Date of last revision of this policy: February 3rd, 2023
Edsby is a cloud-based suite of software services that modernizes how educators, students and parents engage with each other electronically. Edsby Services are owned and operated by CoreFour Inc.
1.0 What Does This Policy Apply To?
Our Services may contain links to other websites and services that we do not own or operate. By clicking on those links, you will leave our Services. Those third-party websites and services are governed by separate and independent privacy policies, which we recommend you read carefully.
For the purposes of this Policy, the following definitions apply:
“Personal Information” is any information provided to us or generated within Edsby that personally identifies an individual, such as name or email address, or other information which could be reasonably linked to such identifying information. Unless otherwise specified, Personal Information referenced in this Policy is interchangeable with Personally Identifiable Information, which is information that, that when used alone or in combination with other information, can identify an individual.
“Education Organization” refers to various types of organizations that select Edsby as one of their technology solution providers for managing student information aimed at improving student success, equity and well-being. These organizations may include private schools, public school districts, provinces/states, and national ministries of education. Edsby is selected by these Education Organizations, often through a formal competitive procurement process and rigorous evaluation of many factors including privacy and security of student user data. Education Organizations pay to use Edsby. Each Education Organization decides what information should be provided to Edsby, and retains ownership of all the information provided to Edsby as well as control over all the information created in Edsby by users within their organization.
“Parents” refers to the parents, guardians, and others such as aunts, uncles, step-parents, or grandparents that are identified by the Education Organization as someone with the right to have access to information in Edsby regarding a specific child.
3.0 Who Uses Edsby?
Edsby is a broad learning platform purpose-built to support in-classroom and remote learning across the spectrum of kindergarten through grade 12, commonly abbreviated as K-12. It is intended for use by learners of all K-12 age levels, including learners under the age of 13 and between the ages of 13 and 16, for which special handling is required in certain jurisdictions. It is also intended for use by their parents, teachers, school and district administrators and even regional government officials, and facilitates selected data sharing and interactions between these trusted K-12 stakeholders. It is not used in preschool or higher education or by general public, unauthenticated users.
3.1 How Are User Accounts Created?
Edsby creates a unique service instance for every Education Organization customer, and provisions and disables user accounts in each instance by synchronizing with the organizations’ systems of record, such as its Student Information/Student Management Systems (SIS/SMS), HR systems, official parent databases and government systems. Users cannot create their own accounts. Edsby is only ever deployed as an officially sanctioned system by an Education Organization under its umbrella opt-in and official data governance policies. User consent obligations are the responsibility of the Education Organization customer.
When Education Organizations choose to enable Edsby single sign-on through official directory providers, Edsby inherits the features of those systems. Multi-factor account protection is available in Edsby in conjunction with such directory providers when enabled via their internal security controls.
User accounts never require additional Personal Information for validation.
3.2 What May Users Do In The Services?
In the course of using Edsby Services, learners and their parents upload and share information in their private, closed Edsby system. Students and parents have no ability to ever designate anything publicly visible through privacy settings. All Services content and features default to a privacy-on setting. Only district or school level announcements specifically set to be seen by the general public, which are authored and approved with an audit trail by Education Organization officials, can ever be seen by unauthenticated users. Untrusted, unauthenticated users never interact with Edsby users, see any user content publicly, or any Personal Information.
The information users are able to access or upload in the Services and the ways they are able to interact with other users in Edsby is governed by their roles and class enrollments defined in the official Education Organization’s systems of record. This ensures teachers can only see information on students they currently teach, or that parents may only access information on their own children, for example. Collaboration between students and teachers, and optionally authenticated parents with teacher invitation, occurs within programmatically created and rosterized classrooms corresponding to real-world classes, or in teacher moderated groups, in which exchanges are limited to the programmatically maintained membership of the class or group. It is not possible for users of any type to contact anyone outside of the trusted, authenticated Edsby user base. Most Education Organizations disable student-to-student messaging in Edsby Services as a matter of policy, and some even disable the ability of parents of different families to message each other within Edsby.
