Veracross Product Privacy Policy
- The School Environment
- Collected Information
- What Does Veracross Do with the Collected Information?
- Veracross User Data Access
- Student Records
- No Marketing to Students and Parents
- Deletion of Records
- Regional Compliance
- Security Policy
- Third Parties
- Changes to and Access to Personal Information
- Change of Control
- Disclosure of Information to Satisfy Legal Obligations
- Changes and Updates to the Privacy Policy
- Consent to the Gathering and Processing of Information
- Contact
Date created: June 2024
Veracross LLC (“Veracross”) takes the privacy of its users, including students, teachers, and parents, seriously. Veracross is committed to protecting users’ privacy while providing a personalized and valuable learning experience through its education technology products and services (the “Product”).
Veracross has taken the Student Privacy Pledge (2020 version) as a public commitment for the responsible collection and use of student data. Among other things, we have committed to the following:
- We only collect, store, process, or share student information that is needed for authorized education/school purposes, or as authorized by the parent/student.
- We do not sell student personal information.
- We do not use or disclose student information for behavioral targeting of advertisements to students.
- We do not retain student personal information beyond the time period required to support the authorized educational/school purposes.
The complete Student Privacy Pledge (2020 version) can be read here.
If users have any questions about our Privacy Policy, they may contact Veracross at privacy@veracross.com.
The School Environment
Collectively, the classroom, teachers, parents, guardians, students, and school and district administration and employees/agents are referred to in this Privacy Policy as the “School Environment.”
As Veracross is designed to be used in the classroom, much of the information collected is intended to be shared within the School Environment; Product-related or class-related activities, information, or communications may therefore be visible to anyone present in the classroom. Furthermore, some information will be available to other students, teachers, parents, guardians, and school or district administrators and/or employees (see “Veracross User Access Privileges” below). The sharing of the above information is subject to this Privacy Policy and the privacy policies of the relevant educational institutions. If users have any questions about the sharing of this information under those policies, Veracross recommends that users contact the relevant educational institutions.
Veracross has implemented security measures to ensure that this data will not be shared outside the School Environment, except as outlined in this Privacy Policy.
Collected Information
1. Personal Information
The specific information collected depends on the user type (i.e. teacher, district/school staff, parent, and student users). A list of the personal information collected for each user type of the Product, including the type of information collected, how the information is collected and used within the School Environment, whether other users can view the information, and whether the information is shared outside of the School Environment, is available here.
Veracross DOES NOT collect the following data:
- User’s contact lists or friends lists;
- Social media information;
2. Cookies
Cookies are small data files that are commonly stored on your device when you use websites and online services. They are widely used to make websites work, or to work more efficiently, as well as to provide reporting information and assist with services or personalization. There are also other technologies that are similar to cookies, which may store small amounts of data on your device (“local storage”).
Veracross uses the following types of cookies and local storage (collectively called “Cookies” herein):
- Performance and functionality Cookies: These Cookies are not essential, but they help us personalize and enhance your user experience. For example, they may help us to remember your preferences and prevent you from needing to re-enter information more than once, or to remember your ID and password so that you do not have to enter them each time you use our services.
The Veracross Product does not use cookies for advertising purposes.
If you wish to disable the use of Cookies, you may do so from the browser preferences menu of your browser software by either turning off Cookies or by using your browser’s privacy mode when using our services.
The Cookies notice can be obtained by contacting us at privacy@veracross.com.
What Does Veracross Do with the Collected Information?
Veracross only collects and uses user information that is required to fulfill its duties and provide and improve its services. Specifically, collected information is used for the following purposes:
- To operate the Product;
- To monitor & secure the Product;
- To enable users to log in to the Product;
- To allow teachers, parents, guardians, students, and school and district administration and employees/agents to manage and engage with the Product as directed by the school;
- To enable class related activities such as classroom content, assignments/tasks, and communications;
- To provide analytic data to teachers and school administrators;
- For software and customer support purposes;
- For sales, invoicing, and/or billing purposes;
- To enable student billing & tuition management; and
- To enable 3rd party integrations selected by and at the direction of the school.
Veracross does not advertise or market to students or their parents. No personally identifiable student information will be used for marketing purposes.
Veracross does not share personally identifiable information outside the School Environment, except for those purposes stated within this document, without first obtaining the express written consent of the individual.
Parents who log in to the Product are not granted access to personally identifiable information of any student other than their child.
