Totara Official Logo
Request a demo
Totara Official Logo
Background pattern

Totara – Privacy Notice

Last Revised: 10 November 2025

Totara is committed to respecting and protecting your privacy. We believe in transparency and aim to keep you informed about how your personal data is collected and used. Any data we collect is handled in accordance with our Privacy Notice, which outlines in detail how we use, process, and safeguard your information. The notice also covers other key aspects of data privacy to ensure you understand your rights and our responsibilities. Please read this privacy notice carefully to understand the types of information we collect from you, how we use that information, the circumstances under which we will share it with third parties, and your rights in relation to the personal data you provide to us.

If you have any questions, please contact us here.

Who We Are

1.1 At Totara Learning Europe Limited (UK) and its affiliated companies, Think Associated Ltd (UK), Totara Learning Solutions Ltd (New Zealand) and Totara Learning Inc (United States) (collectively referred to as “Totara,” “we,” “us,” or “our”), we place the highest importance on protecting your data, privacy, and personal information.

1.2 This notice (together with our terms of service and any other documents referred to in it), sets out the basis on Totara collects, uses, shares or otherwise processes information relating to individuals (“Personal Data”) Please read this privacy notice carefully to understand the types of information we collect from you, how we use that information, the circumstances under which we will share it with third parties, and your rights in relation to the personal data you provide to us.

1.3 This privacy notice applies to your use of our website at Totara.com, along with all related websites including our Community site, Partner Site, Support Site, academy site, and subscriptions site. It also extends to our direct marketing activities, recruitment processes, and product feedback channels. Collectively, these are referred to as our “Service.”

1.4 In cases where Totara provides enterprise hosting solutions, the applicable customer contract and, where relevant, the Data Processing Agreement (“DPA”) will govern the applicable privacy and data protection terms.

1.5 This Privacy Notice does not apply to the extent we process Personal Data in the role of a processor or service provider on behalf of our customers, including where we offer to our customers various products and services through which our partners (or their affiliates) create their own websites and applications running on our platforms that collect, use, share or process Personal Data via our products and services

1.6 Our Websites contains links to third party websites. If you follow a link to any of those third-party websites, please note that they have their own privacy policies and that we do not accept any responsibility or liability for their policies or processing of your personal data. Please check these policies before you submit any personal data to such third-party websites.

Information We May Collect

2.1 We may process your Personal Data if:

  • You visit our websites that display or link to this Privacy Notice;
  • You or the company you work for are a customer or a supplier of ours;
  • You or the company you work for use our products or services; or
  • You are someone (or you work for someone) to whom we want to advertise or market our services.

Please note that we need certain types of information so that we can provide services to you. If you do not provide us with such information, or if you ask us to delete it, you may no longer be able to access our services.

2.2 Information Provided by You

You may provide us with your personal data when you:

  • fill in forms or create profiles on our websites;
  • submit applications for employment;
  • correspond with us by phone or email;
  • when you interact with us at trade shows or events;
  • send us customer service-related requests.

2.3 Information We May Collect About You

With regard to each of your visits to our websites we may automatically collect the following information:

  • Device-specific information, such as your hardware model, operating system version, unique device identifiers, and mobile network information; technical information about your computer, including where available, your IP address, operating system and browser type, for system administration and analytical purposes; and details of your visits to, and activity on, the Website.
  • We may also use website and application analytics service provided by third parties that use cookies and other similar technologies to collect information about website or application use, report trends and target marketing messaging. These third parties include Google Analytics, LinkedIn, and HubSpot. You can learn about Google’s and HubSpot’s practices in connection with this information collection and how to opt out of it by viewing Google’s privacy options and choices as are described here or downloading the Google Analytics opt-out browser add-on, reviewing LinkedIn’s Privacy documentation, and checking HubSpot’s Privacy Policy.
  • We partner with Microsoft Clarity and Microsoft Advertising to capture how you use and interact with our Partner Portal website through behavioral metrics, heatmaps, and session replay to improve and market our products/services. Website usage data is captured using first and third-party cookies and other tracking technologies to determine the popularity of products/services and online activity. Additionally, we use this information for site optimization, fraud/security purposes, and advertising. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement.
  • Some of the data we collect is anonymous information sent by your browser when you visit our websites. For more information about our use of cookies and tracking technologies, please see section 9 of this Privacy Notice.

