The Global Grid for Learning, A Public Benefit Corporation (“GG4L”, “we”, or “us”) is committed to protecting your privacy through our compliance with the policies and practices in this notice.
In an effort to make this Policy more readable, unless the context indicates or dictates otherwise, we refer to:
- our platform and all of our additional services and websites as “Service(s)”,
- schools and school districts that register for and/or purchase subscriptions to our Service(s) as “Schools”,
- students whose information we may access on behalf of a School as “Students”,
- teachers and other individuals authorized by a School to use our Service(s) in their work directly with Students as “Teachers”,
- principals and other supervisory or support personnel authorized by a School to use our Service(s) as “Administrators”,
- teachers and administrators together as “School officials”,
- adult parents or guardians of a minor Student authorized by a School to use our Service(s) as “Parents”,
- each authorized School official and Parent as “you”, and
- online visitors to our websites as “Website Visitors”.
This Policy applies to all of our Services which are often combined within our Platform and offered to Schools as an integrated solution.
- How You Can Help
a) Role of the School and School officials
b) Protecting Student Information
i. FERPA and Education Records
ii. COPPA and Children under the Age of 13
c) Information about School Officials and Parents
- Information We Collect and How We Use Information We Collect
- How We Share Your Information
- How We Store and Protect Your Information
- Your Choices About Your Information
- Children’s Privacy
- Student Privacy Pledge Signatory
- Links to Other Web Sites and Services
- EU Data Privacy Laws
- How to Contact Us
1. How You Can Help
We need your help in ensuring that we are together protecting any sensitive information to ensure compliance with all relevant data privacy legislation.
a) Role of the School and School officials
Although most of this Policy will focus largely on what we do — and what we confirm we will not do — with information entered in our Service(s), we believe Schools and School officials are critical partners in our collective efforts to protect and ensure only appropriate use of Student-related information entrusted to them and to us. In that regard, it is important that Schools and School officials using our Service(s) are mindful that in granting or allowing access to our Service(s), they are controlling who has access to Student information.
When we reference “granting or allowing access,” we are referring to both intentional actions, such as an administrator authorizing an account within our Service(s) for a teacher, as well as unintentional actions or consequences that may flow from, for example, allowing Students access to our Service(s) login credentials or a School’s failure to maintain sufficient data governance or security practices.
In cases where FERPA applies (more below), access to certain Student information remains the legal responsibility of the applicable School. In all situations, it is incumbent upon our customers to make an affirmative determination prior to granting access to anyone that the party has a legitimate need for access to our Service(s) and the sensitive information that may be accessible to that party through our Service(s).
b) Protecting Student Information
i. FERPA and Education Records
One of the core tenets of the Family Educational Rights and Privacy Act (FERPA) is the protection of the privacy of personally identifiable information (or “PII”) in Student education records. As defined in FERPA, “education records” are “those records, files, documents and other materials which: (i) contain information directly related to a Student; and (ii) are maintained by an educational agency or institution or by a person acting for such agency or institution.”
PII from education records includes information, such as a Student’s full name, email address or identification number, that can be used to distinguish or trace an individual’s identity, either directly or indirectly through linkages with other information. FERPA generally requires that educational institutions and agencies that receive certain federal funds (for example, public Schools) get prior consent from a parent before disclosing any education records regarding that Student to a third party.
Consequently, if you are using our Service(s) on behalf of an educational agency or institution and FERPA applies, before you enter, upload or access any data concerning a minor Student, you must confirm that your agency or institution has: (1) obtained appropriate consent from the parent or guardian of that Student, or (2) determined that one of the limited exceptions to the consent requirement applies.
You can find more information on FERPA and related guidance here, and a summary of the limited exceptions here. Although we hope it goes without saying, we will only use PII from Student education records to enable School officials and parents to access and use our Service(s). Unless a School official expressly instructs otherwise, we will not share or reuse PII from education records for any other purpose. While we think those statements are clear, to avoid any doubt, we will not use Student PII to target Students or their families for advertising or marketing efforts or sell rosters of Student PII to third parties (which we simply think is the wrong thing to do).
ii. COPPA and Children under the Age of 13
Some people tend to link (and sometimes confuse) FERPA and COPPA. The intent of the Children’s Online Privacy Protection Act (COPPA), is to give parents control over commercial websites’ and online services’ collection, use and disclosure of information from children under the age of 13.
