1) Who are we?

We are Cambridge University Press & Assessment, but you may know us as Cambridge.

Everyone at Cambridge wants you to know that your personal information is in safe hands. This Privacy Notice explains what information about you we collect, what we do with it, and how you can control it.

Cambridge is the data controller of your personal information under applicable data protection law globally including but not limited to the EU and UK General Data Protection Regulation (GDPR), the Australian Privacy Act 1988, the Chinese Personal Information Protection Law (PIPL), and the California Consumer Privacy Act (CCPA).

This privacy notice is intended to provide you with information about how we process your personal information when we are acting as a data controller. However, in the context of certain services, or in relation to your use of them, we may not be the controller of your personal information. In such cases, information about how your data is processed will be provided to you by the relevant party through their separate privacy notice.

This Privacy Notice explains how Cambridge uses your personal information when you interact with us directly, for example when you use our websites, purchase our products and services, create an online account, or contact us with a question. If you are a candidate or learner taking a Cambridge assessment or qualification, you should also read our separate Candidate Privacy Notice, which explains in more detail how we use personal information in connection with assessments, results and related services.

This Privacy Notice may change over time. The date of the most recent update to this notice will be reflected in the “Last Updated” field.

Please note that some Cambridge websites or services may have separate privacy notices.

2) Contact Information

If you have any questions about this Global Privacy Notice, how Cambridge collects and processes your personal information, or if you wish to exercise any of your data protection rights, please contact our dedicated Privacy Team or our data protection officer.

Privacy Team

• Email us at: privacy@cambridge.org
• Write to us at: Privacy Team at Cambridge University Press & Assessment, Shaftesbury Road, Cambridge, CB2 8EA, United Kingdom

Data Protection Officer: Trilateral Research Ltd

• Email: dpo@admin.cam.ac.uk
• Write to Data Protection Officer at: Trilateral Research Ltd, 1 Knightsbridge Green, London SW1X 7QA

3) What personal information does Cambridge collect, process and how?

Cambridge is committed to being transparent about how your personal information is used and will only collect and process the personal information we need as set out in this privacy notice. We collect personal information in several ways, including directly from you, automatically when you use our digital platforms, and sometimes from third parties.

The information below outlines the general categories of personal information we collect, the purpose for which we process it, and the legal basis we rely on to do so.

Please note: personal data categories may be used across multiple purposes described below. The information is intended to provide a transparent overview rather than to suggest that specific data items are used only for a single purpose.

Information we collect from you directly (e.g., when you register for an account, subscribe to services, order a product, contact us, or attend an event):

Contact & account information

• Examples of Personal Information Collected: Contact & account information including name, email address, phone number(s), billing/delivery address, social media handle, log-in details (username, passcode), title, marital status, age, sex (optional), interests, preferences, and feedback.
• Purpose(s) for Processing: To register you as a customer or candidate, manage your account, process orders, manage and collect payments, provide service updates (e.g., terms changes), reply to your communications, and manage event attendance (including dietary/accessibility
• Lawful basis for processing: Performance of a contract with you or in order to take steps at your request before entering into a contract.

Communications information

• Examples of Personal Information Collected: content of emails, texts, calls, letters, in-person conversations, and survey responses.
• Purpose(s) for Processing: To reply to you, troubleshoot issues, administer forms/surveys, and manage our relationship.
• Lawful basis for processing: Legitimate Interests in helping you use our products/services and understanding how to improve them.

Payment information

• Examples of Personal Information Collected: bank account or payment card details, transaction history. (Note: We generally do not see full payment card details; this is handled by our secure payment provider).
• Purpose(s) for Processing: To process and manage payments and comply with financial regulations.
• Lawful basis for processing: Performance of a contract and legal compliance.

Event & promotion entry information

• Examples of Personal Information Collected: attendance details, dietary requirements, event surveys/feedback, entry information for competitions or prize draws (e.g., answers to an entry form).
• Purpose(s) for Processing: To organise and manage events, competitions, prize draws, and promotions, and to gather feedback.
• Lawful basis for processing: Performance of a Contract (e.g., specific competition terms) and Legitimate Interests in managing and improving our events and promotions.

