EFFECTIVE JULY 1, 2021 (see archived version)
- We want all kids to achieve at their highest possible level.
- We expect kids to make mistakes.
- We believe kids are entitled to leave their mistakes behind.
- We believe kids have a right to veto their presence online.
- We believe in transparency and feedback.
TABLE OF CONTENTS
- 1. Applicability
- 2. We are for Educators
- 3. Your role as a data controller
- 3.1 Entity specific considerations
- 3.2 Verification
- 3.3 Student safety is a shared responsibility
- 4. Changes
- 5. Data controls and requests
- 6. User Data we collect and its disclosure
- 6.1 Public author data
- 6.2 Confidential data
- 6.3 Student Data
- 6.4 Other data we may collect depending on your interactions with us
- 7. Cookies
- 8. Advertising
- 9. The Keeping and Deleting of Information
- 10. Information Security Plan
- 11. Legal authority data requests
- 12. Data Breaches
1.1 All users
This notice applies to data processed by our Services and is part of our Terms of Service. It incorporates by reference the following supplemental notices, as applicable to you.
- STUDENT PRIVACY NOTICE
- NOTICE FOR DATA EXPORTERS OF DATA ABOUT NON-US DATA SUBJECTS (EEA, Australia, Canada)
- COOKIE NOTICE
- DATA ELEMENTS disclosure
- INFORMATION SECURITY PLAN
- SUBPROCESSOR disclosure
These are provided as distinct documents to allow you to link to them from your website or to include them in parent notices.
1.2 Alternatives to this notice
We must have binding Privacy Notices in place. We cannot accept any Purchase Order that purports to negate our Privacy Notices unless an acceptable substitute Privacy agreement is in place. Contact us to put in place a subsitute agreement. Government Agencies may sign and return our Government Agency Terms of Service to modify certain terms of our Terms of Service and Privacy Notices.
1.3 Authority to agree on behalf of your entity or organization
You agree that you have the authority to enter into this agreement on behalf of your entity. It sets forth your roles and responsibilities regarding Student Data. If we have a direct privacy agreement with your district, state, or purchasing entity, those terms will prevail over any conflicting terms in this notice.
2. We are for Educators
2.1 Education purpose
Our business purposes (the Services) are
- To enable Educators to make, share, buy, sell, and assign awesome digital educational resources (Boom Cards) that mostly grade themselves;
- To provide Educators with rapid student performance reporting to give you more time to teach students, intervene faster with those who need it, accelerate those who need it, and occasionally read a long privacy notice (or better yet, a rollicking good book).
2.2 Service Provider directed to Educators
Our Services are provided at the direction of Educators and are Services for which Educators would otherwise use their own employees or agents. To fulfill those purposes, we use any personal information we receive from you (Educator Data), as well as any student personal information, student records, or student-generated content (Student Data) we receive from your students. Collectively we call this User Data. We are marketed and directed to Educators.
2.3 We are NOT a data reseller
We do not sell User Data.
2.4 Use with children
Educators create accounts for students under their charge. Although minors may use Boom Learning, a responsible adult Educator must accept terms and set up accounts on the minor’s behalf. Parents and legal guardians who are homeschooling or after schooling their children may use the product as Educators. We treat payment and verification of an email address as proof of adult status. Educator accounts are for adults only. If we learn that a minor has created an Educator account, we will take steps to delete the information as soon as possible.
2.5 Who we are and how to contact us
Boom Learning is a trade name of Omega Labs Inc, a Washington state C Corporation. Our mailing address is 9805 NE 116th St. Suite 7198, Kirkland WA 98034. You can call us at 833-969-2666. You can contact us to send us questions about or notifications relating to this policy.
3. Your role as a data controller
We are a service provider enabling you to engage in processing your student data and your teaching assets. We are a service directed toward adult service providers who work with students. When you create a student account you are acting in the place of the parent (in parentis loci) for the purposes of verifications and consents required under the law. You must have all legal consents required of you to add a student before creating a student account. You must have an account and a verified working email address to add students.