Many assume COPPA applies to all internet-based services, regardless of the identity of the end user. When our Services are used as intended by School officials and parents, although that use may involve information relating to Students under 13, the Student is not the end user and COPPA does not apply.
c) Information about School Officials and Parents
We collect information from and about you when you provide it to us, and automatically when you use our Service(s). Again, “you” refers to an authorized School official or Parent user of our Service(s), not Students.
2. Information We Collect and How We Use Information We Collect
This section describes the types of information we may collect, or that you may provide, when registering with, accessing or using our Service(s).
Information about Schools When a School official registers a School with our Service(s), or if the School official corresponds with us, our system will collect a contact name, a school name, school district, school email address and/or account name, a phone number, message content, and information relating to the School’s information systems. We also collect information provided by a School if the School sends us a message, posts content to our website or through our Service(s), or responds to emails or surveys. Once a School begins using our Service(s), we will keep records of activities related to the Service.
We use information that you, as a School official or a Parent, provide through our Service(s) to (as applicable):
- operate, maintain, and provide the features and functionality of the Service(s),
- analyze our Services’ functionality,
- provide our Service(s) and any other products or services you may request from us,
- give you notices about your registration and subscription, including expiration and renewal notices,
- carry out our rights and responsibilities under agreements between us and your School, and
- notify you of changes to our Service(s) (including substantive changes to this Policy or other user policies).
Information about Students Our Service(s) may have access to PII about Students in the course of providing our Service(s) to a School. We consider Student information to be confidential and do not use such data for any purpose other than to provide our Service(s) on the School’s behalf. In most instances, our Service(s) receive Student information only from the School and never interact with the Student directly. The type of Student information we receive Schools may include students, teachers, courses, classes, roster, attendance, behavior, assessment data. Depending on the level and type of Service(s) selected by the School, the School may allow Students to log into our Service(s) to access third party applications that have been authorized by the School. In that instance, the School provides each student with login credentials and confirms that it has obtained appropriate parental consents, as needed, before the student is permitted access. Our Service(s) have access to Student information only as requested by the School and only for the purposes of acting on the School’s behalf. If you are a Student or Parent, please contact your School if you have questions about the School’s use of technology service providers like us. If a Student contacts us with a question about our Service(s), we will collect personal information from that Student only as necessary to respond to the Student’s request and direct the Student to contact the Student’s School, and we will then delete or anonymize the personal data of the Student after providing our response. See “How We Share Your Information” below for more information on the limited ways in which we share School and Student information. See “Children’s Privacy” below for more information on how we collect and use the personal information of children under 13.
Automatic Information Collection and Tracking We use various technologies to collect and store information when you use our Service. This may include using Google Analytics, browser storage and cookies (or similar technologies) to identify your browser and device and convey information to us about how you use the Service. In particular our Service(s) collects and aggregates anonymous usage information such as your web request details, Internet Protocol (“IP”) address and geolocation, browser type, information about your device, how you interact with the Service(s), pages viewed, and other such information that allows us to track usage of the Service(s) over time.
We do not allow third party advertising networks to collect information about the users of any of our Services. We use the data collected through user activity tracking technologies to: (a) remember information so that a user will not have to re-enter it during subsequent visits; (b) provide custom, personalized content and information; (c) to provide and monitor the effectiveness of our Services; (d) monitor aggregate metrics such as total number of visitors, traffic, and usage on our Services; (e) diagnose or fix technology problems; and (f) help users efficiently access information after signing in.
Third Party Information Collection As discussed further under “How We Share Your Information”, we may use third party providers to support elements of our Services’ infrastructure or functionality. These providers may, like us, use automatic information collection technologies to enable or streamline certain features they are providing on our behalf. In all cases, these providers will be contractually bound to us to keep PII confidential and to only use it in order to fulfill their responsibilities to us.
3. How We Share Your Information
Within our Platform, administrators provision user accounts (School officials, Students, Parents accounts) and Roster and other data from the School Information System (SIS) with the third party applications that they use, and, as we describe below, it is the Schools who decide which data are integrated with any of our Service(s), and the Schools who are responsible for determining whether data is ever shared with third party applications through any of our Service(s). When Schools and School officials take advantage of our Platform, they are providing and accessing information relating to the Students entrusted to them, and are in turn entrusting that information to us.
