Privacy Policy
Last updated: February 2026
Introduction:
At INFC.global (International Network of Fitness Certifications for Exercise Professionals), we are committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard personal information when you visit our website (https://infc.global and its subpages, including the shop at infc.global/shop) or otherwise interact with us (e.g., by purchasing our NASM digital certification programs, subscribing to our newsletter, or contacting us). It also outlines your rights under the EU General Data Protection Regulation (GDPR) and applicable Greek data protection law.
Data Controller: For the purposes of EU data protection law, the “data controller” of your personal information is International Network of Fitness Certifications (INFC), located at Agiou Konstantinou 7, 15124 Marousi, Athens, Greece. You can contact us with privacy-related inquiries at contact@infc.global or by phone at +30 694 300 5310.
INFC processes personal data in accordance with the GDPR and relevant national laws. We adhere to key principles such as lawfulness, transparency, data minimization, and purpose limitation. We only collect personal data that is adequate, relevant, and limited to what is necessary for the purposes described in this policy, and we do not use it in ways incompatible with those purposes.
By using our Site or services, you acknowledge that you have read and understood this Privacy Policy. If we need to rely on consent for certain processing, we will explicitly seek your consent.
1. Information We Collect
We may collect and process the following categories of personal data about you:
- Identity and Contact Data: When you purchase a course or create an account, we collect information such as your full name, email address, phone number, billing address, and (if applicable) your shipping address or company name/VAT number (for invoicing). For example, during checkout you will provide your name and email, which we use to deliver your course access and receipt.
- Account Data: If you register an account on our Site, we will collect your login credentials (username and password, which are stored in encrypted form) and any profile information you choose to provide in your account (such as a profile photo or bio, if those features exist).
- Transaction Data: Records of products/services you have purchased from us, such as the type of certification program, date and time of purchase, order number, and payment amount. We also maintain invoice records that include your purchase details and amount paid for accounting purposes.
- Payment Information: We do not collect or store your full credit/debit card details on our servers. Payments made on our Site are handled by third-party processors (e.g., Stripe, Revolut, Klarna, or bank institutions). These providers process your payment information securely on our behalf. We may receive limited payment data such as a payment confirmation, your payment method (e.g., last four digits of card, card type or a transaction ID), and the status of the payment (success/failure). For bank transfers, we will see the sender’s name and account details as provided by the banking system. We use this information to confirm and record that your payment was completed.
- Course Enrollment Data: After your purchase, we enroll you in the NASM/AFAA online platform. In doing so, we may collect or generate data such as your NASM Student ID, course activation code, and enrollment date. We may also later receive limited information from NASM about your course progress or completion (for example, whether you have passed the exam) to support you and for our internal records. Any such data shared with us by NASM will be treated confidentially and used only for legitimate purposes (like verifying certification status or providing customer support).
- Communications: If you contact us via email, contact form, phone, or chat, we will collect the information you provide in your inquiry. This may include your contact details (email, phone) and the content of your communications. We keep these communications to respond to you and for our records. For example, if you email us a support question about accessing your course, we’ll store that email and our response.
- Newsletter/Marketing Data: If you opt in to receive our newsletter or marketing emails, we will collect your name and email address for that purpose. We may also note your preferences (e.g., which certifications you’re interested in) if you provide that information, to send you more relevant content. We use a third-party email marketing service (currently planned: Moosend – an email marketing tool) to manage our subscriber list; that service will store your email and name on our behalf for sending newsletters. Every marketing email will include an unsubscribe link so you can opt out at any time.
- Technical and Usage Data: Like most websites, we automatically collect certain technical information when you visit our Site:
  - Device and Browser Info: This includes your IP address, browser type and version, device type, operating system, language preferences, and geographic region (at a general level, e.g., country or city, derived from the IP).
  - Log Data: Our servers log information about your activity on the Site, such as the pages you viewed, the time and date of your visit, time spent on pages, clickstream data (which links or buttons you click), and referring/exit pages.
  - Cookies and Similar Technologies: We use cookies and similar tracking technologies to enable site functionality and analyze usage. Cookies are small text files stored on your browser. For example, we might use a session cookie to keep you logged in as you navigate the shop, or analytics cookies (from tools like Google Analytics, if used) to gather aggregate stats about site visits. Our Cookie Policy (if provided separately) gives more detail on what cookies we use. Where required by law, we will obtain your consent for non-essential cookies (e.g., via a cookie banner). You can manage cookie preferences through your browser settings. (Note: disabling certain cookies may affect site performance or login sessions.)
- Special Category Data: We do not intentionally collect any sensitive personal data (such as health information, racial or ethnic origin, political opinions, etc.) through our Site. Please refrain from providing such information in any forms or communications. The only health-related information we might indirectly be aware of is if you mention something in a communication (for example, if you tell us you have a medical condition as a reason for needing to pause your studies). We will treat any such disclosures with confidentiality and only process them with your consent or if necessary to assist you.