Collected information in aggregate form, whereby individual users are not identifiable (i.e. “de-identified data”), is used for the following purposes:
- To improve the Product;
- For research and statistical purposes;
- For marketing purposes related to the Veracross Product; and
- For customer support purposes.
De-identified data will have all direct and indirect personal identifiers removed. This includes, but is not limited to, name, user ID, date of birth, and location information. Furthermore, Veracross will not attempt to re-identify de-identified data or transfer de-identified data to any party unless that party agrees not to attempt re-identification.
Veracross User Data Access
All user access and/or interactions within the Veracross Product occur in the School Environment among district/school administrators, district/school employees or agents, teachers (including paraprofessionals, aides, behavior specialists, or other school employees), students, and parents (“trusted users”) in the School Environment.
Teachers (including teachers, paraprofessionals, aides, substitute teachers, behavior specialists, or other school employees working with students in the classroom) are granted access to student data for the students in their classes and to parent data for the students in their classes. School/district administration officials may access teacher and student data to monitor in-app activities and student behavior/attendance. Other school employees or agents within the School Environment have appropriate privileges based on their role and need-to-know. These privileges are configured and maintained by the school, not Veracross. Students are granted access to their personal data and all content posted by their teachers or other school officials necessary for them to fulfil their roles within the school. This access is configured and maintained by the school, not Veracross. Note that some data may be displayed by the teacher in front of the whole class or other groups who may not normally have access to this data. This is at the discretion of school officials and not within the control of Veracross. Parents are granted access to data related to their child and their child’s teacher, and to aggregate data for their child’s class.
Detailed information on user data access can be viewed here.
Student Records
Student records are the property of and under the control of the school and/or school district. Students can access their student records by logging in to their student account. Parents and guardians of students under the age of 18 can access their child’s information via their parent account or by contacting the school. Corrections of any erroneous information should be brought to the attention of the school administration. In the event that the teacher or school are unable to make the correction, the school will contact Veracross via normal support channels. Veracross will work with the teacher or school to facilitate correction of any erroneous information.
Third parties are not granted access to personally identifiable information or educational records or other student records except as provided in this Privacy Policy, or after first obtaining the express written consent of the parent or student over 18 years of age.
Should there be any unauthorized disclosure of a student’s records, Veracross will notify the school within 3 days following discovery of the unauthorized disclosure.
No Marketing to Students and Parents
Veracross does not share user data with third parties for marketing purposes. Furthermore, Veracross does not use student data for marketing of any kind, including marketing to students or parents. For information on our privacy practices with respect to the operation of the corporate website, please see Veracross’s Website Privacy Policy here.
Deletion of Records
As our customers require access to records on a continuous basis, Veracross maintains records at the direction of our customers as long as we have an engagement with our customers. Upon termination of an engagement with our customers, records will be deleted within 30 days of the date of termination. Customers have complete control over records lifecycles, including the ability to delete records as they see fit or as directed by a student, parent, faculty, staff, or any other data subject at any time. If you have any concerns about records retention, please contact your school or email privacy@veracross.com.
Regional Compliance
1. United States of America
FERPA
FERPA is an acronym for the Family Education Rights and Privacy Act, a US federal law to protect the privacy of student educational records. FERPA gives parents certain rights with respect to their non-adult children’s education records. These rights include the right to inspect and review the student’s education records maintained by the school, as well as the right to request that a school corrects records which they believe to be inaccurate or misleading.
Furthermore, under FERPA, schools generally must have written permission from the parent in order to release any information from a student’s education record, which includes records, files, documents, and other materials that contain information directly related to a student and are maintained by an educational agency/institution, or the personally identifiable information contained within those records. However, FERPA allows schools to disclose those records, without consent, to various parties under specified conditions, including the following (see 34 CFR § 99.31):
- School officials with legitimate educational interest;
- Other schools to which a student is transferring;
- Specified officials for audit or evaluation purposes;
- Appropriate parties in connection with financial aid to a student;
- Organizations conducting certain studies for or on behalf of the school;
- Accrediting organizations;
- To comply with a judicial order or lawfully issued subpoena;
- Appropriate officials in cases of health and safety emergencies; and
- State and local authorities, within a juvenile justice system, pursuant to specific State law.
Schools may also disclose, without consent, “directory” information such as a student’s name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. However, schools must tell parents about directory information and allow parents a reasonable amount of time to request that the school not disclose directory information about them.
