OpenSesame Values Your Privacy

OpenSesame Values Your Privacy

OPENSESAME PRIVACY POLICY.

Effective Date: 1 April 2024

Welcome to OpenSesame! Your privacy is of paramount importance to us. This Privacy Policy (this “Policy”) outlines our practices concerning the collection, use, and disclosure of your personal information through our website, www.opensesame.com, and any related services, sales, marketing, or events (collectively referred to as the "Services"). For specific terms relating to GDPR and CCPA, see Section XIII (Jurisdiction-Specific Provisions).

I. INTRODUCTION

At OpenSesame Inc. (“OpenSesame”), we are committed to protecting your personal information and respecting your privacy in accordance with applicable state and international laws. This Policy explains how we handle personal information collected from and about our users, customers, and visitors when they use our Services, interact with us, or otherwise engage with our offerings. It is designed to inform you about our practices regarding the collection, use, and sharing of the information you provide to us or that we gather when you interact with our Services.

By accessing or using our Services, you agree to the collection and use of information in accordance with this Policy. We encourage you to read this Policy carefully to understand our policies and practices regarding your information and how we will treat it. If you do not agree with our policies and practices, please do not use our Services. By continuing to use our Services, you are accepting and consenting to the practices described in this policy.

This Policy is a binding contract between OpenSesame and you, and is integral to our Terms and Conditions and subject to them. We may update this Policy from time to time. We encourage you to review this Policy periodically to stay informed about our policies and practices. Your continued use of our Services after any modification to this Policy will constitute your acceptance of such modifications and updates.

Who is OpenSesame?
OpenSesame is a provider of elearning and certification courses that address a broad range of business needs from management and leadership, soft skills, HR, IT and more. With over 30,000 offerings in a variety of formats and languages, we are poised to help businesses prepare their employees today and into the future. OpenSesame also offers other products and services related to elearning and skills development.

II. INFORMATION COLLECTION

OpenSesame may collect two types of information:

Aggregate Information. For purposes of this Policy, information relating to your use of the Services that is anonymous and/or aggregated (such as pages visited on the Site, browser type, referring URL, IP address) will be referred to as “Aggregate Information.” We also collect course activity data (including enrollment, launch, completion, and review data) that, when anonymized and/or aggregated (either at the time of collection or at the end of your relationship with us), will also constitute Aggregate Information. Aggregate Information is owned by us and is not connected to you or to any other personally identifiable information relating to you. If you are a career navigation tool customer, Aggregate Information also may include anonymized and aggregate information from your career navigation tool profile.

Personal Information. For purposes of this Policy, personally identifiable information that is connected to you or other personally identifiable information relating to you, including, but not limited to your name, billing address, payment information, or email address, will be referred to as “Personal Information.”

We obtain the categories of personal information listed above from the following categories of sources:

Directly from our customers. For example, information that our customers provide to us related to the Services for which they engage us.
Indirectly from our customers. For example, through information we collect from our customers through their use of the Services.
Directly and indirectly from activity on our website. For example, from submissions through our website portal or website usage details collected automatically.
From third parties if you have provided your consent for such third parties to share your personal information with us.

The following is a description of the categories of Personal Information that OpenSesame may collect while utilizing the Site or providing Services:

Category	Examples	Collected?	GDPR Lawful basis for processing
A. Identifiers.	A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers.	YES	Consent to processing (Article 6(1)(c)) and/or contractual necessity (Article 6(1)(b))
B. Personal information categories (as listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e))).	A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories.	YES	Consent to processing (Article 6(1)(c)) and/or contractual necessity (Article 6(1)(b))
C. Protected classification characteristics under California or federal law.	Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).	YES (for job applicants only)	Consent to processing (Article 6(1)(c))
D. Commercial information.	Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.	NO	N/A
E. Biometric information.	Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.	NO	N/A
F. Internet or other similar network activity.	Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement.	YES	Consent to processing (Article 6(1)(c)) and/or contractual necessity (Article 6(1)(b))
G. Geolocation data.	Physical location or movements.	NO	N/A
H. Sensory data.	Audio, electronic, visual, thermal, olfactory, or similar information.	NO	N/A
I. Professional or employment-related information.	Current or past job history or performance evaluations.	YES (for job applicants or career navigation tool users only)	Consent to processing (Article 6(1)(c)) and/or contractual necessity (Article 6(1)(b))
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).	Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.	YES (for career navigation tool users only)	Consent to processing (Article 6(1)(c)) and/or contractual necessity (Article 6(1)(b))
K. Inferences drawn from other personal information.	Government identifiers, precise geolocation, information concerning sexual orientation, racial or ethnic origin, religious or philosophical beliefs, union membership, citizenship and immigration status, and mental and physical health conditions or diagnoses.	NO	N/A

