By clicking the SUBMIT button, I’m providing the above information to Vretta for the purpose of responding to my request.
CONTACTlogo
twitterfacebookfacebook instagram

PRIVACY POLICY

1. Commitment

We at Vretta consider the privacy of your Data, which includes your personal and sensitive information, to be of utmost importance. We are committed to protecting your Data whether you are engaging in learning, assessment, conducting business with us electronically, or simply browsing our website for information. We have developed this Privacy Policy for you to understand how we collect, communicate, disclose,and make use of your Data.

Our Products and Services are used by our Partners who are ministries of education (and their agencies), academic institutions, school boards and districts, and regulatory or awarding bodies. Our Partners act as the Data Controllers of the Data processed by us in connection with the provision of our Products and Services.

The Users of our Products and services include students, candidates, educators, and administrators. They access our Products and Services as instructed by our Partners. We process personal and sensitive Data solely on behalf of and in accordance with the instructions of our Data Controllers, in our role as the Data Processor.

Our commitment to ensuring privacy of your Data is as follows:

  • We will collect and use your Data solely with the objective of fulfilling those purposes specified by us or by Partners with which we have agreements.
  • We undertake to collect your Data solely by lawful and fair means.
  • We will not share your Data with any third party, except as necessary to provide you with the Products and Services you have requested, or to comply with the law.
  • We will not sell or rent your Data under any circumstances.

Your rights are very important, and we are committed to being transparent about our use of your Data.

2. Definitions

2.1. Data: “Data” refers to any information relating to an identified and identifiable person, including personal and sensitive Data, processed by Vretta in connection with its Products and Services.

2.2. Partners: “Partners” refers to ministries of education (and their agencies), academic institutions, school boards and districts, and regulatory or awarding bodies that engage Vretta to provide its Products and Services.

2.3. Users: “Users” refers to individuals who access or use Vretta’s platforms and services through a Partner, including but not limited to students, candidates, educators, and administrators.

2.4. Products and Services: “Products and Services” refers to Vretta’s digital platforms, educational assessment tools, learning solutions, and related services provided to Partners and their Users.

2.5. Data Controller: “Data Controller” refers to the entity (typically a Partner) that determines the purposes and means of Processing Data, and provides instructions to Vretta regarding such Processing.

2.6. Data Processor: “Data Processor” refers to Vretta, which processes Data on behalf of the Data Controller in accordance with the Data Controller’s instructions and applicable Data protection laws.

2.7. Data Protection Officer: “Data Protection Officer” or “DPO” refers to the individual appointed by Vretta responsible for overseeing Data protection strategy, ensuring compliance with applicable Data protection laws, and serving as the point of contact for Data protection-related queries and requests.

2.8. Data Processing: “Data Processing” means any operation or set of operations performed on Data, whether or not by automated means, including collection, recording, storage, use, or deletion.

3. Data Collection

We provide our Products and Services through our Partners, who act as Data Controllers. Users access our services through these Partners. Vretta processes Data solely on behalf of and in accordance with the instructions of the Data Controllers, in its role as a Data Processor.

We have established protocols to handle Data Processing. Just as we guarantee the confidentiality and security of Data, you can be assured that at the end of our service any Data processed will be erased. Additionally, should a Data breach occur, we will immediately report the event and its details to our Data controller upon its identification.

We have a team of highly specialized Data personnel responsible to process Data and to ensure that we are fully compliant with Data protection regulations. Our Data team monitors Data integrity, accuracy, and confidentiality and performs regular security reviews. The team keeps a record of all Processing activities. When an inaccuracy is discovered the Data is updated without undue delay.

Our Data Protection Officer (DPO) keeps our management updated on Data protection responsibilities, risks, and issues. Our DPO also deals with access requests and approvals of any contracts with third parties that handle Data. Since we handle large amounts of Data on a regular basis, our DPO oversees our compliance with various Data laws, including the General Data Protection Regulation (GDPR) of the European Union (EU) and the European Economic Area (EEA), the Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada, and the Family Educational Rights and Privacy Act (FERPA).

