Privacy Policy

1. Introduction

NextBix ("we," "us," "our") provides a Learning Management System (LMS) platform to business customers. This Privacy Policy explains how we handle personal data in connection with our services and clarifies our role as a data processor.

2. Scope

This policy applies to the processing of personal data through our LMS platform. Our platform is designed for business-to-business (B2B) use, not for direct consumer services.

3. Data Controller and Processor Roles

NextBix acts as a data processor. This means:

• Our customers (businesses or organizations that subscribe to the LMS) are the data controllers
• The data controller determines what personal data is collected, why it is collected, and how it is used
• NextBix processes personal data solely on behalf of and according to the instructions of the data controller
• All data entered into the platform is owned and controlled by our customers

If you are an end user accessing the LMS through your employer or organization, that entity is the data controller responsible for your personal data. Please contact them directly for questions about how your data is used.

4. Personal Data We Process

On behalf of our customers, we may process the following categories of personal data:

• User Account Information: Name, email address, username, role/position
• Learning Activity and Progress: Course enrollment, completion status, quiz results, certificates earned, learning paths
• Authentication Data: Login sessions, password hashes (encrypted), multi-factor authentication tokens
• Technical and System Logs: IP addresses, device type, browser information, access timestamps, error logs
• Content Data: Uploaded files, documents, videos, and other learning materials (as determined by the customer)

5. Purpose of Processing

NextBix processes personal data solely to:

• Provide and operate the LMS platform as subscribed by our customers
• Maintain system security, performance, and availability
• Provide technical support and customer service to our business customers
• Comply with legal obligations and enforce our Terms of Service
• Improve and develop our services (in an anonymized or aggregated manner where possible)

We do not use personal data for marketing, advertising, or purposes unrelated to the provision of our LMS platform.

6. Legal Basis for Processing

As a data processor, we process personal data based on our contractual relationship with our customers (the data controllers). The legal basis for processing is typically determined by the data controller and may include:

• Contractual necessity (to provide the LMS service)
• Legitimate interests (system security and service improvement)
• Legal obligations (compliance with applicable laws)
• Consent (where required and obtained by the data controller)

7. Data Sharing and Sub-Processors

NextBix does not sell, rent, or trade personal data. We may share data with trusted service providers (sub-processors) who assist in operating our platform, including:

• Cloud Infrastructure Providers: Microsoft Azure (hosting, storage, and infrastructure services)
• Content Delivery Networks: Bunny CDN (video and content delivery)

All sub-processors are contractually obligated to maintain appropriate security and confidentiality standards. A complete list of sub-processors is available in our Data Processing Agreement.

8. Data Security

NextBix implements appropriate technical and organizational measures to protect personal data against unauthorized access, loss, alteration, or disclosure, including:

• Encryption of data in transit (HTTPS/TLS) and at rest
• Access controls and authentication mechanisms
• Regular security monitoring and logging
• Employee training on data protection and confidentiality
• Incident response and breach notification procedures

9. Data Retention

Personal data is retained according to the instructions of our customers (the data controllers) and as specified in our contractual agreements. Upon termination of a customer's subscription, data is either returned to the customer or securely deleted, as agreed upon in the contract and Data Processing Agreement.

10. Data Subject Rights

As an end user of the LMS platform, you have certain rights regarding your personal data under applicable data protection laws (such as GDPR or similar regulations), which may include:

• Right to access your personal data
• Right to correct inaccurate or incomplete data
• Right to request deletion of your data
• Right to restrict or object to certain processing activities
• Right to data portability

To exercise these rights, please contact your employer or the organization that provided you access to the LMS (the data controller). As a data processor, NextBix will assist the data controller in responding to such requests.

11. International Data Transfers

Personal data may be processed and stored in cloud environments located in various jurisdictions. When data is transferred internationally, we ensure that appropriate safeguards are in place, such as:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Use of infrastructure providers certified under relevant data protection frameworks
• Compliance with applicable data protection laws in each jurisdiction

12. Cookies and Tracking

Our platform uses only essential cookies required for authentication, session management, and security. We do not use analytics, advertising, or tracking cookies. For more information, please see our Cookie Policy.

13. For Canadian Customers (PIPEDA)

Compliance with Canadian Privacy Law

NextBix is committed to protecting the privacy of Canadian customers and end users in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. This section explains our privacy practices specific to Canadian users.

Reasonable and Appropriate Collection

We collect personal information only for purposes that are reasonable, appropriate, and directly related to providing our LMS platform services. These purposes include:

• Providing secure access to the learning platform
• Tracking learning progress and achievements
• Delivering training content and certifications
• Maintaining security and preventing unauthorized access
• Providing customer support and troubleshooting

We limit collection to what is necessary for these purposes and do not collect personal information indiscriminately or for unrelated purposes.

Your Consent

Under PIPEDA, we obtain your consent to collect, use, and disclose your personal information. The type of consent depends on the sensitivity of the information and the context:

• Express Consent: When you create an account or accept our Terms of Service, you provide express consent for us to collect and process your personal information for the purposes described in this policy
• Implied Consent: Your continued use of the LMS platform indicates your ongoing consent to our privacy practices, particularly for routine operational activities like session management and security logging
• Withdrawal of Consent: You may withdraw your consent at any time by contacting your organization's administrator (the data controller) or our Privacy Officer. However, withdrawing consent may limit or prevent your ability to use the platform

Access and Correction Rights

You have the right to access your personal information held by NextBix and request corrections if it is inaccurate or incomplete. To exercise these rights:

• End Users: Contact your employer or the organization that provided you access to the LMS, as they are the primary data controller for your information
• Direct Customers: Submit a written request to our Privacy Officer (contact details below)

We will respond to your request within 30 days and provide you with:

• Access to your personal information in a readily understandable format
• Information about how your data is being used and to whom it has been disclosed
• The opportunity to correct any inaccuracies or update incomplete information

In limited circumstances (e.g., if information is protected by legal privilege or would reveal confidential commercial information), we may not be able to provide access. If we deny access, we will explain the reason and inform you of your right to challenge the decision.

Privacy Officer Contact

NextBix has designated a Privacy Officer responsible for ensuring compliance with PIPEDA and handling privacy-related inquiries, complaints, and access requests. You can contact our Privacy Officer at:

Filing a Complaint

If you believe your privacy rights under PIPEDA have been violated, you may:

1. Contact our Privacy Officer first to attempt to resolve the issue
2. If not satisfied with our response, file a complaint with the Office of the Privacy Commissioner of Canada:
   • Website: www.priv.gc.ca
   • Phone: 1-800-282-1376 (toll-free in Canada)
   • Email: [email protected]

14. Changes to This Policy

NextBix may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings. We will notify our business customers of material changes. The "Effective Date" at the top of this policy indicates when it was last updated.

15. Contact Information

For privacy-related inquiries, questions about this policy, or to exercise data protection rights (as applicable), please contact:

Note: If you are an end user accessing the LMS through your employer or organization, please contact them first for data-related requests, as they are the data controller.