Product Privacy Policy

Updated and effective Date: 30 January 2024

This Privacy Policy applies to the ExamSoft assessment platforms, and the solutions used within those platforms (collectively the “Services” or the “Service”) owned and operated by ExamSoft Worldwide LLC (“ExamSoft,” “we,” “us” “our”), and is intended to inform our customers (“Customers”) and their users (“users,” “you,” “your”) how we may collect, use, process, store and disclose your Personal Information when interacting with the Services. This Privacy Policy also describes your choices regarding our use and your access and changes to your Personal Information.

Additional information may apply to you depending on residency. If you are a resident of the United Kingdom, the European Union, or a resident of California and certain other states, there may be specific practices applicable to you as noted specifically in this policy.

For the sake of clarity, this Privacy Policy does not apply to our website, which is governed by the privacy policy available here.

By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy.

Table of Contents


Personal Information We Collect

When we engage with a Customer or when you access or use our Services, when you request customer support or information about our Services or when you otherwise communicate with us, we may collect certain personal information about you. Personal Information, for purposes of this policy, is information that identifies, describes, or reasonably relates to an identifiable person or household, or that is otherwise defined as personal information, personal data, or protected data under applicable laws (“Personal Information”). We may collect this information from Customers, which are typically education institutions, as well as from Users, who may be educators or students.

We may collect and process all or some of the following Personal Information about you, which you may provide directly or which may be provided about you from our Customers:

Registering for an Account:

We will ask the provider of an exam (“Exam Provider” or “Customer”) to designate an employee as the key administrator for the Services. We will collect this employee’s first and last last name and email address to create an account that the Customer can use to administer the Services, create accounts for additional administrators, and access test-taker exam results.

Users, including students or test-takers (“Users”) register for an account to use the Services by providing personal information including a first and last name, student or registrant identification number, and email address. Users may also choose to provide an external identifier that will allow connection to the Services via the Exam Provider’s single sign on mechanism. We use this information to provide the User with an account and communicate with the User about their account.

Taking an Exam:

When you as a User take an exam, you provide information including your name, student or registrant identification number, phone number, email address, exam answers, and other assessment content.

Biometric Information and Audio and Video Recordings: Some Exam Providers choose to use our digital identity verification and authentication solution (“ExamID”) in conjunction with our remote proctoring solution (“ExamMonitor”) as part of the Services for your exam. When ExamID and/or ExamMonitor are used for your exam, we will present you with a Notice and Consent for Collection of Biometric and other Personal Data (“Notice and Consent”) for your review and consent prior to taking your exam. We collect the information that is set out in the Notice and Consent. As described in the Notice and Consent, the facial geometry scan and the information based on that scan that is used to authenticate your identity are considered “Biometric Data”.

Log Data: As you take an exam, in addition to collecting the exam results, we also collect information about your engagement with, and activity on, the Services.

Device Information: In addition, certain products and solutions offered as part of the Services require that prior to taking an exam, your device must be secured. In order to secure your device, ExamSoft must access and, in some instances, modify device system files. During an exam, we also record additional device-level events to help us recognize whether other services, including apps and websites are in operation on the device. We operate this process to ensure that other services are closed during the exam and to secure the device for our Services, and we do not see or capture the content of those other services. The Service may run in the background when not in use in order to provide automatic updates or to upload any previously taken exams that have yet to be uploaded.

Usage Information: When accessing and using the Services, our servers automatically collect the Internet Protocol (“IP”) address associated with your browser and device ID. We may also collect additional information such as the make and model of your device; types and versions of software being used during an exam; login timestamp; browser type and version; the operating system of the computer and language; country; the fact that an exam was uploaded and downloaded, and the associated timestamp; and areas in the Services that Users visit most frequently and features accessed most often.

To collect this information, we use cookies. Cookies are small data files sent by the Services and stored on the computer or device. Cookies store information related to your browser to enable us to recognize the browser on return visits to the Services and to remember your preferences.

Communication Information: We collect information you provide to us. For example, we collect information from you when you request customer support or information about our Services, or otherwise communicate with us.


How We Use and Disclose Your Personal Information

We do not sell or rent your Personal Information, as the terms are defined under applicable laws. We use and disclose your Personal Information to operate, provide, improve, and develop our Services. Our purposes for using and disclosing your Personal Information are as follows:

