural person.

Controller: The entity that determines the purposes and means of processing Personal Data.

Processor: The entity that processes Personal Data on behalf of a Controller.

Organization / Customer: An organization subscribing to IVQA Services.

End-User / Holder: An individual whose credential or document is issued, verified, or displayed through IVQA Services.

Roles

IVQA acts as a Data Controller for website visitors, prospective customers, organization administrators, billing, support, and business communications.

IVQA acts as a Data Processor when an Organization uploads, creates, or manages verification records. In that case, the Organization remains the Data Controller and IVQA processes the data only to provide the service and under contractual instructions.

Data collection & use

Data you provide

• Identification and contact details (name, email, phone, job title, organization).
• Account credentials and access roles.
• Billing/invoicing information (payments handled by third-party providers).
• Support communications and attachments.

Data collected automatically

• IP address and device identifiers, browser/OS details.
• Access timestamps, referral URLs, usage and security logs.
• Audit logs to protect the platform and investigate abuse.

Data received from Organizations or third parties

• Credential record data uploaded by Organizations for verification (e.g., holder name, title, issuer, issue date, status, QR token).
• B2B contact information obtained lawfully in a professional context.

We do not sell Personal Data. We share Personal Data only with service providers (hosting, security, email, analytics, payment processing), Organizations (according to their visibility settings), and authorities where legally required.

Legal basis

Where GDPR/UK GDPR applies, we rely on one or more legal bases depending on the context:

• Contract (to provide the services you request).
• Legitimate interests (security, fraud prevention, service improvement).
• Legal obligation (compliance and recordkeeping where required).
• Consent (where required, for example for certain cookies/marketing). Consent can be withdrawn anytime.

Verification pages

Verification pages are designed to confirm authenticity while respecting data minimization. Displayed information is limited to what is necessary and what the issuing Organization configures. IVQA does not independently expand or alter publicly visible data.

International transfer

Personal Data may be processed or stored outside the country of origin. Where required, IVQA implements appropriate safeguards (such as contractual protections) to ensure adequate protection.

Retention

We retain Personal Data only for as long as necessary to provide services, meet legal/contractual obligations, resolve disputes, and enforce agreements. Data is deleted, anonymized, or securely archived when no longer required.

Security

IVQA uses technical and organizational measures aligned with ISO/IEC 27001 principles, including:

• Access control and role-based permissions.
• Encryption in transit.
• Logging, monitoring, and audit trails.
• Secure development and incident response procedures.

Your rights

Depending on applicable law, you may have rights to:

• Access and correct Personal Data.
• Request deletion or restriction of processing.
• Object to processing and request portability (where applicable).
• Withdraw consent (where processing is based on consent).
• Lodge a complaint with a supervisory authority.

Where IVQA acts as a Processor for verification records, requests may be redirected to the issuing Organization (the Data Controller).

Cookie policy

We use essential cookies for security and site functionality and, where permitted, analytics cookies to improve services. You can manage cookies through your browser settings and cookie banners where required.

Children

IVQA does not knowingly collect Personal Data from individuals under 18. If such data is identified, it will be deleted without delay.

Third-party sites

IVQA websites may contain links to third-party websites. This Privacy Policy does not apply to those websites, and IVQA is not responsible for their privacy practices.

Contact

Email: privacy@ivqa.org
Subject: Privacy Request – IVQA

Changes

This Privacy Policy may be updated periodically. Material changes will be published on IVQA.org and become effective upon publication.