Effective Date: April 2020
"Personal Data" means personally identifiable data, including without limitation, names, email addresses, or any other non-public identifying information about individuals as provided under applicable privacy laws or regulations. "Data Protection Laws" means all laws and regulations, including laws and regulations of the European Union ("EU") and the European Economic Area ("EEA") and their member states, Switzerland and the United Kingdom, applicable to the processing of Personal Data and including the EU General Data Protection Regulation 2016/679 ("GDPR").
What information do we collect and why do we collect it?
The sole purpose for processing your Personal Data is to provide our Service to our clients. In order to provide our Service, we may ask you to supply us with certain personally identifiable information, including but not limited to first name, last name and email address. Additionally, as with most websites and technology services delivered over the Internet, our servers automatically collect information when you access or use the Service and record it in log files. This log data may include the Internet Protocol (IP) address, browser type and settings, the date and time the Service was used, information about browser configuration and plugins, language preferences and cookie data.
How do we collect your data?
Sometimes, you provide your data directly to us when you register your account to receive the Service or when you download the Ed app. We may also receive your information from your employer (our client), who will have a contractual relationship with EdApp to provide learning to its employees. You may also choose to sign up on our website for webinars or to receive more information about our products and services.
What do we do with your data?
We require certain information so that we can create your account, deliver customer support to you and send you prizes that you may win through your activity on the Service. When you contact us, we may keep a record of your communication to help solve any issues you might be facing. We may contact you about billing, account management services and other administrative matters. We may also use your email address to inform you about our services, such as letting you know about webinars, upcoming changes or improvements. We also use some data in anonymized form to analyze the performance of our Service. We may share aggregated or de-identified information with third parties for research, marketing, analytics, and other purposes, provided such information does not identify a particular individual.
How long do we keep your data?
We may be required to keep some of your information for certain periods of time under law. When we no longer require your information, we will ensure that your information is destroyed or de-identified.
EdApp utilizes Amazon Web Services ("AWS") for data storage, with servers located in Australia and the United States. AWS is a participant in the EU/US Privacy Shield certification. EdApp may engage other third-party sub-processors in connection with the delivery of services. We have entered into written data processing agreements with all our sub-processors, which contain data protection obligations no less protective than those required by the GDPR.
We value your trust in providing us your Personal Data and we strive to use reasonable means of protecting it, including the maintenance of appropriate technical and organizational security measures designed to protect the security of any Personal Data we store and process. Due to the inherent nature of the Internet, we cannot guarantee that the Internet is 100% secure. Although we will do our best to protect your Personal Data, the transmission of information is at your own risk; therefore, we advise you to only access the Service through a secure environment.
How do we comply with GDPR?
EdApp is committed to maintaining the highest degree of integrity in all dealings with potential, current and past clients, both in terms of normal commercial confidentiality and also the protection of all personal information received in the course of providing its services. In most circumstances, EdApp will process your Personal Data as a Data Processor (as defined in the GDPR) but in some situations, EdApp may operate as the Data Controller.
What is the legal basis for processing your information?
Under GDPR, the main grounds that we rely upon in order to process Personal Data collected via our websites and Services are the following:
(a) Necessary for entering into, or performing, a contract -- in order to perform obligations that we undertake in providing a Service to you, or in order to take steps at your request to enter into a contract with us, it will be necessary for us to process your Personal Data;
(b) Necessary for compliance with a legal obligation -- we may be subject to certain legal requirements which may require us to process your Personal Data. We may also be obliged by law to disclose your Personal Data to a regulatory body or law enforcement agency;
(c) Necessary for the purposes of legitimate interests -- either we, or a third party, will need to process your Personal Data for the purposes of our (or a third party's) legitimate interests, provided we have established that those interests are not overridden by your rights and freedoms, including your right to have your Personal Data protected. Our legitimate interests include contractual obligations to our clients, responding to requests and enquiries from you or a third party, optimising our website, applications and customer experience, informing you about our products and services and ensuring that our operations are conducted in an appropriate and efficient manner;
(d) Consent -- in some circumstances, we may ask for your consent to process your Personal Data in a particular way.
What are your rights under GDPR?
Your principal rights under the GDPR are:
- the right to access -- you have the right to request copies of your Personal Data. We may charge you a small fee for this service.
- the right to rectification -- you have the right to request that EdApp correct any information you believe is inaccurate or incomplete.
- the right to erasure -- you have the right to request that EdApp erase your Personal Data, under certain conditions.
- the right to restrict processing -- you have the right to request that EdApp restrict the processing of your Personal Data, under certain conditions.
- the right to object to processing -- you have the right to object to EdApp processing your Personal Data, under certain conditions.
- the right to data portability -- you have the right to request that EdApp transfer the data that we have collected to another organization, or directly to you, under certain conditions.
- the right to complain to a supervisory authority; and
- the right to withdraw consent -- to the extent that we are processing your information based on your consent, you have the right to withdraw your consent at any time.
If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please contact us at firstname.lastname@example.org.
Data Transfers (for EEA users)
In the event that any Personal Data is provided to third parties outside the EEA, or who will access the information from outside the EEA, EdApp shall ensure that the level of security put in place will comply with GDPR, including the standard Contractual Clauses approved by the European Commission or the EU/US Privacy Shield.