Information we collect automatically (e.g., when you browse our website, interact with our emails, or use our digital platforms)

Technical information

• Examples of Personal Information Collected: Internet Protocol (IP) address, login information, browser type/version, device IDs (e.g., IFA code, Android ID), operating system, time zone, file/software names.
• Purpose(s) for Processing: To ensure content is presented effectively, understand how users interact, improve the website, implement security measures, and detect/prevent exam malpractice.
• Lawful basis for processing: Legitimate interests in administering and securing our business, website, and services.

Information about your visit & behaviour

• Examples of Personal Information Collected: full URL clickstream, pages/services viewed, response times, download errors, length of visits, page interaction (scrolling, clicks), content consumption, email opens/clicks, traceable campaign links.
• Purpose(s) for Processing: To understand user interests, develop insights, improve our products/services, and inform our marketing strategy.
• Lawful basis for processing: Legitimate Interests in continual learning, business growth, and improving customer experiences. Consent for non-essential cookies and tracking technologies (see our Cookie Notice).

Location information

• Examples of Personal Information Collected: coordinates, full or partial IP address, device ID.
• Purpose(s) for Processing: To deliver location-specific content/services and check for fraudulent transactions.
• Lawful basis for processing: Consent (where required by law or device settings) and Legitimate interests in securing our transactions.

Information for marketing, news, and updates

• Examples of Personal Information Collected: Contact information, marketing preferences (opt-in/out status, specific preferences), and data from tracking technologies.
• Purpose(s) for Processing: To send direct marketing (news, updates), tailor content, segment audiences, target or re-target users, and measure the effectiveness of our advertising.
• Lawful basis for processing: Consent (where required by law) or Legitimate interests (for example for business-to-business marketing or managing our business growth).

Biometric Data for Identity Verification (only where our services use biometric tools)

• Examples of Personal Information Collected: Facial images or other unique identifiers captured and analysed by identity verification or remote invigilation tools.
• Purpose(s) for Processing: To verify identity, prevent exam malpractice, protect the security of our systems and assessments, and support the fairness and integrity of our qualifications.
• Lawful basis for processing: Explicit Consent (where required by law) together with our legitimate interests, or in some cases public interest, in maintaining the security and integrity of our services and safeguarding examinations.

4) Who we share your information with

We share your personal information only when necessary to perform our core functions as an awarding body, provide our services, or comply with legal obligations. We ensure all recipients are required to protect your data in line with our standards and applicable data protection laws.

We may share your personal data with the following trusted third parties:

• Cambridge entities, third parties, agents or independent contractors that provide services to any entity within Cambridge (such as IT systems providers, platform providers, financial advisors, brokers, consultants (including lawyers and accountants).
• Educational institutions and exam centres involved in the delivery of our qualifications and assessments, such as your school, college, university or exam centre. If you are a candidate or learner, the way we share your personal information with educational institutions and exam centres for assessment purposes is set out in our Candidate Privacy Notice.
• Goods and services providers (such as providers of marketing services, events managers, technology providers,, website, cloud providers, data hosting, data storage, background checking, insurance, legal, banking services provider, supplier onboarding, tax and accounting, training, event management, e-business cards.
• Third parties collaborating on events, to ensure proper coordination and organisation of the event.
• Competent authorities (including any national and/or international regulatory or enforcement body, agency, court or other form of tribunal or tax authority) or their agents where Cambridge is required or allowed to do so under applicable law or regulation.
• A prospective buyer, transferee, investor or successor entity (and their professional advisers) in connection with an actual or proposed transfer, sale, reorganisation or restructuring of part or all of Cambridge’s business or assets or operations.
• Anyone that we must disclose information to in order to protect our rights, property, or safety, our customers, or other third parties, and to enforce our rights under this Privacy Notice or under any agreement (for example, our Terms) with you. This includes exchanging information with other companies and organisations for the purposes of detecting and preventing fraud, credit risk and cyber-crime.
• Our auditors, legal advisers and other professional advisers.
• A partner if we run surveys, competitions, promotional campaigns, offers or other activities with a partner organisation (for example, if you chose to enter a prize draw we manage with a partner organisation).
• A partner that we are collaborating with in respect of a service or other offering.

