CPD Registry ("CPD Registry", "we", "us" or "our") respects your privacy and is committed to securing and protecting your personal data. This Privacy Policy describes how we collect, use, store, and share personal data when you use our website, tracking platform, and related services (collectively, the "Services").
1. Our Role: Data Controller vs. Data Processor
Depending on how you use our Services, our legal role under the General Data Protection Regulation (GDPR) differs:
- Individual Subscribers (B2C): If you sign up for an individual account on cpdregistry.app, CPD Registry is the Data Controller for the personal data, training logs, and completion certificates you upload.
- Firm / Team Accounts (B2B): If your employer (e.g., a law firm) purchases a team subscription, CPD Registry acts as the Data Processor under the terms of a Data Processing Agreement (DPA) executed with your employer.
2. The Data We Process
We collect and process the following categories of personal data:
- User Account Information: Full name, email address, profession (e.g., Advokat, Biträdande jurist), professional body membership year, and subscription status.
- Training Log Data: Course titles, educational providers, dates of training, training duration (hours), and training format (e.g., Teacher-led or E-learning).
- Certificate Files: Completion certificates (PDF, JPG, or PNG files) that you upload to verify your attendance.
- Billing & Transaction Data: Managed securely by our payment processor, Stripe. We do not collect or store your credit card details. We only receive confirmation of payment, billing email, subscription status, and billing country.
- Technical & Usage Data: IP address, browser type, device information, and anonymous usage logs collected to secure our IT systems.
3. Binding "No AI Training" Guarantee
We do not, and will never, use your training logs, course metadata, notes, or uploaded completion certificates to train artificial intelligence (AI) or machine learning models.
Your compliance data is processed solely to calculate your compliance status and generate your audit reports.
4. Purposes, Legal Bases, and Retention
We only process your personal data when we have a valid legal basis under Article 6 of the GDPR:
| Purpose of Processing | Categories of Personal Data | Legal Basis (GDPR) | Retention Period |
|---|---|---|---|
| To provide, maintain, and calculate your CPD compliance status | User Account, Training Log, and Certificate Files | Performance of a contract (Art. 6(1)(b)) | For the duration of your active subscription. |
| To securely process subscription payments | Billing & Transaction Data | Performance of a contract (Art. 6(1)(b)) | Handled by Stripe; transaction records kept for 7 years to comply with bookkeeping laws. |
| To secure our platform and prevent fraud | Technical & Usage Data, Account Info | Legitimate Interest (Art. 6(1)(f)) | Active use + 30 days. |
| To send automated compliance reminders (if enabled) | Email, Training Log | Performance of a contract (Art. 6(1)(b)) or Consent | Retained until you opt-out or close your account. |
| Account Deletion (Soft-Delete) | All account data | Performance of a contract (Art. 6(1)(b)) | Soft-deleted for 30 days, then permanently purged. |
5. Data Location and Sub-Processors
All personal data, database records, and uploaded certificates are stored exclusively within the European Union (EU).
To deliver our Services, we share limited personal data with the following trusted sub-processors, each bound by strict Data Processing Agreements (DPAs):
Database & Hosting
Processed within EU-central regions.
Certificate File Storage
Uploaded files are stored securely in Cloudflare R2 buckets located in Western Europe. Files are accessed only via time-limited, cryptographically signed URLs.
Payment Infrastructure
Processes billing and card data globally under strict PCI-DSS compliance and EU Standard Contractual Clauses (SCCs).
Email Delivery
Used to send magic links, billing receipts, and compliance reminders.
6. Your Rights Under the GDPR
As a European resident, you have the following rights regarding your personal data:
Right to Access (Data Portability)
You can request a complete copy of your personal data. We provide an "Export my data" tool in your settings that downloads all your training logs and records as a machine-readable JSON file.
Right to Rectification
You can edit your profile details, dates, and training records at any time.
Right to Erasure (To Be Forgotten)
You may delete your account at any time. Your data is soft-deleted for 30 days (to allow recovery in case of accidental deletion), after which all logs, database records, and certificates are permanently purged from our servers.
Right to Restrict or Object
You can opt-out of optional email reminders at any time via your Settings page.
Right to Lodge a Complaint
You have the right to lodge a complaint with your local supervisory authority (e.g., Integritetsskyddsmyndigheten (IMY) in Sweden).
7. Security Measures
We implement industry-standard technical and organizational security measures to protect your data, including:
- Encryption of all files at rest and in transit (SSL/TLS).
- Passwordless authentication via secure, one-time passwords (OTPs) to prevent credential theft.
- Strict backend access control: every database query is cryptographically verified against your authenticated session.
8. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us at: