May 25, 2018 Privacy Policy

Privacy Policy

Effective May 25, 2018 (Prior Version)

Guiding Principles

  • We are parents first and foremost.
  • We want all kids to achieve at their highest possible level.
  • We expect kids to make mistakes.
  • We believe kids are entitled to leave their mistakes behind.
  • We believe kids have a right to approve and veto their presence online.
  • We believe that kids own their own data, the rest of us are just custodians.
  • We believe in transparency and feedback.

We wish it were enough to state these principles. Alas, there are people who do not share these values. And so, legislators and lawyers pass laws and write policies and agreements. Make yourself comfortable…we’ve got a lot to cover.

If you are in the European Economic Area (“EEA”) and are a student, your Educator was supposed to get consent from you before assigning Boom Cards. Speak to your Educator if you or your parents wish to revoke consent or object to being assigned a deck without explicit consent.


TRIVIA QUESTION (answer at the end)

Which Co-Founder of Boom Learning is a lawyer and which Co-Founder of Boom Learning is a former legislator?


Table of Contents

  1. Guiding Principles
  2. You Make Some Promises, We Make Some Promises
  3. We Exist to Educate
  4. Information We Collect
  5. Students Own Their Data
  6. How We Use Information
  7. Your Rights to Access and Control Your Personal Information
  8. The Keeping and Deleting of Information
  9. How We Share Data and Services Provided By Others
  10. Our Policies for Children
  11. Information Security and Breaches of Personal Information
  12. Data Transfers for Our International Customers
  13. Changes to This Policy
  14. Who We Are and How to Contact Us

You Make Some Promises, We Make Some Promises

This policy is an agreement. If you use Boom Learning (including Boom Cards apps) you agree to its terms. We tell you what data we collect, how we use it, the controls you have over your information, and the measures we take to keep it safe. We set out your roles and responsibilities because guarding Student Data is a shared responsibility.

Some things are really important. We’ll put those in red. Like this one: Customers in the European Economic Area (EEA) must enter into an additional Data Protection Addendum (“DPA“). The DPA contains all the legalese your school board attorney is looking for, in a handy already written form, signed by us. This Privacy Policy should be enough for most non-EEA schools. However, if your district requires a second signed agreement, we recommend you also use our DPA as a starting point. We took the time to include elements in there for you also.

We believe in transparency and feedback. Contact us if you have any questions.


We Exist to Educate


“If you are not paying for it, you are the product.”

We provide “for pay” services (as opposed to advertising supported), because we think amassing profiles about students for advertising purposes is creepy. Doing that is not our purpose. We don’t do it.

We exist so Educators can buy, make, sell and assign awesome digital educational resources that mostly grade themselves (the “Services“). The Services give you more time to teach students, intervene with those who need it, accelerate those who need it, and occasionally read a long privacy policy (or better yet a rollicking good book). We use any information we receive from you (“Educator Data“), as well as any student information, student records, or student-generated content (“Student Data”) we receive from your students, to fulfill that purpose.


Students Own Their Data

Student Data is the property of the student. You and we are just custodians. We don’t analyze, serve or transfer Student Data until you instruct us to do so by opening an account, adding students, and assigning resources to them. We don’t sell Student Data. If we, or our assets, happen to be acquired someday, that buyer will also be purchasing an obligation to fulfill the terms of this Privacy Policy. The buyer will be agreeing, in advance, to not chuck it all and start selling Student Data.


Information We Collect

There is some information we collect automatically and some information you provide us.

Information You Provide Us

ACCOUNT INFORMATION

Educators create teaching resources, sell resources, and teach students. Educators must have a membership, complete with authentication credentials. Why? Because allowing students to interact with random strangers online is a big ewww!

You can authenticate with a username and password, an e-mail address and password, or a third-party authentication service. If you choose a third-party authentication service, such as Google or Facebook (total stalkers), you will be sharing with us (and maybe a lot of other people, depending on your privacy settings) information you provided to that service. You can disconnect third-party authentication by going to My Settings. You need to at least set a username and password before disconnecting a third-party authentication service.

We store your teacher name and description. The information you include in your teacher profile is visible to your students. There is a variety of optional information that we store if you give it to us, such as your grade levels, subjects taught, and sellers you follow. These allow us to make adaptive and personalized learning recommendations to you based on you and your students’ educational needs. We do not provide personalized recommendations from third parties in exchange for compensation.