We may also receive personal information about you from some of the organisations listed above. For example a regulator or government body may share information with us for regulatory, research or safeguarding purposes. We use this information only for the purposes described in this Privacy Notice or any more specific notice that applies to your relationship with Cambridge.

5) Marketing Communications and Opting Out

We may use your contact details and information about how you interact with our services to send you news and information about Cambridge products, services, events and resources that we think may be of interest to you. Depending on your relationship with us and the country you are in, we may rely on your consent or on our legitimate interests to do this.

You can always ask us to stop sending you direct marketing. Every marketing email we send will include a straightforward way to opt out, and you can also contact us using the details in the “How can you contact us?” section. If you opt out of marketing, we will still send you service messages where this is necessary, for example to tell you about changes to our services, terms or privacy notices, or to provide important information about an exam or product you are using.

We may also use aggregated or anonymised information to analyse and improve our marketing and communications, such as understanding which resources are most useful for different groups of users.

6) International transfers of your personal information

As a company operating globally, we provide our services to customers in different countries around the world. To make that possible, your personal information may be transferred to or accessed by entities around the world within the Cambridge group. Cambridge makes sure to protect your personal information by complying with the necessary laws and regulations on the transfer of personal information between countries, wherever they are.

Cambridge may need to transfer personal information outside of the location where such personal information is collected (an “international data transfer”). For transfers outside of the UK or EEA, we may transfer personal information to countries with “adequate” data protection standards as recognised by the European Commission (in the EEA) or the Secretary of State (in the UK).

When conducting an international data transfer to a country without “adequate” data protection standards, we will apply the necessary safeguards to protect personal information as required under law. Such safeguards may include “Standard Contractual Clauses” (SCCs) that require the person receiving the personal information to protect the personal information to a high standard, and any other necessary technical or organisational safeguards.

7) What rights do you have?

We respect your rights concerning the processing of personal information and provide you with the relevant and appropriate choices. Depending on your location and residency you may have a right to one or more of the following with respect to your personal information we process: right of access, right to rectify, right to delete, right to opt out and to object to processing. 

Note that you may have the right to designate another person to serve as your authorised agent, to exercise any of the rights described below.

You may exercise these rights for free, but under certain conditions we may charge a fee to cover our administrative costs.

We will aim to comply with your request within one month of receiving your request or within the timeframe defined by applicable law. Depending on the complexity and scope of your request, we may need to extend this one-month period. If so, we will notify you via the contact information you have provided, explaining the reason for the delay and the expected timeframe for fulfilling your request.

To exercise any of your rights, please contact our designated privacy contact here privacy@cambridge.org providing details of your request.

1. THE RIGHT OF ACCESS: You have the right to access a copy of your personal information and to request information about how we process your personal information. This includes information about the purposes of the processing, the categories of personal information we process, and the recipients or categories of recipient to whom the personal information have been or will be disclosed.
2. THE RIGHT TO RECTIFICATION: You have the right to request that we correct any inaccurate personal information we process about you, and to request that we complete any incomplete personal information we process about you.
3. THE RIGHT TO ERASURE: You have the right to request that we erase your personal information under certain conditions, e.g., if the information is no longer needed for its intended purposes, if you have withdrawn your consent, if you have made a valid request under the “right to object”, if the information has been processed unlawfully, or to comply with a legal obligation.
4. THE RIGHT TO RESTRICT PROCESSING: You have the right to request that we restrict how we process your personal information if:
   • You claim that the personal information is inaccurate, and we need time to verify this; or
   • The processing is unlawful, but you do not want the personal information erased; or
   • The personal information is no longer needed for the purposes for which it was collected, but you still need it to establish, exercise or defend legal claims; or
   • You have exercised the right to object, and we need time to determine whether to comply with your objection, under certain circumstances.
5. THE RIGHT TO OBJECT: You have the right to object to the Cambridge’s processing of your personal information under certain conditions. You have the absolute right to object to us using your personal information for direct marketing.
6. THE RIGHT TO DATA PORTABILITY: Under certain conditions, you have the right to request a copy of the personal information you have provided to us in a structured, commonly used, and machine-readable format.
7. RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY: You have the right to lodge a complaint with your local supervisory authority if you have concerns about how we are processing your personal information. We encourage that you try and resolve the issue with us at first, although you have the right the contact the supervisory authority at any time.

