Skip to main content

Privacy Policy

Last updated: March 2026

1. Data Controller

The data controller responsible for your personal data is:

idealy AB
Org. nr: 556880-7464
VAT: SE556880746401
Saturnusvagen 70, 352 64 Vaxjo, Sweden
Email: [email protected]

If you have any questions about how we process your data, contact us at the address above.

2. What Data We Collect

Account Information

Assessment Data

Payment Data

Technical Data

User-Generated Content

If you use TrueCert through an organization account, your organization administrator may also have access to your assessment results and scores.

We process your personal data under the following legal bases as defined by the GDPR:

Legal Basis Purpose
Contract performance
(Art. 6(1)(b) GDPR)
Account creation, assessment delivery, certificate generation, payment processing, support case handling
Legitimate interest
(Art. 6(1)(f) GDPR)
Platform security, fraud prevention, service improvement, analytics, maintaining assessment integrity
Legal obligation
(Art. 6(1)(c) GDPR)
Tax compliance, financial record keeping, responding to lawful requests
Consent
(Art. 6(1)(a) GDPR)
Marketing communications (where applicable). You can withdraw consent at any time.

4. How We Use Your Data

We use your personal data to:

We do not use your data for automated decision-making or profiling that produces legal effects.

5. Data Sharing

We do not sell your personal data. We share data only with the following categories of recipients:

Recipient Purpose Location
Stripe, Inc. Payment processing for individual purchases and subscriptions United States
Email service provider Sending transactional emails (account verification, notifications, support) EU / United States
Organization administrators If you are invited via an organization, your assessment results and scores may be shared with the inviting organization Varies
Certificate verifiers When you share a verification token, the verifier can see your name, assessment, score, and completion date Varies

6. Cookies

We use a minimal set of cookies that are essential for the platform to function. We do not use any third-party tracking or advertising cookies.

For full details on the cookies we use, please see our Cookie Policy.

In summary, we use: a session cookie (tc_session), a persistent login cookie (remember_token), and Stripe checkout session cookies for payment processing.

7. Analytics

We use Umami Cloud for website analytics. Umami collects anonymized usage data including pages visited, referrer source, browser type, and country. Umami does not use cookies, does not track individual users across sites, and does not collect personally identifiable information.

Analytics data is processed and stored in the European Union. For more information, see Umami's privacy policy.

8. Data Retention

Data Category Retention Period
Account data Retained until you delete your account
Assessment results & certificates Retained permanently (to maintain certificate verifiability)
Purchase records Retained for 7 years after purchase (Swedish tax compliance requirements)
Support cases Retained for 2 years after resolution
Technical logs (IP, browser) Retained for 90 days
Session cookies Deleted when browser session ends

When you request account deletion, we will remove your personal data except where retention is required by law (e.g., financial records for tax purposes).

9. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the following rights:

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) at imy.se.

10. International Transfers

Some of our service providers are located outside the European Economic Area (EEA):

We ensure that all international transfers of personal data are protected by appropriate safeguards as required by the GDPR, including Standard Contractual Clauses approved by the European Commission.

11. Security Measures

We implement appropriate technical and organizational measures to protect your personal data, including:

While we take reasonable precautions, no system is completely secure. We encourage you to use a strong, unique password and keep your credentials confidential.

12. Children

TrueCert is not intended for children under 16 years of age. We do not knowingly collect personal data from anyone under 16. If we become aware that we have collected data from a child under 16 without parental consent, we will delete that data promptly. If you believe a child under 16 has provided us with personal data, please contact us at [email protected].

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

We encourage you to review this page periodically.

14. Contact & Data Protection

For any privacy-related questions, data access requests, or to exercise your GDPR rights, please contact us or email [email protected].

TrueCert is operated by idealy AB (org. nr 556880-7464), Saturnusvägen 70, 352 64 Växjö, Sweden.

You may also contact the Swedish data protection authority:

Integritetsskyddsmyndigheten (IMY)
Box 8114, 104 20 Stockholm, Sweden
Website: imy.se