SGEP Fitness Assessments · Your data

How we treat your data.

From purchase to credential, personal data is collected minimally, protected in transit and at rest, moved across borders only under written safeguards, and deleted on request — save what law requires us to keep in anonymised form. This page is the whole journey.

Protected throughout

Minimal by design

We hold what fulfilment needs — name, email, order, result — and no payment data, ever. Each processor sees only its own step.

Locked in transit and at rest

TLS everywhere; encryption at rest with our processors; sign-in links work exactly once; access codes are single-purpose.

Never singled out

Group insights, if you consent, appear only in aggregates of at least ten people. Below that threshold, nothing is shown to anyone.

Leaves when you do

Every processor is bound by a written DPA with deletion duties — ClassMarker returns or deletes within 60 days of request; Sertifier on request, and in any event on termination. Our retention schedule is available on request.

01

Purchase

You buy from a Merchant of Record — FastSpring, Paddle or Lemon Squeezy — the seller of record and the controller of your payment. Card details never reach us; payment providers hold payment records under their own policies. We receive only your name, email and order number, to deliver what you bought.

FastSpring · SCCs + UK Addendum Paddle (IE / US) · UK–EEA adequacy + SCCs & UK Addendum
02

Access

Our service issues your access codes and single-use sign-in links, delivered by email. We keep the order record, codes and consent receipts — nothing more. Optional two-factor authentication protects your results page; our own operator access is hardware-key gated.

Cloudflare · DPF incl. UK ext. Resend · DPF incl. UK ext.
03

Assessment

You take the test on ClassMarker: name, email, answers, score. Anything beyond delivering your result — marketing, or inclusion in anonymised group insight — is asked as an explicit consent question inside the test, and defaults to no.

ClassMarker (AU / US-hosted) · SCCs + UK Addendum · signed DPA
04

Credential

Pass, and your certificate and badge are issued by Sertifier, with your data hosted in the EU (Belgium). A public verification page lets employers confirm the credential is genuine — published only if you choose, asked at the moment your credential is issued. It carries only the credential itself, and you can change your mind and have it removed at any time.

Sertifier (US) · EU-hosted · SCCs + UK Addendum

Want the full detail?

Every company named above — who they are, where they are, what they do for us, and the exact safeguard covering each data flow — is set out in plain language on its own page.

Who handles your data

Orderly Disruption Ltd (t/a Adaptive Fitness) · UK data controller · Data requests: info@orderlydisruption.com

Every cross-border transfer is covered by a written safeguard: UK Addendum / SCCs, UK adequacy, or DPF including the UK Extension. See also our privacy policy and its assessment addendum.

Version 3.0 · Effective on publication