In the event of a change of control If a third party purchases all or most of our ownership interests or assets, or we merge with another organization, it is possible that we would need to disclose PII to the other organization following the transaction, for example, were we to integrate our Service(s) with the other organization’s product offerings. However, we will not transfer personal information of our customers unless the new owner intends to maintain and provide our Service(s) as a going concern, and provided that the new owner has agreed to data privacy standards no less stringent than our own. To the extent any such transaction would alter our practices relative to this Policy, we will give you advance notice and any choices they may have regarding PII. We will retain PII for as long as the applicable School uses and/or maintains its subscriptions to our Service(s) in good standing. Once subscriptions lapse or terminate, unless a written agreement between us and a School provides otherwise, we will retain PII for up to 12 months after which time it will be destroyed. Any retained PII will of course remain subject to the restrictions on disclosure and use outlined in this policy for as long as it resides with us.
4. How We Store and Protect Your Information
We want you to know that data protection is at the very heart of everything we do, and we maintain strict administrative and technical procedures to keep all data safe and secure.
Hosting: Our Services are cloud-based solutions hosted on Amazon Web Services (AWS) and Microsoft Azure in multiple data centers in multiple regions. Consistent with guidance from the U.S. Department of Education and other agencies of what constitutes “best practice” when storing sensitive education records, we store such records used by our Service(s) in the cloud-based infrastructure locations in compliance with the respective regulations. For example, we store PII relating to Schools in the United States on the infrastructure located only in the United States.
Keeping information safe: We maintain strict administrative, technical and physical procedures to protect information stored in our servers. Access to information is limited (through multi-factor authentication) to those employees who require it to perform their job functions; in addition, we conduct thorough background checks for these employees, as well as conducting comprehensive activity audits and ensuring that their work is entirely separate from the rest of our team. Among other things, PII is encrypted at rest and in transit to and from our Service(s) using industry-standard encryption technology. We have implemented measures designed to secure PII from accidental loss and from unauthorized access, use, alteration and disclosure. In addition, all PII is securely stored behind firewalls in the Virtual Private Cloud environment protected by our hosting providers. All environments are equipped with intrusion detection systems. Our software, infrastructure and processes are subject to a regular internal and external security audit.
Complaint Handling: We are subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).
Data Breaches: Depending on the nature of the data breach, our customers might be required to promptly notify both the users affected and the supervising authorities. GG4L is required to notify its customers when becoming aware of a data breach, and to help them in fulfill obligations in notifying users.
5. Your Choices About Your Information
Account information and settings School officials may update account information and modify Service(s) by signing into the administrator account. Schools and other Website Visitors shell explicitly consent to receiving any emails from us and can opt-out by clicking on the “unsubscribe” feature at the bottom of each email. We apologize for the fact that you cannot unsubscribe from Service-related messaging. If you have any questions about reviewing or modifying account information, please contact us directly at firstname.lastname@example.org.
Depending on where you are resident, you may have some or all of the following rights under applicable law in respect of data about you which we hold. You may have a right to
- request us to give you access to it, and have us provide you with a copy of any data we hold about you,
- request us to rectify or update it,
- request us to erase it in certain circumstances,
- request us to restrict our using it, under certain circumstances,
- object to our using it, in certain circumstances,
- withdraw your consent to our using it, where our processing is based on consent,
- data portability, in certain circumstances,
- opt out from our using it for electronic direct marketing, through all or selected channels (We will always comply with this request.), and
- lodge a complaint with the supervisory authority in your country (if there is one). You can exercise these rights, or learn more about them, by contacting us using the details in “How to Contact Us” section.
We may be required to confirm your identity before we action any request from you in connection with your data. This may involve asking you to provide identification documents.
Access to data from School Information System (SIS) and Learning Management Systems (LMS). Data from SIS are provided and controlled by the Schools. If you have any questions about reviewing, modifying, or deleting personal information, please contact your School directly.
Deleting or disabling use of browser cookies and storage. You may be able to disallow cookies to be set on your browser. Please look for instructions on how to delete or disable cookies and other tracking/recording tools on your browser’s technical settings. You may not be able to delete or disable cookies on certain mobile devices and/or certain browsers. For more information on cookies, visit www.allaboutcookies.org. Remember, disabling cookies may disable many of the features available on our Service(s), so we recommend you leave cookies enabled.
How long we keep User Content. The period for which we may retain data about you will depend on the purposes for which the data was collected, whether you have requested the deletion of the data, and whether any legal obligations require the retention of the data (for example, for regulatory compliance).