Please see relevant sections below for further information on the rights available to data subjects in specific jurisdictions where we operate, including the US and China.

8) How do we protect your personal information?

We prioritise the confidentiality and security of the data you share with us. To prevent unauthorised access or disclosure, we have implemented a range of organisational, personnel, physical, and technological measures. These include locked cabinets, password-protected systems, and pass card-controlled building access to safeguard and secure the information we collect. No data collection, transmission, or storage method is 100% secure, but we take every reasonable measure to protect your information with the appropriate security safeguards.

If at any point you suspect or receive a suspicious communication from someone suggesting they work for Cambridge or a website claiming to be affiliated with Cambridge, please forward the communication to us or report the incident as soon as possible, either by email to privacy@cambridge.org or in writing to Privacy Team at Cambridge University Press & Assessment, Shaftesbury Road, Cambridge, CB2 8EA, United Kingdom.

9) Third-party websites

Our websites and apps may contain links to third-party websites and apps. When you click on a link to any other website or location, you will leave our systems, websites or apps and go to another site, and another entity may collect personal information from you. We are not responsible for these third-party websites or their content. Please be aware that the terms of this Privacy Notice do not apply to these third-party websites or apps, or to any collection of your personal information after you click on links to such third-party websites.

10) Our use of cookies and other technologies

We use cookies and similar tools to enhance our ability to deliver our services, to understand how customers use our services so we can improve our customer experience, and to display advertisements. For more information about cookies and how we use them, please read our Cookies Notice. You can manage your cookie preferences here. Please note that there may be a different cookie notice for the relevant site on which you are accessing Cambridge products and services.

11) Our use of artificial intelligence (AI)

We, and some of our service providers, use AI tools in our digital systems to support and improve the delivery of our services. Before deploying any AI tool, we carry out internal reviews to ensure it is secure, performs as intended, and complies with data protection laws.

We may use AI to process personal data such as contact details, assessment-related data, biometric data and engagement data across our digital platforms. Examples include:

• Automated marking and feedback generation
• Identifying and preventing exam malpractice
• Chatbot functionality by improving chatbot responses to customer queries
• Processing candidate work (such as transcribing handwritten responses, analysing or structuring content, or supporting assessment delivery)
• Analysing user engagement across our digital touchpoints to help us understand different user profiles and improve our products and services
• Generating resources to support teaching, learning and research
• Content improvement

Where possible, we anonymise or pseudonymise the personal data used in AI tools. In all cases, we apply strict limitations and safeguards to protect your privacy. We may also use AI tools to transform or reformat content where necessary to support assessment, research, or service improvement, in line with applicable data protection laws.

We do not use AI to make decisions that have legal or similarly significant effect on you without human involvement, unless permitted by law and subject to appropriate safeguards. Where required, we will inform you separately if we plan to process special category data using AI or need your consent to do so.

12) How long do we keep your information for?

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for and in line with our Data Retention Policy and schedules. This includes the purposes of satisfying any legal, regulatory, accounting and reporting requirements. To determine the appropriate retention period for personal information, we consider its amount, nature, sensitivity, potential risks, processing purposes, possible alternative methods, and legal requirements. If you would like to know more about the retention periods we apply to your personal information, please contact us at privacy@cambridge.org.

When personal information is processed as part of legal claims, it will be retained for as long as required to complete ongoing legal actions, comply with court orders and/ or fulfil obligations under applicable laws. We conduct a periodic review (as may be necessary) to determine whether the data should be securely archived, anonymised or deleted once its relevance ceases. We endeavour to retain the personal information for the shortest term permitted by law.

In some circumstances we may anonymise your personal information (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

13) How we protect your information

We use a mix of technical, organisational and contractual measures to keep your information safe.

• We use security tools such as encryption, access controls, and multi-factor authentication to protect our systems and data.
• We make sure that only authorised people can access your information and that our staff understand how to handle it securely and responsibly.
• We require our service providers and partners to protect your information through written agreements that include confidentiality and data protection obligations.
• We regularly review our security measures to make sure they stay effective.

While no system is completely secure, we take reasonable and proportionate steps to protect your information from loss, misuse, or unauthorised access.