Children’s Data: Our services are not directed to children under the age of 16 (and we require users to be 18 or older for our certification programs). We do not knowingly collect personal data from anyone under 16. If you are under 16, please do not provide any personal information to us. If we learn that we have inadvertently collected personal data from a child under 16, we will promptly delete it. If you are a parent or guardian and believe we have information about a minor, please contact us so we can remove it.
2. How We Use Your Information (Purposes and Legal Bases)
We use personal data for the following purposes, and rely on the corresponding legal bases under GDPR:
- To Fulfill Orders and Provide Services: When you purchase a course or register on our Site, we use your identity, contact, and transaction data to process the transaction, enroll you in the course, provide you with access details, and maintain our contract with you. This is necessary for the performance of a contract with you (GDPR Article 6(1)(b)). For example, we use your email to send you confirmation and course access instructions, and your name to register you with NASM’s system. We also use your data to provide any customer support you request regarding the course (answering questions, troubleshooting access issues, etc.), which is part of our service to you.
- Invoicing and Compliance: We process and retain certain data for legal obligations (GDPR Article 6(1)(c)). For instance, Greek and EU tax laws require us to issue invoices and maintain transaction records for a certain period. We will use your provided details to issue an invoice/receipt for each purchase and keep those records as required by tax law (e.g., records may be kept for at least 6 years for tax purposes in Greece). If you are an EU customer, consumer protection laws may also require that we document and honor your withdrawal/cancellation requests; we will keep records of any such communications to comply with legal duties.
- Course Administration: We may receive information on your course progress or completion from NASM (such as whether you passed the exam, or your scores). We use this data to update our records and to provide you with support or recognition. The legal basis for this could be performance of contract (ensuring you get the outcome you paid for) and our legitimate interests (GDPR Article 6(1)(f)) in tracking the success of our students and improving our offerings. For example, if we see that many students struggle with a particular module, we might provide additional guidance. Any detailed academic data from NASM’s platform is primarily managed by NASM as a controller; our use on our side is minimal.
- Communication and Customer Support: If you contact us with questions, requests, or feedback, we will use your contact info and any info you provided to respond. Our communication with you may include necessary service messages (e.g., password resets, important course updates, changes to terms or policies). The legal basis for responding to you is typically performance of contract or steps prior to entering a contract (if it’s about a purchase or question you have) or our legitimate interest in providing good customer service and maintaining correspondence (especially for general inquiries).
- Marketing and Newsletters: With your consent (GDPR Article 6(1)(a)), we will use your name and email to send you our newsletter and promotional materials about INFC’s offerings, such as new courses, special offers, or events. If you are an existing customer, we may also rely on our legitimate interest (GDPR Article 6(1)(f)) to send you information about similar products or services that you might be interested in, but only as permitted by e-privacy laws (for instance, in some jurisdictions, we can send emails to our customers about related products unless they opt-out – this is sometimes called a “soft opt-in”). You will always have the opportunity to opt out of marketing messages. We include an unsubscribe link in each marketing email, or you can contact us at any time to be removed from marketing lists. We will not spam you or sell your data to advertisers. We may use third-party email services (like Moosend) to manage and send emails, but only for our communications to you.
- Website Functionality and Analytics: We use cookies and similar technologies to ensure our website operates smoothly (for instance, to keep you logged in or remember your cart). Deploying these necessary cookies is in our legitimate interest (ensuring a functional, user-friendly site) and in some cases may be necessary for performing our contract with you (if a cookie is needed for the checkout process, for example). For any non-essential cookies (like analytics or performance trackers), we will seek consent where required. We may use analytics data (which is typically aggregated and does not directly identify you) to understand how users engage with our Site, which pages are popular, what marketing channels are effective, etc. This helps us improve our site layout, content, and services – a legitimate interest of our business. We ensure that analytics providers (if used) either do not identify individual users or have measures to protect user data (for example, IP anonymization in Google Analytics). You can object to analytics by refusing those cookies or using browser opt-outs.
- Prevention of Fraud/Misuse: We may process personal data to protect our rights, prevent fraud, and ensure the security of our IT systems and users. For example, we might use IP address and login attempt information to detect possible malicious activity on accounts. We might also retain order data or communication data if needed to establish, exercise, or defend legal claims (e.g., if there’s a dispute with a customer about the terms of sale). These uses are under our legitimate interests in maintaining secure and lawful operations (GDPR Article 6(1)(f)) and, in some cases, to comply with legal obligations (like obligations to prevent money laundering or other crimes).
- Testimonials/Reviews: If you provide us with a testimonial or review and consent to us using it, we may publish it on our Site or marketing materials along with your name or initials. The legal basis is consent. If we want to use your story, we will obtain your permission. You can withdraw that consent later, and we will stop using your testimonial in new materials (though we may not be able to retract print materials already distributed).
- Other Purposes: If we intend to process personal data for any purpose not listed here, we will provide notice and, if required, obtain your consent. We will not use your personal data for any automated decision-making or profiling that produces legal effects or similarly significant effects on you, without your knowledge and consent.
We make sure that any legal basis we rely on is clearly applicable to the given purpose. Where our legal basis is legitimate interests, we have conducted a balancing test to ensure our interest is not overridden by your privacy rights.
