Privacy Policy
Effective March 28, 2026 - Last updated March 28, 2026
1. Who We Are
IFO4 (International Financial Operations Authority) is a Delaware-registered organization that operates 35 platforms serving financial operations professionals worldwide. Our platforms include social.ifo4.org, a professional networking community, along with certification, training, research, and standards platforms.
This privacy policy applies to all IFO4 platforms and services. When we say "IFO4," "we," "us," or "our," we mean IFO4 and its affiliated platforms. When we say "you" or "your," we mean you, the person using our services.
2. Information We Collect
Information you give us directly
- Account information: your name, email address, job title, employer, and professional credentials
- Profile information: biography, profile photo, professional experience, and other details you choose to add
- Assessment and certification records: exam scores, certification status, continuing education credits
- Payment information: billing address and payment method details (see note below on Stripe)
- Content you create: posts, comments, forum contributions, and messages on social.ifo4.org
- Communications: emails you send us, support tickets, feedback, and survey responses
Information collected automatically
- Usage data: pages visited, features used, time spent, and interaction patterns
- Device information: browser type, operating system, screen resolution, and language settings
- Log data: IP address, access times, referring URLs, and error logs
- Cookies and similar technologies: see our Cookie Policy for details
A note about payment data
Stripe handles all payment processing for IFO4. We never see, receive, or store your full credit card number, CVV, or bank account details. Stripe is PCI DSS Level 1 certified. The only payment-related information we retain is your billing address and the last four digits of your card (for your reference on receipts).
3. How We Use Your Information
We use the information we collect for these purposes:
- Running our platforms: creating and managing your account, delivering content, processing certifications, and maintaining platform functionality
- Processing payments: handling subscriptions, issuing invoices, and managing refunds through Stripe
- Issuing and verifying certifications: recording exam results, issuing digital credentials, and enabling third-party verification of your certification status
- Generating anonymized benchmarks: producing industry reports and benchmarks from aggregated data where no individual person can be identified
- Improving our services: analyzing usage patterns (in aggregate) to make our platforms better
- Communicating with you: sending account-related emails, responding to your inquiries, and notifying you of important changes
- Preventing fraud: detecting and preventing unauthorized access, cheating on assessments, and other abusive behavior
- Complying with the law: meeting legal obligations, responding to lawful requests, and protecting our legal rights
We do not use your personal information for purposes unrelated to our services. We do not sell your information. We do not use your data for targeted advertising.
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, we process your personal data under the following legal bases:
- Contract performance: Processing that is necessary to deliver the services you signed up for. This includes managing your account, delivering certifications, and processing payments.
- Consent: Processing that you have specifically agreed to, such as receiving our newsletter or enabling optional analytics cookies. You can withdraw consent at any time, and we will stop the relevant processing going forward.
- Legitimate interest: Processing that serves our reasonable business interests without overriding your rights. This includes improving our platforms, preventing fraud, and generating anonymized industry benchmarks. We balance our interests against your privacy in every case.
- Legal obligation: Processing required by law, such as retaining financial records for tax purposes or responding to court orders.
5. Who We Share Your Information With
We do not sell your personal data. Period. We have never sold personal data and have no plans to do so.
We share information only with these categories of recipients, and only to the extent necessary:
| Recipient | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Billing details, transaction amounts |
| Vercel | Platform hosting | Technical data necessary for hosting |
| Cloudflare | Security and content delivery | IP addresses, request data |
| Email service provider | Transactional and account emails | Email address, name |
| Law enforcement | When legally required | Only what is specified in valid legal process |
Our anonymized benchmark reports and research publications contain aggregated statistical data only. No individual person can be identified from these reports.
6. Social Platform Data (social.ifo4.org)
social.ifo4.org is a professional community platform for financial operations professionals. Because social platforms handle personal data differently than other services, we want to be very clear about how social.ifo4.org works.
What we do
- Display your posts and profile to other users based on the privacy settings you choose
- Allow you to connect with other professionals, send messages, and participate in discussions
- Allow you to delete your content at any time
- Give you control over who can see your profile and posts
- Moderate content to maintain a professional, safe environment
What we do not do
- We do not mine your social data for advertising purposes
- We do not sell your social graph (your connections, interactions, or network) to anyone
- We do not use your social content to train AI models
- We do not track you across other websites or build profiles of your browsing activity outside IFO4
- We do not build "shadow profiles" of non-users based on your contact lists
- We do not serve targeted advertisements based on your social activity
- We do not share your private messages with third parties
- We do not use facial recognition technology on photos you upload
We believe a professional social platform should serve its members, not advertisers. Your data on social.ifo4.org exists to make the platform useful for you, not to be packaged and sold. This is a fundamental difference between IFO4 and ad-supported social networks.
7. Artificial Intelligence and Your Data
Some IFO4 platforms include AI-powered features, such as content recommendations, skill gap analysis, and study tools.
- We do not use your personal data to train AI models. Your individual information, assessment responses, social posts, and private content are not fed into training datasets.
- AI-generated content on our platforms is clearly labeled so you always know whether you are reading human-authored or AI-generated material.