3.1 Entity specific considerations
3.1.1 FERPA Entities
United States schools governed by the Family Educational Rights and Privacy Act ("FERPA") agree and understand that their legal right to engage us to process student data on their behalf arises under the school official exception of FERPA. Pursuant to that exception, Boom Learning performs a service for which a school would otherwise use employees and Boom Learning operates under the control of the school with respect to the use and maintenance of education records for a legitimate education interest. We use student data solely for the purpose of fulfilling our duties and providing and improving services under this agreement. FERPA entities provide COPPA consent through in parentis loci.
3.1.2 COPPA Entities that are not FERPA entities
If you are an entity covered by the Children's Online Privacy Protection Act ("COPPA") but are not able to consent in parentis loci because you are not a FERPA entity (for example a music tutor), you must obtain consent from the parent or guardian before creating a student account as part of your normal business service.
3.1.3 HIPPA Entities
Your collection of Student Data for health therapy interventions must be consistent with the Health Insurance Portability and Accountability Act ("HIPAA"), including meeting the requirements of consent and using pseudonyms and private rosters to protect the medical information of patients. You may also need to obtain consent under COPPA.
3.1.4 GDPR Entities
Data controllers subject to the General Data Protection Regulation ("GDPR") must obtain consent from their data subjects and must enter into an additional data protection addendum (“DPA”) before adding students as data subjects. See NOTICE FOR DATA EXPORTERS OF DATA ABOUT NON-US DATA SUBJECTS.
3.1.5 Non-US, non-GDPR Entities
Data exporters must obtain any locally required consents from their data subjects. If the data controller is required to have a signed data export agreement to export student data to the United States, the data controller must enter into an additional data protection addendum (“DPA”) before adding students as data subjects. See NOTICE FOR DATA EXPORTERS OF DATA ABOUT NON-US DATA SUBJECTS.
3.1.6 Consumer Privacy Protection Acts (such as the CCPA, CPRA, CDPA and more)
The Services are typically governed by state laws applicable to student data in an education setting. If a state law regarding consumer privacy protection applies to the Services, we promise we will not discriminate against the residents of such state for exercising their rights under their applicable state law so long as such exercise comports with the requirements of the applicable state law.
You may contact us for assistance to learn which specific personal information we have collected about you and for help deleting personal information. We will require that you (a) provide sufficient information to allow us to reasonably verify that you are the person about whom we collected the personal information or an authorized representative; and (b) describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it. If you are an authorized representative, we will require proof of your authority to access personal information.
3.3 Student safety is a shared responsibility
We use appropriate physical, electronic, and managerial processes and procedures to safeguard data against unauthorized access and use, including designating and training the individuals responsible for ensuring the security of the data.
3.3.1 Use safeguards
You have a responsibility to use appropriate physical, electronic, and managerial processes and procedures to safeguard Student Data against unauthorized access and use. Passwords you assign to students should be appropriate to their age in complexity, with older students expected to master more complex passwords. You agree you are responsible for your secure use of Boom Learning, including providing or obtaining adequate training on the use of secure authentication, the dangers of open networks, and providing your employees with secure networks on which to use Boom Learning. You agree to use passwords for Educator accounts that are adequately secure to prevent intrusion. It is your responsibility to keep your login information confidential.
3.3.2 Your staff and volunteers
You will take reasonable steps to ensure the reliability of any of your employees, agents, or independent contractors-- including volunteers--who have access to Student Data, including:
- ensuring access is limited to those with a need to know and access the Student Data;
- ensuring that all such individuals are subject to obligations of confidentiality; and
- training such individuals on password security and privacy requirements for your organization.
3.3.3 We can reduce our liability to you if you fail to comply with your data security responsibilities
You agree that any regulatory penalties or other liabilities incurred by Boom Learning in relation to acts that arise as a result of or in connection with your failure to comply with your data security responsibilities will count towards and reduce Boom Learning’s liability to you.
We will not make material changes to the terms, including our Privacy Notices, without first providing notice via our newsletter service. Mere reorganization of components between cross-referenced documents or the addition of detail previously stated in our FAQs that do not alter fundamental commitments does not constitute a material change. You can review previous versions of the notices in our archive. Any version of this Privacy Notice in a language other than English is provided for convenience and the English language version will control if there is any conflict.