When you access our website and platforms, we may collect the following information based on the requirement of the Data Controller:

  • Personal Information: When you use our Products and Services, as instructed by your organization, ministry of education (or their agency), or academic institution, we may collect personal information such as your first name, last name, email address, phone number, and/or mailing address. In some cases, we may be instructed by the Data Controller to collect sensitive information. Any personal or sensitive information that is collected by us is in full compliance with the Data protection regulations as per the Data law of the jurisdiction we serve.
  • Credentials: We collect usernames of Users participating in our system.
  • Device Data: Some of our Products collect information on the version of the device, or operating system you are using while interacting with our Products, the type of browser you are using, and your IP address.
  • Language Data: If you are using any of our Products that are provided in multiple languages, we collect Data on the language of the application being used, as well as when the language is changed.
  • Activity Data: We collect Data about which components of the product you have used, how long you spend on them, whether you have completed them or not, and your scores on the questions that you have attempted.
  • Other Data: We collect (and receive from the Data Controller) other administrative information such as your institution name, class name, professor/teacher name, and grade level. Some of our services require us to collect survey information on your level of education as instructed by the Data Controller.

3.1. Data Not Collected

When you access our platforms, we do not collect any of the following:

  • Financial Information: We do not collect your financial information required to process your order, such as your credit card number. Any such information will be collected through a third-party payment system, if required. Their use of your financial data will be strictly limited for the purposes of processing the financial transaction for your purchase.
  • Personal Identifiers: We do not collect your Social Insurance Number (SIN) or Social Security Number (SSN) or other such personal identifiers.

3.2. Lawful Basis

We have a valid legal basis for the Processing of any Data that we collect from you. The legal basis for the Processing of your Data is established between us and the Data Controller of the Data prior to the Processing of the Data. It is also processed lawfully, fairly, and transparently. The lawful basis on which we process your Data is based on the following:

3.2.1. Consent: We process Data only after you have provided your consent (permission) to the Data Controller of the Data to process the personal Data that you provide us while accessing our Products and Services. It is only after we receive official instructions from the Data Controller, we process the Data.

3.2.2. Contract/Agreement: We process Data only after we have an established contract/agreement with the Data Controller to process your Data.

3.2.3. Legitimate Interest: We process Data to provide you and the Data Controller with use of our Products and Services as described in the section titled “Clause 6. Data Use” in this Privacy Policy.

3.2.4 Corporate Transactions (Sale, Merger, or Acquisition): In the event of a sale, merger, acquisition, or other corporate transaction involving Vretta, any successor or acquiring Vretta will be required to protect personal information in accordance with this Privacy Policy, applicable Data protection laws, and Vretta’s existing contractual obligations with the Data Controllers. Where personal Data processed by Vretta, as a Data Processor, is involved, the relevant Data Controller will be notified prior to any transfer of personal information where required by applicable law or contractual obligations. Users’ rights under applicable Data protection laws, including the right to withdraw consent where applicable, will continue to be respected following such a transaction.

4. Cookie Policy

We use cookies to enhance your browsing experience on our website and to provide functionalities that meet your needs. Cookies are small text files stored on your device (computer, tablet, or mobile phone) when you visit a website. They help us remember your preferences and ensure the smooth operation of our site. For detailed information about the types of cookies we use, their purposes, and how you can manage your cookie preferences, please refer to our full Cookie Policy.

5. Data Protection

We are committed to protecting your Data by utilizing security safeguards against loss, theft, unauthorized access, disclosure, copying, and unauthorized use or modification. We keep Data confidential, accurate, and available when needed, and review our Data protection measures on a regular basis. The Data is stored on secure cloud servers that have stringent security standards which are regularly audited to maintain the following industry leading certifications: Cloud Security Alliance Controls, ISO 9001 (Global Quality Standard), ISO 22301 (Security and Resilience), ISO 27001 (Security Management Controls), ISO 27017 (Cloud Specific Controls), ISO 27701 (Privacy Information Management), ISO 27018 (Personal Data Protection), SOC 1 (Audit Controls Report), SOC 2 (Security, Availability, & Confidentiality Report), and SOC 3 (General Controls Report). The cloud servers are located in jurisdictions that fully comply with the Data security requirements as specified by our Data Controllers and the related Data laws of their respective jurisdictions.

5.1. Protection of Personally Identifiable Information (PII)

At Vretta, safeguarding personally identifiable information is our top priority. We are certified under internationally recognized standards, including ISO 27001 (Information Security Management) and ISO 27018 (Personal Data Protection), which reflects our commitment to maintaining Data confidentiality, integrity, and availability. We provide robust security measures, such as encryption, Data masking, and environment segregation, to ensure that PII is protected at every stage. By relying on these controls and certifications, we assure our partners (Data controllers) that the PII of Users of our application is handled with the highest security and compliance standards.

