Skip to main content
Skip to main contentSkip to navigationSkip to programs

Privacy Policy

How we collect, use, and protect your information across the CovCyber Institute training platform.

Updated: April 22, 2026

This Privacy Policy explains how CovCyber Institute ("CovCyber", the "Institute", or the "Platform") collects, uses, and protects information when you interact with our training, assessment, mentorship, and career-services platform. It applies to students and applicants, mentors, employer-partner users, workforce-development organization ("WDO") tenant users, and other visitors across the jurisdictions where the Platform is accessible, subject to applicable local laws.

1. Who operates this service

The Platform is operated by CovCyber Institute (together with its affiliates, officers, directors, employees, and agents, "we", "us", or "our"). References to "you" or "your" mean the individual user of the Platform and, where applicable, the organization you represent.

For most personal data processed through the Platform, CovCyber acts as an independent data controller, meaning that we determine the purposes and means of processing your personal data when you interact directly with the Platform.

Where the Platform is accessed through a WDO tenant sub-portal, the WDO tenant organization may act as an independent or joint controller for personal data that it, its staff, or its case managers submit on behalf of participants (for example, program eligibility information, case-management notes, referral records, or outcome reporting data). In those cases, the WDO tenant's own privacy notice and any signed data-sharing arrangement between CovCyber and the WDO tenant apply in addition to this Policy.

In limited cases where we process personal data solely on the documented instructions of a customer or partner (for example, when an employer partner uses the Platform to upload information about its own candidates, or a WDO tenant instructs us to process specific case records on its behalf), we may act as a data processor (or equivalent term under applicable law). In those cases, our processing is further governed by the data processing terms in the applicable agreement with that customer or partner.

2. Information we collect

The information we collect depends on how you use the Platform. In general, we may collect the following categories of data:

  • Account and profile information: Your name, email address, phone number, mailing address, date of birth, preferred pronouns (optional), organization or employer, job title or role, and other basic profile data when you create or manage an account.
  • Application and eligibility information: Information you submit when you apply to a program, including educational background, work history, resume, program preferences, goals, WIOA eligibility details where applicable, veteran status, dislocated-worker status, and any demographic information required for funded workforce programs.
  • Assessment and learning data: Your responses, scores, and progress on screening assessments, course work, labs, quizzes, and certifications, including content delivered through our third-party learning management system (TalentLMS).
  • Mentor-session and communication data: Metadata and, where you or your mentor expressly consent, recordings or transcripts of mentor sessions held through our video provider (Agora), plus chat messages, support tickets, admin comments, and other communications you exchange through the Platform.
  • Accessibility and accommodation data: Information you voluntarily provide when requesting accommodations or accessibility support, handled in accordance with applicable disability, privacy, and confidentiality laws.
  • Authentication and security data: Login timestamps, authentication factors (for example, multi-factor enrollment metadata), session identifiers, IP address, and related security logs used to help protect your account and our systems.
  • Transactional data: High-level information about tuition, deposits, installment plans, refunds, and other payments processed by our third-party payment provider (Stripe), such as amounts, currencies, plan status, and payment status. We do not store full payment-card numbers on the Platform.
  • Career-services and employment data: Information related to job search, employer introductions, interview outcomes, offers, placements, starting wages, and post-program employment status, some of which may be required for program reporting obligations.
  • Usage and device data: Technical logs and limited analytics such as browser type, device characteristics, operating system, referring URLs, pages viewed, timestamps, and diagnostic information used to monitor reliability, performance, and security.
  • Communications: Content of messages you send us by email, the in-platform contact form, or other channels, and related communications about your application, enrollment, courses, mentor sessions, and support requests.

In addition to information you provide directly and data generated by your use of the Platform (such as logs), we may also receive limited personal data about you from:

  • WDO tenant organizations that refer you into a program or upload eligibility, enrollment, or case-management data about you;
  • Employer partners who invite you to apply, submit you as a candidate, or provide feedback after interviews or placements;
  • Third-party providers such as identity, authentication, and payment services, which may confirm information like successful login, identity verification status, or payment outcome; and
  • Government workforce agencies or program funders, where data exchange is required or authorized by law for grant eligibility or outcome verification.

We use this information only for the purposes described in this Privacy Policy and subject to any applicable contractual limitations.