III. USE OF INFORMATION

Aggregate Information. At OpenSesame, we utilize Aggregate Information to enhance our services and user experiences. This includes generating statistical reports to identify usage trends and service improvements. Aggregate Information, by nature, does not identify you personally; it helps us understand how our services are used collectively.

Personal Information. The Personal Information you provide enables us to offer and improve our Services tailored to your needs. This includes:

Fulfilling requests for products and services;
Customizing content and user experiences;
Communicating about promotions, specials, and new products;
Facilitating the overall use of our website and Services; or
Carrying out any other purpose described to you at the time the Personal Information is collected.

Third Party Interactions. OpenSesame partners with third-party service providers and advisors to assist in supporting our website and Services, including without limitation: (i) third-party service provides we use for shipping, credit card processing, and communication regarding OpenSesame's Services; and (ii) third-party advertising, marketing or analytics companies who may use your Personal Information in order to assist OpenSesame with its marketing or advertising or to otherwise provide OpenSesame with analytics services such as analyzing consumer or market trends. These partners are carefully selected and obligated to protect your information and use it solely for the purposes for which they have been engaged. When OpenSesame engages third parties such as these, OpenSesame requires that the third parties comply with this Policy and any other appropriate confidentiality and security measures. OpenSesame may also share Personal Information with any third parties in limited circumstances, including (i) when replying to requests of public authorities or any other government agencies; (ii) preventing fraud or imminent harm; and (iii) ensuring the security of OpenSesame’s network and services. We may also share your Personal Information with OpenSesame’s professional advisors such as attorneys or accountants in order to facilitate these professionals in the provision of their services to OpenSesame.

We respect your privacy rights and include provisions in this Policy for you to understand and control how your personal information is used. For detailed information on your rights and how to exercise them, please refer to Section VI (User Rights).

IV. INFORMATION SHARING AND DISCLOSURE

Personal Information. OpenSesame does not sell, rent or share personally identifiable information to or with any third party not affiliated with or owned by OpenSesame, except that you grant OpenSesame the right to disclose such information to service providers who may assist OpenSesame in providing services to you or in reporting the completion of certain types of training.

Aggregate Information. Aggregate information is used solely for internal purposes to help OpenSesame improve its users’ experience and to better provide its Services to you.

Disclosure to Comply With Laws or Respond to Other Requests. OpenSesame has the right to disclose an individual's personal information as deemed reasonably appropriate by OpenSesame: (i) in response to a request by any public authorities or any other government agencies, including without limitation to meet national security or law enforcement requirements or requests; (ii) to assist in replying to any other legal process, including without limitation any subpoena from any party or any order of any public authorities or other government agencies; or (iii) to assist in complying with any other laws or regulations, including without limitation, any tax reporting requirements.

Business Transition. In the event OpenSesame goes through a business transition, such as a merger, acquisition by another company, or a sale of a portion of OpenSesame’s assets, our customers’ Personal Information may be part of the assets transferred. Disclosure of users’ Personal Information in such a situation, or in contemplation of such a situation, shall be deemed consistent with this Policy. However, such a transfer may result in a change in this Policy, and you are advised and strongly encouraged to review this Policy frequently.

V. INTERNATIONAL DATA TRANSFERS

This section explains how we handle such international transfers of personal data to ensure your privacy is safeguarded in accordance with applicable data protection laws. OpenSesame is headquartered in Portland, Oregon, and processes Personal Information exclusively in the United States. Personal Information of international users will be transferred to and processed exclusively within the United States.