  • To understand, measure, and improve our Services for legally permissible purposes, including, but not limited to, analyzing the performance of our Services, improving our Services, research, product development, and/or to offer customized service suggestions.
  • To provide the Services to our Customers and their Users, including reporting on your performance to the Exam Provider and providing, as applicable: digital identity verification and remote proctoring services when requested by Customers and consented to by users; reporting on use of the Services; enabling the ability to upload and administer the exams, including to customize exam review parameters, review results, and diagnose technical problems; to administer and help secure the Services; and to access analytics and log information about exam performance and usage of the Services.
  • To create and manage log-in credentials, for the creation, maintenance, and administration of Customer and User accounts, and to authenticate Users on behalf of Exam Providers.
  • To provide customer support, including via email or text message to resolve a problem or support issue, to notify Customers or Users about updates, changes or issues impacting the Services and to otherwise communicate and solicit feedback on Customer experiences with the Services.
  • To protect our rights, such as to establish or exercise our legal rights or defend against claims. For example, sharing may be necessary in order to assert a legal claim or defense, such as to enforce our Exam Taker End User License Agreement.
  • In relation to a known or suspected violation of our terms of use, fraud prevention or other unlawful use, including to share Personal Information with entities assisting us in an investigation and as may be required by applicable law.
  • In connection with legal or regulatory obligations, including to disclose your Personal Information as necessary to protect our rights or the rights and safety of our users, or as necessary in the event of a court order, regulatory inquiry or other lawful request. Provided, however, that unless legally prohibited, we will direct any such request to you or notify you before responding unless to do so would prejudice the prevention or detection of a crime.
  • In the event of a reorganization, merger, sale, assignment, bankruptcy, or similar business change, we may need to transfer your Personal Information to that re-organized entity or new owner after the sale or reorganization for them to use in accordance with this Privacy Policy.
  • To provide our Customers with updates and offers about our Services. At any time, you may unsubscribe or opt-out of further communication on any electronic marketing communication by using the link labeled “unsubscribe” available in each email communication or by contacting us at unsubscribe@turnitin.com.

How You May Modify Your Information

Customers may correct or change the Personal Information collected during registration directly in the Services. Users may request to access, amend, correct, or delete their Personal Information by contacting their Exam Provider. We will work with the Exam Provider to respond to those requests in the time requested by the Exam Provider or otherwise as required by law.

Customers may also directly request deletion of their Users’ Personal Information at any time by contacting us at privacy@examsoft.com.


Cookies

We use third-party service providers, including Google Analytics, to assist us in collecting and understanding usage information. Most browsers can be set to detect browser cookies and to let a user reject them, but refusing cookies may make it difficult to use certain Services. You can learn more about the cookies within the Service in our Cookie Notice. To learn more about browser cookies, including how to manage or delete them, refer to the Tools, Help, or similar section of your web browser.


Children’s Privacy

In the event that a Customer chooses to use our Services with students under the age of 13 or otherwise under the age of consent in their jurisdiction, we rely on the Customer to obtain any necessary prior, verifiable parental or legal guardian consent. We otherwise comply with our direct obligations for protecting that Personal Information. If we learn that we have inadvertently collected such Personal Information without the requisite consent, we will take steps to promptly delete it.

Parents wishing to review or request deletion of their child’s Personal Information should contact the Customer. We will work directly with our Customer to facilitate any such requests.


Family Educational Rights and Privacy Act (FERPA)

Customers who are subject to the Family Educational Rights and Privacy Act (“FERPA”) contract with ExamSoft as a “School Official” with a “legitimate educational interest” in providing the Services as the terms are used in FERPA §§ 99.31(a)(1). ExamSoft remains under the direct control of the Customer with respect to the use and maintenance of FERPA-protected “education records” and will use student Personal Information only as set forth in our Customer agreement and in compliance with applicable law.


Third Party Service Providers

We may engage with third party service providers to facilitate our delivery of the Services and to provide certain features on our behalf, such as customer support; proctoring; identity verification and authentication; data hosting; analytics; content delivery; maintenance; security; and similar functions. These third parties may require a limited amount of information, including Personal Information, in order to deliver their services on our behalf.


Security

We implement technical, administrative, and physical safeguards to help protect the confidentiality, integrity, and availability of Personal Information. We host Customer and User Personal Information in third-party data centers that use firewalls, encryption of Personal Information, and other industry-standard technologies in an effort to prevent interference or access from outside intruders. The Internet, however, is not perfectly secure, and we are not responsible for security breaches not reasonably within our control.

We also require account identifiers and passwords that must be entered each time Customers or Users sign into the Services. You are responsible for maintaining the confidentiality of your account identifier and password. If you become aware of any unauthorized use of an account, loss of User or Customer credentials or suspect a security breach, it is your responsibility to promptly notify us at informationsecurity@turnitin.com.


Data Retention

We will retain your Biometric Data, photos, and the video and audio recordings for up to one year after your last interaction with the ExamSoft Services with the Exam Provider, or as otherwise required by law, after which we will delete the data. The Exam Provider may, at any time during this retention period, request that we delete your Personal Information, including but not limited to Biometric Information, photos, recordings, or other Personal Information, on your or on their behalf, and we will do so as permitted by law. Please note, however, that the Exam Provider may retain your Biometric Data, photos, and video and audio recordings. If you have questions about the Exam Provider’s data retention policies, please contact the Exam Provider.

