• 2. Our Compliance With COPPA And FERPA
Our learning platform is designed for schools, teachers and Parents working with Students. We recognize the sensitive nature of personal information concerning Students under age 13, and concerning Students generally, where the information is contained in a school’s educational records. This personal information is protected under either or both of the following federal statutes: the Children’s Online Privacy Protection Act (“COPPA”) and the Family Educational Rights and Privacy Act, including the Protection of Pupil Rights Amendment (“FERPA”). Our privacy practices comply with both COPPA and FERPA. For California residents only, this personal information is also subject to the California Consumer Privacy Act (“CCPA”). Our privacy practices comply with the CCPA.
• 6. The Types of User Information We Collect
We limit our collection of personal information to no more than is reasonably necessary for the user at issue to participate in our learning platform. Specifically, we collect the following types of information:
  • School Administrator Information: we collect registration information from a school administrator when the school administrator activates the school’s subscription account, which may include the school administrator’s own first and last name, business address and phone number, date of birth, email address, and username;
  • Teacher Information: we collect registration information from a teacher or school administrator when the teacher (or school administrator) activates the teacher’s account, which may include the teacher’s first and last name, business address and phone number, date of birth, email address, and username; additionally, we may collect information that constitutes Performance Review Data;
  • Student Information: we collect registration information from a teacher or school administrator when the teacher (or school administrator) activates the account of an individual Student, which may include the Student’s first and last name, email address, username and other information which may include gender, race, and ethnicity;
  • Schoolwork Information: we collect information contained in Student homework, assignments, Student compositions and reports, tests, test results, grades, and other exchanges over our learning platform;
  • User-Generated Content: we collect information that Students and other users provide in connection with submitting user-generated content, and participating in collaborative features of our learning platform (where applicable). Examples of user-generated content that might contain personal information include stories, responses to teacher assignments (either in text, image, audio, or video format), drawings that allow text or free-hand entry of information, and other information provided in open-text and open-form fields; and
  • Usage Information: we collect usage, viewing, analytics, and technical data, including device identifiers and IP addresses, relating to users of our learning platform.
If we discover that we have collected information in a manner inconsistent with the requirements of COPPA or FERPA, we will either (a) delete the information or (b) promptly seek requisite consents before taking further action concerning the information.
• 10. How We Protect Personal Information
We have implemented and maintain technical, administrative and physical security controls that are designed to protect the security, confidentiality and integrity of personal information collected through our learning platform from unauthorized access, disclosure, use or modification. Our information security controls comply with reasonable and accepted industry practice, as well as requirements under COPPA and FERPA. We diligently follow these information security controls and periodically review and test our information security controls to keep them current.
• 10.1 Information Security Procedures. We will:
  • Standard of Care. Keep and maintain all personal information in strict confidence, using such degree of care as is appropriate to avoid unauthorized access, use, modification, or disclosure;
  • Use for School Purposes Only. Collect, use, and disclose personal information solely and exclusively for the purposes for which you provided the personal information, or access to it to us, and not use, sell, rent, transfer, distribute, modify, data mine, or otherwise disclose or make available personal information for our own purposes or for the benefit of anyone other than the school, without the school’s or Parent’s prior written consent;
  • Non-Disclosure. Not, directly or indirectly, disclose personal information to any person other than our employees and service providers who have a need to know, without express written consent from the school;
  • No Commingling. Segregate (via logical, database, or physical segregation) personal information from our other information or our other customers so that a school’s users’ personal information is not commingled with any other types of information not related to the school;
  • Employee Training. Provide appropriate privacy and information security training to our employees;
  • Transport Security. Use Transport Layer Security (TLS) for the transmission of all user data to and from our learning platform; and
  • Secure Storage. Use industry standard file encryption for user data that is subject to protection under either COPPA, FERPA, or both. Where file encryption is not reasonably feasible, we employ other industry standard safeguards, protections, and countermeasures to protect such data, including authentication and access controls within media, applications, operating systems and equipment.
