Data Privacy & Security
Effective date: August 22, 2025
Certified Microplastic-Free™ respects your privacy and protects client information. This policy explains what we collect, how we use it, how long we keep it, and how we secure it.
Scope
This policy covers information shared with Certified Microplastic-Free™ during the certification process, use of our website at microfree.org, and related email communications.
Information We Collect
- Application data such as company name, contact information, product details, and responses to our forms.
- Supporting documentation that you choose to provide for review, for example supplier statements or material specifications.
- Payment information is handled by our payment processor. We receive payment confirmations, not full card details.
- Website analytics such as page views and referrers. We use Google Analytics to understand aggregate usage only.
Information We Do Not Collect
- We do not collect consumer-level personal data about your customers.
- We do not store full payment card data.
- We do not sell client information.
How We Use Information
- Evaluate products against our certification criteria and make approval decisions.
- Communicate about application status, renewals, and compliance.
- Maintain records of certified products and license terms.
- Improve our services and site based on aggregate analytics.
Data Retention
- Application records and final decisions are retained for business records and renewal tracking.
- Supporting documentation is deleted after the review is complete, unless a compliance reason requires limited retention or you ask us to keep it for audit readiness.
- Clients may request deletion of nonessential files after certification is complete. We will confirm what can be deleted while preserving required records.
Our goal is minimal retention. We keep only what we need to operate the certification and meet legal requirements.
Storage and Security
- Files are stored in encrypted systems, including Google Drive and SFTP, with access restricted to the certification team.
- Access follows least-privilege principles and is reviewed on a regular schedule.
- All team accounts use multi-factor authentication.
- Data is encrypted in transit using TLS.
- We maintain internal procedures for account provisioning, data handling, and secure deletion.
Sharing and Disclosure
- We do not sell or rent your information.
- We share information only with service providers that help us operate the certification, such as hosting and payment vendors.
- We may disclose information if required by law or to protect our rights.
Vendors and Subprocessors
Core vendors include:
- Google for email, file storage, and website analytics.
- Stripe for payment processing.
- Hosting and CDN providers for serving the website and static assets.
We review vendors for security and privacy commitments and restrict access to the minimum required scope.
Your Choices and Rights
- Request a copy of your application information.
- Request correction of inaccurate data.
- Request deletion of nonessential files after certification is complete.
Contact us at info@microfree.org to make a request. We will respond within a reasonable timeframe.
Children's Privacy
Our site and services are intended for business users. We do not knowingly collect information from children under 13.
Updates to This Policy
We may update this policy to reflect changes to our practices. If changes are material, we will post a notice on the site or notify active clients.
Contact
Questions about this policy or our data practices can be sent to info@microfree.org.
Cookies and Tracking
We use Google Analytics to understand aggregate website usage. Google Analytics may set cookies and collect pseudonymous information about your device and pages visited. You can opt out by adjusting your browser settings to block analytics cookies or by using the Google Analytics Opt-out Browser Add-on.
Data Breach Response
If we become aware of a security incident that affects your information, we will investigate promptly, take appropriate steps to mitigate harm, and notify impacted clients as required by applicable law.
Jurisdiction and Compliance
This policy is governed by the laws of the State of Illinois and United States law. While our services are primarily for U.S. businesses, we aim to operate in line with internationally recognized privacy principles (such as GDPR/CCPA) regarding transparency, purpose limitation, and data minimization.
Responsible Use of AI
Certified Microplastic-Free™ does not use artificial intelligence or automated decision-making tools to review or approve client documentation. All application reviews are conducted by qualified human reviewers.
We never use AI tools to analyze, store, or process confidential client materials. Your documentation is reviewed by people — not algorithms — to ensure accuracy, fairness, and confidentiality.
If our use of AI changes in the future, we will update this policy and provide full transparency.