Overview

Welcome to GMETRIX’s Privacy Notice. Please read this Privacy Notice.

GMETRIX, LLC and its affiliated companies (collectively “GMETRIX”, “us”, “we”, “our”) provide preparation and assessment services and products (collectively, our “Services”) to a range of private and public sector organizations.

GMETRIX takes its obligation to protect your privacy and personal information very seriously. Most of the Services that GMETRIX offers are provided to organizations (“Clients”) under a legally binding contract and Clients use our Services to deliver high-quality courses and practice tests for those looking to pass their certifications (“Assessments”) to students, professionals, and anyone else that Clients may instruct us to assess (“Candidates”) for their own business, organizational or educational purposes. This Privacy Notice (the “Notice”) is aimed at informing such Candidates as well as our Clients, contractors, partners and users of our Site (collectively, “you”, “your”) as to how GMETRIX collects, uses, shares and otherwise processes information from our Clients and Candidates when using the Services, and users of the GMETRIX website(s) (the “Site(s)”) including any personal information or other information from which we can identify you (depending on applicable law or jurisdiction, such information is referred to as “Personal Data”, “Personal Information”, or “Personally Identifiable Information”) when taking an Assessment or using our Site. This Notice applies in the jurisdictions in which GMETRIX operates and covers the Personal Data of candidates, Clients, contractors, partners, and users of our Site.

By visiting our Site, or using any of our Services, you agree that your Personal Information will be handled as described in this Notice unless agreed upon otherwise in an applicable contract. If you do not agree to the terms in this Notice, you must not use our Site or Services. Your use of our Site or Services, and any dispute over privacy, is subject to this Notice and our Terms and Conditions, including any applicable limitations on damages and the resolution of disputes or any service-specific terms made available to you when you sign up for the Services. Our Terms and Conditions are incorporated by reference into this Notice. If you have any questions or complaints in relation to this Notice, you may contact our Privacy and Security Team at privacy@gmetrix.com.

A note to minors: If you are under the age of 13, please get permission from your parent/legal guardian before using this website or app or sending any e-mail to us. You must be 18 or older to order a subscription to any of the GMETRIX Sites or apps. We will not sell or market directly to minors.

A note to schools and districts: Wherever we collect Candidate or student Personally Identifiable Information (as defined under FERPA), we do so in support of the educational purposes for which GMETRIX is designed. Such information is only collected in conjunction with the use of GMETRIX Services.

Information We Collect

Based on the Services provided to you or our Clients, we may process the following categories of Personal Information about you as necessary to provide such Services.

For Candidates:

We collect Personal Information from Candidates for the purposes of administering an Assessment if instructed by, and on behalf of Clients. The information we collect is generally categorized as follows:

  • Minimum Personal Data. The following information is the minimum information required to take an Assessment and generally use our Services. All Minimum Personal Data is collected regardless of the Assessment type taken by a Candidate:
    • Contact Information,  including, but not limited to: first, last name and affiliation with a school or district (if applicable).
    • Assessment Information, including your responses to Assessments and the resulting reports.
    • Username and password:  Candidates create a username and password in the registration process, or, if they prefer, we or their school may assign these for them. We use usernames and passwords of Candidates’ accounts to authenticate logins, allow access to the paid content and monitor subscription compliance. The username is also used to authenticate users when requesting technical support. The passwords are all encrypted when stored.
  • Additional Personal Data. We offer many different types of Assessments. As such, we may collect additional, customized information in addition to the Minimum Personal Data described above. Whether or not Additional Personal Data is collected depends on the particular Assessment and Services requested by the Client. The following are examples of Additional Personal Data that may be collected through the Services:
    • Identity Information,  including, but not limited to date of birth, age (range), education level, gender, country of nationality, job function, managerial responsibilities, organization, sector, industry, and occupation level. We may also collect Sensitive or Special Category Information, including but not limited to data relating to racial or ethnic origin.

