Last updated and effective as of August 21, 2025.
The National Association of State Boards of Accountancy (“NASBA”, “us”, or “we”) recognizes the importance of privacy and is committed to protecting the privacy of individuals who use our products and services (“you,” “your,” or “user”). This Privacy Policy describes how we collect information about you through our website NASBA.org, mobile application, and all other NASBA affiliated sites, products and services that link to this policy (the “Sites”), how it is protected, how we use it and what choices you have about how the information is used. Please read this Privacy Policy carefully. By accessing and/or using the Sites, you accept and agree to the terms of this Privacy Policy. You also agree to be bound by our Terms of Use. If you do not agree to be bound by this Privacy Policy or any subsequent modifications, you should not visit or use our Sites or disclose any personal information through our Sites.
This is an English-only legal document containing significant legal duties and requiring a high degree of competency in the English language. The language of this Privacy Policy is English and it shall be interpreted exclusively in English. Any translation into another language is unauthorized and shall not be binding nor constitute evidence of the intent or meaning of any part or whole of this Privacy Policy.
We reserve the right to change or update this Privacy Policy at any time. You are responsible for reviewing this Privacy Policy periodically, and your continued use of our Sites following changes to this Privacy Policy will be considered acceptance of any changes. Any changes or updates will be effective immediately upon posting to the Site.
This Privacy Policy contains the following information, which you can access by scrolling down:
I. How to Contact Us
II. Information We Collect
III. How We Collect Information
IV. How We Use Your Information
V. How We Store Your Information
VI. How We Share Your Information
VII. Transfer of Information to the United States
VIII. Your Data Protection Rights
IX. Security
X. External Websites
XI. Governing Law
XII. Special Notice to California Residents
XIII. Children
I. How to Contact Us
If you have any questions or comments about this Privacy Policy or our privacy practices, you can contact us at:
National Association of State Boards of Accountancy
Attn: Data Protection Officer /Chief Legal Officer
150 Fourth Ave. North
Suite 700
Nashville, TN 37219-2417
Email: [email protected]
Phone: 1-866-696-2722
II. Information We Collect
We obtain information about you and your use of our Sites when you provide it voluntarily and automatically when you use the Sites. We also collect information through any correspondence that you provide to us whether through email, mail, phone calls, or through our Site. For example, we collect information from you when you register an account with us, purchase a product from our Sites, or sign up to receive communications from us. The information we collect can include Personal Data (as defined below) or non-personal data, which is information that does not identify or relate to an individual.
“Personal Data” is information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal Data that you provide or that we otherwise collect might include, but is not limited to, the following categories:
- Identifiers: personal contact details, such as first and last names, mailing address, email address, telephone number; passport or other government-issued identification numbers; unique personal identifier; emergency contact information; and Internet Protocol (IP) address.
- Financial Information: your name; billing address; and payment information (including credit or debit card number and type, and expiration date).
- Audiovisual Information: photographs.
- Professional, Educational, or Employment-related Information: job title and company; details of other accounting designations held; educational history and qualifications; details of educational credit hours; details of continuing education credits; professional credentials, including license number and expiration date; past employment history.
- Demographic Information: gender; language; ethnicity/race; country of residence and country of citizenship.
- User Data: data or other information entered voluntarily into a contact form via the Sites that personally identifies you.
- Internet or Other Electronic Network Activity Information:
- Browse history: Data about the webpages you visit.
- Search history: Data about the search terms you enter.
- Device, connectivity, and configuration data: Data about your device and nearby networks, including browser type and regional and language settings.
- Geolocation Data: data about your device’s location, which may be inferred from your IP address.
- Sensitive Personal Data: driver’s license, national ID, or passport number; ethnicity/race; medical or disability information; sensitive information revealed from dietary requirements or accommodation requests.
Non-personal data
We use non-personal data collected through your use of our Sites to administer our Sites, to perform troubleshooting and help improve the quality and design of our services. We also use non-personal data to analyze trends and statistics, protect the security of our Sites and evaluate our services. Non-personal data (such as non-identifiable demographic and past transaction information) may be combined with your personally identifiable information from our records and other sources.