3. How we use your information

We use the information we collect for purposes including:

  • Operating, maintaining, and improving the Platform and its learning, assessment, mentorship, and career-services features.
  • Creating and managing your account, verifying your identity, authenticating you, and helping keep the Platform secure.
  • Processing applications, evaluating screening assessment results, placing you into an appropriate cohort or program, and managing enrollment and program progression.
  • Delivering courses and labs, tracking learning progress, issuing certifications, and coordinating mentor sessions.
  • Providing career services, including matching you with employer-partner opportunities, facilitating introductions and interviews, and supporting job placement.
  • Communicating with you about your application, enrollment, courses, schedule, mentor sessions, invoices, and support requests.
  • Responding to accommodation and accessibility requests, and supporting student success, retention, and well-being.
  • Using a limited AI-assisted screening workflow (powered by OpenAI) to help review and summarize application and assessment responses; human reviewers remain responsible for admissions decisions.
  • Meeting program-reporting, compliance, grant-administration, and audit obligations, including WIOA and other federal or state workforce program requirements, and corresponding obligations to WDO tenants and funders.
  • Detecting, investigating, and preventing incidents, abuse, fraud, academic dishonesty, harassment, and security threats.
  • Complying with legal obligations, enforcing our Terms of Service, and protecting our rights and those of our students, staff, mentors, and partners.
  • Conducting internal analytics and program evaluation in a privacy-respectful manner.

We do not use your personal data to make solely automated decisions that produce legal effects or similarly significant effects about you (for example, we do not use fully automated decision-making to approve or deny admission, determine tuition, or terminate enrollment). AI-assisted tools may help organize or summarize information, but meaningful human review remains part of any material decision. If we introduce such features in the future, we will update this Privacy Policy and, where required by law, provide you with additional information and choices.

Where applicable law (such as the EU/EEA/UK General Data Protection Regulation, "GDPR") requires a legal basis for processing, we generally rely on one or more of the following bases:

  • Contract: Processing necessary to provide the Platform and related educational services under our agreement with you or the organization that enrolled you, including application, enrollment, course delivery, mentor sessions, assessments, and career services.
  • Legitimate interests: Processing necessary for our legitimate business interests, such as securing the Platform, improving programs, supporting student success, preventing abuse, and conducting program evaluation, where those interests are not overridden by your rights and interests.
  • Legal obligation: Processing necessary to comply with applicable laws, regulations, and lawful requests from public authorities, including workforce-program reporting obligations such as those under the Workforce Innovation and Opportunity Act (WIOA) and corresponding state rules.
  • Consent: Where required by law (for example, certain types of optional communications, sensitive or special-category data, mentor-session recording, or non-essential cookies), we may rely on your consent. You can withdraw your consent at any time, without affecting processing that occurred before withdrawal.
  • Vital or public interest: In limited cases, processing may be necessary to protect someone's vital interests or to perform a task carried out in the public interest, such as responding to a safety emergency or cooperating with lawful government program audits.

5. How we share information

We do not sell your personal information. We may share information in the following situations:

  • Infrastructure and hosting β€” Supabase: Our primary database, authentication, and storage infrastructure is hosted with Supabase, which processes data on our behalf under appropriate data-processing terms.
  • Learning management β€” TalentLMS: Course content, progress, completion, and certification data are delivered and tracked through TalentLMS, our third-party learning management system.
  • Video mentorship β€” Agora: Live video mentor sessions, coaching meetings, and similar real-time interactions are powered by Agora; session metadata and, with consent, recordings may be processed through Agora's infrastructure.
  • AI-assisted screening β€” OpenAI: Certain application-review, assessment-summarization, and content-moderation tools use OpenAI APIs. Inputs sent to these tools are limited to what is needed for the specific task, and we rely on OpenAI's enterprise data-handling terms which restrict use of inputs for model training.
  • Payments β€” Stripe: Tuition, deposits, installment plans, and other payments are processed by Stripe. Stripe has its own privacy policy and terms that apply to your payment information.
  • Other service providers: Carefully selected vendors that provide email delivery, logging, error monitoring, analytics, customer support tooling, and other operational services, acting as processors under appropriate agreements.
  • WDO tenant organizations: Where you access the Platform via a WDO tenant sub-portal or are referred into a program by a WDO tenant, we share relevant application, eligibility, enrollment, progress, and outcome data with that WDO tenant as an independent or joint controller for the purpose of case management and program administration.
  • Employer partners: With your awareness and, where required, your consent, we may share relevant resume and profile information, program outcomes, and interview status with employer partners for the purpose of candidate matching, job placement, and recruitment.
  • Government and workforce agencies: Where required by law, grant agreement, or WIOA and similar workforce-program rules, we share participant, eligibility, and outcome data with federal, state, and local workforce agencies, program funders, and their auditors.
  • Legal and safety: When we believe disclosure is necessary to comply with applicable law, regulation, legal process, or a valid government request; to enforce our Terms of Service; to protect the rights, property, or safety of CovCyber, our students, staff, or others; or to detect, prevent, and address fraud, security, or technical issues.
  • Business transfers: In connection with a merger, acquisition, reorganization, or asset sale, where permitted by law and subject to appropriate safeguards, including notice where required.