• 10.2 Data Location and Security. We use cloud service providers in the delivery and operation of our learning platform(s), and data (including personal information) is stored on the servers of our cloud service providers. Our contracts with our cloud service providers require them to implement reasonable and appropriate measures designed to secure content against accidental or unlawful loss, access, or disclosure. Our cloud service providers have at least the following security measures in place for their networks and systems: (i) secure HTTP access (HTTPS) points for customer access, (ii) built-in firewalls, (iii) tested incident response program, (iv) resilient infrastructure and computing environments, (v) ITIL based patch management system, (vi) high physical security based on SSAE-16 standards, and (vii) documented change control processes. To the extent we store personal information internally on our servers, we comply with the information security controls set out in Section 10.1.
• 10.3 Data Breach Response. In the event of a security breach involving Personal Information, we will take prompt steps to mitigate the breach, evaluate and respond to the intrusion, and cooperate and assist schools and other subscribers in efforts with respect to (i) responding to the breach, including the provision of notices to data subjects; and (ii) engaging mutually agreeable auditors or examiners in connection with the security breach, subject to reasonable notice, access and confidentiality limitations.
• 11. Access and Control of Personal Information
School administrators and (where applicable) teachers hold access to personal information of the Students for whom they are responsible, and they are able to update this information in the manner permitted by our learning platform. School administrators and teachers are similarly able to access and update their own personal information. Parents can obtain access to information concerning their child that is available on our learning platform. To do so, the Parent should follow the school's procedures for access under FERPA. We cooperate with and facilitate the school’s response to these access requests. Where the school's procedures do not apply to the Parent's access request (and the request is otherwise proper), we will ourselves fulfill the request if and as required by law. After fulfilling an access request, we will update and (where necessary) correct the personal information at issue, as requested by the school or individual entitled to such access. We limit access to personal information to only those employees (i) who have a need to know such information, and (ii) who use the information only for the educational purposes of operating our learning platform and delivering our services.
• 12. Our Retention and Deletion of Personal Information
We retain personal information of users of our learning platform (i) for so long as reasonably necessary (ii) to permit the user to participate in the platform, (iii) to ensure the security of our users and our services, or (iv) as required by law or contractual commitment. After this period has expired, we will delete the personal information from our systems. Please understand that these deletion periods apply to personal information and do not apply to de-identified information. We retain de-identified information in accordance with our standard practices for similar information, and do not retain or delete such information in accordance with this policy. In addition, if requested by a school, we will delete from our platform the personal information of the school’s users, including its teachers and Students, as the school directs. Deleting this information will prevent the school user from engaging in some or all features of our learning platform. Where required by local law, we will delete such information and provide a certification of such deletion.
• 13. Your Rights Under California Privacy Law / Only For California Residents
This section is adopted to comply with the California Consumer Privacy Act of 2018 (CCPA) and other California privacy laws. Any terms defined in the CCPA have the same meaning when used in this section.
• 13.2 Right Not To Be Discriminated Against
Should you exercise any of your privacy rights as a California consumer, we will not discriminate against you by offering you different pricing or products, or by providing you with a different level or quality of services, based solely upon your request. However, in some circumstances, for example where you have requested or consented to our services that use your personal information to provide the service, we may not be able to provide a service if you choose to delete your Personal Information.
• 13.3 Right to Request Deletion
Should you exercise any of your privacy rights as a California consumer, we will not discriminate against you by offering you different pricing or products, or by providing you with a different level or quality of services, based solely upon your request. However, in some circumstances, for example where you have requested or consented to our services that use your personal information to provide the service, we may not be able to provide a service if you choose to delete your personal information.
• 13.4 Information We Collect
In the past twelve (12) months, we collected the following categories of personal information regarding California residents:
a) Identifiers (names, physical addresses, email addresses, phone numbers, online identification numbers, and online account names)
b) Demographic information (age, race, gender, marital status, national origin/ancestry)
c) Posts and profiles on social media platforms
d) Professional or employment related information
e) Inferences drawn from other personal information
f) Video recordings
• 13.5 Sources of Information
We obtain the categories of personal information listed under Section 13.4(a)-(f) hereto from the following categories of sources:
a) Directly from you. For example, from user-generated content on our platform, or from you when you open an account with us.
b) Indirectly from you. For example, when you open an email from us or submit an online form.
c) Directly and indirectly from activity on our website. For example, your usage details on our website and platform collected automatically.
d) From third parties such as data partners. For example, we may receive demographic data from data partners.
e) From publicly available government records.
f) From information made freely available by individuals via a variety of online platforms.
• 13.6 Use of Personal Information
a) To fulfill or meet the reason for which the information is provided.