Our newsletter provider, MailChimp, provides us with information about you, such as your country, state or province, history of reading or receiving newsletters, and your approximate longitude and latitude (we didn’t ask for this; they just provide it). We use our newsletter to send operational announcements, information about products that may be of interest to you, and more. Educators may decline to have us use their personal information for direct marketing (we don’t market to students). Update your MailChimp settings to control what we send you through MailChimp.

We store feedback you give. Feedback is a private communication between you and a seller. We store ratings you give. Ratings and accompanying comments are public information. You may edit any ratings you give after they have been published.

PAYMENT INFORMATION

To make a payment you will need to provide the information requested by our processor, such as your name, account number, and verification numbers. You may pay by check by contacting us for an invoice. Our payment processors, Paypal, Stripe, and Quickbooks Payments, store your information and make it available to us. We consider your use of a payment system as proof you are an adult. The payment processing industry is heavily regulated with respect to privacy and security. You can use My Settings to change your credit card information stored by Stripe. You may edit your Paypal information from your Paypal account. If you pay by purchase order, we will store your payment information in our accounting records, which are stored in Microsoft and Intuit cloud services.

STUDENT INFORMATION

You create student accounts from within your Educator account. You control the Student Data; we process it on your behalf. When you create a student account you are acting in the role of a parent (in parentis loci). You must have all legal consents required of you to add a student before creating a student account. You can always work with students without student reporting by using Fastplay pins (see your Library actions to create Fastplay pins). To receive student reports, you must provide and verify an e-mail address.

You may add students to classrooms by either (1) sharing the classroom name and password with the student, who then creates a student username and password, or (2) adding the student manually and sharing the student’s username and password with the student. You provide us a student “nickname”, a short name by which you will recognize the student when reviewing progress reports. You will/shall/must (seriously, your local law has rules about this that apply to YOU) provide us with the absolute least amount of personally identifiable information about students necessary to perform your role as an educator. First name, final initial only if needed. That’s it, nothing more. We suggest usernames and passwords for classrooms and students. You may change these to something easier to remember.

You should understand that a classroom worker (volunteer or paid) can likely determine who a student is in real life (“IRL“) from the nickname. You are responsible for ensuring any classroom workers follow your organization’s and locale’s rules, regulations, and laws regarding access to Student Data.

SENSITIVE STUDENT DATA

You may not assign a resource that collects sensitive data. Depending on your governing jurisdiction, sensitive information may include political affiliation; trade union membership; health information; sexuality information; information about protected relationships such as lawyers or ministers; criminal behavior; firearm ownership; and/or biometric data. You are solely responsible for understanding what you may or may not assign in your jurisdiction. You agree to indemnify Boom Learning if you assign a resource that collects sensitive information in violation of a law that applies. If in doubt, consult your legal counsel and governing body.

ADDITIONAL SELLER ACCOUNT INFORMATION

We store the fonts, images and sounds you upload; and videos to which you link. We store your seller name and profile (if you have one) and make those available to the public. We store feedback responses you give. We store information you provide about resources you create, including name, grade levels, keywords, and content and make it public for resources listed in a store or shared. We store records of your sales. If you reach certain thresholds, we may request and store your taxpayer identification number. We also store information you give us to enable us to pay you. Because Boom Cards are effectively small applications unique to our platform, there is no ability to export created resources in a playable format. However, you may use the print feature to create .pdf versions of your creations.

Information We Receive From Use of Our Services

ALL USERS

For all users, we record the account created timestamp, last login timestamp, the type of device being played (i.e., iOS or Android, but not the device ID), the app version (if playing a Boom Cards app), the OS version of the device, the browser type and version. We use this information to improve our services.

ALL ADULT USERS

For all adult users, we also store a referral code if you clicked one to arrive, which may tell us which user or author referred you or whether you arrived from a particular campaign. We keep records of the type of membership you have, expiration dates, newsletter enrollment, purchase and payment history. We keep track of which users follow you.

