Updated and effective Date: 30 January 2024
Additional information may apply to you depending on residency. If you are a resident of the United Kingdom, the European Union, or a resident of California and certain other states, there may be specific practices applicable to you as noted specifically in this policy.
Table of Contents
When we engage with a Customer or when you access or use our Services, when you request customer support or information about our Services or when you otherwise communicate with us, we may collect certain personal information about you. Personal Information, for purposes of this policy, is information that identifies, describes, or reasonably relates to an identifiable person or household, or that is otherwise defined as personal information, personal data, or protected data under applicable laws (“Personal Information”). We may collect this information from Customers, which are typically education institutions, as well as from Users, who may be educators or students.
We may collect and process all or some of the following Personal Information about you, which you may provide directly or which may be provided about you from our Customers:
Registering for an Account:
We will ask the provider of an exam (“Exam Provider” or “Customer”) to designate an employee as the key administrator for the Services. We will collect this employee’s first and last last name and email address to create an account that the Customer can use to administer the Services, create accounts for additional administrators, and access test-taker exam results.
Users, including students or test-takers (“Users”) register for an account to use the Services by providing personal information including a first and last name, student or registrant identification number, and email address. Users may also choose to provide an external identifier that will allow connection to the Services via the Exam Provider’s single sign on mechanism. We use this information to provide the User with an account and communicate with the User about their account.
Taking an Exam:
When you as a User take an exam, you provide information including your name, student or registrant identification number, phone number, email address, exam answers, and other assessment content.
Biometric Information and Audio and Video Recordings: Some Exam Providers choose to use our digital identity verification and authentication solution (“ExamID”) in conjunction with our remote proctoring solution (“ExamMonitor”) as part of the Services for your exam. When ExamID and/or ExamMonitor are used for your exam, we will present you with a Notice and Consent for Collection of Biometric and other Personal Data (“Notice and Consent”) for your review and consent prior to taking your exam. We collect the information that is set out in the Notice and Consent. As described in the Notice and Consent, the facial geometry scan and the information based on that scan that is used to authenticate your identity are considered “Biometric Data”.
Log Data: As you take an exam, in addition to collecting the exam results, we also collect information about your engagement with, and activity on, the Services.
Device Information: In addition, certain products and solutions offered as part of the Services require that prior to taking an exam, your device must be secured. In order to secure your device, ExamSoft must access and, in some instances, modify device system files. During an exam, we also record additional device-level events to help us recognize whether other services, including apps and websites are in operation on the device. We operate this process to ensure that other services are closed during the exam and to secure the device for our Services, and we do not see or capture the content of those other services. The Service may run in the background when not in use in order to provide automatic updates or to upload any previously taken exams that have yet to be uploaded.
Usage Information: When accessing and using the Services, our servers automatically collect the Internet Protocol (“IP”) address associated with your browser and device ID. We may also collect additional information such as the make and model of your device; types and versions of software being used during an exam; login timestamp; browser type and version; the operating system of the computer and language; country; the fact that an exam was uploaded and downloaded, and the associated timestamp; and areas in the Services that Users visit most frequently and features accessed most often.
Communication Information: We collect information you provide to us. For example, we collect information from you when you request customer support or information about our Services, or otherwise communicate with us.
We do not sell or rent your Personal Information, as the terms are defined under applicable laws. We use and disclose your Personal Information to operate, provide, improve, and develop our Services. Our purposes for using and disclosing your Personal Information are as follows:
Customers may correct or change the Personal Information collected during registration directly in the Services. Users may request to access, amend, correct, or delete their Personal Information by contacting their Exam Provider. We will work with the Exam Provider to respond to those requests in the time requested by the Exam Provider or otherwise as required by law.
Customers may also directly request deletion of their Users’ Personal Information at any time by contacting us at email@example.com.
We use third-party service providers, including Google Analytics, to assist us in collecting and understanding usage information. Most browsers can be set to detect browser cookies and to let a user reject them, but refusing cookies may make it difficult to use certain Services. You can learn more about the cookies within the Service in our Cookie Notice. To learn more about browser cookies, including how to manage or delete them, refer to the Tools, Help, or similar section of your web browser.
