Privacy Policy

Version 1.0 · Last updated 19 May 2026

1. Who we are

The data controller is AML Certification Centre OÜ (referred to here as AML Certification Centre, we, us and our).

Registered nameAML Certification Centre OÜ
Legal formOsaühing (Estonian private limited company)
Business register code16718573
VAT numberEE102618918
Registered officeLõõtsa tn 2a, 11415 Tallinn, Estonia
EMTAK activity code85599 — Other education not elsewhere classified
Privacy contact[email protected]
General contact[email protected]

We have not appointed a Data Protection Officer because we are not legally required to do so under GDPR Art. 37 — we do not carry out large-scale, regular and systematic monitoring of data subjects, and we do not process special categories of data on a large scale. Data-protection responsibilities are held by the company's management board. Privacy questions, data-subject-rights requests and breach reports should be sent to [email protected].

Our supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, AKI). You have the right to lodge a complaint with AKI at any time: https://www.aki.ee/en.

2. Scope

This policy covers personal data we process when you:

  • visit our public marketing pages or open a public certificate URL;
  • create an account on the AML Certification Centre Learning Platform (the Platform);
  • enrol in a training programme either directly or via your employer or another procurement channel;
  • complete learning activities, assessments and capstone simulators;
  • attend or watch a recording of an AML Certification Centre webinar;
  • contact us by email or through the in-platform support flow.

We are the controller for all the processing described below. Where another party (your employer, an awarding body, etc.) provides personal data about you, we process it on your behalf as your direct relationship with us — but bear in mind that the originating party remains responsible for the data it transferred to us.

3. What personal data we collect

3.1 Account and profile

  • Mandatory account fields: full name, email address, role, workspace (CASS / FIAR), password (stored only as a salted bcrypt hash, never as the original password).
  • Optional profile fields: phone number, country, job title, company, profile photo.
  • MFA-related secrets: an encrypted TOTP shared secret and bcrypt-hashed one-time recovery codes (only created when you enable two-factor authentication).
  • Account-status flags: active flag, email-verified flag, MFA-enabled flag.
  • Terms-and-privacy acceptance: timestamp and version of the Terms and this Policy you accepted.

3.2 Learning records (the bulk of what we process)

  • Enrolments — programme, status, source, commitment date and acknowledgements you made at programme kickoff (including IP address and user-agent captured at the moment of acceptance, as evidence).
  • Submodule + block progress — content blocks you have viewed, percentage completed, time spent, completion and heartbeat timestamps.
  • Video-watch telemetry — per-video seconds watched, furthest position reached, last position (for resume), completion flag.
  • Assessment submissions — per-question answers, per-question grades and feedback, overall score, pass/fail outcome, attempt number, file uploads, and an anti-cheat event log for final exams (see §10).
  • Simulator attempts — score, percentage, pass/fail, per-skill breakdown, time spent, attempt number, completion timestamp.
  • Webinar registrations + recording views — attendance status, attended-at, left-at, total minutes attended, seconds watched of recordings, completion flags.
  • Learner notes and highlights — notes you write on any submodule, text you highlight (with surrounding context), colour, and any note you attach.
  • Skill scores — per-skill computed score, contributing evidence counts, last-updated timestamp.
  • Achievements and streaks — earned achievements, in-flight progress, daily-activity rollup, current and longest streak.
  • Notifications — title, body and link of every in-platform notification, plus your per-type email/in-app preferences.

3.3 Security and audit

  • Login events — every authentication attempt with email, outcome, IP address, user-agent and timestamp.
  • Audit log (admin actions only) — action, actor, entity, before/after snapshot, IP address, user-agent.
  • Security emails — when you change your password we send a security alert email that includes the IP and a user-agent fingerprint so you can spot unauthorised access.

