Page 2 of 11
Table of Contents
1. Introduction 3
2. Data Protection Principles 3
3. Categories of Personal Data Processed 3
4. Purposes of Processing 4
5. Lawful Bases for Processing 4
6. Data Sharing and Disclosure 4
7. International Data Transfers 5
8. Data Retention 5
9. Data Security Measures 5
10. Data Subject Rights 6
11. Cookies and Website Tracking 6
12. Children’s Data 6
13. Data Breach Notification 6
14. Changes to This Policy 7
15. ICAB Main Contact Information 7
16. ICAB Apple App Store Disclosures 7
16.1 Categories of Data Collected by the ICAB App 7
16.2 Data Linked to the User 8
16.3 Data Not Linked to the User 8
16.4 Tracking Disclosure 8
16.5 Purposes of App‑Specific Processing 8
16.6 Third‑Party SDKs and Service Providers 9
16.7 App‑Specific Data Retention 9
16.8 User Rights and App‑Specific Data Deletion 9
16.9 Children’s Data (App‑Specific COPPA Statement) 10
16.10 ICAB DPO Contact Information for Apple Questions 10
17.0 ICAB Google Play App Store Disclosures 10
17.1 App Listing Information 10
17.2 Privacy and Data Safety Disclosures 10
17.3 Technical Declarations 11
17.4 Developer Verification 11
Page 3 of 11
1. Introduction
The Institute of Chartered Accountants of Barbados (ICAB) is committed to protecting the privacy,
confidentiality, and security of personal data in accordance with the Barbados Data Protection
Act, 2019 (BDPA) and international best practices. This Privacy Policy explains how ICAB collects,
uses, discloses, stores, and protects personal data relating to members, students, employees,
Council members, vendors, complainants, event participants, and website users.
ICAB acts as a Data Controller for all personal data it processes.
2. Data Protection Principles
ICAB adheres to the following BDPA principles:
● Lawfulness, fairness, and transparency
● Purpose limitation
● Data minimisation
● Accuracy
● Storage limitation
● Integrity and confidentiality
● Accountability
3. Categories of Personal Data Processed
ICAB processes the following categories of personal data:
● Identification data — name, date of birth, gender, national ID, passport number
● Contact data — address, email, telephone number
● Membership and student records — membership number, application forms, CPD
records, examination results
● Professional and employment data — qualifications, work history, employer details
● Financial data — payment records, invoices, bank transfer information
● Sensitive data — health information, disability declarations, criminal record declarations
(where legally required)
● Technical data — IP address, device identifiers, website usage data
● Event and training data — attendance, participation records, certificates
● Complaint and disciplinary data — investigation files, evidence, outcomes
Page 4 of 11
4. Purposes of Processing
ICAB processes personal data for the following purposes:
● Membership administration and renewal
● Student registration, examinations, and certification
● Continuing Professional Development (CPD) tracking
● Regulatory oversight and disciplinary investigations
● Employment and HR management
● Financial administration and payment processing
● Event management and training delivery
● Communication with members and stakeholders
● Compliance with legal and regulatory obligations
● Website security, analytics, and service improvement
5. Lawful Bases for Processing
ICAB relies on the following lawful bases under the BDPA:
● Consent — for optional services, marketing, and certain sensitive data
● Contractual necessity — membership, student services, employment contracts
● Legal obligation — statutory reporting, regulatory oversight
● Legitimate interests — organisational governance, fraud prevention, service improvement
● Public interest — professional regulation and disciplinary functions
6. Data Sharing and Disclosure
ICAB may share personal data with:
● Regional and international accountancy bodies
● Examination and certification partners
● Government agencies and regulators
● External auditors and legal advisors
● IT service providers and cloud hosting partners
● Event partners and training providers
● Law enforcement (where legally required)
All third parties are bound by confidentiality and BDPA‑compliant data processing agreements.
