Albert is compliant with ISO 27001, the most rigorous global security standard for Information Security Management Systems (ISMS).
Albert is compliant with Utah Student Data Privacy requirements
Albert has signed the Student Privacy Pledge.
Last updated: 01/01/2021
1. WHAT IS ALBERT?
Albert helps students learn more effectively through engaging practice and real-time feedback. Educators use Albert to extend their instructional capacity by letting Albert challenge students with questions and providing detailed explanations that students can review at their own pace both in and out of school. Albert serves grades 5 through 12 and covers all core academic areas, including reading, writing, math, science, and social studies.
2. FORWARD AND DEFINITIONS
At Learn By Doing, Inc. (“us,” “we,” or “Albert”), we take the security and privacy of user data extremely seriously. We are committed to complying with the student data privacy laws that apply to your use of the Platform and helping our customers comply with FERPA, COPPA, and other regulatory requirements. Read more below and in our Terms of Use.
We use the term “User Information” in this policy to refer to information that personally identifies a user of Albert’s platform as well as other information we receive or create in the course of a User’s usage of the Platform that is linked to information that personally identifies a User. We use the term “Student Information” to refer to User Information that specifically pertains to Student Users of the Platform.
Capitalized words that are not defined herein have the definitions set forth in our Terms of Use.
3. DATA WE COLLECT
When you register for, and use the Platform, you may provide us with three types of User Information:
Personal Data
For the general purposes of authentication, class roster management, and compliance with applicable laws, we collect information that is used to identify individual Users (the “Personal Data”). Personal Data does not include Data that has been aggregated or made anonymous such that it can no longer be reasonably associated with a specific person.
The Personal Data that we collect from Users includes:
| Personal Data | User type | Purpose | Required? | Stored? |
|---|---|---|---|---|
| Salutation (Title) | Educators only | Identification | Yes | Yes |
| First and last name | Students and Educators | Identification | Yes | Yes |
| Email address | Students (or their Parents/Guardians) and Educators | Identification, authentication, notifications | Yes | Yes |
| Username | Students and Educators | Identification and authentication | Yes | Yes |
| Age | Students only | COPPA compliance | Yes | No |
| School ID code | Students only | Identification | No | Yes |
As a general matter, we do not request nor collect any of the following information from Users:
● physical address(es)
● telephone number(s
● photograph or physical likeness
● date or place of birth
● social security number
● dates of attendance in school
● grade level
● grades or test scores
● disciplinary records
● medical or health records
We collect Personal Data in different ways. For example, we collect Personal Data when Users register for an Albert account or when a teacher invites a student to join their class on the Platform by entering the student’s email into the Platform and sending the student an email invitation. . We also receive Personal Data from other sources (“Integrated Services”), such as identity verification services, like Google and Clever, contingent on Users granting such Integrated Services to share Personal Data with us.
You have the right to decline to share certain elements of Personal Data that we ask you to provide, but must note that doing so may limit your use of certain features and functionality of the Platform. You may edit the Personal Data you provide to Albert at any time by accessing your account through the Platform.
Device Data
Like most web-based services, we (or our Service Providers) may automatically receive and log information from your browser or your device when you use our Platform (“Device Data”). Examples of Device Data we may automatically receive and log when you use the Platform include web browser type, IP address, your device’s operating system, and your device’s geolocation, among others.
We take measures to ensure that our Platform and our Service Providers only collect the minimum amount of Device Data needed to deliver the Platform in a seamless way, help us improve our products, and deliver high-quality customer support. . The Device Data we collect is analyzed and may be aggregated and combined with similar aggregate Device Data of other users the Platform, as well as associated with the Personal Data of individual Users. If you use Albert on different devices, we may link the information we collect from those different devices to help us provide a consistent Platform experience across your different devices.
Usage Data
User interactions with our Platform generate data we refer to as “Usage Data”. Usage Data for Student Users may include, for example, the lessons a student chooses to complete and how they performed on those lessons, when a student starts and stops a lesson, and student responses in the lesson. Usage Data for Educator Users may include their class rosters, the lessons they have created and assigned, and their class preferences. Usage Data will be used for educational and product development purposes only.
