We at Vretta consider the privacy of your personal and sensitive information (together referred to as data in this Privacy Policy), which you share with us on our online platforms, to be of utmost importance. We are committed to protecting your data whether you are engaging in learning, conducting business with us electronically, or simply browsing our websites for information. As such, we have developed this Privacy Policy for you to understand how we collect, communicate, disclose,and make use of your data. Our commitment to ensuring privacy of your data is as follows:
Your rights are very important, and we are committed to being transparent about our use of your data.
We offer our products and services to organizations, ministries of education (and their agencies), and academic institutions (referred together as entities or our partners in this Privacy Policy). These entities are Controllers of the data that we collect. It is through these entities that students, educators, and administrators have access to our platforms. The Controllers instruct us on the means and purpose of processing the data. We are called the Processors of the data.
We have established protocols to handle data processing. Just as we guarantee the confidentiality and security of data, you can be assured that at the end of our service any data processed will be erased. Additionally, should a data breach occur, we will immediately report the event and its details to our data controller upon its identification.
We have a team of highly specialized data personnel responsible to process data and to ensure that we are fully compliant with data protection regulations. Our data team monitors data integrity, accuracy, and confidentiality and performs regular security reviews. The team keeps a record of all processing activities. When an inaccuracy is discovered the data is updated without undue delay.
Our Data Protection Officer (DPO) keeps our management updated on data protection responsibilities, risks, and issues. Our DPO also deals with access requests and approvals of any contracts with third parties that handle sensitive data. Since we handle large amounts of data on a regular basis, our DPO oversees our compliance with various data laws, including the General Data Protection Regulation (GDPR) of the European Union (EU) and the European Economic Area (EEA), the Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada, and the Family Educational Rights and Privacy Act (FERPA).
When you access our website and platforms, we may collect the following information based on the requirement of the Controller:
Further, we acknowledge that we are designated as a “school official” with “legitimate educational interests” in your data and associated metadata, as those terms have been defined under FERPA and its implementing regulations, and we agree to abide by the limitations and requirements imposed by 34 CFR 99.33 9(a) on school officials. We will use your data only for the purpose of fulfilling our duties under this agreement and will not monitor or share such data with or disclose it to any third party except as require by law, or as authorized in writing by you.
When you access our platforms, we do not collect any of the following:
We have a valid legal basis for the processing of any data that we collect from you. The legal basis for the processing of your data is established between us and the Controller of the data prior to the processing of the data. It is also processed lawfully, fairly, and transparently. The lawful basis on which we process your data is based on the following:
2.2.1. Consent: We process data only after you have provided your consent (permission) to the Controller of the data to process the personal data that you provide us while accessing our products. It is only after we receive official instructions from the Controller, we process the data.We use cookies to enhance your browsing experience on our website and to provide functionalities that meet your needs. Cookies are small text files stored on your device (computer, tablet, or mobile phone) when you visit a website. They help us remember your preferences and ensure the smooth operation of our site.
For detailed information about the types of cookies we use, their purposes, and how you can manage your cookie preferences, please refer to our full Cookie Policy.
If you have any questions or concerns about our cookie use, please email our Data Protection Officer at dpo@vretta.com.
We are committed to protecting your data by utilizing security safeguards against loss, theft, unauthorized access, disclosure, copying, and unauthorized use or modification. We keep data confidential, accurate, and available when needed, and review our data protection measures on a regular basis. The data is stored on secure cloud servers that have stringent security standards which are regularly audited to maintain the following industry leading certifications: Cloud Security Alliance Controls, ISO 9001 (Global Quality Standard), ISO 22301 (Security and Resilience), ISO 27001 (Security Management Controls), ISO 27017 (Cloud Specific Controls), ISO 27701 (Privacy Information Management), ISO 27018 (Personal Data Protection), SOC 1 (Audit Controls Report), SOC 2 (Security, Availability, & Confidentiality Report), and SOC 3 (General Controls Report). The cloud servers are located in jurisdictions that fully comply with the data security requirements as specified by our Controllers and the related data laws of their respective jurisdictions.
Our Data Management Framework details our policies concerning the usage, storage, dissemination, and deletion of all data we collect. If you would like to know more, download our Data Management Framework by clicking the link below.
Download the Data Management FrameworkWe design, develop, and deliver educational assessments and learning products. Our contracts/agreements are with organizations, ministries of education, and academic institutions, through whom we provide our products and services to their students, educators, and administrators (together referred to as users) at primary, secondary, and post-secondary educational institutions and training organizations.
The data that is collected from the use of our products and services is used to serve the educational goals of our users. It is also used to enhance their learning and assessment experiences on our platforms. We may use account information being provided to connect teachers to the progress that students have on our platforms.
We may also track devices used and their version information to resolve any issues particular to a device, and provide support for different platforms.
The following table summarizes the data processing activities related to the data that is collected from their sources.