While this act is primarily directed towards educational institutions, Veracross recognizes their role as a “School Official” with a legitimate educational interest under FERPA, and our privacy policy is designed to secure student data in compliance with FERPA and to allow education institutions using Veracross to be compliant with FERPA. Veracross does not disclose student educational records or directory information outside of the School Environment.
COPPA
COPPA is an acronym for the Child Online Privacy Protection Act, a US federal law to protect the privacy of children under the age of 13. COPPA requires that online service providers such as Veracross or teachers/schools acting as a parent’s agent, provide parental notification and obtain parental consent before knowingly collecting personal/individually identifiable information from children under the age of 13, except in limited situations (for exceptions to this consent requirement, please see 16 CFR § 312.5(c)).
Pursuant to the Terms of Use between Veracross and the users of the Veracross Product, teachers, or a teacher’s school or district administration, will obtain verifiable parental consent, should it be required under COPPA. Veracross provides information for teachers, including COPPA Direct Notice (available here) and a sample parental permission document should they require one (available here).
If such personal information is collected without parental consent or collected beyond the scope needed for participation in the Veracross Product, Veracross will delete such information as soon as possible. If you believe that information from a student under the age of 13 has been provided in violation of these terms, please contact us at privacy@veracross.com.
Please review the foregoing sections for descriptions of the types of personal information we collect; how we collect that information; how that information is used; and our policies on protecting that information from third party access.
Veracross takes the rights of children and parents very seriously. To this end:
- Veracross won’t require a child to disclose more information than is reasonably necessary to participate using the Product within the School Environment;
- Parents can review their child’s personal information, direct Veracross to delete it, and refuse to allow any further collection or use of their child’s information; and
- Parents can agree to the collection and use of their child’s information, but still not allow disclosure to third parties unless it is part of the service.
Parents may contact Veracross about following the procedures outlined in the “Changes and Access to Personal Information” section below.
2. European Union
Since May 25, 2018, the European Union General Data Protection Regulation (GDPR) has defined the rules regarding the collection, use, and retention of personal information for residents of the European Union (EU). Veracross complies with applicable GDPR rules.
In order to operate its services, and in accordance with this Privacy Policy, Veracross may collect, use, and retain personal information from users of the Veracross Product who are based in the EU.
Furthermore, in order to operate its services, and in accordance with this Privacy Policy, Veracross also conducts business with third-party data processors in the United States, where personal information for users of the Veracross Product is stored. Accordingly, when Veracross transfers personal information outside of the European Economic Area to the United States, such transfers will be governed by data processing agreements and international data transfer mechanisms that comply with European Union data protection requirements.
3. United Kingdom
Following Brexit, the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419) amended the GDPR, the UK Data Protection Act 2018 (which had implemented the GDPR into UK law) and other data protection legislation including the Privacy and Electronic (EC Directive) Communications Regulations 2003 (SI 2003/2426) (as amended) with the aim of ensuring that the UK data protection legal framework functioned correctly after exit day. Veracross and its US subsidiaries, Magnus Health, LLC, and Digistorm, LLC, comply with applicable UK data protection rules.
In order to operate its services, and in accordance with this Privacy Policy, Veracross may collect, use, and retain personal information from users of the Veracross Product who are based in the UK.
Furthermore, in order to operate its services, and in accordance with this Privacy Policy, Veracross also conducts business with third-party data processors in the United States, where personal information for users of the Veracross Product is stored. Accordingly, when Veracross transfers personal information outside of the United Kingdom to the United States, such transfers will be governed by data processing agreements and international data transfer mechanisms that comply with UK data protection requirements.
EU-U.S. Data Privacy Framework and Swiss-U.S. Data Privacy Framework
Veracross LLC and its US subsidiaries, Magnus Health, LLC, and Digistorm, LLC, comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Veracross LLC and its US subsidiaries, Magnus Health, LLC, and Digistorm, LLC, have certified to the U.S. Department of Commerce that they adhere to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Veracross LLC and its US subsidiaries, Magnus Health, LLC, and Digistorm, LLC, have certified to the U.S. Department of Commerce that they adhere to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/
Veracross LLC and its US subsidiaries, Magnus Health, LLC, and Digistorm, LLC, are responsible for the processing of personal data they receive, under the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, and subsequently transfer such personal data to a third party acting as an agent on their behalf. Veracross LLC and its US subsidiaries, Magnus Health, LLC, and Digistorm, LLC, comply with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF Principles for all onward transfers of personal data from the EU, the UK, and Switzerland, respectively, including the onward transfer liability provisions.
