GENERAL DATA PROTECTION REGULATION (GDPR) PRIVACY NOTICE
In accordance with the GDPR, this notice describes how we process personal data transferred to us by persons or entities located in the European Union at the time the data is released.
To protect your privacy, we follow these principles:
- We do not collect more personal data than necessary.
- We use and disclose personal data only as described in this notice (and as you may further agree).
- We do not keep personal data longer than necessary.
What data do we collect?
Online Account. You must have an online account to order services. However, you only need to provide the following information to set up the account (we do not collect additional data until you are ready to place an order):
- Email address
- Account username and password
Orders. When you place an order, and sometimes during the evaluation process, we collect the following additional data:
- Any previously used names that may appear on educational records
- Contact and delivery information (home address, phone number)
- Date of birth
- Educational history
- Official educational records (paper and/or electronic)
- Evaluation report purpose (e.g., further education, professional licensure, etc.)
- Additional evaluation report delivery addresses or recipients, if any
- Communications related to your order
- Order and purchase history (we do not record/store payment card numbers or bank account information)
- In limited cases we request identification, if necessary to confirm identity and resolve discrepancies between the educational records and information submitted
Using cookies, we may also collect information related to the device used to visit our website (for session management, user settings and preferences, custom ad content, etc.)
You can delete an online account, with or without erasing your personal data from our system. To delete an existing account and/or erase personal data, please see “Contact us with GDPR questions or requests” below.
To better manage resources, we delete accounts created more than a year ago if they have not been used to place an order.
How do we collect data?
You provide most of the information we collect when you:
- Visit our website (cookies and similar technologies may collect information about your device to improve your experience on our site)
- Create an online account
- Order services
- Communicate with us about an order
- Submit educational records to us
We receive information directly from educational, governmental, or professional institutions or private verification services (collectively, “Institutions”) when:
- You instruct one or more Institutions to submit educational records directly to us.
- We contact one or more Institutions to confirm the authenticity of educational records.*
*We reserve the right to verify records in this manner; however, we do this only if we determine we cannot issue a report without first receiving direct confirmation that the records submitted to us are authentic.
Processing personal data: our lawful basis and purpose
Lawful Basis. When you order an evaluation report, you must submit a completed application form. This creates a contract with us. We need personal data to establish the contract and perform the related services. This constitutes our lawful basis for processing personal data. In relation to marketing communications, our lawful basis is consent.
Purpose. We collect personal data so we can process your application, evaluate your education, and deliver the services you ordered.
How do we use personal data?
We use personal data only as described in this notice (and as you may further agree):
- To manage your online account and process your order
- To prepare our evaluation report and deliver it to you
- To deliver paper or electronic report copies to any recipients you designate (electronic delivery may include copies of your educational records)
- To improve your experience on our website
- For purposes of marketing communications and ad content, if you have agreed
Sometimes we share personal data:
- With relevant educational, governmental, and professional institutions and private verification services (collectively, “Institutions”) to confirm the authenticity of educational records submitted to us. This involves the transfer of personal data to one or more Institutions outside the United States.
- With Institutions, including other evaluation services, if we determine false information or forged, altered, or falsified records were submitted (see “How long do we retain personal data?” below for more on how we process data in cases of falsified records).
- In response to a court order or subpoena.
How do we store personal data?
We keep personal data on secure servers in our offices in Milwaukee, WI, USA, on secure off-site backup servers just outside Milwaukee, and in secure cloud-based storage.
We store paper records containing personal data in our offices in Milwaukee, WI. Our office space is access-restricted and closed to the public.
We have implemented appropriate technical and organizational measures to secure all personal data and protect it from unauthorized access or disclosure.
How long do we retain personal data?
Normally you may order copies of an evaluation report for five years after it was first issued. Therefore, we retain personal data for five years. However, we reserve the right not to issue report copies and the right to change the period during which we will issue copies.
We reserve the right to retain beyond five years any information that is not personally identifiable. Additionally, if we determine false information or falsified records were submitted to us at any time, we will: (1) retain all falsified records beyond five years; and (2) retain the following personal data beyond five years: name(s), birthdate, school, and the fact that falsified records were submitted to us. We do this to deter and identify further use of falsified records.
If you consent, we may send you marketing communications. If you have agreed to such communications, you may stop them at any time. You have the right to object to the use of personal data for direct marketing purposes. If you decline to receive marketing communications, you will still receive communications related to your account and any services you ordered.
Your data protection rights
If your data is covered by the GDPR, you have the following rights:
- Access. To access this privacy notice; and to obtain a list or copy of the personal data we possess (Art. 15).
- Rectification. To have inaccurate personal data corrected; and to have incomplete personal data made complete, taking into consideration the processing purposes (Art. 16).
- Erasure (the “right to be forgotten”). To have personal data erased (Art. 17).
- Restriction. To restrict processing of personal data, under certain conditions (Art. 18).
- Portability. To receive the personal data or have it sent to another party (Art. 20).
- Objection. To object to the processing of personal data if it is used for direct marketing purposes or if the legal basis for such processing is the “public interest” or the controlling party’s “legitimate interest” (Art. 21).
- Automated individual decision-making. To not be subject to a decision based solely on automated processing or profiling if it has legal or comparably significant effects for you (Art. 22).
What are cookies?
Cookies are text files placed on a computer or device when it is used to visit a website. They collect information to enable certain site functions and customize user experience. When you visit our site, we may automatically collect information using cookies or similar technologies. For more information about cookies, visit www.allaboutcookies.org.
How to manage your cookies
You can set your browser not to accept cookies. Visit www.allaboutcookies.org to learn how to remove cookies from your browser. Please note that, without cookies, some features of our website may not work for you.
We may review and update this privacy notice from time to time. It was last updated on June 20, 2022.
Contact us with GDPR questions or data rights requests
Do you have questions or wish to exercise a data right (such as delete an account and/or erase personal data)? If so, please chat with a Customer Care Specialist via LiveChat (click "Contact Us Now" on the lower right). A Customer Care Specialist or, if needed, the ECE® Compliance and Contract Officer will assist you. LiveChat communications may be recorded for quality control and customer service purposes.
Contact GDPR authorities
You have the right to submit a complaint to a supervisory authority. If you feel we have not satisfactorily addressed your concerns, you may contact the Information Commissioner’s Office at https://ico.org.uk/make-a-complaint/.