Legal — Irish Asbestos Awareness

Privacy Policy

How Irish Asbestos Awareness collects, uses, stores and protects your personal data when you visit our website, register for an account, or take one of our online Asbestos Awareness Course programmes. Written in plain English, fully compliant with the General Data Protection Regulation (GDPR) and the Irish Data Protection Act 2018.

1) Introduction

Effective date: 27 April 2026 · Last updated: 27 April 2026

At Irish Asbestos Awareness, we take your privacy seriously. This Privacy Policy explains what personal data we collect when you visit https://irish-asbestos.ie, how we use it, who we share it with, how long we keep it, and the rights you have over your own information.

We act as the data controller for all personal data collected through this website and our Asbestos Awareness Course platform. Everything we do with your data is governed by the General Data Protection Regulation (EU) 2016/679 (GDPR), the Irish Data Protection Act 2018, and the ePrivacy Regulations 2011.

If anything in this policy is unclear, or if you want to exercise any of your data rights, contact us at [email protected] and we will respond within 30 days.

2) Data Controller

The data controller for your personal data is:

  • Legal company name: [COMPANY_LEGAL_NAME]
  • Trading as: Irish Asbestos Awareness
  • CRO Registration Number: 765014
  • VAT Number: [VAT_NUMBER]
  • Registered office: [REGISTERED_ADDRESS]
  • Country of incorporation: Republic of Ireland
  • Website: https://irish-asbestos.ie
  • General contact: [email protected]
  • Privacy contact (GDPR / SAR): [email protected]

Items in [BRACKETS] will be completed once the relevant registration documents are verified with the Irish Companies Registration Office and the Office of the Revenue Commissioners.

3) Data We Collect

We only collect the personal data we need to deliver the Asbestos Awareness Course, issue your Asbestos Awareness Certificate, meet our legal obligations, and keep the platform secure. The main categories are:

a) Account data

When you register, we collect your name, email address, a hashed password (never stored in plain text), and optionally your phone number. If an employer registers you as part of a team, we also record the name of the employer who assigned the course.

b) Course progress data

While you take the course we record which modules you have viewed, the time you spent on each stage, your assessment answers and results, the number of attempts you make, and the date we issue your Asbestos Awareness Certificate.

c) Payment data

Payments are processed by Stripe Payments Europe Limited. We do not store your card number, CVV or expiry date on our servers. We only receive and retain a Stripe transaction reference, the last four digits of the card, the amount paid, the date of purchase, and the billing address you provided at checkout.

d) Email delivery records

Emails we send (welcome, course credentials, certificates, password resets, receipts) are delivered via Resend. Resend keeps delivery logs (sent, delivered, opened, bounced) so we can investigate undelivered emails. These logs contain your email address and timestamps.

e) Cookies and similar technologies

We use a small number of strictly necessary cookies for the website to function. A full list of cookies and their purpose is in our Cookie Policy. In summary:

  • Session cookie - keeps you logged in while you take the course.
  • XSRF-TOKEN - prevents cross-site request forgery on forms.
  • Stripe payment cookies - only set during checkout to process your payment securely.
  • Google reCAPTCHA cookies - set by Google on the registration and feedback forms to prevent automated abuse.
  • Cloudflare security cookies - distinguish real visitors from bots and protect the site against attacks.
  • Consent cookie - records your choice in our cookie banner so we do not ask you again.

We do not currently run Google Analytics, Facebook Pixel, or any advertising cookies. Our cookie banner already has Analytics and Marketing categories reserved in case we add optional analytics in future; until then, both categories stay off by default and no cookies in those categories are set.

f) Server logs and security data

Our server and our security middleware record routine technical details for each visit: the IP address, the user agent (browser and operating system), the URL visited, the HTTP status code, the timestamp, and flags for any security events detected (blocked bot, rate-limit trigger, suspicious request pattern). These logs are retained for 90 days.

g) Video player data (Vimeo)

The course video lessons are embedded from Vimeo. When you view a video, Vimeo sets its own cookies on your browser and receives your IP address and user-agent information. Vimeo processes this data as an independent controller under its own privacy policy.

h) Font delivery (Google Fonts)

Our fonts are loaded from fonts.googleapis.com and fonts.gstatic.com. Google receives your IP address and the URL of the page that requested the font. No cookies are set by Google Fonts. This is a minimal data transfer; we are evaluating self-hosting the fonts in a future release to eliminate it entirely.