3. Disclosure of Your Information (Third-Party Recipients)
We treat your personal data with care and confidentiality. We do not sell your personal information to third parties. However, we do share your data with certain categories of recipients when necessary, as outlined below:
- NASM/AFAA (Course Providers): Since the courses we sell are delivered by NASM/AFAA, we must share certain details with them to enroll you. We will provide NASM (and/or AFAA, if you enroll in an AFAA program) with your name, email address, country of residence, and the specific course purchased. This allows them to set up your user account on their online learning platform and grant you access to the materials. NASM/AFAA will process your data as independent data controllers for providing their training service. For example, NASM will likely send you a welcome email and have you agree to their own terms when you first log in. We have an authorized distributor relationship with NASM, and while we share data with them to serve you, they have committed to handling EU personal data in compliance with applicable data protection standards (see Section 4 on international transfers for more about data going to the U.S.). We may also receive limited performance data back from NASM about your progress (as mentioned earlier); this is a two-way data exchange purely to facilitate the service.
- Payment Processors: We use reputable third-party payment gateways (such as Stripe, Revolut, and Klarna) to handle financial transactions. When you enter payment details, you are typically interacting directly with these providers embedded in our checkout. They receive your card information or other payment data directly – it does not pass through our servers. These payment processors act as data controllers of your financial data for processing the payment, and their terms and privacy policies apply to that information. We share with them only the information necessary for the transaction: this includes the purchase amount, currency, and possibly your name and email to link the payment to your account/order. The payment provider will then inform us (via secure notification) of the payment status (success or failure) and some transaction identifiers. We require that all such providers are PCI-DSS compliant and GDPR-compliant. For instance, Stripe has an affiliated entity in the EU (Stripe Payments Europe) and adheres to GDPR in processing European transactions.
- Bank(s) for Transfers: If you pay via bank deposit or transfer, your bank and our bank will process certain personal data (your name, IBAN/account number, payment reference) in the course of the transaction. This is pursuant to normal banking operations and legal obligations. We will see the info included with the transfer (e.g., name of sender, any note you add) and we may retain that for our records.
- Email Service Provider (Moosend): If you subscribe to our newsletter or opt in to marketing emails, your name and email address will be stored in our third-party email marketing platform (currently planned to be Moosend – a GDPR-compliant email marketing service). This platform helps us design and send bulk emails efficiently and track engagement (like open rates or clicks) in aggregate. We have a data processing agreement in place with such providers as needed, meaning they can only use your data to provide services to us and not for their own purposes. You can unsubscribe at any time, and we will then remove your data from the active mailing list.
- Hosting and IT Service Providers: Our website is hosted on servers provided by third-party hosting companies (or cloud services). As a result, any data you provide through the Site (account info, form submissions) will reside on their servers. We use hosting providers that are reliable and compliant with EU data protection (our main servers are EU-based datacenters). These providers may technically have access to data for storage and backup, but they are not allowed to use it. We ensure there is a contract in place (with standard data protection clauses) with any hosting or IT maintenance providers. Similarly, if we use a CRM system or other software tools internally that store customer data (for managing orders, support tickets, etc.), those providers may process data on our behalf. We choose reputable providers with appropriate safeguards.
- Analytics and Advertising Partners: If we use analytics tools like Google Analytics, those tools will collect usage data via cookies or scripts. Google Analytics, for instance, might act as a data processor for us, but in practice it collects data directly from user browsers and stores it on Google’s servers. We configure such tools to anonymize data where possible (e.g., IP anonymization) and not to collect unnecessary data. We currently do not use any targeted advertising cookies or third-party ad networks that would get your data from our Site. If that changes, we will update our cookie and privacy disclosures and obtain necessary consent.
- Business Partners and Affiliates: We do not currently share personal data with any joint venture partners or affiliates, except NASM/AFAA as described. If in the future we collaborate with fitness organizations or educational partners (for example, offering a combined program), we would inform you and only share data with consent or as necessary for service. For instance, if an in-person workshop is delivered by a local partner, we might share a roster (name, contact) of participants with the instructor solely to conduct the class.
- Legal and Compliance Recipients: We may disclose your information when required to do so by law or lawful request by public authorities. For example, if the tax authority or another regulator in Greece requests certain transaction records or if we’re responding to a lawful subpoena or court order. We will only share what is necessary and will verify any request’s legitimacy. Also, if necessary, we might share data to enforce our Terms or protect our rights, property, or safety, or that of our customers or others. This could include sharing information with law enforcement or fraud prevention agencies regarding fraudulent transactions or security threats.
- Professional Advisors: We may share relevant parts of your information with our professional advisors (lawyers, accountants, auditors) on a need-to-know basis. For instance, our accountant will see invoice records which contain personal data (your name, possibly address on the invoice) when preparing financial statements or tax filings. Similarly, if we face a legal dispute with a user, our legal counsel would need to review the contract and communications with that user, which contain personal data. These advisors are bound by confidentiality obligations.
