If you are based in the European Union, please note that you have the right to make a complaint at any time to your national supervisory authority for data protection issues. We would, however, appreciate the chance to deal with your concerns before you approach the regulator, so please contact us in the first instance.
Our Website is not intended for visitors under 18 years of age. No one under 18 may provide any Personal Information to or on the Website. We do not knowingly collect personal information from children. If you are under 18, do not use or provide any information on this Website or through any of its features, or provide any information about yourself to us, including your name, address, telephone number, or email address. If we learn we have collected or received Personal Information from a child, we will delete that information. If you believe we might have any information from or about a child, please contact us at firstname.lastname@example.org.
It is important that the Personal Information we hold about you is accurate and current. Please update it or keep us informed if your Personal Information changes during your relationship with us.
The Information We Collect About You
We may collect, use, store and transfer the following categories of Personal Information from our Website users. For information about the categories of Personal Information about you we collect or otherwise access as a data processor for purposes of our Services to our Customers, please contact the Customer institution on behalf of which we process your Personal Information:
- Identity Data includes your first and last name.
- Contact Data includes business phone number, email address, postal address (street address, city and state).
- Employment and Education Data includes your CV information (job applicants), job title, and employer name.
- Financial Data includes your credit card and bank account information.
- Marketing and Communications Data includes your preferences in receiving marketing from us and your communication preferences.
- Social Media Data includes information associated with your use of social networks.
- Technical Data includes internet or other electronic network activity information, including, but not limited to, information about your browser, software, equipment, IP address, domain names, access times, browsing history, search history, and information regarding your interaction with an internet website, application, cookie, or advertisement. For users of our mobile applications, we automatically collect information on the type of device you use and operating system version.
If you fail to provide Personal Information
Where we need to collect Personal Information by law, or under the terms of a contract we have with you, and you fail to provide that information when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with our Services). In this case, we may have to cancel a Service you have with us but we will notify you if this is the case at the time.
How We Collect Your Personal Information
We use different methods to collect information from and about you including through:
- Direct interactions. You may give us your Identity, Contact, Marketing and Communications, Employment and Education, and Social Media Data by filling in forms or by corresponding with us by post, phone, email, through our social media accounts, fax, or otherwise. This includes Personal Information you provide when you:
  - request a demo of our software.
  - register for or watch previous trainings, webinars, or events.
  - apply for one of our available positions at Veracross.
  - apply to become one of our Partners.
  - log into your account on our Service or visit our Websites.
  - subscribe to our Blog.
  - request marketing to be sent to you.
  - contact account or customer service teams for support.
  - request more information about our Services;
  - use our VCPay payment functionality when purchasing one of our Services; or
  - otherwise contact us.
- Third parties or publicly available sources. We will receive Personal Information about you from various third parties as set out below:
  - Technical Data from analytics providers such as Google Analytics, Google Data Studio and Pendo based outside the EU.
  - Identity, Contact, Marketing and Communications, and Technical Data from the following categories of third parties based outside the EU:
    - providers of survey services such as Survey Monkey, and Microsoft Forms
    - providers of inbound marketing such as HubSpot, Campaign Monitor and Pardot
    - advertising networks such as Google Ads (including Google Data Studio)
  - Identity and Contact Data from your school’s public website
  - Identity and Contact Data from our affiliated companies of the Veracross group of companies
  - Identity and Contact Data from our registered Partners
  - Identity, Contact, and Marketing and Communications Data from our interactions with you when we communicate with you via communications tools such as Zoom
  - Identity and Contact Data from industry associations when we exhibit at a conference which you have attended
  - If you are based in the United States, Identity and Contact Data about you we have obtained from data brokers
  - Identity and Contact Data from our Customers that engage our Services
  - Identity and Contact and Financial Data from providers of payment services, such as Bluesnap, Stripe, Authorize.net (VISA), Intuit, Network Merchants, and Spreedly based inside and outside the EU.
When we provide our Services, we collect individuals’ information under the direction of contracted educational or other institutions (our “Customers”). We process that information as a service provider for our Customers through our Services. We have no direct relationship with the individuals whose Personal Information we process through our Services. Any Personal Information about individuals that we collect on behalf of our Customers is used solely for the business purpose for which our Customers provide the information, and we will promptly comply with Customers’ requests to provide, correct, or remove information, in compliance with applicable law.
When you use our Website, whether you are an employee of a Customer, an individual with whom we interact on behalf of our Customer, or any other individual, we may collect the categories of information listed above from you directly through your interaction with the Website.
