DRAFT — pending legal counsel review
This page contains placeholder text and is not yet legally binding. It is awaiting review and approval by legal counsel before it takes effect.
Privacy Policy
This Privacy Policy explains how personal data is collected and processed when you register for and attend courses administered through Kursio. It covers what data we process, why, how long we keep it, who it is shared with, and the rights you have.
Controller and processor
The course organizer — the customer organization running the course — is the data controller and decides why and how your personal data is processed. Kursio is the data processor and processes your data only on the organizer's documented instructions.
What data we process
Depending on the course, we process your name, email address, telephone number, employer, and billing details. For licensed medical professionals we also process your professional license number, specialty, and course attendance. We process evaluation responses and any other information you enter in the registration form.
Lawful bases
We process your data to perform the registration agreement (Art. 6(1)(b) GDPR). For medical license numbers, specialty, and attendance we rely on Art. 9(2)(h) GDPR — processing necessary for the purposes of occupational medicine and the assessment of professional competence. Optional uses such as marketing rely on your consent (Art. 6(1)(a) GDPR).
How long we keep your data
Operational registration data is retained for up to 730 days. Documentation evidencing continuing medical education (CME/CPD) is retained for up to 2555 days (about seven years) to support accreditation audits. Invoice data is retained for seven years as required by the Swedish Bookkeeping Act (bokföringslagen) and cannot be erased before that period ends.
Recipients and sub-processors
We share data with the sub-processors that operate our service: Supabase (database and authentication), Resend (email delivery), Stripe (payments), Vercel (hosting), and Sentry (error monitoring). A current sub-processor list is published on our Data Processing Agreement page.
Your rights
You have the right to access, rectify, erase, restrict, and port your personal data, and to object to processing and withdraw consent at any time. To exercise any of these rights, contact the course organizer or us using the details below. Self-service tools for some of these rights are being rolled out.
Supervisory authority
If you believe your data is processed unlawfully you may lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsmyndigheten, IMY), the supervisory authority for Sweden.
Contact
For privacy questions, contact us at info@kursregistrering.se.