Privacy Policy
How we collect, use, and protect your information.
Effective Date: March 10, 2026 · Last Updated: March 10, 2026
1. Introduction
eFit Software ("we," "our," or "us") operates the VoiceExam platform ("Platform," "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our voice examination service.
We are committed to protecting the privacy of students, instructors, and educational institutions. Our platform is designed to comply with FERPA (Family Educational Rights and Privacy Act), GDPR (General Data Protection Regulation), CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act), COPPA (Children's Online Privacy Protection Act), BIPA (Biometric Information Privacy Act), PIPEDA (Personal Information Protection and Electronic Documents Act), and other applicable privacy regulations.
By accessing or using VoiceExam, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you are using VoiceExam on behalf of an educational institution, you represent that you have the authority to bind the institution to this policy.
2. Definitions
- "Controller" means the entity that determines the purposes and means of processing Personal Data. For institutional users, the educational institution is the Controller; for individual users, eFit Software is the Controller.
- "Processor" means any entity that processes Personal Data on behalf of the Controller, including eFit Software (when processing on behalf of institutions) and our sub-processors.
- "Personal Data" or "Personal Information" means any information relating to an identified or identifiable individual.
- "Biometric Data" means data generated from the measurement or analysis of human biological characteristics, including voiceprints and facial geometry.
- "Educational Records" means records directly related to a student that are maintained by an educational institution or by a party acting for the institution, as defined by FERPA.
- "Sale" and "Share" have the meanings set forth in the California Consumer Privacy Act (CCPA/CPRA).
3. Information We Collect
3.1 Information You Provide
- Account Information: Name, email address, password (hashed and salted), and role (student/instructor/administrator)
- Profile Information: Educational institution affiliation, class enrollment data
- Exam Responses: Audio and/or video recordings of oral exam responses, AI-generated transcripts
- Communications: Support requests and correspondence with us
3.2 Information Collected Automatically
- Device Information: Browser type, operating system, device identifiers
- Usage Data: Pages visited, features used, time spent on platform
- Log Data: IP addresses, access times, error logs
- Cookies and Similar Technologies: Session cookies for authentication and preferences (see Section 12)
3.3 Information We Do Not Collect
- Payment Card Data: All payment processing is handled directly by our PCI-compliant third-party payment processors (Stripe and PayPal). We do not collect, store, transmit, or process full credit card numbers, CVVs, or sensitive financial data on our servers. Your financial information is subject to the privacy policies and terms of service of Stripe and PayPal.
4. How We Use Your Information
We use the collected information to:
- Provide, maintain, and improve the VoiceExam platform
- Process and facilitate grading of oral examination responses
- Generate transcripts using AI-powered transcription services
- Authenticate users and maintain account security
- Communicate with you about your account and provide support
- Comply with legal obligations and educational regulations
- Analyze usage patterns to improve our services (in aggregate, anonymized form)
- Detect and prevent fraud or unauthorized access
4.1 Artificial Intelligence and Transcription Processing
We utilize third-party AI services (including OpenAI) via enterprise API endpoints to generate transcripts of audio and video recordings. The following safeguards are in place:
- No Model Training: We enforce Data Processing Agreements with our AI sub-processors. Your audio, video, transcripts, and personal data are strictly prohibited from being used to train, improve, or fine-tune any foundational AI models.
- Data Ephemerality: Audio and video files sent to our AI sub-processors are processed transiently solely for the purpose of generating transcripts and are not retained by the AI provider after processing is complete (Zero Data Retention policy).
- No Automated Decision-Making: AI-generated transcripts and any AI-assisted grading suggestions are always subject to human review. No final academic decisions are made solely by automated processing.
5. Biometric Data Privacy
Given the nature of voice and video oral exams, our platform may collect data that qualifies as "biometric identifiers" or "biometric information" under laws such as the Illinois Biometric Information Privacy Act (BIPA) or the Texas Capture or Use of Biometric Identifier Act (CUBI).
- Purpose: Biometric data is collected and processed solely for the purposes of academic assessment, exam integrity, and identity verification as authorized by the educational institution.
- Consent: By utilizing the recording features of VoiceExam, and where required by applicable law, you explicitly consent to the collection, capture, and storage of your voiceprint or facial geometry for the purposes stated above.
- No Sale or Trade: We will never sell, lease, trade, or otherwise profit from your biometric data.
- No Model Training: Biometric data is never used to train machine learning models.
- Retention and Destruction: Biometric data is retained only for as long as required for the educational purpose (typically the duration of the exam review and grade appeal period, as defined by the institution). It is permanently and irreversibly destroyed within three (3) years of the individual's last interaction with the platform, or earlier upon validated request from the educational institution, whichever occurs first.