2.4 Information we receive from other sources

We may receive personal data about you if:

  • You obtain our services through one of our resellers or partners. The types of information may include contact details of partner employees, or employees of a subscribing organization for whom the partner manages the subscription.
  • We may implement third party buttons (such as Facebook “like” or “share” buttons and LinkedIn tags) that may function as web beacons even when you do not interact with the button. Information collected through third-party web beacons and buttons is collected directly by these third parties, not by Totara Learning. Information collected by a third party in this manner is subject to that third party’s own data collection, use, and disclosure policies.

2.5 Personal Data Concerning Children

Our website and services are not intended for or targeted at children under the age of 13 (or under 16 where applicable under local law), and we do not knowingly collect personal data from such individuals. If you believe we have mistakenly or unintentionally collected personal data from a child, please contact us at Privacy@Totara.com so we can promptly delete the information.

How We May Use Your Personal Data

3.1 We collect and process your personal data for clearly defined purposes and in accordance with applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR). How we use your information depends on the services you use, how you interact with those services, and any preferences you have communicated to us.

3.2 Under UK and EU data protection laws, we must have a valid legal basis—referred to as a “lawful ground”—for each use of your personal data. The specific legal basis applicable to each processing activity will be detailed in this privacy notice. The main legal bases we rely on include:

  • Consent: Where you have given us clear, informed, and freely given consent to process your personal data for a specific purpose. You have the right to withdraw your consent at any time, as outlined in the “Your Rights” section of this notice.
  • Contract Performance: Where the processing is required to enter into or fulfill a contract with you, such as providing access to our services or processing your subscription.
  • Legal obligation: Where we are required to process your personal data to comply with a legal or regulatory obligation to which we are subject.
  • Legitimate interest: Where the processing is necessary for our legitimate interests, provided these interests are not overridden by your fundamental rights and freedoms. Our legitimate interests include service improvement, fraud prevention, marketing (where permitted by law), and maintaining network and information security.
  • Legal claims: Where the processing is necessary for the establishment, exercise, or defense of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.

3.3 We carefully assess and document our reliance on each of these grounds in relation to the personal data we process, and ensure our practices are transparent and accountable.

We may use the personal data we obtain about you for the following reasons:

  • Service Delivery and Account Management
    To operate and manage our services, including providing access to community forums (e.g., for product support), administering subscriptions, delivering training content and courses, and creating and maintaining user accounts. (Legal basis: Contract Performance)
  • Communications
    To communicate with you regarding new product releases, service updates, security alerts, webinars, commercial offers, and customer service inquiries. (Legal basis: Contract Performance, Legitimate interest)
  • Business Operations and Service Improvement
    To operate, evaluate, and enhance our services and business operations. This includes developing new features and services, assessing communication effectiveness, measuring user satisfaction, and analyzing user interactions to improve functionality and performance. (Legal basis: Legitimate interest)
  • Marketing and Promotions
    To send you marketing communications about Totara and selected third-party products, services, offers, programs, and promotions (e.g., newsletters, surveys, contests). We also process entries and deliver rewards related to promotional campaigns. (Legal basis: Consent, Legitimate interest)
  • Personalization
    To personalize your experience, including:
    • Remembering your preferences and login details for future visits
    • Providing tailored recommendations and content
    • Assessing the effectiveness of our marketing efforts
    • Tracking your participation in services and activities
      (Legal basis: Legitimate interest, Consent)
  • Analytics and Insights
    To understand usage patterns, user preferences, and service performance through data analysis and conducting surveys. This supports improvements to our service design, user interface, and delivery. (Legal basis: Legitimate interest)
  • Partner and Subscriber Relationship Management
    To communicate with partners regarding account performance and engagement, and to associate individual users with their organizational subscriptions and assigned partners. (Legal basis: Contract Performance, Legitimate interest)
  • Recruitment and Hiring
    To manage our recruitment process, including providing information about career opportunities at Totara, processing job applications, supporting the interview process, and where applicable, assisting with employment onboarding. (Legal basis: Contract Performance, Legitimate interest, Legal obligation)
  • Data Anonymization
    To anonymize personal data for research, reporting, and analytical purposes. (Legal basis: Legitimate interest)
  • Contract Enforcement and Security
    To enforce agreements, ensure the security and integrity of our services, and protect against fraud or unauthorized access. (Legal basis: Legitimate interest, Legal obligation)
  • Legal Compliance
    To comply with applicable laws, regulatory requirements, and internal policies. (Legal basis: Legal obligation)

