Last updated: March 27, 2026
1. Data Controller
Sertio AS (org. no. 937 286 643, Ulvenveien 123D, 0665 Oslo, Norway), operating the Sertio platform (sertio.no), is the data controller for personal data collected through this service.
Contact: martin@sertio.no
2. Personal Data We Collect
- Account information: Full name, email address, password (encrypted)
- Course data: Progress, answers, results, time spent
- Payment information: Transaction history (card data stored by Vipps MobilePay, not us)
- Certificate data: Certificate number, issue date, expiry date
- Technical data: IP address, browser type, device (for cookies)
- Communications: Emails and inquiries
3. Purpose of Processing
- Deliver the e-learning course and certification service
- Manage user accounts and authentication
- Process payments
- Issue and verify course certificates
- Comply with legal requirements (accounting, fire safety)
- Improve the service (anonymized analytics)
4. Legal Basis
- Contract (GDPR Art. 6(1)(b)): Necessary to provide the service
- Legal obligation (GDPR Art. 6(1)(c)): Accounting law, fire safety requirements
- Consent (GDPR Art. 6(1)(a)): Cookies, marketing
- Legitimate interest (GDPR Art. 6(1)(f)): Security, fraud prevention
5. Sharing of Personal Data
We share personal data with:
- Supabase (database and authentication) — EU-based
- Vipps MobilePay (payment processing) — PCI DSS certified
- Vercel (hosting) — DPA in place
- Twilio (SMS verification and certificate delivery) — US, EU SCCs
- Resend (transactional email) — US, EU SCCs
- Anthropic (AI tutor “Brann-Mads”) — US, EU SCCs
- Sentry (error monitoring and reliability) — US, EU SCCs
- Norwegian Fire Protection Association (certification data)
We never sell personal data to third parties.
6. Analytics and Insights
We use PostHog (EU-based, Frankfurt) for product analytics. PostHog collects:
- Page views and navigation (only with your consent via the cookie banner)
- Session recordings: Interactions on non-sensitive pages (never exam, identity verification, or certificate pages)
PostHog data is stored in the EU (Frankfurt) with a DPA (Data Processing Agreement) in place. You can withdraw consent at any time via the cookie settings.
7. Retention and Deletion
- Account information: As long as the account is active + 30 days after deletion
- Course data: 5 years after certificate expiry (legal documentation)
- Detailed learning data: Anonymized 2 years after certificate expiry
- Payment data: 5 years (accounting law)
- Certificate data: 10 years after issuance (fire safety requirements)
8. Your Rights
You have the right to:
- Access: See what data we have about you
- Rectification: Correct inaccurate information
- Erasure: Request deletion of your data (except legally required retention)
- Data portability: Export your data (available in the dashboard)
- Data export: Download all your data via /api/user/data-export
- Object: Object to processing based on legitimate interest
- Complaint: Complain to the Norwegian Data Protection Authority (datatilsynet.no)
9. Cookies
We use necessary cookies for authentication (Supabase Auth). Analytical cookies require your consent and can be declined via the cookie banner.
10. Security
We use industry-standard security measures: encrypted data transfer (TLS), encrypted passwords, Row Level Security in the database, and regular security reviews.
11. Changes
We may update this privacy policy. We will notify you of significant changes via email and/or in the service. Continued use after notification constitutes acceptance of the changes.