Subscriber and Student Data Privacy and Security Policy

Learning.com provides solutions to help students, teachers, and schools excel in a digital world.  We are excited to help support student growth, but also realize that we are being entrusted with great responsibility. We take this responsibility seriously and it is reflected in our day to day operations. The following policy outlines what we do to ensure that you get most out of our products while maintaining our commitment to privacy and security.

Data We Collect and How We Use It

Learning.com gathers the minimum information needed to support our educational purposes. The specific personally identifiable information (PII) we collect and how each value is used is detailed below:

First and Last Name

Name is collected so it can be displayed back for personalization of the experience. Name is also used in reports provided back to the teacher and district.

District User ID

The district user ID is collected to use for synchronization with the district student information system (SIS) when a district is configured for sync with Learning.com. It is used to facilitate single sign on from certain external systems. It can also be used in reports provided back to the teacher and district.

Username

Usernames can be provided by the district and are used to log in directly with our service. Districts may also be configured using a single sign on solution without specifying usernames and in this case a random username will be generated and stored.

Grade Level

Grade level is displayed to educators for the purpose of locating specific students and identifying appropriate content.

School Attending

The school a student attends is used in aggregate reporting to show activity and progress grouped by school within a district.

Student Generated Work

Some curriculum items allow a student to provide generated work as a response, such as question responses and document attachments. The student responses are made available to the teacher to review and score the work.

Learning.com only uses collected PII for educational purposes related to providing our products and services. It is never shared, sold, or used for other commercial purposes. We are a signatory on the student privacy pledge (https://studentprivacypledge.org/) that provides additional enumeration of what we will and will not do with student data.

We will sometimes share information (Name, District User Id, Username, and School Attending) with third parties, such as our partner content vendors, in service of our educational purpose. We require these third parties to also adhere to applicable laws and the student privacy pledge.

Anonymous Usage Data Collection

Learning.com collects usage data within our products and services. Examples of data collected include which curriculum items are used most often, how long curriculum items take to complete, and which features within our applications are interacted with most and least. This data is collected anonymously and cannot be used to identify an individual user.

We analyze this data internally to understand usage patterns and improve our products, services, and curriculum offerings. It is not sold to or shared with third parties.

Our online applications also utilize browser cookies for anonymous session and user preference information. Personally identifiable information is never stored in cookies. Cookie information is not aggregated or analyzed.

Data Retention Policy

Learning.com retains data only as long as required to fulfill our educational purpose. Any PII provided to us is automatically deidentified upon expiration of a customer agreement. The expiration of the agreement is 90 days after the end of the purchased license period. The 90-day grace period allows for delays in agreement renewal with continuity of data.

The deidentification process anonymizes all account level PII (Name, District ID, and Username). Any associated student generated work is deleted. Once this process has been completed, accounts cannot be reidentified and no attempt will be made to do so.

Upon contract termination, an educational institution may request to have data deidentified immediately. This request must be submitted by an authorized representative in writing to our data protection officer. Send the request via email to privacy@learning.com and use “Request for Deidentification of Data” in the subject of your communication. You must include the name of your educational institution or agency and your contact information for verification of the request. We will also honor a request for complete destruction of data in the event deidentification is not acceptable. Upon verification of the request, Learning.com will process within 30 calendar days and send acknowledgement when it is complete. For customers that maintain subscriptions across multiple years, any user account that shows no activity for more than 2 years is automatically deidentified during our annual archival process. This archival process takes place during the month of July.

Data Portability Policy

Upon contract termination, an educational institution may request to have their data returned. Request to return data must be submitted by an authorized representative in writing to our data protection officer and must be submitted within 60 days following contract termination. Send the request via email to privacy@learning.com and use “Request for Return of Data” in the subject of your communication. You must also include the name of your educational institution or agency, a description of the data you wish to have returned, and your contact information for verification of the request. Upon verification, Learning.com will fulfill the request within 30 calendar days.

Learning.com will make reasonable efforts to return data in a format that preserves fidelity.  Our service collects and stores information using various technologies including relational databases, key-value stores, and flat files.  Due to the amount and format of the data, it’s not always feasible to deliver in the original format. Instead, data will be returned in the most appropriate representation which may include comma separated value (CSV) files, .zip files, and reports.

Data Security

The security of your data is of utmost importance to us. We employ industry best practices with respect to personnel and technology to minimize risks of unauthorized access or misuse of personally identifiable information.

We conduct background checks during our recruiting and hiring process to ensure good stewardship of your data. All personnel must complete annual security training that includes guidance on safe handling of data and a review of responsibilities under applicable laws and contracts. We limit access to personally identifiable information to those who require it in service of our educational purpose.

We secure your data by various technologic means, such as firewalls, monitoring, and vulnerability scans to minimize the chances of a breach. Our servers are all physically located within the United States using secure AWS cloud services. All data transmitted between your devices and our servers uses industry standard SSL encryption. All data in our custody is stored using FIPS compliant encryption. We employ an independent firm to conduct penetration testing of our systems, keep up to date with all security patches and software versions, and are vigilant about mitigating any newly discovered vulnerabilities. Our comprehensive security program implements a security in depth methodology by addressing security on every level to ensure information is protected in the event any one layer is compromised. Internal policies and procedures are aligned with NIST 800-53 and all data is stored

User accounts are required to access our services and use role-based access to ensure only authorized data can be accessed. You are the only person who can log in with your account and access your data. Learning.com will never ask you for your password and you should never give it to anyone. Ultimately, you are responsible for maintaining the secrecy of your password. Also remember to sign out properly and close your browser window when you have finished using our service. This helps ensure your information remains secure in the event the computer you used is physically accessible to others.

Data Breach Notifications

In the event of a breach we will notify impacted customers as soon as is practicable in accordance with applicable laws. Within 30 days of the initial breach notification, we will communicate detailed root cause information including complete scope of breach and remediation steps.

General Compliance With Laws

Learning.com complies with all applicable state and federal laws, including the Family Educational Rights and Privacy Act of 1974 (FERPA) and the Children’s Online Privacy Protection Act of 1998 (COPPA).

Contact Information

For additional questions or concerns, please contact our data protection officer at privacy@learning.com.

This policy was last updated August 20, 2019.

 

Pin It on Pinterest