Privacy Policy

Last updated: 18 May 2026

1. Introduction

RhinoCert is operated by RHINOCERT LTD, a company registered in England and Wales with company number 17150289 (VAT No. GB517421019), whose registered office is at S08 The Genesis Centre, Innovation Way, Stoke-on-Trent, ST6 4BF ("we", "our", or "us"). RHINOCERT LTD is the data controller for the personal information described in this Privacy Policy and is registered with the UK Information Commissioner's Office under reference ZC144494.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our electrical certification platform and related services (the "Service").

Please read this Privacy Policy carefully. If you do not agree with the terms of this Privacy Policy, please do not access the Service.

2. Information We Collect

2.1 Personal Information

We collect personal information that you voluntarily provide when you:

  • Register for an account
  • Create electrical certificates
  • Contact us for support
  • Subscribe to our services

This information may include:

  • Name and contact information (email, phone, address)
  • Company information and business details
  • Professional qualifications and certifications
  • Payment information (processed securely through Stripe)
  • Certificate data and client information

2.2 Technical Information

We automatically collect certain technical information when you use our Service:

  • Device information (type, operating system, browser)
  • IP address and location data
  • Usage data and analytics
  • Log files and error reports

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain our Service
  • Process your transactions and manage your account
  • Generate and store your electrical certificates
  • Communicate with you about your account and our services
  • Provide customer support and technical assistance
  • Improve our Service and develop new features
  • Train and improve our AI features (including AI Circuit Detection) using photographs you upload (such as consumer unit images)
  • Ensure security and prevent fraud
  • Comply with legal obligations

3.1 Certificate Pre-population

To streamline your workflow and reduce data entry, information you provide during account registration (such as your name, company details, business address, and professional qualifications) is automatically used to pre-populate relevant fields in your electrical certificates. This includes:

  • Your name and professional details in certificate signature sections
  • Company name, address, and contact information in certificate headers
  • Business registration and scheme membership details where applicable
  • Professional qualifications and certification numbers

Some pre-populated fields (such as your name and company address) are locked to ensure consistency and prevent errors, while other fields can be modified as needed for each specific certificate. This feature is designed to save time while maintaining accuracy and professional standards.

4. Legal Basis for Processing

Under the UK GDPR, we process your personal information on the following legal bases:

Processing Activity | Legal Basis
Account registration and management | Contract performance (Art 6(1)(b))
Certificate generation and storage | Contract performance (Art 6(1)(b))
Payment processing and invoicing | Contract performance (Art 6(1)(b))
Financial record retention (6 years) | Legal obligation (Art 6(1)(c)) — UK tax law
Electrical certificate retention | Legal obligation (Art 6(1)(c)) — BS 7671
Fraud prevention (trial abuse) | Legitimate interest (Art 6(1)(f))
Security audit logs | Legitimate interest (Art 6(1)(f))
Service improvement and analytics | Legitimate interest (Art 6(1)(f))
Transactional emails (verification, receipts) | Contract performance (Art 6(1)(b))

5. Information Sharing and Disclosure

We do not sell, trade, or rent your personal information to third parties. We may share your information in the following circumstances:

5.1 Service Providers

We share information with the following trusted third-party service providers who assist us in operating our Service:

  • Google Cloud Platform / Firebase — hosting, database, authentication, file storage
  • Google reCAPTCHA Enterprise — bot detection and abuse protection (see Section 9.1)
  • Firebase Analytics (Google) — collects default app-lifecycle events (such as first launch, session start, screen views, and app removal) linked to your Firebase Auth user ID, used solely to understand how the app is used and improve the product. We do not log custom analytics events and we do not use this data for cross-app tracking or advertising.
  • Stripe — payment processing and subscription management
  • Apple Pay (Apple Inc.) — wallet-based payment method available to users on Safari / iOS / iPadOS. Tokenises your payment card via Apple's Wallet and returns a one-time token to our payment processor (Stripe). Apple may process device and transaction context as an independent data controller.
  • Google Pay (Google LLC) — wallet-based payment method available to users with a payment card saved in their Google account. Tokenises your payment card via Google's wallet and returns a one-time token to our payment processor (Stripe). Google may process device and transaction context as an independent data controller.
  • Resend — transactional email delivery
  • Vercel — web application hosting
  • OpenStreetMap Foundation (Nominatim) — reverse-geocoding used to convert your device's GPS coordinates into a postal address when you tap “Use current location” on a certificate. Only latitude and longitude are sent; no account identifier or other personal data is included.
  • HaveIBeenPwned (Pwned Passwords API) — checks whether a password you choose has appeared in known data breaches, using k-anonymity. Only the first five characters of a one-way SHA-1 hash of your password are sent; your password itself is never transmitted.

5.2 Legal Requirements

We may disclose your information if required by law or in response to valid legal requests from public authorities.

5.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.