    Please be aware that Additional Personal Data may not always be collected. We collect and retain Additional Personal Data solely at the discretion of the Client and utilize it exclusively for the purpose of delivering our Services. It is important to note that the collection of Additional Personal Data may be restricted in certain jurisdictions; in such cases, we refrain from collecting such data in those specific regions. If you seek more information regarding Additional Personal Data and its collection in an Assessment, we recommend reaching out to the relevant Client who directed you to take the Assessment.

  • Contact Information. We may also collect telephone number for the purposes of identity verification (e.g., for multi-factor authentication) and email address.
    We use the email address to send Candidates service-related announcements on rare occasions when it is necessary or advisable to do so. For instance, if we perform routine maintenance, we might send an informational email. We may also use this Contact Information to request feedback on the use of our products and services, to be used to improve the products and services. We will always provide an option to opt out of such communications. Additionally, Clients can opt-out of communications at the organization level.
  • Transaction Information, including, but not limited to details about payments to and from you by us and other details about the Services you have purchased from us.
  • Technical Information, including, but not limited to internet protocol (IP) addresses, your login information, browser type and version, and operating system and platform information.
  • Emails received from candidates. We may retain certain information from Candidates when they send us messages through our system or by email. We only use such information for providing the services or support requested.
  • Information collected when using a GMETRIX mobile app. Your website subscription may also provide access to the Full Access level of our mobile apps. If you choose to download any such app and log into it with your website subscription username and password, we collect limited usage information in connection with user logins in order to monitor subscription compliance. This information is maintained in accordance to this Notice. We do not collect Personally Identifiable Information from users of the various GMETRIX applications. If you subscribe to a GMETRIX app with an in-app purchase subscription, we do not collect any Personal Information.
  • Push Notifications on mobile apps. We send you push notifications on GMETRIX mobile apps from time to time in order to update you about any events or promotions that we may be running. If you no longer wish to receive these types of communications, you may turn them off at the device level. To ensure you receive proper notifications, we will need to collect certain information about your device such as operating system and user identification information. We also collect the user time zone as it’s set on the device to limit the time, we send push notifications within a reasonable time of day. We do not combine this information with other Personal Information.
  • Mobile Analytics on mobile apps. We use mobile analytics software to allow us to better understand the functionality of our Mobile apps Software on your phone. This software may record information such as how often you use the apps, the events that occur within the apps, aggregated usage, performance data, and where the apps were downloaded from. We do not link the information we store within the analytics software to any Personal Information you submit within the mobile apps.

For Clients:

  • Transaction Information,  including, but not limited to business-related name, e-mail address, and details about payments to and from Clients to us and other details about Services that Clients have purchased from us.

For anyone who has provided their consent in relation to:

  • Marketing and Communications Information, including your preferences in receiving marketing information from us and our third parties along with your communication preferences.

For Site visitors:

  • Technical Information,  including, but not limited to internet protocol (IP) addresses, login information, browser type and version, and operating system and platform information.
  • Usage Information,  including information about how you use our Site, Products and Services.

We do NOT collect or use personal information as follows:

  • We do not knowingly collect Personal Information directly from Candidates under the age of 13. If we learn that we have inadvertently collected any Personal Information from a user under 13, we will take steps to promptly delete it. Please contact us at privacy@gmetrix.com if you believe we have inadvertently collected Personal Information from a user under 13.
  • We do not collect, use or share Personal Information other than as described in our privacy Notice, or with the consent of a parent or legal guardian as authorized by law, or otherwise as directed by a client or required by contract or by law.
  • In no event shall we use, share or sell any Personal Information for advertising or marketing purposes without obtaining explicit consent.

Purposes of Processing

We may use your Personal Information for one of the following activities:

  • For Candidates:
    • Provide Services to you and/or on behalf of our Client as agreed in an applicable contract;
    • Upon authorization from a Client, for internal analysis and research purposes to help us improve our Services.
  • For Clients:
    • Provide Services to you as agreed in an applicable contract.
  • For all visitors of our Site and Users of our Services (as applicable):
    • Keeping accounts and financial records related to any business or other activity carried out on by us;
    • Sending relevant administrative information such as notices related to product, service, or Notice changes; and
    • To send you information regarding the products and services you have requested if you have opted-in to receive such information or if another legal basis permits the processing of your personal data.

