GDPR, COPPA, CCPA and FERPA

Last updated: 16.04.2021

EU General Data Protection Regulation (GDPR)

RESIDENT OF EUROPEAN UNION From the 25th of May 2018, the processing of Personal Information of users based in the European Union (“EU”) is subject to the EU General Data Protection Regulation (“GDPR”). This section provides information as relates to EU users’ rights, and CleverBooks’ responsibilities, under this regulation.

CleverBooks is headquaertered in Dublin, Ireland and has operations and service provided throughout the world. CleverBooks Ltd takes the protection and security of personal data extremely seriously and has standardised policies and procedures to manage and protect the data that we process on behalf of our clients. We have significant experience in the education sector, working with hundreds of primary schools in Europe and globally. With the General Data Protection Regulation (GDPR) coming into effect in May 2018, we carried out technical and organisational measures to ensure that we comply with GDPR, and updated our policies and procedures accordingly.

We have implemented a plan to achieve GDPR compliance:

  • All our staff have undergone GDPR awareness training sessions
  • DPO has been appointed to address GDPR queries
  • Conducted an audit of all personal data we hold or process, including where it comes from
  • Requested from all users data storing and processing consent
  • We have reviewed the legal basis for all personal data processing to ensure we are compliant and to ensure that, if required, we have the appropriate consent in place. Added GDPR consent confirmation request from all new subscribers (eg., Mailchimp email subscription)
  • We have reviewed and updated our policies and procedures to ensure that we comply with all the rights of individuals under GDPR including processes for secure data deletion, handling Subject Access Requests etc.
  • We have data protection by design throughout our processes and we will continue with this policy
  • We have updated our Privacy policy to make it clearer and more understandable

COPPA and FERPA compliance:

Because some of our users may be interested in it, we have included some information below related to the Children’s Online Privacy and Protection Act (“COPPA”) and he U.S. Family Educational and Privacy Act (FERPA).

Data collected by CleverBooks may include personally identifiable information from education records that are subject to FERPA (“FERPA Records”). In order to allow CleverBooks to provide the user with the Services, you hereby designate CleverBooks as a “school official” under the direct control of the school with regard to the use and maintenance of the FERPA Records and will comply with FERPA.

COPPA requires that online service providers obtain parental consent before they knowingly collect personally identifiable information online from children who are under 13. Therefore, CleverBooks only collects personal information through the Services from a student under 13 where their school, district, and/or teacher has agreed in order to obtain parental consent to use the Services and disclose personal information to us for the use and benefit of the learning environment. Such consent shall not be deemed as consent pursuant to Art. 6 (1) a) GDPR.

If you believe that a student under 13 may have provided us personal information in violation of this paragraph, please contact us at support@cleverbooks.eu

California Residents’ Privacy Rights/CCPA

California residents have rights to request access to or deletion of their personal information and may not be discriminated against because they exercise any of their rights under the California Consumer Privacy Act in violation of Cal. Civ. Code §1798.125. They can make requests as follows: (1) use our self-serve access and deletion tools available in your account settings or (2) send an email to dpo@cleverbooks.eu with details of your specific request. California residents also have the right to opt out of the sale of their personal information; CleverBooks does not provide this option as we do not sell your personal information. CleverBooks will not collect new categories of personal information or use previously collected personal information for materially different purposes without first notifying you. We do not collect and use personal information regarding California resident however below are the types of personal information under CCPA that would only be collected if you provided such personal information directly to CleverBooks:

  • Category A: Identifiers. Examples: A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, driver’s license number, passport number, or other similar identifiers. Collected: Yes.
  • Category B: Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). Examples: A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories. Collected: Yes.
  • Category C: Protected classification characteristics under California or federal law. Examples: Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). Collected: No.
  • Category D: Commercial information. Examples: Records and history of products or services purchased or considered. Collected: Yes.
  • Category E: Biometric information. Examples: Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. Collected: No.
  • Category F: Internet or other similar network activity. Examples: Interaction with our Service or advertisement. Collected: Yes.
  • Category G: Geolocation data. Examples: Approximate physical location. Collected: Yes.
  • Category H: Sensory data. Examples: Audio, electronic, visual, thermal, olfactory, or similar information. Collected: No.
  • Category I: Professional or employment-related information. Examples: Current or past job history or performance evaluations. Collected: No.
  • Category J: Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). Examples: Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. Collected: No.
  • Category K: Inferences drawn from other personal information. Examples: Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. Collected: No.

Under CCPA, personal information does not include:

  • Publicly available information from government records
  • Deidentified or aggregated consumer information
  • Information excluded from the CCPA’s scope, such as:
    • Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data
    • Personal Information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.

“Do Not Track” Policy as Required by California Online Privacy Protection Act (CalOPPA)

Our Service does not respond to Do Not Track signals.

However, some third party websites do keep track of Your browsing activities. If You are visiting such websites, You can set Your preferences in Your web browser to inform websites that You do not want to be tracked. You can enable or disable DNT by visiting the preferences or settings page of Your web browser.

Under California Civil Code Section 1798 (California’s Shine the Light law), California residents with an established business relationship with us can request information once a year about sharing their Personal Data with third parties for the third parties’ direct marketing purposes.

California Business and Professions Code section 22581 allow California residents under the age of 18 who are registered users of online sites, services or applications to request and obtain removal of content or information they have publicly posted.

To request removal of such data, and if You are a California resident, You can contact Us using the contact information provided below, and include the email address associated with Your account.

Be aware that Your request does not guarantee complete or comprehensive removal of content or information posted online and that the law may not permit or require removal in certain circumstances.