- Corporate Transactions: If INFC is involved in a merger, acquisition, sale of assets, or reorganization, your data may be transferred to the succeeding entity or prospective buyers, but always under appropriate confidentiality and only for the purposes of continuing the service or due diligence. We would inform you of any change in data controller if such a transaction and transfer takes place. Your data will remain subject to this Privacy Policy (unless you’re notified of changes) even after any transfer.
We strive to minimize the data shared and ensure that each third-party recipient has a valid need for access. Whenever personal data is shared with a data processor (third party processing data on our behalf), we make sure there is a data processing agreement in place to safeguard your information according to GDPR standards. When sharing with another data controller (like NASM or payment companies), we ensure the transfer is lawful and ideally within frameworks that protect your rights (see Section 4 on International Transfers).
If you have questions about specific third parties that might have your data, feel free to contact us. We can provide a current list of main subprocessors or partners upon request.
4. International Data Transfers
INFC is based in Greece (EU), and we primarily process your data within the European Union. However, some of the third parties we work with (notably NASM in the United States, and potentially some service providers) are located outside the European Economic Area (EEA). Whenever we transfer personal data out of the EEA, we will ensure that appropriate safeguards are in place to protect your data, as required by GDPR Chapter V.
Transfers to the United States (NASM): NASM (the National Academy of Sports Medicine) is headquartered in the USA. When we share your personal data with NASM to enroll you in a course, this involves transferring your data to the United States, which currently does not have an EU Commission adequacy decision (i.e., it’s not deemed to provide the same level of data protection as the EU by default). To safeguard such transfers, we rely on mechanisms such as the European Commission’s Standard Contractual Clauses (SCCs). NASM has agreed via our distributor agreement or related data protection agreements to handle EU personal data according to GDPR standards, including signing on to SCCs to contractually ensure protection of your rights. This means NASM must, among other things, use your data only for the purposes of providing the course, implement security measures, and if there is any conflict with US law (like government access demands), NASM will (to the extent permitted) inform us or the user and push back unless legally compelled.
Additionally, NASM’s platform is likely accessed by you directly once you enroll. By necessity, your interactions (such as completing modules or taking exams) will involve personal data processing on their US-based systems. NASM’s privacy policy will give more details on their practices. If you have concerns about data handling by NASM, you can contact us or NASM’s support. As an extra note, as of 2023 there is an updated EU-US Data Privacy Framework; we will monitor if NASM becomes certified under such a framework as an additional safeguard.
Other Non-EU Providers: Some of our service providers or tools might operate from or store data in other countries:
- Email/Newsletter Service (Moosend): Moosend is an EU-based service; your data stays in the EEA. If not, we’ll ensure SCCs or other measures
- Payment Processors: Stripe and Klarna for EU transactions typically keep EU data in the EEA or under an EU subsidiary’s control. Stripe, for instance, processes European card data via Stripe Payments Europe (Ireland) and then may transfer to the US under SCCs for some processing. Klarna is based in the EU (Sweden) for EU customers. Revolut is UK-based but has EU operations; since the UK is at this time considered adequate (a post-Brexit EU adequacy decision for the UK exists), transfers to the UK are permitted. We have agreements with these processors that incorporate necessary data protection clauses.
- Hosting: If our website hosting or cloud storage provider uses servers outside the EEA (for example, a US-based cloud provider hosting in a European data center but with possible maintenance from outside), we also ensure SCCs are in place and/or the provider is certified under relevant frameworks.
- Analytics: If we use Google Analytics, data might be transferred to Google in the US. We address this by (a) seeking your consent for analytics cookies, (b) activating IP anonymization, and (c) Google’s commitment via SCCs as part of their terms for European data. Still, there is ongoing discussion around analytics transfers; we continually assess compliance with the latest guidance (including recommendations from EU regulators).
Your Rights and Concerns: Despite our safeguards, we understand that international transfers (especially to the US) come with some risk (e.g., US government surveillance potential). If you prefer that we not transfer your data outside the EEA in a particular way, please communicate with us. For example, if you do not want us to share data with NASM in the US, note that would make delivering the course impossible (since NASM is the course provider). We will be transparent and try to accommodate privacy-sensitive requests where feasible.
By using our services and providing your information, you acknowledge that your data may be transferred to and processed in countries outside of your country of residence, including jurisdictions with different data protection laws. Nonetheless, we assure you that we take steps to ensure all such transfers are protected by appropriate safeguards, such as SCCs, and that your rights remain enforceable.
If in the future a country (like the US under new frameworks) is recognized by the EU Commission as providing adequate protection, we may rely on that decision instead of SCCs. We keep our data transfer mechanisms under review as laws evolve.
You can request a copy of the relevant SCCs or data transfer agreements by contacting us (some sensitive or unrelated sections may be redacted for confidentiality, but we will provide as much info as possible).