4) Lawful Basis for Processing (GDPR Article 6)

Under GDPR we must have a lawful basis for every kind of personal-data processing we carry out. Ours are:

  • Contract performance (Article 6(1)(b)) - to deliver the Asbestos Awareness Course you purchased, mark your assessment, issue your certificate, provide access to your account dashboard and respond to support requests.
  • Legal obligation (Article 6(1)(c)) - to keep invoice and tax records for the minimum period Revenue.ie requires, to retain certificate issuance records for HSA audit purposes, and to comply with any lawful request from a regulator or court.
  • Consent (Article 6(1)(a)) - for any optional marketing email, newsletter or non-essential cookie. Consent is given explicitly through an opt-in tickbox or the cookie banner and can be withdrawn at any time without affecting other processing.
  • Legitimate interest (Article 6(1)(f)) - for site security (Cloudflare, reCAPTCHA, server logs), fraud prevention at checkout, basic service analytics used purely to keep the platform running, and transactional email delivery records. The legitimate interest has been balanced against the individual's rights and found proportionate.

Where we rely on legitimate interest, you have the right to object. Email [email protected] and we will review your request within 30 days.

5) Third-Party Data Processors

We use a small number of carefully selected data processors to run the service. Each one has signed a Data Processing Agreement with us and is bound by confidentiality and security obligations that match or exceed GDPR. The full list:

| Processor | What we use it for | Location | Their privacy policy |
|---|---|---|---|
| Stripe | Card and bank payment processing for course purchases | EU (Ireland) + USA | stripe.com/privacy |
| Resend | Transactional email delivery (welcome, certificates, password resets, receipts) | EU + USA (SCC-covered) | resend.com/legal/privacy-policy |
| Zoho Mail | Email infrastructure and inbox hosting | EU data centres (Amsterdam, Dublin) | zoho.com/privacy.html |
| Google reCAPTCHA | Anti-spam protection on registration and feedback forms | USA (Data Privacy Framework) | policies.google.com/privacy |
| Vimeo | Hosting and delivery of course video lessons | USA + EU | vimeo.com/privacy |
| YouTube (Google LLC) | A small number of supplementary video embeds, where used | USA (Data Privacy Framework) | policies.google.com/privacy |
| Google Fonts | Typography (Plus Jakarta Sans and related web fonts) | USA (Data Privacy Framework) | policies.google.com/privacy |
| Cloudflare | CDN, DDoS protection, security layer and basic performance analytics | Global edge network (EU-primary for Irish visitors) | cloudflare.com/privacypolicy |
| Ireland Safety Training (ireland-safetytraining.com) | Parent training platform and payment checkout for some purchase flows | Ireland | ireland-safetytraining.com/privacy-policy |

We do not sell, rent or otherwise share your data with any third party outside the processors listed above. We will only share data with law-enforcement or regulatory bodies when compelled by a valid legal order.

6) Data Retention

We hold each category of data only as long as we actually need it. Our standard retention schedule:

  • Account data (name, email, hashed password, phone) - until you request deletion, or three years after your last login if the account becomes inactive.
  • Asbestos Awareness Certificate records - forty years. Under Regulation 18 of CAR 2006, exposure records (including training evidence) must be retained for 40 years after the end of the period of exposure. The Health and Safety Authority (HSA) and insurers may request proof of training at any time during that period.
  • Payment and invoice records - six years (minimum Revenue.ie retention requirement under Irish tax law).
  • Server logs and security logs - 90 days on rolling deletion.
  • Email delivery logs - retained by Resend per their service terms (typically 30-90 days for delivery, longer for bounces).
  • Cookies - each cookie has its own expiry, listed in the Cookie Policy.
  • Marketing consent (if given) - until you withdraw it or two years have passed since you last engaged with an email.

After the retention period ends, data is either deleted or anonymised so it can no longer be linked back to you.

