Canvas Badges Website Privacy Policy

Effective Date 12/6/2022

Canvas Badges is an online platform to create, curate, distribute, receive, explore, and share micro-credentials (“Badges”), and users can access tools to issue Badges to Badge Recipients, as well as associated administrative tools and services, such as Canvas Credentials.

Canvas Badges is provided by Instructure, Inc. (“Instructure,” “us,” “we,” or “our”) through our websites (,, and, Canvas Credentials, and our APIs (collectively “the Site” or “Canvas Badges”). This Privacy Policy often refers to “you,” i.e., the Canvas Badges user. This Privacy Policy applies to information and data collected by Instructure as a controller, including information about Badge recipients, visitors to our website, and individuals who interact with us through other means, such as contacting us via telephone, email, or mail for information about our services. This policy explains what personal data we collect through Canvas Badges and Canvas Credentials as a controller, how we use and share that data, and your choices and rights concerning our personal data practices.

This Privacy Policy does not apply to information and data Instructure processes in our capacity as a processer on behalf of organizations with a Business Account. Use of Canvas Badges or Canvas Credentials on behalf of an organization with a Business Account, for example as a badge issuer, is covered under the Canvas Badges Business Account Privacy Policy.

1. This Privacy Policy forms part of our Terms. For a listing of the other documents that form part of our Terms, click here. Capitalized terms not otherwise defined herein shall have the meaning set forth in the Terms. In the event of a conflict between this Privacy Policy and the Canvas Badges Terms of Service, the Canvas Badges Terms of Service will control.


If you are visiting our Site, if you have a registered account to earn and manage your Badges (a “Badge Recipient”), or if you otherwise provide personal information directly to Canvas Badges, we act as the “data controller” of personal data, and this Privacy Policy applies to the personal data we collect from you. This also means we determine how and why your personal data is processed.


3.1 Contact Information. Through Canvas Badges or other interactions with our customer support, you may provide contact information, such as your name and email address.

3.2 Information on How You Use Canvas Badges. As you interact with Canvas Badges, we automatically collect usage information, including the type of content that you engage with, the features you use, the other users you interact with, and the time, frequency and duration of your activities.

3.3 Browser and Device Information. We collect personal data about the internet browser and device that you use to access Canvas Badges, including the type of device, operating system, settings, unique device identifiers, network information and other device-specific information.

3.4 Log Data. Our servers log certain personal data that your browser automatically sends whenever you visit Canvas Badges. Log data includes your Internet Protocol address (to understand what country you are connecting from), browser type and settings, the date and time of your request, and how you interacted with Canvas Badges. Your geographic location may determine which features and third-party content will be available to you.

3.5 Cookies and Automatically Collected Information. We work with third-party tracking services that use cookies to collect data about Canvas Badges users. This data includes usage and user statistics. Emails sent through Canvas Badges may automatically collect information about whether emails have been opened and acted upon. We provide more information on cookies below.

3.6 Personal Data from Third Parties. We collect personal data from third parties to whom you give permission to share your personal data with us or where that personal data is publicly available online.

3.7 Personal Data Collected from Badge Recipient. If you are a Badge Recipient, we collect additional personal data, such as:

  • a. Registration information, including your email address, username, password, first and last name, and any organization with which you are affiliated. If you choose to register via a third-party partner, e.g., Facebook, LinkedIn, or Google, we may receive personal data made available by you through such third-party integration partner; and
  • b. Account settings, including various preferences and personal details, e.g., issuer profile image.


4.1 Sensitive Personal Data. We do not request or intentionally collect any sensitive personal data, such as health information, genetic data, religious information, or government issued ID numbers.

4.2 Children’s Personal Data. Canvas Badges are not directed to children under 13. Our Terms prohibit anyone under the age of 13 from using Canvas Badges.


5.1 Delivering Canvas Badges and the Site. We use your personal data to provide the Canvas Badges platform, including to invite users; share and track Badges; connect your Canvas Badges account to other services; log in and authenticate users; remember your settings; maintain back-end infrastructure; and for related business purposes. Legal basis: Consent; Contract; Legitimate Interests.

5.2 Improving Canvas Badges. We use your personal data to help deliver Canvas Badges in an effective and efficient manner, including to better understand how users interact with Canvas Badges, and as part of our efforts to keep Canvas Badges secure. Legal basis: Contract; Legitimate Interests.

5.3 Customer Support. We use your personal data to communicate changes about Canvas Badges and provide support via phone or email. Legal basis: Contract; Legitimate Interests.