STUDENT INFORMATION

When you assign an educational resource using a method other than Fastplay pins, we collect information about student performance on that resource and report it back to you for your educational use. Student performance data includes information such as resources played, cards played, time to play a resource, time to play a card, correct answers, incorrect answers and other student actions with respect to a card. At this time, students cannot be shared among teachers. When a school purchases an account, the school can transfer an account with students from one teacher to another (for example, during parental leave).

COOKIES

We describe how we use cookies and similar tracking tools in our Cookie Policy.


How We Use Information

Your Information

To further our educational purpose, we use your contact and account information to respond to requests for assistance and support, including to verify that you are who you say you are. We use aggregate information about assignments, resource play and student performance to improve our systems and to make recommendations for additional educational materials to support your students.

We may use information available to us to identify you if you appear to be in breach of our Terms of Service. We may use that information to ban you from our sites, services, or apps. If you appear to be a repeat offender of our terms, we may collect all information available to us about you and your devices to identify you sufficiently to ban you temporarily or permanently from the Services.

Student Data

We process Student Data to provide you with student performance reports. Student performance reports can only be viewed by you and by your students. Parents may view them using the student dashboard. We use aggregated and de-identified student performance information to provide quality ratings and recommendations to our users. If you ask us to, and you have the proper consents, we will grant access to Student Data to an educational researcher on your behalf. We may also independently conduct research on Student Data to improve our operations, using anonymized, aggregated data.


Your Rights to Access and Control Your Personal Information

We provide you with a number of controls that may be used to retrieve, correct, delete, or restrict you and your Student Data. In the rare case where we have not provided a control, you may contact us to request that data be modified or deleted. You may update or change most information you have provided to us in My Settings. You may not change your Pen Name once you have published your first resource to the store.

Parents may review student information by either reviewing the student dashboard with the student or asking the teacher to show the teacher dashboard for that student. Parents who contact us to review or delete student information will be redirected to the teacher. We will not release information to a person other than an account holder, unless we are provided satisfactory proof of a legal right to review or delete student information.


The Keeping and Deleting of Information

At any time you may delete a student, or contact support to request that we delete a student or your account. You agree to give us 10 days so we can confirm that the person making the request is you and has the right to delete the account. Deletion cannot be undone.

To transfer an account from one teacher to another, or to receive a machine-readable data dump from an account, you must contact us. We can only make full account transfers between employees of the same purchasing entity.

To avoid retaining student records unnecessarily and creating risk for students, we will automatically delete all students (a) 90 days after a paid account has expired and failed to renew and (b) 180 days after the last time you log in to a non-paid account. To prevent such deletion, you must renew within 90 days (paid) or log in once per 180 days (free).

Likewise, to protect adults from risks arising from stale accounts, we will delete unpaid (either free or not renewed) accounts that have not had a login in 365 days. If you decide to take a break from Boom Learning and have created resources, you must log in at least once every 365 days to avoid having your resources deleted. A deleted adult account includes deletion of all resources created that were never sold. Boom Learning retains copies of all sold resources to serve your customers.


How We Share Data and Services Provided By Others

We share Student Data that we process on your behalf with you, the Educator. We do not permit any other entity to use Student Data. Our partners provide processing services for Student Data and agree that they have no right of access to the Student Data.

Why We Use Partners

We are a cloud-based company. A variety of companies provide us with services to run our business, including analytics and advertising services. Analytics help us understand how users interact with the Services. We have agreements with these providers under which they agree to host our information and they agree that our information is our information, not their information. If you choose to sign in with Facebook or Google, you are choosing to share your information with them under their terms. Your decision, your choice: choose wisely.

We will not provide, free or for a charge, identifiable student information to others, except (1) to an acquirer of the Boom Learning product assets for continuation of the Boom Learning product, (2) to a legal, regulatory, judicial or public safety agency for a legitimate governmental purpose, and (3) to our partners for the purpose of supporting our educational purpose (see below Operations Partners).

Advertising Vendors

We place advertisements from time to time in various locations across the internet, including Pinterest, Twitter, Instagram, YouTube, and Facebook. We receive analytics on the performance of those advertisements from the services with which we place the ads. These companies may use cookies and similar technology to collect information about your interactions with the Services and other websites and applications. Your interactions with such ads are governed by the terms of the site on which they are displayed.

