Legal & Policies
Privacy & Data Protection
Version 1.0 · Profectify LLC (Certiva)
1. Purpose & scope
Certiva (“we”, “us”) provides certification, accreditation, and curriculum services to educators, school leaders, students, and schools. This policy explains how we handle personal data and how we comply with the EU GDPR, the UK GDPR and Data Protection Act, and — where student data is involved — child-protection regimes such as COPPA and FERPA. Certiva positions its data storage within the EU where feasible, consistent with its “your data stays in the EU” commitment.
2. Data we process
| Category | Examples | Source |
|---|---|---|
| Account data | Name, email, role, school, credentials | Provided by user / school admin |
| Learning data | Course progress, quiz and assignment results, capstone submissions | Generated on the platform |
| Certification data | Certificates, validity dates, verification records | Generated by Certiva |
| Proctoring data | Exam webcam/screen data, integrity flags | Collected during exams |
| Accreditation data | School evidence, interview notes, evaluator reports | Collected during accreditation |
| Student data | Age band, badge progress, project work | Processed on behalf of schools |
3. Lawful bases
- Contract — to deliver certification, accreditation, and curriculum services.
- Legitimate interests — to secure the platform, prevent fraud, and improve services.
- Consent — for optional communications and certain cookies.
- Legal obligation — to meet regulatory, tax, and safeguarding requirements.
For student personal data, Certiva acts as a processor on the instructions of the school (the controller); schools are responsible for obtaining any required parental consent.
4. How we use data
- Deliver and administer courses, assessments, and certificates.
- Conduct and verify school accreditation.
- Maintain integrity through proctoring and fraud detection.
- Provide school dashboards and certification-coverage reporting.
- Meet legal, security, and safeguarding obligations.
5. Sharing & sub-processors
We share data with the candidate’s school (for certification status and accreditation), with vetted sub-processors (hosting, proctoring, payments) under data-processing agreements, and with authorities where legally required. Certiva does not sell personal data. A current list of sub-processors is available on request.
6. International transfers
Where data is transferred outside the EEA/UK, Certiva relies on adequacy decisions or appropriate safeguards (e.g., Standard Contractual Clauses). Certiva’s default is EU-based storage.
7. Retention
Account data is kept for the duration of the relationship plus a statutory minimum; certification records are retained to support lifetime verification of issued credentials; proctoring data has a short retention window; accreditation evidence is retained for the accreditation cycle plus a defined archive period.
8. Security
- Encryption in transit and at rest; access on a least-privilege basis.
- Vendor due diligence for all AI and platform tools that touch personal data.
- Breach detection and a documented breach-notification procedure (72-hour GDPR timeline).
9. Your rights
Individuals have rights to access, rectification, erasure, restriction, portability, and objection, and rights relating to automated decision-making. Requests are handled within statutory timeframes; student-data requests are routed via the school.
10. Contact & governance
Data protection contact: [email protected]. A Data Protection Officer is appointed where required by law. This policy is reviewed at least annually and versioned.
Questions about this document? Contact [email protected].