How We Use Your Personal Information
We will only use your Personal Information when the law allows us to. Most commonly, we will use your Personal Information in the following circumstances:
- Where we need to perform the contract we are about to enter into or have entered into with you or the Customer on behalf of whom we process your Personal Information to provide our Services.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Where we need to comply with a legal obligation
Click here to find out more about the types of lawful basis that we will rely on to process any Personal Information that we collect directly from you.
Generally, we do not rely on consent as a legal basis for processing your Personal Information although we will get your consent before sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us.
When we obtain your Personal Information through one of our Customers we will only use that information for purposes of our Services to that Customer, on the Customer’s behalf, and in accordance with our contract with such Customer.
Purposes for which we will use your Personal Information
We have set out below, in a table format, a description of all the ways we plan to use your Personal Information collected from our Website and, if you are based in the European Union or the UK, which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
|Purpose/Activity||Type of data||Lawful basis for processing including basis of legitimate interest|
|Performance of a contract with you (to inform you of any changes to our terms and conditions)
|To enable you to complete a survey regarding our services||Identity; Marketing and Communications||Necessary for our legitimate interests (to study how customers use our services)|
|To administer and protect our business and our Website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)||Identity||Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganization or group restructuring exercise)|
|To deliver relevant Website content to you||Identity||Necessary for our legitimate interests (to study how customers use our services, to develop them, to grow our business and to inform our marketing strategy)|
|To use data analytics to improve our Website, Services, marketing, customer relationships and experiences||Technical||Necessary for our legitimate interests (to define types of customers for our services, to keep our Website updated and relevant, to develop our business and to inform our marketing strategy)|
|To make suggestions and recommendations to you about services that may be of interest to you||Identity; Marketing and Communications||Necessary for our legitimate interests (to develop our services and grow our business)|
|To process your application as a partner with us||Identity||Performance of a contract with you or in order to take steps at your request prior to entering into a contract with you|
|To respond to your inquiries related to employment opportunities||Identity; Employment and Education||Performance of a contract with you or in order to take steps at your request prior to entering into a contract with you|
|To process your payment for our Services using our VCPay functionality||Financial||Performance of a contract|
We strive to provide you with choices regarding certain Personal Information uses, particularly around marketing. We have established the following Personal Information control mechanisms:
Promotional offers from us
We may use your Identity, Contact, Technical, and Social Media Data to form a view on what we think you may want or need, or what may be of interest to you, in which cases we rely on our legitimate interests under the GDPR. This is how we decide which services and offers may be relevant for you.
You will receive marketing communications from us if we believe you would find an interest in receiving information about our Services, if you have requested information from us or purchased services from us, and you have not opted out of receiving that marketing.
We will get your express opt-in consent before we share your Personal Information with any company outside our company for their own marketing purposes.
You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you.
Where you opt out of receiving these marketing messages, this will not apply to Personal Information provided to us as a result of a Service purchase, support experience or other transactions.
Change of purpose
We will only use your Personal Information for the purposes for which we collected it. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your Personal Information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your Personal Information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
How We Share Your Personal Information
We may share Personal Information with the categories of third-party service providers set out below for the business purposes listed in the tables above.
- Other companies within the Veracross Group, acting as joint controllers or as processors, based in the UK, the U.S., and Australia, who may use your Personal Information for their own marketing purposes.
- Our “IT” Service Providers, such as Amazon Web Services, Salesforce.com, Microsoft, Zoom, Pendo, Atlassian, Groove.co, Docusign, Citrix Sharefile, acting as processors based in the United States who provide data hosting services, data analytics services, CRM services, email or telecommunication services, or support services to our Customers.
- Our “Marketing” Service Providers, such as Pardot, Google, WordPress, Salesforce, LinkedIn, Pendo, Veracross Composer, and Groove, acting as processors and based in the U.S., who provide relevant shortform and longform content, webinar content, sales promotions, product announcements and general information via email, digital advertising and our websites to our prospects and customers on our behalf.
- Our “Recruitment” Service Providers, such as Workable, Remote.com, and VerifiedFirst, acting as processors based in the United States, who provide us with services in connection with fulfilling our available positions at Veracross.
- Professional advisers acting as processors or joint controllers including lawyers, bankers, auditors, and insurers based in the United States who provide consultancy, banking, legal, insurance and accounting services.
We may share data with our trusted partners to help perform statistical analysis, send you email or postal mail, provide customer support, or arrange for deliveries.
All such third-party service providers and Veracross affiliates with whom we may share your Personal Information are prohibited from using your Personal Information, except to provide these services to us, and they are required to maintain at least the same level of privacy protection that we maintain for your information.