# | Source | Data | Reasons | Legal Basis | Erasure of Data |
---|---|---|---|---|---|
5.1.1 | Browsing the Website | |
| Legitimate Interest |
|
5.1.2 | Contact Form | Name, email, institution/organization name | To respond to your request. | Consent |
|
5.1.3 | Newsletter Subscribe Form | To send you periodic updates. | Consent |
| |
5.1.4 | Accessing our Platforms (Account Creation Form and Login Form) | Data as instructed to be collected by the Controller in the contract/agreement. | To provide you with access to the platform. | Contract/Agreement |
|
5.1.5 | Activity on our Platforms | Activity progress on assessments and learning products. | To support the learning and assessment requirements as per the contract/agreement with the Controller. | Contract/Agreement |
|
5.1.6 | Data from Controller | Data as instructed to be collected by the Controller in the contract/agreement. | To support the learning and assessment requirements as per the contract/agreement with the Controller. | Contract/Agreement |
|
5.1.7 | Survey | Data as instructed to be collected by the Controller in the contract/agreement. | To support the survey requirements as per the contract/agreement with the Controller. | Contract/Agreement |
|
We will retain your data only for the period of time that is necessary under the contract/agreement we have with the Controller of the data or as required by the data law of the jurisdiction we serve. If and when your information is no longer required for the purposes specified by the Controller, we will delete your data.
The data from the sources as outlined in the table under the section Data Processing Activities are available for the respective Controllers to support you with your learning and assessment experiences. It is the requirement of the Controller to inform you on whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the personal data, and the possible consequences of failure to provide such data.
Data Controllers can download a Data Processing Agreement that serves as documented instructions between the Data Controller and Data Processor. This documentation is necessary in some jurisdictions, including the European Union.
Download the Data Processing AgreementAt times, we may be required to share your data with affiliated entities that help us provide the service or products you have requested. We will disclose your data to third-parties only under the following circumstances:
In the above cases, we will only disclose data after receiving written consent from the Controller.
We do not transfer any personal information to countries where there is an absence of Adequacy Decision (as per the GDPR). If there is a need to transfer personal information to a country where there is an absence of Adequacy Decision (either due to an operational requirement or an instruction from a Controller of the data), we will ensure that there are appropriate safeguards for the security of the data that is transferred. These safeguards will include contractual agreements with the recipient of the personal data (using standard contractual clauses approved by the European Commission) containing binding and enforceable commitments and adherence to our code of conduct. We will also ensure that the rights of individuals (the data subjects) will be enforceable and legal remedies will be available for them.
Certain data becomes public when you voluntarily post it in the public areas of our websites, such as a chat-room or a discussion forum. Public information is not protected by this Privacy Policy. All messages and comments posted in public areas of the website express the views of the author and we will not be held accountable for the content of any such message or comment. We do not control and are not responsible for the information that users may post, transmit, or share on our websites.
Our website may contain links to other websites (third-party sites), which are not covered under this Privacy Policy. We do not provide any representation or warranty with respect to third-party sites. We do not endorse third-party sites and are not liable or otherwise responsible for the data collection procedures implemented by third-parties.
You have the following rights to give you more control over how your data is processed by us.
8.1.1. Right to be Informed: You have the right to know what kind of processing is happening to your data.
8.1.2. Right of Access: We will confirm (free of charge) if your data is being held as well as notify you of the type of data.
8.1.3. Right to Rectification: If any personal data is either inaccurate or incomplete, you can request this to be fixed.
8.1.4. Right to Erasure / Be Forgotten: You have the right to have your data erased if the data was processed unlawfully, if you withdraw consent, or if your data is no longer necessary for the original purpose in which it was collected.
8.1.5. Right to Restrict Processing: If you feel the processing of your data is either inaccurate or unlawful, you have the right to stop processing activities.
8.1.6. Right to Data Portability: You have the right to move your data from one organization to another, without any loss of usability.
8.1.7. Right to Object: You can object to your personal data being used for scientific or historical research, direct marketing, processing based on official authority, legitimate interests or in the public interest.
8.1.8. Right to Object Automated Processing: You have the right not to be subject to profiling. We do not analyze your personal information to predict your economic situation, health, location, or personal preferences.
8.1.9. Right to Withdraw Consent: You have the right to withdraw previously given consent to process your personal data.
8.1.10. Right to Lodge a Complaint with a Supervisory Authority: You have the right to lodge a complaint with a supervisory authority. As we have offices in Canada, Luxembourg, and the United Kingdom, you can lodge a complaint with the supervisory authorities in any of these countries.
You can obtain access to your data by submitting a request to our Data Protection Officer at dpo@vretta.com. You can also contact your organization, ministry of education (or their agency), or academic institution (i.e., the Controller of your data) with your request. If you would like to request any of your data, download the Data Request Form by clicking the link below, complete the details, and send the document as an email attachment to dpo@vretta.com.
Download the Data Request Form
By accessing our website and platforms, and providing your data to us, you authorize us to collect, use, and disclose such information in accordance with this Privacy Policy.
If you have questions, concerns, or would like to provide us with any feedback on our Privacy Policy, please reach out to our Data Protection Officer at dpo@vretta.com.
Please note that our Privacy Policy is reviewed, audited, and revised periodically without notice. It is your responsibility to review the Privacy Policy each time you use our website.
Revisions | Date |
---|---|
Privacy Policy and GDPR statement audited by a third-party auditor for compliance with the GDPR. | May 28, 2024 |
Included new Clause 3. Cookie Policy. | May 28, 2024 |
Privacy Policy in French updated. | August 19, 2022 |
GDPR statement merged with Privacy Policy. | August 12, 2022 |
Privacy Policy and GDPR statement audited by a third-party auditor for compliance with the GDPR. | July 22, 2022 |
Privacy Policy and GDPR statement translated to French. | June 06, 2022 |