Global Privacy policy

Effective Date: May 26, 2026

This Privacy Policy explains how McCoy Universe Inc. ("McCoy," "we," "us," or "our") collects, uses, discloses, retains, and protects personal information when individuals and organizations access or use McCoy products, websites, applications, APIs, certification and credential services, enterprise learning tools, consumer learning experiences, support channels, and related services. It is designed to cover McCoy products available today and McCoy products, features, websites, applications, APIs, integrations, credentials, and services that we may offer in the future when this Privacy Policy is posted or referenced.

This Privacy Policy is intended for both enterprise and consumer use. For enterprise, education, government, nonprofit, and other organizational customers, it should be read together with the applicable customer agreement, data processing addendum, service order, school agreement, certification program terms, or other written contract with McCoy. If a written agreement conflicts with this Privacy Policy for a particular customer deployment, the written agreement controls for that deployment to the extent of the conflict.

Contents

1. Who We Are and How This Policy Applies

2. Products and Services Covered

3. Defined Terms

4. McCoy’s Role: Controller, Business, Processor, and Service Provider

5. Information We Collect

6. Information We Do Not Intend to Collect

7. Sources of Personal Information

8. How We Use Personal Information

9. Certification Platform and Credential Verification

10. Artificial Intelligence, Generated Content, and Model Providers

11. Cookies, Browser Storage, Tracking, and Analytics

12. How We Disclose Personal Information

13. Data Processing by Service Providers and Subprocessors

14. Customer-Authorized Integrations, APIs, and Developer Tools

15. International Transfers

16. Legal Bases for Processing

17. Retention, Deletion, and Backups

18. Security

19. Enterprise Customers, Administrators, and Organization-Controlled Accounts

20. Students, Schools, Minors, and Education Records

21. Health, Medical, and Professional Training Data

22. Your Choices and Privacy Rights

23. U.S. State Privacy Notice

24. California Notice at Collection

25. European Economic Area, United Kingdom, and Switzerland Notice

26. Other International Privacy Rights

27. Automated Decision-Making, Profiling, and Learning Analytics

28. Communications Preferences

29. Third-Party Websites, Services, and Content

30. Changes to This Privacy Policy

31. Contact Us

1. Who We Are and How This Policy Applies

McCoy Universe Inc. is an education technology company that provides software, learning experiences, curriculum generation and management tools, learner-facing services, certification and credential verification services, APIs, websites, support, and related offerings. In this Privacy Policy, the word "Services" means all McCoy products, features, websites, applications, APIs, portals, dashboards, developer tools, support services, certification services, credentials, and integrations that link to or reference this Privacy Policy, whether offered now or in the future.

This Privacy Policy applies to personal information that McCoy processes in connection with the Services. Personal information means information that identifies, relates to, describes, can reasonably be associated with, or could reasonably be linked to an individual or household. Depending on the law that applies to you, terms such as "personal data," "personal information," "personally identifiable information," and "PII" may have different meanings. We use the term personal information broadly in this Privacy Policy.

This Privacy Policy does not apply to third-party websites, services, applications, wallets, proctoring tools, identity verification tools, learning management systems, payment processors, AI providers, analytics providers, or integrations that McCoy does not control, except to the extent McCoy describes how it shares personal information with them. It also does not replace any separate privacy notice that applies to employment, recruiting, investor relations, or other activities outside the Services.

When you use the Services through an employer, school, credential issuer, training provider, association, government agency, nonprofit, or other organization, that organization may control your account, workspace, credential program, learning records, and related information. You should review that organization’s privacy notices and policies because they may describe additional practices that are not controlled by McCoy.

2. Products and Services Covered

This Privacy Policy is written to cover McCoy’s current products and future products. The Services include, without limitation:

  • Quantum: McCoy’s administrative, authoring, curriculum generation, review, publishing, access management, content operations, analytics, billing, and integration portal.

  • Surface: McCoy’s learner-facing experience for courses, sessions, learning content, bookmarks, progress, completion, reports, practice, and related learning features.

  • McCoy App: McCoy-operated consumer or organization-supported learning applications and experiences, including web and mobile experiences where offered.

  • McCoy APIs, developer tools, SDKs, webhooks, and integrations: tools used to create, retrieve, publish, deliver, embed, analyze, or manage McCoy content, learning experiences, credentials, or customer workflows.

  • Certification Platform / McCoy Verify / Quantum Credential Verify: McCoy’s certification, credential issuance, badge, certificate, verification, revocation, audit, and credential lookup services, including services made available through verify.mccoy.org or successor domains.

  • McCoy websites, waitlists, research pages, licensing pages, forms, events, communications, newsletters, support, security, billing, account administration, authentication, and customer success services.

Future McCoy products, services, features, websites, applications, APIs, credentials, dashboards, portals, and related offerings that link to or reference this Privacy Policy.

Some products may have additional product-specific notices, in-product disclosures, certification program rules, customer agreements, or data processing terms. If a product-specific notice says that it supplements this Privacy Policy, both documents apply. If a product-specific written agreement says that it controls over this Privacy Policy, that agreement controls to the extent of the conflict.

3. Defined Terms

The following terms help explain how this Privacy Policy applies across enterprise, education, certification, API, and consumer contexts:

  • Authorized User means an individual who accesses the Services through or on behalf of a Customer, including administrators, authors, instructors, managers, learners, reviewers, developers, support users, and credential program personnel.

  • Consumer User or Individual User means an individual who accesses McCoy-operated Services directly for personal, professional, educational, or other individual purposes outside an organization-controlled workspace.

  • Customer means an organization, institution, business, school, agency, training provider, certification issuer, association, partner, or other entity that purchases, configures, sponsors, administers, or otherwise controls a McCoy workspace, credential program, integration, or deployment.

