Privacy Policy

Who We Are

Our website address is: https://c-ao.com. This site serves as a knowledge base for the CIAO Standard and functions as a corporate reference and statement of adherence to the CIAO Standard.

We are committed to protecting personal data in compliance with:

• The EU General Data Protection Regulation (GDPR)
• The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018
• The Protection of Personal Information Act (POPIA) of South Africa
• The African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention)
• The Mauritian Data Protection Act 2017

Wherever possible, we also align with other applicable privacy regulations worldwide.

Information We Collect

Comments

When visitors leave comments, we collect the information entered in the comments form, together with the visitor’s IP address and browser user agent string to assist with spam detection. An anonymised string (hash) of your email address may be shared with the Gravatar service to check if you use it. The Gravatar privacy policy is available at https://automattic.com/privacy/. Once your comment is approved, your profile picture may be visible to the public in the context of your comment.

Media

If you upload images, please avoid including embedded location data (EXIF GPS). Visitors may download and extract location data from images posted on the site.

Cookies

• If you leave a comment, you may opt in to saving your name, email address, and website in cookies for convenience. These last for one year.
• A temporary cookie is set on the login page to check if your browser accepts cookies. It contains no personal data and is discarded when you close your browser.
• Login cookies last for two days; display preference cookies last for one year. Selecting “Remember Me” extends login persistence to two weeks. Logging out removes login cookies.
• Editing or publishing an article sets an additional cookie containing the post ID, which expires after one day.

Embedded content from other websites

Articles may include embedded content (e.g. videos, images, articles). Embedded content from other websites behaves as if you visited those sites directly. These sites may collect data, use cookies, embed third‑party tracking, and monitor your interaction with the content.

How We Use and Share Data

• If you request a password reset, your IP address will be included in the reset email.
• Visitor comments may be checked through automated spam detection services.
• We do not sell or rent personal data to third parties. Data is shared only when necessary for site functionality, security, or legal compliance.

Legal Basis for Processing

We process personal data only where a lawful basis exists under applicable regulations, including:

• Consent: Where you have given clear consent for us to process your data for a specific purpose (e.g. storing cookies, publishing comments).
• Contractual necessity: Where processing is required to fulfil a contract with you or to take steps at your request prior to entering into a contract.
• Legal obligation: Where processing is required to comply with applicable laws and regulations.
• Legitimate interests: Where processing is necessary for our legitimate business interests, provided these are not overridden by your rights and freedoms.
• Public interest / regulatory requirements: Where required under POPIA, the African Union Convention, or Mauritian law to protect public interests or comply with supervisory authorities.
• Please see our Site and Subscribed Data Usage Terms for processing contexts outside the scope of this Privacy Policy.

Data Retention

• Comments and their metadata are retained indefinitely to recognise and approve follow‑up comments automatically.
• For registered users (if applicable), we store personal information provided in user profiles. Users can view, edit, or delete their personal information at any time (except usernames). Administrators can also access and edit this information.

Your Rights

Depending on your jurisdiction, you may have the following rights:

• EU GDPR / UK GDPR: The right to access, rectify, erase, restrict processing, data portability, and object to processing. You may also lodge a complaint with your local supervisory authority (e.g. the ICO in the UK or your national data protection authority in the EU).
• African Union Convention: Rights to privacy, data protection, and recourse through national supervisory authorities.
• POPIA (South Africa): The right to be informed, to access, to request correction or deletion, and to object to processing. Complaints may be lodged with the Information Regulator.
• Mauritian Data Protection Act 2017: The right to access, rectify, erase, and object to processing, and to lodge complaints with the Data Protection Commissioner.

We will honour these rights in accordance with the applicable law.

Children’s Privacy

Our services are not directed at children under the age of 16 (or the age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child, we will take steps to delete such information promptly. Parents or guardians who believe their child has provided personal data may contact us to request deletion.

Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction.

International Data Transfers

Where personal data is transferred across borders, we ensure adequate safeguards are in place, consistent with GDPR, UK GDPR, POPIA, the African Union Convention, and Mauritian law. This may include standard contractual clauses, adequacy decisions, or equivalent mechanisms.

Changes to This Policy

We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated revision date.

Data Controller and Contact Details

For the purposes of the EU GDPR, UK GDPR, POPIA, the African Union Convention, and the Mauritian Data Protection Act 2017, the data controller responsible for your personal data is as per C-AO sub-domain member organisation that you are subscribed to.

If you have any questions, concerns, or requests relating to your personal data or this Privacy Policy, you may contact us using the details below.

Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us at: sr@c-ao.com with Subject noting specifically the subscribed sub-domain member organisation name that you are querying this policy for, else we would respond from a CIAO Standard perspective i.e. C-AO.com.

The CIAO Standard is owned by C-AO.com.

Email: sr@c-ao.com

© 2026 [C-AO.com].
This policy is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License .
You are free to share and adapt this material for any purpose, even commercially, provided that you give appropriate credit, provide a link to the license, and indicate if changes were made. If you remix, transform, or build upon this material, you must distribute your contributions under the same license as the original.