3.4 What we do not collect

  • No payment-card data. Payments are processed by Stripe; we never see or store your card number.
  • No special categories of personal data (health, ethnicity, religion, sexual orientation, etc.).
  • No automatic geolocation, device fingerprinting, advertising identifiers, or cross-site tracking identifiers.
  • No analytics, advertising or behavioural-marketing pixels. The Platform sets only essential cookies — see the Cookie Policy.

4. Why we process your data, and our lawful basis

For each purpose below, the lawful basis is the GDPR Art. 6(1) ground we rely on.

PurposeLawful basis
Creating and maintaining your account; authenticating youContract — Art. 6(1)(b)
Recording progress, grading assessments, awarding skill scores, issuing certificatesContract — Art. 6(1)(b)
Issuing accredited certificates and reporting CPD evidence to the CPD Standards OfficeContract + legitimate interest — Art. 6(1)(b) and (f)
Anti-cheat event logging on final examinations (see §10)Legitimate interest — Art. 6(1)(f), balanced against the limited intrusiveness
Transactional emails (password changes, grades, certificates, webinar reminders)Contract — Art. 6(1)(b)
Marketing emails about new programmes and AML Certification Centre newsConsent — Art. 6(1)(a), collected via a separate, unticked-by-default checkbox at registration. Withdraw at any time via the unsubscribe link or by writing to [email protected].
Security — detecting unusual logins, investigating abuse, auditing admin actionsLegitimate interest — Art. 6(1)(f)
Retention obligations under CPD Standards Office accreditation, Estonian accounting law (Raamatupidamise seadus) and tax law (Maksukorralduse seadus)Legal obligation + legitimate interest — Art. 6(1)(c) and (f)

We do not rely on consent for anything other than marketing communications and any cookie that is not strictly necessary (and at the time of writing, no non-essential cookie is set).

4.1 Children

The Platform is not directed at children. You must be at least 16 years old (or the age of digital consent in your country, whichever is lower) to register. If we learn that we hold data on a child below that age, we will delete it without delay.

5. Who we share your data with — sub-processors

We do not sell, rent or trade your personal data. We share data only with the sub-processors listed in our public sub-processor register at /legal/sub-processors, all of whom are contractually bound by data-processing agreements that meet GDPR Art. 28 requirements.

In summary, your data is shared with:

  • Cloud infrastructure: Neon (EU — Frankfurt) for the primary database, Cloudflare R2 (EU primary, global edge) for file storage, Railway (EU region) for Redis and worker hosting.
  • Email delivery: Resend (US) as the primary transactional email provider, with Postmark (US) as fallback.
  • Marketing email: MailerLite (EU — Lithuania) for newsletters and announcements (only if you opted in).
  • Payments: Stripe (EU — Ireland for European customers) for purchase processing.
  • Live webinars: Zoom (US, with EU data-region routing where available).
  • Video hosting: Vimeo (US) for course videos and webinar recordings.
  • First-party certificate platform: credentials.amlcertification.com, operated by AML Certification Centre OÜ itself.

Each entry in the sub-processor register tells you what data is sent, why, and where it is hosted.

We do not share your data with marketing networks, advertising platforms, data brokers or any party not listed in that register.

6. International transfers

We are an EU controller; our primary infrastructure (database, Redis, file storage) is in the European Union. Where personal data is transferred to a sub-processor in the United States (Resend, Postmark, Zoom, Vimeo, Stripe US accounts where applicable), the transfer is protected by:

  • the EU-US Data Privacy Framework (DPF) where the recipient is self-certified under it; and/or
  • Standard Contractual Clauses (SCCs) — Commission Implementing Decision (EU) 2021/914 — together with appropriate supplementary measures (encryption in transit, encryption at rest where the sub-processor offers it, restricted-access keys).

You can request a copy of the SCCs in place with any specific sub-processor by writing to [email protected].

7. How long we keep your data — retention

We keep personal data only for as long as we need it to provide the service, comply with legal obligations, or defend our legitimate interests.