6. Data Security

We implement appropriate technical and organizational security measures to protect your personal information:

  • Encryption of data in transit and at rest
  • Secure authentication and access controls
  • Regular security assessments and updates
  • Secure cloud infrastructure (Firebase/Google Cloud)
  • PCI DSS compliant payment processing

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

7. Data Retention

We retain your personal information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce agreements.

7.1 When You Delete Your Account

You can delete your account at any time from within the app (Settings → Delete your account) or from the web portal (Account → Delete your account). When you delete your account, we immediately and permanently delete:

  • Your user profile and login credentials
  • Your company memberships
  • Any companies where you are the sole owner, along with all company data (certificates, team data, invitations, logos, and stored files)

7.2 Data Retained After Account Deletion

The following data is retained after account deletion for the reasons stated:

  • Financial records (tax compliance): Billing history, invoices, and payment records are retained for 6 years by our payment processor Stripe, as required by UK tax law (HMRC). RhinoCert does not store payment card details directly. Legal basis: legal obligation (Article 6(1)(c) UK GDPR).
  • Security audit logs: Records of account actions (e.g. "account deleted") are retained for security and compliance purposes. These contain only a user identifier, the action performed, and a timestamp. Legal basis: legitimate interest in security (Article 6(1)(f) UK GDPR).
  • Certificates belonging to other companies: If you created certificates as a team member of another company, those certificates remain with the company. Electrical certificates are legal compliance documents under BS 7671 and the company is the data controller for them — see Section 7.3 below.

7.3 Electrical Certificate Data

Electrical certificates created through RhinoCert contain information about electrical installations and the professionals who inspected or installed them. This data has a specific regulatory context:

  • The company account holder (the electrical business) is the data controller for certificate data and any client information within certificates.
  • RhinoCert is the data processor — we store and process certificate data on behalf of the company account holder.
  • Electrical certificates must be retained in accordance with BS 7671 (IET Wiring Regulations) and relevant building regulations. They are legal compliance documents, not personal data belonging to the individual who created them.
  • If a homeowner or client wishes to request deletion of their data from a certificate, they should contact the electrical company that issued the certificate (the data controller), not RhinoCert.

8. Your Rights and Choices

Under the UK GDPR, you have the following rights regarding your personal information:

  • Access: Request access to your personal information
  • Correction: Request correction of inaccurate information
  • Deletion: Request deletion of your personal information (see Section 7.1 for what is deleted and Section 7.2 for what is retained and why)
  • Portability: Request a copy of your data in a portable format
  • Restriction: Request restriction of processing
  • Objection: Object to processing based on legitimate interest

8.1 How to Delete Your Account

You can delete your account directly without contacting us:

  • In the mobile app: Go to Settings, then tap "Delete your account" at the bottom of the page
  • On the web portal: Go to Account, then click "Delete your account" at the bottom of the page
  • By email: Contact support@rhinocert.com and we will process your request within 30 days

Account deletion is immediate when done through the app or web portal. You will receive a confirmation email after your account has been deleted. If you are the owner of a company with other team members, you will need to transfer ownership or close the company before deleting your account.

8.2 Complaints

If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint. RHINOCERT LTD's ICO registration reference is ZC144494.

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience:

  • Essential cookies: Required for the Service to function
  • Analytics cookies: Help us understand how you use our Service
  • Preference cookies: Remember your settings and preferences

You can control cookies through your browser settings, but disabling certain cookies may affect Service functionality.

9.1 Bot Protection (Google reCAPTCHA Enterprise)

Our website and mobile applications use Google reCAPTCHA Enterprise to protect against automated abuse, credential stuffing, and other malicious activity. reCAPTCHA collects hardware and software information about your device (such as device and application data) and sends it to Google for analysis. This information is used to provide, maintain, and improve reCAPTCHA, and for general security purposes — it is not used to target advertising.

Our Service is protected by Google reCAPTCHA Enterprise. Google's Privacy Policy and Terms of Service apply to its use.

10. International Data Transfers

Your information may be transferred to and processed in countries outside the United Kingdom, including the United States and the European Economic Area. Our service providers (Google Cloud Platform, Stripe, Vercel, and — when you use a digital wallet to pay — Apple Inc. for Apple Pay or Google LLC for Google Pay) process data internationally under appropriate safeguards, including Standard Contractual Clauses and applicable data transfer frameworks. We ensure these transfers comply with UK GDPR requirements for the protection of your personal data.

11. Children's Privacy

Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected such information, we will take steps to delete it.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the updated policy on our website
  • Sending you an email notification
  • Providing notice through our Service

13. Contact Us

If you have any questions about this Privacy Policy or our privacy practices, please contact the data controller:

RHINOCERT LTD
Company No. 17150289 (registered in England and Wales)
VAT No. GB517421019
Registered office: S08 The Genesis Centre, Innovation Way, Stoke-on-Trent, ST6 4BF
Email: support@rhinocert.com
Website: https://rhinocert.com