By clicking the SUBMIT button, I’m providing the above information to Vretta for the purpose of responding to my request.
twitterfacebookfacebook instagram

PRIVACY POLICY

1. Commitment

We at Vretta consider the privacy of your personal and sensitive information (together referred to as data in this Privacy Policy), which you share with us on our online platforms, to be of utmost importance. We are committed to protecting your data whether you are engaging in learning, conducting business with us electronically, or simply browsing our websites for information. As such, we have developed this Privacy Policy for you to understand how we collect, communicate, disclose,and make use of your data. Our commitment to ensuring privacy of your data is as follows:

  • We will collect and use your data solely with the objective of fulfilling those purposes specified by us, or by any organization, ministry of education (or their agency), or academic institution with which we have agreements.
  • We undertake to collect your data solely by lawful and fair means.
  • We will not share your data with any third party, except as necessary to provide you with the services and products you have requested, or to comply with the law.
  • We will not sell or rent your data under any circumstances.

Your rights are very important, and we are committed to being transparent about our use of your data.

2. Data Collection

We offer our products and services to organizations, ministries of education (and their agencies), and academic institutions (referred together as entities or our partners in this Privacy Policy). These entities are Controllers of the data that we collect. It is through these entities that students, educators, and administrators have access to our platforms. The Controllers instruct us on the means and purpose of processing the data. We are called the Processors of the data.

We have established protocols to handle data processing. Just as we guarantee the confidentiality and security of data, you can be assured that at the end of our service any data processed will be erased. Additionally, should a data breach occur, we will immediately report the event and its details to our data controller upon its identification.

We have a team of highly specialized data personnel responsible to process data and to ensure that we are fully compliant with data protection regulations. Our data team monitors data integrity, accuracy, and confidentiality and performs regular security reviews. The team keeps a record of all processing activities. When an inaccuracy is discovered the data is updated without undue delay.

Our Data Protection Officer (DPO) keeps our management updated on data protection responsibilities, risks, and issues. Our DPO also deals with access requests and approvals of any contracts with third parties that handle sensitive data. Since we handle large amounts of data on a regular basis, our DPO oversees our compliance with various data laws, including the General Data Protection Regulation (GDPR) of the European Union (EU) and the European Economic Area (EEA) and the Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada.

When you access our website and platforms, we may collect the following information based on the requirement of the Controller:

  • Personal Information: When you use our products, as instructed by your organization, ministry of education (or their agency), or academic institution, we may collect personal information such as your first name, last name, email address, phone number, and/or mailing address. In some cases, we may be instructed by the Controller to collect sensitive information. Any personal or sensitive information that is collected by us is in full compliance with the data protection regulations as per the data law of the jurisdiction we serve.
  • Credentials: We collect usernames of users participating in our system.
  • Device Data: Some of our products collect information on the version of the device, or operating system you are using while interacting with our products, the type of browser you are using, and your IP address.
  • Language Data: If you are using any of our products that are provided in multiple languages, we collect data on the language of the application being used, as well as when the language is changed.
  • Activity Data: We collect data about which components of the product you have used, how long you spend on them, whether you have completed them or not, and your scores on the questions that you have attempted.
  • Other Data: We collect (and receive from the Controller) other administrative information such as your institution name, class name, professor/teacher name, and grade level. Some of our services require us to collect survey information on your level of education as instructed by the Controller.

2.1. Data Not Collected

When you access our platforms, we do not collect any of the following:

  • Financial Information: We do not collect your financial information required to process your order, such as your credit card number. Any such information will be collected through a third-party payment system, if required. Their use of your financial data will be strictly limited for the purposes of processing the financial transaction for your purchase.
  • Personal Identifiers: We do not collect your Social Insurance Number (SIN) or Social Security Number (SSN) or other such personal identifiers.

2.2. Lawful Basis

We have a valid legal basis for the processing of any data that we collect from you. The legal basis for the processing of your data is established between us and the Controller of the data prior to the processing of the data. It is also processed lawfully, fairly, and transparently. The lawful basis on which we process your data is based on the following:

2.2.1. Consent: We process data only after you have provided your consent (permission) to the Controller of the data to process the personal data that you provide us while accessing our products. It is only after we receive official instructions from the Controller, we process the data.
2.2.2. Contract/Agreement: We process data only after we have an established contract/agreement with the Controller to process your data.
2.2.3. Legitimate Interest: We process data to provide you and the Controller with use of our products and services as described in the section titled “Data Use” in this Privacy Policy.

