Privacy Policy

Last updated: 5 June 2026. Governed by the laws of Georgia. Published in English; a Georgian version will be made available.

This Privacy Policy explains how the Public Health Institute of Georgia (“PHIG”, “we”, “us”, “our”), acting as data controller, collects, uses, shares and protects personal data through certificate.ge and the SheniEkimi Accreditation service (the “Service”). We process personal data under the Law of Georgia on Personal Data Protection and, where they apply, the EU General Data Protection Regulation (“EU GDPR”), the United Kingdom GDPR and Data Protection Act 2018 (“UK GDPR”), and the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”).

1. Who is responsible for your data

The controller is PHIG, at the address above. Our responsible person and data-protection contact is Professor Giorgi Pkhakadze, MD, MPH, PhD. For any privacy request, contact info@accreditation.ge.

2. The personal data we collect

• Account data — name, email address and a password (stored only in hashed/encrypted form).
• Facility data — organisation name, type, physical address, contact details and logo.
• Assessment data — answers, notes and any documents or photographs you choose to upload as evidence.
• Correspondence — enquiries and support messages you send us.
• Public profile data — the limited information shown on an accredited facility public profile and certificate.
• Technical data — IP address, device and browser information, and cookies (see our Cookie Policy).

3. Why we use your data and our legal bases

We use personal data to create and manage your account; to assess applications and to issue, verify, renew, suspend or revoke certificates; to maintain the public register of accredited facilities; to communicate with you; to secure, operate and improve the Service; and to comply with law. Our legal bases are: performance of a contract (providing the Service you request); consent (for example optional cookies, which you may withdraw at any time); legitimate interests (operating, securing and improving the Service and protecting the integrity of the register, balanced against your rights); and compliance with a legal obligation.

4. Health data and other sensitive information

The Service assesses facilities, not individual patients. We do not ask for, and you must not upload, patient-identifiable information or special-category health data as evidence. If a facility nevertheless submits such data, the facility is the controller of that data, warrants that it has a lawful basis to share it, and PHIG processes it only to the limited extent needed to review the application. Please redact personal data from any document or photograph before uploading.

5. Cookies and similar technologies

We use cookies as described in our Cookie Policy. Non-essential cookies are used only with your consent.

6. Who we share data with

We share personal data only as needed: with assessors assigned to review your application; with vetted service providers (for example hosting) acting as our processors under written confidentiality and data-protection terms; with the public, but only the limited information shown on a facility public profile and certificate; and with courts, regulators or authorities where required by law. We do not sell personal data, and we do not share it for cross-context behavioural advertising.

7. International data transfers

We are based in Georgia, and our service providers may process data in other countries. Where personal data crosses borders, we rely on an adequacy decision where one exists, or on appropriate safeguards such as the European Commission Standard Contractual Clauses (and the UK International Data Transfer Addendum), to ensure a level of protection consistent with applicable law.

8. How long we keep data

We keep personal data only as long as necessary for the purposes above — typically for the life of your account and certificate, plus any period required by law — after which it is deleted or anonymised.

9. How we protect data

Uploaded evidence is stored in a private area that is not publicly accessible and is available only to the relevant assessor and authorised administrators. We apply appropriate technical and organisational measures, including access control and encryption in transit. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

10. Your rights

Everyone may ask us to access, correct, update or delete their personal data, and may contact us with any privacy question at info@accreditation.ge. We respond within the timeframe required by applicable law.

European Economic Area / EU (EU GDPR): rights of access, rectification, erasure, restriction, data portability and objection, and the right to withdraw consent at any time. You may lodge a complaint with your local data-protection supervisory authority.

United Kingdom (UK GDPR / Data Protection Act 2018): the same rights as above, and the right to complain to the Information Commissioner’s Office (ICO) at ico.org.uk.

California (CCPA/CPRA): California residents may request to know, delete and correct personal information, and may opt out of any “sale” or “sharing” of personal information — although we do not sell or share personal information — and may limit the use of sensitive personal information. We will not discriminate against you for exercising these rights, and you may use an authorised agent. Email info@accreditation.ge.

Georgia (Law on Personal Data Protection): rights of access, correction, updating, blocking, erasure and destruction, and the right to complain to the Personal Data Protection Service of Georgia (personaldata.ge).

11. Children

The Service is intended for organisations and adults. We do not knowingly collect personal data from children under 16, and the Service is not directed to children. If you believe a child has provided us data, contact us and we will delete it.

12. Do Not Track and Global Privacy Control

Because we do not track users across third-party websites for advertising, the Service responds to a Global Privacy Control (GPC) or “Do Not Track” signal by continuing not to sell or share personal information.

13. Complaints

Please contact us first so we can help. You also have the right to complain to a supervisory authority: the Personal Data Protection Service of Georgia; in the EU, your local data-protection authority; in the UK, the ICO; in California, the California Privacy Protection Agency or Attorney General.

14. Changes to this Policy

We may update this Policy from time to time. The “last updated” date above reflects the current version, and material changes will be notified through the Service.

15. Contact

Professor Giorgi Pkhakadze, MD, MPH, PhD, PHIG — info@accreditation.ge, +995 577 416 314, 3 Beltemi Rise, Tbilisi 0105, Georgia.