Privacy Policy
Effective date: [July 2025]
1. Introduction
The International Vital Code Association ("IVCA", "we", "us", "our") is the international professional body for Vital Code practitioners. We are committed to protecting your personal data and handling it responsibly and transparently. This Privacy Policy explains how we collect, use, store, and share your information when you interact with our website (ivca.ie) and our services, including membership, certification, the practitioner directory, the credential verification system, events, and continuing professional development (CPD) programmes.
IVCA is the data controller for the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and applicable Irish and European data protection legislation. Our registered office is at [Registered address], Ireland.
This policy applies to all individuals who visit our website, apply for or hold IVCA membership, use our verification services, attend our events, submit complaints, or otherwise engage with IVCA. We encourage you to read this policy carefully. If you have any questions, you may contact us at privacy@ivca.ie at any time.
This Privacy Policy should be read alongside our Terms of Use and Cookie Policy, which provide further information about how we operate our website and services.
2. What Data We Collect
We collect different categories of personal data depending on how you interact with IVCA. The types of data we collect include the following:
From website visitors
- IP address, browser type, operating system, and device information (collected automatically via server logs)
- Pages visited, time spent on pages, referring URLs, and other usage data (via analytics tools)
- Cookie and similar technology data (see our Cookie Policy for full details)
- Information you voluntarily submit via contact forms, including your name, email address, and the content of your message
- Email address if you subscribe to our newsletter or event notifications
From members and certification applicants
- Identity data: Full name, date of birth, nationality, and a photograph for your practitioner profile
- Contact data: Email address, telephone number, postal address
- Professional data: Qualifications, training history, certificates from authorised training providers, supervised practice records, and examination results
- Certification data: Certification level, credential designation, validity dates, credential status, CPD records, and renewal history
- Financial data: Payment information for membership fees and event registrations (card details are processed directly by our payment provider — IVCA does not store card numbers)
- Directory profile data: Professional biography, areas of specialisation, languages spoken, practice location, website URL, and other information you choose to make publicly available
- Account data: Username, encrypted password, login history, and account preferences
From authorised trainers
- All data listed above for members, plus additional information relating to your training programme: curriculum documentation, candidate outcome data, quality assurance records, and re-authorisation materials
From event attendees
- Name, email address, organisation, dietary or accessibility requirements (for in-person events), and any other information you provide during registration
From complainants and subjects of complaints
- Name, contact details, the substance of the complaint, and any supporting documentation provided during the complaints process
- Correspondence and records generated during the investigation and resolution of complaints
3. How We Collect Data
We collect personal data through three principal means:
Directly from you
Most of the data we hold is provided directly by you when you create an account, apply for membership, submit a certification application, register for events, complete your directory profile, submit a complaint, or contact us. You are not obliged to provide personal data, but certain information is required for us to process your application or deliver our services.
Automatically when you use our website
When you visit ivca.ie, we automatically collect certain technical and usage data through server logs, cookies, and analytics tools. This includes your IP address, browser type, pages visited, and interaction patterns. For detailed information about the cookies we use and how to manage them, please see our Cookie Policy.
