Privacy Policy
This Privacy Policy explains how Edorer ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our Learning Management System (LMS) — including course delivery, training programmes, assessments, certifications, and proctored examinations — across universities, companies, and other organisations.
Overview & Scope
Edorer is a Learning Management System (LMS) used by universities, educational institutions, corporations, and other organisations to deliver courses, training programmes, skill assessments, certifications, and proctored examinations. Our platform serves a wide range of users — from university students and faculty to corporate employees, new hires undergoing onboarding assessments, and job candidates taking pre-employment evaluations.
This Privacy Policy applies to all personal data processed through the Edorer platform, regardless of how you access it (web browser, mobile application, or API integration). It covers data collected during account registration, course participation, learning activities, assessments, certifications, proctored exams, and general platform usage.
If you are taking a proctored examination on Edorer, please pay special attention to Sections 7, 8, and 9 which detail how your webcam, audio, and screen recording data is collected, processed, and retained. You will be asked to provide explicit consent before any proctored session begins.
Who Are You (User Types)
Edorer processes personal data for various categories of users. The type and extent of data we collect depends on your role on the platform:
| User Type | Description | Typical Data Processed |
|---|---|---|
| Student | University or institutional students enrolled in courses, programmes, or degree tracks on Edorer | Identity, academic records, submissions, grades, learning progress, exam data, proctoring data (if applicable) |
| Job Candidate | Individuals taking pre-employment assessments, skill tests, or hiring evaluations administered through Edorer by a prospective employer | Identity, assessment responses, scores, proctoring data (if applicable), recruiter-shared evaluation reports |
| Employee / Trainee | Corporate employees, new hires, or contractors undergoing onboarding, compliance training, upskilling, or certification programmes | Identity, employment context, training progress, completion records, assessment scores, compliance status, certificates |
| Instructor / Trainer | University faculty, corporate trainers, or subject matter experts who create, manage, or deliver courses and assessments | Identity, contact details, course content, grading activity, communication records |
| Administrator | Institutional or corporate administrators who manage users, configure settings, and oversee platform usage | Identity, contact details, access logs, administrative actions |
If you are taking a pre-employment assessment, your data may be shared with the hiring organisation as described in Section 10. Your assessment results and any proctoring data will be accessible to authorised recruiters and hiring managers at the organisation that invited you to the assessment. You have the right to request a copy of your data and to object to processing — see Section 12.
Data Controller & Processor Roles
The relationship between Edorer and the organisations that use our platform determines how responsibilities for your personal data are allocated:
When Edorer Acts as Data Processor
In most cases, the university, educational institution, or company ("Organisation") that has engaged Edorer to deliver training or assessments is the data controller. The Organisation determines why and how your personal data is processed. Edorer acts as the data processor, processing data on the Organisation's behalf and in accordance with their instructions. A Data Processing Agreement (DPA) governs this relationship, ensuring your data is handled with appropriate safeguards.
When Edorer Acts as Data Controller
Edorer acts as the data controller when processing data for its own purposes, including: managing your Edorer platform account; providing customer support; sending platform-related communications; processing payments; analytics to improve the platform; and ensuring the security and integrity of the platform.
If your university or employer enrolled you in Edorer, they are the primary data controller for your learning and assessment data. For questions about how your data is used in that context, you should contact your Organisation's privacy team first. For questions about your Edorer account and platform-level data, contact us at collaborate@edorer.com.
Data We Collect
Depending on your user type and how you interact with our platform, we may collect the following categories of personal data:
| Category | Data Elements | Applicable Users |
|---|---|---|
| Identity Data | Full name, date of birth, profile photograph, student/employee/candidate ID number | All users |
| Contact Data | Email address, phone number, postal address | All users |
| Organisational Data | University name, degree programme, employer name, department, job title, hire date, manager name | Students, Employees, Candidates |
| Learning & Training Data | Course enrolments, module progress, time spent on content, video watch history, learning path completion, competency milestones | Students, Employees, Trainees |
| Assessment Data | Quiz and exam responses, scores, grades, attempt history, skill evaluation results, certification status, pass/fail outcomes | Students, Employees, Candidates |
| Submission Data | Assignments, projects, essays, code submissions, uploaded files, peer review feedback | Students, Employees |
| Certification & Credential Data | Certificates earned, credential IDs, issuance dates, expiry dates, continuing education credits, compliance completion records | Students, Employees |
| Communication Data | Discussion forum posts, chat messages, instructor feedback, support tickets, notification preferences | All users |
| Technical Data | IP address, browser type and version, device ID, operating system, login timestamps, session duration | All users (automatic) |
| Usage & Analytics Data | Pages visited, features used, clickstream, content engagement metrics, search queries within the platform | All users (automatic) |
| Proctoring Data ⬇ | Webcam, audio, screen recordings, browser activity, flagged events — see Section 7 | Users in proctored exams only |
Some of the data above (such as your name, email, employee ID, department, or enrolment details) may be provided to Edorer directly by your university or employer when they provision your account. In such cases, the Organisation is responsible for ensuring they have a lawful basis to share this data with us.
