Legal & Policies
Privacy & Data Protection
Version 1.0 · Profectify LLC (Certiva)
1. Purpose & scope
Certiva (“we”, “us”) provides certification, accreditation, and curriculum services to educators, school leaders, students, and schools. This policy explains how we handle personal data and how we comply with the EU GDPR, the UK GDPR and Data Protection Act, and — where student data is involved — child-protection regimes such as COPPA and FERPA. Hosting region and sub-processors are documented in our sub-processor list; we apply appropriate safeguards for any international transfers.
2. Data we process
| Category | Examples | Source |
|---|---|---|
| Account data | Name, email, role, school, credentials | Provided by user / school admin |
| Learning data | Course progress, quiz and assignment results, capstone submissions | Generated on the platform |
| Certification data | Certificates, validity dates, verification records | Generated by Certiva |
| Assessment integrity data | Exam responses, integrity declarations, invigilation notes where applicable | Collected during assessments |
| Accreditation data | School evidence, interview notes, evaluator reports | Collected during accreditation |
| Student data | Age band, badge progress, project work | Processed on behalf of schools |
3. Lawful bases
- Contract — to deliver certification, accreditation, and curriculum services.
- Legitimate interests — to secure the platform, prevent fraud, and improve services.
- Consent — for optional communications and certain cookies.
- Legal obligation — to meet regulatory, tax, and safeguarding requirements.
For student personal data, Certiva acts as a processor on the instructions of the school (the controller); schools are responsible for obtaining any required parental consent.
4. How we use data
- Deliver and administer courses, assessments, and certificates.
- Conduct and verify school accreditation.
- Maintain assessment integrity and prevent fraud.
- Provide school dashboards and certification-coverage reporting.
- Meet legal, security, and safeguarding obligations.
5. Sharing & sub-processors
We share data with the candidate’s school (for certification status and accreditation), with vetted sub-processors (hosting, payments, email delivery) under data-processing agreements, and with authorities where legally required. Certiva does not sell personal data. A current list of sub-processors is available on request.
6. International transfers
Where data is transferred outside the EEA/UK, Certiva relies on adequacy decisions or appropriate safeguards (e.g., Standard Contractual Clauses). Preferred hosting regions are confirmed in the sub-processor list.
7. Retention
Account data is kept for the duration of the relationship plus a statutory minimum; certification records are retained to support lifetime verification of issued credentials; assessment integrity records have a short retention window; accreditation evidence is retained for the accreditation cycle plus a defined archive period.
8. Security
- Encryption in transit and at rest; access on a least-privilege basis.
- Vendor due diligence for all AI and platform tools that touch personal data.
- Breach detection and a documented breach-notification procedure (72-hour GDPR timeline).
9. Your rights
Individuals have rights to access, rectification, erasure, restriction, portability, and objection, and rights relating to automated decision-making. Requests are handled within statutory timeframes; student-data requests are routed via the school.
10. Contact & governance
Data protection contact: [email protected]. A Data Protection Officer is appointed where required by law. This policy is reviewed at least annually and versioned.
Questions about this document? Contact [email protected].