In the event that a Customer chooses to use our Services with students under the age of 13 or otherwise under the age of consent in their jurisdiction, we rely on the Customer to obtain any necessary prior, verifiable parental or legal guardian consent. We otherwise comply with our direct obligations for protecting that Personal Information. If we learn that we have inadvertently collected such Personal Information without the requisite consent, we will take steps to promptly delete it.
Parents wishing to review or request deletion of their child’s Personal Information should contact the Customer. We will work directly with our Customer to facilitate any such requests.
Customers who are subject to the Family Educational Rights and Privacy Act (“FERPA”) contract with ExamSoft as a “School Official” with a “legitimate educational interest” in providing the Services as the terms are used in FERPA §§ 99.31(a)(1). ExamSoft remains under the direct control of the Customer with respect to the use and maintenance of FERPA-protected “education records” and will use student Personal Information only as set forth in our Customer agreement and in compliance with applicable law.
We may engage with third party service providers to facilitate our delivery of the Services and to provide certain features on our behalf, such as customer support; proctoring; identity verification and authentication; data hosting; analytics; content delivery; maintenance; security; and similar functions. These third parties may require a limited amount of information, including Personal Information, in order to deliver their services on our behalf.
We implement technical, administrative, and physical safeguards to help protect the confidentiality, integrity, and availability of Personal Information. We host Customer and User Personal Information in third-party data centers that use firewalls, encryption of Personal Information, and other industry-standard technologies in an effort to prevent interference or access from outside intruders. The Internet, however, is not perfectly secure, and we are not responsible for security breaches not reasonably within our control.
We also require account identifiers and passwords that must be entered each time Customers or Users sign into the Services. You are responsible for maintaining the confidentiality of your account identifier and password. If you become aware of any unauthorized use of an account, loss of User or Customer credentials or suspect a security breach, it is your responsibility to promptly notify us at firstname.lastname@example.org.
We will retain your Biometric Data, photos, and the video and audio recordings for up to one year after your last interaction with the ExamSoft Services with the Exam Provider, or as otherwise required by law, after which we will delete the data. The Exam Provider may, at any time during this retention period, request that we delete your Personal Information, including but not limited to Biometric Information, photos, recordings, or other Personal Information, on your or on their behalf, and we will do so as permitted by law. Please note, however, that the Exam Provider may retain your Biometric Data, photos, and video and audio recordings. If you have questions about the Exam Provider’s data retention policies, please contact the Exam Provider.
We may retain certain User and Customer Personal Information for the period necessary to enable the continued use of the Services, to fulfill the purposes outlined in this Policy, for legally permissible business purposes, or as otherwise required by law. How long we retain specific Personal Information varies depending on its type and use, after which it will be deleted.
We may retain non-Personal Information, including aggregated, de-identified, or anonymized data for lawfully permissible purposes.
We send emails to Customers with information about our Services. Customers may opt out of receiving email messages by contacting us at email@example.com or by clicking on the “unsubscribe” link found at the bottom of every email that we send.
If Customers have opted out of receiving communications from us, we may still send essential communications regarding the Services to Customers or Users.
We do not send email messages on behalf of third parties.
Certain US state laws, including California, provide their residents with certain rights related to their Personal Information, as described below. We provide these rights to all US residents. Before we may fulfill a request in relation to our Services, we may be required by law to verify your identity in order to prevent unauthorized access to your data. Since we will facilitate User requests through our Customers, we will rely on their verification of your identity and our existing Customer contact information in order to process requests.
Customer employees and other Users wishing to exercise their rights as described in this section should contact the Exam Provider. We will work with them as needed should they require our assistance in fulfilling your request.
We do not “sell” or “share” Personal Information as those terms are defined under California and other applicable state privacy laws. To the extent Personal Information is shared with third parties, it is only provided to third party service providers/processors.
