In an effort to make this Policy a bit more readable, unless the context indicates otherwise, we refer to:
schools and school districts that use Emote’s services collectively as “schools”,
teachers and other individuals authorized by a school to use Emote in their work directly with students as “teachers”,
principals and other supervisory or support personnel authorized by a school to use Emote as “administrators”,
teachers and administrators together as “school officials”,
adult parents or guardians of a minor student authorized by a school to use Emote as “parents”, and
each authorized school official and parent as “you.”
Although we may add new features in the future that contemplate direct student interaction as well as parent interaction, Emote is currently intended for use only by school officials.
Much of Emote’s value is its ability to accept and store, and ultimately process and present back in usable ways, information relating to students. In other words, when schools and school officials take advantage of Emote’s full potential, they are providing and accessing information relating to the students entrusted to them, and are in turn entrusting that information to us. That trust is something we take very seriously and have prepared this Policy in an effort to be transparent about the steps we take to protect information entered in Emote about both students and school officials, who has access to that information and how that information is used.
Role of school and school officials
Although the balance of this Policy will focus largely on what we do — and what we confirm we will not do — with information entered in Emote, we believe schools and school officials are critical partners in our collective efforts to protect and ensure only appropriate use of student-related information entrusted to them and to us.
In that regard, it is important that schools and school officials using Emote be mindful that in granting or allowing access to Emote, they are controlling who has access to student information. When we reference “granting or allowing access,” we are referring to both intentional actions, such as an administrator authorizing an Emote account for a teacher, as well as unintentional actions or consequences that may flow from, for example, allowing students access to Emote login credentials or a school’s failure to maintain sufficient data governance or security practices.
In cases where FERPA applies (more below), access to certain student information remains the legal responsibility of the applicable school. In all situations, it is incumbent upon our customers to make an affirmative determination prior to furnishing access to anyone that the party has a legitimate need for access to Emote and the sensitive information that may be accessible to that party through Emote.
How We Collect and Use Information
Information About Students
FERPA and Education Records
Although the Family Educational Rights and Privacy Act, or FERPA, was enacted roughly 40 years ago, and certainly well before internet-based services became ubiquitous in academic settings, one of its core tenets was and remains the protection of the privacy of personally identifiable information (often called “PII”) in students’ education records. As defined in FERPA, “education records” are “those records, files, documents and other materials which (i) contain information directly related to a student; and (ii) are maintained by an educational agency or institution or by a person acting for such agency or institution.” PII from education records includes information, such as a student’s name or identification number, that can be used to distinguish or trace an individual’s identity, either directly or indirectly through linkages with other information.
FERPA generally requires that educational institutions and agencies that receive certain federal funds (for example, public schools) get prior consent from a parent before disclosing any education records regarding that student to a third party. Consequently, if you are using Emote on behalf of an educational agency or institution and FERPA applies, before you enter, upload or access any data concerning a minor student, you must confirm that your agency or institution has (1) obtained appropriate consent from the parent or guardian of that student or (2) determined that one of the limited exceptions to the consent requirement applies. You can find more information on FERPA and related guidance here, and a summary of the limited exceptions here.
Although we hope it goes without saying, we will only use PII from students’ education records to enable school officials and parents to access and use Emote. Unless a school official expressly instructs otherwise, we will not share or reuse PII from education records for any other purpose. While we think those statements are clear, to avoid any doubt, we will not use student PII to target students or their families for advertising or marketing efforts or sell rosters of student PII to third parties (setting aside whether that violates FERPA, as a mission-driven organization, we simply think that is the wrong thing to do).
COPPA and Children under the Age of 13
Some people tend to link (and sometimes confuse) FERPA and COPPA. The intent of the Children’s Online Privacy Protection Act, or COPPA, is to give parents control over commercial websites’ and online services’ collection, use and disclosure of information from children under the age of 13. Many assume COPPA applies to all internet-based services, regardless of the identity of the end user. When Emote is used as intended by school officials, although that use may involve information relating to students under 13, the student is not the end user and COPPA does not apply.
Information About school officials
We collect information from and about you when you provide it to us, and automatically when you use Emote. (Again, “you” refers to an authorized school official Emote user, not students.)
Information You Provide to Us
When you register with or use Emote, you are expected to provide certain PII about you, such as first and last name, role, email address and associated school. You may also be asked to provide certain PII or other information as a means of validating that you are who you say you are. In addition, you may be asked to provide information from time to assist with ongoing support and maintenance; this may include information like records and copies of your correspondence (including email addresses and phone numbers) if you contact us.
Automatic Information Collection And Tracking
When you access and use Emote, it may use technology (such as cookies, discussed further below) to automatically collect:
certain details of that access and use, including traffic data, location data and logs, and
information about your computer or other device and internet connection, including the device’s unique device identifier, IP address, device location, operating system, and browser type.