No user is obliged to enter any information in a personal profile. Profile information is not required for usage of the Services.
Users may easily flag objectionable content across the Services, including anything deemed abusive or cyberbullying-related.
4.0 What Personal Information Do We Store?
Each Education Organization determines what information they collect and how it is used. We process a portion of that information in accordance with the specific contractual agreement with that Education Organization. The Education Organization maintains the master repository of this information and controls how your Personal Information is used, and manages parent consent to Edsby and its other applications.
Personal Information Education Organizations provide to us: Education Organizations integrate information about you into our Services. The information that is integrated depends on the Services set out in their specific contract with us. This information can include:
- Personal Information about students, including but not limited to name, date of birth, gender, grade level, school, student number, Ministry or State ID, address information, email address, photos for student profiles, certain health information kept in student records, course information, individual education program (IEP), indigenous status, and community service hours.
- Personal Information about educators and staff, including but not limited to name, salutation, email address, school, staff number, title, and role.
- Personal Information about parents, including but not limited to name, address, email, relationship to students, and flags about their access rights to information.
5.0 What Personal Information Do We Collect?
Personal Information collected by us on behalf of Education Organizations: Edsby may collect Personal Information directly through your interaction on our Services depending on the Services set out in our specific contract with your Education Organization. That Personal Information may include but is not limited to:
- Information about student progress, such as a student’s attendance status for each school date, a student’s score on an assessment along with comments by the educator, pictures of a student’s work along with observations by the educator, and report card information for each subject a student is taking.
- User-generated digital content, such as text, images, audio, video, files and web links. This digital content can appear in messages, profiles, private notes, calendar events, grade books, and postings in the Service. For instance, students may upload assignments, participate in class discussion groups or perform tests within Edsby, while parents may upload photos, video or audio of their child’s homework, or respond to teachers’ comments. Uploaded files may have metadata associated with them, which is preserved by the Service and will be available to anyone that can view or download the file.
- Sensitive data, such as emotional check in status information if entered by students, absence-related information if entered by parents, or individualized education plans entered by educators.
- Usage information, such as information about how many students and/or parents at the Education Organization use the Services and how the Services are being used. This information is also collected for security purposes, such as to identify suspicious activity. The information collected may include information such as unique device identifiers, IP addresses, and browser types.
Edsby does not collect biometric or geolocation data. We only collect and manage information as users use our Services and do not augment or cross reference it with other data sources. The information above is collected only to fulfill the Services we have contracted to provide for the education organization and is not used for other commercial purposes.
6.0 How Do We Use Your Personal Information?
The usage analytics information generated by user activity in Edsby Services is de-identified and aggregated and used for Edsby product improvement. Measurement of seasonal trends in user activity helps us forecast service provisioning requirements through the year, for instance. Knowing the most popular computing platforms of users accessing Edsby Services helps us determine which platforms to focus our engineering on. Internal analytics data also allow us to monitor the security of our Services. Edsby Service usage data is never collected by a third party, hosted elsewhere or shared with other parties or monetized.
We do not sell your Personal Information or the content you provide. We do not subject users to any advertising, contextual, personal or otherwise. There is no marketing to opt-out of, as the company does not send marketing messages to end users. Edsby does not make offers to end users like sweepstakes or contests. And we do not sell, rent or otherwise share any Personal Information with any third party that does. Please see Section 7.0, which describes who we may share your Personal Information with.
7.0 Who Do We Share Your Personal Information With?
We do not sell your Personal Information or the content you provide. There are certain circumstances in which we may disclose, transfer or share your Personal Information with third parties, such as under the following circumstances:
- Your Education Organization: The information we collect and store about you is accessible to authorized employees of your Education Organization. For example, a school principal may use Edsby to quickly find a Parent’s telephone number to call in the case of an emergency. Your Education Organization controls who has access to this information. We also make usage information available to your Education Organization.
- Third parties at the request of the Education Organization: Education Organizations may request that we share your Personal Information with additional parties that also provide processing services to the Education Organization. We only do this when specifically requested and approved in writing by an authorized, verified senior member of the Education Organization.