Personal Information

CleverBooks relies on consent in connection with Personal Information collections or uses (if required to use CleverBooks services and/or receive information and/or communication from CleverBooks via email subscription) that are necessary to enhance the user experience, to enable optional services or features, or to communicate with you.

  • Withdrawal of consent – CleverBooks believes that we are only entitled to access or use your Personal Information if we have your consent to do so. Whenever we rely on your consent, you will always be able to withdraw that consent.
  • Deletion – If the user requests that his/ her personal information kept with CleverBooks be erased/deleted, the same will be obliged through us. User data will be deleted without any backup thus user when requesting data deletion needs to be aware of this consequence.
  • Access to personal information – CleverBooks does not share any personal information with third parties. CleverBooks educational platform collects and stores personal data from registered clients to enable work storage on the website for further user(s) reference.

Type of personal data

To provide the core service, CleverBooks processes the following personal data:

Pupils: No individual data is being processed on students, neither an individual is being recognized and/or identified when using CleverBooks solutions. When using mobile apps from CleverBooks, there is no data/information collected and/or stored about a user apart from standard information collected by Google Play (https://play.google.com/about/privacy-security-deception/user-data/) and iTunes (https://support.apple.com/en-ie/HT208477). In the case of use of CleverBooks educational platform the principle device=user is implemented. CleverBooks does not identify how many students are using the same mobile device at a time

Teacher/school staff: Name, email, registration group/classes only via CleverBooks education platform. When using CleverBooks apps, there is no data/information collected and/or stored about a user apart from standard information collected by Google Play (https://play.google.com/about/privacy-security-deception/user-data/) and iTunes (https://support.apple.com/en-ie/HT208477).

Parent/guardian: Name, email, registration group/classes only via CleverBooks education platform. When using CleverBooks apps, there is no data/information collected and/or stored about a user apart from standard information collected by Google Play (https://play.google.com/about/privacy-security-deception/user-data/) and iTunes (https://support.apple.com/en-ie/HT208477).

Who can access personal data?

Where it is necessary to access client data, for example to investigate a support case, only approved CleverBooks Ltd support and technical staff can access it.
CleverBooksLtd staff are vetted and are subject to contractual data access policies and confidentiality clauses.

How are errors in data corrected?

User data is obtained from the user who makes registration to use the software from CleverBooks, i.e. registers as account administrator. Account administrators can correct user data generated within CleverBooks platform.
Support and assistance is available from our support team dpo@cleverbooks.eu.

How do I make a Subject Access Request or implement the Right to be Forgotten?

Where Subject Access Requests and/or Right to be Forgotten are applicable to client data in an CleverBooks Ltd product we provide, or will provide, means for authorised client users to carry out activities directly. Support and assistance is available from our support team dpo@cleverbooks.eu.

How does CleverBooksLtd protect personal data and where is it processed?

Our platform and client data are stored on approved and compliant cloud infrastructure. Our servers are hosted in Europe to ensure client data is retained within the European Economic Area (EEA). We use multiple protective layers within the platform to protect our services, including encryption and firewalling. We routinely carry out vulnerability and penetration testing on our platforms and promptly address any issues identified.

All transfers of client data use TLS 1.2 whilst being transmitted over public and private networks. All data at rest is encrypted with AES256 block-based encryption.

Rights of the person concerned: 

Pursuant to Section III of the GDPR, the person concerned shall be entitled to exercise their right to:

  1. access personal data (you will therefore have the right to have free information about the personal data held by the Data Controller, as well as to obtain a copy thereof in an accessible format);
  2. amend incorrect, inaccurate or old data (upon your request, where the data do not express evaluation elements);
  3. withdraw consent (if you had consented to the processing, you may withdraw your consent at any time and upon such revocation of consent your data shall no longer be processed);
  4. cancel their personal data – right to be forgotten (for example, in case of withdrawal of consent, if there is no other legal basis for data processing);
  5. restrict data processing (in certain cases – dispute the accuracy of the data, within the timeframe necessary for verification; dispute the lawfulness of the processing with refusal to the cancellation; your need to use the data to exercise your defense rights, while they are no longer useful for the purposes of the processing; in the event that the processing has been denied, while the necessary checks are being carried out – the data will be stored in such a manner that they may be restored if need be, but, in the meantime, cannot be consulted by the Controller if not in relation to the validity of your request for restriction);
  6. deny consent to the processing due to legitimate reasons (under certain circumstances, you may in any case object to the processing of data, and in any case you may refuse processing for direct marketing purposes);
  7. data portability (upon your request, the data shall be transmitted to the subject indicated by you in such a format that they can be easily consulted and used);
  8. advance a dispute to the Supervisory Authority (Privacy Authority).

Exercise of users’ data protection rights:  You may contact us via email at dpo@cleverbooks.eu, in order to assert your rights, namely: the confirmation of the existence of data concerning yourself and their origin and processing and the purposes thereof; the cancellation, transformation into anonymous form or the blocking of data processed in violation of the law; the updating, rectification or integration of data; certification that the operations have been brought to the attention of those to whom the data were communicated or disseminated. You may also object at any time to the possible profiling of your personal data.

How can I contact CleverBooks’ DPO?

If your school would like further information on GDPR compliance in CleverBooks Ltd products then please contact our support team at dpo@cleverbooks.eu

You may exercise Your rights of access, rectification, cancellation and opposition by contacting Us. Please note that we may ask You to verify Your identity before responding to such requests. If You make a request, We will try our best to respond to You as soon as possible.

You have the right to complain to a Data Protection Authority about Our collection and use of Your Personal Data. For more information, if You are in the European Economic Area (EEA), please contact Your local data protection authority in the EEA.