- Security: Biometric data is encrypted at rest and in transit using industry-standard encryption (AES-256 at rest, TLS 1.2+ in transit).
6. Information Sharing and Disclosure
We may share your information in the following limited circumstances:
6.1 Educational Purposes
Student exam responses and grades are shared with instructors and authorized institutional administrators as part of the educational process, consistent with FERPA's "school official" exception.
6.2 Service Providers (Sub-Processors)
We work with trusted third-party sub-processors for hosting, transcription, AI processing, and payment processing. These providers are contractually bound by Data Processing Agreements that require them to protect your data, use it only for providing services to us, and delete it upon termination of their engagement.
6.3 Legal Requirements
We may disclose information when required by law, court order, subpoena, or governmental authority, or when necessary to protect our rights, safety, or property. We will notify affected users of such disclosure to the extent permitted by law.
6.4 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of the transaction. We will provide notice before your Personal Data is transferred and becomes subject to a different privacy policy.
6.5 We Do Not Sell or Share Your Data
We do not sell, rent, trade, or share your personal information with third parties for marketing, advertising, or cross-context behavioral advertising purposes. This applies to all users, including California residents under the CCPA/CPRA.
7. Data Security and Breach Notification
7.1 Security Measures
We implement administrative, technical, and physical safeguards to protect your information:
- TLS/SSL encryption for all data in transit
- AES-256 encryption for sensitive data at rest
- Passwords stored using industry-standard hashing algorithms with per-user salts
- Regular security audits and vulnerability assessments
- Role-based access controls and multi-factor authentication options
- Secure data centers with physical security measures
- Regular backups with encrypted storage
While we strive to protect your data using industry best practices, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security vulnerabilities.
7.2 Data Breach Notification
In the event of an unauthorized disclosure or security breach involving personal data or educational records, we will:
- Notify affected educational institutions, users, and regulatory authorities as required by applicable law
- Notify EU/UK supervisory authorities within 72 hours of becoming aware of a breach, as required by GDPR Article 33
- Notify California residents as required by California Civil Code § 1798.82
- Comply with all applicable state and federal breach notification laws without undue delay
- Provide a description of the breach, the types of data involved, and recommended protective measures
8. Data Retention
We retain your information only for as long as necessary to fulfill the purposes described in this policy and to comply with legal obligations:
- Account Data: Retained while your account is active and for a reasonable period afterward (up to 12 months) to allow for reactivation
- Exam Recordings and Biometric Data: Retained according to institutional policies, typically for the duration of the academic term plus a grade appeal period, and destroyed no later than three (3) years after your last interaction
- Transcripts and Grades: Retained as educational records per FERPA requirements and institutional policy
- Billing Records: Retained for up to seven (7) years for tax and legal compliance purposes
- Log Data: Retained for security and debugging purposes, typically 12 months
After the applicable retention period expires, we securely delete or irreversibly anonymize your data. Educational institutions may request earlier deletion subject to applicable legal requirements.
9. Your Rights
Depending on your location, you may have the following rights regarding your Personal Data:
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete information
- Deletion: Request deletion of your personal information (subject to legal retention requirements)
- Portability: Request your data in a structured, commonly used, machine-readable format
- Restriction: Request that we restrict certain processing of your information
- Objection: Object to processing based on legitimate interests
- Withdrawal of Consent: Where processing is based on consent, withdraw your consent at any time without affecting the lawfulness of prior processing
To exercise these rights, contact us at support@efit.software. We will respond within 30 days (or within the timeframe required by applicable law).
Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights. You will not receive different pricing, quality, or levels of service for exercising your rights.
10. FERPA Compliance and Institutional Control
For educational institutions in the United States, VoiceExam acts as a "School Official" with a "legitimate educational interest" under the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g.