How We Share Your Personal Data

4.1 We do not sell or otherwise disclose personal data we collect about you, except as described in this notice or otherwise disclosed to you at the time the data is collected.

4.2 We may share your personal data with third parties under specific circumstances and only where permitted by applicable data protection laws. For details on the sub-processors involved in handling Personal Data Data, please refer to Totara Sub-Processors.

  • Service Providers, Business Partners, and Group Companies
    We may disclose your personal data to trusted third parties that provide services on our behalf, including website hosting, analytics, marketing support, and other operational functions. This may include Totara Alliance Partners and our group companies, where necessary for internal administration and service delivery.
  • Business Transfers
    In the event that Totara, or substantially all of its assets, are acquired by a third party (through merger, acquisition, or asset sale), customer personal data may be transferred as part of the transaction.
  • Legal Obligations and Protection of Rights
    We may disclose your personal data where we are legally required to do so, or where disclosure is necessary to protect the rights, property, or safety of Totara, our customers, or others.
  • Fraud Prevention and Credit Checks
    We and other relevant organizations may access and use your personal data for the purposes of fraud detection, credit risk assessment, and identity verification. If false or misleading information is identified, details may be shared with fraud prevention agencies.
  • Legal Proceedings and Law Enforcement
    We may disclose your information to courts, regulators, law enforcement agencies, or other competent authorities if required by law, or in connection with legal proceedings or investigations—whether within or outside your country of residence. Where possible and lawful, we will notify you of such disclosures unless doing so would compromise the investigation or legal process.

Data Retention

5.1 We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to carry out the processing activities described in this notice, to address any issues or disputes that may arise, and to comply with legal or regulatory obligations.

5.2 In certain cases, personal data may be retained for longer periods to meet legal requirements, enforce our rights, or adhere to internal compliance procedures. For example, we may retain your email address on a suppression list to ensure that we respect your choice to opt out of receiving marketing communications.

5.3 We also retain personal data for the duration of your use of our services, and thereafter only as long as necessary to support our legitimate business interests, enforce our agreements, and comply with applicable laws.

Your Rights and Choices

6.1 Subject to the conditions set forth under applicable law, you have the following rights in relation to your personal data. All of these rights can be exercised by Contacting Us.

  • Right of Access
    You have the right to obtain from us information as to whether your personal data is being processed and, where that is the case, access to such personal data.
  • Right to Rectification
    We will use reasonable endeavours to ensure that your personal data is accurate. In order to assist us with this, you should notify us of any changes to the personal data that you have provided to us by sending us a request to rectify your personal data where you believe the personal data we have is inaccurate or incomplete.
  • Right to erasure / ‘Right to be forgotten’
    Asking us to delete all of your personal data will result in Totara deleting your personal data without undue delay (unless there is a legitimate and legal reason why Totara is unable to delete certain of your personal data, in which case we will inform you of this in writing).
  • Right to restriction of processing
    You have the right to ask us to stop processing your personal data at any time.
  • Right to data portability

    You have the right to request that Totara provides you with a copy of all of your personal data and to transmit your personal data to another data controller in a structured, commonly used and machine-readable format, where it is technically feasible for us to do so and the processing is based on consent or contractual performance.
  • Right to complain
    We are dedicated to resolving any privacy-related concerns or complaints in a fair and constructive manner. We strongly encourage you to contact us directly should you have any issues, so that we may address them promptly and effectively.However, if you believe your concern has not been adequately resolved and you are located in the European Economic Area (EEA) or the United Kingdom, you have the right to submit a complaint to the appropriate supervisory authority. Contact details for the relevant data protection authorities can be found at the European Data Protection Board (EDPB)
  • Right to not be subject to discrimination for the exercise of rights
    Under no circumstances will Totara refuse goods or services to individuals who exercise their consumer rights.