How We Use Your Data
Learning & Course Delivery
To deliver courses, training modules, and educational content; to track your learning progress and completion; to enable instructor-student or trainer-trainee interactions; and to personalise your learning experience based on your progress and preferences.
Assessments, Grading & Certification
To administer quizzes, exams, assignments, and skill evaluations; to calculate and record grades and scores; to issue certificates and credentials upon successful completion; and to maintain verifiable records of certifications for you and your Organisation.
Pre-Employment & Hiring Assessments
To administer skill tests, aptitude assessments, and evaluation exercises on behalf of hiring organisations; to generate score reports and evaluation summaries for recruiters and hiring managers; and to ensure the integrity of the assessment process.
Corporate Training & Compliance
To deliver mandatory compliance training (e.g., data protection, workplace safety, anti-harassment); to track completion status and generate compliance reports for the Organisation; and to issue and manage continuing education credits and recertification reminders.
Examination Integrity (Proctoring)
To administer proctored examinations, verify candidate identity, monitor exam sessions, detect potential academic misconduct, and support post-exam reviews. This is a specific processing activity detailed in Sections 7–9.
Platform Operations & Security
To manage user accounts and authentication; to ensure the security, availability, and performance of the platform; to detect and prevent fraud, abuse, or unauthorised access; and to provide technical support.
Analytics & Improvement
To analyse platform usage patterns in aggregated and anonymised form; to generate institutional learning analytics and reports for Organisations; to improve the user experience; and to develop new features. Individual-level analytics are shared only with the relevant Organisation and never with third parties for commercial purposes.
Communication
To send transactional notifications (assignment deadlines, grade publications, certificate issuances, system alerts); to enable messaging between users within the platform; and, with your consent, to send product updates or educational newsletters.
Legal Basis for Processing
Edorer processes personal data under the following legal bases as provided by the General Data Protection Regulation (GDPR):
| Legal Basis | GDPR Article | When It Applies |
|---|---|---|
| Contractual Necessity | Art. 6(1)(b) | Processing required to deliver the LMS services — course access, assessments, grading, certification, account management. This applies when you or your Organisation have contracted with Edorer for these services. |
| Legitimate Interest | Art. 6(1)(f) | Platform security, fraud prevention, aggregated analytics, service improvement, and maintaining examination integrity. We conduct Legitimate Interest Assessments (LIAs) for each purpose. |
| Explicit Consent | Art. 6(1)(a) | Proctoring data (webcam, audio, screen recordings), marketing communications, non-essential cookies, and any processing of special category data. Consent is freely given, specific, informed, and withdrawable. |
| Legal Obligation | Art. 6(1)(c) | Compliance with applicable laws, such as tax regulations for payment processing, mandatory record-keeping for accredited programmes, and responding to lawful government requests. |
| Public Interest | Art. 6(1)(e) | Where the Organisation is a public university or government body and processing is necessary for a task carried out in the public interest (e.g., accredited degree programmes). |
Proctoring Data Collection
This section specifically governs the collection and processing of personal data during proctored examinations conducted through the Edorer platform. Proctoring may be used for university exams, corporate certification tests, compliance assessments, and pre-employment evaluations. It involves the recording and monitoring of candidates to ensure examination integrity.
7.1 Data Captured During Proctored Exams
| Data Type | Description | Purpose |
|---|---|---|
| Webcam Video | Continuous video recording of the candidate via their device camera throughout the exam session | Identity verification, behaviour monitoring |
| Audio Recording | Continuous audio capture via the candidate's microphone during the exam session | Detection of verbal communication or external assistance |
| Screen Recording | Continuous capture of the candidate's entire screen or active browser window | Monitoring for unauthorised applications, tabs, or resources |
| Browser Activity | Tab switches, focus changes, copy/paste actions, URL navigation attempts | Detection of suspicious navigation patterns |
| System Metadata | IP address, device fingerprint, OS/browser version, approximate geolocation, timestamps | Session verification, audit logging |
| Flagged Events | Automated or AI-assisted alerts for anomalies such as face absence, multiple faces, gaze deviation, unusual noise, application switching | Integrity assurance, review prioritisation |
| Identity Verification | Photo ID capture and face-match comparison at exam start | Confirm candidate identity |
Facial recognition and face-match technology may constitute biometric data processing under certain jurisdictions. Where applicable, Edorer obtains separate explicit consent for biometric processing and complies with relevant local laws (e.g., Illinois BIPA, GDPR Article 9). Biometric templates are processed in real-time and are not stored beyond the exam session unless explicitly required for a misconduct investigation.