4. HOW WE USE DATA
Personal Data
We and our third-party software vendors (“Service Providers”) use Personal Data to: (i) provide the Platform, ii) comply with applicable laws, and (iii) promote our products, systems, and tools. Examples of how we may use Personal Data include:
● To authenticate a user’s identity;
● To customize the features that we make available to you;
● To respond to inquiries, send service notices and provide customer support;
● To communicate regarding a payment, and provide related customer service;
● For regulatory purposes and compliance with industry standards;
● To send communications about new features and products;
● To determine if a student is under 13 for the purposes of COPPA compliance;
● We do not use Personal Data for maintenance, testing, or improvement of the Platform
Device Data
We use other Device Data to improve the product, deliver a consistent and enjoyable experience, debug, provide customer support, and for aggregate analysis.
Usage Data
We use Usage Data for reporting purposes to teachers and educational agencies, and to test and improve our product. We also use de-identified aggregate Usage Data to develop new products, improve or modify our Platform, conduct analysis and develop business intelligence that enable us to operate, protect, make informed decisions, and report on the performance of, our business.
Cookies and similar technologies
We and our Service Providers use cookies and local storage to help provide you with a better, faster, and safer experience. Cookies are small files that websites place on your computer as you browse the web. Local storage is an industry-standard technology that allows a website or application to store information locally on your computer or mobile device.
Here are some of the ways that we and our Service Providers use these technologies: to log you into the Platform, save your preferences, personalize your experience, and protect against abuse. You may set your browser to reject cookies; however, this may affect some functions of the Platform.
As a general matter, we consciously avoid and do not include Personal, Device and Usage Data in cookies and local storage. While we use these technologies to help identify user sessions, the information contained is only meaningful to the Platform itself.
5. HOW WE SHARE DATA
We do not disclose, share, rent, or sell any User Information to any third parties for commercial uses, such as targeted advertising. We only disclose or share User Information with bona fide Service Providers for purposes related to or arising out of the ordinary course of creation, development, operation, service, and maintenance of the Platform. Such bona fide Service Providers shall only use such User Information for such purposes and not to sell such User Information under any circumstances.
Service Providers who do help us operate our Platform must adhere to privacy and security obligations in a manner consistent with the Company’s policies and practices. Below is a list of our Service Providers with whom we may share User Information and the services they generally provide.
| Service Provider | Purpose of data sharing |
|---|---|
| Appsignal | Application performance monitoring |
| Bugsnag | Software error monitoring |
| Front | Email client |
| Google Cloud Platform | Cloud hosting and data warehousing |
| Amazon Web Services | Cloud hosting and data warehousing |
| Hotjar | Survey response collection and feature usage research |
| Customer.io | Customer messaging platform for teachers only |
| Intercom | Customer support, help center, and customer messaging |
| Mode Analytics | Data science; user and product research |
| Pipedrive | CRM |
| Sendgrid | Transactional email service (e.g., password reset emails) |
| Slack | Internal communication |
| Polytomic | Data ETL service |
| Stripe | Payment processing |
| Typeform | Survey response collection |
| Zapier | Web services integration |
6. EDUCATOR USERS AND STUDENT INFORMATION
If you are a Student User using the Platform in connection with a teacher, school, or district (a “School”), your School administrator(s) and teacher(s) (“Educator Users” and each an “Educator User”) may have the ability to access, monitor, use, edit, delete or disclose data related to Student Information. Additionally, Educator Users may create Student User accounts on behalf of students and in so doing, provide Albert with the Personal Data of students. If you are an Educator User, you agree that you will obtain and maintain all required consents from Student Users or their parents or legal guardians (when such Student Users are under the age of 13 or the age of consent in the state in which the Student resides) to allow: (i) your access, monitoring, use, editing, deleting, and disclosure of their Student Information and our providing you with the ability to do so, and (ii) your Student Users’ use of the Platform.
If a Student User enrolls in a “class” created by an Educator User on the Platform, the Student User grants permission to the Educator User to view their Personal Data and Usage Data. Enrollments are done via a unique class join code, a unique class join link, direct email invitation, or an Integrated Service.