From third parties
In limited circumstances, we may receive personal data from third parties, including:
- Authorised training providers: Confirmation of training completion and candidate assessment results, submitted as part of the certification process
- Payment processors: Transaction confirmation and billing status (but not full card numbers)
- Public sources: Publicly available professional registration data, where relevant to verifying qualifications
4. How We Use Your Data
We use your personal data for the following purposes:
- Membership administration: Processing applications, managing your account, communicating about your membership status, processing renewals, and maintaining accurate records of the membership register
- Certification and credentialing: Assessing applications against certification criteria, verifying qualifications and supervised practice, issuing credential designations, and maintaining the professional register
- Continuing professional development: Tracking CPD activities, verifying compliance with annual CPD requirements, conducting CPD audits, and communicating about CPD deadlines and obligations
- Practitioner directory: Displaying your professional profile in the public directory so that members of the public, employers, and other professionals can find and verify certified practitioners. Optional fields (bio, specialisations, contact details) are published only with your consent
- Public verification: Making your credential status — including your name, certification level, validity dates, and current status (active, expired, suspended, or revoked) — available through our public verification system. This is a core function of IVCA as a professional register
- Trainer authorisation: Evaluating and monitoring authorised training providers, reviewing curricula, and tracking candidate outcomes
- Events: Managing registrations, issuing confirmations and joining instructions, recording CPD hours for attendees, and planning future events
- Communication: Responding to enquiries, sending service-related notifications (such as renewal reminders and policy updates), and delivering newsletters or updates you have subscribed to
- Complaints and disciplinary processes: Investigating complaints in accordance with our Ethics and Complaints Procedure, communicating with parties involved, and implementing outcomes
- Governance: Supporting the work of the IVCA Board, committees, and advisory panels in fulfilling their governance responsibilities
- Website improvement: Analysing anonymised and aggregated usage data to improve website performance, accessibility, and user experience
- Legal compliance: Meeting our obligations under applicable law, responding to lawful requests from authorities, and establishing, exercising, or defending legal claims
5. Legal Basis for Processing
Under GDPR Article 6, we must have a lawful basis for each processing activity. The table below summarises the legal bases we rely upon:
| Processing Activity | Legal Basis |
|---|---|
| Processing membership applications and managing your account | Contract — necessary for the performance of the membership agreement |
| Certification assessment and credential issuance | Contract — necessary to deliver the certification service you have applied for |
| Maintaining the professional register and public verification system | Legitimate interest — IVCA's core purpose as a professional body requires a public register for public protection and professional accountability |
| CPD tracking and compliance auditing | Contract — CPD is a condition of ongoing certification |
| Publishing optional directory profile fields (bio, specialisations, contact details) | Consent — you choose which optional fields to complete and publish |
| Sending marketing communications and newsletters | Consent — you actively subscribe and may unsubscribe at any time |
| Investigating complaints | Legitimate interest — upholding professional standards and protecting the public |
| Website analytics and improvement | Legitimate interest — improving website functionality and user experience (with anonymised data where possible) |
| Processing payments | Contract — necessary to collect fees under the membership agreement |
| Responding to legal requests or obligations | Legal obligation — where processing is required by applicable law |
Where we rely on legitimate interest, we have conducted a balancing assessment to ensure that our interests do not override your fundamental rights and freedoms. You may request a copy of these assessments by contacting privacy@ivca.ie.
6. Public Verification and Directory
IVCA exists to provide a trusted, transparent register of certified Vital Code practitioners. Public access to credential data is fundamental to this mission. If you are an IVCA member, the following information is made publicly available through the practitioner directory and the credential verification system:
Mandatory public data (condition of membership)
- Your full name
- Your certification level and credential designation (e.g., VCP, SVCP)
- Your certification validity dates (date of issue and expiry)
- Your credential status: active, expired, suspended, or revoked
Publication of this data is a condition of membership and certification. It is necessary for IVCA to fulfil its purpose as a public register and serves the legitimate interest of public protection. This data remains visible for as long as you hold active certification, and historical records may be retained for verification and regulatory purposes after certification lapses.
Optional directory data (your choice)
- Your practice location (city and country)
- Your professional biography
- Your areas of specialisation
- Your languages spoken
- Your contact information, website URL, or social media links
- A professional photograph
You control which optional fields are completed and displayed. You may add, edit, or remove optional directory information at any time through your member account. Removing optional information takes effect immediately.
If you cancel your membership, your directory listing is removed. However, your credential record (name, level, dates, and status — marked as "lapsed" or "cancelled") may remain in the verification system as part of the permanent professional register.
