Privacy Policy
Last updated: March 2026
1. Data Controller
The data controller responsible for your personal data is:
Org. nr: 556880-7464
VAT: SE556880746401
Saturnusvagen 70, 352 64 Vaxjo, Sweden
Email: [email protected]
If you have any questions about how we process your data, contact us at the address above.
2. What Data We Collect
Account Information
- Full name and display name
- Email address
- Password (stored as a bcrypt hash -- we never store your password in plain text)
- Username
- Avatar URL (if provided)
Assessment Data
- Assessment results, scores, and completion dates
- Individual question responses and answers
- Time spent on assessments
- Certificates and verification tokens generated
Payment Data
- Purchase history, amounts, and payment references
- Discount codes used
- Note: full payment card details are processed by Stripe and never stored on our servers
Technical Data
- IP address
- Browser type and version
- Device information
- Pages visited and timestamps
User-Generated Content
- Assessment reviews (ratings and text)
- Question flags and reports
- Support case messages
If you use TrueCert through an organization account, your organization administrator may also have access to your assessment results and scores.
3. Legal Basis for Processing
We process your personal data under the following legal bases as defined by the GDPR:
| Legal Basis | Purpose |
|---|---|
| Contract performance (Art. 6(1)(b) GDPR) |
Account creation, assessment delivery, certificate generation, payment processing, support case handling |
| Legitimate interest (Art. 6(1)(f) GDPR) |
Platform security, fraud prevention, service improvement, analytics, maintaining assessment integrity |
| Legal obligation (Art. 6(1)(c) GDPR) |
Tax compliance, financial record keeping, responding to lawful requests |
| Consent (Art. 6(1)(a) GDPR) |
Marketing communications (where applicable). You can withdraw consent at any time. |
4. How We Use Your Data
We use your personal data to:
- Account management -- create and maintain your account, authenticate your identity.
- Assessment delivery -- present questions, record answers, calculate scores, enforce time limits and cooldown periods.
- Certificate generation -- issue certificates, generate verification tokens, and deliver Open Badges 2.0 credentials.
- Billing -- process payments, record purchases, apply discounts, and maintain financial records.
- Support -- respond to support cases and resolve issues.
- Platform improvement -- analyze usage patterns, identify technical issues, and improve our services.
- Security -- detect and prevent cheating, fraud, and unauthorized access.
- Organization features -- enable team management, assessment invitations, and results reporting for organization accounts.
We do not use your data for automated decision-making or profiling that produces legal effects.
5. Data Sharing
We do not sell your personal data. We share data only with the following categories of recipients:
| Recipient | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing for individual purchases and subscriptions | United States |
| Email service provider | Sending transactional emails (account verification, notifications, support) | EU / United States |
| Organization administrators | If you are invited via an organization, your assessment results and scores may be shared with the inviting organization | Varies |
| Certificate verifiers | When you share a verification token, the verifier can see your name, assessment, score, and completion date | Varies |
6. Cookies
We use a minimal set of cookies that are essential for the platform to function. We do not use any third-party tracking or advertising cookies.
For full details on the cookies we use, please see our Cookie Policy.
In summary, we use: a session cookie (tc_session), a persistent login cookie (remember_token), and Stripe checkout session cookies for payment processing.
7. Analytics
We use Umami Cloud for website analytics. Umami collects anonymized usage data including pages visited, referrer source, browser type, and country. Umami does not use cookies, does not track individual users across sites, and does not collect personally identifiable information.
Analytics data is processed and stored in the European Union. For more information, see Umami's privacy policy.
8. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data | Retained until you delete your account |
| Assessment results & certificates | Retained permanently (to maintain certificate verifiability) |
| Purchase records | Retained for 7 years after purchase (Swedish tax compliance requirements) |
| Support cases | Retained for 2 years after resolution |
| Technical logs (IP, browser) | Retained for 90 days |
| Session cookies | Deleted when browser session ends |
When you request account deletion, we will remove your personal data except where retention is required by law (e.g., financial records for tax purposes).
9. Your Rights (GDPR)
Under the General Data Protection Regulation, you have the following rights:
- Right of access (Art. 15) -- request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) -- request correction of inaccurate personal data.
- Right to erasure (Art. 17) -- request deletion of your personal data ("right to be forgotten").
- Right to data portability (Art. 20) -- request your data in a structured, commonly used, machine-readable format.
- Right to restriction (Art. 18) -- request that we limit the processing of your data.
- Right to object (Art. 21) -- object to processing based on legitimate interest.
- Right to withdraw consent (Art. 7(3)) -- withdraw consent at any time where processing is based on consent.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) at imy.se.
10. International Transfers
Some of our service providers are located outside the European Economic Area (EEA):
- Stripe (United States) -- processes payments under Standard Contractual Clauses (SCCs) and the EU-U.S. Data Privacy Framework.
- Email service (United States) -- transactional email delivery under Standard Contractual Clauses.
We ensure that all international transfers of personal data are protected by appropriate safeguards as required by the GDPR, including Standard Contractual Clauses approved by the European Commission.
11. Security Measures
We implement appropriate technical and organizational measures to protect your personal data, including:
- Password hashing -- all passwords are hashed using bcrypt.
- CSRF protection -- all forms are protected against cross-site request forgery attacks.
- Prepared statements -- all database queries use parameterized queries to prevent SQL injection.
- HTTPS -- all data in transit is encrypted via TLS.
- Secure sessions -- session cookies use Secure, HttpOnly, and SameSite attributes.
- Access controls -- role-based access to administrative functions.
While we take reasonable precautions, no system is completely secure. We encourage you to use a strong, unique password and keep your credentials confidential.
12. Children
TrueCert is not intended for children under 16 years of age. We do not knowingly collect personal data from anyone under 16. If we become aware that we have collected data from a child under 16 without parental consent, we will delete that data promptly. If you believe a child under 16 has provided us with personal data, please contact us at [email protected].
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page.
- Notify registered users by email for significant changes.
We encourage you to review this page periodically.
14. Contact & Data Protection
For any privacy-related questions, data access requests, or to exercise your GDPR rights, please contact us or email [email protected].
TrueCert is operated by idealy AB (org. nr 556880-7464), Saturnusvägen 70, 352 64 Växjö, Sweden.
You may also contact the Swedish data protection authority:
See also: Terms of Service · Cookie Policy