5. Data Retention
We will retain your personal data only for as long as necessary to fulfill the purposes we collected it for, including for satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period, we consider the nature and sensitivity of the data, the purposes for processing, and the applicable legal requirements. Our typical retention periods are:
- Account and Order Information: If you create an account or make a purchase, we will keep your basic account info and order history for as long as you remain a customer. If you delete your account or if it’s inactive for an extended period, we may archive or anonymize the data after [for example, 2 years] of inactivity, provided there are no active orders or issues. Order records (invoices, transactional emails) are kept at least for the duration needed to provide the service and thereafter as required by law (see next point).
- Financial and Invoicing Records: As required by Greek law and EU tax regulations, we retain invoice and payment records for at least 6 years from the end of the financial year to which they relate (some sources indicate 5 or 6 years; we will abide by the strictest requirement, e.g., 6 years). In practice, we currently keep these records for 7 years to be safe (e.g., if you purchased in 2026, your invoice may be kept until at least end of 2033). These records include your name and details on the invoice. We cannot generally erase these earlier upon request if they are needed for legal compliance, but we’ll store them securely and restrict access strictly to accounting personnel.
- NASM Course Data: We retain info about your course enrollment and completion indefinitely in our internal records, to verify your credential if needed and for historical reference (e.g., if you come back years later and ask for proof of certification or if we want to invite alumni to advanced courses). However, if you request erasure of your data (and if there’s no overriding legal need to keep it), we can remove personal identifiers and just keep an anonymized record for stats. Note that NASM itself may keep your certification record according to their policies (often they keep certification records indefinitely so they can verify credentials for employers or for your recertification needs).
- Communications: Emails and support correspondence are generally retained for a couple of years (standard is 2 years) after resolution of the matter, in case of follow-up issues. We may keep some communications longer if they contain valuable reference info for future dealings or if needed for legal reasons. For example, if you had a unique issue and we suspect it might come up again, we might retain that email to better assist you or others later. But we will periodically review old communications and securely delete those no longer needed.
- Marketing Data: If you have subscribed to our newsletter, we will keep your contact details on our mailing list until you unsubscribe or withdraw consent. Upon opting out, we will remove you from active mailing lists promptly (and in any event within a few days). We may still keep a record of your request to unsubscribe (your email) to ensure we don’t accidentally send you further communications (this is a suppression list, kept as long as necessary to honor your opt-out). If you have not engaged (e.g., no email opens or clicks) for a long time, we may also purge inactive contacts periodically to protect privacy.
- Web Analytics: Raw analytics logs (with IP addresses) are typically retained for a short duration (e.g., 14 months in Google Analytics by default) and then deleted or aggregated. We do not keep personally identifying web log data longer than necessary. General site logs on our server (for security) might be kept for a few months and automatically rotated, unless reviewing for specific security incidents.
- Legal Hold: If any personal data is needed for resolving disputes, enforcing our terms, or defending legal claims, we will retain that data as long as the issue is ongoing, and as required by the relevant statute of limitations. For instance, in Greece the general civil claim limitation can be 5 years or more; if there’s a potential dispute, we may keep related data until that period passes. Once such data is no longer needed, we will either delete it or anonymize it.
After the retention period expires, we will either securely erase your personal data or anonymize it (so it can no longer be associated with you) for statistical purposes. For example, we might retain aggregated data about how many people earned a certification each year, but without personal identifiers.
If you request deletion of your data (see Section 7 on your rights), we will honor it to the extent consistent with these retention rules. Data that we are required to keep (e.g., invoices) will be kept for the mandated period but we can, for instance, deactivate your account and remove unnecessary data while leaving the required info in our archives.
We continuously review the data we hold and securely dispose of data that’s no longer needed. We also take appropriate measures to protect data in storage (encryption, access controls) so that while it is retained, it remains safe.
6. Data Security
We take the security of your personal data seriously. INFC has implemented a range of technical and organizational measures to safeguard your information against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption: Our website is secured with HTTPS, which means data transmitted between your browser and our site (such as personal details entered in forms or payment information handled by Stripe/Klarna) is encrypted in transit using SSL/TLS. Where possible, we also encrypt data at rest. For example, passwords are stored hashed and salted (not in plain text), and sensitive fields are encrypted in our databases.
- Access Control: Personal data is accessible only to those staff or contractors who need it to perform their duties. For instance, our customer support and operations team can access order details and contact info to assist you, but they will have limited access to payment information (they might see that a payment succeeded and method used, but not full card numbers). Administrative interfaces are protected by strong authentication credentials, and we limit who has administrative privileges. We train our team on confidentiality and data handling practices.
- Hosting Security: Our Site is hosted by reputable providers that employ robust security protocols, including firewalls, intrusion detection systems, and regular security audits. We apply security updates and patches to our CMS, plugins, and servers in a timely manner to mitigate vulnerabilities. Data centers hosting our servers have physical security controls as well.
- Payment Security: As noted, we outsource payment processing to compliant providers like Stripe, which are PCI-DSS Level 1 certified. This ensures that your card data is handled with industry-standard security. We ourselves do not see or store your full payment card details.
- Monitoring: We monitor our systems for possible vulnerabilities and attacks. Unusual activities (such as multiple failed login attempts) may trigger alerts. We also utilize anti-malware and anti-virus solutions where appropriate.
