/Privacy Policy
Privacy Policy 2018-05-29T20:48:47+00:00

Privacy Policy

EduTone Corporation (“EduTone”, “we”, or “us”) is committed to protecting your privacy through our compliance with the policies and practices in this notice.

In an effort to make this Policy more readable, unless the context indicates or dictates otherwise, we refer to:

  • our platform and all of our additional services and websites as “Service(s)”,
  • schools and school districts that register for and/or purchase subscriptions to our Service(s) as “Schools”,
  • students whose information we may access on behalf of a School as “Students”,
  • teachers and other individuals authorized by a School to use our Service(s) in their work directly with Students as “Teachers”,
  • principals and other supervisory or support personnel authorized by a School to use our Service(s) as “Administrators”,
  • teachers and administrators together as “School officials”,
  • adult parents or guardians of a minor Student authorized by a School to use our Service(s) as “Parents”,
  • each authorized School official and Parent as “you”, and
  • online visitors to our websites as “Website Visitors”.

This Policy applies to all of our Services which are often combined within our Platform and offered to Schools as an integrated solution, and which includes:

– “Single Sign-On” (or “SSO”) and Identity Management service, called PASSPORT
– User Account & Roster Data provision service, called DataZone
– Data Analytics and VIsualization service, called TrueNorth
– Digital Content Library
– corporate website: https://edutone.com  
1. How You Can Help
  A. Role of the School and School officials
  B. Protecting Student Information
    i. FERPA and Education Records
    ii. COPPA and Children under the Age of 13
  C. Information about School Officials and Parents
2. Information We Collect and How We Use Information We Collect
3. How We Share Your Information
4. How We Store and Protect Your Information
5. Your Choices About Your Information
6. Children’s Privacy
7. Student Privacy Pledge Signatory
8. Links to Other Web Sites and Services
9. EU Data Privacy Laws
10. How to Contact Us
11. Changes to our Privacy Policy

1. How You Can Help

We need your help in ensuring that we are together protecting any sensitive information to ensure compliance with all relevant data privacy legislation.

a. Role of the School and School officials

Although most of this Policy will focus largely on what we do — and what we confirm we will not do — with information entered in our Service(s), we believe Schools and School officials are critical partners in our collective efforts to protect and ensure only appropriate use of Student-related information entrusted to them and to us.  In that regard, it is important that Schools and School officials using our Service(s) are mindful that in granting or allowing access to our Service(s), they are controlling who has access to Student information. When we reference “granting or allowing access,” we are referring to both intentional actions, such as an administrator authorizing an account within our Service(s) for a teacher, as well as unintentional actions or consequences that may flow from, for example, allowing Students access to our Service(s) login credentials or a School’s failure to maintain sufficient data governance or security practices.  In cases where FERPA applies (more below), access to certain Student information remains the legal responsibility of the applicable School. In all situations, it is incumbent upon our customers to make an affirmative determination prior to granting access to anyone that the party has a legitimate need for access to our Service(s) and the sensitive information that may be accessible to that party through our Service(s).

b. Protecting Student Information

i. FERPA and Education Records

One of the core tenets of the Family Educational Rights and Privacy Act (FERPA) is the protection of the privacy of personally identifiable information (or “PII”) in Student education records.  As defined in FERPA, “education records” are “those records, files, documents and other materials which: (i) contain information directly related to a Student; and (ii) are maintained by an educational agency or institution or by a person acting for such agency or institution.”  PII from education records includes information, such as a Student’s full name, email address or identification number, that can be used to distinguish or trace an individual’s identity, either directly or indirectly through linkages with other information. FERPA generally requires that educational institutions and agencies that receive certain federal funds (for example, public Schools) get prior consent from a parent before disclosing any education records regarding that Student to a third party.  Consequently, if you are using our Service(s) on behalf of an educational agency or institution and FERPA applies, before you enter, upload or access any data concerning a minor Student, you must confirm that your agency or institution has: (1) obtained appropriate consent from the parent or guardian of that Student, or (2) determined that one of the limited exceptions to the consent requirement applies.  You can find more information on FERPA and related guidance here, and a summary of the limited exceptions here. Although we hope it goes without saying, we will only use PII from Student education records to enable School officials and parents to access and use our Service(s). Unless a School official expressly instructs otherwise, we will not share or reuse PII from education records for any other purpose.  While we think those statements are clear, to avoid any doubt, we will not use Student PII to target Students or their families for advertising or marketing efforts or sell rosters of Student PII to third parties (which we simply think is the wrong thing to do).