Operations Partners

Listed in these tables are our operations partners (our subprocessors) with whom we may store one or more classes of data and where you can find their Privacy Policies and Privacy Controls. These Operations Partners have agreed that they process the data on our behalf and that they do not own, control or direct the use of our data. They also agree to implement technical, physical and administrative measures against unauthorized processing of data and against loss, destruction of, or damage to, data. Our data operations partners include the following companies that are EU-US Privacy Shield and Swiss-US Privacy Shield compliant:

| Company Name | Purpose | Data Collected or Stored | Policies and Controls |
|---|---|---|---|
| IBM Cloud | Database services for cloud-based data (storage is on AWS). | Stores data contained in your Boom Learning accounts, including Student Data. | Privacy Policy |
| Amazon Web Services (AWS) | Hosting services for cloud-based data. | Stores data contained in your Boom Learning accounts, including Student Data. | Privacy Policy |
| Freshdesk by Freshworks | Processor for helpdesk tickets and solutions. Triggered by use of our FAQ or Support systems. | Email address, name, payment status, device model, IP address, browser used, usage pattern, query logs, and messages sent to us. | Privacy Policy |
| Stripe | Payment processing, membership renewals, and payment records. | Name, address, email address, payment method, payment details, payment records, and messages sent to us. | Privacy Policy |
| Quicken and Quicken Payments by Intuit | Payment processing, invoicing, estimating, and payment records. | Name, address, email address, payment method, payment details, payment records, and messages sent to us. | Privacy Policy |
| MailChimp | Newsletter support. | Email address, teacher name, author name, newsletter subscription status, picture, referral source, last login, membership status, location, language, newsletter history. | Privacy Policy; Update Settings |
| SparkPost | Transactional email, such as password resets and expiration notices. | Email address, name, email, email history. | Privacy Policy |
| Microsoft Office 365 | Business and email services for cloud-based data. | Data processor acting at our direction on our behalf. | Privacy Policy |
| Atlassian (Trello, Jira, BitBucket) | Development and business management | Organizational and development management. Occasionally will enter user request information, including user personal data, into these systems. | Privacy Policy |
| Facebook (including Instagram) | Authentication, technical support, groups participation, analytics, video, video conferencing, social media contacts, and advertising. | De-identified data and identified data you disclose through using their services (such as image, name, email address). | Privacy Policy; Privacy Settings |
| Google (including Authentication, YouTube and Analytics) | Authentication, analytics, video (YouTube), video conferencing, social media contacts, and advertising campaign success rates (aggregate data). We do not enable Google Analytics Advertising Features. | See your Google Privacy Checkup to see what they are collecting about you. Only you can decide how much of your data you want to give the Googleplex. | Privacy Policy; Privacy Checkup; Dashboard; My Activity |
Some of our providers rely on intercompany agreements to comply with international data transfer regulations. Those companies are listed here.

| Company Name | Purpose | Data Disclosed | Policies and Controls |
|---|---|---|---|
| Paypal | Payment processing and payment records. | Name, address, email address, payment method, payment details, payment records, and messages sent to us | Privacy Policy |

We use these additional providers in support of our operations. They may collect information using cookies or similar tracking devices, but we do not provide personal information to them, nor do they store personal information on our behalf.

| Company Name | Purpose | Data Disclosed | Policies and Controls |
|---|---|---|---|
| WordPress (Automatic) | Blog publication and other pages published at the URL “blog.boomlearning.com” | Activity and tracking information. | Privacy Policy |
| Twitter | Social media and advertising. | Activity and tracking information. | Privacy Policy |
| Pinterest | Social media and advertising. | Activity and tracking information. | Privacy Policy |

Our Policies for Children

We allow Educators to create accounts for K-12 students. As the data controllers, Educators are responsible for obtaining affirmative consent from parents or for having a legal right, such as under Family Educational Rights and Privacy Act in the United States, to give consent. Student accounts are only created through the Classes tab. Educator accounts are for adults only. If we learn that a minor has created an Educator account, we will take steps to delete the information as soon as possible. Teachers or parents who believe that their child has submitted personal information to us and would like to have it deleted may contact us.