5.2. Privacy Impact Assessment (PIA)

The Data controller, of the Data that Vretta processes, conducts the PIA as per their Data governance requirements. Vretta, as the Data Processor, actively supports the Data controller to conduct the PIA. We provide detailed documentation about our Data Processing activities, security measures, and compliance practices. By working collaboratively with our Data Controller, we ensure they have all the necessary information to complete the PIA and meet their compliance obligations successfully

5.3. Compliance with Privacy Regulations

Vretta adheres to Data protection laws and standards, including the Freedom of Information and Protection of Privacy Act (FIPPA), the Personal Information Protection and Electronic Documents Act (PIPEDA), British Columbia’s Personal Information Protection Act (PIPA), Ontario’s Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), Alberta’s Personal Information Protection Act (PIPA), the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Family Educational Rights and Privacy Act (FERPA), among others Our Data handling practices are designed to meet the core principles of these regulations; i.e., lawfulness, transparency, Data minimization, and security. We continuously review our compliance measures to ensure alignment with evolving legal requirements across all jurisdictions where we operate.

6. Data Use

We design, develop, and deliver educational assessments and learning products. Our contracts/agreements are with Data Controllers through whom we provide our Products and Services to our Users.

The Data that is collected from the use of our Products and Services is used to serve the educational goals of our Users. It is also used to enhance their learning and assessment experiences on our platforms. We may use account information being provided to connect teachers to the progress that students have on our platforms.

We may also track devices used and their version information to resolve any issues particular to a device, and provide support for different platforms.

6.1. Data Processing Activities

The following table summarizes the Data Processing activities related to the Data that is collected from their sources.

#SourceDataReasonsLegal BasisErasure of Data
6.1.1 Browsing the Website
  • IP Address
  • Browsing Logs
    • To improve the stability and functionality of the website.
    • To enable you to browse the website
    • To ensure security of the website.
    		Legitimate Interest: A Legitimate Interest Assessment (LIA) has been conducted and is available upon request.
    • When data is no longer required for security and diagnostic purposes.
    6.1.2Contact FormName, email, institution/organization name To respond to your request. Consent
    • When consent is revoked.
    • When data is no longer required.
    6.1.3Newsletter Subscribe FormEmailTo send you periodic updates.Consent
    • When consent is revoked.
    • When data is no longer required.
    6.1.4Accessing our Platforms (Account Creation Form and Login Form)Data as instructed to be collected by the Controller in the contract/agreement.To provide you with access to the platform.Contract/Agreement
    • When instructed by the Controller in the contract/agreement.
    • When data is no longer required.
    6.1.5Activity on our PlatformsActivity progress on assessments and learning products.To support the learning and assessment requirements as per the contract/agreement with the Controller.Contract/Agreement
    • When instructed by the Controller in the contract/agreement.
    • When data is no longer required.
    6.1.6Data from ControllerData as instructed to be collected by the Controller in the contract/agreement.To support the learning and assessment requirements as per the contract/agreement with the Controller.Contract/Agreement
    • When instructed by the Controller in the contract/agreement.
    • When data is no longer required.
    6.1.7SurveyData as instructed to be collected by the Controller in the contract/agreement.To support the survey requirements as per the contract/agreement with the Controller.Contract/Agreement
    • When instructed by the Controller in the contract/agreement.
    • When data is no longer required.

    6.2. Consequences of Not Providing Data

    Providing certain personal Data (for example, name, email, student ID) is necessary for us to deliver our services and fulfil contractual or legal obligations. If you do not provide this information, we may be unable to create your account, deliver assessments, or provide technical support. Optional Data can be withheld without affecting access to core services.

    7. Data Retention

    We will retain your Data only for the period of time that is necessary under the contract/agreement we have with the Data Controller of the Data or as required by the Data law of the jurisdiction we serve. If and when your information is no longer required for the purposes specified by the Data Controller, we will delete your Data.

    Upon the termination of our services with a Data Controller, we ensure the secure deletion of Data in compliance with contractual agreements and regulatory requirements. This process involves Data erasure techniques that prevent any unauthorized retrieval. Confirmation of deletion is provided to the Data Controller as part of our compliance measures.