If you are a Student User using the Platform in connection with a School and do not believe you or your parent or guardian has provided consent for the School or its Educator Users to access, monitor, use, edit, delete, or disclose data related to your Usage Data and Personal Data, please contact us immediately at hello@albert.io.
7. SECURITY
Albert secures User Information both in transit and at rest via encryption. We use modern cryptographic algorithms like AES256 with strict user access control and multi-factor authentication.
8. DATA RETENTION
We retain User Information to provide the Platform to you and our other Users and to provide a useful user experience, and not longer than is necessary to do so. When you update your User Information, we usually keep a backup copy of the prior version for a reasonable period of time in case you need to need to go back to that version.
Users may deactivate their account at any time by accessing their account through the Platform. Deactivating an account means the following:
● Users will no longer be able to access their account.
● No further activity may take place on the deactivated account.
● User accounts will no longer be publicly visible in the Platform.
● All data associated with User accounts will be kept for reporting and compliance reasons.
● User Information for Student Users up until their deactivation time will continue to be shared with any Educator User(s) and the school(s) to which they belonged.
● School(s) that previously had access to such data will not have access following the deactivation.
A deactivated account can be restored, with all User Information intact, upon request
For Student Users who deactivate their account, except for Users (including Minor Users) who make a request for deactivation and de-identification (as discussed below), Albert will retain all of their Student Information for four years after their deactivation date. If no request for re-activation is received during that time, all Student Information will be de-identified and the account will no longer be eligible for restoration.
Following the termination of a license, a School may request that we deactivate and de-identify Student Information and we will do so, unless the School or applicable regulations require the retention of such data, in which case the records shall be de-identified upon the expiration of the retention period.
Minor Users (or their parents and/or guardians) may also request to deactivate and de-identify their accounts for any reason, including infancy, and we will do so. If you are a Minor User and would like to deactivate and de-identify your account for any reason, including infancy, please contact us at hello@albert.io.
In the case of a request for deactivation and de-identification, the following happens:
● We will obfuscate all of the Personal Data in the relevant Student User accounts. This means that their email, first name, last name, salutation, and username get replaced with a long, meaningless identifier that is randomly assigned. This is a one way change, and we can never recover the identity associated with the account after this step. We will perform this obfuscation in our database, all backups that we maintain, and in any Service Providers that we use to deliver the Platform.
● We will retain all Usage Data associated with the accounts to improve the Platform. These reasons include, but are not limited to: internal data analytics and prevention of fraud and abuse.
● This action results in the deactivation of the impacted Student User accounts, preventing them from being used or restored in the future.
● In order to request an account reactivation, please contact us at hello@albert.io. To request that Student Information be de-identified, please contact us at schools@albert.io.
Please note that the requested deletion will be as comprehensive as possible but is always subject to issues outside of our control, including applicable regulations and laws, your actions and the actions of third parties. We may also need to retain a copy of certain information for legal compliance purposes, including, without limitation, to avoid identity theft or fraud.
9. VIEWING AND CORRECTING INFORMATION
A parent or guardian may review Student Information in the applicable student’s records by viewing the Student’s Albert.io account. The Platform enables any Educator User to permit parents, legal guardians, and eligible pupils to review personally identifiable information contained in Student Information, and to correct erroneous information, in accordance with procedures established by the School.
To the extent that a User opts to share his or her profile with his or her parent or guardian, such User expressly agrees to such sharing and all related responsibilities and liabilities therewith. Minor Users or Child Users cannot opt of sharing his or her profile with his or her parent or guardian.
We fully comply with the Requirements for Accessible Electronic and Information Technology Design as laid out by the U.S. Department of Education here.
10. STUDENT DATA OWNERSHIP
Any and all student data provided to Albert, or to which Albert has been granted access, are and shall remain the sole property of the educational agency or school that provided or granted access to such records.
