Prometric Global Privacy Policy

Language Disclaimer:
This policy is being made available in multiple languages for convenience. In the event of any discrepancy or conflict between the translated versions and the English version, the English version shall be deemed the official and controlling policy.

Last update: September 2025

Introduction

Prometric LLC, including Paragon and its other global subsidiaries and affiliates (hereafter collectively referred to as the “Company”, “us”, “our” or “we”) may act as data controller or as data processor depending on its relationship to you, the data subject.

This Privacy Policy (hereafter, “Policy”) describes our collection and processing of Personal Data about test candidates, clients, contractors and partners (hereafter, “Data Subjects”, “you” or “your”).  

The Company endeavors to comply with all data protection laws and regulations where the Company operates, including but not limited to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”); the California Consumer Privacy Act of 2018 (“CCPA”), as amended by the California Privacy Rights Act of 2020 (“CPPA”); the Personal Information Protection Law of the People's Republic of China (“PIPL”); the Children’s Online Privacy Protection Act (“COPPA”); the Family Educational Rights and Privacy Act (“FERPA”); and other relevant data protection laws and regulations globally.

As part of its certification, the Company complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) and to the rights of EU, UK, and Swiss Data Subjects.  As such, the Company is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

Unless otherwise noted, the following definitions apply to this Policy:

“Applicable Law” refers to the relevant country, state or territory data protection law or applicable regulation relating to data protection. 

“Personal Data” means any information relating to an identified or identifiable natural person.

“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Supervisory Authority” or “Supervisory Authorities” means an independent public authority which is established by a government body and is responsible for monitoring and/or enforcing the application of data protection laws and regulations in a given jurisdiction.

1. What types of Personal Data do we collect? 

The Company may collect the following Personal Data depending on your relationship to the Company, nature of the exam, services provided and as subject to Applicable Law: 

  • Contact details including name, address, telephone numbers, country-specific identification number, email address, login and password information
  • Date of birth
  • Birth country
  • Gender
  • School Entry Date (US)
  • Primary Language
  • Home Language
  • Parent / Guardian information
  • Candidate test and class scheduling details
  • Test assessment details, including test candidate ID number, examinations taken and when, scores related to those exams, results, how many times an exam or any particular section of exams have been taken
  • Behavior incidents
  • Interventions
  • Attendance
  • Assessment results
  • Social Security numbers where required by test sponsor for candidates (US)
  • Payment and financial institution information
  • Residence and country of citizenship
  • Photograph
  • Signature
  • Video recordings
  • Audio recordings (as permissible by law and only in specific jurisdictions)
  • Information from identification, verification, or eligibility documents
  • Transaction and Relationship Information including elements that reveal candidate test patterns, test locations, test results, and information about how our websites and applications are used.  

In addition, the Company may process special categories of Personal Data, as permitted by Applicable Law, that may include:

  • Biometrics (fingerprint and facial images)
  • Health information or medical data related to test candidates’ requests for testing accommodations
  • Race or ethnicity, as permitted by Applicable Law

The Company will not use special categories of Personal Data for a purpose other than the purpose for which it was originally collected or subsequently authorized by the Data Subject unless we have received your affirmative and explicit consent (opt-in).

Some of our exams may require the test site administrator to scan copies of your identification cards, record your signature and take your picture for identification purposes, which will be directly stored in the Company’s database. 

2. Personal Data of Minors

The Company does not knowingly collect Personal Data from or relating to minors without the consent of either the minor’s parent(s) or legal guardian. The Company expects the minor’s parents or legal guardian to supervise and monitor their children’s disclosure of Personal Data to the Company and its representatives.

As may be necessary, we assist schools in meeting their obligations pursuant to FERPA. The Company offers a limited feature set and website experience for minors. Nothing in this Policy is intended to diminish any students' (or their parent's or legal guardian’s) rights in relation to their educational records. The Company specifically agrees not to disclose any Personal Data from education records in violation of FERPA, not to use such information for any sales, marketing, advertising, or other prohibited purposes, and to Personal Data.

