Data We Collect and How We Use It
Learning.com gathers a minimum of information needed to support our educational purposes. The specific personally identifiable information (“PII”) we collect and how each value is used is detailed below:
Full Name is collected so it can be displayed back for personalization of the experience. Full Name is also used in reports provided back to the teacher and district.
District User ID
The district user ID is collected to use for synchronization with the district student information system (SIS) when a district is configured for sync with Learning.com. It is used to facilitate single sign on from certain external systems. It can also be used in reports provided to the teacher and district.
Usernames can be created and are used to log in directly with our service. Districts may also be configured using a single sign on solution without specifying usernames and in this case a random username will be generated and stored.
Grade level is displayed to educators for the purpose of locating specific students and identifying appropriate content.
The school a student attends is used in aggregate reporting to show activity and progress grouped by school within a district.
Student Generated Work
Some curriculum items allow a student to provide generated work as a response, such as question responses and document attachments. The student responses are made available to the teacher to review and score the work.
Learning.com only uses collected PII for educational purposes related to providing products and services to our users. It is never used for other commercial purposes and we will not repurpose PII for sale to third parties for their commercial use. We do not use any data collected to create student profiles for non-educational purposes and we do not provide behaviorally targeted advertisements to students.
We will sometimes share information (Name, District User Id, Username, and School Attending) with our third-party content providers in service of authorized educational purposes.
Anonymous Usage Data Collection
Learning.com collects usage data within our products and services. Examples of data collected include which curriculum items are used most often, how long curriculum items take to complete, and which features within our applications are interacted with most and least. This data is collected anonymously and cannot be used to identify an individual user.
We analyze this data internally to understand usage patterns and improve our products, services, and curriculum offerings. It is not sold to or shared with third parties.
Our online applications also utilize browser cookies for anonymous session and user preference information. PII is never stored in cookies. Cookie information is not aggregated or analyzed.
Data Retention Policy
Learning.com retains data only as long as is required to fulfill our educational purpose. Any PII provided to us is automatically deidentified 90 days after expiration of a customer agreement.
The deidentification process anonymizes all account level PII (Name, District ID, and Username). Any associated student generated work is deleted. Once this process has been completed, accounts cannot be reidentified and no attempt will be made to do so.
Upon contract expiration, an educational institution may request to have data deidentified immediately. This request must be submitted by an authorized representative in writing to our data protection officer. Send the request via email to firstname.lastname@example.org and use “Request for Deidentification of Data” in the subject of your communication. You must include the name of your educational institution or agency and your contact information for verification of the request. We will also honor a request for complete destruction of data in the event deidentification is not acceptable. Upon verification of the request, Learning.com will process within 30 calendar days and send acknowledgement when it is complete. For customers that maintain subscriptions across multiple years, any user account that shows no activity for more than 2 years is automatically deidentified during our annual archival process. This archival process takes place during the month of July.
Data Portability Policy
Upon contract expiration, an educational institution may request to have their data returned. Request to return data must be submitted by an authorized representative in writing to our data protection officer and must be submitted within 60 days following contract expiration. Send the request via email to email@example.com and use “Request for Return of Data” in the subject of your communication. You must also include the name of your educational institution or agency, a description of the data you wish to have returned, and your contact information for verification of the request. Upon verification, Learning.com will fulfill the request within 30 calendar days.
Learning.com will make reasonable efforts to return data in a format that preserves fidelity. Our service collects and stores information using various technologies including relational databases, key-value stores, and flat files. Due to the amount and format of the data, it’s not always feasible to deliver in the original format. Instead, data will be returned in the most appropriate representation which may include comma separated value (CSV) files, .zip files, and reports.
The security of your data is of utmost importance to us. We employ industry best practices with respect to personnel and technology to minimize risks of unauthorized access or misuse of PII.
We conduct background checks during our recruiting and hiring process to ensure good stewardship of your data. All personnel must complete annual security training that includes guidance on safe handling of data and a review of responsibilities under applicable laws and contracts. We limit access to PII to those who require it in service of our educational purpose.
We secure your data by various technologic means, such as firewalls, monitoring, and vulnerability scans to minimize the chances of a breach. Our servers are all physically located within the United States using secure AWS cloud services. All data transmitted between your devices and our servers uses industry standard SSL encryption. All data in our custody is stored using FIPS compliant encryption. We employ an independent firm to conduct penetration testing of our systems, keep up to date with all security patches and software versions, and are vigilant about mitigating any newly discovered vulnerabilities. Our comprehensive security program implements a security in depth methodology by addressing security on every level to ensure information is protected in the event any one layer is compromised. Internal policies and procedures are aligned with NIST 800-53 and all stored data is encrypted.
User accounts are required to access our services and use role-based access to ensure only authorized data can be accessed. You are the only person who can log in with your account and access your data. Learning.com will never ask you for your password and you should never give it to anyone. Ultimately, you are responsible for maintaining the secrecy of your password. Also remember to sign out properly and close your browser window when you have finished using our service. This helps ensure your information remains secure in the event the computer you used is physically accessible to others.
Parents’ Right to Review or Delete Information
A parent may review the information a child has submitted to us by sending us a written request addressed to Consumer Relations, Attn: Children’s Online Privacy Act – Information Request, 1618 SW 1st Ave, Suite 215, Portland, Oregon 97201. The request must include the name and address of the child, the child’s password and any other information that will allow us to verify the writer is the parent of the child whose information is being requested. In addition, a parent can instruct us to delete a child’s information at any time and can also instruct us not to collect any more personal information from the child by sending us a written request addressed to Consumer Relations, Attn: Children’s Online Privacy Act – Delete Request, 1618 SW 1st Ave, Suite 215, Portland, Oregon 97201. However, if such a request is made, such request may preclude the child’s participation in certain activities.
Data Breach Notifications
In the event of a breach we will notify impacted customers as soon as is practicable in accordance with applicable laws. Within 30 days of the initial breach notification, we will communicate detailed root cause information including complete scope of breach and remediation steps.
Changes to this Policy
General Compliance with Laws
Learning.com complies with all applicable state and federal laws, including the Family Educational Rights and Privacy Act of 1974 (FERPA) and the Children’s Online Privacy Protection Act of 1998 (COPPA).
For additional questions or concerns, please contact our data protection officer at firstname.lastname@example.org.
This policy was last updated January 13, 2020.