7.2 How Proctoring Data is Processed
Proctoring data is processed through a combination of automated systems and human review:
Automated Monitoring: AI-assisted algorithms analyse webcam feeds, audio, and screen activity in real-time to generate automated flags for potential integrity violations. No disciplinary action is taken solely based on automated processing.
Human Review: Flagged sessions are reviewed by authorised exam administrators or proctors. Only trained and authorised personnel with a legitimate need have access to proctoring recordings.
Candidate Rights: Candidates may request a review of any automated decision that affects their exam results. All decisions involving disciplinary consequences involve human oversight in accordance with GDPR Article 22.
7.3 Who Has Access to Proctoring Data
Access to proctoring data is restricted on a need-to-know basis: authorised exam proctors and administrators at the administering Organisation; Edorer's proctoring operations team (under strict contractual obligations); institutional disciplinary, academic integrity, or HR committees (only for flagged cases); and, for pre-employment assessments, authorised recruiters and hiring managers at the hiring organisation. Where legally required, regulatory or law enforcement authorities may access data pursuant to a valid legal process.
Proctoring data is never sold, shared for marketing purposes, or used for any purpose other than examination integrity.
Legal Basis for Proctoring
Edorer relies on the following legal bases under GDPR for processing proctoring data:
| Legal Basis | GDPR Article | Application |
|---|---|---|
| Explicit Consent | Art. 6(1)(a) | Candidates provide explicit, informed, freely-given consent via the Proctored Exam Declaration before each proctored session. Consent is granular, specific to proctoring, and can be withdrawn. |
| Legitimate Interest | Art. 6(1)(f) | Organisations and Edorer have a legitimate interest in maintaining the integrity, credibility, and fairness of examinations and assessments. A Legitimate Interest Assessment (LIA) has been conducted and is available upon request. |
| Contractual Necessity | Art. 6(1)(b) | Where proctoring is a mandatory requirement of the academic programme, certification, or hiring process, processing is necessary for the performance of the contract between the Organisation and the individual. |
| Special Category Data | Art. 9(2)(a) | Where biometric data is processed (facial recognition), explicit consent is obtained separately as required for special category data under Article 9. |
Candidates may withdraw consent at any time by contacting us at collaborate@edorer.com. However, withdrawal of consent may result in the termination of the exam session and potential invalidation of results, as proctoring is a prerequisite for the examination. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
Proctoring Data Retention
Proctoring data is retained for the minimum period necessary to fulfil its purpose:
| Data Type | Retention Period | Basis for Period |
|---|---|---|
| Video & Audio Recordings | 180 days from exam date | Sufficient for result challenges, institutional review, and hiring dispute cycles |
| Screen Recordings | 180 days from exam date | Aligned with video/audio retention |
| Flagged Event Logs | 12 months from exam date | Required for academic integrity or HR proceedings |
| Identity Verification Images | 30 days from exam date | Deleted promptly after identity confirmation |
| Biometric Templates | Deleted immediately after session | Real-time processing only, no persistent storage |
| Session Metadata & Audit Logs | 24 months from exam date | Regulatory and institutional compliance requirements |
If a misconduct investigation, hiring dispute, or legal proceeding is ongoing at the time of scheduled deletion, the relevant proctoring data will be retained until the matter is fully resolved, after which it will be securely deleted within 30 days. Candidates will be notified if their data retention is extended for this purpose.
Secure Deletion
Upon expiry of the retention period, all proctoring data is permanently and irreversibly deleted using industry-standard secure deletion methods. Deletion is logged and auditable. Backup copies, if any, are purged within 30 days of the primary deletion.
Data Sharing & International Transfers
Edorer may share your personal data with the following categories of recipients, and only to the extent necessary:
Your Organisation (University, Employer, or Hiring Company)
The Organisation that administers your course, training, or assessment is the primary recipient of your learning, assessment, and certification data. This includes authorised staff such as faculty, instructors, trainers, academic administrators, HR personnel, compliance officers, recruiters, and hiring managers — each limited to the data relevant to their role. For pre-employment assessments, your scores and evaluation reports are shared with the hiring organisation that invited you to the test.
Service Providers
Third-party providers who assist in platform hosting, cloud infrastructure, email delivery, analytics, payment processing, and proctoring services. All providers are bound by Data Processing Agreements (DPAs) that ensure GDPR-equivalent protections and prohibit use of your data for any purpose other than providing services to Edorer.
Accreditation & Certification Bodies
Where your course or programme is accredited by an external body, Edorer may share necessary records (e.g., completion status, grades, certification IDs) with the relevant accreditation or credentialing authority, as required for the validity of your qualification.