We will make reasonable arrangements to ensure that the Personal Data we collect, use, or disclose is accurate and complete.
III. How We Collect Information
We collect information from you both when you provide it voluntarily and also automatically when you access our Sites. For example, through our Site, you may have the opportunity to register for an online account to access CPA exam-related materials and information, register for an exam, schedule an exam, complete information required for a NASBA Record, credentials evaluation, or continuing professional education audit). When you create an account and complete those activities, we may require that you provide us with Personal Data to facilitate your requests. We also may collect Personal Data from other sources, as described below.
We collect Personal Data from you and any devices (including mobile devices) you use when you: use our Sites, contact us via email or other means, or respond to our communications to you, such as surveys or requests for feedback.
In addition, we also collect Personal Data about you from third parties in connection with our Sites, including from the following sources:
- Service providers (including hosting providers and payment processors);
- Data analytics service providers;
- Email, survey, feedback, and other communications service providers;
- Advertising providers;
- Social media platforms; and
- Promotional partners.
Cookies
As you navigate our Sites, we also may collect information using commonly used information-gathering tools, such as cookies. Cookies are small files that are saved to, and during subsequent visits to our sites retrieved from, your computer or mobile device. The use of these “session” cookies are essential to the operation of our Sites and are used to simplify your visit.
We also may contract with third party service providers, who assign cookies and/or web beacons to conduct site tracking for us and collect information about your visits to our Sites. The use of these “analytics” cookies are used to provide marketing analytics about goods and services of interest to you, your preferences, how you share information about our products and services with others, and to improve our marketing efforts.
All commonly used web browsers allow you to block, disable, or delete cookies from your computer. Your mobile device may also allow you to refuse cookies by activating the appropriate setting on your device. To learn more about how to block, disable, or delete cookies, review your browser’s or device’s privacy and security features. To learn more about how to control cookies generally, you can visit www.aboutcookies.org. However, if you disable or block cookies on your browser or device, the features on our Sites and services may not work correctly. In addition, if you disable or block all cookies, you will not be able to make a purchase, set up an account profile or register for a program or event using our Sites.
Some browsers have a “do not track” feature that lets you indicate that you do not wish to have your online activities tracked. These features are not yet uniform, so we do not currently respond to such features or signals. Therefore, if you select or turn on a “do not track” feature in your web browser or block or delete tracking cookies, we and our third-party providers may continue collecting information about your online activities as described in this Privacy Policy.
IV. How We Use Your Information
In the table below, we have set out the reasons why we process your Personal Data, the associated legal basis we rely upon to legally permit us to process your information, and the categories of information (as described in the “Information We Collect” section above) used for these purposes. If we wish to process your existing information for a new purpose other than as stated below, we may inform you of that further processing and provide information surrounding your information’s use.
| Why we process your Personal Data | Legal basis for the processing purpose (e.g., the business or commercial purpose for collection) | Categories of information used by NASBA for the processing purpose |
| Providing and administering your online account in order whereby you may access to CPA exam-related materials and information and other services, schedule an examination, and or complete information required to site for an examination or obtain licensure. | -Performance of a Contract -Legitimate Interest -Consent, if you are located in India, Canada, Vietnam, or Japan (with respect to Sensitive Personal Data) | -Identifiers -Audiovisual Information -Professional, Educational, or Employment-related Information -User Data -Internet or Other Electronic Network Activity Information -Demographic Information -Sensitive Personal Data |
| Facilitating the application process for examination and licensure with State Boards; verifying your identity; determining your eligibility to sit for tests; verifying your educational credentials and continuing professional education credits; creating a sponsor page to list registry coursework; and/or tracking your licensure status | -Performance of a Contract -Legitimate Interest -Consent, if you are located in India, Canada, Vietnam, or Japan (with respect to Sensitive Personal Data) | -Identifiers -Audiovisual Information -Professional, Educational, or Employment-related Information -User Data -Demographic Information -Sensitive Personal Data |
