Privacy and Cookie Policy
Last Updated June 25, 2020
Introduction
We ask you to read this privacy and cookie policy (“Privacy Policy”) carefully before using the CanCred Factory service which is a service issuing and managing digital credentials (“Service”).
Commitment to Privacy. Learning Agents Inc., a Canadian corporation, is the provider of the Service (“Service Provider”) and is committed to privacy by complying with Canada’s federal Personal Information Protection and Electronic Documents Act (“PIPEDA”), Ontario’s Freedom of Information and Protection of Privacy Act (“FIPPA”), British Columbia’s Freedom of Information and Protection of Privacy Act (“FOIPPA”) and the European Union’s General Data Protection Regulation (“GDPR”).
Definition of Personal Information or Personal Data. Personal information or personal data means any information about an identified or identifiable individual.
Content of this Privacy Policy. This Privacy Policy describes the types of personal information that the users of the Service (“User” or “Users”) provide to the Service Provider or the Service Provider is collecting from the Users in connection with the Service and how and why the Service Provider collects, uses, discloses and protects such personal information and the Users’ privacy rights in relation to personal data. In addition, this Privacy Policy outlines how to contact the Service Provider and supervisory authorities in the event a User would like to report a concern about the way in which the Service Provider processes personal information.
The Service. The Service strives to offer all Users a safe environment to issue and manage digital credentials (“Badges”) based on the Mozilla Open Badge standard. Users operate role-based logins (e.g. administrator, creator or issuer) on the Service to issue Badges and manage their accounts. The Service is designed to enable subscribers to the Service (“Issuers” or “Users”) to issue Badges to individuals who meet prescribed requirements (“Badge Earners”).
Designations under GDPR. For the purposes of the GDPR, the Service Provider is the “processor” of the Badge Earners’ personal data acting on behalf of and based on the instructions of the Users/Issuers, who are the “controllers” of the Badge Earners’ personal data.
Consent. Any User’s use of the Service is subject to this Privacy Policy. If a User does not consent to the processing of his/her personal information as outlined herein, the Service Provider asks the User to not use the Service.
Legal Basis in Canada. The Users’ use of the Service constitutes consent to the Service Provider’s collection, use and disclosure of personal information in accordance with this Privacy Policy. No law requires the User to provide the Service Provider with personal information.
Legal Basis in the European Union. For the applicable various legal bases of processing in the European Union please refer to the “DESCRIPTION OF PERSONAL INFORMATION, METHODS FOR ITS COLLECTION AND THE APPLICABLE LEGAL BASES” section of this Privacy Policy.
Children under the Age of 16. Individuals under the age of 16 are not permitted to use the Service or the Service website. The Service does not intentionally collect personal information from individuals under the age of 16. If the Service Provider becomes aware that it has inadvertently collected personal information about children under the age of 16, it will take steps to delete the information as soon as possible.
WITHDRAWAL OF USER CONSENT
Users may withdraw their consent to process personal information at any time by deleting their own accounts and all personal data associated with their accounts or by contacting the Service Provider to delete their accounts and all personal data associated with their accounts, provided such withdrawal is subject to legal or contractual restrictions. If the User withdraws consent, the Service Provider’s ability to provide Services to the User may be restricted or rendered impossible. The Service Provider will delete the personal information following the withdrawal of consent, however, such withdrawal will not affect the lawfulness of processing prior to withdrawal.
DESCRIPTION OF PERSONAL INFORMATION, METHODS FOR ITS COLLECTION AND THE APPLICABLE LEGAL BASES
“CONDITIONS OF SERVICE” INFORMATION. The Service collects the following information that are necessary and integral to the provision of the Service, some of which are considered personal information in certain jurisdictions, but not in others:
- Names of registered Users
- Email addresses of registered Users
- The role of the registered Users
- Names of User organizations
- Website addresses of User organizations
- Organization emails of User organizations
- Mailing addresses of User organizations
- Payment information and payment history of User organizations
- All communication, correspondence and contract history in specific matters (e.g. testimonials, service reviews, other statements)
Legal Basis in the European Union. It is the obligation of the Users who are the controllers to determine the legal basis of processing the personal data of Badge Earners. The processing of personal data is necessary for the Service Provider to perform the Service and the related promises and obligations based on the contract entered into between the User and the Service Provider or if it required for the Service Provider to comply with any legal obligations
OPTIONAL INFORMATION. The Service also collects the following information if provided by the User organization:
- Country (and province if in Canada)
- Organization type
- Description of the organization
- Logo and banner graphics
BADGE EARNERS INFORMATION. The Service also collects the following personal information:
- Email addresses of recipients of Badges (“Badge Earners”) that have been issued by the User/Issuer, as the Badges contain the Badge Earners’ names and email addresses in hashed form, which the User/Issuer has gathered. The User/Issuer acknowledges responsibility for the collection and safeguarding of the personal information of Badge Earners.
- Other personal information in the Badge may include links to the Badge Earner’s evidence and “Additional Criteria”, which can describe how an individual Badge Earner achieved a particular Badge.