3. Data Protection

We are committed to protecting your data by utilizing security safeguards against loss, theft, unauthorized access, disclosure, copying, and unauthorized use or modification. We keep data confidential, accurate, and available when needed, and review our data protection measures on a regular basis. The data is stored on secure cloud servers that have stringent security standards which are regularly audited to maintain the following industry leading certifications: Cloud Security Alliance Controls, ISO 9001 (Global Quality Standard), ISO 22301 (Security and Resilience), ISO 27001 (Security Management Controls), ISO 27017 (Cloud Specific Controls), ISO 27701 (Privacy Information Management), ISO 27018 (Personal Data Protection), SOC 1 (Audit Controls Report), SOC 2 (Security, Availability, & Confidentiality Report), and SOC 3 (General Controls Report). The cloud servers are located in jurisdictions that fully comply with the data security requirements as specified by our Controllers and the related data laws of their respective jurisdictions.

3.1. Data Management Framework

Our Data Management Framework details our policies concerning the usage, storage, dissemination, and deletion of all data we collect. If you would like to know more, download our Data Management Framework by clicking the link below.

Download the Data Management Framework

4. Data Use

We design, develop, and deliver educational assessments and learning products. Our contracts/agreements are with organizations, ministries of education, and academic institutions, through whom we provide our products and services to their students, educators, and administrators (together referred to as users) at primary, secondary, and post-secondary educational institutions and training organizations.

The data that is collected from the use of our products and services is used to serve the educational goals of our users. It is also used to enhance their learning and assessment experiences on our platforms. We may use account information being provided to connect teachers to the progress that students have on our platforms.

We may also track devices used and their version information to resolve any issues particular to a device, and provide support for different platforms.

4.1. Data Processing Activities

The following table summarizes the data processing activities related to the data that is collected from their sources.

#SourceDataReasonsLegal BasisErasure of Data
4.1.1 Browsing the Website
  • IP Address
  • Browsing Logs
    • To improve the stability and functionality of the website.
    • To enable you to browse the website
    • To ensure security of the website.
    Legitimate Interest
    • When data is no longer required.
    4.1.2Contact FormName, email, institution/organization name To respond to your request. Consent
    • When consent is revoked.
    • When data is no longer required.
    4.1.3Newsletter Subscribe FormEmailTo send you periodic updates.Consent
    • When consent is revoked.
    • When data is no longer required.
    4.1.4Accessing our Platforms (Account Creation Form and Login Form)Data as instructed to be collected by the Controller in the contract/agreement.To provide you with access to the platform.Contract/Agreement
    • When instructed by the Controller in the contract/agreement.
    • When data is no longer required.
    4.1.5Activity on our PlatformsActivity progress on assessments and learning products.To support the learning and assessment requirements as per the contract/agreement with the Controller.Contract/Agreement
    • When instructed by the Controller in the contract/agreement.
    • When data is no longer required.
    4.1.6Data from ControllerData as instructed to be collected by the Controller in the contract/agreement.To support the learning and assessment requirements as per the contract/agreement with the Controller.Contract/Agreement
    • When instructed by the Controller in the contract/agreement.
    • When data is no longer required.
    4.1.7SurveyData as instructed to be collected by the Controller in the contract/agreement.To support the survey requirements as per the contract/agreement with the Controller.Contract/Agreement
    • When instructed by the Controller in the contract/agreement.
    • When data is no longer required.

    5. Data Retention

    We will retain your data only for the period of time that is necessary under the contract/agreement we have with the Controller of the data or as required by the data law of the jurisdiction we serve. If and when your information is no longer required for the purposes specified by the Controller, we will delete your data.

    6. Data Recipients

    6.1. Controller

    The data from the sources as outlined in the table under the section Data Processing Activities are available for the respective Controllers to support you with your learning and assessment experiences. It is the requirement of the Controller to inform you on whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the personal data, and the possible consequences of failure to provide such data.

    6.1.1. Data Processing Agreement

    Data Controllers can download a Data Processing Agreement that serves as documented instructions between the Data Controller and Data Processor. This documentation is necessary in some jurisdictions, including the European Union.

