Privacy Policy
This Privacy Policy was last updated on February 17, 2026.
1. Introduction
ArcLero (“we,” “us,” or “our”) respects your privacy and is committed to protecting the personally identifiable information (“PII”) of our government and commercial users. This Privacy Policy describes how we collect, use, store, and protect information when you use the ArcLero Learning Management System (“Service”).
This policy applies to all users of the Service, including learners, instructors, and administrators. If your organization has a separate agreement with ArcLero (such as a signed Order or contract), the terms of that agreement control to the extent they conflict with this policy.
2. Information We Collect
We collect information necessary to provide and operate the Service. The types of information we collect fall into the following categories:
| Category | Examples |
|---|---|
| Account Information | Name, email address, job title, organization or agency name, user role |
| Learning Activity Data | Course enrollments, progress, completion status, assessment scores, certificates earned, time spent on activities |
| Authentication Data | Login timestamps, SSO tokens, MFA status |
| Technical Data | IP address, browser type, device type, operating system — collected automatically when you access the Service |
| Customer-Uploaded Content | Course materials, documents, media, and other content uploaded by your organization’s administrators or instructors |
We do not intentionally collect sensitive personal information such as Social Security numbers, financial account numbers, or health information through the Service. If your organization requires fields that may contain sensitive data, your organization is responsible for determining the appropriateness of collecting that information.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Providing the Service — authenticating users, delivering course content, tracking learning progress, generating reports, and issuing certificates
- Platform operations — maintaining system performance, troubleshooting issues, and providing technical support
- Security — detecting and preventing unauthorized access, fraud, and other malicious activity
- Compliance — fulfilling audit logging requirements and responding to lawful requests from your organization’s administrators
- Improvement — using aggregated, de-identified usage data to improve platform features and performance (this data cannot be used to identify individual users)
We do not sell, rent, or trade user data to third parties. We do not use your personal information for advertising or marketing by third parties. We do not use your data to build profiles for purposes unrelated to the Service.
4. When We Share Information
We share personal information only in the following limited circumstances:
- With your organization — your employer or agency administrators can access your learning records, progress, and account information through the Service’s reporting and administration features. This is the primary way your data is accessed.
- Service providers — we use a limited number of third-party providers to host and operate the Service (primarily Amazon Web Services). These providers are selected for their security practices and are subject to agreements that restrict how they may use your data.
- Legal requirements — we may disclose information if required by law, regulation, subpoena, court order, or other governmental request. When permitted, we will notify the affected Customer organization before making such a disclosure.
We do not share personal information with third parties for their own marketing or commercial purposes.
5. Data Hosting & Security
All data is hosted within the United States on Amazon Web Services GovCloud (US) regions. Our infrastructure adheres to FedRAMP Moderate baseline security controls.
We protect your data with the following measures:
- FIPS 140-2 validated encryption for data in transit (TLS 1.2+) and at rest (AES-256)
- Multi-factor authentication and role-based access controls
- Immutable audit logging of all user actions and administrative changes
- Regular vulnerability scanning and security monitoring
- Access to Customer Data limited to authorized ArcLero personnel on a need-to-know basis
While we implement strong safeguards, no system is 100% secure. If we become aware of a security breach affecting your personal information, we will notify your organization’s designated contact without unreasonable delay.
6. Data Retention
We retain Customer Data for the duration of the Customer’s subscription. When a subscription ends, we make data available for export for a reasonable period, after which it is securely deleted from our production systems. Data in backups is removed through the normal rotation cycle.
Audit logs may be retained for a longer period as required by applicable compliance frameworks or as specified in your organization’s agreement with ArcLero.
7. Cookies
We use a limited number of cookies to operate the Service:
- Essential cookies — required for authentication and maintaining your login session. The Service cannot function without these. These are not optional.
- Analytics cookies — used to understand how users interact with the platform so we can improve performance and usability. Analytics data is used in aggregate form.
We do not use advertising cookies or third-party marketing cookies. We do not track users across other websites.
8. Education Records
When ArcLero processes education records on behalf of an educational agency or institution, we do so as a “school official” under the Family Educational Rights and Privacy Act (FERPA). Our handling of education records is governed by the FERPA provisions in our Terms of Service and any applicable agreement with the Customer organization.
We do not use education records for any purpose other than providing the Service as directed by the Customer. We do not redisclose personally identifiable information from education records except as directed by the Customer or as required by law.
9. Your Rights
Because ArcLero provides the Service to organizations (not directly to individual consumers), your organization controls the personal data within the platform. To exercise your rights regarding your personal data, you should first contact your organization’s LMS administrator.
You or your organization may:
- Access — request a copy of the personal data we hold about you
- Correct — request correction of inaccurate information (administrators can update most fields directly in the platform)
- Export — request an export of your data in a standard format
- Delete — request deletion of your personal data, subject to any legal or contractual retention requirements
If your administrator is unable to assist, or if you have concerns about how your data is handled, you may contact ArcLero directly at the address below. We will respond to requests within a reasonable timeframe.
10. Children’s Privacy
The Service is intended for use by organizations and their adult employees or authorized learners. We do not knowingly collect personal information from children under 13. If a Customer organization uses the Service for learners under 13, the Customer is responsible for obtaining any required parental consent and ensuring compliance with the Children’s Online Privacy Protection Act (COPPA). If we learn that we have collected personal information from a child under 13 without appropriate consent, we will take steps to delete that information promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes, we will update the “Last Updated” date at the top of this page. For material changes, we will provide notice to Customer organizations through the Service or by email. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.
12. Contact Us
If you have questions or concerns about this Privacy Policy or how your data is handled, contact us: [email protected]