- Microsoft and Google: Our Services can be integrated with Microsoft 365 and Google Workspace for Education if directed to do so by the Education Organization to enhance productivity. For example, when a student writes an essay in Microsoft 365 or Google Docs and submits it to their educator via the Edsby platform, Edsby can make a copy of the selected file and make it available to the educator via the Edsby Services. Also, when Edsby integrates with these systems it provides a way for the End-User to log into Edsby by using Microsoft or Google authentication credentials.
- Cloud service providers: A carefully selected small number of companies provide essential elements of our cloud-based Service. We limit the information we share with these service providers through contractual, administrative and technical means. For example, we store Personal Information with Microsoft, the provider of our Azure hosting service, and protect it with encryption. Our cloud service providers may not use the information disclosed to them for any other purpose other than to provide us with a specific service.
- Legal authorities, as required by law: The information we process and store may be disclosed by us to legal authorities if we are required to do so by law. We may also disclose to them, at our discretion, select information we collect and store where we have reason to believe that disclosing this information is necessary to identify, contact or bring legal action against someone who may be causing interference with the rights, property or rules of the Education Organization using our Services, or someone who may cause or be at risk of imminent bodily harm, or someone who may be violating the Usage Policy of our Services. In such cases, the Education Organization that is managing this instance of our Service will be informed and will notify affected parties as it sees fit.
- Business transaction: We may transfer our assets and rights to our Services, including information in our Services, in the event of a merger or sale (including any transfers made as part of an insolvency or bankruptcy proceeding) involving all or part of our business or as part of a corporate reorganization, stock sale or other change in control. In such a case, your Education Organization will be provided with notice and will have the option of socializing pending changes to Edsby with its users or of opting out of our Services. We will limit the disclosure of Personal Information to only what is necessary and limit the use of the information to the purpose for which the Personal Information was collected before the transaction and in accordance with applicable laws and honor any data update or deletion requests using the process as detailed in 9.2 How Does Edsby Manage Data Update & Deletion Requests?
We limit who we share your Personal Information with. We also limit what information we share and how third parties may use, access, process or store such information in the course of performing their duties for us. When we disclose Personal Information, we minimize the disclosure to only what is necessary in accordance with instructions from our Education Organization customers, de-identifying if appropriate (removing any name and unique identifier) and contractually prohibiting attempts at re-identifying, and in compliance with appropriate privacy, confidentiality, and security measures. We do not combine customers’ data with data from other sources.
We do not have control over the Personal Information that Education Organizations themselves may disclose to third parties. For example, an Education Organization may export certain Personal Information collected in Edsby and make it accessible to others at the Organization’s discretion.
8.0 How Do We Protect Your Information?
We are committed to protecting the information we store about you. Edsby employs a variety of physical, administrative, and technical safeguards designed to protect Personal Information against loss, misuse and unauthorized access or disclosure. We have taken measures to protect the Personal Information on our Services, which include data encryption, firewalls and access controls for staff and vendors, as well as physical access controls to our facilities. Some other security measures we implement include:
- Limiting account creation to only those individuals the Education Organization selects. Persons outside the Education Organization cannot create an account.
- You may only access Edsby within an Education Organization with your user ID and password. Typically these credentials are provided and managed by the Education Organization.
- The ability for Education Organizations to implement role-based access and usage of an account, which limits what you can do and what information you can see. For example, educators have limited access to students they can view on the Services (e.g. only students in their school) and what they can see on the student profile. Parents can only see the profile of their own children and staff at the school(s) that their children attend.
- Encrypting all data sent between the Edsby server and Edsby client (web browser, smartphone app, tablet app) in transit and at rest.
- Restricting access to Personal Information to those Edsby staff members who need to know that information for the purpose set out in this Policy and ensuring those staff members are trained in the company’s information protection policies.