We will not retain data about you for longer than is necessary to fulfil the purposes for which the data was collected.
Following termination or deactivation of a School account, our Service(s) may retain profile information and content for a commercially reasonable time and according to our data retention policies for backup, archival, or audit purposes, but any and all Student, Teacher and Parent information associated with the School will be deleted promptly. Any publicly shared comments or ratings on our Service(s) may remain in view to other subscribers after an account deletion, but nobody will be able to see the identity of a deleted account holder. We may maintain anonymized or aggregated data, including usage data, for analytics purposes. If you have any questions about data retention or deletion, please contact email@example.com.
6. Children’s Privacy
Our Services do not knowingly collect any information from children under the age of 13 unless the School has obtained appropriate parental consent for the Student to use our Services. Please contact us immediately at firstname.lastname@example.org if you believe we have inadvertently collected personal information of a Student under 13 without proper parental consent so that we may delete such data as soon as possible.
7. Student Privacy Pledge Signatory
GG4L is a signatory of the Student Privacy Pledge, which requires us to adhere to 11 stringent standards as a further assurance of our commitment to protecting your data. These include the following commitments:
OUR COMMITMENTS TO STUDENT PRIVACY PLEDGE
|Not collect, maintain, use or share student PII beyond that needed for authorized educational/ school purposes, or as authorized by the parent/ student.||Collect, use, share, and retain student PII only for purposes for which we were authorized by the educational institution/agency, teacher or the parent/student.|
|Not use or disclose student information collected through an educational/school service (whether personal information or otherwise) for behavioral targeting of advertisements to students.||Disclose clearly in contracts or privacy policies, including in a manner easy for parents to understand, what types of student PII we collect, if any, and the purposes for which the information we maintain is used or shared with third parties.|
|Not build a personal profile of a student other than for supporting authorized educational/school purposes or as authorized by the parent/student.||Support access to and correction of student PII by the student or their authorized parent, either by assisting the educational institution in meeting its requirements or directly when the information is collected directly from the student with student/parent consent.|
|Not sell student personal information.|
|Not knowingly retain student personal information beyond the time period required to support the authorized educational/school purposes, or as authorized by the parent/student.||Require that our vendors with whom student PII is shared in order to deliver our Service(s), are obligated to implement these same commitments for the given student PII.|
8. Links to Other Web Sites and Services
We are not responsible for the practices employed by websites, applications or services that are linked to or from our Service(s) by Website visitors and by School officials. We recommend that you review the privacy policies of other applications before authorizing any usage.
9. EU Data Privacy Laws
We recognize that the European Union (“EU”) has established strict protections regarding the handling of personal data originating in the EU, including requirements to protect fundamental rights and freedoms of individuals and to provide adequate protection for EU personal data transferred outside of the EU. We are committed to processing personal data in accordance with our obligations as a data “processor” under applicable EU data protection laws. If your organization is based in the EU or is otherwise directly or indirectly subject to EU data protection laws, including Regulation 2016/679 (the “General Data Protection Regulation”), we have executed, or upon request by your organization will execute, and have otherwise committed to comply with the applicable standard contractual clauses approved by the European Commission related to our processing of personal data in connection with the Services we provide to your School as our customer. For our customers to which such EU data protection laws apply, these requirements include:
- processing personal data only in compliance with our customers’ instructions, and promptly informing them if we cannot comply;
- promptly notifying our customers if we have any reason to believe that law applicable to us would prevent us from complying with our customers’ processing instructions;
- implementing and maintaining specific and appropriate technical and organizational security measures to protect personal data;
- promptly notifying our customers about any legally binding request for disclosure of personal data by law enforcement, or any accidental or unauthorized access to any personal data, or any request received by us from an EU-based individual whose personal data we may be processing pursuant to the customers’ instructions;
- providing a copy or summary of the applicable contract between us and our customer to individuals who are unable to obtain such a copy or summary directly from their organization;
- obtaining consent from our customers for our use of any service providers who will be processing any personal data; and
- ensuring that any such service providers agree in writing to comply with these requirements.
10. How to Contact Us
You can and should ask questions about this Policy and our privacy practices. You should always feel free to contact us at:
Mail: Global Grid for Learning, A Public Benefit Corporation Attn: Data Policies
1101 Marina Village Parkway, Suite 201, Alameda, CA 94501 USA
Of course, you can always opt out by deleting your account before the change take effect.