Privacy Policy

Privacy Policy for Edube™ and TestNow™ by Open Education and Development Group, LLC (“OpenEDG”)

Effective Date: June 15, 2021
Last Updated: January 29, 2025

Introduction

At OpenEDG, we respect your privacy and are committed to protecting the personal information of all users of Edube™ – our e-learning platform, and TestNow™ – our exam delivery system (“Platforms” or “Apps”).

This Privacy Policy explains how we collect, use, store, and protect your information in compliance with U.S. laws, including the Family Educational Rights and Privacy Act (FERPA), the Children’s Online Privacy Protection Act (COPPA), and the Children’s Internet Protection Act (CIPA), as well as the European Union’s General Data Protection Regulation (GDPR) and other relevant global privacy regulations.

Our commitment is to ensure your information is handled responsibly, transparently, and in compliance with the highest standards of data protection.

Purpose

This Privacy Policy is designed to:

Inform users of Edube™ and TestNow*trade; apps, including students, educators, and parents, about how their data is collected and used.
Ensure compliance with applicable laws protecting student data and personal information in the U.S., the EU, and other regions where we operate.
Describe the rights users have regarding their data and how they can exercise those rights.
Outline the steps OpenEDG takes to protect the integrity and security of user data.

Due Diligence

We are committed to maintaining the highest standards of data protection by:

Conducting regular audits and assessments to ensure compliance with data protection laws, industry best practices, and international standards.
Encrypting sensitive data during transfer and storage to protect it from unauthorized access.
Limiting access to personal information to authorized personnel only, ensuring strict access controls.
Implementing robust policies for data retention and deletion to meet educational, legal, and regulatory requirements.
We adhere to the principle of data minimization, collecting only the personal information necessary to provide our services or fulfill legal and contractual obligations.

Our systems are ISO 9001 and ISO 27001 certified, which obligates us to maintain high standards for quality management and information security. This includes regular evaluations, continuous improvements, and strict safeguards to ensure data integrity, confidentiality, and availability.

Definitions

To help you understand this Privacy Policy, here are some key terms:

Personal Information (PII): Any information that identifies or can be used to identify an individual, such as name, email address, phone number, or student ID.
Educational Data: Information specific to a learner’s educational activities, including but not limited to test responses, learning progress, performance metrics, certifications earned, and enrollment details.
Data Controller: The organization responsible for determining how and why personal information is processed. In this context, OpenEDG acts as the Data Controller when providing its services.
Data Processor: Any third party that processes personal information on behalf of the Data Controller. This can include hosting services, analytics providers, or customer support tools. Unless stated otherwise, OpenEDG also acts as a Data Processor, managing User data on behalf of clients such as educational institutions or certification agencies.
User: Any individual who interacts with the Edube and TestNow apps or their services, including but not limited to students, educators, parents, administrators, and representatives of institutions.
Proctoring Data: Data collected during online or in-person proctoring, including video and audio recordings, face photos, and other information used to maintain test security and verify identity.
Local Proctor: An individual or entity authorized by an educational institution, certification agency, or client to handle identity verification and proctoring tasks onsite, without storing sensitive data on the platforms.
FERPA: The Family Educational Rights and Privacy Act, a U.S. federal law that protects the privacy of student education records and grants students and parents certain rights over those records.
COPPA: The Children’s Online Privacy Protection Act, a U.S. federal law that safeguards the privacy of children under the age of 13 by requiring parental consent for data collection and use.
CIPA: The Children’s Internet Protection Act, a U.S. federal law that requires schools and libraries to implement measures to protect children from harmful online content and ensure safe internet usage.
GDPR: The General Data Protection Regulation, a European Union regulation that sets strict guidelines for the collection, use, and storage of personal information for individuals in the EU. It emphasizes user rights, transparency, and accountability in data processing.
Other Applicable Laws: Other Applicable Laws: Regional and international privacy laws such as Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), Australia’s Privacy Act, and the UK General Data Protection Regulation (UK GDPR).
Sensitive Information: Personal data that requires extra protection due to its nature, such as biometric data (e.g., face or keystroke patterns), government ID numbers, or health-related information.
Biometric Data: Sensitive data such as facial recognition patterns and keystroke dynamics used for identity verification.
De-Identified Data: Data that has been stripped of personally identifiable details to ensure anonymity. Unlike anonymized data, de-identified data could potentially be re-associated with an individual under certain circumstances.
Anonymized Data: Data that has been permanently stripped of all identifying elements, making it impossible to link back to an individual.
Consent: A freely given, specific, informed, and unambiguous agreement by a data subject to allow the processing of their personal data. Consent can be withdrawn at any time.
Legitimate Interest: A legal basis for processing personal data when there is a valid reason that does not override an individual's privacy rights. Used for fraud prevention, service improvements, or internal analytics.
Standard Contractual Clauses (SCCs): Pre-approved contractual terms adopted by the European Commission to facilitate the lawful transfer of personal data outside the European Economic Area (EEA), including to the United States.
Data Breach: A security incident that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data.
Data Portability: The right of users to receive a copy of their personal data in a structured, commonly used, and machine-readable format, allowing them to transfer it to another service provider.