5. Data controls and requests
5.1 Educator controls
We provide Educators with a number of self-help controls that may be used to retrieve, correct, delete, or restrict User Data. We don’t analyze, process, serve or transfer Student Data until you instruct us to do so by opening an account, adding students, and assigning resources to them. As an Educator, you may update or change most information you have provided to us
5.2 Parent and student access
Parents and students may review Student Data by either reviewing the student dashboard with the student or asking the Educator to show the teacher dashboard for that student. Parents who contact us to review or delete Student Data will be redirected to the Educator. We will not release information to a person other than an Educator unless we are provided satisfactory proof of a legal right to disclose, review or delete student information.
5.3 Data we retain
We will not delete information necessary to be maintained for our business purposes, including but not limited to:
- at least one login authenticator if you are maintaining an active account;
- Boom Cards decks you have sold to other Educators;
- logs for detecting security incidents, deception, and malicious activity;
- logs for detecting fraud and other illegal activity;
- records for internal uses, including debugging and repairing errors, transaction and payment records, and the like;
- data legally required to be maintained (such as tax-related and financial data).
5.4 Data you may not collect
Schools must exercise their right of consent within the confines of any law regarding sensitive data. You may not assign a resource that collects sensitive data unless you have all the required consents. Depending on your governing jurisdiction, sensitive information may include political affiliation; trade union membership; health information; sexuality information; information about protected relationships such as lawyers or ministers; criminal behavior; firearm ownership; and/or biometric data. You are solely responsible for understanding what you may or may not assign in your jurisdiction.
You agree to indemnify Boom Learning for any liability arising from your actions in assigning a resource that collects information in violation of a law that applies and for any failure by you to provide a student with the required information regarding their rights. If in doubt, consult your legal counsel and governing body.
6. User Data we collect and its disclosure
We collect some User Data automatically and some you (or your school) provide to us. See our Data Elements disclosure for details of Student and Educator data we collect. We collect the data elements to provide the Services. Many of those data elements are optional.
For all users, we record the account created timestamp, last login timestamp, the type of device being played (i.e., iOS or Android, but not the device ID), the app version (if playing a Boom Cards app), the OS version of the device, the browser type and version, decks redeemed or purchased, decks made, points available, and school affiliation.
6.1 Public author data
Author store names, avatars, descriptions, grade levels, keywords, product titles, prices, descriptions, and product contents are public and not confidential if published to the Store (information about "Public Authors"). We may share this public information on Facebook, Twitter, Pinterest, Instagram, Google, or any other appropriate public marketing service. We may announce publicly top-selling products, top sellers, and new sellers. You may contact us to be omitted from those announcements. Other Public Author data, such as payouts owed, address information, taxpayer identification information, and payouts information is held in confidence.
6.2 Confidential data
Confidential data is secured behind authentication and is encrypted in motion and at rest. Educator names, avatars and descriptions are displayed to students and Educator-selected colleagues.
6.2.1 Disclosures of Confidential Data to Public Authors or External Marketplaces
The name of a user redeeming Boom Cards purchased from a marketplace other than the Boom Learning store may be disclosed to the originating Public Author or marketplace to verify and determine whether the product redeemed was validly purchased if there is evidence that the product may not have been. Such disclosure is only after an investigation determining the user may have violated the law or licensing terms.
6.2.2 Disclosures of Confidential Data to Subprocessors
Our subprocessor disclosure details our sharing of data with subprocessors, including our current list of subprocessors. It also discusses your responsibilities with respect to Educator selected subprocessors. Read it carefully.
6.3 Student Data
When you assign an educational resource using a method other than Fastplay pins, we collect information about student performance on that resource and report it back to you for your educational use. You should share the Student Privacy Notice with your families. Student performance data includes information such as resources played, cards played, time to play a resource, time to play a card, correct answers, incorrect answers and other student actions with respect to a card. You can always work with students without collecting Student Data by using Fastplay.
Student Data, other than the user nickname for a classroom roster, is deemed confidential. Educators may optionally enable or disable visibility of a classroom roster to students. Student confidential data may be disclosed as follows:
- The information of students to the Educator who created the student account or to the school or organization employing that Educator or to an Educator provided the information through colleague student sharing.
