1. Scope and definitions

• “We”, “our” and “BTIB” refer to the program operator.
• “You” means registered users, applicants, and accredited members.
• “Personal data” means any information that identifies you or your business.

2. Core principles

• Collect only what we need.
• Use data only for the purpose we collected it for.
• Keep data accurate and up to date.
• Protect data with strong security.
• Keep data only as long as needed, then delete or anonymise it.
• Be transparent and respond to requests about your data.

3. What we collect

• Registration and contact details: name, business name, email, phone, address.
• Application details: token pathway, item details, category, connection descriptions.
• Orientation progress: completion status and quiz result (pass/fail, score).
• System data: account activity, audit logs, device/browser info, IP address.
• Communications: emails, help desk messages, misuse reports.
• Assets we generate for you: QR code, welcome kit files.

4. Why we collect it

• To register your account and verify your email.
• To run Orientation and record completion.
• To assess and manage accreditation applications.
• To create and maintain your public directory listing and QR code.
• To send service emails and provide support.
• To keep the portal secure, prevent misuse, and meet legal obligations.

5. Legal basis

• Contract: to provide the portal and accreditation services you request.
• Legitimate interests: to protect the program, prevent fraud, and improve services.
• Consent: where required for optional features or communications.
• Legal obligation: where laws require us to keep or share certain records.

6. How we protect your data

• Encryption in transit (TLS) and at rest.
• Role-based access control and least-privilege permissions.
• Multi-factor authentication for admin access.
• Network segregation and firewalls.
• Regular backups and tested restore procedures.
• Audit logs for key actions.
• Vulnerability management and patching.
• Supplier risk reviews and data processing agreements with vendors.
• Staff confidentiality and security training.

7. Where we store and process data

• In secure cloud data centres. Some processing may occur outside the Cook Islands.
• When data is transferred internationally, we use contracts and safeguards to protect it.

8. Sharing your data

We share only when necessary:

• Service providers (hosting, email delivery, file storage, analytics with privacy controls).
• BTIB reviewers and authorised program staff.
• Public directory: limited business information and accredited items that you approve for publication.
• Law enforcement or regulators when legally required.

We do not sell your personal data.

9. Your rights

You can:

• Access your data and get a copy.
• Correct inaccurate information in your profile.
• Ask us to delete data we no longer need.
• Restrict or object to certain processing.
• Withdraw consent where processing relies on consent.

Contact the Help Desk to make a request. We will respond within a reasonable time.

10. Data retention schedule

We keep data only as long as needed for the purpose it was collected, then we delete or anonymise it.

• Registration and account data: for as long as your account is active. If the account is closed, retain for 24 months, then delete or anonymise.
• Orientation records (status and score): for the life of the account, then delete within 24 months of account closure.
• Accreditation applications
  • Approved: keep the application and accredited item records for the life of the accreditation and for 6 years after expiry or withdrawal, then archive or anonymise.
  • Declined or withdrawn: keep for 24 months from decision date, then delete or anonymise.
• Public directory listing: visible while accreditation is active. On expiry or revocation, remove from public view within 7 days and archive for 6 years.
• QR code assets: active while accreditation is active. Retain archived versions for 24 months after deactivation.
• Communications (email, help desk, misuse reports): 36 months, then delete or anonymise.
• System logs and audit trails: 12 months, then delete or aggregate.
• Backups: rolling backups retained up to 90 days.

If law or a dispute requires longer retention, we will keep only what is necessary for as long as needed.

11. Cookies and analytics

• Essential cookies are used to keep you signed in and secure the session.
• Optional analytics use aggregated data to improve the portal. Where required, we will ask for consent and provide controls to opt out.

12. Data accuracy

Keep your profile and accreditation details up to date. You can edit your information from the Profile Page. We may ask you to confirm details during reviews or audits.

13. Incident response

• We monitor for security events.
• If we discover a breach that affects your data, we will investigate, contain the issue, notify affected users and relevant authorities as required, and share guidance on next steps.

14. Third-party links

If the portal links to other sites (for example, payment or file tools), their privacy and security practices apply on those sites. Review their policies before sharing information.

15. Children

The portal is for businesses and adult applicants. We do not knowingly collect children’s data.

16. Changes to this policy

We may update this policy to reflect improvements or changes in law. We will post the latest version in the portal and note the date of change. Important changes will be communicated by email or an in-portal notice.

17. Contact

For questions, requests, or concerns about data protection:

• Email: ucibtib@cookislands.gov.ck
  
• Phone: +682 24296