The Company receives from educational institutions the minimal amount of information necessary to create student accounts, which usually includes an email, a password, first and last name and a unique classroom code provided by the student’s teacher. Beyond this information, students can submit responses depending on the activities they are assigned, which will remain confidential between teacher and student and will only be used for the purposes of the school/teacher. In addition to the information entered by the student, we automatically collect information related to the use of our service.

The Company does not accumulate Personal Data about any minor or family for distribution, sharing, or selling except as described in this Policy. No student’s profile is made available or visible to the public, or to any other students. Teachers may share their classes, including grades or scores, with other teachers they co-teach within their school, to help them collaborate.

Parental Rights

The Company empowers parents and legal guardians of minors who have registered accounts with us to exercise their legal rights pursuant to COPPA.

Any parent who wants copies of their children’s Personal Data that we may have stored can contact their children’s school personnel. At any time, the school can also refuse to permit us to collect further Personal Data from its students, and can request that we delete the Personal Data we have collected from them. 

3. How do we collect your Personal Data? 

In most cases the Company collects such Personal Data directly from the Data Subject. 

However, in other cases we may receive information from primary or secondary schools, test sponsors or from third party data suppliers. When a Data Subject visits the Company’s website, registers or takes an exam, uses our applications, or contacts us, we also collect transaction information for customer service purposes.

All Personal Data collected by us via our mobile applications is protected and processed according to the terms of this Policy.  We also offer automatic ("push") notifications only to those who opt-in to receive such notifications from us. No individual is required to provide location information to us or to enable push notifications to use any of our mobile aware applications.

When using our website, and subject to how you configure your cookie settings, we may automatically collect certain information regarding your use of the website, such as the dates and times you access the website, the browsers, operating systems and devices you use to access the website, the website pages you access, and the referring and exit website pages. The Company may use that information for various purposes, including to administer and improve the Company’s websites and improve our products and services. 

Where permitted by Applicable Law, we may also use information to identify your general location to provide you with services, or relevant marketing and contextual advertisements. The Company also collects Internet Protocol (IP) addresses and unique device identifiers in order to recognize repeat visitors to our site and facilitate the use of our service by you.

Certain users of the Company’s website choose to interact with us in ways that require the Company to gather Personal Data so that we may provide you with the services you request. The amount and type of information that we gather depends on the nature of that interaction. 

It is important to note that the Company’s website may contain links to other websites or online services. When you use those links, you are contacting another website or service. The Company has no responsibility or liability for, or control over, those other websites or services or their collection, use, disclosure, retention and deletion of your personal information. Please refer to the privacy policies and terms of use that apply to those other websites or online services.

Collection of Biometric Data 

The Biometric Enabled Check-In System and the Company’s remote proctoring platform (known as ProProctor) are designed to improve the security and integrity of the testing process in a way that protects test candidate privacy while confirming test candidate identity. These technologies include the use of fingerprint and facial recognition, and are used for identity verification purposes, to detect and prevent fraud and misrepresentation, to maintain the integrity of the testing process, and to improve the security of test centers and remotely-proctored exams.

4. Why do we collect your Personal Data?

On behalf of our test sponsors, the Company collects your Personal Data for the purposes of: 

  • Scheduling test examinations
  • Verifying identity
  • Managing accounts and administering tests and payments
  • Managing customer service requests
  • Detecting and preventing fraud and misrepresentation by unauthorized candidates
  • Conducting data analytics to maintain the integrity of the testing process
  • Reporting test results to candidate and test sponsor
  • Conducting marketing activities (e.g. announcements, new tests, new test centers, promotions, upcoming events, new products, special features and store openings), subject to Applicable Law
  • Protecting and enforcing the Company’s legal rights, interests and remedies and to protect the business, operations or customers of the Company or other persons, including to enforce any of the terms of use, terms of service and other agreements that govern access to or use of the Company’s products and services
  • Analyzing visitor behavior using website analytic tools (e.g. Google Analytics 4)
  • Evaluating and improving the performance of digital advertising campaigns across platforms
  • Training and testing our artificial intelligence-enabled technology, subject to Applicable Law.