  • Customer Content means content, prompts, files, text, media, logos, source materials, data, course materials, assessments, instructions, configurations, metadata, and other materials submitted to, uploaded to, generated through, or stored in the Services by or for a Customer or Authorized User.

  • Workspace Data means Customer Content and related administrative, usage, learner, course, credential, and configuration information associated with a Customer workspace or Customer-controlled deployment.

  • Credential Record means information related to a certificate, badge, license, completion, credential, certification, assessment, exam, renewal, revocation, or verification event processed through the Certification Platform or related Services.

  • Service Data means operational data generated by the Services, such as logs, diagnostic data, security events, performance data, feature usage, and system metadata.

  • De-identified Data or Aggregated Data means information that cannot reasonably be used to identify an individual, either because identifying details have been removed or because the information has been combined with other information.

4. McCoy’s Role: Controller, Business, Processor, and Service Provider

McCoy may process personal information in different roles depending on the context.

Customer-controlled data. When a Customer uses the Services to create, upload, publish, deliver, assign, monitor, issue, verify, revoke, or analyze content, courses, learner activity, certification records, or credential programs, McCoy generally acts as a processor, service provider, or similar role under applicable privacy laws. In that context, the Customer generally determines the purposes and means of processing. The Customer decides what information is submitted to the Services, who may access the workspace or credential program, which learners or credential holders are included, how courses and credentials are configured, whether integrations are enabled, and how Customer Content and Workspace Data should be handled.

McCoy-controlled data. McCoy may act as an independent controller, business, or similar role when it processes information for its own business purposes, such as operating McCoy websites, providing consumer accounts, managing direct subscriptions, administering billing, maintaining security, handling support, communicating with users, improving the Services, conducting analytics, marketing McCoy products, complying with legal obligations, and issuing credentials directly under a McCoy-controlled program.

Certification data. For credential and certification services, McCoy’s role depends on the program. If a Customer, school, employer, association, or other issuer controls the credential program, McCoy generally processes Credential Records as a processor or service provider for that issuer. If McCoy itself issues or controls a credential, McCoy may act as the controller or business for the Credential Record. Public verification features may make limited credential details visible to people who have or enter a verification link, QR code, certificate ID, or other verification method.

Conflicts with written agreements. If a data processing addendum, business associate agreement, school agreement, customer agreement, certification program agreement, order form, or other written agreement applies, that agreement governs the processing of Customer Content, Workspace Data, Credential Records, or other covered information to the extent it conflicts with this Privacy Policy.

5. Information We Collect

The categories of personal information we collect depend on the Services used, the Customer configuration, the individual’s role, the product features enabled, and the applicable customer or certification program requirements. We may collect the following categories:

Account, contact, and identity information

Name, email address, phone number, username, password or passwordless authentication data, account ID, profile photo, organization, job title, school or program affiliation, role, permissions, group membership, preferred language, time zone, communication preferences, authentication identifiers, single sign-on information, multi-factor authentication settings, and account status.

Enterprise administration and workspace information

Workspace names, tenant IDs, organization settings, user invitations, access controls, permissions, roles, team membership, license assignments, workspace branding, billing status, subscription records, plan information, administrator activity, audit logs, integration settings, API keys, webhooks, developer credentials, and configuration metadata.

Quantum authoring and curriculum information

Source materials, prompts, files, datasets, instructions, course outlines, generated courses, curriculum, lessons, exercises, explanations, assessments, questions, rubrics, answer keys, review comments, edit history, publishing history, version history, model output, metadata, and content quality or safety signals.

Surface and learner activity information

Courses assigned or accessed, curriculum, topics, sessions, bookmarks, notes, answers, attempts, assessment responses, practice activity, progress, completion status, time spent, mastery signals, reports, achievements, badges, learning recommendations, activity history, group or cohort membership, and learner profile information.

McCoy App and consumer learning information

Account details, learning preferences, selected subjects, in-app activity, subscription or plan information, progress, interactions with learning content, saved items, settings, feedback, and communications with McCoy.

Certification, credential, and verification information

Credential holder name, email address, account ID, learner ID, employer or organization affiliation, issuer name, certification title, certificate or badge number, credential ID, QR code or verification token, course or assessment completion, exam results, continuing education units, issue date, expiration date, renewal status, revocation status, verification status, verification history, credential display settings, and audit records.

Identity verification and proctoring information, where applicable

If a certification program or integration requires identity proofing, exam proctoring, fraud prevention, or credential assurance, we or our providers may collect information such as date of birth, mailing address, government-issued ID information, ID images, selfie images, video or audio recordings, device checks, keystroke or browser integrity data, or biometric information where disclosed and permitted by law. These features are used only when required or enabled for a program and subject to applicable notices, consents, and agreements.

Customer Content and user-generated content

Text, files, images, audio, video, prompts, responses, comments, posts, support attachments, messages, course materials, educational materials, logos, media, source documents, assessment content, credential content, and other materials submitted to or generated through the Services.

Payment and commercial information

Billing contact details, invoice information, subscription plan, payment status, transaction identifiers, tax information, purchase history, renewal information, and limited payment metadata. We do not intend to directly collect full payment card numbers through the Services; payment card data is typically handled by payment processors.

Support, feedback, and communications

Name, email address, organization, message contents, support tickets, attachments, chat or call information, product feedback, survey responses, sales and customer success notes, preferences, and related metadata.

Marketing, waitlist, and event information

Contact details, company or school name, role, event registration information, newsletter preferences, waitlist submissions, campaign interactions, referral source, and responses to marketing communications.

Device, usage, log, and security information

IP address, device identifiers, browser type, device type, operating system, pages viewed, URLs, referring pages, timestamps, session identifiers, language, approximate location derived from IP address, diagnostic data, crash reports, error logs, authentication events, API events, credential verification events, security events, rate limits, performance data, and audit logs.