5.4 Marketing. We use your personal data to respond to inquiries through our website or other contact methods about Canvas Badges that you send to us and to send users messages about updates, new features, and other relevant information. We will only send you email marketing information if you consent to us doing so when you register for Canvas Badges, opt in to receive marketing emails in your account settings, or as otherwise permitted by our agreement with you and applicable law. Legal basis: Consent; Contract.


We share your personal data with certain third parties in the following circumstances:

6.1 Badge Tracking. We use personal data for processing the award of Badges, such as tracking progress and completion. We may also share your personal data with respect to a given Badge with the Badge Issuer who created or awarded the Badge, and with other individuals designated by that Badge Issuer to assist with the creation and/or awarding of the Badge, and with the organization with which they are affiliated. For example, a Badge may be issued based upon your attendance at an event at a particular time and location. Your personal data, including location information from your device or the event’s organizer, may be used to confirm whether you meet the criteria for receipt of such a Badge.

6.2 Badge Sharing by Third Parties. As part of the Badge Connect™ open standard, Instructure may share your Badges with third parties. The third party accessing Canvas Badges for such purposes is solely responsible for obtaining your consent in advance of accessing Canvas Badges for such purposes and for ensuring it shares your Badges only with third-party services you have expressly authorized. If you have concerns or would like more information about the sharing of Badges under this subparagraph, you should contact the third party to whom you provided authorization or consent.

6.3 Service Providers. To assist us in meeting business operations needs and to perform certain services it is sometimes necessary to share your personal data with third-party providers, such as providers of hosting, payment processing, email communication, and analytics. If required under applicable law, we will make a list of third-party service providers available to you upon request sent to

6.4 Business Transfers. If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of all or a portion of our assets, or transition of a service to another provider, your personal data and other information may be transferred to a successor or affiliate as part of that transaction.

6.5 Legal Requirements. We may share personal data in order to: (a) comply with our legal obligations, (b) detect, prevent, or otherwise address fraud, security or technical issues, (c) enforce applicable policies, including investigation of potential violations, or (d) protect against harm to the rights, property or safety of our users, the public, or ourselves. We may also share personal data with your consent or as otherwise disclosed at the time of collection. 

7. GLOBAL PRIVACY PRACTICES. If you are using Canvas Badges from a country outside the United States your personal data may be transferred for processing from your current location to our offices and servers and our authorized third-party service providers located globally, including in the United States. Other countries may have data protection laws less stringent than or otherwise different from the laws in effect in the country in which you are located. When we transfer information, we make use of the standard contractual data protection clauses, which have been approved by the European Commission. 

8. EEA and UK Privacy Rights

8.1 If you are located in the European Economic Area (EEA) or United Kingdom (UK), we are required to notify you about the legal basis upon which your personal data is processed. We process your personal data under one or more of the following legal bases:

“Contract” means that processing your personal data is necessary for us to fulfill the obligations of a contract between you and Instructure.

“Legitimate Interests” means processing your personal data is necessary to further our legitimate interests, which include:

  • a. Delivering, developing, and improving Canvas Badges
  • b. Understanding your behavior on Canvas Badges
  • c. Measuring the effectiveness of marketing campaigns

“Consent” means processing your personal data is done with your consent. You can revoke your consent at any time by emailing your revocation request to If you revoke your consent, we will stop processing your personal data, unless there is another legal basis for continuing to process your personal data.

“Legal Requirement” means processing of your personal data is necessary for compliance with a legal obligation to which we as the controller are subject.

8.2 Users in the EEA or UK have certain legal rights to obtain information about whether we hold their personal data, to access personal data we hold about them, and to obtain its correction, update, amendment or deletion in appropriate circumstances. Some of these rights may be subject to some exceptions or limitations. We will respond to your request to exercise these rights within a reasonable time. Rights which you may be entitled to include: (a) data access, (b) rectification, (c) erasure, (d) restrict processing, (e) data portability, and (f) object to processing. 

8.3 Should you wish to make a request in respect of your personal data please contact us at and we will address your request as required by applicable law.

8.4 Additionally, you have the right to lodge a complaint against us. To do so, contact the supervisory authority in your country of residence.


9.1 This section applies only to California consumers whose personal information is subject to protection under the California Consumer Privacy Act (CCPA). It describes how we collect, use, and share California consumers’ Personal Information in our role as a business, and the rights applicable to such residents. Instructure is a business and does not sell Personal Data. We may share Personal Data with third parties if those third parties are authorized service providers or business partners who have agreed to our contractual limitations as to their retention, use, and disclosure of such Personal Data. If you are unable to access this Privacy Policy due to a disability or any physical or mental impairment, please contact us and we will arrange to supply you with the information you need in an alternative format that you can access. For purposes of this section “Personal Information” has the meaning given in the CCPA.