Please note that your exercise of the rights described below is subject to certain exemptions to safeguard the public interest (e.g., the prevention or detection of crime) and our interests (e.g., the maintenance of legal privilege). Requests to exercise these rights may be granted in whole, in part, or not at all, depending on the scope and nature of the request and applicable law. Where required by applicable law, we will notify you if we reject your request and of any reasons why we are unable to honor your request.
Right to Know and Access Information: You have the right to request access to the Personal Information we maintain about you in the ordinary course of business. This may include Personal Information we collect, use, or disclose about you.
Right of Correction: You have the right to correct inaccuracies in the Personal Information we maintain about you.
Right to Delete: You have the right to request that we delete your Personal Information.
In the case of all such requests, we may not fulfill all or part of the request as permitted or required by applicable law. For example, if you request that we delete your Personal Information, there may be certain records we are legally required to retain.
Authorized Agent: If you are an authorized agent trying to exercise rights on behalf of an ExamSoft User, please contact their Exam Provider with your supporting verification information required under applicable state law.
The chart below reflects our current practices and our practices that have been in place for the past 12 months.
|Categories of Personal Information we collect
We also collect the following sensitive Personal Information:
|Categories or sources from which the Personal Information is collected
|We collect the Personal Information directly from you or from the Exam Provider, including while interacting with the Services
|Business or commercial purpose for collecting or for sharing or selling Personal Information
We do not Sell Personal Information.
We collect your Personal Information to operate the Services, respond to your requests, and for the purposes described above in the section, “How We May Use and Disclose Your Personal Information.” This includes:
|Categories of third parties with whom we share Personal Information
| We disclose your Personal Information only to service providers who support us in delivering the services as described above.
As noted above, we do not engage in what applicable US state laws refer to as “selling” or “sharing” your Personal Information.
|Specific pieces of Personal Information we have collected in the past 12 months
If you are located outside of the United States, please be aware that your information may be transferred to, processed, and stored in the United States, Ireland or Australia, and for our Singapore Customers and Users, in Singapore.
In compliance with the Frameworks, ExamSoft commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU, UK and Swiss individuals with inquiries or complaints regarding our handling of Personal Information received in reliance on the Frameworks should first contact ExamSoft at:
Data Protection Officer
Turnitin, LLC, 2101 Webster Street, Suite 1900, Oakland 94612 CA USA
Phone: +44 (0) 191 681 0227
ExamSoft must respond within 45 days of receiving a complaint.
In compliance with the EU-US DPF and the UK Extension to the EU-US DPF and the Swiss-US DPF, ExamSoft commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (“DPAs”) and the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (“GRA”) and the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) with regard to unresolved complaints concerning our handling of Personal Information received in reliance on the respective Frameworks.
The Federal Trade Commission has jurisdiction over ExamSoft’s compliance with the Frameworks. ExamSoft will submit to binding arbitration in the event that a dispute can not be resolved by the aforementioned mechanisms. ExamSoft shall assume liability for any onward transfers of Personal Information made to third parties.
Please note that the rules in your country may provide you with additional rights or may limit these rights. In all cases, our provision of the rights will comply with the applicable laws.
If you are based in the EEA, Switzerland or the United Kingdom, for example, you may have the right to access, update or correct your Personal Information, to request deletion of such Personal Information, and to object to certain processing, including that related to marketing, to receive a machine-readable copy of the Personal Information that you provided to us, or in certain circumstances, to request us to transfer such data to an applicable third party.
In addition, where you provided your consent for any of our processing of your Personal Information, you may withdraw such consent by contacting us using the details provided in the “Contact” section.
Your exercise of these rights is subject to certain exemptions to safeguard the public interest (e.g. the prevention or detection of crime) and our interests (e.g., the maintenance of legal privilege). To exercise your rights, please contact your Exam Provider. We will work with them to facilitate your request in circumstances in which they require our assistance.
The “Last Updated” note at the top of this policy indicates when it was last revised, and updates will become effective when they are posted.
Our Data Protection Officer may be reached at DPO@turnitin.com.