By using Edube™ and TestNow™ apps, you acknowledge that you have read, understood, and agreed to this Privacy Policy. For any questions or concerns, please contact us at privacy@openedg.org.

Data Controller and Data Processor

OpenEDG serves as the Data Controller for all personal information collected and processed through the Edube™ and TestNow™ platforms. As the Data Controller, OpenEDG determines the purposes and means of processing your personal data, ensuring full compliance with applicable laws and regulations, including GDPR, FERPA, and other privacy frameworks.

Additionally, OpenEDG acts as the Data Processor, managing your data directly while relying only on essential external parties for cloud/hosting services and badging. This approach allows us to maintain strict control over data security, minimization, and retention while ensuring compliance with industry standards and regulatory requirements.

Third-Party Data Sharing

While OpenEDG handles the majority of data processing internally, we may share limited information with trusted third parties for specific purposes:

AWS (Amazon Web Services) – we use AWS to securely store and manage data. AWS complies with GDPR, ISO 27001, and other global data protection standards to ensure the confidentiality, integrity, and availability of data.
Credly – for candidates who pass their exams, we may share information (such as your name, email address, and certification details) with Credly to issue digital badges. Credly ensures compliance with GDPR and other privacy standards, and your data is only used to facilitate badge issuance and management.

These third parties are contractually obligated to process your data solely for the purposes defined by OpenEDG and in compliance with data protection laws. We ensure that these partners implement robust security measures to safeguard your data at all times.

Information We Collect

We may collect the following types of personal information to provide our services:

Personal Details – information like your name, email address, or date of birth, which you provide during registration.
Exam Information – test responses, results, and related performance metrics.
Learning Information – information related to your learning activities, including course progress, quiz performance, test results, lab activities, and participation in learning modules or exercises.
Device Information – browser type and version, IP address, operating system, device screen dimensions.
Audio and Video Recordings – during online proctoring, we may capture recordings to ensure test integrity.
Biometric Data and ID Verification – for some exams, we may request either a face photo or both a face photo and a photo of a valid ID, such as a student ID, passport, or government-issued ID. Sensitive details, like ID numbers, should be covered. While face photos may be retained as part of exam records, ID photos are only used for verification purposes and are securely deleted immediately after the verification process is complete. In compliance with applicable regulations, including GDPR, we always obtain explicit consent before collecting sensitive data such as biometric information or ID photos. You have the right to withdraw consent at any time by contacting us at privacy@openedg.org.

Customized Data Collection Requests

In certain cases, specific requests from clients, including educational institutions, certification agencies, businesses, or government organizations, may result in adjustments to the data collection process. For such cases:

The amount of data collected may be minimized further, depending on the requirements of the client or agency.
Proctoring data, including face photos, and ID verification data may be handled directly by local proctors designated by the client or agency.
In these cases, identity verification and proctoring oversight are conducted by local personnel, and sensitive data such as face or ID photos may not be stored in our systems at all.

This approach ensures flexibility for different clients while maintaining compliance with privacy and data protection regulations.

If your organization requires customized data processing protocols, specialized procedures, or unique data handling requirements, please contact us at privacy@openedg.org to discuss tailored solutions that align with your compliance and security standards.

How We Use Your Information

We use the information you provide to us to deliver our services effectively, securely, and in compliance with applicable laws. Here’s how we use your information:

To Administer Exams and Deliver Results – we use your information to facilitate the examination process, verify your identity, manage test submissions, and provide accurate and timely results.
To Provide E-Learning Services – your information helps us deliver e-learning materials, manage course access, and track your progress on our platforms.
To Maintain System Security and Integrity – we process data to protect our platforms from unauthorized access, prevent fraud, and ensure the reliability and security of our services.
To Communicate with You – we use your contact details to send updates, respond to your queries, and provide customer support related to exams, courses, or technical issues.
For Legal and Security Purposes – your data may be processed to comply with applicable laws and regulations (e.g. FERPA, U.S., and GDPR, EU), ensure exam integrity, and respond to lawful requests from authorities.
To Enhance and Improve Our Services – we analyze anonymized and de-identified data to better understand how our services are used and to improve their functionality and user experience.