6. International data transfers

The Platform is primarily operated from, and stores data within, the United States. However, your information may also be processed in other countries where our service providers or support personnel are located (for example, where a sub-processor operates infrastructure or support centers outside the U.S.). As a result, your information may be transferred across borders and processed in jurisdictions that may not offer the same level of data protection as your home country.

Where required by applicable law, we take steps to help protect such transfers, for example by using appropriate contractual safeguards (such as the European Commission's Standard Contractual Clauses or the UK International Data Transfer Addendum), relying on recognized adequacy frameworks where available, and limiting access to personal data to personnel and service providers who need it for legitimate business purposes.

7. Regional information and rights

7a. Users in the United States

Several U.S. state laws, including the California Consumer Privacy Act as amended ("CCPA/CPRA") and comparable laws in Colorado, Connecticut, Utah, Virginia, and other states, give residents specific rights over their personal information. Depending on your state, you may have rights such as:

  • The right to know what categories of personal information we collect, use, and disclose.
  • The right to access specific pieces of personal information we hold about you.
  • The right to request correction or deletion of certain personal information, subject to legal exceptions.
  • The right to opt out of the "sale" or "sharing" of personal information for cross-context behavioral advertising, where applicable.
  • The right to limit the use or disclosure of sensitive personal information, where applicable.
  • The right not to be subject to unlawful discrimination for exercising your rights.

We do not sell personal information, and we do not "share" personal information for cross-context behavioral advertising, as those terms are commonly defined in CCPA-style laws.

Student education records may also be subject to additional protections. While CovCyber Institute is a private training organization and is not a "school" within the meaning of the federal Family Educational Rights and Privacy Act (FERPA) in most contexts, we aim to handle student records with a comparable level of care, and FERPA rules may apply where we handle data on behalf of a covered educational institution or a funded workforce-development program subject to similar requirements.

If you are a resident of a U.S. state with a comprehensive privacy law, you may have some or all of the following rights, subject to applicable exceptions:

  • Request access to or a copy of the personal information we hold about you;
  • Request deletion of certain personal information;
  • Request correction of inaccurate personal information;
  • Receive information about the categories of personal information we collect, use, and disclose;
  • Opt out of certain types of processing where applicable (for example, targeted advertising or certain types of profiling); and
  • Appeal a decision where we decline to act on a request, where that right is provided by law.

To submit a request, please use our Privacy Request Form or contact us via the contact details on our Contactpage, and clearly describe your request and the state in which you reside. We may need to verify your identity before responding and will respond within the timeframe required by applicable law.

7b. Users in the EU/EEA, UK, and other GDPR-style jurisdictions

If the GDPR, UK GDPR, or similar laws apply to you, you may have the following rights, subject to the conditions and limitations set out in law:

  • Right of access to the personal data we hold about you.
  • Right of rectification of inaccurate or incomplete personal data.
  • Right to erasure ("right to be forgotten") in certain circumstances.
  • Right to restriction of processing in certain circumstances.
  • Right to data portability, where technically feasible.
  • Right to object to certain types of processing, including direct marketing or processing based on legitimate interests.
  • Right to withdraw consent where processing is based on your consent.
  • Right to lodge a complaint with a supervisory authority in your country or region.

To exercise these rights, please contact us using the details provided on our Contactpage, or submit a request through our Privacy Request Form. We will review and respond to your request in accordance with applicable law.

7c. Users in India

For users located in India, personal data may be processed in accordance with applicable Indian data protection and information-technology laws, including the Digital Personal Data Protection Act, 2023 ("DPDP Act") as implemented. You may have rights of access and may request the correction, updating, or erasure of certain personal data, subject to applicable legal and retention requirements.