COPPA Compliance

We comply with the FTC’s Children’s Online Privacy Protection Act (COPPA), and support the goals and guidelines set forth by industry self-regulatory bodies and experts to providing online safety and privacy for children, households, parents and schools.

Parents and legal guardians of children under 13 who use any of GMETRIX’S Services have certain rights under COPPA, and GMETRIX recognizes those rights. Parents/guardians can consent to collection and use of a child’s Personal Information without consenting to the disclosure of information to third parties.

A child’s participation or access to an activity on GMETRIX cannot be conditioned on him or her providing more information than is reasonably necessary for that activity, or any Personal Information. GMETRIX does not collect Personal Information from children under 13, without a parent or guardian’s consent or otherwise without authorization from a Client (e.g., school).

FERPA Compliance

We understand the obligation educational agencies, districts and school systems have to comply with the Family Educational Rights and Privacy Act (FERPA) and we support schools in their compliance efforts and facilitate their alignment with FERPA. Under the terms of our contracts with schools, we agree to act as a “School Official” as defined by FERPA, meaning that we:

  • Perform an institutional service or function for which the school or district would otherwise use its own employees;
  • Have been determined to meet the criteria set forth in the school’s or district’s annual notification of FERPA rights for being a School Official with a legitimate educational interest in the education records;
  • Are under the direct control of the school or district with regard to the use and maintenance of education records;
  • Use education records only for authorized purposes and will not re- disclose Personally Identifiable Information from education records to other parties (unless we have specific authorization from the school or district to do so and it is otherwise permitted by FERPA).

Third Party Disclosures

We do not share your Personal Information with third parties for their own marketing purposes.

We may disclose your Personal Information internally, to GMETRIX affiliated entities and members of our corporate group, and externally, with the Client, and other third parties as set forth below. When we disclose Personal Information, the recipient is required to keep that Personal Information confidential, secure and process the Personal Information only for the specific purpose for which they are engaged:

  • Third-party service providers who work for GMETRIX and operate some of its functionalities, such as hosting services, streaming services and credit card processing. These third parties are well-known, established service providers, who are bound contractually to practice adequate security measures and only use your information for the sole purpose of providing the Services.

These third parties do not have an independent right to share your Personal Information. We may use or share information in anonymous or de-identified format, such that no individual may be identified from such information, for educational research purposes, to evaluate the educational benefit of using our Services or to improve our Services.

  • Candidates:   We share your information, including results of your Assessment, and other information about you with the Client who engaged us to provide the Services.
  • Government and Professional Licensing Agencies:    We may disclose Personal Data, Exam Information, Licensure Updates and other information relating to regulatory boards or state governments for inclusion in their files and records. In addition, we may also disclose such information to licensing agencies or professional associations, for a fee, for inclusion in their files and records. In certain states, licensees’ Personal Data, Exam Information, and Licensure Updates are considered information that is in the public domain.
  • Law Enforcement/Public Authorities:    We may be required to disclose information to public authorities, regulators or governmental bodies, as required by the applicable law or regulation, under a code of practice or conduct, where necessary to facilitate any investigation, or where we believe that disclosure is appropriate to protect our rights and interests or the rights and interests of third parties.
  • Corporate Transactions:     If we are acquired by, or merge with another company, any of our assets are transferred to another company, or bankruptcy proceeding ensues, we may transfer the information we have collected from you to the other party.

Using GMETRIX

School or district Clients using GMETRIX maintain ownership of their student Candidate educational records (“Candidate Records”).

Each school or district has access to a user-friendly administrator dashboard that allows direct control over the Candidate Records at all times. The administrator can create, update, review, modify and deactivate individual accounts, and monitor logins in the individual accounts. “Administrators” are only those individuals explicitly designated by the school or the district. Schools and districts are required to appoint an administrator that will be responsible for the Candidate Records. Districts and schools are urged to safeguard the administrator’s access information and keep it in strict confidence and notify us of any unauthorized use of password or account registered under their subscription.