ii. COPPA and Children under the Age of 13

Some people tend to link (and sometimes confuse) FERPA and COPPA.  The intent of the Children’s Online Privacy Protection Act (COPPA), is to give parents control over commercial websites’ and online services’ collection, use and disclosure of information from children under the age of 13.  Many assume COPPA applies to all internet-based services, regardless of the identity of the end user. When our Services are used as intended by School officials and parents, although that use may involve information relating to Students under 13, the Student is not the end user and COPPA does not apply.

c. Information about School Officials and Parents

We collect information from and about you when you provide it to us, and automatically when you use our Service(s).  Again, “you” refers to an authorized School official or Parent user of our Service(s), not Students.

2. Information We Collect and How We Use Information We Collect

This section describes the types of information we may collect, or that you may provide, when registering with, accessing or using our Service(s).

Information about Schools When a School official registers a School with our Service(s), or if the School official corresponds with us, our system will collect a contact name, a school name, school district, school email address and/or account name, a phone number, message content, and information relating to the School’s information systems. We also collect information provided by a School if the School sends us a message, posts content to our website or through our Service(s), or responds to emails or surveys. Once a School begins using our Service(s), we will keep records of activities related to the Service.

We use information that you, as a School official or a Parent, provide through our Service(s) to (as applicable):

  • operate, maintain, and provide the features and functionality of the Service(s),
  • analyze our Services’ functionality,
  • provide our Service(s) and any other products or services you may request from us,
  • give you notices about your registration and subscription, including expiration and renewal notices,
  • carry out our rights and responsibilities under agreements between us and your School, and
  • notify you of changes to our Service(s) (including substantive changes to this Policy or other user policies).

Information about Students Our Service(s) may have access to PII about Students in the course of providing our Service(s) to a School. We consider Student information to be confidential and do not use such data for any purpose other than to provide our Service(s) on the School’s behalf. In most instances, our Service(s) receive Student information only from the School and never interact with the Student directly. The type of Student information we receive Schools may include students, teachers, courses, classes, roster, attendance, behavior, assessment data. Depending on the level and type of Service(s) selected by the School, the School may allow Students to log into our Service(s) to access third party applications that have been authorized by the School. In that instance, the School provides each student with login credentials and confirms that it has obtained appropriate parental consents, as needed, before the student is permitted access. Our Service(s) have access to Student information only as requested by the School and only for the purposes of acting on the School’s behalf. If you are a Student or Parent, please contact your School if you have questions about the School’s use of technology service providers like us. If a Student contacts us with a question about our Service(s), we will collect personal information from that Student only as necessary to respond to the Student’s request and direct the Student to contact the Student’s School, and we will then delete or anonymize the personal data of the Student after providing our response. See “How We Share Your Information” below for more information on the limited ways in which we share School and Student information. See “Children’s Privacy” below for more information on how we collect and use the personal information of children under 13.

Automatic Information Collection and Tracking We use various technologies to collect and store information when you use our Service. This may include using Google Analytics, browser storage and cookies (or similar technologies) to identify your browser and device and convey information to us about how you use the Service. In particular our Service(s) collects and aggregates anonymous usage information such as your web request details, Internet Protocol (“IP”) address and geolocation, browser type, information about your device, how you interact with the Service(s), pages viewed, and other such information that allows us to track usage of the Service(s) over time.

We do not allow third party advertising networks to collect information about the users of any of our Services. We use the data collected through user activity tracking technologies to: (a) remember information so that a user will not have to re-enter it during subsequent visits; (b) provide custom, personalized content and information; (c) to provide and monitor the effectiveness of our Services; (d) monitor aggregate metrics such as total number of visitors, traffic, and usage on our Services; (e) diagnose or fix technology problems; and (f) help users efficiently access information after signing in.

Third Party Information Collection As discussed further under “How We Share Your Information”, we may use third party providers to support elements of our Services’ infrastructure or functionality.  These providers may, like us, use automatic information collection technologies to enable or streamline certain features they are providing on our behalf. In all cases, these providers will be contractually bound to us to keep PII confidential and to only use it in order to fulfil their responsibilities to us.

