
Privacy policy

We process as little personal data as possible, store everything in the EU, and give you full control over your profile.

Last updated: May 24, 2026

1. Who is the data controller?

LexiCo AS (registration pending) is the data controller for personal data collected through Lexico Academy. Privacy enquiries go to the contact under § 12.

2. What data do we collect?

We limit ourselves to what is necessary to deliver the training, issue certificates, and improve the service.

  • Contact information

    Name, email address, optional phone number, and city — used for sign-in, training notifications, and certificate issuance.

  • Profile data

    Optionally provided education, work experience, and skills — used for personalised learning recommendations and competence presentations.

  • Training data

    Enrolments, lesson progress, quiz results, and TSP-verified certificates.

  • Usage data

    Anonymised telemetry (page views, error rates) to detect issues and improve the experience — no cross-site tracking.

3. What we do NOT store

We minimise our data footprint. The following categories never enter our database:

  • National identification numbers
  • Bank account or card details (payments handled by Stripe)
  • Health data or other sensitive personal information
  • Full street address (only city is recorded)
  • Plain-text passwords — only modern hashes (ASP.NET Identity, PBKDF2)
  • Biometric data or behavioural profiling

4. Purpose of processing

We use the data to:

  • Deliver compliance training and track your progress through modules and lessons.
  • Issue TSP-signed certificates when you complete a learning track.
  • Notify you of important regulatory changes that affect training and certificates.
  • Improve the service based on anonymised usage data.

5. Legal basis

Processing is based primarily on consent (GDPR art. 6(1)(a)) provided at registration, and on contract (art. 6(1)(b)) for delivery of training and certificates. For corporate customers, the basis may also be legitimate interest (art. 6(1)(f)) for compliance reporting.

6. Your rights

Under GDPR you have the right to:

  • Access the data we hold about you.
  • Rectify data that is incorrect or outdated.
  • Erase all your data ("the right to be forgotten").
  • Export your data in a machine-readable format.
  • Withdraw consent at any time, without affecting the lawfulness of prior processing.
  • Complain to the Norwegian Data Protection Authority if you believe we mishandle data.

7. Information security

We protect data with TLS in transit, AES encryption for sensitive fields at rest, role-based access control, and audit logging of administrative actions. Certificates are hash-chained via TSP for tamper-evidence.

8. Storage and location

All persistent data is stored on servers within the EU/EEA — there is no transfer to the United States or other third countries. Backups are encrypted and also stored within the EU. We adhere to the principle of EU sovereignty.

Retention

Accounts are deleted 30 days after the user's request. Certificates and TSP evidence are retained for 10 years for verifiability. Anonymised telemetry is aggregated after 90 days.

9. Third parties and sub-processors

We use a minimum of sub-processors. All have a data processing agreement (DPA) and operate within the EU/EEA:

  • Stripe: payment processing (EU instance, no card data stored with us).
  • Resend: transactional email from Lexico Academy.
  • Brevo: SMS notifications when the service needs to send short alerts.
  • Hetzner (Germany / Finland): hosting of application and database within the EU/EEA.

10. Cookies

We use only strictly necessary cookies — a session cookie for sign-in and a CSRF token. We set no tracking cookies, no third-party scripts like Google Analytics, and no advertising tracking.

11. Changes to this policy

We may update this policy as the service or regulations evolve. Material changes are communicated by email to registered users at least 30 days before they take effect.

12. Contact

Have questions about privacy or want to exercise your rights? Contact our data protection officer:

Privacy email: privacy@lexico.no

Supervisory authority: Norwegian Data Protection Authority (datatilsynet.no)