Cookies, browser storage, and similar technology data

Cookies, local storage, session storage, pixels, tags, SDKs, and similar technologies used for authentication, session persistence, security, preferences, diagnostics, analytics, product operation, and, where enabled and permitted, marketing measurement.

Integration and third-party information

Information received from identity providers, learning management systems, HR systems, customer applications, payment processors, certification issuers, proctoring or identity providers, analytics tools, AI providers, communication tools, and other services authorized by a Customer, user, or integration.

Sensitive or special categories of information

We do not seek to collect sensitive personal information unless it is necessary for a particular Service, requested by a Customer, submitted by a user, or required for a certification, education, security, legal, or support purpose. Sensitive information may include account credentials, government ID information, precise identifiers, biometric information where applicable, health-related training information, student records, or other information that applicable law treats as sensitive. We use sensitive information only for permitted purposes and do not use it to infer characteristics or for targeted advertising.

6. Information We Do Not Intend to Collect

Unless a feature, Customer agreement, certification program, or legal requirement specifically calls for it, you should not submit Social Security numbers, national identification numbers, passport numbers, driver’s license numbers, financial account numbers, payment card numbers, protected health information, genetic information, biometric information, precise location information, criminal history information, union membership, religious or political views, or other sensitive information to the Services.

If a Customer or user submits sensitive information to the Services, McCoy will process it in accordance with the applicable agreement, product configuration, user instructions, and law. Customers are responsible for ensuring that they have provided required notices, obtained required consents, and have a lawful basis for submitting sensitive information to McCoy-controlled systems or McCoy-managed service providers.

The Services are not intended to be used as a system of record for emergency medical care, clinical diagnosis, urgent communications, legal advice, financial advice, or other high-risk decisions unless a separate written agreement expressly provides otherwise.

7. Sources of Personal Information

McCoy may collect personal information from the following sources:

  • You, when you create an account, sign in, use the Services, submit content, answer assessments, request support, subscribe to communications, register for a waitlist or event, purchase a service, or participate in a certification or credential program.

  • Customers and administrators, when they invite users, configure workspaces, upload learning materials, assign courses, issue credentials, connect integrations, manage roles, set permissions, or provide learner, employee, student, or credential holder information.

  • Credential issuers, instructors, reviewers, proctors, assessors, and program operators, when they record completions, scores, credential status, identity verification results, exam outcomes, revocations, renewals, or verification rules.

  • Your browser, device, and use of the Services, through logs, cookies, browser storage, telemetry, analytics, and security monitoring.

  • Authentication, identity, payment, AI, infrastructure, analytics, communication, and other service providers that support the Services.

  • Customer-authorized integrations, such as learning management systems, HR systems, single sign-on providers, customer applications, third-party APIs, badge wallets, credential systems, and proctoring or identity verification tools.

  • Publicly available sources, business contact databases, event partners, or referral sources, where permitted by law and relevant to McCoy business communications.

  • McCoy-generated data, such as generated course content, learning analytics, credential verification records, Service Data, and security or fraud signals.

8. How We Use Personal Information

McCoy uses personal information for the purposes described below, subject to applicable law and customer agreements:

  • Provide, operate, maintain, troubleshoot, support, and improve the Services.

  • Create, authenticate, and manage accounts, sessions, workspaces, roles, permissions, groups, licenses, API keys, integrations, and access controls.

  • Generate, review, edit, publish, deploy, deliver, and manage curriculum, courses, lessons, assessments, learning paths, explanations, reports, and related learning materials.

  • Deliver learner-facing experiences, sessions, bookmarks, progress tracking, learning analytics, completion records, recommendations, reports, and other learning features.

  • Issue, manage, verify, display, renew, audit, suspend, revoke, and prevent fraud relating to certificates, badges, credentials, certifications, continuing education records, and credential verification pages.

  • Administer identity verification, proctoring, examination integrity, credential assurance, and anti-fraud controls where a certification program or Customer requires those features.

  • Process payments, subscriptions, invoices, taxes, renewals, and other commercial records.

  • Provide customer success, technical support, security support, product notices, administrative communications, and responses to inquiries.

  • Send marketing communications, newsletters, waitlist updates, event information, product announcements, and similar communications where permitted by law and subject to opt-out rights.

  • Monitor, debug, secure, and protect the Services; detect and prevent fraud, spam, abuse, misuse, credential fraud, unauthorized access, and security incidents.

  • Analyze Service performance, usage trends, feature adoption, user experience, content quality, reliability, and product effectiveness, including through aggregated or de-identified analytics.

  • Develop, test, and improve products, features, models, prompts, safety systems, workflows, documentation, and customer support operations, using safeguards appropriate to the data and context.

  • Comply with legal obligations, enforce agreements, respond to lawful requests, protect rights and safety, maintain business records, and exercise or defend legal claims.

  • Evaluate, negotiate, or complete a business transaction, such as a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets.

  • Carry out any other purpose described at the time of collection, authorized by the Customer, requested by the user, or permitted by applicable law.

McCoy does not use Customer workspace data, learner records, or Credential Records to serve cross-context behavioral advertising. McCoy does not sell personal information for money.

9. Certification Platform and Credential Verification

This section applies to McCoy’s Certification Platform, McCoy Verify, Quantum Credential Verify, verify.mccoy.org, credential issuance workflows, digital badges, certificates, completion records, credential lookup pages, QR code or credential ID verification, revocation and renewal features, and related future credential services.

Credential Records. Credential Records may include holder name, email address, user ID, learner ID, organization, program or course name, certificate title, badge title, credential description, issuer, issue date, expiration date, renewal date, credential ID, QR code, verification token, assessment status, completion status, score or pass/fail status, continuing education credits, revocation status, suspension status, evidence or audit metadata, public display settings, and verification events.