6.2 Totara is committed to facilitating the exercise of your data protection rights without charge. However, in accordance with applicable data protection laws, we reserve the right to charge a reasonable administrative fee when a request is manifestly unfounded, excessive, or repetitive. This fee will be based on the administrative costs incurred in processing your request. Additionally, while we provide one copy of your personal data undergoing processing free of charge, we may charge a reasonable fee for any further copies requested, as permitted by law.

6.3 Where you request Totara to rectify or erase your personal data or restrict any processing of such personal data, Totara may notify third parties to whom such personal data has been disclosed of such request. However, such third party may have the right to retain and continue to process such personal data in its own right.

6.4 If you receive commercial email communications from us, you may unsubscribe at any time by following the instructions provided in the email. Alternatively, you may opt out of receiving such communications by submitting a request via email to Privacy@Totara.com or by writing to us at the address listed in the “How to Contact Us” section below.

Where applicable, you may update, correct, or delete your account information and manage your preferences, such as the type and frequency of promotional communications, via the settings available within your user account on the website.

Please note that it may take up to ten (10) business days to process your request. During this time, you may continue to receive promotional communications from us, as permitted by applicable law.

6.5 Even if you choose to opt out of commercial communications, you will continue to receive essential administrative messages from us that relate to your use of a service.

6.6 Your device operating system or browser may include settings, options, or add-on components to control the placement and presence of cookies and access to location information. Please note that if you choose to delete (or not to accept) cookies from the Service, or to deny the Service access to your location information, you may not be able to utilise the features of the Service to their fullest potential. We do not specifically respond to Do Not Track (“DNT”) signals.

How We Protect Your Personal Data

7.1 We implement commercially reasonable organizational, technical, and physical safeguards to protect your personal data in accordance with applicable data protection laws. These measures are designed to protect your information from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, misuse, or any other form of unlawful processing.

7.2 Access to your personal data is restricted to authorized employees, contractors, and service providers who require such information to perform their duties or deliver services on our behalf.

7.3 While we take appropriate steps to secure your data, no method of transmission over the internet or electronic storage is completely secure. Therefore, we cannot guarantee the absolute security of your information or that unauthorized access, disclosure, alteration, or destruction will never occur as a result of a breach of our safeguards.

7.4 In addition, we cannot control the behavior of other users with whom you may choose to share information via a website. Even after you remove information from a website, copies may remain viewable in cached or archived pages, or may have been copied or stored by other users or third parties.

7.5 Where we have given you (or where you have chosen) a password which enables you to access a website, you are responsible for keeping this password confidential and for complying with any other security procedures that we notify you of. We ask you not to share your password with anyone.

Third-Party Services

8.1 Totara websites may contain features or links to websites and services provided by third parties. Any information you provide on third-party sites or services is provided directly to the operators of such services and is subject to those operators’ policies, if any, governing privacy and security, even if accessed through a Totara website. We are not responsible for the content or privacy and security practices and policies of third-party sites or services to which links or access are provided through Totara websites. We encourage you to learn about third parties’ privacy and security policies before providing them with information.

Cookies and Other Tracking Technologies

9.1 When you access a Totara website, we may place one or more small text files known as cookies on your device. These cookies contain a string of alphanumeric characters that uniquely identify your browser. Some cookies are session-based and will be deleted once you close your browser, while others are persistent and may remain on your device for use during future visits to the Service—for example, to retain your preferences.

9.2 Totara uses cookies to distinguish you from other users in order to enhance your experience on our Website. This includes personalizing content and advertisements, enabling social media functionality, and analyzing website traffic.

9.3 Most internet browsers are configured to automatically accept cookies. These settings can be modified to selectively accept, block cookies, or alert you when cookies are being sent to your device. Please refer to your browser’s documentation or visit www.allaboutcookies.org for ways to manage cookies. Please be aware, however, that if you choose to disable cookies, certain features of the Website may not function properly or may be unavailable to you.