We may retain certain User and Customer Personal Information for the period necessary to enable the continued use of the Services, to fulfill the purposes outlined in this Policy, for legally permissible business purposes, or as otherwise required by law. How long we retain specific Personal Information varies depending on its type and use, after which it will be deleted.

We may retain non-Personal Information, including aggregated, de-identified, or anonymized data for lawfully permissible purposes.


Opt-Out Policy

We send emails to Customers with information about our Services. Customers may opt out of receiving email messages by contacting us at unsubscribe@turnitin.com or by clicking on the “unsubscribe” link found at the bottom of every email that we send.

If Customers have opted out of receiving communications from us, we may still send essential communications regarding the Services to Customers or Users.

We do not send email messages on behalf of third parties.


Notice For California and Other US Residents

Certain US state laws, including California, provide their residents with certain rights related to their Personal Information, as described below. We provide these rights to all US residents. Before we may fulfill a request in relation to our Services, we may be required by law to verify your identity in order to prevent unauthorized access to your data. Since we will facilitate User requests through our Customers, we will rely on their verification of your identity and our existing Customer contact information in order to process requests.

Customer employees and other Users wishing to exercise their rights as described in this section should contact the Exam Provider. We will work with them as needed should they require our assistance in fulfilling your request.

We do not “sell” or “share” Personal Information as those terms are defined under California and other applicable state privacy laws. To the extent Personal Information is shared with third parties, it is only provided to third party service providers/processors.

Please note that your exercise of the rights described below is subject to certain exemptions to safeguard the public interest (e.g., the prevention or detection of crime) and our interests (e.g., the maintenance of legal privilege). Requests to exercise these rights may be granted in whole, in part, or not at all, depending on the scope and nature of the request and applicable law. Where required by applicable law, we will notify you if we reject your request and of any reasons why we are unable to honor your request.

Right to Know and Access Information: You have the right to request access to the Personal Information we maintain about you in the ordinary course of business. This may include Personal Information we collect, use, or disclose about you.

Right of Correction: You have the right to correct inaccuracies in the Personal Information we maintain about you.

Right to Delete: You have the right to request that we delete your Personal Information.

In the case of all such requests, we may not fulfill all or part of the request as permitted or required by applicable law. For example, if you request that we delete your Personal Information, there may be certain records we are legally required to retain.

Authorized Agent: If you are an authorized agent trying to exercise rights on behalf of an ExamSoft User, please contact their Exam Provider with your supporting verification information required under applicable state law.

Non-discrimination: We will not discriminate or otherwise penalize anyone for exercising their rights under applicable law or this Privacy Policy.

The chart below reflects our current practices and our practices that have been in place for the past 12 months.


Categories of Personal Information we collect
  • Online identifiers, including Internet Protocol address;
  • Personal information including your name, under subdivision (e) of California Business and Professions Code Section 1798.80
  • Email address, phone number, and identification number;
  • Internet or other electronic network activity information related to your use of our Services;
  • Geolocation data;
  • Audio and video recordings of you taking an exam (when ExamMonitor is used by the Exam Provider, and you consent to its use);
  • Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99);
  • If you contact ExamSoft, we will collect identifiers such as your full name, email address, and phone number.

We also collect the following sensitive Personal Information:

  • Biometric Data as described above (when ExamID is used by the Exam Provider, and you consent to its use);
  • Log Data.
Categories or sources from which the Personal Information is collectedWe collect the Personal Information directly from you or from the Exam Provider, including while interacting with the Services
Business or commercial purpose for collecting or for sharing or selling Personal Information

We do not Sell Personal Information.

We collect your Personal Information to operate the Services, respond to your requests, and for the purposes described above in the section, “How We May Use and Disclose Your Personal Information.” This includes:

  • Providing the Services in accordance with our contract with the Customer and our Terms of Use, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, and verifying Customer information;
  • Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity;
  • Debugging to identify and repair errors that impair existing intended functionality;
  • To help us better understand how our Services are used
  • Undertaking internal research for technological development;
  • Sending you information and updates about our Services.
Categories of third parties with whom we share Personal Information We disclose your Personal Information only to service providers who support us in delivering the services as described above.
As noted above, we do not engage in what applicable US state laws refer to as “selling” or “sharing” your Personal Information.
Specific pieces of Personal Information we have collected in the past 12 months
  • From Customers: First name, last name, email address, institution name;
  • When you take an exam: First name, last name, email address, phone number, student or other registration ID, audio and video of you taking the exam (when ExamMonitor is used by the Exam Provider, and you consent to its use), a geometric scan of your face (when ExamID is used by the Exam Provider, and you consent to its use), your photo, your exam or other assessment results;
  • Internet Protocol address, device ID;
  • Geolocation;
  • Internet or other electronic network activity information described above in the section titled, “Usage Information.”