- The information of students to parents and legal guardians who observe the student dashboard.
- The information of Educators to the school or organization for whom the Educator works.
Student Data is also disclosed to the Student.
6.4 Other data we may collect depending on your interactions with us
6.4.1 Feedback and Ratings
We store feedback you give. Feedback is a private communication between you and a Public Author. We store ratings you give. Ratings and accompanying comments are public information. You may edit any ratings you give after they have been published. Feedback you provide via our support Helpdesk may also be stored in our systems for debugging and development management.
6.4.2 Assets uploaded
We store the fonts, images, and sounds you upload; and videos to which you link. We will retain those so long as the deck to which they were added has active student data records, or for publicly published decks so long as they are in user libraries.
6.4.3 Payment records
To make a payment you will need to provide the information requested by one of our payment processors, such as your name, account number, and verification numbers. Our payment processors use Payment Card Industry Security Data Security Standard (PCI DSS) compliant processes to process payments. They process payments directly. We do not have access to or store your full payment card details. We do have some information, such as your email address, approximate location, and name and payment, and purchase history. You can use My Settings to remove a credit card stored by Stripe. You may edit your Paypal information from your Paypal account. You may pay by check or ACH. If you pay by purchase order or check, we will store your payment information and tax exemption information, if any, in our accounting records. In some cases, your information may be shared with our accountant or with tax authorities.
We record the authors you redeem, purchase, and assign. These allow us to make adaptive and personalized learning recommendations to you based on you and your students’ educational needs. We do not provide personalized recommendations from third parties. We keep track of which users follow you or redeem your products. If you redeem a product we automatically add you to the follow list for the author. Followers are not disclosed to your author without your consent.
6.4.5 Sales history and taxpayer identification
We store records of your sales. If you reach certain thresholds, we may request and store your taxpayer identification number. We also store the information you give us to enable us to pay you.
6.4.6 Created resources
We store the Boom Cards you create and the assets you upload. Any asset added to a deck assigned to a student is retained, even if you delete it. Because Boom Cards are effectively small applications unique to our platform, there is no ability to export created resources in a playable format. However, you may use the print feature to create .pdf versions of your creations.
6.4.7 Referral codes
We may store a referral code if you clicked one to arrive, which may tell us which user or author referred you or whether you arrived from a particular campaign. We do not provide your name to the referring party.
6.4.8 Newsletters and emails
We keep track of newsletter clicks, opens and site actions to better serve you. We have selected ActiveCampaign because their privacy practices and policies are consistent with the needs of the education market. We tell ActiveCampaign about key user actions for adult users. This allows us to provide just-in-time support and to run our recommendation engine for our adult users. We provide you with a variety of tools to opt in and out of how we use ActiveCampaign data. Options include notices only and newsletters about teaching, creating, and selling Boom Cards. We may use aggregate ActiveCampaign data to evaluate and plan external marketing. You can request to see your full ActiveCampaign data map and to have us update or delete information in the map.
When you click on a link hosted at blog.boomlearning.com, WordPress will collect technical data about you, your interactions with the site, and your inferred location. We do not enable ads on our blog.
6.4.10 Social Media
Your participation in any of our social media sites, including our Facebook groups is optional. Direct messages sent to us via social media may be forwarded to our Help Center (Freshworks). Your participation with us through social media is governed by the terms of the social media site.
6.3.11 Sales and Marketing Contact Information
If you contact us from a marketing, or sales campaign or to make a purchase for a school, we will collect information about you in our sales CRM and will send you follow up messages about our products and services. You can opt out of receiving these messages. We may choose to use these contacts for remarketing and retargeting purposes.
Please see our Student Privacy Notice regarding advertising and marketing to students (we don't do it).
Aspects of the Boom Learning platform provide adults with instructional materials recommendations based on the teacher choices made for the student populations served by the teachers. Such recommendations are in furtherance of our shared educational purpose and do not constitute use for an advertising, marketing, or commercial purpose. Further, for the absence of doubt, the parties agree that it shall not constitute an advertising, marketing, or commercial purpose for Boom Learning to inform Educators of new Boom Cards or Boom Learning features or functionality.
We allow adult customers to “opt in” to receive email marketing from us or others.