For suppliers and other third parties, we collect your Personal Data for the following purposes:

  • Supplier management and administration
  • Invoice processing
  • Know-your-supplier due diligence and other legal requirements

We only disclose Personal Data to the Company’s employees, contractors and subcontractors that: (i) must access that information in order to process it on our behalf or to provide services available on the Company’s website and through our mobile applications; and, (ii) agree not to disclose that information to others. The Company does not rent, sell or exchange Personal Data to any third party.

If Personal Data covered by this Policy is to be used for a new purpose that is materially different from that for which the Personal Data was originally collected or subsequently authorized, or is to be disclosed to a third party in a manner not specified in this Policy, we will provide you with an opportunity to choose whether to have your Personal Data so used or disclosed. Requests to opt out of such uses or disclosures of Personal Data should be sent to the Company as specified in the "How to Contact Us" section below.

5. What are the legal bases of processing your Personal Data? 

Personal Data is generally collected and processed according to the following legal bases:

  • The performance of a contract, which includes registering and scheduling for a test, administering that test, fraud prevention and processing of the test results.
  • Your consent for the collection and processing of special categories of Personal Data.
  • Your consent if required by Applicable Law for cross-border data transfers.
  • For legitimate business purposes such as invoice processing and financial account management, backup purposes to facilitate business continuity, test center management, business planning, contract management, improvement of testing services provided to our customers, proposing related services and products to existing test candidates, website administration, fulfillment, analytics, security and fraud prevention, corporate governance, disaster recovery planning, auditing, and reporting, and training and improving our artificial intelligence technology as permitted by Applicable Law.
  • Compliance with any legal or regulatory obligations.

6. Disclosure of Personal Data 

Third parties who may process your Personal Data include other Company affiliates, authorized test centers, test sponsors and our service providers acting as processors for the Company, providing the following services: data hosting, test administration services, business productivity applications, customer service support and customer relationship management software. 

Government agencies may access Personal Data as the result of lawful requests, including to meet national security or law enforcement requirements.

Where permitted by Applicable Law, the Company uses website analytical and advertising platforms to understand user behavior on our website and deliver relevant advertisements. These platforms may use cookies, pixels, or similar technologies to collect data about your interactions with our websites. This information is used to help us measure the effectiveness of our campaigns, personalize advertising content, and enhance overall user experience. The extent of the use of such tools will depend on how you decide to configure the cookie settings on your browser, and you may opt out of personalized advertising at any time by managing your cookie preferences.

Biometric data may be disclosed to a third party only: 

  • For an investigation related to alleged misconduct solely for the purposes of an investigation of cheating, unauthorized testing, or other test candidate misconduct.  
  • In relation to lawful requests by regulatory, legal or government agencies with jurisdiction and/or authority to make such requests.

We implement contracts with our third-party service providers to ensure that Personal Data is processed in compliance with this Policy and any other appropriate confidentiality and security measures as required by Applicable Law. 

If you are an EU, UK, or Swiss data subject, where we transfer your Personal Data to third party service providers as indicated above and who perform services for us or on our behalf, the Company is responsible for the Processing of that data by them and shall remain liable if they process your Personal Data in a manner inconsistent with the DPF principles referred to below unless we prove that we are not responsible for the event giving rise to the damage.

7. For how long do we store your Personal Data? 

The Company has adopted a comprehensive Records Management Program and related retention schedule that it adheres to for the purposes of retention, storage and destruction of all records created in the course of its business including those containing Personal Data.  We also deploy a Data Management strategy that segregates data based on regionally located data servers.  

Subject to client specific contract requirements and Applicable Law, our Company will keep your Personal Data for the duration of the processing, for the lesser period of: 

  • five (5) years from the date of the last service, test or assessment; or
  • the expiration of the purpose for which the Personal Data was collected; or
  • the laws of the applicable jurisdiction where the Personal Data was collected.  