Information Security and Breaches of Personal Information

Privacy and Security by Design

Boom Learning engages in privacy and security by design and conducts annual audits of its security practices. Data is only accessible through authenticated (username and password protected) accounts. Student data is only accessible for teachers with confirmed email addresses. Authenticated data exchanges are transported using HTTPS using Transport Layer Security (TLS). We use Amazon Web Services and IBM Cloud to provide our core data services. By doing so, we are able to take advantage of their security environments. No method of transmitting or storing data is completely secure, however. If you have a security-related concern, please contact us.

We require passwords at both the Educator and Student level to keep data safe. Our team members use password managers and you should also. This allows you to avoid risks from reusing passwords. We cannot see your password or your students’ passwords. We provide tools in the app for you to reset passwords. Student passwords are set and reset by teachers. Use good password practices to keep your students safe. You may reach out to customer support for directions.

Student Safety is a Shared Responsibility

We use appropriate physical, electronic, and managerial processes and procedures to safeguard data against unauthorized access and use, including designating and training the individuals responsible for ensuring the security of the data. If you add students to your account, you also have a responsibility to use appropriate physical, electronic, and managerial processes and procedures to safeguard student data against unauthorized access and use, including designating and training the individuals responsible.

Personal Information Breach

In the event of a breach of Educator or Student Data that contains personal information, we will contact the account holder for the affected individual(s) using the information we have on file. We will provide notice as soon as reasonably possible, provided that we may delay notice if a law enforcement agency determines that the notice will impede a criminal investigation. In the event of a breach of Student Data, we will inform the owner of the account and provide the account holder with information to provide to the families of their students. We do not collect or store information about students that would enable us to contact students or their parents directly.

Legal Authority Demands for Access to Personal Information

We are required to disclose Personal Information in response to lawful requests by legal authorities, including to meet national security and law enforcement requirements. In the event a legal authority asks to access your data, we will direct the requestor to you and will not take action without your prior authorization, unless legally compelled to do so. If we are legally compelled to respond to such a request, we will promptly notify you and provide you with a copy of the request unless legally prohibited from doing so. If a legal authority is asking for information about a student, the account holder agrees to pass on the notification to the student’s legal guardian and indemnifies us for your failure to do so.


Data Transfers for Our International Customers

Most of our customers are in the United States and Canada. Some people in other parts of the world have chosen to use Boom Learning. We transfer the information you submit or that we gather to the United States for the purposes described in this policy.

Your country may assert oversight over your data or provide you with less protection than this document. By signing up for a Boom Learning account you acknowledge and accept the risk should the laws of the country in which you reside provide you or your students with less protection than this document with regards to your local government.

We comply with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce. This framework relates to the collection, use, sharing and retention of personal information transferred from the European Union to the United States. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/. If there is any conflict between this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. We have submitted to the oversight of the US Federal Trade Commission for the purposes of Privacy Shield Enforcement. We remain responsible for personal information we transfer to others who process it on our behalf. If you have a question, concern or complaint about our compliance or your rights, you can contact us. We will review your request in light of applicable laws.

You have the option of referring any complaint to our independent dispute resolution body: JAMS, an alternative dispute resolution provider with locations in the UK and US and online. Any matter referred to JAMS will be administered by JAMS in accordance with JAMS International Arbitration Rules. Online mediation is also an option. The services of JAMS are provided at no cost to you. In certain circumstances and if you are in the EEA, you can invoke the Privacy Shield arbitration process. To learn more about this method of resolution and its availability to you, please visit https://www.privacyshield.gov/.


Changes to This Policy

We will notify you before we make material changes to this policy and give you an opportunity to review the revised policy before deciding if you would like to continue to use the Services. You can review previous versions of the policy in our archive. Any version of this Privacy Policy in a language other than English is provided for convenience and the English language version will control if there is any conflict. Given the importance of this Privacy Policy, we encourage you to study it carefully.


Who We Are and How to Contact Us

Boom Learning is a trade name of Omega Labs Inc. Our mailing address is 9805 NE 116th St Suite 7198, Kirkland WA 98033. You can call us at 425-296-0886. You can contact us to send us questions about or notifications relating to this policy.


Trivia Answers

Mary Oemig is a technology and privacy lawyer, in addition to being an educator.

Eric Oemig is a former Washington State Senator, where he was Vice-Chair of the K-12 Subcommittee, in addition to being a technical guru (he prefers “god”, but we like to keep him humble).