Home / Privacy & Security
Legal

Privacy & Security

How IAAF handles personal information, uploaded reports, and platform security. We are committed to transparency, proportionate data use, and protecting the integrity of the accreditation process.

Last updated: June 2026

Summary. We collect only what is needed to run accreditation — contact details, uploaded PDFs, and assessment outputs. Reports at Level 1 and 2 are for your internal use. Level 4 accredited reports may be published in our public library. We use industry-standard security practices and do not sell personal data.

Who we are

The Impact Assessment Accreditation Forum (IAAF) is a Section 8 not-for-profit company registered in India under the Companies Act, 2013. We administer the Impact Report Accreditation Standard and operate the accreditation platform at impactassessmentforum.org.

For privacy-related questions, contact us via our Contact page.

Information we collect

Depending on how you use the platform, we may collect:

  • Contact information — name, email address, and organisation name provided when you submit a report, register for accreditation, or contact us.
  • Uploaded reports — impact assessment PDFs and related metadata (report title, reporting period, submitting entity) submitted for benchmarking or accreditation.
  • Assessment outputs — scores, principle-level feedback, and generated review reports produced through our evaluation process.
  • Account information — for IAAF administrators and reviewers: name, email, role, and authentication credentials (passwords are stored in hashed form, never in plain text).
  • Technical data — server logs such as IP address, browser type, and timestamps, used for security and troubleshooting.

We do not intentionally collect sensitive personal data about beneficiaries named in submitted reports. Organisations submitting reports are responsible for ensuring their uploads comply with applicable consent and data-protection requirements.

How we use information

We use collected information to:

  • Receive, process, and assess submitted impact reports against the IAAF Standard
  • Deliver benchmarking and review outputs to the email address you provide
  • Administer the accreditation pathway (Levels 1–4), including human review where applicable
  • Operate the accredited reports public library for Level 4 outcomes
  • Communicate with you about your submission, accreditation status, or enquiries
  • Maintain platform security, prevent abuse, and improve our services

We do not sell or rent personal information to third parties.

AI-assisted assessment

Levels 1 and 2 use automated AI-assisted analysis to evaluate submitted reports against the nine IAAF principles. Uploaded PDFs are processed through a secure API provided by our AI service provider (Anthropic). Report content is transmitted solely for the purpose of generating your assessment and is handled under the provider's data-processing terms.

Human reviewers may subsequently review AI-generated outputs before they are shared with you (Level 2) or before accreditation decisions are finalised (Levels 3–4).

Storage & retention

Submissions and assessment outputs are stored on secure servers operated by or on behalf of IAAF. We retain data for as long as necessary to:

  • Complete and deliver your requested assessment or accreditation
  • Maintain records required for audit, quality assurance, and dispute resolution
  • Publish accredited reports in the public library where applicable

You may request deletion of non-public submission data by contacting us. Accredited reports published in the public library may remain available as part of IAAF's transparency commitment, unless removal is required by law or agreed as part of a formal withdrawal process.

Sharing & disclosure

We may share information only in these circumstances:

  • Service providers — trusted vendors who help us operate the platform (e.g. cloud hosting, email delivery, AI processing), bound by confidentiality obligations
  • Accreditation process — independent reviewers and committee members involved in assessing your submission
  • Legal requirements — where required by law, regulation, or valid legal process
  • With your consent — in any other case, only with your explicit agreement

Public accreditation library

Reports that receive Level 4 full accreditation may be published in the IAAF Accredited Reports Library as part of our commitment to transparency and public accountability (Principle 9 of the Standard). Published materials typically include the accredited report and summary accreditation outcome — not your private contact details.

Level 1 and Level 2 outputs are intended for internal organisational use only and must not be presented as formal IAAF accreditation.

Security

We take the security of submitted reports and personal data seriously. Measures include:

  • Encrypted transport — data in transit is protected using HTTPS/TLS when the platform is accessed over the internet
  • Access controls — administrative access is restricted to authorised IAAF staff and reviewers; authentication uses hashed passwords and session tokens
  • Upload limits — file size and type restrictions (PDF only) to reduce abuse
  • Isolated job storage — each submission is stored separately with a unique reference identifier
  • Principle of least privilege — system access is limited to what each role requires

No system is completely immune to risk. If you believe there has been unauthorised access to your data or account, please contact us immediately at the address below.

Your responsibility. Do not upload reports containing unnecessary personal data about individuals. Redact or anonymise beneficiary information where possible before submission.

Your rights

Depending on applicable law (including India's Digital Personal Data Protection Act, 2023, where relevant), you may have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate information
  • Request deletion of personal data, subject to legal and accreditation record-keeping requirements
  • Withdraw consent where processing is consent-based
  • Lodge a complaint with a relevant data protection authority

To exercise these rights, contact us using the details below. We will respond within a reasonable timeframe.

Cookies & analytics

The public website uses minimal cookies. The admin portal may use session cookies to keep authorised users signed in. We do not use third-party advertising trackers. If we introduce analytics in future, this policy will be updated accordingly.

Changes to this policy

We may update this Privacy & Security notice from time to time. Material changes will be reflected on this page with an updated date. Continued use of the platform after changes constitutes acceptance of the revised policy.

Contact

For privacy, security, or data-related enquiries:

This page is provided for transparency and does not constitute legal advice. IAAF recommends organisations seek independent counsel where their reporting or data obligations require it.