Unless specified otherwise by agreement, consent, or legal requirements, EdApp may process your Personal Data on servers located outside your country of residence, including outside the EEA. For performance reasons, your Personal Data and other content uploaded to the Service may be cached and served from servers that are closer to your location.
If you believe that our processing of your Personal Data infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so in the EU member state of your habitual residence, your place of work or the place of the alleged infringement. You can find a list of the relevant authorities in the EEA and the European Free Trade Area here.
Your California Privacy Rights
This section provides additional details about the Personal Data we collect about California consumers and their rights under the California Consumer Privacy Act or "CCPA."
For more details about the Personal Data we have collected over the last 12 months, including the categories of sources, please see the "What information do we collect and why do we collect it?" section above. We collect this information for business and commercial purposes. We share this information with the categories of third parties described in the Third-party sub-processors section above. EdApp does not sell (as such term is defined in the CCPA) any Personal Data that we collect.
Subject to certain limitations, the CCPA provides California consumers the right to request to know more details about the Personal Data we collect (including how we use and disclose this information), to delete their Personal Data, to opt out of any sales or marketing communication, and to not be discriminated against for exercising such rights.
California consumers may make a request pursuant to their rights under the CCPA by contacting us at email@example.com. We will verify your request using the information associated with your account, including email address. Government identification may be required. Consumers can also designate an authorized agent to exercise these rights on their behalf.
Our Services are not designed to appeal to minors. We do not knowingly attempt to solicit or receive any information from anyone under the age of 13. If we discover that a child under 13 has provided us with Personal Data, we will immediately delete this from our servers. If you are a parent or guardian and you are aware that your child has provided us with Personal Data, please contact us immediately at firstname.lastname@example.org.
If you have questions or comments about this Policy, please email us at email@example.com.
Appendix 1 (Data Protection Compliance)
In this Appendix and in Appendix 2 (Data Processing Agreement):
Data Protection Laws means the EU Data Protection Laws and the laws of other states and territories that create and regulate substantially similar concepts and legal principles as are contained in the EU Data Protection Laws in relation to the processing of personal data and sensitive personal data.
EU Data Protection Laws means, up to and including 24 May 2018, any legislation in force from time to time which implements the EU Directive 95/46/EC and relevant national implementations of the same and, with effect on and from 25 May 2018, means the GDPR and any relevant national implementations of the same;
personal data, sensitive personal data, consent, controller, processor, data subject and processing mean those concepts, roles and activities as defined in the applicable EU Data Protection Laws (and on and from 25 May 2018 sensitive personal data means those classes of personal data that are described in Article 9 of the European General Data Protection Regulation 2016/679) or, where relevant, equivalent concepts, roles and activities as described in other Data Protection Laws.
We are the controller in respect of personal data and sensitive personal data, such as account registration details, that we collect directly from users of EdApp (End Users) and users of No-Charge Services, and which we use for the purposes of our business.
You are the controller and we are the processor in respect of any other personal data and sensitive personal data (including within Your Modifications) that is uploaded by End Users and/or users of No-Charge Services including data, templates, information, content, code, video, images or other material of any type (Materials), or which is provided by your administrators.
From 25 May 2018, to the extent that EdApp and/or No-Charge Services comprise the processing of personal data or sensitive personal data where we are the processor and you are the controller and the processing of personal data or sensitive personal data is subject to the GDPR:
- you will comply with the requirements of the GDPR as the same apply to you as controller of the personal data or sensitive personal data; and
- the provisions of Appendix 2 (Data Processing Agreement) to these Terms shall apply
- There is a lawful basis for the collection and processing of personal data and/or sensitive personal data; and
Appendix 2 (Data Processing Agreement)
The provisions of this Appendix (Data Processing Agreement) form part of the Agreement to the extent that Section 6 of the Agreement applies.
The Company shall:
- process personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by European Union or the national law of an EU member state to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
- ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- implement appropriate organisational and technical measures as required pursuant to Article 32 (security of processing) of the EU General Data Protection Regulation 2016/679. The measures that we consider appropriate are more fully described in our Architecture and Security document (a copy of which is available on request). This document outlines:
  - our architecture and infrastructure through which Services and No-Charge Services are provided;
  - security controls employed by us and our service providers in protecting personal and/or sensitive personal data; and
  - security controls employed by our support channels which handle personal data or sensitive personal data.
- respect the conditions for engaging another processor referred to in paragraphs 2 and 4 of Article 28 (processor) of the EU General Data Protection Regulation 2016/679;
- taking into account the nature of the processing, assist the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the EU General Data Protection Regulation 2016/679;
- assist the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the EU General Data Protection Regulation 2016/679 taking into account the nature of the processing and the information available to the processor;
- at the choice of the controller, delete or return all the personal data to the controller after the end of the provision of services relating to processing, and delete existing copies unless EU law or the national law of an EU member state or another applicable law, including any Australian state or Commonwealth law to which the processor is subject requires storage of the personal data;
- make available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 (processor) of the EU General Data Protection Regulation 2016/679 and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller (in each case at the controller's cost).