Effective Date: April 16th, 2023
1. Introduction
We care about privacy and believe that it is essential to the service we provide. You entrust us with the personal information of your employees and students, and we understand that our ability to continue providing services to our customers is based on showing proper respect for that trust. We are a proud signatory of the Student Privacy Pledge, and we are committed to continually improving our privacy program in alignment with recognized best practices, customer needs, and an evolving student privacy legal and regulatory framework.
2. Scope and Applicability of this Privacy Statement
This privacy statement (“Statement”) describes how Paper Education Company Inc. (“Paper,” “we,” “our,” “us”) processes Personal Information (as defined below) within the Paper Educational Support System (app.paper.co) (the “Platform”), including associated educational and support services, service providers, and methods of user access, and any other Paper websites and services that expressly state and link to this Statement as their governing privacy statement (collectively, together with the Platform, the “Services”).
Our Services are provided to you, a partnering local education agency who has contracted with Paper to provide the Services (“District” “you,” “your”, ) to your authorized students, parents/guardians, teachers, school administrators, and/or other District personnel (each an “end-user” or collectively “end-users”). This Statement is designed to tell you what information we collect or receive in order to provide the Services to you and your end-users under the executed services agreement between your District and Paper (“Contract”), and how that information is used, shared, and protected.
This Statement does not apply to our general website containing product and sales information (www.paper.co), which is governed by the Paper Website and Marketing Privacy Policy. This Statement also does not apply to any websites and services operated by third parties (“Third-Party Sites”) that may be linked from within the Paper Platform, such as when a tutor provides a student with a link to a video on YouTube or another site to learn more about a particular topic. Paper does not control any such third party websites and is not responsible for their information collection or privacy practices, as such sites are governed by their own policies. If an end-user chooses to access a third party website, we recommend that the end-user review the site’s privacy policies with their parent or guardian.
Key Points Regarding Our Privacy Practices
3. What is Personal Information?
This Statement applies to personally identifiable information that allows us to identify an end-user directly or indirectly (“Personal Information”). Paper may process non-Personal Information that cannot be linked or associated with any individual’s identity. When non-Personal Information is combined with other information so that it does identify an individual person, we treat that combination as Personal Information. This Statement is for transparency purposes and some of the data that we identify in this Statement as Personal Information may not be protected as personal information under applicable laws.
4. What Personal Information do we collect and process?
Overview of Student Data Collection and Processing. Student end-users are not required to provide Personal Information in order to begin accessing the Platform, all such information is provided by the District during the on-boarding process. Once the student end-user accounts have been created, additional Personal Information may be collected from end-users as part of the provision of Services, such as when receiving tutoring services, submitting essays for review, using Paper Reading or Paper Math to practice skills, participating in District or Platform-wide missions/contests/giveaways, or submitting support requests. Any Personal Information collected as part of the Services will be processed as set forth in this Statement and the Contract. Section 5 below addresses how Personal Information is used in order to provide the Services or comply with the Contract, and Section 6 describes why and when Personal Information may be shared with third parties. Parents or guardians of student end-users may contact us with any questions about our privacy practices by email at [email protected] or through the additional contact information available in Section 13. Parent/guardian requests for review, access, or deletion of your child’s Personal Information should be directed to your school or District as described in Section 10.
Setting up your End-User Accounts. Districts provide us with Personal Information during the Platform on-boarding process in order to begin providing Services to their end-users. This transfer of Personal Information may occur directly or, at the direction of the District where the capabilities are available, through the use of third-parties or integrations with student information systems in order to automatically update end-user data. Personal Information that we receive and process in order to begin providing Services typically includes the following:
Providing the Services to your End-Users. We may also collect the following types of Personal Information as end-users access and use the Services, including through related interactions or communications with us:
Type of cookie | Description |
Essential | Essential cookies are necessary to operate the core functions of our Services. These include login cookies, session ID cookies, language cookies as well as security cookies. |
Functional | Functional cookies are used to provide you with some functionalities, such as live chatting, and to remember preferences, consents and configurations. |
Analytics | Analytics cookies are used to generate aggregated statistical data about traffic and behavior of users when using our Services. |
You can manage your preferences for the handling of cookies through your device, application or browser. However, if essential and functional cookies are blocked, some parts or aspects of the Services may not be available. Note that some web browsers incorporate a Do Not Track (“DNT”) feature that signals to the websites that you visit that you do not want to have your online activity tracked. At this time, based on the nature of the services we provide, our website does not respond to DNT signals.
