1. DATA PROCESSING AND STORAGE
1.1 Processor. We are a processor of Data (“Processor”) provided to us by you or collected by us from you or a third party you have authorized.
1.3 Direct Control. We may store your Data in locations outside of our direct control (e.g., on servers or databases co-located with hosting providers).
1.4 United States. Our Services are hosted and operated entirely in the United States and are subject to United States law. Data we collect from you is stored and processed in the United States. By accessing or using our Services outside of the U.S., you consent to the transfer of your Data to the United States. Please be advised that United States law may not offer the same privacy protections as the law in your jurisdiction.
1.5 International Transfer. Data may be processed and/or stored in the United States, European Union Member Nations, Canada or any other country in which our Subprocessors and we operate. We may transfer Data to them across borders and from your country or jurisdiction of domicile to other countries or jurisdictions. If you are located in the European Union or other regions with laws restricting data transfer, please note that we will comply with laws applicable to us.
2. LAWFUL BASIS
We only collect and process your Data where we have lawful basis. Our lawful basis includes consent (where you have given it), where necessary for us to operate our Services, and for our legitimate interests, including (i) complying with applicable law, (ii) protecting against security or other threats, (iii) improving our Services, and (iv) addressing customer relationship issues.
3. DATA USE
We may use your Data to:
- operate our Services;
- deliver our Services to you;
- manage our relationship with you (e.g., provide you with help and support);
- perform analysis of your use of our Services;
- communicate with you about your Plan options;
- enforce our Terms and any applicable Other Agreements;
- tailor your experience on our Services (e.g., showing you content we believe may be relevant to you and displaying Content according to your preferences).
- respond to investigation, court orders, legal process, or to investigate prevent or take action regarding illegal activities, suspected fraud or situations involving potential threats to the physical safety of any person or potential emotional or physiological abuse (e.g., bullying) of any person, or as otherwise required by law; and
- perform functions as otherwise described to you at the time of Data collection.
4. PERSONALLY IDENTIFIABLE INFORMATION
4.1 Definition. Data includes personally identifiable information about you such as your username, name and email address (“PII”).
4.2 Accessing and Using Services. You can choose what information to share with us. If you choose to withhold PII requested by us, it may not be possible to access or use our Services or portions thereof.
4.3 Collecting PII. We may collect PII from you:
- when we correspond with you;
- when you register for an Account;
- when you complete a survey;
- when you contact us for help; and
- when our Services send us error or application data reports.
4.4 Sensitive Information. We do not require you to provide sensitive information such as racial or ethnic origin, political opinions, religious beliefs, sexual orientation, or genetic, biometric or health data (“Sensitive Information”).
4.5 Managing PII. You may access, correct, update, change or delete your PII at any time via Your Account settings.
5. DATA RETENTION
We may retain records of Data related to your use of our Services, including usage and activity logs. We retain PII you give us only for (i) as long as your account is open or (ii) otherwise for a limited period of time as long as we need to fulfill the purposes for which it was collected, unless otherwise required by law.
6. DATA REMOVAL
You may request that we delete your Data. To do so, please email us at email@example.com. Complying with your request may require termination of your Account. Selective or partial deletion of your Data may not be possible without hindering your ability to access or use our Services and may require we suspend, limit access to or terminate your Account. Note that we may not be able to delete any de-identified PII about you.
7. DATA SHARING
7.1 Selling PII. We will not sell your PII to any third party without your permission.
7.2 Disclosure by You. Any Data you choose to make publicly available via our Services (such as posting comments, reviewing items, etc.) will be available to others.
7.3 Third Party Disclosure. We may partner with other organizations based, for example, on the interests of our users. We will not share your PII with them without your permission. We may communicate with you about them. However, you may opt-out of any such communications via Your Account settings. If necessary, Data will be shared with third parties (a) only on an aggregate basis such that it does not identify you or (b) in a way in which your PII is de-identified. In such cases, we prohibit them from re-identifying de-identified Data.
7.4 Permitted Disclosure. We reserve the right to disclose Data when required by law, such as by a subpoena or other legal proceedings. We may also disclose Data if we reasonably believe it necessary to (i) comply with requests of law enforcement or other applicable law; (ii) to enforce any agreement between you and us; (iii) to protect the security and integrity of our Services; and/or (iv) to protect us and our users.
