Privacy Policy
Last updated: April 2026
1. Who we are
good-trials (sole trader) operates the website https://good-trials.ch (the “Service”). We are the data controller responsible for your personal data. For data protection enquiries, contact: [email protected]
2. Applicable law
This policy is governed by the Swiss Federal Act on Data Protection (nDSG), which entered into force on 1 September 2023. Where the European Union’s General Data Protection Regulation (GDPR) applies to residents of EU/EEA member states, we comply with its requirements as well. References to “applicable data protection law” mean whichever of these instruments applies to you.
3. Data we collect and why
| Category | Data | Purpose & legal basis |
|---|---|---|
| Account | Name, email, hashed password | Authentication and account management. Basis: contract performance (nDSG Art. 31 para. 2 lit. b). |
| Progress | Module completions, quiz scores, timestamps | Enabling the learning experience and certificate issuance. Basis: contract performance. |
| Certificate | Name, score, date, course level | Issuing and verifying your credential. Public verification endpoint contains only name, score, and date. Basis: contract performance. |
| Payment | Transaction ID, payment status (Stripe) | We do not store card details; Stripe processes and stores payment data under its own privacy policy. We receive only payment confirmation. Basis: contract performance & legal obligation. |
| Email logs | Email delivery metadata (Resend) | Transactional emails (welcome, certificate). Basis: contract performance. |
| Server logs | IP addresses, request timestamps, browser type | Security, fraud prevention, and debugging. Retained for 30 days. Basis: legitimate interest. |
4. How we use your data
We use your data only for the purposes described above. We do not:
- Sell, rent, or trade your personal data to third parties
- Use your data for advertising or profiling
- Process your data for purposes incompatible with those stated above
5. Third-party processors
We share data with the following processors under data processing agreements:
- Vercel — hosting and edge network (USA; EU Standard Contractual Clauses apply)
- Stripe — payment processing (USA/Ireland; SCCs apply)
- Resend — transactional email delivery (USA; SCCs apply)
- Neon / Supabase — PostgreSQL database (EU region)
6. Certificate verification (public endpoint)
The URL https://good-trials.ch/api/certificate/verify/[id] is publicly accessible without authentication. It returns your name, final score, date of issue, and course level — to enable third-party verification of your credential. By completing the course and accepting the certificate, you consent to this limited public disclosure. You may request removal of the public endpoint at any time by contacting us; this will invalidate your certificate for third-party verification purposes.
7. Data retention
- Account and progress data: retained while your account is active and for 3 years after last login
- Certificate data: retained indefinitely while the certificate is valid
- Payment records: retained for 10 years per Swiss accounting obligations (OR Art. 958)
- Server logs: 30 days
8. Your rights
Under the nDSG (and GDPR where applicable) you have the right to:
- Access — receive a copy of the personal data we hold about you
- Correction — have inaccurate data corrected
- Deletion — request erasure of your data (subject to retention obligations above)
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interest
- Complaint — lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC) at www.edoeb.admin.ch
To exercise any of these rights, email [email protected]. We will respond within 30 days.
9. Cookies and tracking
We use one session cookie (next-auth.session-token) for authentication. We do not use analytics cookies, advertising cookies, or third-party tracking scripts. No cookie consent banner is required for a strictly necessary session cookie under Swiss law.
10. Security
Passwords are hashed using bcrypt (cost factor 12) and are never stored in plaintext. All data in transit is encrypted via TLS 1.3. Database access is restricted to application-level credentials that follow the principle of least privilege.
11. Changes to this policy
We may update this policy when required by changes in the law or our practices. Material changes will be communicated by email to registered users before taking effect. The “Last updated” date at the top of this page indicates when the current version was published.
Questions? Contact [email protected]