Legal Basis in the European Union. It is the obligation of the Users who are the controllers to determine the legal basis of processing the personal data of Badge Earners. The processing of personal data is necessary for the Service Provider to perform the Service and the related promises and obligations based on the contract entered into between the User/Issuer and the Service Provider. The use of Badge Earners personal information will be limited to the purpose of providing the Service to the User/Issuer.
Badge Earners’ Consent. When the User/Issuer issues a Badge, the User/Issuer shares the Badge Earner’s personal information with the Service Provider. It is the User’s/Issuer’s responsibility to obtain the consent of the Badge Earners. The User/Issuer represents and warrants that the Badge Earners have consented to the collection and use of their personal information for this purpose and disclosure to the Service Provider and understand how their information will be used by the Service Provider. The Service Provider may request a copy or evidence of such consent.
When a Badge Earner receives an email notice of having earned a Badge, he/she may (i) ignore the notice, (ii) download the Badge to their computer, or (iii) direct the Badge to be transferred to a personal account on CanCred Passport, a separate free storage and sharing platform provided by the Service Provider for issued Badges serving Badge Earners. Irrespective of his/her decision, User will retain a record of the earned Badge containing the Badge Earner’s email in their Service account. Users are responsible for protecting the personal information of their Badge Earners. For more detail, please refer to the CanCred Passport Privacy Policy.
COOKIES. The Service Provider will also process personal data connected to its use of cookies that are strictly necessary to provide the Service by managing logins and keeping sessions open. No further cookies are used for any other kind of tracking purposes.:
For more information on the use of cookies, please refer to the “Cookies” section of this Privacy Policy.
Legal Basis in the European Union. The processing of personal data related to the use of strictly necessary cookies is necessary for the Service Provider to perform the Service and the related promises and obligations based on the contract entered into between the User and the Service Provider. Without use of the strictly necessary cookies, Service Provider is not able to provide the Service.
DISCLOSURE AND TRANSFER OF PERSONAL INFORMATION
The Service Provider does not sell, trade, or otherwise transfer to outside parties the User’s or Badge Earners’ personal information. This does not include trusted third parties who assist the Service Provider in operating its Service website, conducting its business, or servicing Users, so long as those parties agree to protect the personal information with a level of privacy and security protection which is same to that offered by the Service Provider. Third parties can only use or disclose personal information for purposes which have been authorized by the User in this Privacy Policy to provide necessary services to the Service Provider as specified in the contract between the Service Provider and the third party. Third parties must return or dispose any shared personal information upon completion of the contract between the Service Provider and the third party.
The Service Provider may also release the User’s personal information when the Service Provider believes release is appropriate to comply with applicable laws, the reasonable requests of law enforcement, enforce Service website or Service policies, Terms of Use or protect its or other’s rights, property, or safety.
Only the username, which each User uses to define themselves, is displayed to other users in the Service.
The Service Provider may use the following third-party services, provided by service providers, who are called subprocessors under GDPR: software development, platform maintenance and hosting.
For residents of the European Economic Area (EEA) or Switzerland, please note that the personal data the Service Provider obtains from or about Users is transferred, processed and stored in Canada, outside of the EEA or Switzerland for the purposes described in this Privacy Policy. Canada, for organizations that are subject to PIPEDA, such as the Service Provider, is considered a jurisdiction that offers an adequate level of data protection, as required by GDPR.
PURPOSES FOR COLLECTING, USING AND DISCLOSING PERSONAL INFORMATION
The Service Provider collects personal information for the following purposes:
- to open User accounts
- to verify the identity of Users of the Service
- to deliver the Service
- to inform the Users of updates, modifications and other matters relating to the Service
- to issue and display credentials of Badge Earners
- to provide support and customer services to Users
- to process payment, send purchase and billing confirmations and reminders
- to plan and develop the business activity of the Service Provider through various research methods
- to investigate and follow up in cases of suspected misuse of the Service
- to comply with legal requirements
COOKIES AND SIMILAR TECHNOLOGIES
What a Cookie is. The Service website may use “cookies”. Cookies are small text files offered to Users’ computers or devices by servers in order to keep track of a browser as a User navigates the Service website. Cookies may be stored on a User’s hard drive, or in temporary (cache) memory, in which case they are deleted when the User shuts down his/her browser or turns off his/her computer or device.
How Users Can Disable and Delete Cookies. The User can disable cookies using his/her Internet browser’s settings. Note that if the User disables cookies, certain features of the Service website may not function properly. For more information on managing cookies, please go to www.allaboutcookies.org.
STRICTLY NECESSARY OR FUNCTIONAL COOKIES. The Service Provider uses only strictly necessary cookies. The most important cookies are the functional or strictly necessary cookies that are written onto the Users’ computers or mobiles device for browsing, optimizing and customizing purposes. They are essential and help Users to navigate on the Service website and the Service and to use basic features. These cookies are strictly necessary to provide the Service by managing logins and keeping sessions open. No further cookies are used for any other kind of tracking purposes.