Data categoryRetention period
Account and profile dataUntil you request deletion. We then anonymise your record within 30 days (see §8.5).
Enrolments, submissions, simulator attempts, skill scores, certificates issued7 years from the end of the enrolment, retained against your anonymised user record once the account is deleted. Reflects the auditability requirement under CPD Standards Office accreditation and standard practice for AML training records.
Issued certificates and their public verification pageIndefinite, linked to the anonymised user reference. A certificate's value depends on it being verifiable forever.
Webinar attendance and recording-view logs7 years where the webinar counts towards a CPD-awarded record; otherwise 2 years.
Audit log and login-event records2 years, then deleted.
Marketing-consent recordsUntil you withdraw consent, then 3 years thereafter (proof of prior consent).
Stripe payment recordsWe retain only the customer reference and invoice metadata; Stripe holds full transaction history under its own schedule. Estonian accounting law (Raamatupidamise seadus §12(2)) requires us to retain accounting records for 7 years from the end of the financial year.
Database backupsUp to 30 days, per our infrastructure provider's point-in-time-recovery configuration. A deletion request executed against the live database will propagate to backups within 30 days.
CookiesSee the Cookie Policy.

After retention, we delete or irreversibly anonymise the data. We do not retain personal data "just in case".

8. Your rights

Under GDPR you have the following rights. You can exercise them at any time by writing to [email protected]. We aim to respond within one calendar month (Art. 12(3) allows up to three months for complex requests; we will tell you if we need that extension).

8.1 Right of access (Art. 15)

You can request a copy of the personal data we hold about you by emailing [email protected] from the email address on your account. We respond within one calendar month with a structured export (JSON or PDF on request) containing your account, enrolments, progress, submissions, simulator attempts, notes, highlights, skill scores, achievements, webinar registrations, recording views, notifications and login-event history. A self-service one-click export is on our roadmap; until then, the email route is the canonical path.

8.2 Right to rectification (Art. 16)

You can correct any inaccurate or incomplete personal data we hold. Most profile fields are directly editable at /profile. Where a field is not user-editable, email [email protected].

8.3 Right to erasure (Art. 17)

You can ask us to delete your personal data through the in-app "Delete my account" flow at /profile, or by writing to [email protected].

Where we are required to keep an attainment record by accreditation or by law (see §7), we will anonymise rather than hard-delete that record — your name, email and contact data are removed, but the pseudonymised performance record remains so the integrity of a certificate we issued can later be verified. We explain exactly what survives anonymisation in §8.5 below.

8.4 Right to restrict processing, right to object, right to data portability

  • Restriction (Art. 18) — you can ask us to suspend processing pending the resolution of a complaint.
  • Objection (Art. 21) — you can object at any time to processing based on our legitimate interests. We will stop unless we can demonstrate compelling legitimate grounds that override your interests.
  • Portability (Art. 20) — the JSON export in §8.1 is also the portability format.

8.5 What account deletion looks like in practice

When you delete your account (or we delete it on your request) we anonymise rather than hard-delete. Specifically:

  • We replace your email with <uuid>@deleted.invalid, your full_name with [deleted], and we null out your phone, country, job title, company, profile photo, password hash, MFA secret and recovery codes.
  • We disable your account and immediately invalidate every active session.
  • We retain the pseudonymised attainment record for the period specified in §7. These records no longer identify you as an identifiable natural person; they describe what user 42a9-…-3b1 did.

If you require a hard delete because none of the legal-obligation or legitimate-interest grounds in §4 apply to your account (for example, you never completed a programme and we are not required to keep an attainment record), tell us in your deletion request and we will action it.

8.6 Right to withdraw consent (Art. 7(3))

Where we rely on consent (marketing emails, any future non-essential cookie), you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

8.7 Right to lodge a complaint (Art. 77)

You can complain to the Estonian Data Protection Inspectorate:

You may also complain to your local supervisory authority if you live outside Estonia.