We will disclose Personal Information, without notice, only if required to do so by law or in the good faith belief that such action is necessary to: (a) conform to the law or comply with legal process, such as a subpoena, served on us or the site; (b) protect and defend our rights or property; (c) act under necessary circumstances to protect the personal safety of users, or the public; and (d) in certain situations, we may be requested to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
If we are involved in a merger, acquisition, or sale of all or a portion of our assets, you will be notified via email and/or a prominent notice on our Website of any change in ownership or uses of your Personal Information, as well as any choices you may have regarding your Personal Information.
Cookies and other tracking technologies
We largely operate in the United States (“U.S.”), and therefore, if you reside outside of the U.S. you understand and agree that your Personal Information may be transferred to, stored or processed in, the U.S. by us and our third-party hosting providers. Furthermore, you understand that U.S. law may not afford the same level of protection to personal information as those afforded in your country. Personal Information may be transferred for the performance of a contract or as required for the implementation of pre-contractual measures taken at your request or to establish or exercise our legal rights.
EEA, Swiss and UK residents
Whenever we transfer your Personal Information out of the European Economic Area (“EEA”), Switzerland or the UK, we ensure a similar degree of protection is afforded to it by using specific contracts approved by the European Commission or the UK Government (as applicable) which give Personal Information the same protection it has in Europe or the UK (as applicable). For further details, see European Commission: Model contracts for the transfer of personal data to third countries and UK International data transfer agreement and guidance.
Please note that we may process, store, and transfer your personal information in and to a foreign country, with different privacy laws that may or may not be as comprehensive as Canadian law. In these circumstances, the governments, courts, law enforcement, or regulatory agencies of that country may be able to obtain access to your personal information through the laws of the foreign country. Whenever we engage a service provider, we require that its privacy and security standards adhere to this policy and applicable Canadian privacy legislation.
If you want further information on the specific mechanism used by us when transferring your Personal Information out of the EEA, Switzerland, or the UK, please contact us.
EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield
Veracross LLC and its subsidiaries participate in and have certified their compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework administered by the US Department of Commerce. We are committed to subjecting all personal data received from European Union (EU) member countries, the UK, and Switzerland, respectively, in reliance on each Privacy Shield Framework, to the Framework’s applicable Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement, and Liability. To learn more about the Privacy Shield Frameworks, and to view our certification, visit the U.S. Department of Commerce’s Privacy Shield List at https://www.privacyshield.gov/list/
Veracross is responsible for the processing of personal data it receives, under each Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. Veracross complies with the Privacy Shield Principles for all onward transfers of personal data from the EU and Switzerland, including the onward transfer liability provisions.
With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, Veracross is subject to the investigatory and enforcement authority of the U.S. Federal Trade Commission. In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
Under certain conditions, more fully described on the Privacy Shield website at https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
Please note that the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Frameworks were invalidated by the Court of Justice of the European Union (“CJEU”) in the “Schrems II” ruling of July 16, 2020. As a result, these Frameworks are no longer deemed valid for any international transfer to the U.S. of personal data from the EEA and/or Switzerland. Consequently, Veracross has, since the CJEU decision, used the Model Contract terms issued by the European Commission (see above) in connection with any transfer to the U.S. of personal data from the EEA and/or Switzerland.
Data Subject Rights
Under certain circumstances, you have rights under data protection laws in relation to your Personal Information.
Please see the glossary below to find out more about these rights:
- request access to your Personal Information.
- request correction of your Personal Information.
- request erasure of your Personal Information.
- object to the processing of your Personal Information.
- request restriction of processing your Personal Information.
- request transfer of your Personal Information.
- right to withdraw consent.
We will process your request within the time provided by applicable law.
We will not discriminate against you for exercising your data subject rights.
You will not have to pay a fee to access your Personal Information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
Exercising Your Data Subject Rights
The following section only applies to you if we collect and process your Personal Information directly and for our own purposes, not on behalf of our Customers for purposes of the Services we provide to you on their behalf. If we collect and/or otherwise process your information on behalf of one of our Customers, this section does not apply to you, and we ask that you please direct any request to exercise your data subject rights to the data owner / controller on behalf of which we process your Personal Information for purposes of our Services.
If we collect and process your Personal Information directly and for our own purposes, you may submit a request to exercise your data subject rights by sending an email via the link below: email@example.com
Individuals who submit requests to exercise data subject rights will be required to verify their identity by answering certain questions. We cannot process data subject rights requests until your identity is verified. This is a security measure to ensure that Personal Information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
If you are making a request for access, we may not be able to provide specific pieces of Personal Information if the disclosure creates a substantial, articulable, and unreasonable risk to the security of your Personal Information, your account with us, or our systems or networks.