CovCyber Institute does not currently operate a separate Indian contracting entity; where Indian law nonetheless applies to our processing of your personal data, we will work in good faith to honor your rights under that law.

To exercise your rights under Indian law or raise grievances, please contact us through our Contact page and indicate that your request relates to the India region so that it may be routed appropriately, including to a designated grievance officer where required by law. We will respond within the timeframe required by applicable law.

8. Security, DORA-style resilience, and incident handling

We use reasonable technical and organizational measures designed to protect the Platform and the information we process against unauthorized access, loss, misuse, or alteration. While no online service can guarantee absolute security, we aim to design the Platform against modern security expectations and, where applicable, frameworks such as the EU Digital Operational Resilience Act ("DORA")-style resilience principles.

Measures may include role-based access controls, database row-level security (RLS), encryption in transit, environment segregation, logging and monitoring, vendor review, and periodic review of our infrastructure and dependencies. We also maintain procedures designed to help us detect, assess, and respond to suspected security incidents. Where required by law, we will notify you and/or relevant authorities of certain data breaches without undue delay.

9. Data retention

We retain personal information for as long as necessary to provide the Platform, support your application, enrollment, courses, and career services, meet our contractual and legal obligations, resolve disputes, and enforce our agreements. Retention periods vary based on the type of data and the context in which it was collected.

Longer retention periods may apply to student records, transcripts, certifications, financial records, and data processed under WIOA or similar workforce-program rules, where applicable law, grant agreements, or audit obligations require us (or our WDO tenants and funders) to retain records for multi-year periods.

When information is no longer needed, we may delete or anonymize it, subject to any legal, regulatory, or contractual requirement to retain it for longer.

10. Cookies and similar technologies

The Platform uses cookies and similar technologies (such as local storage) to support essential functionality such as session management, security, and user preferences. Where additional third-party analytics or tracking tools are enabled, we use them in a way designed to respect applicable consent requirements (for example, by displaying our cookie/consent banner in certain regions).

Today, the Platform primarily uses cookies and similar technologies for:

  • Essential functionality such as authentication, session management, and security;
  • Remembering basic preferences such as language, theme, or layout; and
  • Limited analytics to understand Platform reliability and usage, subject to your consent where required.

Where our cookie/consent banner appears, you can accept, reject, or customize non-essential categories. Your preferences are recorded and can be changed at any time via the banner controls or your account settings.

Depending on your browser, you may also be able to control or block certain cookies through your browser settings. Doing so may affect some features of the Platform.

11. Children's privacy

The Platform is intended for adults aged 18 and older. We do not knowingly allow persons under 18 to create accounts or enroll in programs through the Platform. We do not knowingly collect personal information from children under the age of 13, and we handle the Platform consistent with the U.S. Children's Online Privacy Protection Act ("COPPA") and comparable laws.

If you believe that a minor has provided us with personal information without appropriate consent, please contact us through our Privacy Request Form so we can take appropriate steps to remove the information and close any associated account.

12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Updated" date at the top of this page and may provide additional notice within the Platform where appropriate. Your continued use of the Platform after an update indicates that you have read and understood the updated policy.

13. Contact

If you have questions about this Privacy Policy, how we handle personal information, or if you would like to exercise your privacy rights under laws such as the GDPR, CCPA-style laws, the Indian DPDP Act, or similar frameworks, please contact us through our Contactpage, or submit a request directly via our Privacy Request Form.

For purposes of data-protection laws that recognize a "data controller", the controller is CovCyber Institute. Where the Platform is accessed via a WDO tenant sub-portal, the WDO tenant organization identified in that tenant's own notices and agreements may act as an independent or joint controller for certain data. If you are unsure which entity is responsible for your information, you can contact us through our Contact page and we will route your request appropriately.

Where local law requires us to designate a specific representative, grievance officer, or data-protection contact (for example, a grievance officer in India or a representative in the EU/UK), we will provide those details on request or in a regional annex to this Privacy Policy.

When you contact us to exercise your privacy rights, we may need to verify your identity before responding. We will respond within the timeframes required by applicable law and will let you know if we need additional information. Some rights may be subject to legal limitations or exceptions; if we are unable to fulfill a request in full, we will explain the reasons to the extent permitted by law.

This Privacy Policy is provided for informational and contractual purposes only and does not constitute legal advice. You should consult your own legal counsel to understand how these concepts apply to your specific situation or regulatory obligations.