- Data Ownership: All student educational records, including exam recordings, transcripts, and grades, remain the sole property of the educational institution
- Direct Control: We process educational records strictly under the direct control and instruction of the educational institution
- Limited Use: We use student education records only for the authorized educational purposes specified in our agreement with the institution
- Safeguards: We maintain appropriate administrative, technical, and physical safeguards to protect student information
- No Unauthorized Disclosure: We do not disclose student records without proper authorization from the institution or as permitted by FERPA
- Privacy Requests: Because we process data on behalf of institutions, any student requests to access, amend, or delete educational records under FERPA must be directed to the educational institution. We will assist the institution in fulfilling these requests
11. Lawful Basis for Processing (EEA/UK Users)
If you are located in the European Economic Area (EEA) or the United Kingdom (UK), we process your Personal Data under the following legal bases as defined by GDPR Article 6:
- Performance of a Contract (Art. 6(1)(b)): To provide VoiceExam services as agreed with you or your institution
- Legal Obligation (Art. 6(1)(c)): To comply with applicable laws and regulations, including educational record-keeping requirements
- Legitimate Interests (Art. 6(1)(f)): To maintain, secure, and improve the platform, provided this does not override your fundamental rights and freedoms
- Consent (Art. 6(1)(a)): For specific processing activities such as optional marketing communications or biometric data collection, where required
11.1 International Data Transfers
VoiceExam is hosted in the United States. If you access our platform from outside the US, your data will be transferred to and processed in the US. We ensure appropriate safeguards for these transfers by:
- Entering into Standard Contractual Clauses (SCCs) as approved by the European Commission
- Executing Data Processing Agreements (DPAs) with institutional clients and sub-processors
- Implementing supplementary technical and organizational measures where necessary
You may request a copy of the applicable SCCs by contacting us at support@efit.software.
11.2 GDPR-Specific Rights
In addition to the rights listed in Section 9, EEA/UK users have the right to lodge a complaint with a supervisory authority in their country of residence. We will respond to GDPR rights requests within one (1) month.
12. Cookies and Tracking Technologies
We use the following types of cookies and similar technologies:
- Strictly Necessary Cookies: Required for authentication, security, and core platform functionality. These cannot be disabled.
- Functional Cookies: Remember your preferences and settings to provide a personalized experience.
- Analytics Cookies: Help us understand how users interact with our platform so we can improve it. These are used only in aggregate, anonymized form.
We do not use third-party advertising or tracking cookies. You can manage cookie preferences through your browser settings. Where required by law, we will obtain your consent before placing non-essential cookies.
13. US State Privacy Rights
Residents of California, Virginia, Colorado, Connecticut, Utah, Texas, and other states with comprehensive privacy laws have specific rights regarding their personal information:
13.1 CCPA/CPRA (California)
Categories of Personal Information we may collect (per CCPA § 1798.140):
- Identifiers (name, email, IP address)
- Education information (exam recordings, transcripts)
- Internet or network activity (usage data, log files)
- Biometric information (voiceprints from recordings)
13.2 Your State Privacy Rights
- Right to Know / Access: Request the specific pieces and categories of personal data we have collected about you in the past 12 months, including sources, purposes, and recipients
- Right to Delete / Correct: Request deletion or correction of your personal data
- Right to Opt-Out: We do not sell or share your personal information for cross-context behavioral advertising. No opt-out is necessary, but you may still submit a request for confirmation.
- Right to Limit Use of Sensitive Personal Information: We only use sensitive personal information for purposes authorized by applicable law
- Non-Discrimination: We will not discriminate against you for exercising any of these rights
14. Children's Privacy
VoiceExam is designed for use by educational institutions and their enrolled students. We do not knowingly collect personal information directly from:
- Children under 13 (in the United States, per COPPA)
- Children under 16 (in the EEA, per GDPR)
- Children under 14 (in certain other jurisdictions)
without verifiable parental consent or explicit authorization from an educational institution acting in loco parentis. When we process children's data through an educational institution, the institution is responsible for obtaining any required parental consent.
If you believe we have collected information from a child without proper authorization, please contact us immediately at support@efit.software, and we will promptly investigate and delete such data.
15. Canadian Users (PIPEDA)
For users in Canada, we process personal information in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. Canadian users have the right to access and correct their personal data. We retain data only as long as required to fulfill the purposes for which it was collected or as permitted by law.
For PIPEDA-related inquiries, contact us at support@efit.software.
16. Data Processing Agreements
Educational institutions and other customers who act as Controllers may request and execute our Data Processing Addendum (DPA), which incorporates EU Standard Contractual Clauses and meets GDPR Article 28 requirements. Our DPA is available upon request by contacting support@efit.software.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. For material changes, we will:
- Post the revised policy on this page with an updated "Last Updated" date
- Provide at least 30 days' advance notice before material changes take effect
- Notify affected users via email or prominent in-app notification
- Notify institutional administrators for changes affecting student data processing
Your continued use of VoiceExam after the effective date of any changes constitutes your acceptance of the revised policy. We encourage you to review this policy periodically.
18. Contact Us
If you have questions about this Privacy Policy or our data practices, or wish to exercise your privacy rights, please contact us:
eFit Software
Harris County, Texas, United States
General / Privacy Inquiries: support@efit.software
For GDPR, CCPA/CPRA, FERPA, BIPA, COPPA, or PIPEDA rights requests, please include "Privacy Rights Request" in the subject line and specify the right you wish to exercise. We will verify your identity before processing your request and respond within the timeframe required by applicable law.