EduTone Corporation (“EduTone”, “we”, or “us”) understands how important data privacy is to you. We want you to know that data protection is at the very heart of everything we do, and we maintain strict administrative and technical procedures to keep all data safe and secure.
In an effort to make this Policy more readable, unless the context indicates or dictates otherwise, we refer to:
- our platform and all of our additional services and websites as “Service(s)”,
- schools and school districts that register for and/or purchase subscriptions to our Service(s) as “Schools”,
- students whose information we may access on behalf of a School as “Students”,
- teachers and other individuals authorized by a School to use our Service(s) in their work directly with Students as “teachers”,
- principals and other supervisory or support personnel authorized by a School to use our Service(s) as “administrators”,
- teachers and administrators together as “School officials”,
- adult parents or guardians of a minor Student authorized by a School to use our Service(s) as “parents”,
- each authorized School official and parent as “you”, and
- online visitors to our websites as “Website Visitors”.
This Policy applies to all of our Services. Our main Service is our platform which includes a unique digital education marketplace and a data store, and which together is designed to give School officials and Students in a School instant access on personal and institution-owned devices to all of their web apps, mobile apps, software tools, online courses and digital content that they need for teaching and learning. One of the main benefits is that they can securely access any web-based resource using only one individual username and password. This is what is meant by “Single Sign-On” (or “SSO”), hence we call this our SSO Platform & Marketplace, or simply our Platform, and when we offer our Platform directly to Schools we brand it the Global Grid for Learning (or “GGFL”). Within our Platform, administrators provision teacher and Student accounts with the third party applications that they use, and, as we describe below, it is the Schools who decide which data are integrated with any of our Service(s), and the Schools who are responsible for determining whether data is ever shared with third party applications through any of our Service(s).
Significant value is derived from our Platform’s ability to accept, store and manage identities controlling access by users – School officials, Students and parents – to resources within our Platform by associating user rights and restrictions with the established identity. When Schools and School officials take advantage of our Platform’s full potential, they are providing and accessing information relating to the Students entrusted to them, and are in turn entrusting that information to us. That trust is something we take very seriously and have prepared this Policy in an effort to be transparent about the steps we take to protect information entered in our Platform about both Students and School officials, who has access to that information and how that information is used.
This Policy applies to all of our Services which are often combined with our Platform and offered to Schools as an integrated solution, and which include: our Digital Content Library (which can also be found at www.ggflondemand.com), our Teacher Community Portal (which can also be found at www.wetheteachers.com), our Online Stores for Schools (which can also be found at www.edpay.net), and our Data Analytics tool; as well as to our websites which can be found at www.edutone.com and www.globalgridforlearning.com.
This Policy describes the types of information we may collect, or that you may provide, when registering with, accessing or using our Service(s). This Policy does not apply to information we collect offline or to information that you may provide to, or is collected by, third parties. This Policy contains the following sections:
- How You Can Help
- Role of the School and School officials
- Protecting Student Information
- FERPA and Education Records
- COPPA and Children under the Age of 13
- Information about School Officials and Parents
- How We Collect and Use Information
- How We Share Your Information
- How We Store and Protect Your Information
- Your Choices About Your Information
- Children’s Privacy
- Student Privacy Pledge Signatory
- Links to Other Websites and Services
- How to Contact Us
1. How You Can Help
We need your help in ensuring that we are together protecting any sensitive information to ensure compliance with all relevant data privacy legislation.
a. Role of the School and School officials
Although most of this Policy will focus largely on what we do — and what we confirm we will not do — with information entered in our Service(s), we believe Schools and School officials are critical partners in our collective efforts to protect and ensure only appropriate use of Student-related information entrusted to them and to us. In that regard, it is important that Schools and School officials using our Service(s) are mindful that in granting or allowing access to our Service(s), they are controlling who has access to Student information. When we reference “granting or allowing access,” we are referring to both intentional actions, such as an administrator authorizing an account within our Service(s) for a teacher, as well as unintentional actions or consequences that may flow from, for example, allowing Students access to our Service(s) login credentials or a School’s failure to maintain sufficient data governance or security practices. In cases where FERPA applies (more below), access to certain Student information remains the legal responsibility of the applicable School. In all situations, it is incumbent upon our customers to make an affirmative determination prior to granting access to anyone that the party has a legitimate need for access to our Service(s) and the sensitive information that may be accessible to that party through our Service(s).
b. Protecting Student Information
i. FERPA and Education Records
One of the core tenets of the Family Educational Rights and Privacy Act (FERPA) is the protection of the privacy of personally identifiable information (or “PII”) in Student education records. As defined in FERPA, “education records” are “those records, files, documents and other materials which: (i) contain information directly related to a Student; and (ii) are maintained by an educational agency or institution or by a person acting for such agency or institution.” PII from education records includes information, such as a Student’s full name, email address or identification number, that can be used to distinguish or trace an individual’s identity, either directly or indirectly through linkages with other information.