11. USERS UNDER 13 YEARS OF AGE
In accordance with the Children’s Online Privacy Protection Act (“COPPA”), we require parental consent for students under the age of 13 who wish to use Albert (“Child Users”). Albert does not knowingly permit Child Users to register directly for our Platform without the consent of a Parent (defined below) or Educator User on behalf of a Parent. If Albert learns that Personal Data of a Child User has been collected on our Service without parental consent, then Albert will take appropriate steps to delete this information. If you are a parent or guardian (“Parent”) and discover that your child under the age of 13 has an account with our Platform without your consent, please alert us at hello@albert.io.
There are two acceptable ways for Child Users to sign up for the Platform:
1 - Self registration. When a Child User registers for our Platform, we request an active class enrollment code, birthdate, username, email, password, and a parent’s email address so that we can email the Child User’s Parent in order to seek consent for the Child to use the Platform. Albert does not ask the Child User for any more information than is necessary to provide the Services to the Child User or to seek parental consent. The Child User will not be able to use the Platform while request for consent from the Parent is pending. If we do not receive Parental consent within 14 days, the Child User’s account will be deactivated, and their Personal Data will be deleted from our systems.
2 - School registration. When the Platform is used by a School in the classroom for an educational purpose, we permit the School to create Child User accounts and to provide the requisite consent for Albert to collect User Information of a Child User for this purpose, in lieu of parental consent. Schools may create Child User accounts using tools that we provide. When Schools create accounts in this manner, we do not request additional consent from the Parent, as we require Schools to gather those consents. Similarly, when a School or Educator User invites a Child User to join the Platform and connect to an Educator User’s class using a class code, we do not require parental consent as it is the responsibility of that School or Educator User to acquire parental consent for each Child User.
Parents may provide consent for a Child User to use the Platform by responding affirmatively to an email sent by Albert to the Parent’s email address provided by the Child User during account creation. If we do not receive consent from the Parent within fourteen 14) days, the Child User’s account will be deactivated and the Child’s Personal Data is deleted from our systems. Until a Parent provides consent in this manner, the Child User will be unable to meaningfully use the Platform.
Parents may review their child’s personal information on Albert, direct us to delete it, and refuse to allow any further collection or use of their child’s information by Albert by revoking their consent. Parents seeking to revoke their consent, review their child’s information, and request a deletion of their child’s data should contact us at schools@albert.io.
12. DATA BREACHES
Within 48 hours of learning about a data breach, or longer reasonable time as may be required by the legitimate needs of applicable law enforcement or as to take measures necessary to determine the scope of the breach and restore reasonable integrity of its systems, we will notify all Users, teachers, Parents, principals, and district administrators whose information may have been improperly disclosed, via email communication to the email address on file for each User. We will inform any Users who oversee those students (i.e. relevant teachers, Parents, principals, and district administrators) if any Student Information or Child User data is involved. This email notification will describe the nature of the data breach, the date of the breach, the types of information that were subject to the breach, and steps that are being taken to protect their Albert.io accounts going forward.
13. USER DATA RIGHTS AND DATA REQUESTS
Certain Users may have additional personal information rights and choices based on where they live. We have tried to provide links to websites that provide more information below. If you feel that this list does not cover your rights, please alert us at hello@albert.io.
If you are a California resident, California law may provide you with additional rights regarding our use of your personal information. To learn more about your California privacy rights, visit https://oag.ca.gov/privacy.
If you are a resident of the European Union or European Economic Area, the General Data Protection Law (“GDPR”) may provide you with additional rights regarding our use of your personal information. To learn more about your GDPR privacy rights, visit https://eugdpr.org/the-regulation/.
You have the right to lodge a complaint with the supervisory authority of your habitual residence, place of work or place of alleged infringement, if you consider that the processing of your personal data infringes applicable law. A list of EU data protection authorities is available at: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080.
For example, certain Users (such as Users in California or the European Union/European Economic Area may have the following rights with respect to their User Information:
● The right to know what information Albert collects from you, why it is collected, and how it is shared.
● The right to have access to your User Information in a portable format, to the extent technically feasible.
● The right to have your User Information deleted by Albert and its Service Providers and to be notified when such deletion has been completed, colloquially known as the “right to be forgotten”.
● The right to have incomplete or inaccurate User Information rectified and to be notified upon rectification.
● Withdraw your consent to the processing of your User Information.