7.5 Change of Control. If our business is ever acquired, merged or divested of assets, Data may be sold or transferred to a new organization. We may sell, assign or otherwise transfer Data in connection with a sale of all or substantially all of our business or assets. You will be notified via email or a message in an interface of our Services of any resulting change in protection or use of your Data.
We do not display advertising in our Services.
10. PRIVACY OF CHILDREN AND COPPA
We respect the privacy of children. Our Services are compliant with the Children’s Online Privacy Protection Act (“COPPA”). We do not knowingly or directly collect PII from anyone who we know to be under the age of 13. We do not email any such person. We do not share Data about any such person with Subprocessors or third parties. If we discover that a person under the age of 13 has provided us with any PII, we will use commercially reasonable efforts to remove it from our Services.
11. STUDENT DATA PRIVACY
We are concerned about student data privacy and make privacy and security safeguards and commitments specifically to protect student Data.
11.1 Authorized Use. We do not collect or use student Data for any purpose other than to operate and provide our Services to students as described herein and in our Terms.
11.2 FERPA. Our Services are compliant with the Federal Educational and Privacy rights Act (“FERPA”).
11.3 Data Ownership. Consistent with our Terms, we do not claim ownership of student Data. If a student Account is on an individual Plan, the associated student Data is owned by the student. If a student Account is on a Group Plan, the student Data is owned by the Group Plan Owner, which may be the student’s teacher or educational institution (e.g. school, school district, college or university). If allowed by the Group Plan, the student may associate a personal email address with their Account in order to continue accessing and using their Account and Content if and when their Account is no longer on the Group Plan. Once that occurs, the student Data is owned by the student and the student Account becomes a separate, personal account (“Personal Account”).
11.4 Parent Access. The parent or legal guardian of a student may access, correct, update, change or delete the student’s PII at any time via the student’s Account settings.
11.5 Third Party Disclosure. Unless legally prohibited, if law enforcement contacts us with a request for student Data, we will redirect them to request the data directly from the owner of the student Data, which may be the student (or their parent or legal guardian) or their educational institution, depending on which Plan the student’s Account is on.
12. DATA SECURITY AND PROTECTION
We are concerned about protecting your Data.
12.1 Secure Service. Our Services have security measures in place designed to prevent the loss and unauthorized use or disclosure of your Data. We make best efforts to secure usernames, passwords and other means of gaining access to our Services via your Account.
12.3 Secure Transmission. We use industry-standard technologies when transferring and receiving Data exchanged between us and Subprocessors. When our Services are accessed or used via a supported Web browser, we use Secure Socket Layer (“SSL”), including server authentication and data encryption to help secure Data transmission.
12.4 Back Up and Hosting. Our servers are backed up regularly and protected from virtual and physical compromise. We host our Services and your Data in an enterprise-class hosting facility in an environment using a firewall that is periodically updated according to industry standards.
12.5 Breach. Despite our best efforts to secure and protect Data, we cannot guarantee that your Data may not be accessed, disclosed, altered or destroyed by breach of any of our industry standard physical, technical or managerial safeguards. In the event of such a breach, unless prevented by law enforcement, we will notify you via email and/or a message in an interface of our Services within 2 business days of our discovering the breach. The notification will provide what we know at the time regarding the nature of the breach, when it occurred and what, if any, of your Data may have been compromised.
13. CALIFORNIA PRIVACY RIGHTS
13.1 Third Party Tracking. Third parties often collect information about Internet users over time and across websites. As may be the case when you visit other websites and online services, third parties may be able to collect information about you when you access or use our Services, which do not currently respond to browser “Do Not Track” (DNT) mechanisms.
13.2 Removal of Public Posting. If you are a California resident under the age of 18, and a registered user of our Services, California Business and Professions Code Section 22581 permits you to request and obtain removal of content or information you have publicly posted. To make such a request, e-mail us with a detailed description of the specific content or information to firstname.lastname@example.org. Note that such a request does not ensure complete or comprehensive removal of the content or information you have posted and that there may be circumstances in which the law does not require or allow removal even if requested.
You may opt-out of receiving email communications from us, except transactional correspondence and messages related to privacy, data security, negative Account or payment status and interruption or disruption of our Services. You may set or change your email communication preferences via Your Account settings.
16. SUCCESSORS AND ASSIGNS