FERPA generally requires that educational institutions and agencies that receive certain federal funds (for example, public Schools) get prior consent from a parent before disclosing any education records regarding that Student to a third party. Consequently, if you are using our Service(s) on behalf of an educational agency or institution and FERPA applies, before you enter, upload or access any data concerning a minor Student, you must confirm that your agency or institution has: (1) obtained appropriate consent from the parent or guardian of that Student, or (2) determined that one of the limited exceptions to the consent requirement applies. You can find more information on FERPA and related guidance here, and a summary of the limited exceptions here.
Although we hope it goes without saying, we will only use PII from Student education records to enable School officials and parents to access and use our Service(s). Unless a School official expressly instructs otherwise, we will not share or reuse PII from education records for any other purpose. While we think those statements are clear, to avoid any doubt, we will not use Student PII to target Students or their families for advertising or marketing efforts or sell rosters of Student PII to third parties (which we simply think is the wrong thing to do).
ii. COPPA and Children under the Age of 13
Some people tend to link (and sometimes confuse) FERPA and COPPA. The intent of the Children’s Online Privacy Protection Act (COPPA), is to give parents control over commercial websites’ and online services’ collection, use and disclosure of information from children under the age of 13. Many assume COPPA applies to all internet-based services, regardless of the identity of the end user. When our Services are used as intended by School officials and parents, although that use may involve information relating to Students under 13, the Student is not the end user and COPPA does not apply.
c. Information about School Officials and Parents
We collect information from and about you when you provide it to us, and automatically when you use our Service(s). Again, “you” refers to an authorized School official or parent user of our Service(s), not Students.
2. How We Collect and Use Information
We collect the following types of information from Schools and end users:
Information about Schools
We ask for certain information when a School official registers a School with our Service(s), or if the School official corresponds with us online, including a name, school name, school district, school email address and/or account name and password, phone number, message content, and information relating to the School’s information systems. We may also retain information provided by a School if the School sends us a message, posts content to our website or through our Service(s), or responds to emails or surveys. Once a School begins using our Service(s), we will keep records of activities related to the Service.
We use information that you, as a School official or parent, provide through our Service(s) to (as applicable):
- operate, maintain, and provide the features and functionality of the Service(s),
- analyze our Services’ functionality,
- provide our Service(s) and any other products or services you may request from us,
- give you notices about your registration and subscription, including expiration and renewal notices,
- carry out our rights and responsibilities under agreements between us and your School, and
- notify you of changes to our Service(s) (including substantive changes to this Policy or other user policies).
Information about Students
Our Service(s) may have access to PII about Students in the course of providing our Service(s) to a School. We consider Student information to be confidential and do not use such data for any purpose other than to provide our Service(s) on the School’s behalf.
In most instances, our Service(s) receive Student information only from the School and never interact with the Student directly. The type of Student information we receive (only from the School) is what is usually referred to as school roster information which includes, but is not limited to, student name, address, age, as well as sensitive personal information such as ethnicity and disability status. Depending on the level and type of Service selected by the School, the School may allow Students to log into our Service(s) to access third party applications that have been authorized by the School. In that instance, the School provides each student with login credentials and confirms that it has obtained appropriate parental consents, as needed, before the student is permitted access. Our Service(s) have access to Student information only as requested by the School and only for the purposes of acting on the School’s behalf. If you are a Student or parent, please contact your School if you have questions about the School’s use of technology service providers like us. If a Student contacts us with a question about our Service(s), we will collect personal information from that Student only as necessary to respond to the Student’s request and direct the Student to contact the Student’s School, and we will then delete or anonymize the personal data of the Student after providing our response.
See “How We Share Your Information” below for more information on the limited ways in which we share School and Student information. See “Children’s Privacy” below for more information on how we collect and use the personal information of children under 13.
Automatic Information Collection and Tracking
We automatically collect certain types of usage information when visitors view our websites or use our Services. We may send one or more cookies — which are small files placed on the hard drive of your computer or other device — to your computer that uniquely identifies your browser and lets our Service(s) help you log in faster and enhance your navigation through the site. A cookie may also convey information to us about how you use the Service (e.g. the pages you view, the links you click and other actions you take on the Service), and allow us to track your usage of the Service over time. We may collect log file information from your browser or mobile device each time you access the Service. Log file information may include anonymous information such as your web request, Internet Protocol (“IP”) address, browser type, information about your mobile device, number of clicks and how you interact with links on the Service, pages viewed, and other such information. We may employ small electronic files known as web beacons (also referred to as clear gifs, pixel tags and single-pixel gifs) that permit us to, for example, count users who have visited those pages or opened an email and for other related statistics. In addition, we may also use clear gifs in HTML-based emails sent to our Schools to track which emails are opened and which links are clicked by recipients. The information allows for more accurate reporting and improvement of the Service. We may also collect analytics data, or use third-party analytics tools, to help us measure traffic and usage trends for the Service. We do not allow third party advertising networks to collect information about the users of any of our Services.