| Administration and operational purposes (e.g., in relation to attendance at exams, communicating results, test times and other details; communicating with you for Service’s related purposes); Business management purposes, including without limitation, the protection of copyright, trade secret, and trademark rights | -Performance of a Contract -Legitimate Interest -Consent, if you are located in India, Canada, or Vietnam | -Identifiers -User Data -Internet or Other Electronic Network Activity Information |
| Verifying compliance with the test-taking and application policies; investigating any suspected fraudulent or inappropriate activity, including without limitation cheating, infringement of intellectual property rights, violating test-related agreements, and verifying | -Performance of a Contract -Legitimate Interest -Consent, if you are located in India, Canada, Vietnam, or Japan (with respect to Sensitive Personal Data) | -Identifiers -Audiovisual Information -Internet or Other Electronic Network Activity Information -Sensitive Personal Data |
| Backing up records to prepare for events that may make it difficult for NASBA to access original copies of your Personal Data | -Performance of a Contract -Legitimate Interest -Vital Interest -Consent, if you are located in India, Canada, Vietnam, or Japan (with respect to Sensitive Personal Data) | -Identifiers -Financial Information -Audiovisual Information -Professional, Educational, or Employment-related Information -Demographic Information -User Data -Internet or Other Electronic Network Activity Information -Geolocation Data -Sensitive Personal Data |
| Helping NASBA comply with contractual, legal or regulatory obligations | -Legal Obligations -Consent, if you are located in India, Canada, Vietnam, or Japan (with respect to Sensitive Personal Data) | -Identifiers -Financial Information -Audiovisual Information -Professional, Educational, or Employment-related Information -Demographic Information -User Data -Internet or Other Electronic Network Activity Information -Geolocation Data -Sensitive Personal Data |
| Processing payment transactions | -Performance of a Contract -Consent, if you are located in India, Canada, or Vietnam | -Identifiers -Financial Information |
| Improving services, including to understand how you access and use our services to ensure technical functionality of our Sites, to prevent or investigate security breaches or other potentially prohibited activities, develop new products and services, and analyze your use of our Sites, including your interactions with applications or services made available, linked to, or offered through our Sites. | -Consent, if you are in India, Canada, or Vietnam -Legitimate Interest | -Identifiers -User Data -Internet or Other Electronic Network Activity Information -Geolocation Data |
| To communicate with you, either directly or through one of our service providers, for: marketing, research, to provide email updates, or other promotional purposes, via email, notifications or other messages, consistent with any permissions you may have communicated to us. | -Consent, if you are in India, Canada, or Vietnam -Legitimate Interest | -Identifiers -User Data -Internet or Other Electronic Network Activity Information -Geolocation Data |
| Industry reporting | -Consent, if you are in India, Canada, Vietnam, or Japan (with respect to Sensitive Personal Data) -Legitimate Interest | -Identifiers -Professional, Educational, or Employment-related Information -Demographic Information -User Data -Geolocation Data -Sensitive Personal Data |
| Providing a more personalized experience on our Sites, for example by providing customized or localized content, recommendations, support, and features through our Sites | -Consent, if you are in India, Canada, or Vietnam -Legitimate Interest | -Identifiers -User Data -Internet or Other Electronic Network Activity Information -Geolocation Data |
| Other purposes identified in our Informed Consent, where you have executed our Informed Consent | -Consent | -As set forth in the Informed Consent |
Legitimate Interests
Where we rely on legitimate interests as the reason for processing your information, we carry out a balancing exercise (which is detailed below) to make sure your rights as an individual are not impacted unnecessarily.
We consider that it is reasonable for us to process your Personal Data for the purposes of our legitimate interests when, on balance, (a) we process your Personal Data only so far as is necessary for such purpose, and your rights and freedoms do not outweigh such purposes, and (b) it can be reasonably expected for us to process your Personal Data in this way. In most cases, the information is being processed for your benefit as well as ours. For example, we have a legitimate interest in processing your Personal Data where:
- We need the information to respond to your inquiries or to send you information; and
- We would be unable to provide our services without processing your information.
Consent
Depending on the jurisdiction in which you are located, you may have the right to withhold your consent for NASBA to collect, process and use your non-optional Personal Data as described in this Privacy Policy. However, if you withhold your consent, you will not be able to sit for the examinations or submit your application to a state board in order to seek licensure in such state.