Page 5 of 11
7. International Data Transfers
ICAB may transfer personal data outside Barbados for:
● Examination administration
● Professional reciprocity and recognition
● Cloud‑based services
Transfers are made only where adequate protections exist, including:
● Adequacy decisions
● Contractual safeguards
● Secure technical controls
8. Data Retention
ICAB retains personal data only as long as necessary for the purposes collected and in accordance
with statutory, regulatory, and operational requirements.
Examples:
● Membership records — retained indefinitely for professional history
● Examination records — retained permanently
● Financial records — minimum 7 years
● HR records — duration of employment + statutory period
● Complaint and disciplinary files — retained according to regulatory requirements
Data is securely destroyed when no longer required.
9. Data Security Measures
ICAB implements appropriate technical and organisational measures, including:
● Encryption of data in transit and at rest
● Access controls and role‑based permissions
● Secure cloud hosting and backup procedures
● Audit logging and monitoring
● Staff confidentiality agreements
● Regular security assessments and training
Page 6 of 11
10. Data Subject Rights
Under the BDPA, individuals have the following rights:
● Right to be informed
● Right of access
● Right to rectification
● Right to erasure
● Right to restrict processing
● Right to object
● Right to data portability
● Right not to be subject to automated decision‑making
Requests may be submitted to ICAB’s Data Protection Officer.
11. Cookies and Website Tracking
ICAB’s website uses cookies and analytics tools to:
● Improve website functionality
● Analyse usage patterns
● Enhance user experience
Users may manage cookie preferences through their browser settings.
12. Children’s Data
ICAB does not knowingly collect personal data from children under 16 unless required for
examination or training purposes and with appropriate consent.
13. Data Breach Notification
ICAB maintains an Incident Response Plan. In the event of a personal data breach, ICAB will:
● Assess the severity and impact
● Notify the Data Protection Commissioner where required
● Inform affected individuals when there is a high risk to their rights and freedoms
Page 7 of 11
14. Changes to This Policy
ICAB may update this Privacy Policy periodically. The latest version will always be available on
ICAB’s website.
15. ICAB Main Contact Information
Institute of Chartered Accountants of Barbados (ICAB)
Carlisle House, Hincks Street, Bridgetown, Barbados
Email: info@icab.bb
Telephone: +1 (246) 429‑5678
16. ICAB Apple App Store Disclosures
This section provides the disclosures required by the Apple App Store, including the types of data
collected by the ICAB mobile application (“ICAB App”), how it is used, and the third‑party services
involved in processing.
The ICAB App is operated by the Institute of Chartered Accountants of Barbados (ICAB), acting as
Data Controller under the Barbados Data Protection Act, 2019 (BDPA).
16.1 Categories of Data Collected by the ICAB App
The ICAB App may collect and process the following categories of personal data:
● Identification Data — name, membership ID, date of birth
● Contact Data — email, phone number
● Membership & Student Data — CPD records, exam results, membership status
● Professional Data — qualifications, employer details
● Financial Data — payments, invoices (if in‑app payments are enabled)
● Technical & Device Data — IP address, device identifiers, crash logs, app performance
data
● Usage Data — app interactions, feature usage, session duration
● Uploaded Content — documents, forms, or files submitted through the app
● Location Data — only if the user enables location‑based features
Page 8 of 11
16.2 Data Linked to the User
The following data may be linked to the user’s identity, as required by Apple’s Privacy Nutrition
Label:
● Identification data
● Contact data
● Membership and student data
● Financial data (if applicable)
● Usage data
● Device identifiers
16.3 Data Not Linked to the User
The following data may be collected but not linked to the user:
● Crash logs
● Performance metrics
● Aggregated analytics
16.4 Tracking Disclosure
The ICAB App:
Does not track users across apps or websites owned by other companies.
No advertising identifiers or cross‑app tracking technologies are used.