Credential visibility. A credential may be visible to the credential holder, issuer, Customer administrators, instructors, managers, verifiers, accrediting bodies, employers, regulators, or others depending on the program design, Customer configuration, credential holder actions, and verification method. If a credential is configured for public or link-based verification, anyone with the verification link, QR code, credential ID, or required lookup information may be able to view limited credential details. You should not share a credential link or QR code with someone unless you are comfortable with that person viewing the information displayed on the verification page.

Verification events. When a person or system verifies a credential, McCoy may log information about the verification event, such as timestamp, credential ID, verification result, IP address, user agent, referral information, and fraud or abuse signals. These logs help us confirm authenticity, prevent misuse, investigate suspicious activity, maintain audit records, and improve verification reliability.

Issuers and Customers. Credential issuers and Customers may control credential eligibility, requirements, content, display fields, expiration, renewal, revocation, access rights, and record retention. If a Customer or issuer controls your credential, requests to correct, delete, suppress, or change a Credential Record may need to be directed to that Customer or issuer. McCoy may forward requests to the relevant Customer or issuer or respond as instructed by them.

Identity assurance and proctoring. Some certification programs may require identity proofing, proctoring, human review, or automated integrity checks. If those features are enabled, additional information may be collected by McCoy or an authorized provider. The program or provider should disclose what is collected and obtain consent where required. McCoy will use this information to verify identity, administer exams, maintain credential integrity, prevent fraud, and comply with program requirements.

Retention of Credential Records. Credential Records may be retained longer than ordinary account data because credentials may need to remain verifiable, auditable, renewable, defensible, or revocable. Retention may be determined by the issuer, Customer agreement, accreditation requirement, legal obligation, fraud prevention need, or user settings. Deleting an account may not automatically delete a credential that an issuer is required or permitted to maintain.

10. Artificial Intelligence, Generated Content, and Model Providers

McCoy products may use artificial intelligence, machine learning, large language models, retrieval systems, content generation systems, recommendation systems, automated scoring, semantic search, embeddings, or similar technologies to generate curriculum, courses, assessments, explanations, learning paths, tutoring experiences, reports, summaries, recommendations, credential-related insights, and other product features.

Inputs and outputs. Customer Content and user inputs may be processed to produce generated outputs. Inputs and outputs may contain personal information if the Customer or user includes personal information in prompts, source materials, files, assessments, answers, credential records, or other content. Customers and users should avoid submitting unnecessary personal information or sensitive information to AI-enabled features unless they have authority to do so.

Model providers and infrastructure. McCoy may use third-party AI model providers, cloud providers, vector databases, content processing tools, and infrastructure providers to support AI-enabled features. When McCoy uses providers to process Customer Content or Workspace Data, McCoy uses them as service providers, processors, or subprocessors where applicable and restricts processing through contracts, technical controls, and product configurations appropriate to the Service.

Training and improvement. McCoy does not use Customer workspace data, learner records, or Credential Records to train third-party foundation models or to serve targeted advertising, except where a Customer or user specifically instructs us to do so, consents, or a written agreement expressly allows it. McCoy may use Service Data, feedback, aggregated data, de-identified data, and other data permitted by law and contract to operate, secure, evaluate, and improve the Services.

Human review. McCoy may review limited content, logs, and outputs for support, safety, abuse prevention, debugging, quality assurance, legal compliance, product improvement, or at the Customer’s request. Access is limited to personnel or providers with a need to know and subject to confidentiality or access controls.

Customer responsibilities. Customers are responsible for configuring AI-enabled Services appropriately for their users, providing required notices, obtaining required consents, reviewing generated content before use where appropriate, and ensuring that content submitted to or generated through the Services complies with their legal obligations and agreements.

11. Cookies, Browser Storage, Tracking, and Analytics

The Services may use cookies, local storage, session storage, pixels, tags, SDKs, device identifiers, and similar technologies. These technologies help us operate the Services, keep users signed in, secure accounts, remember preferences, measure performance, troubleshoot problems, understand usage, prevent abuse, and improve product experiences.

Categories of technologies we may use include:

  • Strictly necessary technologies, such as authentication, session persistence, load balancing, security, consent management, fraud prevention, and core product functionality.

  • Preference technologies, such as language, region, accessibility, workspace, product settings, display preferences, and saved choices.

  • Analytics and performance technologies, such as feature usage, page views, event logs, error reports, latency, reliability, and diagnostic information.

  • Security technologies, such as device, IP, browser, login, API, suspicious activity, abuse prevention, and credential verification signals.

  • Marketing measurement technologies, where used and permitted, to understand whether website visitors or business contacts interact with McCoy communications or campaigns. McCoy does not use these technologies to sell personal information or share it for cross-context behavioral advertising.

You may be able to control cookies through your browser settings, device settings, consent tools, or other controls that we make available. Disabling cookies or browser storage may prevent parts of the Services from functioning correctly, including authentication, workspace access, learner sessions, credential verification, and security features.

Some browsers send "Do Not Track" signals. Because there is no consistent industry standard for responding to those signals, McCoy does not currently respond differently to them. Where legally required and technically feasible, McCoy will honor recognized browser-based opt-out preference signals, such as Global Privacy Control, for applicable processing.

12. How We Disclose Personal Information

McCoy may disclose personal information to the following categories of recipients, depending on the Services used and applicable agreements:

  • Customers, workspace administrators, instructors, managers, reviewers, issuers, assessors, and other Authorized Users, according to workspace settings, credential program rules, roles, permissions, and Customer instructions.

  • Credential holders, credential issuers, verifiers, employers, accrediting bodies, regulators, or other recipients who access, receive, or verify Credential Records as configured by a Customer, issuer, or credential holder.

  • Service providers and subprocessors that host, secure, authenticate, operate, monitor, analyze, support, process payments, send communications, provide AI functionality, verify identity, proctor exams, manage logs, provide customer support, or otherwise help us provide the Services.

