Open Credits Privacy Policy
Operated by Vi Pi International Inc., Last Updated: April 2026
Open Credits ("Open Credits," "we," "us," or "our"), a product and service of Vi Pi International Inc., is committed to protecting the privacy, security, and integrity of personal data, including student information, institutional records, and user data processed through our platform.
This Privacy Policy explains how we collect, use, store, protect, and share information in compliance with applicable laws, including FERPA (34 CFR §99), COPPA, New York Education Law §2-d, GDPR (EU/EEA/UK), CCPA/CPRA, and applicable NIST security frameworks (800-53, 800-171, 800-88).
1. Scope of This Policy
This Policy applies to students using Open Credits, parents and legal guardians, educational institutions and administrators, and all users accessing our platform. It covers both individual and institution-managed accounts.
2. Information We Collect
2.1 Student and Academic Data
- Name, date of birth, and contact details
- Course enrollments, credits, grades, transcripts
- Academic progress and transfer records
2.2 Account and Technical Data
- Login credentials (securely hashed)
- Device, browser, IP address
- Session logs and access history
2.3 Institutional Data
- Enrollment and authorization records
- Administrative access logs
- System usage data tied to institutions
We do not collect sensitive health, biometric, or financial data unless explicitly authorized by an institution and permitted by law.
3. How We Use Information
We use data to provide credit transfer and academic support services, manage transcripts, facilitate institutional collaboration, improve platform performance, ensure security and prevent fraud, and comply with legal obligations. We do not sell or rent personal or student data.
4. Legal Basis for Processing
Contract performance (GDPR Art. 6(1)(b)); legal obligations (FERPA, NY §2-d, GDPR Art. 6(1)(c)); legitimate interests (security, system integrity); consent (COPPA, EU analytics or optional features).
5. Children's Privacy and Minor Users
Under 13 (COPPA): Verifiable parental consent required unless covered by school exception. No advertising or behavioral profiling. Strictly educational use only. Consent logs retained for 6 years.
Ages 13 to 17: No advertising or profiling. Limited analytics only with institutional approval. FERPA parental rights apply where applicable.
6. Data Security
Infrastructure: Hosted on Google Cloud Platform (U.S. regions only); SOC 2 Type II, ISO 27001/27017/27018 compliant; fully isolated tenant architecture.
Encryption: AES-256 at rest, TLS 1.2+/1.3 in transit, mTLS between services, key management via GCP KMS (90-day rotation).
Access Controls: Multi-factor authentication required, role-based access control, full audit logs retained for 6 years.
Monitoring: 24/7 SIEM monitoring, intrusion detection, WAF and DDoS protection.
7. Data Sharing and Vendors
We share data only with educational institutions, authorized personnel, and subprocessors under strict Data Processing Agreements. All vendors must maintain SOC 2 or equivalent certification and follow FERPA, COPPA, and GDPR obligations. We do not sell data.
8. International Data Transfers
For EU/EEA/UK users: Standard Contractual Clauses (SCCs), UK International Data Transfer Addendum, strong encryption and access controls. Data is primarily stored in the United States. Users have GDPR rights including access, correction, deletion, portability, and objection.
9. Data Retention and Deletion
Academic records: 10 years. Student PII: 7 years after account closure. Audit logs: 6 years. Consent records: 6 years. Technical logs: 1 year. Backups: 7-day rolling retention.
Secure deletion follows NIST 800-88 standards (cryptographic erasure, secure overwrite, encrypted volume destruction). Data may be retained longer if required by legal, regulatory, or institutional obligations.
10. Incident Response and Breach Notification
We maintain a formal Incident Response Plan: Detection → Analysis → Containment → Notification → Eradication → Recovery → Post-incident review.
Notification timelines: NY institutions within 24 hours; affected users within 7 business days; GDPR authorities within 72 hours; FERPA without unreasonable delay. All incidents are logged and retained for 6 years.
11. User Rights
Depending on jurisdiction, users may access personal data, request corrections or deletion, restrict processing, request portability, withdraw consent, or object to processing (GDPR). Requests: team@opencredits.org. Response time: 30 to 45 days depending on law.
12. Institutional Oversight and Audit Rights
Institutions may audit data processing systems, review vendor compliance, request DPIAs and ROPA reports, inspect security documentation, and access breach summaries. Audit records are retained for 6 years.
13. Cookies and Tracking
Essential: Authentication, security, session management. Functional: Preferences and settings. Analytics: Anonymous usage data only, no advertising or profiling, IP anonymization enabled. COPPA: analytics disabled for under-13 users. GDPR: consent required in EU/EEA. CCPA: opt-out supported.
14. Data Protection Impact Assessments (DPIA) and ROPA
We maintain Records of Processing Activities (ROPA), quarterly internal audits, and annual penetration testing. DPIAs are conducted for new features involving sensitive data, international transfers, and high-risk processing systems.
15. Policy Updates
We may update this Policy periodically. Material changes: 30 days notice. Operational updates: in-platform notice. Emergency updates: immediate notification. Where required, continued use may constitute acceptance.
16. Contact Information
Open Credits (Vi Pi International Inc.)
10325 Stern Avenue, Cupertino, CA 95014, United States
team@opencredits.org
Subject lines: Privacy request · FERPA request · GDPR request · Institutional audit request
Appendix A, New York Education Law §2-D Parents' Bill of Rights
Parents and eligible students have the right to access and review education records, request corrections, be informed of data security practices, receive breach notifications, know what data is collected and shared, and file complaints with NYSED. Open Credits does not sell student data and only shares it with authorized educational institutions and compliant vendors.