V. How We Store Your Information
NASBA will keep your Personal Data only for the length of time required perform the processing purposes described in this Privacy Policy. After that period of time has passed, we will securely destroy or anonymize Personal Data once it is no longer necessary to fulfil the identified purposes or any other legal purposes.
VI. How We Share Your Information
NASBA will disclose to third parties information about usage of our Sites and any related services for purposes including performing services for us with respect to our Sites as well as our existing and prospective business partners.
We disclose Personal Data collected about you to third parties that we have contracted to provide services to us in accordance with the purposes described above. Third parties may be contracted to review Personal Data available online, to assist NASBA to better provide you with services and information.
We may contract with service providers to facilitate our services, to provide services on our behalf, or to perform services that assist us in analyzing how our services are used. These third parties have access to your personally identifiable information; however, they are bound by law or contract to protect your Personal Data, and can only use your information according to our instruction, in connection with the services performed for us, and not for their own benefit. If you opt in, as described in the “Opt into Marketing” section below, we may share your name, email, and mailing address with other organizations for their marketing purposes.
Please note that we also use and disclose information about you that is not personally identifiable. For example, we may publish reports that contain aggregated and statistical data about our candidates or website visitors. These reports do not contain any information that would enable the recipient to contact, locate or identify you.
In addition, as required by law, we may disclose Personal Data about you in the following circumstances:
- To comply with valid legal requirements such as a law, regulation, search warrant, subpoena or court order; and
- In special cases, such as to investigate, prevent or take action regarding illegal activities, suspected fraud, to protect and defend our rights and property, to protect against misuse or unauthorized use of our sites, to protect against potential threats to the physical safety or property of any person.
* Please note that we may not provide you with notice prior to disclosure in such cases.
Also, our subsidiary and affiliate companies, entities into which our company may be merged, or entities to which any of our assets, products, sites or operations may be transferred, will be able to use Personal Data we collect and, and such Personal Data may be one of the transferred business assets.
Users should also be aware that courts of equity, such as U.S. Bankruptcy Courts, may have the authority under certain circumstances to permit Personal Data to be shared or transferred to third parties without permission. We may share aggregate information, which is not personally identifiable, with others.
Within some of our Sites, we may provide bulletin boards, blogs, or chat rooms, or we may host forums or maintain groups for examination candidates on social media sites, such as Facebook. Any Personal Data you choose to submit in such a forum or group may be read, collected, or used by others who visit these forums or groups, and may be used by such parties to send you unsolicited messages. You should exercise caution when deciding whether to disclose your Personal Data in such a manner and you should make sure you are comfortable with the information the operators of such social media sites may make available by reviewing privacy policies of those providers and/or modifying your privacy settings directly with those sites. We are not responsible for the Personal Data you choose to submit on social media sites, including in these forums or groups nor the communications or acts of third parties who use or view information you have disclosed social media sites, including in such forums or groups.
Marketing
If you provide your consent as described in the “Opt into Marketing” section below, we may also share your Personal Data with our third-party partners who may send you information about products and/or services that may be of interest to you. You consent to and agree that NASBA and designees acting on our behalf may send you marketing communications, offers, promotions, and information that may be of interest to you at any email address, phone number (including via text message to a mobile phone number), postal address, or other contact information that you have provided NASBA does not sell your contact information to third parties for their independent direct marketing purposes, but we may engage partners or service providers to market to you.
You may withdraw your consent to receive such marketing communications at any time as described in the “Opt into Marketing” section below.
VII. International Transfers of Your Personal Information
The Personal Information we collect or receive through your visits to, and use of, the Site may be transferred to, or processed by, recipients that are located in countries outside of the country where you reside. If you are located outside the United States and are visiting the Sites, you should be aware that your Personal Data will be transferred to the United States, the laws of which may be deemed by your country to have inadequate data protection. If you are located in a country outside the United States and voluntarily submit Personal Data to us, you thereby consent to the general use of such information as provided in this Privacy Policy and to the transfer of that information to, and/or storage of that information in, the United States. We may transfer Personal Data to our service providers in the United States or in other countries for the purposes identified in the “How We Share Personal Data” section above. To the extent your Personal Information is transferred to a third party in a country that does not provide for an adequate level of data protection, as defined by applicable law, we will use appropriate safeguards, such as standard data protection clauses adopted by the applicable supervisory authority. If you would like more information about how we transfer Personal Information to the United States and elsewhere you may contact us as set forth in the “How to Contact Us” section above.