The Federal Trade Commission has jurisdiction over the compliance of Veracross LLC and its US subsidiaries, Magnus Health, LLC, and Digistorm, LLC, with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. In certain situations, Veracross LLC and its US subsidiaries, Magnus Health, LLC, and Digistorm, LLC, may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Veracross LLC and its US subsidiaries, Magnus Health, LLC, and Digistorm, LLC, commit to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact Veracross, LLC at privacy@veracross.com.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Veracross LLC and its US subsidiaries, Magnus Health, LLC, and Digistorm, LLC, commit to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.
4. Canada
Rights of users located in Canada are governed by the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, the Personal Information Protection Act, R.S.A. 2003, c. P-6.5, the Personal Information Protection Act, R.S.B.C. 2003, c. 63 and an Act respecting the protection of personal information in the private sector, CQLR, c. P-39.1, as amended by Law 25, An Act to modernize legislative provisions as regards the protection of personal information (as applicable based on the location of the user in Canada).
Since the adoption of Law 25, Quebec residents have enhanced rights with respect to their personal information, including:
- Access Rights: the right to receive confirmation of the processing of their personal information, of the nature of the information being processed, and to receive a copy of it.
- Data Portability Right: the right, subject to certain exceptions, to ask that the processing organization communicate to them computerized personal information in a written, intelligible transcript, and any collected personal information in a structured, commonly used, technological format.
- Rectification Right: subject to certain requirements and exceptions, the right to ask to correct the information in the processing organization’s possession if it is inaccurate, incomplete, or ambiguous, or if collecting, communicating, or keeping it is not authorized by law.
- De-indexation Right or “Right to be Forgotten”: the right to ask organizations to stop disseminating their personal information or to de-index any hyperlink attached to their name giving access to information if this dissemination causes them harm or contravenes the law or a court order.
- Automated Decision Making: the right to be informed when they are the subject of a decision based exclusively on automated processing of their personal information. Organizations must also, on request, inform them about the personal information used to make the decision, the reasons and main factors leading to the decision, and the right to request correction of the personal information used to make the decision. They must also be given the opportunity to present their observations to a member of the organization’s staff for review of this decision.
Canadian users can access and modify their personal information in Veracross’s possession using their user login and password, or by following the instructions in the section of this document titled “Changes to and Access to Personal Information.”
To exercise their other access rights under Canadian law, residents of Canada shall contact the School on whose behalf Veracross processes their personal information.
Please note that because Veracross and their service providers are located in the United States and other countries outside Canada, we may transfer personal information that we collect or that you provide as described in this policy to contractors, service providers, and other third parties we use to support our business and who are contractually obligated to keep personal information confidential, use it only for the purposes for which we disclose it to them, and to process the personal information with the same standards set out in this policy.
We may process, store, and transfer your personal information in and to foreign countries, with different privacy laws that may or may not be as comprehensive as Canadian law. In these circumstances, the governments, courts, law enforcement, or regulatory agencies of that country may be able to obtain access to your personal information through the laws of the foreign country. Whenever we engage a service provider, we require that its privacy and security standards adhere to this policy and applicable Canadian privacy legislation.
Security Policy
Veracross uses industry standard methods to protect the confidentiality, security, and integrity of its customers’ data, including personal information collected from children, against unauthorized use or access, disclosure, alteration, unlawful or accidental destruction, or loss. We ensure that all such protected data is encrypted both at rest and in transit and is only retained or deleted in accordance with this Privacy Policy or any overriding agreements with educational agencies.
Veracross does not share the data covered by this policy informally among its employees. Only those employees who require the protected data to carry out their duties are granted access. In such cases, access is granted based on the principle of least privilege, which means that each program and employee is granted the fewest privileges necessary to complete their tasks. Employees with access to protected data are given training to apprise them of their responsibilities when handling data and the various laws and agreements covering data security. Such employees are also given a unique user ID for purposes of accountability.
Veracross performs periodic risk/vulnerability assessments and data privacy and security compliance audits. Veracross will remediate any identified security vulnerabilities in a timely manner. We also have a written incident response plan, which includes prompt notification to the school/district in the event of a security or privacy incident, as well as best practices for responding to a breach of personally identifiable information. We will share this incident response plan upon request.