Legal & Regulatory Authorities
Where required by law, regulation, or valid legal process (e.g., court order, subpoena), or to protect the rights, property, or safety of Edorer, our users, or the public.
International Transfers
Where personal data is transferred outside the European Economic Area (EEA), Edorer ensures adequate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, or binding corporate rules. Details of specific safeguards can be obtained by contacting us.
Edorer does not sell, rent, or trade personal data to third parties. We do not share your data with advertisers. Your learning, assessment, and proctoring data is used exclusively for the purposes described in this policy.
General Data Retention
Non-proctoring personal data is retained in accordance with the following principles. Where an Organisation has specified different retention periods in their Data Processing Agreement, those terms take precedence.
| Data Category | Retention Period | Notes |
|---|---|---|
| Account Data | Duration of account + 12 months after closure | To allow account reactivation and resolve any pending matters |
| Learning & Training Progress | Duration of relationship with Organisation + 24 months | May be extended per institutional or regulatory requirements |
| Assessment Scores & Grades | As required by the Organisation and applicable regulations | Academic records may be retained for extended periods per accreditation rules |
| Certificates & Credentials | Indefinitely (or as specified by Organisation) | Required for ongoing credential verification; can be deleted upon request |
| Pre-Employment Assessment Data | 12 months from assessment date | Unless the hiring Organisation specifies a different period in their DPA |
| Compliance Training Records | As mandated by applicable regulations | Some compliance records (e.g., workplace safety) have legally mandated retention periods |
| Communication & Support Data | 24 months from resolution | Support tickets, messages, forum posts |
| Technical & Usage Logs | 12 months (identifiable); indefinitely (anonymised) | Identifiable logs deleted; anonymised analytics retained for improvement |
Your Rights Under GDPR
As a data subject, you have the following rights under the General Data Protection Regulation. You may exercise any of these rights by contacting us at collaborate@edorer.com. Where Edorer acts as a data processor, we may redirect your request to the relevant Organisation (data controller) for fulfilment.
Right of Access
Request a copy of the personal data we hold about you, including learning records, assessment results, and proctoring recordings.
Article 15Right to Rectification
Request correction of inaccurate or incomplete personal data.
Article 16Right to Erasure
Request deletion of your data where consent is withdrawn or data is no longer necessary. Subject to legal and regulatory retention requirements.
Article 17Right to Restrict Processing
Request limitation of processing while accuracy or lawfulness is contested.
Article 18Right to Data Portability
Receive your data (including learning records and certificates) in a structured, machine-readable format.
Article 20Right to Object
Object to processing based on legitimate interest, including analytics and profiling.
Article 21Automated Decision-Making
Not be subject to decisions based solely on automated processing. Human review is always available for proctoring flags and automated grading disputes.
Article 22Right to Complain
Lodge a complaint with your local data protection supervisory authority.
Art. 77We will respond to all data subject requests within 30 days of receipt. If a request is complex or we receive a high volume of requests, we may extend this period by a further 60 days, in which case we will notify you within the initial 30-day period.
Data Security
Edorer implements appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Proctoring recordings and assessment data are encrypted with dedicated keys.
Access Controls: Role-based access controls (RBAC) ensure that only authorised personnel can access personal data. Organisational administrators can only access data within their own tenant. Additional restrictions apply for proctoring data.
Tenant Isolation: Each Organisation's data is logically isolated within the platform. University A cannot access data belonging to Company B, and vice versa.
Audit Logging: All access to sensitive data (including proctoring recordings, grades, and assessment results) is logged and monitored. Logs are retained for 24 months and subject to periodic review.
Infrastructure Security: Our hosting infrastructure complies with ISO 27001 and SOC 2 Type II standards. Regular penetration testing and vulnerability assessments are conducted.
Incident Response: In the event of a personal data breach, Edorer will notify the relevant supervisory authority within 72 hours and affected data subjects without undue delay, in accordance with GDPR Articles 33 and 34. We will also notify the affected Organisation(s) immediately.
Children's Privacy
Edorer's services are primarily designed for adult learners, university students (typically 18+), employees, and job candidates. Where the platform is used by educational institutions that serve minors (ages 16–18), parental or guardian consent is obtained by the institution before the minor's data is processed. Edorer does not knowingly collect personal data from children under 16 without verified parental consent.
Changes to This Policy
Edorer reserves the right to update this Privacy Policy from time to time. Material changes — especially those affecting proctoring data processing or data sharing practices — will be communicated to you via email notification and/or a prominent notice on the platform at least 30 days before they take effect. We will also notify Organisations so they can inform their users.
Continued use of the platform after the effective date of changes constitutes acceptance. For proctoring-specific changes, fresh consent will be obtained at the next proctored session.
Contact Us
If you have any questions about this Privacy Policy, wish to exercise your data subject rights, or have concerns about how your data is being handled, please contact us: collaborate@edorer.com