GDPR Information

When we operate our Services in support of a Customer, we function as a “data processor” under the EU and UK General Data Protection Regulations. Our processing of your Personal Information is governed by this Privacy Policy as well as the contractual agreement with the Customer.


For All International Users

If you are located outside of the United States, please be aware that your information may be transferred to, processed, and stored in the United States, Ireland or Australia, and for our Singapore Customers and Users, in Singapore.

By submitting your Personal Information, you acknowledge that we may transfer, process, and store your Personal information in this way. Wherever the Personal Information is, it will be treated securely and in accordance with this Privacy Policy and applicable privacy laws of the United States. These laws may be different from the privacy laws in your country. However, this does not change our commitments to safeguard your privacy, and we will comply with all applicable laws relating to the cross-border data disclosure of your personal information. Where required, we will implement Standard Contractual Clauses with our third parties or rely on such other transfer mechanisms to ensure that the transfer of your Personal Information outside of the EEA, Switzerland and the United Kingdom is lawful. You may request details of the transfer mechanisms that we rely on to transfer Personal Information outside of these regions by emailing us at DPO@turnitin.com.


EU-US Data Privacy Framework Certification

ExamSoft Worldwide LLC, and its group company, Turnitin, comply with the EU-US Data Privacy Framework (“EU-US DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-US DPF) (collectively, the “Frameworks”) as set forth by the U.S. Department of Commerce. ExamSoft has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (“EU-US DPF Principles”) with regard to the processing of Personal Information received from the European Union in reliance on the EU-US DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-US DPF. ExamSoft has certified to the U.S. Department of Commerce that it adheres to the Swiss-US Data Privacy Framework Principles (“Swiss-US DPF Principles”) with regard to the processing of Personal Information received from Switzerland in reliance on the Swiss-US DPF. If there is any conflict between the terms in this Privacy Policy and the EU-US DPF Principles and/or the Swiss-US DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (“DPF”) program, and to view our certification, please visit https://www.dataprivacyframework.gov.

In compliance with the Frameworks, ExamSoft commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU, UK and Swiss individuals with inquiries or complaints regarding our handling of Personal Information received in reliance on the Frameworks should first contact ExamSoft at:

Data Protection Officer
Turnitin, LLC, 2101 Webster Street, Suite 1900, Oakland 94612 CA USA
Phone: +44 (0) 191 681 0227
Email: DPO@turnitin.com

ExamSoft must respond within 45 days of receiving a complaint.

In compliance with the EU-US DPF and the UK Extension to the EU-US DPF and the Swiss-US DPF, ExamSoft commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (“DPAs”) and the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (“GRA”) and the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) with regard to unresolved complaints concerning our handling of Personal Information received in reliance on the respective Frameworks.

The Federal Trade Commission has jurisdiction over ExamSoft’s compliance with the Frameworks. ExamSoft will submit to binding arbitration in the event that a dispute can not be resolved by the aforementioned mechanisms. ExamSoft shall assume liability for any onward transfers of Personal Information made to third parties.


Additional Data Rights

Please note that the rules in your country may provide you with additional rights or may limit these rights. In all cases, our provision of the rights will comply with the applicable laws.

If you are based in the EEA, Switzerland or the United Kingdom, for example, you may have the right to access, update or correct your Personal Information, to request deletion of such Personal Information, and to object to certain processing, including that related to marketing, to receive a machine-readable copy of the Personal Information that you provided to us, or in certain circumstances, to request us to transfer such data to an applicable third party.

In addition, where you provided your consent for any of our processing of your Personal Information, you may withdraw such consent by contacting us using the details provided in the “Contact” section.

Your exercise of these rights is subject to certain exemptions to safeguard the public interest (e.g. the prevention or detection of crime) and our interests (e.g., the maintenance of legal privilege). To exercise your rights, please contact your Exam Provider. We will work with them to facilitate your request in circumstances in which they require our assistance.


Updates to This Privacy Policy

This Policy may be modified from time to time, as our services evolve. So that you are aware when changes have been made, we will adjust the “Last Updated” date at the beginning of this Privacy Policy and, when required by applicable law or regulation, we may also provide notice by email or within the Service.

The “Last Updated” note at the top of this policy indicates when it was last revised, and updates will become effective when they are posted.


Contact Information

If you have questions regarding this Privacy Policy, or if you have any concerns or complaints about how we handle your Personal Information, please write by email to privacy@examsoft.com or by postal mail to 2101 Webster St., Suite 19800 Oakland, California 94612

If you have concerns or complaints regarding this Privacy Policy or our data handling procedures, you may have a right to lodge a complaint with a supervisory authority.

Our Data Protection Officer may be reached at DPO@turnitin.com.