    8. Redundancy and Backup Capabilities

    We implement redundancy and secure backup systems to ensure Data availability and protection against unforeseen incidents. Our automated backup processes run at regular intervals, storing encrypted copies of Data in geographically diverse locations. These backups are reviewed periodically to maintain reliability and compliance with Data protection regulations.

    9. Data Recipients

    9.1. Data Controller

    The Data from the sources as outlined in the table under the section Data Processing Activities are available for the respective Data Controllers to support you with your learning and assessment experiences. It is the requirement of the Data Controller to inform you on whether the provision of personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the personal Data, and the possible consequences of failure to provide such Data.

    9.1.1. Data Processing Agreement: Data Controllers can download a Data Processing Agreement that serves as documented instructions between the Data Controller and Data Processor. This documentation is necessary in some jurisdictions, including the European Union.
    Download the Data Processing Agreement

    9.2. Data Disclosure

    At times, we may be required to share your Data with affiliated entities that help us provide the service or products you have requested. We will disclose your Data to third-parties only under the following circumstances:

    • When we are required or permitted to do so by the law, regulations, or governmental requests.
    • To protect against fraud.
    • To protect the rights and property of Vretta or its Partners and Users.
    • When we retain a contractor to provide support to us, such as technical support and system maintenance services.
    • When we have your consent.
    • When a dispute arises over fees and we are taking legal action to collect the fees owing to us.

    In the above cases, we will only disclose Data after receiving written consent from the Data Controller.

    Vretta stores and processes Data within the European Union and in other jurisdictions recognized by the European Commission as providing an adequate level of Data protection.

    We do not transfer Data to countries that lack an adequacy decision under the GDPR. If a transfer becomes necessary, either due to operational requirements or an instruction from a Data Data controller we will ensure that appropriate safeguards are implemented to protect the security and confidentiality of the personal Data.

    Such safeguards include entering Standard Contractual Clauses (SCCs) approved by the European Commission, containing binding and enforceable obligations, and ensuring adherence to our internal Data protection policies and code of conduct. We will also ensure that Data subjects’ rights remain enforceable and that effective legal remedies are available to them in accordance with Article 46 of the GDPR.

    For more information on applicable safeguards, please contact our Data Protection Officer at dpo@vretta.com.

    Certain Data becomes public when you voluntarily post it in the public areas of our websites, such as a chat-room or a discussion forum. Public information is not protected by this Privacy Policy. All messages and comments posted in public areas of the website express the views of the author and we will not be held accountable for the content of any such message or comment. We do not control and are not responsible for the information that Users may post, transmit, or share on our websites.

    9.3. Third-Party Websites

    Our website may contain links to other websites (third-party sites), which are not covered under this Privacy Policy. We do not provide any representation or warranty with respect to third-party sites. We do not endorse third-party sites and are not liable or otherwise responsible for the Data collection procedures implemented by third-parties.

    10. Rights, Request, Consent, and Contact

    10.1. Your Rights

    You have the following rights to give you more control over how your Data is processed by us.

    10.1.1. Right to be Informed: You have the right to know what kind of Processing is happening to your Data.

    10.1.2. Right of Access: We will confirm (free of charge) if your Data is being held as well as notify you of the type of Data.

    10.1.3. Right to Rectification: If any Data is either inaccurate or incomplete, you can request this to be fixed.

    10.1.4. Right to Erasure / Be Forgotten: You have the right to have your Data erased if the Data was processed unlawfully, if you withdraw consent, or if your Data is no longer necessary for the original purpose in which it was collected.

    10.1.5. Right to Restrict Processing: If you feel the Processing of your Data is either inaccurate or unlawful, you have the right to stop Processing activities.

    10.1.6. Right to Data Portability: You have the right to move your Data from one organization to another, without any loss of usability.

    10.1.7. Right to Object: You can object to your Data being used for scientific or historical research, direct marketing, Processing based on official authority, legitimate interests or in the public interest.

    10.1.8. Right to Object Automated Processing: You have the right not to be subject to profiling. We do not analyze your personal information to predict your economic situation, health, location, or personal preferences.

    10.1.9. Right to Withdraw Consent: You have the right to withdraw previously given consent to process your personal Data. The withdrawal of consent does not affect the lawfulness of Processing based on consent before its withdrawal.

    10.1.10. Right to Lodge a Complaint with a Supervisory Authority: You have the right to lodge a complaint with a supervisory authority. As we have offices in Canada and Luxembourg, you can lodge a complaint with the supervisory authorities in any of these countries.

