Legal
Privacy Policy
Last updated: 10 July 2026
This page is maintained by the app owner to explain how personal data is handled on amltrainingspain.com. It is intended to help users understand their rights under the EU General Data Protection Regulation (GDPR, Regulation 2016/679) and the Spanish LOPDGDD (Ley Orgánica 3/2018). It is not legal advice.
1. Data controller
The data controller for personal data processed through amltrainingspain.com is Ai Risk Intelligence AS, trading under the brand CostaAML Compliance. Contact: ah@costaaml.com.
2. What personal data we collect
- Training account data: firm name, agent name, email address, user type and (if provided) related professional details.
- Training activity: module progress, self-test answers, quiz score, pass/fail status, completion timestamp and certificate identifier.
- Contact form submissions: the name, email, firm and message you send us through the contact form.
- Technical data: minimal server logs (IP address, user-agent, request path, timestamp) generated by the hosting provider for security and abuse prevention.
We do not knowingly collect special categories of personal data, and the service is not directed at children.
3. Purposes and legal bases
- Delivering the training and issuing certificates — performance of a contract (Art. 6(1)(b) GDPR).
- Notifying your firm's AML officer of completion — legitimate interest of the firm and the participant in demonstrating compliance with the annual training obligation under Art. 29 of Ley 10/2010 (Art. 6(1)(f) GDPR).
- Responding to contact-form enquiries — legitimate interest in answering user requests (Art. 6(1)(f) GDPR).
- Security, fraud prevention and service reliability — legitimate interest (Art. 6(1)(f) GDPR).
- Complying with legal obligations (e.g. accounting, responding to lawful requests from authorities) — Art. 6(1)(c) GDPR.
4. Recipients and processors
We share personal data only with processors acting on our instructions and under written data-processing terms:
- Hosting and backend infrastructure — Lovable and its sub-processors (including Cloudflare and Supabase) provide the application hosting, database, authentication and file storage.
- Transactional email — the email provider used to deliver completion notifications and contact-form messages to ah@costaaml.com.
- AI evaluation of the self-test — the free 2-minute self-test sends the answers you type to the Lovable AI Gateway for scoring. Answers are processed transiently and not used to train third-party models.
We do not sell personal data and we do not use it for advertising profiling.
5. International transfers
Some processors may store or process data outside the European Economic Area. Where that happens, transfers are covered by the European Commission's Standard Contractual Clauses or an equivalent Article 46 GDPR safeguard offered by the processor.
6. Retention
- Training records and certificates: retained for up to 10 years to align with the record-keeping period in Ley 10/2010, so completion can be evidenced to supervisors.
- Contact-form messages: retained for up to 24 months after the last exchange, then deleted or anonymised.
- Technical logs: retained for a short period by the hosting provider (typically up to 30 days) for security purposes.
7. Your rights
Under the GDPR you have the right to access, rectify, erase, restrict or object to the processing of your personal data, and to data portability. Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email ah@costaaml.com. You also have the right to lodge a complaint with the Spanish supervisory authority, the Agencia Española de Protección de Datos (www.aepd.es).
8. Security
We apply appropriate technical and organisational measures, including TLS in transit, encryption at rest by the hosting provider, role-based access controls and row-level security on the database. No system is perfectly secure, but we take reasonable steps to protect personal data.
9. Cookies
amltrainingspain.com uses only strictly necessary cookies and local storage to run the training and remember your session. See the Cookie Policy for details.
10. Changes to this policy
We may update this policy as the service evolves. Material changes will be indicated by updating the "Last updated" date above.
Questions about this policy? Contact us.