3. How We Share Your Information

Within our Platform, administrators provision user accounts (School officials, Students, Parents accounts) and Roster and other data from the School Information System (SIS) with the third party applications that they use, and, as we describe below, it is the Schools who decide which data are integrated with any of our Service(s), and the Schools who are responsible for determining whether data is ever shared with third party applications through any of our Service(s). When Schools and School officials take advantage of our Platform, they are providing and accessing information relating to the Students entrusted to them, and are in turn entrusting that information to us.  

Except as expressly set forth below and under the Third Party Information Collection heading above, and only in those limited circumstances, we will not disclose any PII relating to Students, Parents or School officials to third parties without your consent or the consent of your associated School. We hope it goes without saying that we do not and would not rent or sell information for marketing purposes. We may provide access to PII data storage and disclose PII with your permission to those contractors and other service providers that we use to support our business.  These may include individuals (such as data scientists and software developers) and commercial vendors that provide or support elements of our Services’ infrastructure or functionality. In all cases, these providers will be bound by contractual obligations to keep PII confidential and to use it only for the purposes for which we disclose it to them. We may also disclose PII to fulfil the purpose for which you provide it. For example, if you contact us using your email address, we will use that email address to respond to you. We may be required to disclose PII to comply with a court order, law or legal process (including a government or regulatory request), to meet national security or law enforcement requirements, to comply with statutes or regulations, to enforce our Terms of Use, or if we believe in good faith that the disclosure is necessary to protect the rights, property or personal safety of our users. Before we would do that, we would provide the applicable School with notice of the requirement so that, if the School so chooses, it could seek a protective order or other remedy.  If after providing that notice we remain obligated to disclose the demanded PII, we will disclose no more than that portion PII which, on the advice of our legal counsel, the order, law or process specifically requires us to disclose. Of course, if we ever were to engage in any onward transfers of PII with third parties for a purpose other than which it was originally collected or subsequently authorized, we would do so under your explicit consent.

In the event of a change of control: If a third party purchases all or most of our ownership interests or assets, or we merge with another organization, it is possible that we would need to disclose PII to the other organization following the transaction, for example, were we to integrate our Service(s) with the other organization’s product offerings.  However, we will not transfer personal information of our customers unless the new owner intends to maintain and provide our Service(s) as a going concern, and provided that the new owner has agreed to data privacy standards no less stringent than our own. To the extent any such transaction would alter our practices relative to this Policy, we will give you advance notice and any choices they may have regarding PII. We will retain PII for as long as the applicable School uses and/or maintains its subscriptions to our Service(s) in good standing.  Once subscriptions lapse or terminate, unless a written agreement between us and a School provides otherwise, we will retain PII for up to 12 months after which time it will be destroyed. Any retained PII will of course remain subject to the restrictions on disclosure and use outlined in this policy for as long as it resides with us.

How Student information is shared: In addition to the actions described above, our Service(s) may facilitate the sharing of Student information with third parties, though only when instructed and authorized to do so on behalf of the School. Some elements of our Service(s) enable Schools to interact with parents, students, teachers and third party applications, for the benefit of the student’s education. Our Service(s) do not facilitate the sharing of any Student information with third parties on our Service(s) except on behalf of the School after the School has authorized a third party or application to access Student information through the Service. Please remember that this Privacy Policy applies to our Services, and not other services or third party applications, which may have their own privacy policies. Schools should carefully read the privacy practices of each third party application before agreeing to engage with the application through our Service(s). Finally, although we outlined earlier in this Policy what constitutes PII, we also want to be clear what information is not PII.  Once PII, whether relating to a School official, Parent or Student has been de-identified, that information is no longer PII. PII may be de-identified through aggregation or various other means. The U.S. Department of Education has issued guidance on de-identifying PII in education records here.  In order to allow us to proactively address customer needs, we anticipate using de-identified information to improve our Services and other of our products and services.  That said, we will use reasonable de-identification approaches to ensure that in doing so, we are not compromising the privacy or security of the PII you entrust to us.

4. How We Store and Protect Your Information

We want you to know that data protection is at the very heart of everything we do, and we maintain strict administrative and technical procedures to keep all data safe and secure.

Hosting: Our Services are cloud-based solutions hosted on Amazon Web Services (AWS) and Microsoft Azure in multiple data centers in multiple regions. Consistent with guidance from the U.S. Department of Education and other agencies of what constitutes “best practice” when storing sensitive education records, we store such records used by our Service(s) in the cloud-based infrastructure locations in compliance with the respective regulations. For example, we store PII relating to Schools in the United States on the infrastructure located only in the United States.