Data Privacy Framework Principles

EU-US and Swiss-US Data Privacy Framework Privacy Statement For EU, UK, and Swiss Individuals

OpenSesame Inc. complies with the EU-U.S. Data Privacy program Framework (EU-U.S. DPF) and the Swiss-U.S. Data Privacy program Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. OpenSesame Inc. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework program Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF. OpenSesame Inc. has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework program Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

The Federal Trade Commission (FTC) has jurisdiction with enforcement authority over OpenSesame's compliance with the Data Privacy Framework. All OpenSesame employees who handle Personal Data from Europe, the UK, and Switzerland are required to comply with the Principles stated in this Policy.

A. SCOPE
This Policy applies to the processing of Individual Customer Personal Data that OpenSesame receives in the United States concerning Individual Customers who reside in the European Union, the UK, and Switzerland. OpenSesame provides products and services to businesses and consumers. This Policy does not cover data from which individual persons cannot be identified or situations in which pseudonyms are used. (The use of pseudonyms involves the replacement of names or other identifiers with substitutes so that identification of individual persons is not possible.)

B. RESPONSIBILITIES AND MANAGEMENT
OpenSesame has designated the Legal Department to oversee its information security program, including its compliance with the EU-US and Swiss-US Data Privacy Framework Principles programs The Legal Department shall review and approve any material changes to this program as necessary. Any questions, concerns, or comments regarding this Policy also may be directed to legal-notices@OpenSesame.com. OpenSesame will maintain, monitor, test, and upgrade information security policies, practices, and systems to assist in protecting the Personal Data that it collects. OpenSesame personnel will receive training, as applicable, to effectively implement this Policy. Please refer to Section VII (Data Security) for a discussion of the steps that OpenSesame has undertaken to protect Personal Data.

C. RENEWAL / VERIFICATION
OpenSesame will recertify its participation in the EU-US and Swiss-US Data Privacy Framework Principles annually, unless it subsequently determines that it no longer needs such certification or if it employs a different adequacy mechanism. Prior to the recertification, OpenSesame will conduct an in house verification to ensure that its attestations and assertions with regard to its treatment of Individual Customer Personal Data are accurate and that the company has appropriately implemented these practices. Specifically, as part of the verification process, OpenSesame will undertake the following:

Review this Data Privacy Framework Principles policy and its publicly posted website privacy policy to ensure that these policies accurately describe the practices regarding the collection of Individual Customer Personal Data
Ensure that the publicly posted privacy policy informs Individual EU, UK, and Swiss Customers of OpenSesame's participation in the EU-US and Swiss-US Data Privacy Framework Principles programs and where to obtain a copy of additional information (e.g., a copy of this Policy)
Ensure that this Policy continues to comply with the Data Privacy Framework Principles
Confirm that Individual Customers are made aware of the process for addressing complaints and any independent dispute resolution process (OpenSesame may do so through its publicly posted website, Individual Customer contract, or both)
Review its processes and procedures for training Employees about OpenSesame's participation in the Data Privacy Framework programs and the appropriate handling of Individual's Personal Data OpenSesame will prepare an internal verification statement on an annual basis.

D. RECOURSE MECHANISM
In compliance with the EU-US Data Privacy Framework Principles, OpenSesame Inc. commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to the DPF Principles. European Union and Swiss individuals with DPF inquiries or complaints should first contact OpenSesame Inc. at security@opensesame.com

OpenSesame Inc. has further committed to refer unresolved privacy complaints under the DPF Principles to an independent dispute resolution mechanism, Data Privacy Framework Services, operated by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information and to file a complaint. This service is provided free of charge to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf?tabset-35584=2

E. LIABILITY FOR ONWARD TRANSFERS
In the context of an onward transfer, OpenSesame has responsibility for the processing of personal information it receives under the Data Privacy Framework Principles and subsequently transfers to a third party acting as an agent on its behalf. OpenSesame shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless it proves that it is not responsible for the event giving rise to the damage.

VI. USER RIGHTS

When applicable, data privacy laws may provide you with certain user rights regarding your data. This section outlines these potential rights and how you can exercise these rights.