We use or may use the data collected through cookies, log files, device identifiers, and web beacons to: (a) remember information so that a user will not have to re-enter it during subsequent visits; (b) provide custom, personalized content and information; (c) to provide and monitor the effectiveness of our Services; (d) monitor aggregate metrics such as total number of visitors, traffic, and usage on our Services; (e) diagnose or fix technology problems; and (f) help users efficiently access information after signing in.
Third Party Information Collection
As discussed further under “How We Share Your Information”, we may use third party providers to support elements of our Services’ infrastructure or functionality. These providers may, like us, use automatic information collection technologies to enable or streamline certain features they are providing on our behalf. In all cases, these providers will be contractually bound to us to keep PII confidential and to use it only in order to fulfil their responsibilities to us.
3. How We Share Your Information
Except as expressly set forth below and under the Third Party Information Collection heading above, and only in those limited circumstances, we will not disclose any PII relating to Students, parents or School officials to third parties without your consent or the consent of your associated School. We hope it goes without saying that we do not and would not rent or sell information for marketing purposes.
We may provide access to PII data storage and disclose PII with your permission to those contractors and other service providers that we use to support our business. These may include individuals (such as data scientists and software developers) and commercial vendors that provide or support elements of our Services’ infrastructure or functionality. In all cases, these providers will be bound by contractual obligations to keep PII confidential and to use it only for the purposes for which we disclose it to them.
We may also disclose PII to fulfil the purpose for which you provide it. For example, if you contact us using your email address, we will use that email address to respond to you.
Of course, if we ever were to engage in any onward transfers of PII with third parties for a purpose other than which it was originally collected or subsequently authorized, we would provide you with an opt-out choice to limit the use and disclosure of your PII.
In cases of onward transfer to third parties of data of EU individuals received pursuant to the EU-US Privacy Shield (please see section on Compliance with International Standards below), we are potentially liable.
In the event of a change of control: If a third party purchases all or most of our ownership interests or assets, or we merge with another organization, it is possible that we would need to disclose PII to the other organization following the transaction, for example, were we to integrate our Service(s) with the other organization’s product offerings. However, we will not transfer personal information of our customers unless the new owner intends to maintain and provide our Service(s) as a going concern, and provided that the new owner has agreed to data privacy standards no less stringent than our own. To the extent any such transaction would alter our practices relative to this Policy, we will give you advance notice and any choices you may have regarding PII.
We will retain PII for as long as the applicable School uses and/or maintains its subscriptions to our Service(s) in good standing. Once subscriptions lapse or terminate, unless a written agreement between us and a School provides otherwise, we will retain PII for up to 12 months after which time it will be destroyed. Any retained PII will of course remain subject to the restrictions on disclosure and use outlined in this policy for as long as it resides with us.
Finally, although we outlined earlier in this Policy what constitutes PII, we also want to be clear what information is not PII. Once PII, whether relating to a School official, parent or Student has been de-identified, that information is no longer PII. PII may be de-identified through aggregation or various other means. The U.S. Department of Education has issued guidance on de-identifying PII in education records here. In order to allow us to proactively address customer needs, we anticipate using de-identified information to improve our Service(s) and other of our products and services. That said, we will use reasonable de-identification approaches to ensure that in doing so, we are not compromising the privacy or security of the PII you entrust to us.
4. How We Store and Protect Your Information
Hosting: Our Services are cloud-based solutions hosted on Amazon Web Services (AWS) and Microsoft Azure in multiple data centers in multiple regions. Consistent with guidance from the U.S. Department of Education and other agencies of what constitutes “best practice” when storing sensitive education records, we only store such records used by our Service(s) in the cloud-based servers located in the country to which those records pertain – in other words, we store PII relating to Schools in the United States on servers located only in the United States.
Keeping information safe: We maintain strict administrative, technical and physical procedures to protect information stored in our servers. Access to information is limited (through multi-factor authentication) to those employees who require it to perform their job functions; in addition, we conduct thorough background checks for these employees, as well as conducting comprehensive activity audits and ensuring that their work is entirely separate from the rest of our team. Among other things, PII is encrypted at rest and in transit to and from our Service(s) using industry-standard encryption technology. We have implemented measures designed to secure PII from accidental loss and from unauthorized access, use, alteration and disclosure. In addition, all PII is securely stored behind firewalls in the Virtual Private Cloud environment protected by our hosting providers. All environments are equipped with intrusion detection systems.