- Backups: We maintain secure backups of critical data to ensure continuity (so if data is accidentally lost or corrupted, we can restore it). Backups are encrypted and stored in a secure environment. Backup data is subject to retention schedules and secured just like live data.
- Third-Party Due Diligence: When we work with third-party processors (like cloud services, email providers), we ensure they have strong security measures and standards. We review their security documentation and certifications (for example, compliance with ISO 27001, SOC 2, or similar standards where applicable).
- Anonymization and Minimization: Where possible, we anonymize data that we don’t need in identifiable form. For instance, analytics data may be aggregated. We also avoid collecting more data than necessary (as described in this Policy) which inherently reduces risk.
- Testing: We periodically test our infrastructure and web application for common security issues (through vulnerability scanning or even penetration testing by professionals, where appropriate). We promptly address any findings.
- Data Breach Procedures: In the unlikely event of a data breach that is likely to result in a high risk to your rights (e.g., unauthorized access to personal data), we have an incident response plan. This includes notifying affected individuals and relevant authorities (such as the Hellenic Data Protection Authority) within the timeframe mandated by law. We would provide information on the nature of the breach, likely consequences, and measures taken to address it.
User Responsibilities: You also play a role in keeping your data safe. We encourage you to use a strong, unique password for your INFC account and to keep your login credentials confidential. If you suspect any unauthorized activity on your account, notify us immediately. When using the Site, especially on a public or shared device, be sure to log out and close the browser to protect your account.
Despite our best efforts, no system can be guaranteed 100% secure. The internet by its nature carries some risk. However, we adhere to industry best practices to minimize risks. We will update our security measures regularly as technology and threats evolve.
If you have reason to believe that your interaction with us is no longer secure (for example, if you feel your account has been compromised), please contact us right away.
7. Your Rights as a Data Subject
As an individual in the European Union (or in jurisdictions with similar data protection laws), you have certain rights regarding your personal data. INFC is committed to upholding these rights. Below is a summary of your key GDPR rights and how you can exercise them:
- Right of Access: You have the right to request confirmation of whether we are processing your personal data, and if so, to obtain a copy of the data we hold about you, as well as information about how we use it. This allows you to understand and verify the lawfulness of our processing. We will provide you with a copy of your personal data undergoing processing, usually free of charge. For additional copies, we may charge a reasonable fee based on administrative costs. (We’ll inform you beforehand if any fee applies, but typically we handle access requests without charge.)
- Right to Rectification: You have the right to have inaccurate personal data corrected and incomplete data completed. If any of the information we hold about you is incorrect or out-of-date (for example, you change your name or email), please let us know and we will update it promptly. Many basic details can be updated by you directly by logging into your account profile as well.
- Right to Erasure (Right to be Forgotten): You have the right to request the deletion of your personal data in certain circumstances. These include situations such as: the data is no longer necessary for the purposes it was collected; you withdraw consent (and no other legal ground exists); you object to processing and we have no overriding legitimate grounds to continue; or the data was processed unlawfully. We will honor valid erasure requests without undue delay. However, the right to erasure is not absolute – we may retain certain data if necessary, for example, to comply with a legal obligation or for the establishment, exercise or defense of legal claims. If such an exception applies, we will inform you. Example: If you request deletion of your account, we can delete or anonymize personal info in our user database, but we might keep invoice records for tax law compliance (in which case, we’d secure them and keep only as required).
- Right to Restrict Processing: You have the right to request that we limit the processing of your data in certain scenarios. For instance, if you contest the accuracy of the data, you can request we restrict processing while we verify its accuracy; or if you object to processing (see below) and we are considering that objection. When processing is restricted, we will store your data but not actively use it (except to the extent necessary, e.g., to secure the data or if you consent or for legal reasons). We will inform you before lifting any such restriction.
- Right to Object: You have the right to object to our processing of your personal data when that processing is based on legitimate interests or public interest. If you object, we must stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or unless it’s needed for legal claims. Importantly, you have an absolute right to object to processing of your data for direct marketing purposes at any time (including profiling related to direct marketing). If you object to marketing, we will cease using your data for that purpose immediately.
- Right to Data Portability: For data you provided to us and that we process by automated means based on your consent or on a contract, you have the right to request that we provide it to you in a structured, commonly used, machine-readable format, or transmit it to another controller where technically feasible. For example, you could request an export of the personal info you gave us at sign-up. This right facilitates moving your data between services. Note it applies to data you actively provided (or data generated by your actions in the context of our service, like your course enrollment), not to results of our analysis or internal notes.
- Right not to be Subject to Automated Decisions: We do not make any decisions about you that are based solely on automated processing (with no human involvement) and that produce legal or similarly significant effects. However, you have the right to not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, unless it’s necessary for a contract, authorized by law, or based on your explicit consent, with safeguards in place. (Example of such decisions might be automatic application rejections, credit checks by algorithm, etc. – none of which we do.)
