Legal & Policies

Privacy & Data Protection

Version 1.0 · Profectify LLC (Certiva)

This is a template prepared for Certiva and is not legal advice. It will be reviewed by qualified counsel in each operating jurisdiction before it takes effect.

1. Purpose & scope

Certiva (“we”, “us”) provides certification, accreditation, and curriculum services to educators, school leaders, students, and schools. This policy explains how we handle personal data and how we comply with the EU GDPR, the UK GDPR and Data Protection Act, and — where student data is involved — child-protection regimes such as COPPA and FERPA. Hosting region and sub-processors are documented in our sub-processor list; we apply appropriate safeguards for any international transfers.

2. Data we process

CategoryExamplesSource
Account dataName, email, role, school, credentialsProvided by user / school admin
Learning dataCourse progress, quiz and assignment results, capstone submissionsGenerated on the platform
Certification dataCertificates, validity dates, verification recordsGenerated by Certiva
Assessment integrity dataExam responses, integrity declarations, invigilation notes where applicableCollected during assessments
Accreditation dataSchool evidence, interview notes, evaluator reportsCollected during accreditation
Student dataAge band, badge progress, project workProcessed on behalf of schools

3. Lawful bases

  • Contract — to deliver certification, accreditation, and curriculum services.
  • Legitimate interests — to secure the platform, prevent fraud, and improve services.
  • Consent — for optional communications and certain cookies.
  • Legal obligation — to meet regulatory, tax, and safeguarding requirements.

For student personal data, Certiva acts as a processor on the instructions of the school (the controller); schools are responsible for obtaining any required parental consent.

4. How we use data

  • Deliver and administer courses, assessments, and certificates.
  • Conduct and verify school accreditation.
  • Maintain assessment integrity and prevent fraud.
  • Provide school dashboards and certification-coverage reporting.
  • Meet legal, security, and safeguarding obligations.

5. Sharing & sub-processors

We share data with the candidate’s school (for certification status and accreditation), with vetted sub-processors (hosting, payments, email delivery) under data-processing agreements, and with authorities where legally required. Certiva does not sell personal data. A current list of sub-processors is available on request.

6. International transfers

Where data is transferred outside the EEA/UK, Certiva relies on adequacy decisions or appropriate safeguards (e.g., Standard Contractual Clauses). Preferred hosting regions are confirmed in the sub-processor list.

7. Retention

Account data is kept for the duration of the relationship plus a statutory minimum; certification records are retained to support lifetime verification of issued credentials; assessment integrity records have a short retention window; accreditation evidence is retained for the accreditation cycle plus a defined archive period.

8. Security

  • Encryption in transit and at rest; access on a least-privilege basis.
  • Vendor due diligence for all AI and platform tools that touch personal data.
  • Breach detection and a documented breach-notification procedure (72-hour GDPR timeline).

9. Your rights

Individuals have rights to access, rectification, erasure, restriction, portability, and objection, and rights relating to automated decision-making. Requests are handled within statutory timeframes; student-data requests are routed via the school.

10. Contact & governance

Data protection contact: [email protected]. A Data Protection Officer is appointed where required by law. This policy is reviewed at least annually and versioned.


Questions about this document? Contact [email protected].