7. Who We Share Your Data With
We do not sell, rent, or trade your personal data. We share data only in the following circumstances and with the following categories of recipients:
- Payment processors: We use Stripe to process membership fees and event payments. Stripe acts as an independent data controller for payment card data. IVCA does not have access to your full card number. See Stripe's Privacy Policy
- Email service providers: We use a third-party email service to deliver transactional emails (account confirmations, renewal reminders, CPD notifications) and marketing communications (newsletters, event announcements). Your email address and name are shared with this provider solely for the purpose of delivering these messages
- Hosting and infrastructure providers: Our website and member database are hosted on servers located within the European Union. Our hosting provider processes data on our behalf under a GDPR-compliant data processing agreement
- Analytics providers: We use Google Analytics to collect anonymised website usage data. See our Cookie Policy for details on what is collected and how to opt out
- Professional advisors: In limited circumstances, we may share data with legal, accounting, or insurance advisors, under professional confidentiality obligations
- Regulatory and legal bodies: We may disclose data where required by law, regulation, or legal process, or where necessary to protect the rights, property, or safety of IVCA, our members, or the public
- Complaints panels: Where a complaint is investigated, relevant information is shared with members of the independent complaints panel, who are bound by confidentiality obligations
All third-party processors acting on our behalf are bound by data processing agreements that comply with GDPR Article 28. We conduct due diligence on our processors and review these agreements periodically.
8. International Data Transfers
IVCA is headquartered in Ireland and our primary data storage is within the European Economic Area (EEA). However, some of the third-party services we use may process data outside the EEA — for example, Stripe and Google maintain infrastructure in the United States.
Where personal data is transferred outside the EEA, we ensure that appropriate safeguards are in place, including:
- Adequacy decisions: Transfers to countries recognised by the European Commission as providing an adequate level of data protection
- Standard Contractual Clauses (SCCs): Where no adequacy decision exists, we rely on the European Commission's Standard Contractual Clauses to provide appropriate safeguards for the transfer
- Supplementary measures: Where required by the circumstances, we implement additional technical or organisational measures to ensure the transferred data receives an equivalent level of protection
IVCA does not transfer personal data to countries or organisations that lack appropriate safeguards. You may request further information about the specific safeguards we use by contacting privacy@ivca.ie.
9. Data Security
We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption: Data transmitted between your browser and our servers is protected by TLS (Transport Layer Security) encryption. Sensitive data at rest is encrypted using industry-standard algorithms
- Access controls: Access to personal data is restricted to authorised IVCA staff and contractors on a need-to-know basis. All staff with access to personal data are bound by confidentiality obligations
- Authentication: Member accounts are protected by password-based authentication. We strongly encourage the use of unique, strong passwords
- Infrastructure security: Our hosting environment employs firewalls, intrusion detection, regular security patching, and automated backups
- Incident response: We maintain a data breach response plan. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Data Protection Commission within 72 hours and, where required, notify affected individuals without undue delay
- Vendor assessment: Third-party processors are assessed for their security practices before engagement and are required to maintain appropriate security measures under their data processing agreements
While we strive to use commercially acceptable means to protect your personal data, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to continuously reviewing and improving our security measures.
10. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. The table below summarises our retention periods:
| Data Category | Retention Period | Rationale |
|---|---|---|
| Active member account and profile data | Duration of membership plus 2 years | Account administration, re-activation window, and follow-up communications |
| Certification and credential records | Indefinitely (permanent register) | Historical verification, regulatory purposes, and the integrity of the professional register |
| CPD records | Duration of membership plus 6 years | Audit trail and regulatory compliance |
| Financial and payment records | 7 years from the transaction date | Irish tax and accounting legislation |
| Complaint records | 7 years following resolution | Legal and regulatory obligations; potential future proceedings |
| Contact form submissions | 12 months from submission | Follow-up and quality assurance; deleted thereafter |
| Event registration data | 2 years from the event date | CPD verification and event planning |
| Newsletter subscriber data | Until you unsubscribe | Consent-based; deleted upon withdrawal of consent |
| Website analytics data | 26 months (anonymised) | Website performance analysis; data is anonymised and cannot identify individuals |
| Server logs | 90 days | Security monitoring and troubleshooting |
When data is no longer required, it is securely deleted or irreversibly anonymised. Certification records retained as part of the permanent register are maintained in a reduced form containing only the data necessary for historical verification (name, credential level, dates, and status).