Accessing the Platform. In addition to standard website access to the Platform, Paper may make additional Platform access methods available to end-users (“Alternative Access Methods”). Examples of the Alternative Access Methods that Paper has made available include our iOS Mobile App, Android Mobile App, and the Paper Chrome extension. Paper reserves the right to modify the available Alternative Access Methods as needed for delivery of the Services, for compliance purposes and for other purposes set forth below in Section 5 (How do we use Personal Information?). As an example, we may need to modify mobile apps or temporarily suspend their use due to adverse changes in App store guidelines.
Efficacy and Reporting. Outcome, diagnostic or achievement data may be required in order to assess and report on the efficacy and utilization of the Services by student end-users. For example, state, district, or local exam data may be collected at the account creation stage as well as on a periodic basis thereafter in order to assess the impact that Paper usage has on student performance.
5. How do we use Personal Information?
We collect and process Personal Information in order to set up and provide the Services to you and your end-users as set forth in the Contract, including:
We may also process end-users’ Personal Information for the following purposes:
6. How do we share Personal Information?
We disclose Personal Information only for the purposes set forth in Section 5 (How do we use Personal Information?) above in order to provide the Services. The instances where we may disclose Personal Information include the following:
With Your Personnel. Personal Information collected through the Services is available to the contracting Districts and its school and district administrators. Teachers generally have access to the same categories of information as school and district administrators, except that their access is limited to students enrolled in the classes they teach.
With Affiliates and Third-Party Service Providers. We may share information with our affiliate and third-party service providers in order to support our provision of the Services. Service providers are only allowed to use, disclose or retain the Personal Information in order to provide their services to us, which include, but are not limited to, efficacy analysis and reporting, hosting and IT services, customer support services, communications services, website development services, performance services, and analytics services. For additional information, please review our Service Provider and Affiliate List. Paper use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements.
With Your Integration Partners. Our Services can be integrated with other learning management platforms through Single Sign-On and APIs, such as Clever or ClassLink (“Integration Partners”). Integration Partners are not our suppliers or service providers. Districts enter into separate agreements with Integration Partners to which we are not a party, and plug-ins, APIs or other accesses to Integration Partners are only activated at an District’s request. We may share Personal Information with such Integration Partners when directed to by a District, who has full control over what Personal Information they share with their preferred Integration Partner(s).
For Legal Process. We may disclose Personal Information if permitted or required by law; for example, in response to a court order or a subpoena. To the extent permitted by applicable law, we also may disclose Personal Information: (i) in response to a law enforcement or public agency’s (including educational institutions or children services) request; (ii) if we believe disclosure may prevent the commission of a crime, facilitate an investigation related to public safety, or protect the safety of a child using our Services; (iii) to protect the security or integrity of our sites, applications, and other technology, as well as the technology of our service providers; or (iv) to enable us to take precautions against liability. We will take commercially reasonable measures to notify Districts prior to making any such disclosures, unless we are prohibited by law.
Where Required for Corporate Transactions. If we go through a corporate restructuring or reorganization, financing, initial public offering, merger, sale, or other commercial transaction involving some or all of our assets, Personal Information may be transferred or disclosed in such context, subject to any limitations under applicable contracts or laws. In these circumstances, we will comply with applicable laws, and will use commercially reasonable measures to limit any permitted or required disclosures or transfers of Personal Information. If such transactions are completed, our successor(s) (if any) or recipients of such Personal Information may only process your Personal Information in the same way as set out in this Statement and in compliance with applicable laws and any applicable customer contracts.
7. How do we obtain consent from students for processing, and how do we comply with student privacy laws and regulations?
Most of the students who are using our Services cannot consent to the processing of their Personal Information under applicable laws, and parental or school consent is required. Districts that retain our Services are responsible for obtaining and providing such consent as part of the contracting process in accordance with applicable laws. To the extent that the Contract does not explicitly address consent for the processing of Personal Information, District acknowledges and agrees that it has collected all necessary and appropriate consents and authorizations for the processing of Personal Information in order for Paper to provide the Services to District and for both parties to comply with all applicable privacy laws and regulations.
Family Educational Rights and Privacy Act (FERPA). FERPA sets forth the requirements for sharing of Education Records by Districts with service providers like Paper for the delivery of educational services. Paper is authorized by Districts as a “school official” to receive and process Education Records, which include Personal Information, to provide the contracted educational services.