  • Customer-authorized integrations, third-party applications, learning management systems, HR systems, identity providers, badge wallets, credential platforms, payment processors, and other systems connected by a Customer or user.

  • Other users or the public, if you or a Customer choose to make information public, share a credential link, publish content, join a public program, participate in a public forum, or configure a public profile or verification page.

  • Professional advisors, auditors, insurers, legal counsel, accountants, banks, and other advisors where reasonably necessary for business, legal, security, or compliance purposes.

  • Government agencies, courts, regulators, law enforcement, or other recipients when we believe disclosure is required or appropriate to comply with law, legal process, government request, security obligation, or to protect rights, safety, and property.

  • Business transaction parties in connection with an actual or proposed merger, acquisition, financing, reorganization, bankruptcy, diligence process, investment, sale of assets, or similar transaction.

  • Other recipients with your consent, at your direction, at the direction of a Customer that controls the data, or as otherwise permitted by applicable law.

McCoy does not sell personal information for money and does not share personal information for cross-context behavioral advertising. If our practices change in a way that requires an opt-out right, we will provide the required notice and choice.

13. Data Processing by Service Providers and Subprocessors

McCoy uses service providers and subprocessors to deliver, secure, support, and improve the Services. These providers may include cloud hosting providers, infrastructure providers, data storage providers, content delivery networks, identity and authentication providers, email and communication providers, customer support tools, payment processors, analytics and monitoring tools, logging and security tools, AI model providers, data processing tools, identity verification providers, proctoring providers, and other vendors that support product functionality.

McCoy requires service providers and subprocessors to process personal information only as needed to provide services to McCoy or as otherwise permitted by law and contract. Where McCoy processes Customer Content, Workspace Data, or Credential Records as a processor or service provider, McCoy uses subprocessors subject to the applicable customer agreement or data processing addendum.

Enterprise Customers may request information about applicable subprocessors through their McCoy contact or support@mccoy.org, unless a separate subprocessor notice, trust portal, or agreement-specific process applies.

14. Customer-Authorized Integrations, APIs, and Developer Tools

Customers and Authorized Users may enable integrations, generate API keys, configure webhooks, connect identity providers, connect learning management systems or HR systems, embed McCoy learning experiences, connect credential wallets or verification tools, or otherwise use developer tools to transmit information between McCoy and third-party systems.

When a Customer or user authorizes an integration or uses an API key, McCoy may disclose information to the integration or receive information from it as configured by the Customer or user. Customers and users are responsible for reviewing the privacy and security practices of third-party integrations, limiting API key access, rotating keys when needed, disabling unused integrations, and ensuring that connected systems are authorized to receive the information transmitted.

McCoy may log API activity, integration events, webhook delivery, authentication events, rate limits, errors, and security signals to operate the Services, troubleshoot issues, prevent abuse, support developers, and maintain audit records.

15. International Transfers

McCoy is based in the United States, and personal information may be processed in the United States and other countries where McCoy, its Customers, users, service providers, subprocessors, or integration partners operate. These countries may have data protection laws that differ from the laws in your country or region.

Where required, McCoy uses appropriate safeguards for international transfers, such as data processing agreements, standard contractual clauses, the UK International Data Transfer Addendum or equivalent transfer mechanism, transfer impact assessments, vendor due diligence, technical and organizational safeguards, and other legally recognized measures. Enterprise Customers may have additional transfer terms in their data processing addendum or customer agreement.

16. Legal Bases for Processing

Where laws such as the GDPR, UK GDPR, Swiss Federal Act on Data Protection, LGPD, or similar laws require a legal basis, McCoy relies on one or more of the following legal bases when it acts as a controller:

  • Contract: to provide the Services, administer accounts, process subscriptions, support users, issue or verify credentials, and perform obligations under agreements.

  • Legitimate interests: to secure, operate, maintain, improve, analyze, and support the Services; communicate with business contacts; prevent fraud and abuse; protect rights and safety; and manage business operations, unless overridden by your rights and interests.

  • Consent: where required for optional cookies, marketing communications, certain identity verification or proctoring features, certain sensitive information, or other processing that requires consent. You may withdraw consent where applicable, although withdrawal may not affect processing that occurred before withdrawal.

  • Legal obligation: to comply with laws, regulations, legal process, accounting obligations, tax obligations, security obligations, accessibility obligations, credentialing requirements, and lawful government requests.

  • Vital interests, public interest, or other legal bases: where applicable law recognizes these bases and the circumstances require them.

When McCoy processes Workspace Data or Credential Records as a processor or service provider, the Customer or issuer is generally responsible for determining the appropriate legal basis and providing required notices to individuals. McCoy processes that information according to the Customer’s documented instructions and the applicable agreement.

17. Retention, Deletion, and Backups

McCoy retains personal information for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide the Services, maintain accounts, administer workspaces, verify credentials, provide support, comply with legal obligations, resolve disputes, enforce agreements, maintain security, prevent fraud, and keep business records.

Retention periods vary depending on the type of information, the product used, the Customer agreement, the sensitivity of the information, user settings, legal requirements, security needs, backup practices, and whether the information is needed for audit, credential verification, or dispute resolution. In general:

  • Account and profile information is generally retained while the account is active and for a reasonable period afterward for support, audit, security, legal, and business purposes.

  • Workspace Data is retained according to the applicable Customer agreement, Customer settings, product functionality, deletion requests, and backup practices.

  • Learner records, course records, and completion data may be retained as directed by the Customer or as needed to provide learning history, reporting, compliance, and support.

  • Credential Records may be retained for the life of the credential and for a longer period where needed for verification, revocation, renewal, accreditation, legal defense, fraud prevention, or issuer requirements.

  • Security logs, API logs, verification logs, and diagnostic data may be retained for a limited period or longer when needed for security, fraud prevention, legal, or audit purposes.