The Company will not keep Personal Data longer than necessary for the above-mentioned purposes. However, we may retain Personal Data longer if necessary to comply with client specific contract requirements and Applicable Law or if necessary to protect or exercise its rights.

In the case of test results relating to Immigration, Refugees and Citizenship Canada, we retain records of your Personal Data for the minimum retention period (currently ten (10) years) as required by Immigration, Refugees and Citizenship Canada. In the case of test results relating to Australian Visas, we retain records of your Personal Data for the minimum retention period (currently seven (7) years) as required by the Commonwealth of Australia.

Storing of Biometric Data 

All biometric data collected in computer-based test centers is securely transferred to and securely stored within the Company’s secure data center in the European Union and is retained according to Applicable Law in the jurisdiction where it was collected.  Biometric data is stored and secured in Microsoft Azure for a period of thirty (30) days.  

8. Cross-border Transfers of Personal Data

Our business processes often require the transfer of Personal Data between the Company and its affiliated entities internationally.  Depending on the nature of your relationship with the Company and as per Applicable Law, your Personal Data is stored on secure servers located in the United States. Depending on the nature of your exam and your test location, the Company and its service providers may process Personal Data at facilities in countries other than the US, which may include Canada, Mexico, India and other countries located in the European Union or Asia.  

If Personal Data is disclosed to third parties or to a country not considered as providing a sufficient level of protection according to Applicable Law then the Company will ensure: 

  • The implementation of standard contractual clauses as approved by the relevant Supervisory Authority;
  • The adoption of appropriate organizational, technical and legal safeguards to govern the cross-border data transfer and to ensure the necessary and adequate level of protection under Applicable Law.
  • If necessary, an evaluation of the circumstances of the transfer and the legislation of the third country and, if required, the completion of a data transfer impact assessment to determine if supplemental measures are required to be implemented.

With regard to cross-border data transfers to the United States, the Company complies with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF as set forth by the U.S. Department of Commerce.

The Company has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of Personal Data received from the EU and the UK in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.  The Company has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of Personal Data received from Switzerland in reliance on the Swiss-U.S. DPF.

If there is any conflict between the terms in this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

9. What are your rights? 

Depending on your location and Applicable Law, you may have the following rights related to your Personal Data: 

  • Right to access
  • Right of rectification
  • Right to erasure
  • Right to restrict processing
  • Right to object to processing
  • Right to data portability
  • Right to decide how your Personal Data is used posthumously 

The exercise of such rights is subject to limitations provided by Applicable Law and relevant guidance from Supervisory Authorities.

To exercise your rights, you may contact the Company as described in the section “How to contact us.” Please keep in mind that deleting records may require us to terminate the account in question. Before we can complete your request, the Company may ask additional questions or take other steps to verify the identity of the requester. If we can’t satisfy your request (refusal or limitation), we will justify our decision in writing.

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, the Company commits to resolve DPF Principles-related complaints about our collection and use of your Personal Data. 

EU, UK, and Swiss Data Subjects with inquiries or complaints regarding our handling of Personal Data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact the Company as described in section “How to contact us and complaint handling.”

California Privacy Rights

California Civil Code Section 1798 allows California residents to ask companies with whom they have an established business relationship to provide certain information about the companies’ sharing of Personal Data with third parties for direct marketing purposes.  The Company does not share any California consumer Personal Data with third parties for marketing purposes without consent.  If you are a test candidate, we will provide your Personal Data to your test sponsor, who may use the information in accordance with its own privacy policies.

10. How do we protect your Personal Data?

The Company implements a variety of security measures, such as technical, physical and administrative safeguards in order to protect all Personal Data from security incidents or unauthorized disclosure, and more generally from a Personal Data Breach. These security measures are recognized as appropriate security standards in the industry and include, inter alia, access controls, passwords, encryption, strict time limits for erasure, logging mechanisms and regular security assessments.

In the event of a Personal Data Breach potentially impacting your Personal Data, the Company follows its Incident Response Plan and will promptly take appropriate action to mitigate the risks to Data Subjects.  Such measures may include notifying the appropriate Supervisory Authority and the impacted Data Subjects, while providing the relevant details of the incident and mitigation measures as may be mandated under Applicable Law.