    Download the Data Processing Agreement

    6.2. Data Disclosure

    At times, we may be required to share your data with affiliated entities that help us provide the service or products you have requested. We will disclose your data to third-parties only under the following circumstances:

    • When we are required or permitted to do so by the law, regulations, or governmental requests.
    • To protect against fraud.
    • To protect the rights and property of Vretta or its partners and users.
    • When we retain a contractor to provide support to us, such as technical support and system maintenance services.
    • When we have your consent.
    • When a dispute arises over fees and we are taking legal action to collect the fees owing to us.

    In the above cases, we will only disclose data after receiving written consent from the Controller.

    We do not transfer any personal information to countries where there is an absence of Adequacy Decision (as per the GDPR). If there is a need to transfer personal information to a country where there is an absence of Adequacy Decision (either due to an operational requirement or an instruction from a Controller of the data), we will ensure that there are appropriate safeguards for the security of the data that is transferred. These safeguards will include contractual agreements with the recipient of the personal data (using standard contractual clauses approved by the European Commission) containing binding and enforceable commitments and adherence to our code of conduct. We will also ensure that the rights of individuals (the data subjects) will be enforceable and legal remedies will be available for them.

    Certain data becomes public when you voluntarily post it in the public areas of our websites, such as a chat-room or a discussion forum. Public information is not protected by this Privacy Policy. All messages and comments posted in public areas of the website express the views of the author and we will not be held accountable for the content of any such message or comment. We do not control and are not responsible for the information that users may post, transmit, or share on our websites.

    6.3. Third-Party Websites

    Our website may contain links to other websites (third-party sites), which are not covered under this Privacy Policy. We do not provide any representation or warranty with respect to third-party sites. We do not endorse third-party sites and are not liable or otherwise responsible for the data collection procedures implemented by third-parties.

    7. Rights, Request, Consent, and Contact

    7.1. Your Rights

    You have the following rights to give you more control over how your data is processed by us.

    7.1.1. Right to be Informed: You have the right to know what kind of processing is happening to your data.

    7.1.2. Right of Access: We will confirm (free of charge) if your data is being held as well as notify you of the type of data.

    7.1.3. Right to Rectification: If any personal data is either inaccurate or incomplete, you can request this to be fixed.

    7.1.4. Right to Erasure / Be Forgotten: You have the right to have your data erased if the data was processed unlawfully, if you withdraw consent, or if your data is no longer necessary for the original purpose in which it was collected.

    7.1.5. Right to Restrict Processing: If you feel the processing of your data is either inaccurate or unlawful, you have the right to stop processing activities.

    7.1.6. Right to Data Portability: You have the right to move your data from one organization to another, without any loss of usability.

    7.1.7. Right to Object: You can object to your personal data being used for scientific or historical research, direct marketing, processing based on official authority, legitimate interests or in the public interest.

    7.1.8. Right to Object Automated Processing: You have the right not to be subject to profiling. We do not analyze your personal information to predict your economic situation, health, location, or personal preferences.

    7.1.9. Right to Withdraw Consent: You have the right to withdraw previously given consent to process your personal data.

    7.1.10. Right to Lodge a Complaint with a Supervisory Authority: You have the right to lodge a complaint with a supervisory authority. As we have offices in Canada, Luxembourg, and the United Kingdom, you can lodge a complaint with the supervisory authorities in any of these countries.

    7.2. Requesting Data

    You can obtain access to your data by submitting a request to our Data Protection Officer at dpo@vretta.com. You can also contact your organization, ministry of education (or their agency), or academic institution (i.e., the Controller of your data) with your request. If you would like to request any of your data, download the Data Request Form by clicking the link below, complete the details, and send the document as an email attachment to dpo@vretta.com.

    Download the Data Request Form

    7.3. Consent

    By accessing our website and platforms, and providing your data to us, you authorize us to collect, use, and disclose such information in accordance with this Privacy Policy.

    7.4. Contact

    If you have questions, concerns, or would like to provide us with any feedback on our Privacy Policy, please reach out to our Data Protection Officer, Adam Lorentz, at dpo@vretta.com.

    8. Revision History

    Please note that our Privacy Policy is reviewed, audited, and revised periodically without notice. It is your responsibility to review the Privacy Policy each time you use our website.

    RevisionsDate
    Privacy Policy and GDPR statement translated to FrenchJune 06, 2022
    Privacy Policy and GDPR statement audited by a third-party auditor for compliance with the GDPRJuly 22, 2022
    GDPR statement merged with Privacy PolicyAugust 12, 2022
    Privacy Policy in French updatedAugust 19, 2022