  • Billing, tax, accounting, and commercial records are retained as needed for legal, tax, accounting, audit, and business purposes.

  • Marketing contact information is retained until you opt out, request deletion, or the information is no longer needed, subject to maintaining suppression lists where required by law.

  • Backups, archives, and disaster recovery copies may retain information after deletion from active systems until they are overwritten or securely deleted according to McCoy’s standard backup lifecycle, unless retention is legally required.

Deletion from active systems may not immediately remove information from backups, logs, archives, or records that must be retained for legal, security, billing, credential verification, or compliance purposes. When we no longer need personal information, we will delete, de-identify, aggregate, or isolate it according to our retention practices and legal obligations.

18. Security

McCoy uses administrative, technical, and organizational safeguards designed to protect personal information. Safeguards may include access controls, authentication, least-privilege access, encryption in transit, encryption at rest where appropriate, network and application security controls, logging, monitoring, vulnerability management, security reviews, backups, incident response procedures, vendor review, confidentiality commitments, and employee or contractor access restrictions.

Customers and users also play an important role in security. You should protect your credentials, use strong authentication, keep devices secure, limit administrator permissions, rotate API keys, disable unused integrations, configure appropriate access controls, and promptly report suspicious activity.

No method of transmission, storage, or processing is completely secure. If you believe that your account, workspace, credential, verification link, API key, integration, or learner portal has been compromised, contact support@mccoy.org promptly. McCoy will evaluate security incidents and provide notifications where required by law or applicable agreement.

19. Enterprise Customers, Administrators, and Organization-Controlled Accounts

If you access the Services through an organization, your account and information may be subject to that organization’s policies, agreements, monitoring, retention settings, and administrator controls. Organization administrators may be able to:

  • Create, suspend, restrict, or delete accounts and access rights.

  • View profile, enrollment, role, group, usage, progress, assessment, completion, credential, and activity information.

  • Upload, download, export, correct, delete, or retain Workspace Data where the Services allow it.

  • Configure learner portals, domains, branding, identity providers, integrations, API keys, webhooks, and access controls.

  • Review logs, reports, analytics, and security events.

  • Issue, suspend, revoke, renew, or verify credentials through the Certification Platform.

  • Request support from McCoy and provide McCoy with information about users, content, courses, learners, or credential holders.

McCoy is not responsible for privacy or security practices controlled by Customers, including decisions about who may access a workspace, which records are retained, what content is uploaded, whether credentials are public, or how Customer exports are used. Individuals should contact the relevant Customer for questions about organization-controlled accounts, workspace data, learner records, or Customer-issued credentials.

20. Students, Schools, Minors, and Education Records

McCoy products may be used by schools, districts, universities, training providers, employers, certification bodies, and other educational organizations. In those contexts, the Services may process student information, education records, learner records, training records, assessment data, or credentials.

When McCoy provides Services to an educational institution and processes student information on that institution’s behalf, McCoy will use the information to provide, maintain, secure, and support the Services; comply with the applicable agreement; and follow the institution’s lawful instructions. Where the Family Educational Rights and Privacy Act (FERPA) applies and the Customer designates McCoy as a school official or similar service provider, McCoy will use education records only for authorized educational purposes and will not redisclose them except as permitted by the Customer agreement and applicable law.

McCoy does not use student data for targeted advertising, does not sell student data, and does not build profiles of students for purposes unrelated to providing the Services. Parents, guardians, and eligible students should contact the relevant school or educational Customer to exercise rights in education records, unless McCoy has a direct relationship with the individual for a separate consumer Service.

The Services are not directed to children under 13 for direct consumer use. McCoy does not knowingly collect personal information directly from children under 13 unless the use is authorized by a Customer, school, parent, guardian, or other responsible organization that is responsible for providing notices and obtaining required consents under applicable law, including the Children’s Online Privacy Protection Act where applicable. If you believe that a child under 13 has provided personal information to McCoy without proper authorization, contact support@mccoy.org.

For minors aged 13 to 17, use of the Services may require parent, guardian, school, employer, or Customer authorization depending on the Service, jurisdiction, and program. McCoy does not knowingly sell or share personal information of minors for cross-context behavioral advertising.

21. Health, Medical, and Professional Training Data

McCoy may provide educational technology, workforce development, healthcare education, professional training, and certification tools. The Services may involve health-related educational content, professional training information, continuing education records, or learner performance data. However, McCoy is not a healthcare provider, and the Services are not intended for emergency medical care, diagnosis, treatment, or clinical decision-making unless a separate written agreement expressly provides otherwise.

Customers and users should not submit protected health information or other regulated medical information to the Services unless they are authorized to do so and a written agreement with McCoy permits that processing. If McCoy signs a Business Associate Agreement or similar agreement for a particular Customer or Service, that agreement will control the processing of protected health information for that deployment.

Professional training, certification, and credentialing records may be retained and disclosed as needed to verify credentials, comply with issuer or accreditation requirements, provide continuing education reporting, prevent fraud, and support career or workforce development workflows configured by the Customer or user.

22. Your Choices and Privacy Rights

Depending on where you live, how you use the Services, and whether McCoy acts as a controller or processor for the information at issue, you may have rights to access, confirm, correct, delete, restrict, object to, opt out of certain processing, withdraw consent, obtain a copy of, or port your personal information. You may also have the right to appeal a privacy request decision, lodge a complaint with a regulator, or use an authorized agent.

How to submit a request. To submit a privacy request, contact support@mccoy.org. Please describe the request, the email address or account involved, the relevant product or workspace, and whether your request relates to a McCoy-operated consumer account, Customer workspace, learner record, or credential. McCoy may need to verify your identity and authority before fulfilling a request.