● The right to request information about the categories of information that are sold and/or to opt out of the sale of personal information. (Note: what is covered as a “sale” under California law is not yet clear, but we currently do not “sell” your information, as we understand it.)
Albert is committed to the free exercise of these rights without fear of being denied the opportunity to use the Platform. If you would like to request to review, correct, restrict or delete personal information that you have previously provided to us, object to the processing of User Information, or if you would like to request to receive an electronic copy of your User Information for purposes of transmitting it to another company (to the extent this right to data portability is provided to you by applicable law), or exercise any other rights according to applicable law, please contact us at hello@albert.io. We will respond to your request in accordance with the applicable law that governs the collection, use and deletion of your data and information. The requested deletion will be as comprehensive as possible but is always subject to issues outside of our control, including applicable regulations and laws, your actions and the actions of third parties. It is important to note that we may retain a copy of the information for archival purposes and to avoid identity theft or fraud.
14. NOTICE OF CHANGES
If we are going to make any changes to this Privacy Policy that would change our practices around what data we collect, how we collect that data, or that would lessen the previously noted protections around student data privacy in a material way, we will notify all users at least 30 calendar days in advance of making such a change. We will provide notification via the emails associated with the profiles of our users.
15. CONTACTING US
If you have any questions or comments about this Privacy Policy, please contact us at:
Privacy Director
Learn By Doing, Inc.
909 Davis St, Suite 500
Evanston, IL 60201
hello@albert.io
(312) 470-2290
16. CALIFORNIA AB 1584 COMPLIANCE STATEMENT
This Statement describes the policies and procedures employed by Learn By Doing, Inc. to ensure compliance with the requirements set forth in Section 49073.1 of the California Education Code (the “Code”).
1. Ownership of Student Information. See Section 10 of this Privacy Policy
2. Student-generated content. The Platform does not collect or store any student-generated content. In the event the Platform is updated to incorporate such a feature, we will amend this statement to describe the means by which students may retain possession and control of student-generated content
3. Third-party access and use. See Section 5 of this Privacy Policy.
4. Parent and pupil review procedures. See Section 9 of this Privacy Policy.
5. Security and confidentiality of Student Information. Albert.io is committed to maintaining the security and confidentiality of Student Information. It has designated a Security Compliance Officer (SCO), who is responsible for: (a) ensuring that the Company’s servers are protected against unauthorized access to the greatest degree possible; (b) limiting employee access to Student Information to whatever extent is required for them to perform their job functions; and (c) regularly training employees in data security procedures to further ensure compliance with company data security policies.
6. Unauthorized disclosure. See Section 12 of this Privacy Policy.
7. Post-contract data deletion. See Section 8 of this Privacy Policy.
8. FERPA compliance. Albert.io offers schools and districts utilizing the Platform the means to comply with their obligations under the Family Educational Rights and Privacy Act (20 USC §1232(g)), by enabling Educator Users to inspect and review Student Information and to correct any inaccuracies therein as described in Section 8 of this Statement.
9. Prohibition against targeted advertising. See Section 5 of this Privacy Policy.
17. INTERNATIONAL PRIVACY PRACTICES
If you are using the Platform, including the Site outside of the United States, your data and information is collected in the country in which you are located and is transferred to the United States or another country where our servers are located.
18. CHANGE OF CONTROL
Over time, Albert may grow and reorganize. We may share your User Information with affiliates such as a parent company, subsidiaries, joint venture partners or other companies that we control or that are under common control with us, in which case we will require those companies to agree to use your User Information in a way that is consistent with this Privacy Policy.
In the event of a change to our organizations such that all or a portion of Albert or its assets are acquired by or merged with a third-party, or in any other situation where User Information that we have collected would be one of the assets transferred to or acquired by that third-party, this Privacy Policy will continue to apply to your User Information, and any acquirer would only be able to handle your User Information as per this policy (unless you give consent to a new policy). If you do not consent to the use of your Personal Data by such a successor company, subject to applicable law, you may request its deletion from the company.
In the unlikely event that Albert goes out of business, or files for bankruptcy, we will protect your Personal Data, and will not sell it to any third-party.