Effective Date: March 1, 2024
Legal Entity: AEC International LLC, 1500 Market Street, Suite 1200, Philadelphia, PA 19102, United States
Contact: [email protected] | +1 (215) 297-6625

AEC International ("AEC," "we," "us," or "our") is committed to protecting your privacy and ensuring transparency about how we handle personal data. This Privacy Policy explains how we collect, use, share, and protect information when you visit our website, use our services, or interact with us.

1. Information We Collect and Why

1.1 Website and Support

Data we collect:

  • IP address, device and operating system information
  • Pages viewed, referrer URL, time spent on site
  • Error logs and technical diagnostics
  • Contact form submissions and quote requests

Sources:

Cookies, web beacons, server logs, contact and quote forms.

Purpose:

Site operation, security monitoring, analytics, responding to inquiries and quote requests.

Lawful basis (GDPR):

  • Legitimate interests — security monitoring and analytics
  • Consent — non-essential cookies
  • Contract — pre-contract steps when you request quotes or information

1.2 Client Certification Services

Data we collect:

  • Organization contact details (name, work email, phone)
  • Job role and responsibilities
  • Digital signatures and authorization approvals
  • Audit evidence and documentation that may contain limited personal data

Purpose:

Provide ISO consulting, implementation, and certification support; manage projects; issue certificates; billing and invoicing.

Lawful basis:

  • Contract — delivering agreed services
  • Legal obligation — record-keeping requirements where applicable
  • Legitimate interests — quality assurance and service improvement

1.3 Training Programs

Data we collect:

  • Trainee name, work email, employer organization
  • Course attendance records and participation
  • Assessment scores and learning progress
  • Digital certificates and professional badge IDs

Purpose:

Deliver training courses, verify attendance, issue certificates, maintain competence records for credential verification.

Lawful basis:

  • Contract — providing training services
  • Legitimate interests — credential verification and professional development tracking
  • Consent — optional marketing communications

1.4 Marketing Communications

Data we collect:

  • Name, email address, company, industry sector
  • Marketing preferences and communication history
  • Campaign engagement and UTM tracking data

Purpose:

Send newsletters, product updates, event invitations, and relevant ISO industry information.

Lawful basis:

  • Consent — explicit opt-in for marketing communications
  • Soft opt-in — where permitted for existing clients
  • You can opt out at any time using unsubscribe links

2. Cookies and Tracking Technologies

We use different types of cookies and tracking technologies:

Cookie Categories:

  • Strictly Necessary: Authentication, load balancing, security protection
  • Analytics: Page performance and usage statistics (requires consent where applicable)
  • Marketing: Remarketing pixels and email tracking (requires consent)

Your choices: Manage cookie preferences using our Cookie Settings link or through your browser settings. We honor Do Not Track signals and Global Privacy Control (GPC) signals.

3. How We Use Your Data

We use personal data to:

  • Operate and secure our services and website
  • Deliver ISO certification projects and audit services
  • Issue certificates and maintain training records
  • Provide customer support and technical assistance
  • Comply with legal and regulatory obligations
  • Improve our services and develop new offerings
  • Send marketing communications (with consent)

4. Sharing and Disclosure

We share personal data only as necessary for business operations:

Service Providers (Data Processors)

  • Cloud hosting and infrastructure services
  • Customer relationship management (CRM) systems
  • Helpdesk and customer support platforms
  • Email delivery and SMS communication services
  • Payment processing and billing systems
  • Website analytics and performance monitoring
  • Learning management and proctoring platforms

Professional Services

  • External auditors and quality assessors
  • Legal counsel and compliance advisors
  • Accounting and financial services

Certification Bodies

When you request us to coordinate with accredited certification bodies for final certificate issuance.

Legal Requirements

To comply with lawful requests from authorities or to protect our rights and interests.

Important: We do not sell personal data to third parties.