Organization-controlled data. If your request relates to Workspace Data, Customer Content, an organization-controlled account, a school account, an employer account, or a Customer-issued credential, McCoy may direct you to the Customer or issuer that controls the information. McCoy may also work with the Customer or issuer to respond according to the applicable agreement and law.

Verification and authorized agents. McCoy may request information reasonably necessary to verify your identity, residency, account ownership, or authorization to act on behalf of another individual. If you use an authorized agent, we may require proof that the agent is authorized and may ask you to verify your identity directly where permitted by law.

Appeals. If applicable law gives you the right to appeal a privacy request decision, you may appeal by replying to our decision email or contacting support@mccoy.org with the subject line "Privacy Appeal." We will review the appeal and respond as required by applicable law.

Limitations. Privacy rights are not absolute. McCoy may deny or limit requests where permitted by law, such as when we cannot verify your identity, the information is controlled by a Customer, the information must be retained for legal or security purposes, the request would affect another person’s rights, or an exception applies.

Choices you may have include:

  • Account settings: Update certain profile, account, preference, and communication information through available product settings.

  • Marketing emails: Opt out by using the unsubscribe link in marketing emails or contacting support@mccoy.org. You may still receive transactional, security, service, support, billing, or legal notices.

  • Cookies: Manage cookies through browser settings, device settings, consent tools, or other controls we make available. Some features may not work without necessary cookies or storage.

  • Credentials: Contact the credential issuer, Customer, or McCoy to request correction, suppression, deletion, or updates to credential display information, subject to issuer rules and retention obligations.

  • Integrations: Contact your Customer administrator to disconnect or reconfigure organization-controlled integrations, API keys, or connected systems.

  • Consent withdrawal: Where processing is based on consent, you may withdraw consent as permitted by law. Withdrawal may affect your ability to use certain features and does not affect prior lawful processing.

23. U.S. State Privacy Notice

This section applies to residents of U.S. states with comprehensive privacy laws, to the extent those laws apply to McCoy and the relevant processing. The rights and definitions vary by state. Depending on your state and how the Services are used, you may have the right to:

  • Confirm whether we process your personal information and access that information.

  • Correct inaccuracies in personal information.

  • Delete personal information, subject to exceptions.

  • Obtain a copy of personal information in a portable format.

  • Opt out of targeted advertising, sale of personal information, or certain profiling that produces legal or similarly significant effects.

  • Limit or opt out of certain sensitive data processing where applicable.

  • Appeal a privacy request decision.

  • Use an authorized agent where permitted by law.

McCoy does not sell personal information for money and does not process or share personal information for cross-context behavioral advertising or targeted advertising. McCoy does not knowingly sell or share personal information of minors under 16. McCoy does not use sensitive personal information for purposes that require a right to limit under California law, such as inferring characteristics, and does not use sensitive data for targeted advertising.

Categories collected. In the last 12 months, McCoy may have collected the categories of personal information described in Section 5, including identifiers, customer records information, commercial information, internet or electronic network activity, approximate geolocation derived from IP address, professional or employment-related information, education information, audio/electronic/visual information if submitted or recorded for support, proctoring, identity verification, or content purposes, inferences such as learning progress or preferences, and sensitive personal information such as account credentials, government ID information, biometric information where applicable, student information, or other sensitive information submitted by Customers or users.

Sources, purposes, disclosures, and retention. The sources of personal information are described in Section 7. The business and commercial purposes for collection are described in Section 8. The categories of recipients are described in Sections 12 through 14. Retention is described in Section 17.

Non-discrimination. McCoy will not unlawfully discriminate against you for exercising privacy rights. We may provide a different level of service where the difference is reasonably related to the value of the data or where the data is necessary to provide the Service you requested.

Financial incentives. McCoy does not currently offer financial incentives or price differences in exchange for the collection, sale, or deletion of personal information as those terms are used under California privacy law. If we offer such a program in the future, we will provide the required notice and choice.

24. California Notice at Collection

This California Notice at Collection applies to California residents where the California Consumer Privacy Act, as amended by the California Privacy Rights Act, applies. It supplements the rest of this Privacy Policy.

Categories of personal information collected, used, disclosed, and retained. In the last 12 months, we may have collected the following categories of personal information:

  • Identifiers, such as name, email address, account ID, user ID, IP address, device identifiers, authentication identifiers, credential IDs, and organization identifiers.

  • California customer records information, such as billing contact details, mailing address if provided, phone number if provided, organization affiliation, and payment-related records handled through payment processors.

  • Commercial information, such as subscriptions, invoices, purchases, plans, renewals, service records, credential purchases, or transaction records.

  • Internet or electronic network activity information, such as usage data, logs, device information, browser information, authentication events, API events, security events, verification events, and diagnostics.

  • Approximate geolocation information, such as general location inferred from IP address.

  • Audio, electronic, visual, or similar information, if submitted through support, workspace content, identity verification, proctoring, recordings, or course materials.

  • Professional, employment-related, or education information, such as organization role, school affiliation, course participation, learner activity, authoring activity, progress, completion status, certification status, credential records, training records, or continuing education records.

  • Inferences, such as preferences, learning progress, mastery signals, recommendations, product usage patterns, likely interests in McCoy products, or credential integrity signals.

  • Sensitive personal information, such as account credentials, government ID information, biometric information where applicable, student records, precise information a Customer or user chooses to submit, or information that may reveal sensitive characteristics if included in Customer Content. McCoy does not use sensitive personal information for purposes that require a right to limit under California law.

We collect, use, disclose, and retain these categories for the purposes described in Sections 8, 9, 10, 12, 13, 14, and 17. We disclose these categories to the recipient categories described in Sections 12 through 14. We do not sell personal information and do not share personal information for cross-context behavioral advertising.