SOURCES OF PERSONAL INFORMATION
The Service Provider receives personal information primarily from the Users, as the data is entered into the Service by the Users. For the purposes described in this Privacy Policy, personal information may also be collected and updated from cookies. Data updating of this kind is performed manually or by automated means.
LOCATION OF PERSONAL INFORMATION
The Service Provider maintains the Service and stores and processes any personal information collected through the Service on servers located in Canada. No personal data is transferred outside Canada by the Service Provider.
PROTECTION AND SECURITY OF PERSONAL INFORMATION
The Service Provider and its third-party service providers use appropriate technical and organizational measures to protect the security of personal information provided or generated through or received as a result of the Service.
The personal information is stored in the Service databases which are secured with firewalls, passwords, backups, malware scanning and other appropriate technical and organizational measures. For example, the email addresses of Badge Earners are encrypted to prevent unauthorized access, according to the Open Badge standard. The Service databases and the backup copies of them are maintained in locked and monitored premises and can be accessed only by certain designated persons, i.e. only those of the Service Provider’s employees, who as a result of their work are entitled to process personal information with designated access rights (username, password and access level information). These persons include the Service Provider’ customer service personnel, the technical administrators of the Service and trusted third parties.
Some information may be kept outside the Service databases for the purposes of invoicing. That information is also subject to appropriate technical and organizational security measures.
The Service Provider ensures its personnel and third-party service providers abide by the appropriate confidentiality commitments. The Service Provider will strive to ensure that no stored personal information (i) disappears, (ii) is used for wrong purposes or (iii) is accessed or (iv) changed without authorization.
Users are warned not to disclose their username or password to anyone other than the Service Provider.
Data Breaches. A personal data breach is a breach of security leading to the accidental, unlawful or unauthorized destruction, loss, alteration, disclosure of, or access to personal data. Breaches can happen when personal information is stolen, lost or mistakenly shared. The Service Provider and its third-party service providers have procedures in place to deal with any suspected or actual data security breach, including risk assessment of any suspected or actual breach and maintaining records of all breaches. The Service Provider will notify the User without undue delay after becoming aware of any personal data breach and any applicable regulator of a suspected or actual data security breach where the Service Provider is legally required to do so.
Links to Third Party Websites. The Service website may contain links to other websites that are provided as a convenience only, neither owned, nor managed by the Service Provider, and which may have different privacy policies and practices than those of the Service Provider. The Service Provider has no responsibility for these third-party websites, and User is advised to review the privacy policies of any third-party websites User chooses to visit.
RETENTION OF PERSONAL INFORMATION
Personal information is retained for as long as is necessary for the Service Provider to fulfill the purposes which have been identified and consented to by the User or otherwise required by the law. If the User quits the Service, the related personal information is deleted. The User may request complete deletion of their account, which will destroy all personal information stored on the Service server. The Badge Earners can also delete their personal information on their own initiative.
USER RIGHTS
Under the PIPEDA, Users have right to
- access their personal information in the custody or control of the Service Provider and have an account of its collection and use.
- correction to have the User’s personal information corrected if it is incorrect, have incomplete personal information completed or out-of-date data updated.
- erasure to request deletion of personal information processed by the Service Provider at any time in a number of situations, except for the following situation:
- the User has an ongoing matter with the Service Provider’s customer service or technical administrator personnel.
- complain to the Service Provider and the Office of the Privacy Commissioner of Canada, if the User believes that the Service Provider has processed the personal information incorrectly.
In addition to the above rights, and if the Badge Earners reside in the United Kingdom (UK) or a country within the European Union, under GDPR, subject to certain exceptions, Badge Earners have additional rights, such as the right to data portability and the right to restrict processing. Service Provider, as a processor of the Badge Earners personal data will assist the Users, who are controllers of the Badge Earners’ personal data, by appropriate technical and organizational measures, as technically feasible and applicable, to respond to Badge Earners’ requests for exercising their rights, taking into account the nature of the processing carried out by the Service Provider.
Users can exercise their right to access, correction and erasure by accessing, modifying and/or deleting any personal information stored in the Service by logging into their Service account.
In addition, Users can exercise any of these rights by contacting the Service Provider using the information provided below in the “Contact Us” section. The Service Provider will respond to any User request within a reasonable timeframe in accordance with the applicable law.
CHANGES TO THIS PRIVACY POLICY
The Service Provider reserves the right to make adjustments to this Privacy Policy at any time and from time to time. The Service Provider suggests that Users review this Privacy Policy on a regular basis.
CONTACT
If Users have questions regarding this Privacy Policy or Users believes that the Service Provider has not abided by this Privacy Policy or wish to exercise any of their privacy rights, Users should contact the Service Provider using the information provided below:
Learning Agents Inc.
Mailing address: 134 Home Street
Winnipeg, Manitoba
CANADA
Phone number: 1 (204) 219-5933
Email address: info@learningagents.ca