If you are making a request for erasure of Personal Information, we will ask that you confirm that you would like us to delete the Personal Information again before your request is processed.
You may designate an authorized agent to submit a request on your behalf by providing that agent with your written permission. If an agent makes a request on your behalf, we may still ask that you verify your identity directly with us before we can honor the request.
Agents who make requests on behalf of individuals will be required to verify the request by submitting written authorization from the individual. We will not honor any requests from agents until authorization is verified.
If you are seeking to access, correct, or delete information on our Services, we may refer your request to the Customer (your educational or other institution).
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
If you are a California resident, California law may provide you with additional rights regarding our use of your personal information. To learn more about your California privacy rights, visit [here].
Nevada residents who wish to exercise their sale opt-out rights under Nevada Revised Statutes Chapter 603A may submit a request to this designated address: firstname.lastname@example.org. However, please know we do not currently sell data triggering that statute’s opt-out requirements.
Virginia residents who wish to exercise their right under the Virginia Consumer Data Protection Act (VCDPA) to opt out of the processing of their personal data for targeted advertising, personal data sales, or automated decision-making, including profiling, may submit a request to this designated address: email@example.com. However, please know we do not currently sell personal data triggering that statute’s opt-out requirements.
We will retain your information that we have collected for our own business purposes, to provide you with services, for as long as your account is active, or as needed, to provide you with the services.
If we have obtained your Personal Information on behalf of one of our Customers we will retain that Personal Information for as long as needed to provide services to our Customer.
We will retain and use this Personal Information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
To determine the appropriate retention period for Personal Information, we consider the amount, nature and sensitivity of the Personal Information, the potential risk of harm from unauthorized use or disclosure of your Personal Information, the purposes for which we process your Personal Information and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
In some circumstances you can ask us to delete your data: see [data subject rights] above for further information.
In some circumstances we will aggregate your Personal Information (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
Security of Your Personal Information
We maintain physical, electronic, and procedural safeguards designed to help secure our platform and your Personal Information, and to assist us in preventing unauthorized access, use, disclosure, loss, alteration, and destruction of that information. When you enter sensitive information or log in to our portal, we encrypt the transmission of that information using Transport Layer Security (TLS). Nevertheless, no set of security safeguards is guaranteed to be impenetrable. We cannot and do not guarantee that communications to or from our Websites or Services, or that data transmitted or stored on or through our Websites or Services, are or will be totally secure from unauthorized access, use, disclosure, loss, alteration, or destruction by third parties.
We have put in place procedures to deal with any suspected personal data breach and will notify you (with respect to any Personal Information we collect directly from you and which we process as a controller) or our Customer (with respect to any Personal Information relating to you which we process on behalf of such Customer for purposes of our Services) and any applicable regulator of a breach where we are legally required to do so.
Changes to this Policy
Attn: DPO & CISO
401 Edgewater Place, Suite 360
Wakefield, Massachusetts 01880
Email Address: firstname.lastname@example.org
Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your Personal Information for our legitimate interests. We do not use your Personal Information for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.
Performance of Contract means processing your data where it is necessary for the performance of a contract to which you or the Customer on behalf of whom we process your Personal Information to provide the Services, are a party or to take steps at your request before entering into such a contract.
Comply with a legal obligation means processing your Personal Information where it is necessary for compliance with a legal obligation that we are subject to.
Consent means any freely given, specific, informed and unambiguous indication of your wishes by which you, by a statement or by a clear affirmative action, signify agreement to the processing of Personal Information relating to you.
YOUR LEGAL RIGHTS
You have the right to:
Request access to your Personal Information (commonly known as a “data subject access request”). This enables you to receive a copy of the Personal Information we hold about you and to check that we are lawfully processing it.
Request correction of the Personal Information that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
Request erasure of your Personal Information. This enables you to ask us to delete or remove Personal Information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Information where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your Personal Information to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Object to processing of your Personal Information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your Personal Information for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
Request restriction of processing of your Personal Information. This enables you to ask us to suspend the processing of your Personal Information in the following scenarios:
- If you want us to establish the data’s accuracy.
- Where our use of the data is unlawful but you do not want us to erase it.
- Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
- You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
Request the transfer of your Personal Information to you or to a third party. We will provide to you, or a third party you have chosen, your Personal Information in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
Withdraw consent at any time where we are relying on consent to process your Personal Information. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent.
When your Personal Information was collected by any of our Customers and processed by us on behalf of such Customers please contact your educational institution to exercise any of the above rights.