14) Children’s personal data

Some of the people who use our services (e.g. learners and exam candidates) are under 18. We handle children’s data with particular care, in line with data protection law and relevant safeguarding requirements.

We do not typically rely on consent to process children’s personal data. Most of our processing is based on public task, legal obligation, or legitimate interest (e.g., delivering qualifications, ensuring access arrangements, or complying with exam regulations).

However, where consent is required for a specific service, such as certain online tools or marketing communications, we obtain consent from either the child (if they are at or above the age threshold for having capacity to give consent in their country) or their parent/guardian (as appropriate). This consent may be obtained via the child’s school or learning centre in some instances.

In some cases, a parent, guardian or school may also act on the children’s behalf to exercise data protection rights, depending on the child’s age and ability to understand those rights.

We take additional steps to protect children’s data, such as:

• Limiting access to staff with a need to know
• Applying appropriate retention periods
• Ensuring clear communication suitable for younger audiences
• Embedding child-protection considerations in service design.

15) U.S. State Rights

Please note that we will not sell your personal information. However, we may disclose your personal information for business purposes with service providers.

Personal information disclosed for a business purpose: To provide our services, we may need to disclose your personal information to service providers for business purposes. The list below provides further details about how we have shared personal information for business purposes:

Identifiers/Contact Information (Name, Email, Phone, Address, Account Credentials)

• Recipients: Cambridge Group Entities; Business Operations Service Providers; Technology Providers; Event Coordinators
• Purposes: Core business operations: Managing accounts, processing payments, internal administration, and fulfilling contractual obligations.

Commercial Information (Payment history, products purchased)

• Recipients: Business operations service Providers; technology providers
• Purposes: Fulfilling orders & accounting: Processing and tracking orders, maintaining transaction records

Internet or Other Electronic Network Activity Information (IP Address, Device ID, Browser Type, Website Interactions, Content Consumption)

• Recipients: Technology Service Providers; Analytics Providers
• Purposes: Website functionality & security: Providing, securing, and enhancing website access, ensuring functionality, and detecting fraudulent activity.

Geolocation data (Country/Region)

• Recipients: Technology Service Providers
• Purposes: Localisation & exam malpractice prevention: Delivering region-specific content and checking for fraudulent test takers.

Family Educational Rights and Privacy Act (FERPA):
Cambridge complies with all applicable provisions of the United States Family Educational Rights and Privacy Act (“FERPA”) in receiving and handling personally identifiable information from education records as a school official pursuant to FERPA.

Children’s Online Privacy Protection Act (COPPA):
The services to which this Privacy Notice applies are not designed or intended to collect personal information from children under the age of 13 for any commercial purpose. In the event the Children’s Online Privacy Protection Act (COPPA) is deemed to apply to the collection or processing of any Personal Information to which this Privacy Notice applies, Cambridge will comply with all applicable provisions of COPPA.

16) Additional information for the People’s Republic of China (PRC)

If there is any inconsistency between the below and the above Privacy Notice, the following shall prevail in respect of the PRC.

Data controller
For the PRC, if you have any questions or concerns about your personal information or this Privacy Notice, please contact privacy@cambridge.org.

Consent
We may obtain your consent (where applicable, separate consent) in accordance with the law to collect, use, share, transfer (including but not limited to overseas transfer), disclose or otherwise process your personal information if and to the extent required by the applicable laws.

How we transfer information across the border
In the provision of our services, supported by Cambridge Entities around the world, we may transfer your Personal Information outside of mainland China internally to other Cambridge Entities. We ensure that any Cambridge Entities accessing your Personal Information follow the same rules when processing it, to protect your data in accordance with applicable laws.

Many of our third-party service providers are located outside of mainland China, which means they may transfer your Personal Information outside of mainland China when processing it. These providers are carefully selected and contractually obligated to comply with applicable data protection laws, including the Personal Information Protection Law (PIPL).

We may disclose your Personal Information in the following ways:

• By permitting remote access to Personal Information stored on servers located within mainland China.
• By direct dissemination (e.g., when you submit information into Cambridge systems via email, shared links, or telephone).
• By sharing information electronically (e.g., email, video conferencing) or by post.