Sub-processors

Our current sub-processors include:

  • Cloud Hosting: Amazon Web Services (AWS) — US East region
  • CRM: HubSpot — US data centers
  • Email: SendGrid — global infrastructure
  • Analytics: Google Analytics 4 with IP anonymization
  • Payments: Stripe — US and EU processing
  • Learning Management: Moodle — self-hosted on AWS

We maintain an up-to-date list at: /legal/subprocessors

5. International Data Transfers

Data may be processed in the United States, European Union, and other countries where we operate offices. Where required, we use EU Standard Contractual Clauses (SCCs) and additional safeguards for international transfers.

  • Primary hosting regions: US East (Virginia), EU West (Ireland)
  • Primary storage location: United States with EU backup replication
  • Transfer mechanisms: Standard Contractual Clauses, Adequacy Decisions

6. Security Measures

We implement comprehensive technical and organizational security measures:

  • Access Control: Role-based permissions and multi-factor authentication
  • Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Network Security: Network segmentation and firewall protection
  • Monitoring: 24/7 security monitoring and incident response
  • Backup & Recovery: Regular encrypted backups with tested recovery procedures
  • Staff Training: Regular security awareness and privacy training
  • Vendor Management: Security assessments of all service providers

Certifications: We implement ISO/IEC 27001 controls and maintain SOC 2 Type II compliance.

7. Data Retention

We retain personal data only as long as necessary for legitimate business purposes, then securely delete or anonymize it.

Data Category | Typical Retention | Rationale
Website logs | 90 days | Security monitoring and troubleshooting
CRM leads and prospects | 24 months from last activity | Sales cycle management
Client project records | 7 years post-engagement | Contract defense and legal requirements
Audit evidence (containing personal data) | 24 months post-engagement | Certification history and quality assurance
Training records & certificates | Minimum 7 years | Professional credential verification
Invoices and payment records | 7 years | Tax and accounting compliance

8. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request copies of your personal data
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Request deletion of your personal data
  • Restriction: Request limitation on how we process your data
  • Portability: Request transfer of your data to another organization
  • Object: Object to processing based on legitimate interests
  • Withdraw Consent: Withdraw consent for marketing or non-essential cookies

Exercise Your Rights: Email us at [email protected] or use our Privacy Request Form.

EU/EEA Residents: You have the right to lodge a complaint with your local data protection authority.

9. California Privacy Rights (CCPA/CPRA)

California residents have additional privacy rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

Categories of Personal Information We Collect:

  • Identifiers: Name, email, phone, IP address
  • Commercial Information: Purchase history, preferences
  • Internet Activity: Website usage, search history
  • Professional Information: Job title, employer, certifications

Sale or Sharing for Cross-Context Advertising:

We do not sell or share personal information for cross-context behavioral advertising.

Your California Rights:

  • Know: What personal information we collect and how it's used
  • Delete: Request deletion of your personal information
  • Correct: Request correction of inaccurate information
  • Opt-out: Opt-out of sale or sharing (if applicable)
  • Limit: Limit use of sensitive personal information

Submit requests at /privacy-request or email [email protected]. We will not discriminate against you for exercising your privacy rights.

10. Children's Privacy

Our services are not directed to children under 16 years of age. We do not knowingly collect personal information from children. If we learn we have collected information from a child, we will delete it promptly.

11. Third-Party Links

Our website may contain links to third-party websites. We are not responsible for the privacy practices of these external sites. Please review their privacy policies before providing any personal information.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes, we will:

  • Update the "Effective Date" at the top of this policy
  • Notify you of material changes via email or website banner
  • Provide advance notice for significant changes that affect your rights

13. Contact Information

Data Controller: AEC International LLC

Privacy Contact: [email protected]

Postal Address: 1500 Market Street, Suite 1200, Philadelphia, PA 19102, United States

Phone: +1 (215) 297-6625

EU Representative: Not applicable (no EU establishment)

Data Protection Officer: Not appointed (not required for our processing activities)

Last Updated: March 1, 2024

Next Review: March 1, 2025