9.4 We use web beacons, pixels, and similar tracking technologies on our websites and in email communications. These tools may automatically collect certain information from your device, including but not limited to your IP address or other device identifiers, browser type, device type, referring and exit web pages, pages viewed, content interacted with, and timestamps of your visits or interactions.

9.5 Web beacons (also known as “clear GIFs”) may also be used to monitor your engagement with our email messages—for example, to determine whether a message was opened, clicked, or forwarded.

9.6 Additionally, we may collect information about your approximate physical location. This may be obtained through geolocation features on your device or inferred from data such as your IP address, which indicates the general geographic region from which you are accessing a website.

9.7 Where possible, our cookie consent tool lets you choose which types of cookies you’d like to allow, except for those that are strictly necessary. Necessary cookies help the website work properly by supporting things like security, network management, and accessibility. Because they’re essential, you can’t turn them off.

The tool also provides an overview of all the cookies we use, grouped into the categories below:

  • Necessary: These cookies are needed to make the site work, like helping you log in to secure areas. Without them, some parts of the site won’t function.
  • Functional: These cookies remember you when you come back, so we can show your preferred settings like language or region.
  • Analytics: These help us understand how people use the site, so we can make it easier and better to use.
  • Performance: These track how well the site runs and help us improve your experience.
    Advertising: These cookies show you relevant ads and help us see how effective our campaigns are.
    International Data Transfers

10.1 Totara is a global organization with affiliates and service providers located in multiple countries, including New Zealand, the United States, and the United Kingdom. As such, your personal data may be transferred to, stored in, or processed in jurisdictions that may have data protection laws that differ from those applicable in your country of residence, including the European Economic Area (EEA) or the United Kingdom (UK).

10.2 To ensure adequate protection of personal data transferred across borders, Totara implements appropriate safeguards in compliance with applicable data protection laws. These safeguards include entering into Data Processing Agreements (DPAs) with customers, partners, and vendors that incorporate robust privacy and security obligations. Where required, particularly in relation to data transfers from the UK or the EEA, Totara relies on the European Commission’s Standard Contractual Clauses (SCCs), along with the UK Addendum, to provide a lawful basis for such international transfers. In addition, personal data may be processed by Totara staff or third-party data processors located outside of the EEA or the UK, including in the United States and New Zealand. These personnel may be engaged in various support functions such as service delivery, transaction processing, and customer support.

10.3 By using our websites or otherwise providing your personal data to us, you acknowledge and consent to the transfer, storage, and processing of your information in countries outside your jurisdiction, in accordance with this Privacy Notice, applicable data protection laws, and contractual obligations.

10.4 Totara takes all reasonable steps to ensure that such transfers are conducted securely and in compliance with applicable data protection requirements, and that your personal data is afforded a level of protection consistent with legal obligations and best practices.

Changes and Updates to this Notice

11.1 Please revisit this page periodically to stay aware of any changes to this Notice, which we may update from time to time. If we update this Notice, the revised version will be posted on this website, along with the date of the most recent update. In the event that the modifications materially alter your rights or obligations hereunder, we will make reasonable efforts to notify you of the change. For example, we may send a message to your email address, if we have one on file, or generate a pop-up or similar notification when you access the Service for the first time after such material changes are made. Your continued use of the Service after the revised Notice has become effective indicates that you have read, understood and agreed to the revised Notice.

How to Contact Us

If you have any questions, comments, or complaints about this Privacy Notice or our privacy practices or if you would like to exercise your rights and choices, please contact our Data Protection Officer or Contact Us.

EU General Data Protection Regulation (GDPR) – EU Representative

Pursuant to Article 27 of the General Data Protection Regulation (EUGDPR), Totara Learning (Europe) Limited has appointed European Data Protection Office (EDPO) as its GDPR representative in the EU. You can contact EDPO regarding matters pertaining to the GDPR:

  • by using EDPO’s online request form:
  • by writing to EDPO at Avenue Huart Hamoir 71, 1030 Brussels, Belgium