Children’s Online Privacy Protection Act (COPPA). We do not knowingly collect any information from children under the age of 13 in the United States unless and until the relevant District has provided consent and authorization for a student under 13 to use our Services and for us to collect information from or about such students. Where the District instructs us to collect Personal Information about children under the age of 13, we process such information solely to provide our Services to the student on behalf of and for the purposes set forth in the Contract and as described in this Statement. We process only as much information as is necessary to provide our Services. Districts may request access or deletion of Personal Information or withdraw consent for continued processing of the Personal Information at any time.
If you believe we have inadvertently collected Personal Information from a child under 13 without proper consent, please promptly contact us at [email protected]. This will allow us to delete such information as soon as possible.
Paper Education Company Inc. is a member of the PRIVO Kids Privacy Assured COPPA safe harbor certification Program (“the Program”). The Program certification applies to the digital properties listed on the certification page that is viewable by clicking on the PRIVO Seal. PRIVO is an independent, third-party organization committed to supporting online services to safeguard children’s personal information collected online. The PRIVO COPPA safe harbor certification Seal posted on this page indicates PaperEducation Company Inc. has established COPPA compliant privacy practices and has agreed to submit to PRIVO’s oversight and consumer dispute resolution process. If you have questions or concerns about our privacy practices, please contact us at 1-888-585-4754 or [email protected]. If you have further concerns after you have contacted us, you can contact PRIVO directly at [email protected].”
8. How long do we retain Personal Information?
We retain Personal Information for periods required by applicable law/regulation, our Contract, or Paper’s industry standard retention policies (in order of precedence). Districts may request the deletion of Personal Information by contacting us. End-user requests for deletion of Personal Information should be directed towards their educational institution as set forth in Section 10 (How can end-users exercise their privacy rights?) below.
9. How do we protect Personal Information?
Our Security Program. We maintain an industry standard information security program and have implemented reasonable and appropriate security controls designed to protect the Personal Information that we collect and process in order to provide the Services. These controls include, where and as appropriate, use of multi-factor authentication, at-rest and in-transit data encryption, physical access controls to files and buildings, and more. Unfortunately, no data transmission over the internet can be guaranteed to be 100% secure. While we strive to appropriately protect all Personal Information we process, we cannot guarantee or warrant its complete security. However, Paper does maintain an industry standard incident response plan designed to identify, contain, and prevent the recurrence of any incident or breach that could impact the security of the Personal Information we process.
Our SOC 2 Report. Paper also complies with AICPA SOC 2 requirements, which certify that its information security practices, policies, procedures and operations meet SOC 2 standards. Our SOC 2 attestation reaffirms the company’s commitment to providing its customers with industry standard safeguards.
Our Platform Hosting Provider. Personal Information stored within the Platform is hosted on infrastructure in the United States using reputable cloud service providers such as Google Cloud Platform and Amazon Web Services. Our Platform hosting providers maintain several independent verifications of their security, privacy and compliance controls, such as ISO 27017, ISO 27018 and ISO 27001. For additional information, visit Google’s Trust & Security Center and Amazon’s Cloud Security site.
10. How can end-users exercise their privacy rights?
End-users may be entitled to exercise their privacy rights under applicable law based on where they reside, such as withdrawing consent, or accessing or correcting their Personal Information. End-users must contact the District where the end-user is registered to exercise any such rights, as the District has sole control of end-users’ Personal Information as between us and the end user.
11. Can we modify this Statement?
Yes, we may modify this Statement from time to time, such as to reflect new or modified Platform functionality, technology, service providers, or other changes to our collection and use of Personal Information. Any changes will be effective upon the revised Statement being posted to our Website.
When we make material changes to this Statement, we will provide notice to Districts for whom we have contact information in advance of the effective date of those changes. We will also post a notice at the start of the Statement by updating the last updated date.
12. How does this Statement differ for customers in Canada?
For Canadian residents whose Personal Information is subject to Canadian privacy laws, the provisions in the Canadian Services Privacy Policy apply.
13. Who can I contact if I have questions or feedback about this Statement?
For questions, concerns or inquiries regarding the collection, use or disclosure of Personal Information or concerning this Statement, we can be contacted as follows:
Preferred: E-mail us at [email protected]
Call us at 1-888-585-4754
Reach us by mail at the following address:
Paper Education Company Inc.
279 Sherbrooke St West, Suite 410
Montreal, QC, H2X 1Y2
Canada
© Paper 2024 All rights reserved.