Right to Access. You may have the right to request access to the Personal Information OpenSesame holds about you. This may include the right to be informed about the nature, processing, and disclosure of your data.

Right to Rectification. If any Personal Information we hold about you is incorrect or incomplete, you may have the right to request that we correct or complete it.

Right to Erasure (‘Right to be Forgotten’). You may have the right to request the deletion or removal of Personal Information when there is no legal basis for its continued processing by OpenSesame.

Right to Restrict Processing. You may have the right to 'block' or suppress further use of your Personal Information under certain conditions. When processing is restricted, we may still store your information but will not use it further.

Right to Data Portability. You may have the right to obtain and reuse your Personal Information for your own purposes across different services in a safe and secure way, without affecting its usability.

Right to Object. You may have the right to object to the processing of your Personal Information based on legitimate interests, direct marketing (including profiling), and processing for scientific or historical research and statistics.

Rights in relation to Automated Decision Making and Profiling. You may have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

VII. DATA SECURITY

OpenSesame takes commercially reasonable precautions to protect your Personal Information. However, given the nature of the Internet and the fact that network security measures are not infallible, OpenSesame cannot guarantee the security of Personal Information submitted through the Site. OpenSesame also takes commercially reasonable offline efforts to protect your Personal Information. OpenSesame also makes commercially reasonable efforts to restrict access to Personal Information to employees who need the information to perform a specific job. OpenSesame maintains commercially reasonable physical, electronic and managerial procedures to safeguard the Personal Information OpenSesame collects.

VIII. DATA RETENTION

OpenSesame retains personal information in production for the duration of your business relationship with OpenSesame and for up to 90 days thereafter to allow you to recover your account if you decide to renew. For more information on where and how long your personal information is stored, and for more information on your rights of erasure and portability, please contact us using the contact information provided in Section XII (Contact Information).

IX. COOKIES; LINKS

Cookies. OpenSesame may use “cookies” to recognize and count new visitors and to acquire Aggregate Information that lets OpenSesame analyze traffic patterns and tune the performance and functionality of our website and the Services. A cookie is a small text file that is placed on your device when you visit a website. It contains specific information that allows the Site to “recognize” your computer the next time you visit. The most important use for cookies is to eliminate the need for you to re-enter your information every time you visit the website. Most browsers accept cookies by default, but you can turn off cookies using your browser settings. If you turn off cookies, certain website features may no longer work or may work differently. Please note that when you accept a cookie from the website, OpenSesame does not gain access to your device or personal information other than the information you have provided to us. OpenSesame does not provide cookie information to any third party. By using our site, you agree to our use of cookies. For more details on managing cookies, check your browser's help section.

Links. The Site contains or may contain links to other web sites, including without limitation social media sites. OpenSesame is not responsible for the privacy practices or content of these other web sites. This Policy applies solely to information collected by the Site. OpenSesame encourages you to be aware when you leave the Site and to read the privacy statements of each and every web site that collects Personal Information.

X. CHILDREN’S PRIVACY

OpenSesame is committed to protecting the privacy of children. In compliance with the Children’s Online Privacy Protection Act (COPPA) and the FTC’s Rule interpreting COPPA (16 CFR § 512), our website and Services are not directed towards children under the age of 13. Furthermore, OpenSesame does not knowingly collect any Personal Information from children under 13 years of age in any manner.

XI. UPDATES TO THE PRIVACY POLICY

We reserve the right to amend this Policy at our discretion and at any time and from time to time. When we make material changes to this Policy, we will use commercially reasonable efforts to notify you; provided, however, you agree that it will be deemed commercially reasonable if OpenSesame provides you with this notice either by email or through a notice on our website homepage. You agree that your continued use of this site or of any of our Services constitutes your acceptance of these changes. Thus, you should regularly review and print this Policy for your records.

XII. CONTACT INFORMATION

If you wish to exercise your rights under this Policy, or if you have any questions, comments or concerns regarding this Policy or your experiences with the Services, please do not hesitate to get in touch with us using the details provided below.