9.2 How We Collect, Use, and Share your Personal Information. We have collected the following statutory categories of Personal Information in the past twelve (12) months:

  • a. Identifiers, such as first name, last name, and e-mail address. We collect this information directly from you, from issuers who award you Open Badges, or from single sign-on (SSO) identity providers (IDP) that you authorize. For example, if you access Canvas Badges through a third-party application, such as a social network or a third-party login service, we may collect information about you from that third party that you have made available via your privacy settings.
  • b. Geolocation data, such as IP address. We collect this information from your interaction with our web application.
  • c. Commercial information, such as organization name. We collect this information directly from you.
  • d. Other personal information, in instances when you interact with us online, by email in the context of receiving help through our help desk or other support channels; participation in customer surveys or contests; or in providing the Canvas Badges services to you.
  • e. California or federal law protected classification characteristics.
  • f. Education-related information. We collect this information from an organization or issues Business Account, such as a university or training organization that you work for or that awards badges to you, or from you if you share it with us as a badge recipient.

9.3 The business and commercial purposes for which we collect this information are described in Section 5 of this Privacy Policy. The categories of third parties to whom we “disclose” this information for a business purpose are described in Section 6 of this Privacy Policy.

9.4 You have certain rights regarding the Personal Information we collect or maintain about you. Please note these rights are not absolute, and there may be cases when we decline your request as permitted by law.

  • a. The right of access means that you have the right to request that we disclose to you or your authorized agent what Personal Information we have collected, used and disclosed about you in the past 12 months.
  • b. The right of deletion means that you have the right to request that we delete Personal Information collected or maintained by us, subject to certain exceptions.
  • c. The right to non-discrimination means that you will not receive any discriminatory treatment when you exercise one of your privacy rights.

9.5 How to Exercise your California Rights

You can exercise your rights yourself or you can alternatively designate an authorized agent to exercise these rights on your behalf. Please note that to protect your Personal Information, we will verify your identity by a method appropriate to the type of request you are making. We may also request that your authorized agent have written permission from you to make requests on your behalf, and we may also need to verify your authorized agent’s identity to protect your Personal Information.

9.6 Contact Us. If you want to contact us to access your rights under CCPA, learn more about your rights or our privacy practices, or to request access to this policy in an alternative format, contact us at:

9.7 Do Not Track (DNT). We may use cookies or other similar tracking technologies to collect information about your browsing activities over time and across different websites. We may allow third-party service providers and other third parties to do the same. We do not respond to “Do Not Track” (DNT) signals and we operate as described in this Privacy Policy whether or not a DNT signal is received.

10. DATA RETENTION. We keep your personal data for as long as we have a legitimate business need to do so or as required by law. Contact us at if you have questions about retention of your personal data.

11. COOKIES. We use cookies, and other similar technologies, for activities such as (a) maintaining the functionality of Canvas Badges, e.g., automatic account sign-in, (b) securing the Site, (c) improving Canvas Badges, and (d) deploying website analytics, e.g., Google Analytics. 

12. SECURITY. We take reasonable administrative and technical steps to protect your personal data from loss, misuse and unauthorized access, disclosure, alteration, or destruction. It is important for you to protect against unauthorized access to your password to the Site and to your computer. Be sure to sign out of Canvas Badges when finished.

13. UPDATING YOUR PERSONAL DATA. If you need to change or correct your personal data, or wish to have it deleted from our system, contact us at and we will address your request in accordance with applicable law.


14.1 No personal data. You can choose to simply browse the Canvas Badges site and not provide us with any personal data using browser features that restrict cookies, but you will not be able to utilize most of Canvas Badges’s features.

14.2 Unsubscribe from certain emails. You can unsubscribe or opt out of marketing emails at any time, via a link in each email from us or by emailing us at If you opt out to marketing emails, we will continue to contact you via email with respect to issuance of a Badge, your Canvas Badges account, and to respond to your requests.

14.3 Disable tracking technologies. Most Internet browsers allow you to disable and/or delete cookies. If you turn off or otherwise disable cookies, you can continue to use Canvas Badges, but it may not work effectively.

14.4 Contact Badge Issuer. Where you have received a notification about a Badge issued to you by a Badge Issuer, you will need to directly contact that person or organization to discuss access and/or deletion of personal data, e.g., your name and email address. In such instances, we do not control your personal data and we are not in a position to directly handle requests that relate to such personal data.

15. THIRD-PARTY LINKS. This Privacy Policy does not apply when you use a link to go from Canvas Badges to another website. Your browsing and interactions on any third-party website are subject to that third party’s own rules and policies. In addition, you agree that we are not responsible for, and we do not exercise control over any third parties that you authorize to access your content. If you are using a third-party website, e.g., Facebook, and you allow such third-party access to your content, you do so at your own risk.