Keeping information safe: We maintain strict administrative, technical and physical procedures to protect information stored in our servers. Access to information is limited (through multi-factor authentication) to those employees who require it to perform their job functions; in addition, we conduct thorough background checks for these employees, as well as conducting comprehensive activity audits and ensuring that their work is entirely separate from the rest of our team. Among other things, PII is encrypted at rest and in transit to and from our Service(s) using industry-standard encryption technology. We have implemented measures designed to secure PII from accidental loss and from unauthorized access, use, alteration and disclosure.  In addition, all PII is securely stored behind firewalls in the Virtual Private Cloud environment protected by our hosting providers. All environments are equipped with intrusion detection systems. Our software, infrastructure and processes are subject to a regular internal and external security audit.

Complaint Handling: We are subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).

Data Breaches: Depending on the nature of the data breach, our customers might be required to promptly notify both the users affected and the supervising authorities. Edutone is required to notify its customers when becoming aware of a data breach, and to help them in fulfill obligations in notifying users.

5. Your Choices About Your Information

Account information and settings: School officials may update account information and modify Service(s) by signing into the administrator account. Schools and other Website Visitors shell explicitly consent to receiving any emails from us and can opt-out by clicking on the “unsubscribe” feature at the bottom of each email. We apologize for the fact that you cannot unsubscribe from Service-related messaging. If you have any questions about reviewing or modifying account information, please contact us directly at info@edutone.com.

Depending on where you are resident, you may have some or all of the following rights under applicable law in respect of data about you which we hold.  You may have a right to

  • request us to give you access to it, and have us provide you with a copy of any data we hold about you,
  • request us to rectify or update it,
  • request us to erase it in certain circumstances,
  • request us to restrict our using it, under certain circumstances,
  • object to our using it, in certain circumstances,
  • withdraw your consent to our using it, where our processing is based on consent,
  • data portability, in certain circumstances,
  • opt out from our using it for electronic direct marketing, through all or selected channels (We will always comply with this request.), and
  • lodge a complaint with the supervisory authority in your country (if there is one).

You can exercise these rights, or learn more about them, by contacting us using the details in “How to Contact Us” section.
We may be required to confirm your identity before we action any request from you in connection with your data. This may involve asking you to provide identification documents.

Access to data from School Information System (SIS) and Learning Management Systems (LMS): data from SIS are provided and controlled by the Schools. If you have any questions about reviewing, modifying, or deleting personal information, please contact your School directly.

Deleting or disabling use of browser cookies and storage: You may be able to disallow cookies to be set on your browser. Please look for instructions on how to delete or disable cookies and other tracking/recording tools on your browser’s technical settings. You may not be able to delete or disable cookies on certain mobile devices and/or certain browsers. For more information on cookies, visit www.allaboutcookies.org. Remember, disabling cookies may disable many of the features available on our Service(s), so we recommend you leave cookies enabled.

How long we keep User Content:

The period for which we may retain data about you will depend on the purposes for which the data was collected, whether you have requested the deletion of the data, and whether any legal obligations require the retention of the data (for example, for regulatory compliance).
We will not retain data about you for longer than is necessary to fulfil the purposes for which the data was collected.
Following termination or deactivation of a School account, our Service(s) may retain profile information and content for a commercially reasonable time and according to our data retention policies for backup, archival, or audit purposes, but any and all Student, Teacher and Parent information associated with the School will be deleted promptly. Any publicly shared comments or ratings on our Service(s) may remain in view to other subscribers after an account deletion, but nobody will be able to see the identity of a deleted account holder. We may maintain anonymized or aggregated data, including usage data, for analytics purposes. If you have any questions about data retention or deletion, please contact info@edutone.com.

6. Children’s Privacy

Our Services do not knowingly collect any information from children under the age of 13 unless the School has obtained appropriate parental consent for the Student to use our Services. Please contact us immediately at info@edutone.com if you believe we have inadvertently collected personal information of a Student under 13 without proper parental consent so that we may delete such data as soon as possible.