16.5 Purposes of App‑Specific Processing
The ICAB App processes data for the following purposes:
● Account creation and authentication
● Membership verification
● CPD tracking and certificate access
● Examination and student services
● Event registration and attendance
● Secure communication with ICAB
● App performance monitoring and crash diagnostics
● Payment processing (if enabled)
● Fraud prevention and security monitoring
Page 9 of 11
16.6 Third‑Party SDKs and Service Providers
The ICAB App may use the following categories of third‑party services:
● Analytics SDKs (e.g., Firebase Analytics, Google Analytics for Firebase)
● Crash reporting SDKs (e.g., Firebase Crashlytics, Sentry)
● Cloud hosting providers (e.g., AWS, Azure, Google Cloud)
● Authentication providers (e.g., Firebase Auth, OAuth, Apple Sign‑In)
● Payment processors (e.g., Stripe, Apple Pay)
● Push notification services (e.g., Firebase Cloud Messaging, Apple Push Notification
Service)
● Email and messaging services (e.g., SendGrid, Mailchimp)
All third‑party processors operate under BDPA‑compliant data processing agreements.
16.7 App‑Specific Data Retention
Data collected through the ICAB App is retained according to the retention rules in Section 8 of this
Policy, unless:
● The user deletes their account
● The user requests deletion of app‑specific data
● The data is no longer required for the purpose collected
App‑specific logs (e.g., crash logs) may be retained for up to 12 months.
16.8 User Rights and App‑Specific Data Deletion
Users may exercise all BDPA rights described in Section 10.
In addition, Apple requires the following app‑specific deletion options:
● Delete account: Users may request account deletion by contacting ICAB’s DPO.
● Delete app data: Users may delete locally stored data by uninstalling the app.
● Request deletion of server‑stored data: Users may email the DPO to request deletion of
data processed through the app.
ICAB will verify identity before processing deletion requests.
Page 10 of 11
16.9 Children’s Data (App‑Specific COPPA Statement)
The ICAB App is not intended for children under 13 years of age.
ICAB does not knowingly collect personal data from children under 13.
For examination or training services involving minors aged 13–16, ICAB obtains appropriate
consent as required by the BDPA.
16.10 ICAB DPO Contact Information for Apple Questions
For questions about the ICAB Apple App’s privacy practices:
Data Protection Officer
Institute of Chartered Accountants of Barbados (ICAB)
Room 29, Hastings Plaza, Hastings, Christ Church, Barbados
Email: dpo@icab.bb
Telephone: +1 (246) 429‑5678
17.0 ICAB Google Play App Store Disclosures
Purpose
This section outlines the disclosures required for publication of the ICAB App on the
Google Play Store, ensuring transparency and compliance with
Google’s Data Safety and Developer Policies.
17.1 App Listing Information
● App Title, Short Description, and Full Description as approved by ICAB.
● Screenshots and Feature Graphic (16:9 ratio).
● Category: Education – Professional Training.
● Developer Contact Email and Website URL (info@icab.bb | www.icab.bb).
17.2 Privacy and Data Safety Disclosures
● Public Privacy Policy URL (linking to this document).
● Data Safety Form disclosing collection, sharing, and security practices.
● Declaration of Minimal Data Use (only functional data collected).
● Confirmation of No Third‑Party Advertising SDKs or Trackers.
● Encryption of all data in transit and at rest.
● User consent required for any optional data collection features.
Page 11 of 11
17.3 Technical Declarations
● Target API Level: Android 14 or higher.
● Permissions list with justification (e.g., Internet access for secure API calls).
● Demo Account credentials for Play review (if login required).
● App Content Declaration for age rating and restricted features.
17.4 Developer Verification
Vision Nova Inc.
#4, #19 Pine Road, Belleville, St. Michael, Barbados
Email: reymar.gooding@visionnova.com
Telephone: +1 (246) 257‑0722
17.5 Compliance Statement
The ICAB App meets Google Play Store requirements for data privacy, security, and developer trans
p‑arency.
All information is accurate as of submission date and maintained under ICAB’s Data Protection Polic
y V1.0FV.