The teachers using GMETRIX will only be able to access or use GMETRIX with an administrator login provided by their school or GMETRIX. Candidates will only be able to create or access their teacher’s class with an Access Code provided by their teachers. Candidates will be able to store their activities, tests, and results with their teachers on their individual accounts. Candidates can only interact with teachers who created the GMETRIX class.

We encourage schools and districts using GMETRIX to notify parents that the product is used in their school. Parents can log into their children’s accounts and access their records. If you are a parent or guardian of a candidate using GMETRIX with his or her school, you can request the login information from your child or their teacher. You are encouraged to use the Candidate’s login information and view all their activities and progress on the account at any time. Parents have a right to request the Candidate’s Personally Identifiable Information be deleted or request changes in his or her records if it is inaccurate or misleading by contacting the school or teacher or GMETRIX at privacy@gmetrix.com. Parents may also refuse to allow GMETRIX to collect further information from their children by contacting us at privacy@gmetrix.com.

Location and Security Measures

Our servers are located in the United States.

We take extra measures to ensure the safety of PII and Candidate Records and apply a Secure Sockets Layer (SSL or HTTPS) encrypting technology to establish and ensure that all data passed between the server and the browser remains encrypted.

Governance policies and access controls are in place to ensure that the information of each client or other party is separated, and they are only able to access their own data.

Only limited GMETRIX personnel have access to the database, and they only access the database when necessary to provide services. Personnel with access to Candidate Records pass criminal background checks and periodic privacy training.

While we strive to maintain best industry-standard privacy and security practices, it should be noted that no industry system is fail proof. In the event we learn of an actual data breach, loss or disaster, we have established a Disaster Recovery Plan, which includes notifying the affected client and, and as appropriate, coordinating with the client to support its notification of affected candidates when there is a substantial risk of harm from the breach or a legal duty to provide notification.

While we use SSL encryption to protect information online, we also do everything in our power to protect candidate-information off-line.
All of our candidates’ information is restricted in our offices. Only employees who need the information to perform a specific job (for example, our billing clerk or a customer service representative) are granted access to personally identifiable information. Our employees must use password-protected screen-savers when they leave their desk. When they return, they must re-enter their password to re-gain access to your information. Furthermore, ALL employees are kept up-to-date on our security and privacy practices. Every quarter, as well as any time new policies are added, our employees are notified and/or reminded about the importance we place on privacy, and what they can do to ensure our Candidates’ information is protected.

Data Retention

We will only retain your Personal Information for as long as reasonably necessary to fulfill the purposes we collect it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your Personal Information for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you or our Client.

To determine the appropriate retention period for Personal Information, we consider the amount, nature and sensitivity of the Personal Information, the potential risk of harm from unauthorized use or disclosure of your Personal Information, the purposes for which we process your Personal Information, whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other retention requirements.

Districts and school Clients are able to delete student Candiate Personally Identifiable Information at any time using the Administrator Dashboard as mentioned above. Once information is deleted, we do not retain any copies.

Unless agreed otherwise, we may use your Personal Information after anonymization (so that it can no longer be used to identify any individual) for research or statistical purposes, in which case we may use this information for a reasonable period of time without further notice to you. We may also use your Personal Information as part of statistical and aggregated data for research purposes in a pseudonymized form, if approved by you or our Client.

Using GMETRIX outside the US

If you are using our Site or Services outside the United States, you consent to having your information and data stored in the United States. If you are from any jurisdiction with laws or regulations governing the use of the Internet, including collection, use and disclosure of Personal Information or Personal Data, different from those of the United States, you may only use our Site or Services in a manner lawful in your jurisdiction. If your use of our Site or Services may be unlawful in your jurisdiction, please do not use our Site or Services.