When transferring your data, we will protect your data in accordance with the security standards described below under “Security.” Your information may be subject to access by the United States government, and courts, law enforcement or regulatory agencies located in the United States.
If you are a resident of Japan, you may find a description of United States data protection regulations prepared by the Japanese Personal Information Protection Commission at https://www.ppc.go.jp/enforcement/infoprovision/laws/offshore_report_america/ (in Japanese only). Please note that, at this time, NASBA is not subject to industry- or state-specific data protection laws such as the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, or the California Consumer Privacy Act.
VIII. Your Data Protection Rights
Depending on the jurisdiction where you may reside, you may have the right to:
- Obtain certain information about the collection and use of your Personal Data;
- Access and obtain copies of your Personal Data;
- Update or correct your Personal Data;
- Request that the processing of your Personal Data be limited;
- Object to how your Personal Data is processed;
- Withdraw consent to processing of Personal Data;
- Request your Personal Data be deleted; and
- Have your complaints with respect to your data rights addressed.
You may exercise these rights or contact us to address any grievances with respect to your rights by contacting NASBA at [email protected] or 150 4th Avenue North, Suite 700, Nashville, Tennessee 37219. We will respond to your request promptly, and in any case, in the time required under applicable law. Additionally, if you have registered for an online account, you may update or correct certain account information by logging into your account, or by contacting NASBA’s client services at [email protected]; NASBA’s Accountancy Licensing Library at [email protected]; CPE Audit Services at [email protected]; and/or CPE sponsors at [email protected].
Before we respond to a communication or request, we may take certain steps to verify the requestor’s identity and the authenticity of a request. Where we have reasonable doubts concerning the identity of the person making the request, or the authenticity of a request, we may request such additional information as we deem necessary to satisfy ourselves of their identity and authenticity of their request. If we cannot satisfactorily verify the identity of a requestor and the authenticity of a request, we will not be able to take any action pursuant to the request. Instead, we will only annotate the information, noting that the correction was requested but not made. If we refuse a request, we will explain our refusal and outline further steps available to you.
If you are sitting for a test outside of the United States, you may object to the collection of your Personal Data for any legitimate purpose. However, you understand and agree that if you object to such collection of any non-optional Personal Data, NASBA will be unable to process your application and you will forfeit your application and right to sit for a test or have it scored.
You may have the right to lodge a complaint with local data protection authorities if you believe we have not complied with applicable data protection laws. The local authority differs depending on the country. For more information on the local authority where you are located, you may want to visit iapp.org/resources/global-privacy-directory for more information.
If you reside in the EU and you wish to report a complaint or if you feel that we have not addressed your concern in a satisfactory manner, you may contact the appropriate Data Protection Authority, whose contact information can be found at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
Opt Into Marketing
For domestic applicants using the NASBA online application to register to take the CPA examination, if you want to permit us to release your name and address to other organizations, please select “Yes” from the drop down menu. International applicants using the NASBA products and services must read and expressly consent to all sections of the Informed Consent agreement.
For both domestic and international applicants, if you receive a specific email from NASBA regarding special offers, products, conferences or other communications, and no longer want to receive these types of emails from us, please click the “opt out” link located at the bottom of the NASBA email that was sent to you. You may also send an email marked “remove from email list” in the subject line to [email protected]. Once this information is shared with our Communications Department and NASBA has finished processing your request, we will make reasonable efforts to remove personally identifiable information from our databases. Please note that while you will no longer receive marketing communications from NASBA, you may still receive emails containing important or relevant information specific to your individual account. If you receive a marketing communication through text message, you may opt-out by following the instructions provided in the message.