- You can opt out of AI features at any time in your account settings without losing access to the core platform.
- Assessment scoring may involve algorithmic calculations, but no fully automated decision affects your certification status, rights, or access without human review. A human being reviews any consequential decision.
8. Children
IFO4 platforms are designed for working professionals and are not intended for anyone under the age of 16. We do not knowingly collect personal data from anyone under 16. If we learn that we have collected information from a person under 16, we will delete that information immediately and terminate the associated account. If you believe a minor has provided us with personal data, please contact us at privacy@ifo4.org.
9. International Data Transfers
IFO4 is based in the United States, and our primary data storage and processing occurs in the US. If you are located outside the United States, your information will be transferred to and processed in the US.
For users in the European Economic Area, United Kingdom, and Switzerland:
- We rely on Standard Contractual Clauses (SCCs) approved by the European Commission to provide adequate safeguards for data transferred outside the EEA
- We participate in and comply with the EU-US Data Privacy Framework
- We assess the legal environment in any country where data is processed to confirm adequate protection
If you have questions about international transfers, contact our Data Protection Officer at dpo@ifo4.org.
10. How Long We Keep Your Data
| Data Type | Retention Period | Reason |
|---|---|---|
| Account information | Duration of account + 2 years | Service delivery and post-closure inquiries |
| Certification records | Permanent | Professional credentials must remain verifiable indefinitely |
| Payment records | 7 years | Tax and financial regulatory requirements |
| Usage logs | 90 days | Security monitoring and troubleshooting |
| Social content you delete | Deleted within 30 days | Time needed for deletion to propagate through backups |
You may request deletion of your personal data at any time. We will honor your request except where retention is required by law or necessary to maintain the integrity of professional certification records.
11. Your Rights
Rights for all users
- Access: Request a copy of the personal data we hold about you
- Correction: Ask us to correct inaccurate or incomplete data
- Deletion: Ask us to delete your personal data (subject to legal retention requirements)
- Portability: Receive your data in a structured, machine-readable format
- Restriction: Ask us to limit how we process your data
- Objection: Object to processing based on legitimate interest
- Withdraw consent: Where processing is based on your consent, withdraw it at any time
Additional rights for California residents (CCPA/CPRA)
- Right to know: What personal information we collect, use, disclose, and sell (we do not sell)
- Right to delete: Request deletion of your personal information
- Right to opt out of sale: We do not sell personal information, but this right is available to you regardless
- Right to non-discrimination: We will not treat you differently for exercising your privacy rights
- Right to correct: Request correction of inaccurate personal information
- Right to limit use of sensitive personal information: Direct us to limit the use of sensitive categories
How to exercise your rights
Email privacy@ifo4.org with your request. We will verify your identity and respond within 30 days. If we need more time (up to an additional 60 days for complex requests), we will let you know. There is no fee for exercising your rights. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.
12. Security
We protect your data with the following measures:
- All data transmitted between your browser and our servers is encrypted using TLS 1.3
- Data stored on our servers is encrypted at rest using AES-256
- Access to personal data is restricted to personnel who need it to do their jobs, and all access is logged
- We conduct regular security reviews and vulnerability assessments
- We maintain an incident response plan and will notify affected users and regulators within required timeframes if a breach occurs
No system is perfectly secure. While we work hard to protect your information, we cannot guarantee absolute security. We are being honest with you about that, not hiding behind marketing language.
13. Cookies
We use cookies and similar technologies to keep you logged in, protect against fraud, and (with your consent) understand how people use our platforms. For a complete list of cookies we use and how to manage your preferences, see our Cookie Policy.
14. Changes to This Policy
If we make material changes to this policy, we will notify you by email at least 30 days before the changes take effect. We will also post the updated policy on this page with a new effective date. Non-material changes (like fixing a typo or clarifying existing language) may be made without advance notice. The current version of this policy is always available at this URL.
15. Contact Us
For privacy-related questions, requests, or complaints:
- Privacy team: privacy@ifo4.org
- Data Protection Officer: dpo@ifo4.org
- Mail: IFO4 Privacy Office, Wilmington, Delaware, USA
We aim to respond to all inquiries within 5 business days and to resolve all requests within 30 days.
16. Regulatory Compliance
IFO4 is committed to complying with applicable data protection laws wherever our users are located. This includes, but is not limited to:
- GDPR - General Data Protection Regulation (European Union and European Economic Area)
- UK GDPR - United Kingdom General Data Protection Regulation
- CCPA / CPRA - California Consumer Privacy Act and California Privacy Rights Act (California, USA)
- PIPEDA - Personal Information Protection and Electronic Documents Act (Canada)
- LGPD - Lei Geral de Protecao de Dados (Brazil)
- POPIA - Protection of Personal Information Act (South Africa)
- Privacy Act 1988 / APPs - Australian Privacy Principles (Australia)
- PDPA - Personal Data Protection Act (Singapore)
If a specific provision of local law grants you greater rights than those described in this policy, the local law prevails. Contact dpo@ifo4.org with jurisdiction-specific questions.