Anthology Trust Center

Anthology Data Privacy Framework Statement

Privacy
Trustworthy AI
Security
Legal

Anthology Data Privacy Framework

Anthology (“we”, “us”) complies with the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework (“DPF”) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information received from the European Economic Area (EEA) and the UK to the U.S. We* have certified to the U.S. Department of Commerce that we adhere to the DPF principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse, enforcement, and liability (“Principles”). If there is any conflict between the policies in this Statement and the Principles, the Principles shall govern. To learn more about the DPF, please visit the U.S. Department of Commerce DPF website: https://www.dataprivacyframework.gov/s/. For more information regarding our DPF certification, please see: https://www.dataprivacyframework.gov/s/participant-search.

For general information on our commitment to data privacy, please see our Trust Center and our Privacy Statement.

* Our U.S. affiliates which also adhere to the DPF and are identified in our DPF certification under “Other Covered Entities” are:

  • Anthology, Inc. (main) plus:
  • Blackboard, Inc.

Purpose

The purpose of this Anthology Data Privacy Framework Statement (“Statement”) is to outline how we comply with the Principles with respect to the personal data we collect. If you would like to obtain additional information regarding our privacy practices in connection with information collected on this website in general, please refer to our Privacy Statement. If there is any conflict between this Statement and the Privacy Statement, this Statement shall prevail.

Scope

This Statement applies to any personal information received by Anthology and its affiliates in the U.S. from the European Economic Area and the UK in reliance on the DPF.

Anthology Data Processing Activities

At times we act as a data processor or a data controller when processing personal data transferred from the European Economic Area and the UK, depending on the Anthology product or service. Though the types of data we collect and process may vary depending on the product and our clients’ preferences, data we collect typically includes personal data relating to learners and other end users of our products and services and schools/organizations, billing and payments information, web browsing behavior and other information relating to a user’s device used to access the services, and other information as described in our Privacy Statement. We process this data for the purposes of: providing our products and services; billing and payments; client service and product support; communications and marketing; analytics to inform and improve our services; and other internal purposes.

Principles

  1. Notice. We inform individuals about our data collection and processing practices in our Privacy Statement, which describes what personal data we collect, the purpose and use of the personal data , the categories of third parties with whom we may share such information (and the purposes for which we do so), the individual’s right to access such information, the choices and means through which the individual may limit the use and disclosure of personal data, and other disclosures consistent with the Notice Principle. Where we process personal data on behalf of an educational or other institution (each an “Institution”) with which end users have a direct relationship, the Institution is generally responsible for providing notices and we will support the Institutions as required for them to provide appropriate notices to their end users.

    Choice. We offer individuals the opportunity to opt-out of personal data (or to provide explicit opt-in consent for sensitive information) being: (i) disclosed to a third party (other than to our service providers under contract or pursuant to lawful request as set forth below), or (ii) used for a purpose materially different from the purpose for which it was originally collected (as set out in our Privacy Statement) or subsequently authorized by you if such circumstances arise. You can also opt-out at any time from having your personal data used for direct marketing purposes by following the unsubscribe procedures indicated in the marketing emails and/or by visiting the Anthology Preference Centre. For further questions related to the above, you can contact us at [email protected].

    Where we process personal data on behalf of an Institution, we will work with that Institution to comply with any individual’s choices for limiting use or disclosure of personal data.

  2. Accountability for Onward Transfers (Transfer to Third Parties). Anthology may transfer personal data to certain third parties (as described in our Privacy Statement). Where we transfer personal data to a third party, we will take reasonable and appropriate steps to ensure the third party processes personal data for limited and specified purposes and in a manner consistent with our DPF obligations. Where the transfer is to a third-party agent acting on our behalf, we may be liable if such third parties fail to meet those obligations.
  3. Security. We take reasonable and appropriate measures to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction. We have implemented appropriate physical, electronic and managerial procedures to help safeguard and secure personal data from loss, misuse, unauthorized access or disclosure, alteration or destruction.
  4. Data Integrity and Purpose Limitation. We process personal data in a manner that is compatible with and relevant to the purposes for which it was collected or authorized by individuals. To the extent necessary for those purposes, we will take reasonable steps to ensure that personal data is accurate, complete, current and reliable for its intended use. We only retain personal information for as long as is needed for those purposes. Where we receive personal data from an Institution, it will be the Institution that determines those purposes and the applicable retention period.
  5. Access. EU and UK individuals have the right to reasonable access to the personal data we hold about them. On request, we will also take reasonable steps to correct, update, amend or delete any information that is demonstrated to be inaccurate. Where we process personal data on behalf of an Institution, we will direct any individual requests for access or to limit use or disclosure to the Institution, and we will work with such Institution in complying with such requests in accordance with applicable law and our obligations under the DPF.
  6. Recourse, Enforcement, and Liability. We have established internal mechanisms to verify our ongoing adherence to this Statement. As part of our participation in the DPF, we are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission. We encourage individuals covered by this Statement to raise any concerns about our processing of their personal data by contacting us (see below).
  7. Lawful Requests. We may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
  8. Contact Anthology and Recourse. In compliance with the DPF, we are committed to resolving complaints about our collection and use of your personal data. If you have any questions about this Statement or the information that we collect from you in reliance of the DPF, please contact us at [email protected] or write to:

Legal Department
Anthology Inc.
11720 Plaza America Drive 11th floor
Reston, Virginia 20190
USA

In the event that you are concerned about how personal data you have provided to us has been used, please address your inquiry or complaint first to us at the address listed above. We take all concerns about privacy and use of personal data very seriously and shall endeavor to reply to you within forty-five (45) days of receiving a complaint.

If we fail to respond within that time, or if our response does not adequately address your concerns, you may submit your complaint free of charge to JAMS, our designated independent DPF dispute resolution provider, using this link:
https://www.jamsadr.com/eu-us-data-privacy-framework.

In certain circumstances, complaints not resolved by other means can be resolved through the DPF binding arbitration process. Please see the DPF website for further information:
https://www.dataprivacyframework.gov/s/article/C-Pre-Arbitration-Requirements-dpf.

This Statement was updated on October 27, 2023.