Compliance with International Standards
Mail: EduTone Corporation
Attn: Data Policies
1320 Harbor Bay Pkwy, Suite 260
Alameda, CA 94502
We have further committed to refer unresolved privacy complaints under the EU-US Privacy Shield Principles to BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint.
Please note that if your complaint is not resolved through these channels, under limited circumstances, a binding arbitration option may be available before a Privacy Shield Panel.
Rights of EU citizens: We acknowledge that EU individuals have the right to access the PII that we might maintain about them. An EU individual who seeks access, or who seeks to correct, amend, or delete inaccurate data, should direct his query to firstname.lastname@example.org. If requested to remove data, we will respond within a reasonable timeframe.
Complaint Handling: We are subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).
5. Your Choices About Your Information
Account information and settings: School officials may update account information and modify Service(s) by signing into the administrator account. Schools and other Website Visitors can opt-out of receiving any emails from us by clicking on the “unsubscribe” feature at the bottom of each email. We apologize for the fact that you cannot unsubscribe from Service-related messaging.
If you have any questions about reviewing or modifying account information, please contact us directly at email@example.com.
Access to Student information: Student information is provided and controlled by the Schools. If you have any questions about reviewing, modifying, or deleting personal information of a Student, please contact your School directly.
Deleting or disabling cookies: You may be able to disallow cookies to be set on your browser. Please look for instructions on how to delete or disable cookies and other tracking/recording tools on your browser’s technical settings. You may not be able to delete or disable cookies on certain mobile devices and/or certain browsers. For more information on cookies, visit www.allaboutcookies.org. Remember, disabling cookies may disable many of the features available on our Service(s), so we recommend you leave cookies enabled.
How long we keep User Content: Following termination or deactivation of a School account, our Service(s) may retain profile information and content for a commercially reasonable time and according to our data retention policies for backup, archival, or audit purposes, but any and all Student information associated with the School will be deleted promptly. Any publicly shared comments or ratings on our Service(s) may remain in view to other subscribers after an account deletion, but nobody will be able to see the identity of a deleted account holder. We may maintain anonymized or aggregated data, including usage data, for analytics purposes. If you have any questions about data retention or deletion, please contact firstname.lastname@example.org.
6. Children’s Privacy
Our Services do not knowingly collect any information from children under the age of 13 unless the School has obtained appropriate parental consent for the Student to use our Services. Please contact us immediately at email@example.com if you believe we have inadvertently collected personal information of a Student under 13 without proper parental consent so that we may delete such data as soon as possible.
7. Student Privacy Pledge Signatory
EduTone is a signatory of the Student Privacy Pledge, which requires us to adhere to 11 stringent standards as a further assurance of our commitment to protecting your data. These include the following commitments:
| OUR COMMITMENTS TO THE STUDENT PRIVACY PLEDGE | |
|---|---|
| Not collect, maintain, use or share student PII beyond that needed for authorized educational/school purposes, or as authorized by the parent/student. | Collect, use, share, and retain student PII only for purposes for which we were authorized by the educational institution/agency, teacher or the parent/student. |
| Not use or disclose student information collected through an educational/school service (whether personal information or otherwise) for behavioral targeting of advertisements to students. | Disclose clearly in contracts or privacy policies, including in a manner easy for parents to understand, what types of student PII we collect, if any, and the purposes for which the information we maintain is used or shared with third parties. |
| Not build a personal profile of a student other than for supporting authorized educational/school purposes or as authorized by the parent/student. | Support access to and correction of student PII by the student or their authorized parent, either by assisting the educational institution in meeting its requirements or directly when the information is collected directly from the student with student/parent consent. |
| Not sell student personal information. | |
| Not make material changes to school service provider consumer privacy policies without first providing prominent notice to the account holder(s) (i.e., the educational institution/agency, or the parent/student when the information is collected directly from the student with student/parent consent) and allowing them choices before data is used in any manner inconsistent with terms they were initially provided; and not make material changes to other policies or practices governing the use of student personal information that are inconsistent with contractual requirements. | Maintain a comprehensive security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of student PII against risks – such as unauthorized access or use, or unintended or inappropriate disclosure – through the use of administrative, technological, and physical safeguards appropriate to the sensitivity of the information. |
| Not knowingly retain student personal information beyond the time period required to support the authorized educational/school purposes, or as authorized by the parent/student. | Require that our vendors with whom student PII is shared in order to deliver our Service(s), are obligated to implement these same commitments for the given student PII. |
8. Links to Other Web Sites and Services
We are not responsible for the practices employed by websites, applications or services linked to or from our Service(s). We recommend that you review the privacy policies of other applications before authorizing any usage.
9. How to Contact Us
You can and should ask questions about this Policy and our privacy practices. You should always feel free to contact us at:
Mail: EduTone Corporation
Attn: Data Policies
1320 Harbor Bay Pkwy, Suite 260
Alameda, CA 94502