When legally required (e.g., biometric data for ID verification, marketing communications, cookies), we obtain explicit user consent, which can be withdrawn at any time.

We may use automated tools to analyze test results, monitor proctoring sessions, or improve learning outcomes. You have the right to request human oversight for decisions made by automated systems where applicable.

We ensure that your information is processed only for these purposes and in line with your rights under U.S. and EU privacy laws.

We never sell your information to third parties, nor do we use it for commercial purposes. Your data is used solely to deliver educational services and improve our offerings.

Data Protection, Security, and Retention

We take the protection of your information seriously and employ robust measures to safeguard your data. Below is an overview of how we ensure your information remains secure:

Encryption

All data transfers between your device and our systems are encrypted using industry-standard protocols, such as TLS (Transport Layer Security). This ensures that your data is protected against unauthorized access during transmission. Sensitive information, such as passwords or payment details, is securely hashed or encrypted while stored.

Standards Compliance

We adhere to internationally recognized security and quality standards, including:

ISO 9001: Ensuring consistent delivery of high-quality services.
ISO 27001: Establishing a comprehensive Information Security Management System (ISMS) to safeguard data confidentiality, integrity, and availability.

Our compliance with these standards demonstrates our commitment to implementing best practices in data security and management.

Restricted Access

Access to your information is strictly limited to authorized personnel who require it to perform their job responsibilities. All employees and contractors with access to data undergo rigorous background checks and regular training on data privacy and security practices. Access is granted based on the principle of least privilege, ensuring that individuals only have access to the information they need.

Data Monitoring and Intrusion Prevention

We use advanced monitoring tools to detect and prevent unauthorized access, threats, or breaches. These tools help us identify suspicious activity and respond swiftly to potential security incidents.

Secure Infrastructure

Our systems are hosted on secure servers in facilities that comply with strict physical and digital security measures. Data centers are equipped with:

Physical security controls (e.g., biometric authentication and surveillance).
Redundant systems to ensure availability and resilience in the event of hardware or software failure.

Regular Audits and Assessments

We perform regular internal and third-party audits of our systems, processes, and security protocols to ensure compliance with legal and regulatory requirements. Vulnerability assessments and penetration testing are conducted periodically to identify and address potential security gaps.

Incident Response

In the event of a data breach, we have a comprehensive incident response plan in place. This ensures that breaches are identified, contained, and resolved promptly. Where required, we will notify affected users and relevant authorities in accordance with applicable laws.

Retention and Disposal

We retain personal information only for as long as necessary to provide our educational services or comply with legal and regulatory requirements. The retention periods for different types of data are as follows:

Exam Data (Responses and Logs) – retained for 5 years, after which it is simplified to general exam details such as pass/fail status, score, and exam date.
Proctoring Data – retained only for as long as the verification process is complete, plus an additional 30 days to allow users to raise any concerns about their exam results. After this period, proctoring data is permanently deleted.
Certification Records – retained indefinitely to allow users to retrieve their certification records unless deletion is requested by the user.
Learning Progress – retained indefinitely so users can access their learning history unless they request deletion.
User Account Data – deleted within 14 days after an account deletion request.
De-Identified Data – may be retained temporarily during the 14-day grace period after an account deletion request, allowing users to retrieve their account if needed. After this period, the data is either permanently deleted or transitioned into anonymized data for internal research, statistical analysis, and service improvements, unless immediate deletion is explicitly requested.
Anonymized Data – may be retained indefinitely for research, statistical analysis, and service improvements.

Users may request the deletion of their data where legally permissible. However, certain data may be retained for compliance with legal obligations, dispute resolution, or legitimate business purposes.

If you have any questions about data retention or wish to request deletion, please contact us at privacy@openedg.org.

Your Rights

We respect your rights and are committed to giving you control over your personal information. Here are your rights:

Right to Access Your Data

You have the right to request and obtain a copy of the personal data we hold about you. This includes information on how your data is being used and processed.

Right to Request Corrections

If you believe any of the personal data we hold is inaccurate or incomplete, you have the right to request corrections. We will promptly update your information to ensure its accuracy.

Right to Request Deletion

You can request the deletion of your personal data in certain circumstances, such as when it is no longer necessary for the purposes for which it was collected. Please note that we may retain certain information to comply with legal or institutional obligations, such as record-keeping or regulatory requirements. When you request to delete your account, we take the following steps:

Removal of Personally Identifiable Information (PII) – we promptly delete any identifiable data, such as your name, address, phone number, and account preferences.
Retention of Non-Identifiable Data – some non-identifiable data, such as aggregated usage statistics, may be retained indefinitely to support our legitimate business needs, comply with legal obligations, or improve our services.