With respect to technology that automates this information collection and tracking, we may use the following on Emote’s web pages and in emails from us to you:
cookies, which are small files placed on the hard drive of your computer or other device, and
small electronic files known as web beacons (also referred to as clear gifs, pixel tags and single-pixel gifs) that permit us to, for example, count users who have visited those pages or opened an email and for other related statistics.
We use or may use the data collected through cookies, log files, device identifiers, and web beacons to: (a) remember information so that a user will not have to re-enter it during subsequent visits; (b) provide custom, personalized content and information; (c) provide and monitor the effectiveness of Emote; (d) monitor aggregate metrics such as total number of visitors, traffic, and usage; (e) diagnose or fix technology problems; and (f) help users efficiently access information after signing in.
Third-Party Information Collection
As discussed further under Disclosure and Retention of PII, we may use third-party providers to support elements of Emote’s infrastructure or functionality. These providers may, like us, use automatic information collection technologies to enable or streamline certain features they are providing on our behalf. In all cases, these providers will be contractually bound to us to keep PII confidential and to only in use it in order to fulfill their responsibilities to us.
How We Use Your Information
We will use information that you, as a school official or parent, provide through Emote to (as applicable):
provide Emote and any other products or services you may request from us,
give you notices about your subscription, including expiration and renewal notices,
carry out our rights and responsibilities under agreements between us and your school, and
notify you of changes to Emote (including substantive changes to this Policy or other user policies).
How We Store and Protect Your Information
Disclosure and Retention of PII
Except as expressly set forth below and under the Third-Party Information Collection heading above, and only in those limited circumstances, we will not disclose any PII relating to students, parents or school officials to third parties without your consent or the consent of your associated school.
We may disclose PII to those contractors and other service providers that we use to support our business. These may include individuals (such as data scientists and software developers) and commercial vendors that provide or support elements of Emote’s infrastructure or functionality. In all cases, these providers will be bound by contractual obligations to keep PII confidential and to use it only for the purposes for which we disclose it to them.
We may also disclose PII to fulfill the purpose for which you provide it. For example, if you give us an email address to use the “email a friend” feature, we will transmit the contents of that email and your email address to the recipients.
If a third party purchases all or most of our ownership interests or assets, or we merge with another organization, it is possible that we would need to disclose PII to the other organization following the transaction, for example, were we to integrate Emote with the other organization’s product offerings. To the extent any such transaction would alter our practices relative to this Policy, we will give schools advance notice of those changes and any choices they may have regarding PII.
We may also disclose PII to comply with a court order, law or legal process (including a government or regulatory request), but before we would do that, we would provide the applicable school with notice of the requirement so that, if the school so chooses, it could seek a protective order or other remedy. If after providing that notice we remain obligated to disclose the demanded PII, we will disclose no more than that portion PII which, on the advice of our legal counsel, the order, law or process specifically requires us to disclose.
We will retain PII for as long as the applicable school maintains its Emote subscriptions in good standing. Once those subscriptions lapse or terminate, unless a written agreement between us and a school provides otherwise, we will retain PII for up to 12 months after which time it will be destroyed. Any retained PII will of course remain subject to the restrictions on disclosure and use outlined in this policy for as long as it resides with us.
Finally, although we outlined earlier in this Policy what constitutes PII, we also want to be clear what information is not PII. Once PII, whether relating a school official, parent or student has been de-identified, that information is no longer PII. PII may be de-identified through aggregation or various other means. The U.S. Department of Education has issued guidance on de-identifying PII in education records here. In order to allow us to proactively address customer needs, we anticipate using de-identified information to improve Emote and other of our products and services. That said, we will use reasonable de-identification approaches to ensure that in doing so, we are not compromising the privacy or security of the PII you entrust to us.
When setting up Emote for the first time, we require three sets of information be provided by the school. First, student roster information. Second, teacher roster for school teacher that are participating in Emote. Third, school class schedule information which defines students and teachers for each class section. These are the minimum information sets to provide Emote’s service to you.
The initial data upload can take place either through 1) integration with the school’s Student Information System (SIS), or 2) secure upload of comma separated value (CSV) files by an administrator into Emote. Both services abide by our Data Security policy discussed below.
We have implemented administrative, technical and physical measures designed to secure PII from accidental loss and from unauthorized access, use, alteration and disclosure. Among other things, PII is encrypted in transit to and from Emote using SSL technology. In addition, all PII is stored on secure servers behind firewalls by our hosting providers. In addition, consistent with guidance from the U.S. Department of Education that storing sensitive education records within the United States is a “best practice”, all the servers used by Emote are located in the United States.
All that said, unfortunately, the transmission of information via the internet is not completely secure and, although we do our best to protect PII, neither we nor any other hosted service provider can absolutely guarantee the security of all personally identifiable information.
You can and should ask questions about this Policy and our privacy practices. You should always feel free to contact us at:
Emote Education Inc
Effective: December 1, 2015
Last modified: December 20, 2016