We may also share your Personal Information with third parties, such as government or judicial authorities, where required by law or with your prior specific consent.

When transferring your Personal Information outside of mainland China, we adopt safeguards as required by applicable laws and regulations. These may include conducting security assessments, obtaining government approvals where necessary, and/or implementing technical and organisational measures (e.g., encryption, access controls, and anonymisation) to ensure data security during transmission.

Your choices and rights
If you are an individual whose Personal Information, and the processing of that Personal Information by the relevant Cambridge Entity is subject to the application of PIPL, you have certain rights. These rights are identified below together with a brief, non-exhaustive explanation. Where your Personal Information and the processing of your Personal Information are not subject to PIPL these rights do not necessarily apply and nothing in this Notice may be interpreted to establish rights or obligations that go beyond what is mandated by PIPL.

If you have any questions in relation to this Notice, or wish to exercise any of your rights, please contact us using the contact details included below. To protect your rights and your privacy and to validate communications received in relation to this Notice, we may request confirmation and proof of your identity.

• The right to information - You have the right to be informed and to ask us to explain our rules of processing.
• The right to determine - You have the right to decide on the processing of your Personal Information.
• The right to restrict processing - You have the right to restrict or deny another person from the processing of your Personal Information, unless otherwise provided by law or administrative regulations.
• The right of access - Subject to certain exceptions, you have the right to access or make copies of your Personal Information from us.
• The right to transfer your personal information - You have the right to request us to transfer your Personal Information to another Data Controller of your choice, where permitted by the applicable laws.
• The right to rectification - If the Personal Information that we process is incomplete or incorrect, you have the right to request their completion or correction at any time.
• The right to deletion - Subject to certain exceptions if you consider that we should stop processing some or all of your Personal Information, you have the right to request its deletion. However, there may be reasons why an immediate deletion may not be possible (for example where retention is required to meet legal or regulatory obligations) or deletion may be technically difficult (in which case we will stop processing the Personal Information, except for the storage and any necessary measure taken for security protection).
• The right to withdraw consent - We may ask for your consent to process your Personal Information in specific cases. When we do this, you have the right to withdraw your consent at any time. We will stop the further processing as soon as possible after the withdrawal of your consent. However, this does not affect the lawfulness of the processing before consent was withdrawn.

Exercising your Rights
You may exercise any of your rights by emailing us at privacy@cambridge.org We aim to respond to all legitimate requests in a timely manner and, in any event, within 30 days or the time limit stipulated by applicable laws or regulations. If your request is particularly complex or if you have made multiple requests, it may take us longer than one month to respond. In such cases, we will notify you and keep you updated on our progress.

17) How to raise a privacy concern or complaint

If you have any questions or concerns about how we handle your personal data, or if you believe your data protection rights have been infringed, you have the right to raise a complaint.

We encourage you to contact us first so we can address your concerns as quickly as possible. You may submit a complaint by contacting our dedicated Privacy Team or Data Protection Officer using the details below: 

Privacy Team

• Email us at: privacy@cambridge.org
• Write to us at: Privacy Team at Cambridge University Press & Assessment, Shaftesbury Road, Cambridge, CB2 8EA, United Kingdom

Data Protection Officer: Trilateral Research Ltd

• Email: dpo@admin.cam.ac.uk
• Write to Data Protection Officer at: Trilateral Research Ltd, 1 Knightsbridge Green, London SW1X 7QA

When raising a complaint, please provide your name and contact details, a description of your concern, and any supporting information that may help us review the matter. If needed, we may contact you to request further information or supporting evidence to assist with our investigation.

In considering your complaint, and in consultation with the Data Protection Officer, we may seek input from the relevant individuals, teams, or departments across Cambridge University Press & Assessment. If your complaint does not relate to personal data, we may pass it to the appropriate team to consider and respond or direct you to the relevant point of contact.

We will acknowledge receipt of your complaint and aim to respond within 30 days. If your concern relates to a data breach or a matter requiring urgent attention, we will prioritise the investigation.

If you are not satisfied with our response, or if you prefer not to raise your concern with us directly, you also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at https://ico.org.uk/make-a-complaint/.

You also have the right to seek judicial remedy where you believe your data protection rights have been violated.