Right to Restrict Processing

You may request that we limit the processing of your data in specific situations, such as if you contest the accuracy of the data or object to its processing.

Right to Data Portability

You can request that we provide your personal data in a structured, commonly used, and machine-readable format. This allows you to transfer your data to another service provider where technically feasible.

Right to Object

You have the right to object to the processing of your data in certain cases, such as when your data is used for purposes not covered by this Privacy Policy.

Right to Withdraw Consent

If you have provided consent for specific data processing activities, you have the right to withdraw your consent at any time. This will not affect the lawfulness of processing based on your consent before its withdrawal.

Right to File a Complaint

If you believe your rights have been violated, you have the right to file a complaint with the relevant data protection authority in your jurisdiction.

To exercise any of these rights or if you have questions about your data, please contact us at privacy@openedg.org.

Children’s Privacy

Protecting children's privacy is very important to us. We encourage parents and guardians to monitor and guide their children's online activities.

We comply with COPPA and require parental consent for users under 13. We do not knowingly collect personal information from children under the age of 13. If you believe your child has provided us with such information, please contact us immediately, and we will remove the child’s information from our records promptly.

Cookies, Tracking, and Log Files

We use cookies to make your experience better by:

Saving your preferences.
Improving the performance and functionality of our platforms.

You can manage or disable cookies through your browser settings. However, disabling cookies may affect how some features of our platform work.

We collect log files automatically to help us maintain and improve our services. These files may include:

IP addresses.
Browser type.
Internet Service Provider (ISP).
Date and time stamps.
Pages you visit on our platforms.

This information is used for troubleshooting, analyzing trends, and ensuring the security and reliability of our platforms.

International Data Transfers

User data is securely stored in AWS data centers located in North Virginia, United States. If you access Edube™ and TestNow™ from outside the United States, please note that your data may be transferred to, processed, and stored in the United States. We take steps to ensure that all international data transfers comply with applicable laws in the United States, the European Union, and other regions where we operate.

Compliance with US and EU Laws

We rely on Amazon Web Services (AWS) for data storage and processing, which adheres to stringent security and data protection standards, including:

GDPR Compliance: AWS provides a GDPR-compliant Data Processing Addendum (DPA) that includes Standard Contractual Clauses (SCCs), a valid mechanism for transferring data from the European Union to the United States.
Supplementary Measures: AWS has implemented additional contractual commitments to safeguard customer data in line with EU Data Protection Board (EDPB) recommendations and the Schrems II ruling.

New EU-US Data Privacy Framework

As of July 2023, data transfers between the EU and the US are supported by the new "EU-US Data Privacy Framework," adopted by the European Commission. This framework provides an updated mechanism for compliant data transfers.

Our Commitment

We work with AWS to ensure your data is handled securely, whether it is transferred within the EU, the US, or elsewhere.
We implement Standard Contractual Clauses and supplementary measures to protect your data when it is transferred internationally.
Our practices are regularly reviewed to align with evolving legal requirements in the US, EU, and other jurisdictions.

By using our platform, you acknowledge and consent to the transfer of your data as described above. For any questions about international data transfers, please contact us at privacy@openedg.org.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. If significant changes are made, we will notify you through appropriate channels, such as email or in-platform notifications.

We encourage you to review this policy regularly to stay informed about how we protect your information. Your continued use of Edube™ and TestNow™ apps after updates indicates your acceptance of the revised Privacy Policy.

How To Contact Us

If you have any questions, concerns, or feedback about this Privacy Policy, you can contact us through the appropriate regional office:

For Users in the United States

Open Education and Development Group, LLC
1013 Centre Road, Suite 403-A, Wilmington, DE, 19805
Phone: (+1) 302 498 9037
Email: privacy@openedg.org

For Users in the EU and the EMEA Region

We operate in the EU and comply with GDPR requirements. For any queries related to data protection, you can contact our Data Protection Officer (DPO):

Open Education and Development Group Europe
Jagiellońska 67F, 70-382 Szczecin, Poland
DPO: Leszek Teszka
Phone: (+48) 91 484 4437
Email: privacy-eu@openedg.org

We are committed to addressing your inquiries promptly and ensuring compliance with applicable data protection laws in both the United States and the European Union.

By using Edube™ and TestNow™ apps, you acknowledge that you have read, understood, and agreed to this Privacy Policy.