We process Personal Data in accordance with your instructions, the applicable contract with our Clients, and with applicable law. Based on the specific circumstances, the legal basis for our processing is one of the following:

  • Performance of a Contract. We collect and process Personal Data for the purposes of the performance of a contract with you or our Client.
  • Consent. In certain cases where required under the law, we process your Personal Data based on your specific and informed consent. For example, where you have opted-in to receive our marketing information, we may use your information to send you news and newsletters, special offers, and promotions, or to otherwise contact you about our Services or information we think may interest you.
  • Legitimate Interest. We process Personal Data where it is necessary for our legitimate interests (or those of a third party). This includes activities related to everyday business operations, such as invoice processing, business planning, and handling client service-related queries and complaints.
  • Legal Obligation. We process your Personal Data when we need to comply with a legal obligation, meet our on-going regulatory and compliance obligations, including in relation to recording and monitoring communications, disclosures to tax authorities, financial service regulators and other regulatory and governmental bodies, and to investigate security incidents and prevent crime.
  • Other bases. We may rely on other legal bases for processing as set out in the contract with the Client.

Under applicable data protection laws (collectively, “Data Protection Laws”), GMETRIX is generally a “Service Provider” (as defined under Data Protection Laws) of Candidates’ Personal Information with respect to the Services provided to our Clients. The Client that has engaged us to provide the Services is generally the “Business” (as defined under Data Protection Laws) and our mandate to process Personal Information is based on the contract between us and the Business.

Our Client, or the relevant organization in the supply chain, determines the purposes and means of the processing. The contract with our Client sets out our mandate to process your Personal Data in such instances.

We also act as a Business in instances where we process Clients’ business-related Transaction Information, provide our Services directly to you and where we determine the purposes and means of processing your Personal Information. Depending on your jurisdiction, you may have certain rights, including the following rights, in relation to your Personal Information under Data Protection Laws:

  • The right o know about the personal information that we collect about you and how it is used and shared.
  • The right to delete personal information collected from you.
  • The right to opt-out of the sale or sharing of your personal information.
  • The right to correct inaccurate personal information that we collected about you.
  • The right to limit the use and disclosure of sensitive personal information collected about you.

If you are a Candidate and seek to exercise an applicable right under Data Protection Laws, we encourage you to contact the Client, which is the relevant organization for whom you have taken an assessment, directly, to exercise your rights. If you wish to contact us directly, we can only forward your request to the Client for instructions on how best to respond to your request.

We will try to respond to all legitimate requests within the time period required under Data Protection Laws. Occasionally it may take us longer than such time period if your request is particularly complex or you have made several requests. In this case, we will notify you. To exercise any of these rights, please submit a request at privacy@gmetrix.com.

We will not discriminate against you for exercising any of the foregoing rights under Data Protection Laws. You will not have to pay a fee to know your Personal Information or to exercise any of the other rights. Only you, or someone legally authorized to act on your behalf, may make a verifiable request. Your request must provide sufficient information that allows us to reasonably verify that you are the person about whom we collected Personal Information. As a security measure, we may need to request specific information from you to help us confirm your identity.

Marketing Communications

We may engage in marketing campaigns in order to introduce new products or services that may be of interest to you, and our current or prospective Clients. Where required by applicable law, we will only engage in such marketing communications if the individual has opted into these communications. Individuals may opt-out of the processing of their Personal Information by withdrawing consent for the processing of their information for marketing communications To opt-out of commercial emails, simply click the link labelled “unsubscribe” at the bottom of any email sent by us. Please note that even if you opt-out of commercial emails, we may still need to contact you with important transactional information about your account or a scheduled exam in order to fulfil a contractual obligation. For example, we will still send assessment confirmations and reminders, information about Assessment or Services changes and closures, and information about Assessment results even if commercial emails have been opted-out (or not opted-in).

Our Site may provide links to third-party websites. We have no control over third parties, and we assume no responsibility for the availability, content, accuracy or privacy practices of other websites, services or goods that may be linked to, or advertised on, such third-party websites. We suggest that you review the privacy policies and the terms and conditions of the third-party websites to get a better understanding of what, why and how they collect and use any Personal Information.

Updates to Privacy Notice

We reserve the right to amend or change this Notice from time to time. We encourage you to visit and review this Notice periodically. We will post our revised Notice on our website and update the revision date below to reflect the date of the changes. By continuing to use our website after we post any such changes or updates, you accept the Notice as modified. This document was last updated on January 31, 2024.