7. Student Privacy Pledge Signatory

EduTone is a signatory of the Student Privacy Pledge, which requires us to adhere to 11 stringent standards as a further assurance of our commitment to protecting your data. These include the following commitments:

OUR COMMITMENTS TO THE STUDENT PRIVACY PLEDGE
Not collect, maintain, use or share student PII beyond that needed for authorized educational/ school purposes, or as authorized by the parent/ student. Collect, use, share, and retain student PII only for purposes for which we were authorized by the educational institution/agency, teacher or the parent/student.
Not use or disclose student information collected through an educational/school service (whether personal information or otherwise) for behavioral targeting of advertisements to students. Disclose clearly in contracts or privacy policies, including in a manner easy for parents to understand, what types of student PII we collect, if any, and the purposes for which the information we maintain is used or shared with third parties.
Not build a personal profile of a student other than for supporting authorized educational/school purposes or as authorized by the parent/student Support access to and correction of student PII by the student or their authorized parent, either by assisting the educational institution in meeting its requirements or directly when the information is collected directly from the student with student/parent consent.
Not sell student personal information.
Not make material changes to school service provider consumer privacy policies without first providing prominent notice to the account holder(s) (i.e., the educational institution/agency, or the parent/student when the information is collected directly from the student with student/parent consent) and allowing them choices before data is used in any manner inconsistent with terms they were initially provided; and not make material changes to other policies or practices governing the use of student personal information that are inconsistent with contractual requirements. Maintain a comprehensive security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of student PII against risks – such as unauthorized access or use, or unintended or inappropriate disclosure – through the use of administrative, technological, and physical safeguards appropriate to the sensitivity of the information. Require users to confirm their acceptance of our Privacy Policy if and whenever we make a material change to the Policy.
Not knowingly retain student personal information beyond the time period required to support the authorized educational/school purposes, or as authorized by the parent/student. Require that our vendors with whom student PII is shared in order to deliver our Service(s), are obligated to implement these same commitments for the given student PII.

8. Links to Other Web Sites and Services

We are not responsible for the practices employed by websites, applications or services that are linked to or from our Service(s) by Website visitors and by School officials. We recommend that you review the privacy policies of other applications before authorizing any usage.

9. EU Data Privacy Laws

We recognize that the European Union (“EU”) has established strict protections regarding the handling of personal data originating in the EU, including requirements to protect fundamental rights and freedoms of individuals and to provide adequate protection for EU personal data transferred outside of the EU. We are committed to processing personal data in accordance with our obligations as a data “processor” under applicable EU data protection laws. If your organization is based in the EU or is otherwise directly or indirectly subject to EU data protection laws, including Regulation 2016/679 (the “General Data Protection Regulation”), we have executed, or upon request by your organization will execute, and have otherwise committed to comply with the applicable standard contractual clauses approved by the European Commission related to our processing of personal data in connection with the Services we provide to your School as our customer. For our customers to which such EU data protection laws apply, these requirements include:

  • processing personal data only in compliance with our customers’ instructions, and promptly informing them if we cannot comply;
  • promptly notifying our customers if we have any reason to believe that law applicable to us would prevent us from complying with our customers’ processing instructions;
  • implementing and maintaining specific and appropriate technical and organizational security measures to protect personal data;
  • promptly notifying our customers about any legally binding request for disclosure of personal data by law enforcement, or any accidental or unauthorized access to any personal data, or any request received by us from an EU-based individual whose personal data we may be processing pursuant to the customers’ instructions;
  • providing a copy or summary of the applicable contract between us and our customer to individuals who are unable to obtain such a copy or summary directly from their organization;
  • obtaining consent from our customers for our use of any service providers who will be processing any personal data; and
  • ensuring that any such service providers agree in writing to comply with these requirements.

10. How to Contact Us

You can and should ask questions about this Policy and our privacy practices.  You should always feel free to contact us at:

Email:  info@edutone.com
Mail:   EduTone Corporation Attn: Data Policies
1101 Marina Village Parkway, Suite 201, Alameda, CA 94501 USA

11. Changes to our Privacy Policy

We may update this Privacy Policy from time to time. If and whenever we change the Policy in a material manner, for example if we seek to use PII in a materially different way than we had previously, we will ask you to confirm your acceptance of our Policy by opting in each time at least 30 days prior to any of the change taking effect. Of course, you can always opt out by deleting your account before the change take effect. This Privacy Policy was last modified on April 21, 2018. Effective Date: May 25, 2018