California rights. California residents may have the right to know, access, correct, delete, obtain a copy of, opt out of sale or sharing, limit certain sensitive personal information uses, and not be discriminated against for exercising rights. Because McCoy does not sell personal information or share it for cross-context behavioral advertising, there is no sale or sharing to opt out of. To exercise applicable rights, contact support@mccoy.org.

25. European Economic Area, United Kingdom, and Switzerland Notice

This section applies where the GDPR, UK GDPR, Swiss Federal Act on Data Protection, or similar law applies. McCoy Universe Inc. is the controller for personal information it processes for McCoy-controlled purposes described in this Privacy Policy. For Customer-controlled Workspace Data and many Customer-issued Credential Records, the Customer or issuer is generally the controller, and McCoy is generally the processor.

Individuals in the EEA, UK, or Switzerland may have the right to access, rectify, erase, restrict, object to processing, data portability, withdraw consent where processing is based on consent, and lodge a complaint with a supervisory authority. You may also object to processing based on legitimate interests and to direct marketing.

To exercise rights for McCoy-controlled processing, contact support@mccoy.org. If your request concerns Customer-controlled data, McCoy may direct you to the relevant Customer or process the request according to the Customer’s instructions. If you have concerns about how an organization uses McCoy Services, you should also contact that organization directly.

International transfers from the EEA, UK, or Switzerland are handled as described in Section 15. Where required, McCoy uses appropriate transfer safeguards such as standard contractual clauses, UK transfer addenda or equivalent mechanisms, and supplementary measures.

26. Other International Privacy Rights

McCoy provides Services globally, and privacy rights vary by jurisdiction. Where applicable, individuals may have rights under laws such as Brazil’s Lei Geral de Protecao de Dados, Canadian federal or provincial privacy laws, Australia’s Privacy Act, New Zealand’s Privacy Act, South Africa’s Protection of Personal Information Act, India’s Digital Personal Data Protection Act, or other national, state, provincial, or sector-specific privacy laws.

Depending on the law that applies, you may have rights to access, correct, delete, anonymize, block, oppose, withdraw consent, receive information about disclosures, request data portability, complain to a regulator, or challenge certain processing. To request assistance, contact support@mccoy.org and include your country or region, the product involved, and whether your request relates to a Customer-controlled workspace or credential.

If local law requires additional notices, mechanisms, representatives, consents, or contract terms for a particular deployment, McCoy may provide them through a customer agreement, data processing addendum, in-product notice, certification program disclosure, consent flow, or other appropriate method.

27. Automated Decision-Making, Profiling, and Learning Analytics

The Services may use automated systems, learning analytics, scoring tools, recommendation systems, fraud detection tools, credential verification systems, and AI-assisted workflows. These features may help generate learning paths, recommend content, estimate mastery, score assessments, flag anomalies, detect credential fraud, verify certificates, prioritize support, or improve user experience.

Automated outputs may be imperfect and may require human review, especially in high-stakes educational, employment, credentialing, or professional contexts. Customers and issuers are responsible for configuring and reviewing automated features appropriately for their programs and legal obligations. Where applicable law gives you the right to object to or obtain human review of certain automated decisions that produce legal or similarly significant effects, you may contact support@mccoy.org or the relevant Customer or issuer.

McCoy does not use learning analytics, Workspace Data, Credential Records, or student data for targeted advertising. Learning analytics and credential analytics are used to provide, secure, measure, and improve the Services and to support Customer-controlled learning, reporting, and credentialing purposes.

28. Communications Preferences

McCoy may send administrative, transactional, service, security, support, billing, credential, and legal communications. These communications are not optional where they are necessary to provide the Services, protect security, administer credentials, or comply with legal obligations.

McCoy may also send marketing communications, newsletters, product announcements, event invitations, and waitlist updates where permitted by law. You can opt out of marketing emails by using the unsubscribe link in the email or contacting support@mccoy.org. Opting out of marketing does not stop transactional or service-related communications.

If mobile applications, push notifications, SMS messages, or similar communication features are offered, you may be able to control them through the application, device settings, message instructions, or communication preferences. Standard carrier rates may apply to SMS or mobile communications.

29. Third-Party Websites, Services, and Content

The Services may link to or integrate with third-party websites, services, products, content, wallets, proctoring tools, identity verification tools, payment processors, AI providers, learning management systems, HR systems, credential platforms, social media services, or customer applications. Third-party services may have their own privacy notices, terms, and security practices.

McCoy is not responsible for the privacy, security, or content practices of third-party services that it does not control. Customers and users should review third-party privacy notices before enabling integrations, sharing data, using connected services, or following links. Where a Customer authorizes a third-party integration, that Customer is responsible for ensuring the integration is appropriate for its users and data.

30. Changes to This Privacy Policy

McCoy may update this Privacy Policy from time to time to reflect changes in products, services, laws, technologies, business operations, or privacy practices. The updated Privacy Policy will be effective on the date stated in the updated version unless a different date is required by law or communicated by McCoy.

If changes are material, McCoy will provide notice by reasonable means, such as posting a notice in the Services, sending an email, notifying Customers, updating the website, or using another method appropriate to the change. Continued use of the Services after an updated Privacy Policy becomes effective means that the updated Privacy Policy applies to information processed after the effective date, subject to applicable law and agreements.

31. Contact Us

For privacy, security, support, or data protection questions, contact McCoy at:

  • McCoy Universe Inc.

  • 1048 Irvine Ave. 451, Newport Beach, CA 92660, United States

  • Privacy, security, and support email: support@mccoy.org

When contacting us, please include enough information for us to understand the request, such as the product involved, the relevant account email, the Customer or workspace name if applicable, the credential or certificate ID if applicable, and the country or state where you are located. Do not include sensitive information in an email unless necessary.

If your request relates to a Customer-controlled workspace, school account, employer account, issuer-controlled credential, or Customer-managed integration, we may refer the request to the relevant Customer or issuer or respond according to that organization’s instructions and the applicable agreement.