IX. Security
We use reasonable precautions to protect information about our customers while it is stored on our servers or in transit to our vendors processing on our behalf. We have put in place reasonable safeguards to protect the security, integrity and privacy of the Personal Data we collect via our sites, including Secure Sockets Layer (SSL) encryption. In addition, access to all of our users’ information is restricted. Only employees and business partners who need the information to perform a specific job (for example, an application processor or candidate service associate) are granted access to personally identifiable information. Unfortunately, no data transmission over the Internet can be guaranteed to be 100% secure. While we strive to protect your Personal Data, we cannot ensure or warrant the security of any information you transmit to us or through our Sites.
Lost or Stolen Information
If you believe credit card and/or password are stolen from or used without your permission on any of our Sites, immediately notify your card provider in accordance with its rules and procedures, and contact us. Upon notification, we will further investigate and, if necessary, cancel any verified false transactions and compromised passwords, and will update any affected records.
X. External Websites
Our Sites may contain links to other third-party websites. The information practices or the content of such other websites is governed by the privacy statements of such other websites. We encourage you to review the privacy statements of other websites to understand their information practices. We are not responsible for the nature, quality or accuracy of the content or opinions expressed on such websites, or of the services provided through such websites. Such websites are not investigated, monitored or checked for quality, accuracy or completeness by us. Inclusion of any linked website on our Sites does not imply or express an approval or endorsement of the linked website by us, or of any of the content, opinions, products or services provided on these websites. Even if an affiliation exists between our Sites and a third-party website or application, we exercise no control over linked websites.
XI. Governing Law
Our Sites are controlled, operated and administered entirely within the United States. By using our Sites, you signify your agreement to the terms of this Privacy Policy. If you do not agree with this Privacy Policy, please do not disclose any Personal Data through our Sites. This Privacy Policy and the use of our Sites are governed by Tennessee law and United States federal law. Any claim related to our Sites or this Privacy Policy shall be brought only in a federal or state court in Davidson County, Nashville, Tennessee, within one year after the claim arises. Users of our Sites consent to the exclusive jurisdiction and venue of such courts as the most convenient and appropriate for the resolution of disputes concerning this Privacy Policy. This Privacy Policy and the notices outlined herein are not intended to and do not create any contractual or other legal rights in or on behalf of any third party. The information we collect from you through our Sites may be collected and transferred by and to our affiliates located throughout the world, to the extent necessary to provide services and/or products that you have requested.
XII. Special Notice to California Residents
Under the California Civil Code, residents of the State of California that have provided any personally identifiable information to us have the right to request a list of all third parties to which we have disclosed personally identifiable information during the preceding year for direct marketing purposes. Alternatively, the law provides that if we have a privacy policy that gives either an opt-out or opt-in choice for use of personally identifiable information by third parties (such as advertisers or affiliated companies) for marketing purposes, we may instead provide you with information on how to exercise your disclosure choice options free of charge. We qualify for the alternative option andhave adopted a policy of not disclosing the personal information of users of our Sites to third parties for the third parties’ direct marketing purposes if the user has exercised an option that prevents that information from being disclosed to third parties for those purposes. We have established this Privacy Policy that provides you with details on how you may either opt-out of the use of your personally identifiable Information by third parties for direct marketing purposes. If you are a California resident and would like to request information about how to exercise your third-party disclosure choices, please call us with a preference on how our response to your request should be sent.
XIII. Children
We do not knowingly collect Personal Data from or market online to children under the age of 16, and users under the age of 16 should not submit any Personal Data to us. If we have actual knowledge that Personal Data about a child under 16 years old has been collected, then we will take the appropriate steps to delete this Personal Data. If you are a parent or guardian and you are aware that your child under 16 has provided us with Personal Data, please contact us though one of the methods listed under “Contact Us” below. If you are under 18, you may purchase products through our sites only with the involvement and consent of a parent or guardian.
For more information about the Children’s Online Privacy Protection Act (“COPPA”), which applies to websites that direct their services to children under the age of thirteen (13), please visit the Federal Trade Commission’s website: https://www.ftc.gov/tips-advice/business-center/guidance/complying-coppa-frequently-asked-questions.