7) International Data Transfers

Some of our processors (Stripe, Resend, Google reCAPTCHA, Vimeo, YouTube, Google Fonts, Cloudflare) are incorporated in the United States or operate global infrastructure. When your data is transferred outside the European Economic Area (EEA), we rely on one of the following safeguards required by GDPR Articles 44-50:

  • EU-US Data Privacy Framework (DPF) - where the processor is self-certified under the DPF.
  • Standard Contractual Clauses (SCCs) - the European Commission's approved contract terms that bind the receiving party to GDPR-level protection.
  • Additional technical measures - encryption in transit (TLS 1.2+) and at rest, access logging, and regular security audits on our side.

You can request copies of the SCCs or DPF self-certifications from [email protected].

8) Your Rights Under GDPR

As a data subject in the EU, you have the following rights over your personal data:

  • Right of access (Article 15) - ask for a copy of the personal data we hold about you.
  • Right to rectification (Article 16) - ask us to correct inaccurate or out-of-date data.
  • Right to erasure / "right to be forgotten" (Article 17) - ask us to delete your data, subject to our legal retention duties (certificates, tax records).
  • Right to restriction of processing (Article 18) - ask us to pause processing while we check an accuracy or objection claim.
  • Right to data portability (Article 20) - ask for a machine-readable export of the data you gave us.
  • Right to object (Article 21) - object to any processing based on our legitimate interest.
  • Rights regarding automated decisions (Article 22) - we do not carry out any automated decision-making that has legal or similarly significant effects on you.
  • Right to withdraw consent - where we rely on consent (for example, marketing emails), you can withdraw it at any time without affecting processing carried out before the withdrawal.

To exercise any of these rights, email [email protected]. We will respond within 30 days of receiving a valid request (or tell you if the request is complex and needs a short extension, up to 60 extra days, which is the maximum allowed under GDPR).

If you are not satisfied with how we have handled your data or your request, you have the right to lodge a complaint with the Irish supervisory authority:

  • Authority: Data Protection Commission (Ireland)
  • Website: dataprotection.ie
  • Phone: +353 (0)761 104 800
  • Address: 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland

9) Cookies

A separate Cookie Policy explains every cookie the site may set, in detail. In summary, our cookie banner offers three categories:

  • Necessary - always on. Required for login, checkout, anti-spam and site security. These cannot be disabled because the site would not function without them. Examples: session cookie, XSRF-TOKEN, Stripe payment cookies, reCAPTCHA, Cloudflare security.
  • Analytics - reserved, currently off. No analytics cookies are set at the time of this policy update. If we add analytics in future (for example, privacy-respecting page-view statistics), they will only load if you opt in through the banner.
  • Marketing - reserved, currently off. No marketing or advertising cookies are set at the time of this policy update. Reserved for future opt-in choice.

You can change your cookie choice at any time by clicking the "Cookie settings" link in the footer of every page, or by clearing your browser's cookies and reloading the site.

10) Security

We use multiple layers of technical and organisational measures to keep your data safe:

  • TLS 1.2+ encryption in transit on every page (HTTPS by default, HSTS enabled).
  • Passwords hashed with bcrypt - we never store, log or transmit plain-text passwords.
  • Cloudflare WAF (Web Application Firewall) filters known attack patterns before traffic reaches our servers.
  • Rate limiting and reCAPTCHA on login, registration and feedback forms to block automated abuse.
  • Role-based access control - only authorised staff can access account data, and only to the minimum extent needed to do their job.
  • Regular security updates on all server software and third-party dependencies.
  • Backup and disaster recovery procedures with encrypted off-site backups.

No online service can guarantee absolute security. If we ever suffer a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the Irish Data Protection Commission within 72 hours as required by GDPR Article 33, and we will inform affected users without undue delay where the risk is high.

11) Children's Privacy

The Asbestos Awareness Course is a professional workplace-safety qualification built for adults at work. It is not intended for anyone under the age of 16, and we do not knowingly collect personal data from children.

If you are a parent or guardian and you believe a child under 16 has given us personal data, please email [email protected] and we will delete the data without delay.

12) Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our services, our processors, or Irish and EU data-protection law. When we make changes, we update the Last updated date at the top of the page.

If we make a material change (for example, adding a new processor that handles personal data in a new way), we will either email account holders or display a prominent notice on the site before the change takes effect. We will never reduce the rights you already have without asking you first.

13) How to Contact Us

For any question or request about this policy or your personal data:

If you prefer to contact the Irish supervisory authority directly, their details are in section 8 above.