9. Automated decision-making and profiling

The Platform makes a number of automated decisions that affect what you can do or what you receive:

  • Assessment grading. Multiple-choice and scenario-based questions are graded automatically against the model answer. Document-analysis and practical-exercise questions are graded manually by a qualified assessor.
  • Pass/fail outcomes on assessments and simulators are computed against a published pass threshold (typically 70%).
  • Skill scoring. We compute a per-skill score from your evidence with a decay half-life so older evidence weighs less.
  • Achievement and streak rules automatically grant badges and track daily-activity streaks.
  • Anti-cheat event log on final exams (see §10).
  • Certificate-issue gate. You can self-issue a certificate only when our system computes that you have reached 100% completion of the relevant programme.

These decisions are deterministic, transparent and based on rules published in the Platform itself. They do not rely on machine-learning models or third-party scoring services. If you believe a decision has been made incorrectly, you can ask for it to be reviewed by writing to [email protected] — under GDPR Art. 22 you have the right to obtain human intervention, express your point of view and contest the decision.

10. Anti-cheat logging on final examinations

When you sit a final examination on the Platform, we record certain behavioural events while you are taking the exam:

  • tab switch — when you change tabs in your browser
  • window blur — when the exam window loses focus
  • paste — when you paste text into a free-text answer (we record the character count, not the text itself; the text itself is recorded as part of your answer)
  • fullscreen exit — when you leave fullscreen mode after entering it
  • devtools open — when developer tools are detected

Each event is stored against your submission with an ISO timestamp and the question you were on. We capture these events for one reason only: to allow a human reviewer to determine whether a submission shows credible evidence of cheating in a way that would invalidate a certificate we have issued. The data is not used to automatically disqualify any submission. Lawful basis: legitimate interest (Art. 6(1)(f)) in protecting the integrity of accredited certificates. You will see a clear notice on the pre-exam consent screen before this logging begins.

If you do not wish your behaviour during a final exam to be logged in this way, you can choose not to sit the final exam; however, you will not be able to obtain the accredited certificate in that programme.

11. Cookies and similar technologies

We set only essential cookies that are strictly necessary for the Platform to work (authentication and CSRF protection). We do not set analytics, marketing or tracking cookies of our own. Embedded video players (Vimeo) and webinar widgets (Zoom) may set their own cookies on their own domains when you interact with them.

Full details, including names, durations and purposes of every cookie and local-storage item, are in the Cookie Policy.

12. Security

We take appropriate technical and organisational measures to protect your data, including:

  • TLS 1.2+ on all client-server connections; HSTS preload and modern Content-Security-Policy headers on the application.
  • Password storage as bcrypt hashes with a current work factor of 12.
  • Multi-factor authentication available for every account; required for administrator and assessor accounts.
  • Encrypted-at-rest storage of TOTP secrets and full-disk encryption on hosting infrastructure.
  • Audit logging of all administrator actions, including IP and user-agent.
  • Rate-limiting on authentication endpoints; automatic invalidation of all sessions on credential change.
  • Sub-processors selected for their own security posture; data-processing agreements in place with each.
  • Annual security review of dependencies, infrastructure and access controls.

We notify the Estonian Data Protection Inspectorate within 72 hours of becoming aware of any personal-data breach that is likely to result in a risk to your rights and freedoms (GDPR Art. 33), and notify affected data subjects directly where the risk is high (Art. 34).

13. Changes to this policy

We may update this policy from time to time — for example when we add a new sub-processor or feature. When we make a substantive change we will:

  • update the version number and last-updated date at the top;
  • post an in-platform banner asking you to re-acknowledge the new version on your next sign-in;
  • if you have marketing consent on file, also email you to highlight what changed.

Non-substantive changes (typos, clearer wording) will not trigger a banner but will still be reflected in the last-updated date. A full history of versions is available on request.

14. Contact

Privacy, data-subject rights, data-breach reports[email protected]
General customer support[email protected]
Supervisory authorityEstonian Data Protection Inspectorate

We use only essential cookies — for sign-in sessions and your theme preference. No analytics, no marketing trackers. See the cookie policy for full details.