The Company's Information Security Program is reviewed several times annually by multiple third-party organizations to ensure it meets or exceeds the highest benchmarks available for security and data privacy and protection. In addition, employees and contractors are obligated to promptly report any known or suspected instance of misuse, loss or unauthorized access.

11. Processing of Personal Data under the People’s Republic of China Personal Information Protection Law (‘PIPL’)

This section applies when Personal Data is located within the borders of the People’s Republic of China (PRC) or when Personal Data is processed by one of our subsidiaries located in the PRC. 

In accordance with Article 13 of the PIPL, Personal Data may be collected for the following purposes: 

  • Based on an individual’s consent;
  • For the performance of contracts, for legitimate business interests;
  • To fulfill statutory duties and responsibilities or statutory obligations;
  • To process publicly available data;
  • To meet legal requirements.

Following the requirements set out under Article 23 of PIPL and the contents mentioned under Section 4, the transfer and sharing of your Personal Data to a third party will not be made without (1) your specific consent if applicable, or (2) to fulfill the statutory duties under Applicable Law.

Based on the purposes prescribed in this Policy, Personal Data may be transferred to a country or region outside your residence for Processing. At such time, the Company will protect the security of the Personal Data in accordance with Applicable Law, including but not limited to implementing access controls, passwords, encryption standards, strict time limits for retention periods, logging mechanisms and regular security assessments.

The Company will fully inform you of the cross-border data transfer in accordance with Article 39 of PIPL prior to transferring your Personal Data outside the PRC and will obtain your consent, informing you of the following: the name of the outbound receiver, the contact information, the purpose of the Processing, the method of Processing, the type of Personal Data, and remind you of the methods and procedures by which you can exercise your rights under the PIPL. We will request your explicit and separate consent to do this.

As may be required, the Company will carry out a cross-border data transfer risk assessment in accordance with Applicable Law if Personal Data is transferred outside of the PRC.

Under PIPL, Sensitive Personal Data is defined as Personal Data that, once leaked or illegally used, may easily cause harm to the dignity of natural persons or grave harm to personal or property security, including information on biometric characteristics, religious beliefs, specially-designated status, medical health, financial accounts, individual location tracking, etc., as well as the Personal Data of minors under the age of 14.

In line with the PIPL and as detailed in Sections 1 and 3 of this Policy, the processing of Sensitive Personal Data is subject to the separate consent of the individual and is conducted for a specific business-related purpose.

The Company will not collect Personal Data from minors under the age of 14 without the separate consent of the parent or other guardian. We will only use or disclose Personal Data about a child to the extent permitted by law, pursuant to applicable laws and regulations, to seek parental consent or to protect a child. 

In the event of a Personal Data Breach, the Company shall bear civil liabilities to the data subject if it infringes the rights of the data subject’s personal data, without prejudice to the administrative, criminal or other legal liabilities that shall be assumed by the Data Controller under the PIPL.

12. Changes to Privacy Policy

The Company may update this Policy in order to comply with new or different privacy practices and changes to Applicable Law. An updated version of this Policy will be made available via an appropriate channel and will apply to data collected subsequent to its effective date.

13. How to Contact Us and Complaint Handling

For any inquiries, comments or concerns about this Policy, or in order to exercise the privacy rights permitted by Applicable Law, please submit a request via our dedicated portal at Personal Data Requests.

In addition, you may contact our Data Protection Officer at the following address: privacy@prometric.com

You may also reach us via postal mail at: 

Prometric Privacy Program Manager
Prometric LLC, 1501 South Clinton Street
Baltimore, Maryland 21224 USA

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, the Company commits to cooperate and comply respectively with the advice of the panel established by the EU Supervisory Authorities, the UK Information Commissioner’s Office (ICO), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of Personal Data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. 

You also have the right to file a complaint directly with the competent Supervisory Authority in your relevant jurisdiction.