Email: security@opensesame.com
Address: 1629 SW Salmon Street, Portland, OR 97205, United States of America, ATTN: Legal Department
Phone: (503) 808-1268

XIII. JURISDICTION-SPECIFIC PROVISIONS

California Privacy Rights
OpenSesame is dedicated to upholding the privacy rights of California residents in compliance with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). This section details the rights afforded to California residents under these laws and explains how to exercise them.

Rights Under CCPA and CPRA:

Right to Know: You can request disclosure of the specific pieces and categories of personal information OpenSesame has collected, used, disclosed, and sold about you in the past 12 months. We have collected the categories of personal information listed in Section II from consumers within the last twelve (12) months (California job applicants and employees click here for additional information). Once we receive and confirm your verifiable consumer request, we will disclose to you:
- The categories of personal information we collected about you.
- The categories of sources for the personal information we collected about you.
- Our business or commercial purpose for collecting or selling that personal information.
- The categories of third parties with whom we share that personal information.
- The specific pieces of personal information we collected about you (also called a data portability request).
- If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:
- sales, identifying the personal information categories that each category of recipient purchased; and
- disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.
Right to Delete: You have the right to request the deletion of personal information collected from you, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies. We may deny your deletion request if retaining the information is necessary for us or our service providers to:
- Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
- Debug products to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 seq.).
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information's deletion may likely render impossible or seriously impair the research's achievement, if you previously provided informed consent.
- Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
- Comply with a legal obligation.
- Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
Right to Correct: Under the CPRA, you have the right to request correction of inaccurate personal information held about you.
Right to Opt-Out of Sale or Sharing: You have the right to direct us not to sell or “share” (as defined under the CCPA as amended by the CPRA) your personal information with third parties. OpenSesame does not sell or “share” personal information, but if this practice changes, we will provide a clear method for you to exercise this right.
Right to Limit Use and Disclosure of Sensitive Personal Information: The CPRA provides you the right to limit the use and disclosure of your sensitive personal information for purposes other than those necessary to provide the goods or services you requested. OpenSesame does not knowingly collect or use sensitive personal information.
Right to Non-Discrimination: You have the right not to be discriminated against for exercising any of your CCPA or CPRA rights. We will not discriminate against you for exercising any of your CCPA or CPRA rights. Unless permitted by the CCPA or CPRA, we will not:
- Deny you goods or services.
- Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
- Provide you a different level or quality of goods or services.

Exercising Your CCPA/CPRA Rights:

To exercise any of the above rights, please submit a verifiable consumer request to us by filling out our Data Subject Access Request Form. We may need to verify your identity before processing your request, which may require additional information from you.
Requests can be made directly by the consumer or by an authorized agent on their behalf.
We aim to respond to consumer requests within 45 days of receiving them. If more time is needed, we will inform you of the reason and extension period in writing.

For any inquiries or to exercise your CCPA or CPRA rights, please contact us using the contact information provided in Section XII (Contact Information).

General Data Protection Regulation (GDPR) Compliance

OpenSesame processes Personal Information in accordance with the requirements of the GDPR. OpenSesame recognizes the following rights of individuals located in the EU:

the right to request information about whether and which personal data is processed by us, and the right to demand that personal data is rectified or amended.
the right to request that personal data should be deleted.
the right to demand that the processing of personal data should be restricted.
withdraw your consent to the processing and use of your data completely or partially at any time with future application.
have the right to obtain your personal data in a common, structured and mechanically readable format.
contact our data protection officer if there are any questions, comments, complaints or requests in connection with our statement on data protection and the processing of your personal data.
the right to complain to the responsible supervisory authority if believed that the processing of your personal data is in violation of the legislation.

Pursuant to Article 46 of the GDPR, OpenSesame provides appropriate safeguards through execution of Data Processing Agreements (“DPAs”) with its subprocessors and its corporate customers that have employees located in the European Union, which incorporate Standard Contractual Clauses. A list of OpenSesame’s current subprocessors and OpenSesame’s DPA are available upon request.

OpenSesame’s GDPR Representative in the EU can be contacted at:

Osano International Compliance Services Limited
ATTN: 2KSF
25/28 North Wall Quay
Dublin 1, D01 H104
IRELAND