While Veracross is committed to implementing best practices with regard to information and data security, we cannot make a 100% security guarantee due to constant advances in virus and hacking technology, as well as unforeseeable hardware or software failures and other risk factors. Veracross can therefore not be held responsible for data loss or alteration. Veracross will notify any affected customer of a personal data breach in accordance with applicable law.
For additional information about our security measures and for a copy of our Data Security Policy, please visit our Trust Center.
Third Parties
1. Third Party Links
Any member of the school community may make postings that contain links to third party services in various sections of Veracross. Common examples of this would be links to videos hosted by YouTube or Vimeo, links to Wikipedia or other reference material, and so on. It is the responsibility of the customer to ensure that this content is appropriate and free from links to sites which may compromise the privacy of their students. Veracross does not actively monitor content and has no responsibility for this content.
2. Third Party Integrations
Third Party software may be integrated with Veracross. Veracross has no responsibility for the content, policies, or actions of these websites and they are entirely separate from Veracross and are not covered by this Privacy Policy.
Veracross also provides users with the option of registering/logging into the Product with single sign-on authentication through Third-Party software. If you choose to access our Product through single sign-on authentication, Veracross may exchange personal information such as the user’s email address with the authentication service, depending on your privacy settings with that service. Veracross will only collect and store such information in accordance with this policy. We recommend familiarizing yourself with any authentication service’s terms of use and privacy settings and policies before using such services to connect to Veracross.
A list of these Third-Party Integrations, including the services they provide to Veracross, the information we share with them or that they share with us, their privacy policies, and their contact information, can be found here.
3. Third Party Service Providers
Veracross may use trusted Third-Party Service Providers to support our Product by assisting us with providing, maintaining, and improving our services. To this end, Veracross may share information with these providers, but only to the extent necessary to provide our services, and only in accordance with our needs, this Privacy Policy, and all other applicable privacy agreements, laws, and/or requirements.
A list of these Providers, including the services they provide to Veracross and the information we share with them or that they share with us, their privacy policies, and their contact information, can be found here.
Changes to and Access to Personal Information
Users have access to their personal information via their Veracross user account, or by contacting the teacher or school administration. Users may also request a copy of their personal information, make modifications to any incorrect information, or exercise any other rights available to them under applicable law by sending a written request to
Users can also correct and update their personal information by contacting the school.
Change of Control
In the event that all or a portion of Veracross or their assets are acquired by or merged with a third party, personal information that we have collected from users would be one of the assets transferred to or acquired by that third party. This Privacy Policy will continue to apply to your information, and any acquirer would only be able to handle your personal information as per this policy (unless you give consent to a new policy). We will provide you with notice of an acquisition within thirty (30) days following the completion of such a transaction, by posting on our homepage, or by email to your email address that you provided to us. If you do not consent to the use of your personal information by such a successor company, you may request its deletion from the company.
Disclosure of Information to Satisfy Legal Obligations
Veracross may disclose personal information if we have a good faith belief that doing so is necessary to comply with the law, such as complying with a subpoena or other legal process. We may need to disclose personal information where, in good faith, we think it is necessary to protect the rights, property, or safety of Veracross, our employees, our community, or others, or to prevent violations of our Terms of Use or Terms of Service or other agreements. This includes, without limitation, exchanging information with other companies and organizations for fraud protection or responding to government requests.
Changes and Updates to the Privacy Policy
This Privacy Policy is effective as of June 2024. Veracross may, at its sole discretion, update, revise, modify, and/or supplement this Privacy Policy from time to time. Should we make modifications to this policy or the related Terms of Service, we’ll post a notice that you will receive when you log in to the Product and/or we will send an email directly to the school. Veracross’s updated Privacy Policy and Terms of Service will also be posted on Veracross’s corporate website. Veracross asks users to review the updated Privacy Policy and/or Terms of Service before continuing to use our services. The user’s continued use of the services provided by Veracross after the updated Privacy Policy takes effect will constitute the user’s acceptance of the updated Privacy Policy.
Consent to the Gathering and Processing of Information
By accepting the Terms of Service, users are expressly giving Veracross a special declaration that users have agreed to the terms of this Privacy Policy governing the collection and processing of their personal information for purposes of services provided by Veracross. Users are further declaring that users are aware of the purpose for Veracross collecting, processing, and using such information, how the processing will be conducted, and how users’ privacy will be protected.
Contact
Veracross provides service to their users and users’ trust is of utmost importance to Veracross. If users have any questions about this Privacy Policy, users should contact Veracross at: privacy@veracross.com.