11. Your Rights Under GDPR
Under the General Data Protection Regulation, you have the following rights in relation to your personal data:
- Right of access (Article 15): You have the right to request a copy of the personal data we hold about you, together with information about how it is processed. We will respond to your request within one month. There is no fee for the first copy; additional copies may be subject to a reasonable administrative charge
- Right to rectification (Article 16): If any of the personal data we hold about you is inaccurate or incomplete, you have the right to have it corrected. Members can update most data directly through their account; alternatively, contact us and we will make the correction promptly
- Right to erasure (Article 17): You may request that we delete your personal data. We will comply where there is no overriding legal or contractual reason to retain it. Please note that certain data — particularly certification records forming part of the permanent professional register — may be exempt from erasure where retention is necessary for reasons of public interest or legal obligation
- Right to restriction (Article 18): You may request that we restrict the processing of your data in certain circumstances — for example, while we verify the accuracy of contested data, or where you have objected to processing pending our assessment
- Right to data portability (Article 20): Where processing is based on consent or contract and carried out by automated means, you have the right to receive the personal data you provided to us in a structured, commonly used, machine-readable format (e.g., CSV or JSON), and to transmit it to another controller
- Right to object (Article 21): You have the right to object to processing based on legitimate interest. Upon receiving an objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms
- Right to withdraw consent (Article 7): Where processing is based on your consent (e.g., marketing communications, optional directory fields), you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal
How to exercise your rights
To exercise any of these rights, please contact us at privacy@ivca.ie. We may ask you to verify your identity before processing your request, to ensure the security of your data. We will respond within one month of receiving your verified request. If your request is complex or we receive a large number of requests, we may extend this period by a further two months, and we will inform you of any such extension within the initial one-month period.
Right to complain
If you are dissatisfied with how we handle your data or respond to your request, you have the right to lodge a complaint with your local data protection supervisory authority. In Ireland, this is the Data Protection Commission:
Data Protection Commission
21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
Website: dataprotection.ie
Phone: +353 (0)1 765 0100 / 1800 437 737
12. Automated Decision-Making
IVCA does not use automated decision-making or profiling, as defined by GDPR Article 22, in a way that produces legal effects or similarly significant effects on individuals.
All decisions relating to certification, membership, complaints, and disciplinary outcomes are made by qualified individuals or panels, with appropriate human oversight. While we may use automated tools for administrative tasks (such as CPD tracking calculations or renewal reminders), no decisions with significant consequences are made solely by automated means.
13. Children's Data
IVCA's services are designed for adult professionals and are not directed at children. We do not knowingly collect personal data from individuals under the age of 16. If you are a parent or guardian and believe that a child under 16 has provided personal data to IVCA, please contact us at privacy@ivca.ie, and we will take steps to delete the data promptly.
Applicants for IVCA membership and certification must be at least 18 years of age.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the services we offer. When we make changes:
- The "Effective date" at the top of this page will be updated to reflect the date of the latest revision
- For minor changes (clarifications, formatting), the updated policy will simply be published on this page
- For material changes that affect how we process your data, we will take reasonable steps to notify you in advance — for example, by email to our members or by a prominent notice on our website — at least 30 days before the changes take effect
We encourage you to review this policy periodically. Your continued use of our website and services after a revised policy takes effect constitutes your acknowledgement of the updated terms.
15. Data Protection Contact
If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how we handle your personal data, please contact us:
Data Protection Lead
International Vital Code Association (IVCA)
Email: privacy@ivca.ie
Address: [Registered address], Ireland
We aim to respond to all data protection enquiries within five working days and to resolve any concerns as quickly as possible. If you are not satisfied with our response, you have the right to escalate your concern to the Data Protection Commission as described in Section 11 above.