- Right to Withdraw Consent: Where we process your data based on your consent (e.g., for sending newsletters), you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of processing that was done before withdrawal. If you withdraw consent for marketing, we will stop sending you marketing communications. You can withdraw by using the unsubscribe link in emails or contacting us. For any other consent-based processing, just let us know you withdraw consent and we will accommodate.
- Right to Information: You have the right to be informed in a concise, transparent, intelligible, and easily accessible form about how we use your data. We aim to achieve this through this Privacy Policy and any notices we provide at data collection points (like form notices). If anything is unclear, you can always ask us for more information.
- Right to Lodge a Complaint: If you believe we have infringed your data protection rights or not handled your data lawfully, you have the right to file a complaint with a supervisory authority, particularly in the EU member state of your habitual residence, place of work, or place of the alleged infringement. In Greece, the supervisory authority is the Hellenic Data Protection Authority (HDPA). The HDPA’s website is http://www.dpa.gr, which provides instructions on how to submit a complaint. The address is Kifissias Ave. 1-3, 115 23, Athens, Greece. Phone: +30-210-6475600. If you reside in another country, you can contact your national Data Protection Authority. We would appreciate the chance to address your concerns before you approach the DPA, so please consider reaching out to us first, and we will do our utmost to resolve any issue.
Exercising Your Rights: You can exercise any of these rights by contacting us via email at contact@infc.global or by mail at our address provided in the Contact section. Please clearly state your request – e.g., “I am requesting a copy of my data” or “Please delete my account and all associated data” – and include enough information for us to verify your identity (we may ask for additional proof of identity if necessary, to ensure we don’t disclose data to the wrong person). This is to protect your data from unauthorized access. We will respond to your request as soon as possible, generally within one month of receipt. If your request is complex or we have a high volume of requests, we may extend this by a further two months, but we will inform you and explain why if that happens.
We will comply with your request to the extent required by law. If we cannot fulfill a request fully (e.g., we can’t delete data we must keep for legal reasons, or providing certain data may adversely affect others’ rights), we will explain our reasoning. Typically, access and correction requests are fulfilled without charge. For excessive or unfounded requests (especially repetitive ones), we may either charge a reasonable fee or refuse the request, but we would provide an explanation in such cases.
We want you to have control over your data. Our team is here to help with any privacy-related inquiries or requests.
8. Cookies and Tracking Technologies
Our Site uses cookies and similar tracking technologies to provide and improve our services, as touched on earlier. This section provides more details on our use of cookies.
What Are Cookies? Cookies are small text files that are placed on your device (computer, smartphone, etc.) when you visit a website. They allow the website to recognize your device and store certain information about your preferences or past actions. Cookies can be “session” cookies (which expire when you close your browser) or “persistent” cookies (which remain on your device for a set period or until deleted).
How We Use Cookies:
- Essential Cookies: These are necessary for our Site to function properly. For example, if our shop uses a cookie to keep track of your cart items as you navigate, or to maintain your logged-in session so you don’t have to log in on every page. Without these cookies, certain features (like the shopping cart or secure login) may not work. Because they are necessary, they do not require consent.
- Preferences Cookies: These cookies store your preferences (e.g., language or currency selection) to provide a more personalized experience. They remember choices you make to improve your next visits. You can disable them, but you may have to re-enter information or preferences each time.
- Analytics Cookies: We use these to collect information about how visitors use our Site – which pages are visited, how long users stay, how they got to our Site, etc. This helps us analyze site traffic and user behavior to improve our content and layout. We currently use Google Analytics, which places cookies to gather this data. The information is aggregated and not used to identify you directly. IP anonymization is enabled, meaning Google truncates your IP address within the EU to anonymize it. We treat analytics cookies as non-essential, so if required by law, we will ask for your consent before setting them. (You might see a cookie consent banner when you first visit the Site, giving you the option to accept or reject analytics cookies.)
- Marketing Cookies: As of now, we do not have third-party advertising cookies on our Site (we are not showing third-party ads or tracking you across other sites for advertising). If this ever changes – for example, if we partner with advertising networks or use remarketing ads – we will update our policy and request your consent for those. Marketing cookies would be used to track browsing habits and show you relevant ads on other platforms. We recognize the importance of user consent in such cases.
- Social Media Plugins: If our site integrates social media sharing buttons or login features (like “Login with Facebook” or a “Share on Instagram” button), those might set cookies if you use them or if you are already logged into those platforms. These cookies are set by the third-party social networks and are subject to their privacy policies. We ensure any such integration complies with e-privacy rules (e.g., not loading tracking elements from social sites unless you interact with the plugin).
Your Choices: When you first visit our Site, you may see a notification about cookies. If it’s required, we will not set non-essential cookies (like analytics) unless you opt in. You can manage or delete cookies using your browser settings at any time. Most web browsers allow control of cookies through the browser settings (you can typically find options to block or delete cookies under the “Privacy” or “Security” settings). Keep in mind that disabling certain cookies may affect the functionality of our Site. For instance, blocking all cookies might log you out or prevent items from staying in your cart.
For analytics, Google provides an opt-out browser add-on (for Google Analytics) if you want to prevent data collection by Google Analytics across all websites.
