Privacy Policy
Last updated: December 2025
This Privacy Policy explains how Ampliro AB (“Ampliro”, “we”, “our”, or “us”) collects, uses, discloses and protects personal data in connection with the Diplino platform and services available at diplino.com (the “Service”).
Ampliro AB is a company registered in Sweden (reg. no. 559488-1517), with its registered address at Warfvinges väg 31, 112 51 Stockholm, Sweden.
This Privacy Policy applies to:
- Individuals who create and use Diplino accounts (e.g. administrators, instructors, issuers),
- Individuals whose details appear on certificates or credentials issued via Diplino (e.g. course participants, employees),
- Visitors to our website and related web applications.
For California residents, please also see our separate California Privacy Notice.
1. Who Is Responsible for Your Data?
The role of Ampliro and your organisation can differ depending on how you interact with Diplino:
- Organisational customers (e.g. companies, training providers)
  When your organisation uses Diplino to issue certificates, your organisation is typically the data controller for certificate-related personal data. Ampliro acts as a data processor on behalf of your organisation, in accordance with our Data Processing Agreement (DPA).
- Platform users and website visitors
  For certain types of data (e.g. billing, account management, security logs, our own service analytics and communications), Ampliro acts as an independent data controller.
If you have been issued a certificate by an organisation using Diplino (for example, your employer or a training provider), that organisation is usually your primary point of contact for questions about how your data is used in relation to that certificate.
2. Information We Collect
The exact personal data we collect depends on how you use the Service, but it may include the following categories:
2.1 Account Information (Administrators, Instructors, Issuers)
When you or your organisation create an account to use Diplino, we may collect:
- Name
- Email address
- Password (stored in hashed form only)
- Organisation name and role (e.g. admin, instructor)
- Preferred language and settings
- Account activity and login timestamps
2.2 Certificate and Credential Data
When certificates or credentials are issued via Diplino, we may process:
- Name of the certificate recipient
- Email address of the recipient (if provided)
- Company/organisation name
- Job title or role (if included on the certificate)
- Course, training or programme information
- Issue and expiry dates
- Unique certificate identifiers and verification data
- Cryptographic signatures and hashes used to verify the authenticity of certificates
The extent and type of data included on a certificate is determined by the issuing organisation (the Controller).
2.3 Usage and Technical Data
When you visit diplino.com or use the Service, we automatically collect certain information, such as:
- IP address and approximate location (based on IP)
- Browser type and version, device type, operating system
- Referring URLs and pages viewed
- Date and time of access
- Log files and event data (e.g. login attempts, configuration changes)
- Information about how you interact with the Service (e.g. features used, clicks, navigation patterns)
This information helps us operate, secure and improve the Service.
We use Plausible Analytics to understand how visitors use our website and to improve our content, structure, performance, and user experience. Plausible Analytics provides privacy-friendly, aggregated website statistics, such as page views, traffic sources, popular pages, device type, browser, country, and general usage patterns.
Plausible Analytics does not use cookies and does not track visitors across different websites. We use this information to evaluate and improve our website and services based on our legitimate interest in maintaining and improving our digital presence.
2.4 Communication and Support Data
If you contact us (for example via email or support channels), we may process:
- Name and contact details
- Organisation and role
- Content of your message and any follow-up
- Metadata relating to support cases (e.g. timestamps, status)
2.5 Payment and Billing Information
If you purchase a paid subscription:
- We may collect billing contact details (name, email, organisation, address).
- Payments are processed by third-party payment providers (e.g. card processors). We do not store full payment card numbers in Diplino. Limited transaction identifiers and status information may be retained for invoicing and accounting.
We do not intentionally collect sensitive personal data (e.g. health information, special categories of data) through Diplino and ask customers not to upload such data to the Service.
3. How We Use Your Information
We use personal data for the following purposes and under the legal bases set out in the GDPR:
3.1 To Provide and Operate the Service
(Legal basis: Performance of a contract, Article 6(1)(b); Legitimate interests, Article 6(1)(f).)
- Creating and managing user accounts and organisations.
- Issuing, storing and managing certificates and credentials.
- Providing certificate verification functionality.
- Enabling role-based access and organisation-level administration.
3.2 To Communicate with You
(Legal basis: Performance of a contract; Legitimate interests.)
- Sending important service-related messages (e.g. account notices, security alerts, operational updates).