9. The Keeping and Deleting of Information
9.1 Self-help tools for Educators
At any time, Educators may delete a student, or contact us to request that we delete a student or your account in the event you are unable to use the self-help tools. You agree to give us 10 days so we can confirm that the person making the request is you and has the right to delete the account. Deletion cannot be undone.
9.2 Account transfer for entities only
To transfer an account from one Educator to another, or to receive a machine-readable data dump from an account, you must contact us. We can only make full account transfers between employees of the same purchasing entity.
9.3 Scheduled deletion for expired accounts
To minimize privacy risk, we schedule deletion of stale accounts after the trigger dates set forth below. Deletions take place after the triggering date during the next scheduled data sweep.
- student accounts 90 days after the associated paid Educator membership expires – we assume these students will have a new teacher in the next session; renew early to avoid.
- student accounts 180 days after the last Educator login for free accounts – we assume these are homeschool or small tutor accounts; login in at least once every 179 days to avoid.
- Educator accounts not owned by a school 365 days after last login, at our sole discretion – deletion results in the loss of purchased and redeemed decks, created decks, classrooms, and unused points.
Boom Learning retains copies of all Public Author Boom Cards resources sold and, in its sole discretion, Educator shared Boom Cards to serve the recipients.
10. Information Security Plan
See our Information Security Plan for details on how we protect Student and Educator data. You may post this link on your website to comply with local requirements.
11. Legal authority data requests
We are required to disclose Personal Information in response to lawful requests by legal authorities, including to meet national security and law enforcement requirements. In the event a legal authority asks to access your data, we will direct the requestor to you and will not take action without your prior authorization, unless legally compelled to do so. If we are legally compelled to respond to such a request, we will promptly notify you and provide you with a copy of the request unless legally prohibited from doing so. If a legal authority is asking for information about a student, the account holder agrees to pass on the notification to the student’s legal guardian and indemnifies us for failing to do so.
12. Data Breaches
12.1 Security incidents that constitute data breaches
The definition of a security incident that rises to the level of a data breach varies by jurisdiction. Typically a breach is an incident of data loss or unauthorized data access that (a) compromises the confidentiality or integrity of the data and in doing so (b) is likely to cause harm to the data subjects impacted. A breach typically includes harms that can be substantial (financial information, account credentials, medical information). It does not include speculative harms — a harm must be reasonably likely.
12.2 Security incidents that do not constitute a data breach
Unauthorized access to data that is encrypted is not a breach if the encryption key is not accessed or acquired.
It is not a breach for another person at the same entity with a similar confidentiality obligation to the data subject as the account holder to access the User Data. Nonetheless, your entity may require you to report accidental, inadvertent or deliberate access by another person at your entity with a similar confidentiality obligation to you to your information security department. Such reporting is the obligation of the Educator who becomes aware of the incident. Boom Learning has no reporting obligation for security incidents involving persons at the same entity unless agreed otherwise in writing. You should understand that a classroom worker (volunteer or paid) can likely determine who a student is in real life (“IRL“) from the nickname. You are responsible for ensuring any classroom workers follow your organization’s and locale’s rules, regulations, and laws regarding access to Student Data.
12.4 Breach response procedures
12.4.1 Notice content
In the event of a breach of User Data that contains personal information, we will contact the account holder for the affected individual(s) using the information we have on file. We will provide notice as soon as reasonably possible, provided that we may delay notice if a law enforcement agency determines that the notice will impede a criminal investigation. Such notice will include in plain language What Happened, What Information Was Involved, When It Occurred, What We are Doing, What You Can Do, and For More Information.
12.4.2 Notice timeline
Educators will be notified without undue delay and within 7 days of determining that a data breach affecting school User Data has occurred. We will provide Educators with sufficient information to allow the school to meet any obligations to report or inform students or staff of the breach. In many cases, we do not collect or store information about students that would enable us to contact students or their parents directly.
12.4.3 Notices to regulators
We will provide notices of breaches to the appropriate regulators where required by law, and we may elect to provide such notice, at our option and in our sole discretion, where not required by law. Governmental Agencies that do not want us to provide notice to regulators must complete and return the Government Agency Terms of Service.