Do Not Track: Our Site does not currently respond to “Do Not Track” (DNT) signals. DNT is a setting in some browsers that sends a signal to websites requesting not to track your browsing. There is not yet a consensus on how sites should interpret DNT signals. We will monitor developments around DNT and may update our practices accordingly.
Further Information: For more detailed info about how we use cookies (names of cookies, durations, etc.), you can refer to our Cookie Policy. You can also contact us if you have specific questions about our cookie practices.
By continuing to use our Site with cookies enabled in your browser, you consent to our use of cookies as described herein (unless you have opted out of specific cookies).
9. Third-Party Links and Services in Privacy Context
Our Site and communications may contain links to third-party websites, embedded content, or the use of external services (as discussed in Section 11 of the Terms and Conditions). It’s important to understand how this relates to your privacy:
When you click a link to a website outside infc.global, or use a service not operated by us, that third party’s privacy policy and terms will apply to any data you provide or that is collected from you. We do not have control over the privacy practices of external sites or services.
Examples:
- If we link to NASM.org for additional resources, and you visit NASM’s site, any data they collect (like if you sign up for something on their site) is governed by NASM’s privacy notice.
- If you make a payment via Stripe Checkout, you are interacting with Stripe’s platform embedded in ours. Stripe will process your payment details under their privacy policy. (They generally only use it for payment and fraud prevention, but it’s their responsibility to inform you.)
- If you click on a social media icon (say, our Facebook or LinkedIn page link), you will be redirected to those external platforms, which have their own data practices.
- We might integrate a YouTube video on a page (showing a NASM promotional video, for example). If it’s embedded in privacy-enhanced mode, YouTube may not store cookies until you play it. But generally, interacting with embedded content might allow the third party (YouTube/Google in this case) to collect usage data (like your IP and what video was played). That data usage is subject to Google’s privacy policies.
We encourage you to review the privacy policies of any third-party sites or services before providing any personal information or as soon as you land on their page. These policies will tell you what data is collected, how it’s used, and how you can manage it for that service.
Third-Party Tools: If our Site uses third-party analytics (Google Analytics) or email marketing (Mooned), as described earlier, those services technically involve third parties receiving some data. We have covered those in Sections 3 and 8 (cookies). We ensure such providers are bound by confidentiality and data protection obligations via contracts.
No Endorsement: A link to a third-party site or use of a third-party tool doesn’t mean we endorse their privacy practices. It’s simply for functionality or reference.
Service Providers: We already described sharing data with service providers under Section 3 (who do things like hosting, payments, etc.). They are third parties too, but acting on our instructions. They will only use your data for providing services to us, not for their own marketing or other purposes.
To reiterate: we do not share your data with third parties for them to market to you, and we do not sell personal data.
However, if you access third-party websites or services through our site, any information they collect falls under their control. For example, if an external blog article is linked on our site and you go there, and that site has trackers or asks you to subscribe, that’s between you and them.
If you find any third-party link or content on our site that concerns you (for example, you suspect it’s malicious or it’s gathering data improperly), please let us know. We strive to only associate with trusted partners.
10. Updates to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. If we make significant changes, we will notify you in an appropriate manner, for example:
- Posting a prominent notice on our website (e.g., a banner or pop-up notification about the Privacy Policy update).
- Sending an email notification to users (especially if you have an account or are on our mailing list) outlining the changes.
The “Last updated” date at the top of this Policy will always indicate when the latest changes were made. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your data.
If changes are material, and where required by law, we will obtain your consent for the new ways we use personal data (for instance, if we were to start processing data for a new purpose that requires consent).
For example, if in the future we decide to collect additional personal data or use existing data for new marketing purposes, we would update this Policy and request any necessary consent.
Any changes to the Privacy Policy will become effective when posted on this page, unless stated otherwise. Your continued use of our Site or services after the effective date of the updated Policy will constitute acceptance of the changes, to the extent permitted by law. If you do not agree with any aspect of the updated Policy, you should notify us and/or consider stopping using our services (though we hope to always handle your data in a way that earns your trust and confidence).
We will archive previous versions of this Privacy Policy and make them available upon request, so you can see what changes have been made over time.
11. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data handling practices, please do not hesitate to contact us:
International Network of Fitness Certifications (INFC) – Privacy Department
Agiou Konstantinou 7, 15124 Marousi, Athens, Greece
Email: contact@infc.global
Phone: +30 694 300 5310
When contacting us about your personal data, please provide sufficient detail so we can assist you (for example, the email address associated with your account, and any specific detail about your inquiry). We may need to verify your identity before fulfilling certain requests, as discussed in Section 7.
We are committed to resolving any issues or questions you might have. Your privacy is important to us, and we welcome feedback on how we can improve our practices.
Thank you for taking the time to read our Privacy Policy. We value the trust you place in INFC to handle your personal data respectfully and responsibly.
By using our website or services, you acknowledge that you have read and understood this Privacy Policy. If anything is unclear, we are here to help – feel free to reach out using the contact information above.