    10.2. Requesting Data

    You can obtain access to your Data by submitting a request to our Data Protection Officer at dpo@vretta.com. You can also contact your organization, ministry of education (or their agency), or academic institution (i.e., the Data Controller of your Data) with your request. If you would like to request any of your Data, download the Data Request Form by clicking the link below, complete the details, and send the document as an email attachment to dpo@vretta.com.
    Download the Data Request Form

    10.3. Consent

    By accessing our website and platforms, and providing your Data to us, you authorize us to collect, use, and disclose such information in accordance with this Privacy Policy.

    10.4. Contact

    10.4.1. Data Controller Information: For contact details of the Data Controller of your Data, reach out to the organization, ministry of education, or academic institution that provided you with access to our platform.

    10.4.2. Questions on Privacy Policy: For questions on our Privacy Policy or to provide us with any feedback, reach out to our Data Protection Officer at dpo@vretta.com

    11. Data Breach Notification

    Vretta maintains incident detection and response procedures to identify, assess, and respond to security incidents, including Data breaches involving unauthorized access to or disclosure of personal information. In the event of a breach, Vretta will promptly investigate, contain, and remediate the incident in accordance with applicable legal, regulatory, and contractual obligations. Where Vretta acts as a Data Processor, the relevant Data Controller will be notified without undue delay via direct email communication upon becoming aware of a breach. Any notifications to affected Users will be carried out by or under the direction of the Data Controller, and may include communication via email.

    Vretta will also support the Data Controller in fulfilling any breach notification obligations to applicable privacy regulators or supervisory authorities in the jurisdictions where the Data resides, including relevant Information and Privacy Commissioners or other relevant authorities.

    12. Dispute Resolution and Jurisdiction

    Vretta provides its services primarily through contractual agreements with Data Controllers

    12.1. Dispute Resolution

    Where applicable, dispute resolution mechanisms, including arbitration or mediation, are defined within the contractual agreements between Vretta and the relevant Data Controller. Any such mechanism is mutually agreed upon by the contracting parties. Vretta does not independently impose alternative dispute resolution requirements on end Users.

    12.2. Governing Law and Jurisdiction

    The governing law and jurisdiction applicable to any dispute are defined within the relevant contractual agreement between Vretta and the Data Controller. In most cases, the applicable jurisdiction corresponds to the jurisdiction in which the Data Controller is located.

    As Vretta acts as a Data Processor, Users typically interact with Vretta’s services through the Data Controller, and any disputes relating to Data Processing are generally subject to the terms established between Vretta and the Data Controller.

    13. Changes to this Privacy Policy

    Vretta may update this Privacy Policy from time to time to reflect changes in our practices, services, or evolving legal requirements.

    13.1. Notification of Changes

    When material changes are made to this Privacy Policy, Vretta will notify the relevant Data Controllers via email before or at the time the updated policy becomes effective. Data Controllers may communicate such updates to their Users in accordance with their own policies and legal obligations.

    13.2. Review and Responsibility

    We encourage Data Controllers and Users to review this Privacy Policy periodically. The Revision History table below outlines the specific nature of each update and the date it was implemented. Your continued use of our website and platforms after any changes signifies your acceptance of the revised Privacy Policy.

    13.3. Revision History

    RevisionsDate
    Added Clause 2. Definitions, Clause 3.2.4. Corporate Transactions, Clause 11. Data Breach Notification, Clause 12. Dispute Resolution and Jurisdiction, and Clause 13. Changes to this Privacy Policy.April 12, 2026
    Updated policy to clarify controller contact details, legitimate interest basis, international data transfer safeguards, consent withdrawal implications, and consequences of not providing personal data.November 10, 2025
    The Privacy Policy, Cookie Policy, International Transfers and GDPR Statement have been reviewed by a third-party auditor for compliance with the GDPR.October 28, 2025
    EU Data Management Framework merged with Privacy Policy.July 23, 2025
    Privacy Policy and GDPR statement audited by a third-party auditor for compliance with the GDPR.May 28, 2024
    Included new Clause 4. Cookie Policy.May 28, 2024
    Privacy Policy in French updated.August 19, 2022
    GDPR statement merged with Privacy Policy.August 12, 2022
    Privacy Policy and GDPR statement audited by a third-party auditor for compliance with the GDPR.July 22, 2022
    Privacy Policy and GDPR statement translated to French.June 06, 2022