- Responding to support requests, inquiries and feedback.
- Providing onboarding and information relevant to your use of Diplino.
We may also send optional product updates or informational emails. Where required by law, we will ask for your consent and you can opt out at any time.
3.3 To Maintain Security and Prevent Abuse
(Legal basis: Legitimate interests; Legal obligations.)
- Protecting accounts against unauthorised access and abuse.
- Implementing rate limiting and brute-force protection.
- Monitoring and logging access to detect suspicious activity.
- Responding to and investigating security incidents.
3.4 To Improve and Develop the Service
(Legal basis: Legitimate interests.)
- Analysing usage patterns and performance to enhance stability and usability.
- Developing new features and improving existing functionality.
- Aggregating and anonymising data for internal statistics and product development.
3.5 To Comply with Legal and Regulatory Obligations
(Legal basis: Legal obligations, Article 6(1)(c).)
- Accounting, tax and corporate record-keeping.
- Responding to lawful requests from public authorities.
- Enforcing our Terms of Service and other legal rights.
Where we rely on consent (e.g. certain cookies or marketing communications, where required), you can withdraw your consent at any time using the mechanisms described in this policy or in the relevant interface.
4. Cookies and Similar Technologies
We use cookies and similar technologies to operate and secure the Service, remember your preferences and understand how our site is used. For detailed information about the types of cookies we use and your choices, please refer to our separate Cookie Policy.
5. How We Share Your Information
We do not sell your personal data.
We may share personal data in the following limited circumstances:
5.1 Service Providers (Sub-processors)
We engage carefully selected third-party service providers to help us operate Diplino, such as:
- Hosting and cloud infrastructure providers
- Authentication and database providers (e.g. Supabase)
- Security and CAPTCHA/anti-abuse providers (e.g. Cloudflare Turnstile)
- Payment processors and billing platforms
- Logging, monitoring and support tools
These providers act as processors or sub-processors and may only process personal data on our documented instructions, for the purposes we specify, and under contractual obligations that ensure appropriate data protection and security.
A current list of core sub-processors is maintained in our Subprocessor List.
5.2 Your Organisation and Other Users
If you use Diplino as part of an organisation:
- Other authorised users within that organisation (e.g. administrators, instructors) may see your name, email address and role within the organisation’s Diplino environment.
- When a certificate is issued, certain information (e.g. your name, certificate details) may be visible to:
  - The issuing organisation,
  - You as the recipient, and
  - Third parties who verify the certificate, depending on the organisation’s configuration.
5.3 Professional Advisers and Authorities
We may disclose personal data to:
- Professional advisers (e.g. lawyers, accountants) where necessary for legitimate business purposes.
- Law enforcement, regulators or courts where we are legally required to do so or where disclosure is necessary to protect our rights, property or safety, or that of our users or third parties.
5.4 Business Transfers
In the event of a merger, acquisition, restructuring or sale of all or part of our business, personal data may be transferred as part of that transaction. We will ensure that any such recipient is bound by appropriate confidentiality and data protection obligations.
6. International Transfers
We are based in Sweden, and many of our systems are hosted within the EU/EEA. Some of our service providers may process personal data in countries outside the EU/EEA or the UK.
When personal data is transferred to a country that does not provide an adequate level of data protection, we implement appropriate safeguards, such as:
- The European Commission’s Standard Contractual Clauses (SCCs), and/or
- Equivalent transfer mechanisms recognised under applicable data protection laws.
You can contact us for further information about the specific transfer mechanisms we rely upon.
7. Data Security
We take security very seriously and implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, misuse or alteration. These measures include, among others:
- Encryption
  - Encryption of data in transit (e.g. TLS 1.3 or equivalent).
  - Encryption of data at rest in databases and storage systems.
  - Use of Ed25519 cryptographic signatures for certificate integrity and verification.
- Access Control
  - Role-based access control (RBAC) and least-privilege principles.
  - Strong authentication for administrative access.
  - Segregation between environments (e.g. development, staging, production).
- Monitoring and Logging
  - Audit logging of relevant account and certificate-related actions.
  - Rate limiting and brute-force protection mechanisms.
  - Monitoring systems for unusual or suspicious activity.
- Organisational Measures
  - Confidentiality obligations for staff and contractors.
  - Security and privacy training for relevant personnel.
