Legal & Policies

Privacy & Data Protection

Version 1.0 · Profectify LLC (Certiva)

This is a template prepared for Certiva and is not legal advice. It will be reviewed by qualified counsel in each operating jurisdiction before it takes effect.

1. Purpose & scope

Certiva (“we”, “us”) provides certification, accreditation, and curriculum services to educators, school leaders, students, and schools. This policy explains how we handle personal data and how we comply with the EU GDPR, the UK GDPR and Data Protection Act, and — where student data is involved — child-protection regimes such as COPPA and FERPA. Certiva positions its data storage within the EU where feasible, consistent with its “your data stays in the EU” commitment.

2. Data we process

CategoryExamplesSource
Account dataName, email, role, school, credentialsProvided by user / school admin
Learning dataCourse progress, quiz and assignment results, capstone submissionsGenerated on the platform
Certification dataCertificates, validity dates, verification recordsGenerated by Certiva
Proctoring dataExam webcam/screen data, integrity flagsCollected during exams
Accreditation dataSchool evidence, interview notes, evaluator reportsCollected during accreditation
Student dataAge band, badge progress, project workProcessed on behalf of schools

3. Lawful bases

  • Contract — to deliver certification, accreditation, and curriculum services.
  • Legitimate interests — to secure the platform, prevent fraud, and improve services.
  • Consent — for optional communications and certain cookies.
  • Legal obligation — to meet regulatory, tax, and safeguarding requirements.

For student personal data, Certiva acts as a processor on the instructions of the school (the controller); schools are responsible for obtaining any required parental consent.

4. How we use data

  • Deliver and administer courses, assessments, and certificates.
  • Conduct and verify school accreditation.
  • Maintain integrity through proctoring and fraud detection.
  • Provide school dashboards and certification-coverage reporting.
  • Meet legal, security, and safeguarding obligations.

5. Sharing & sub-processors

We share data with the candidate’s school (for certification status and accreditation), with vetted sub-processors (hosting, proctoring, payments) under data-processing agreements, and with authorities where legally required. Certiva does not sell personal data. A current list of sub-processors is available on request.

6. International transfers

Where data is transferred outside the EEA/UK, Certiva relies on adequacy decisions or appropriate safeguards (e.g., Standard Contractual Clauses). Certiva’s default is EU-based storage.

7. Retention

Account data is kept for the duration of the relationship plus a statutory minimum; certification records are retained to support lifetime verification of issued credentials; proctoring data has a short retention window; accreditation evidence is retained for the accreditation cycle plus a defined archive period.

8. Security

  • Encryption in transit and at rest; access on a least-privilege basis.
  • Vendor due diligence for all AI and platform tools that touch personal data.
  • Breach detection and a documented breach-notification procedure (72-hour GDPR timeline).

9. Your rights

Individuals have rights to access, rectification, erasure, restriction, portability, and objection, and rights relating to automated decision-making. Requests are handled within statutory timeframes; student-data requests are routed via the school.

10. Contact & governance

Data protection contact: [email protected]. A Data Protection Officer is appointed where required by law. This policy is reviewed at least annually and versioned.


Questions about this document? Contact [email protected].