  - Internal policies for incident response, data handling and retention.
While we strive to protect your personal data using industry-standard practices, no system can be guaranteed to be 100% secure. We continually improve our security controls in line with best practices and evolving threats.
8. Data Retention
We retain personal data only for as long as necessary for the purposes described in this Policy or as required by law. In general:
- Account and organisation data
  Retained for the lifetime of the account and for a reasonable period thereafter (e.g. for backup, dispute resolution and compliance purposes).
- Certificate and credential data
  Typically retained for the duration that certificates may need to be verified, which is linked to the lifetime of your organisation’s use of Diplino and any applicable legal or contractual requirements. The exact retention periods are determined by the issuing organisation and our agreements with them.
- Audit logs
  Retained for approximately 90 days, unless a longer period is required for security, incident investigation, legal or compliance reasons.
- Rate limiting and security event data
  Retained for approximately 7 days, unless needed longer to investigate or mitigate suspicious activity.
We may retain anonymised or aggregated data (which cannot be used to identify an individual) for longer periods for statistical and analytical purposes.
9. Your Rights Under GDPR and Other Laws
If you are in the EU/EEA, the UK or a similar jurisdiction, you have certain rights in relation to your personal data under applicable data protection laws, including:
- Right of Access
  To obtain confirmation whether we process your personal data and, if so, access to that data and certain information.
- Right to Rectification
  To have inaccurate or incomplete personal data corrected or completed.
- Right to Erasure (“Right to be Forgotten”)
  To request deletion of your personal data in certain circumstances, for example where it is no longer necessary for the purposes for which it was collected.
- Right to Restrict Processing
  To request that we restrict the processing of your personal data in certain situations.
- Right to Data Portability
  To receive personal data you provided to us in a structured, commonly used and machine-readable format, and to transmit that data to another controller where technically feasible.
- Right to Object
  To object, on grounds relating to your particular situation, to processing based on our legitimate interests (including profiling). You also have the right to object at any time to the processing of your personal data for direct marketing.
- Right to Withdraw Consent
  Where we rely on consent, you can withdraw that consent at any time. This will not affect the lawfulness of processing based on consent before its withdrawal.
Exercising Your Rights
If you are an administrator or user of Diplino, you may be able to access and update some of your personal data directly in your account settings.
Otherwise, or if you are a certificate recipient, you can exercise your rights by contacting:
- Your organisation (the issuer of the certificate), where they act as controller; and/or
- Ampliro, using the contact details in Section 11.
We will respond to your request in accordance with applicable laws and, where necessary, in cooperation with your organisation.
Complaints
You also have the right to lodge a complaint with a data protection authority. In Sweden, this is:
Integritetsskyddsmyndigheten (IMY)
www.imy.se
You may also contact the supervisory authority in your country of residence or place of work.
10. Third-Party Services
We rely on third-party services to operate Diplino, such as:
- Supabase – authentication, database and backend infrastructure.
- Cloudflare Turnstile – security and anti-abuse (CAPTCHA-like) functionality.
- Payment processors – to handle subscription payments and billing.
- Other hosting, logging and monitoring providers as listed in our Subprocessor List.
These providers process personal data only for the purposes specified by Ampliro and under contract. Their own privacy policies may also apply when they act as independent controllers for certain activities (for example, payment processing).
We encourage you to review the privacy policies of these third parties for more details about their data handling practices.
11. Children’s Privacy
The Service is not directed to children under the age of 16, and we do not knowingly collect personal data directly from children under 16 without appropriate consent from a parent, guardian, or responsible organisation (such as a school or training provider).
If you believe that we have collected personal data from a child in a way that is not compliant with applicable laws, please contact us, and we will take appropriate steps to investigate and, if necessary, delete the data.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in:
- Our Service or business practices,
- The third-party services we use, or
- Applicable legal or regulatory requirements.
When we make material changes, we will update the “Last updated” date at the top of this page and may provide additional notice (for example, via the Service or by email, where appropriate).
We encourage you to review this Privacy Policy periodically to stay informed about how we process personal data.
13. Contact Us
If you have any questions about this Privacy Policy, our data practices, or your rights, you can contact us at:
- Email: privacy@diplino.com
- Postal Address:
Ampliro AB
Attn: Privacy / Diplino
Warfvinges väg 31
112 51 Stockholm
Sweden