- Ensuring any software libraries used in our application are never sent Personal Information. For example, Edsby uses Google Firebase Cloud Messaging (FCM) for push notifications, but Edsby Services never send private information in notifications, simply using them to redirect the user to the secure, authenticated Edsby Services. We only use the minimal Firebase messaging toolkit, and do not engage Firebase’s analytics or wider features. Nor does Firebase ever get associated with a user’s Google account. And while Edsby uses Google’s ML Kit for QR code scanning in our mobile apps, processing is fully on-device and we ensure any data available to ML Kit is anonymous and de-identified.
- Adhering to a formal standard for Information Security. CoreFour Inc. is ISO 27001 certified.
9.0 How Do We Manage Your Information?
Our general practice is to not retain Personal Information any longer than is necessary for educational purposes and legal obligations. Personal Information becomes immediately unavailable in Edsby in the event of account cancelation or termination, triggered by updates from the Education Organization’s systems of record. It becomes fully deleted from the Services per the Education Organization’s policy as described below.
9.1 How Long Do We Keep Your Personal Information?
Edsby retains Personal Information on behalf of Education Organizations pursuant to its specific contractual terms with each Education Organization. The Education Organization defines the parameters for data retention and destruction in Edsby in terms of the number of school years’ worth of data to be held. It may choose to hold 3 years’ worth of data in Edsby, or 7 years, for instance, for access to archived information and/or audit purposes. Edsby does not retain data longer than 7 years unless by special arrangement with a customer.
9.2 How Does Edsby Manage Data Update & Deletion Requests?
Edsby is best characterized as a processor that manages data at the direction of the education organization, the controller. If an end user sends a request to update or delete their Personal Information, these requests are routed to the Education Organization for their review and potential action.
If Edsby receives a specific request from an authorized individual at the Education Organization to destroy specific records, Edsby complies and provides a certificate of data destruction within one week.
10.0 What Are Your Rights?
As a user of our Services, you have rights to access, download, correct and/or delete your Personal Information in accordance with applicable laws. Parents may manage their children’s Personal Information, including withdrawing consent, or opting out of any data sharing.
Some Education Organizations enable users to access and make changes to their Personal Information through Edsby Services. Where your Education Organization does not enable this access and you seek changes to Personal Informationor its general management, make your request directly with your Education Organization. It will update its systems of record from which Edsby inherits, and we will assist the Education Organization however else we can in fulfilling your request in accordance with our legal obligations.
Similarly, contact your Education Organization to request information about any third parties it may be sharing data with, or has requested Edsby to share data with.
If your Education Organization relies on your consent to process your Personal Information, such as making it available in Edsby Services, you have the right to withdraw your consent at any time. You may withdraw your consent by contacting your Education Organization. Note this will not affect the lawfulness of the processing before it’s withdrawn nor when applicable laws allow for continued processing.
Users may download data themselves from Edsby Services at any time, such as assessments, progress reports, report cards and online portfolios of their best work. Teachers have broad ability to download data, including class rosters, parent lists, gradebook data and more.
11.0 What About Children’s Privacy?
We comply with our obligations outlined in the Family Educational Rights and Privacy Act (“FERPA”) and the Children’s Online Privacy Protection Rule (“COPPA”), U.S. federal laws designed to protect the privacy rights of children.
We are a service provider to Education Organizations, which disclose Personal Information to us about students and parents either via existing student records or those developed directly on our Services. The information we collect is limited to what we need to fulfill our obligations as outlined in our contracts with Education Organizations. The disclosures are authorized by FERPA. We do not use your Personal Information for any purpose other than to provide our Services to Education Organizations and improve our Services to you.
In accordance with COPPA, we do not knowingly collect information from children under the age of 13 unless and until an Education Organization has provided us with authority for a student under the age of 13 to use our Services. Further, we do not knowingly collect or solicit Personal Information from anyone under the age of 13 in a manner not permitted by COPPA.
If you are a parent or guardian who believes that we have inadvertently collected or stored Personal Information about your child without proper consent, please contact your Education Organization and we will work with them to investigate and delete any such information to the extent required by applicable law.
12.0 Where Is Your Information Stored?
Edsby Services are hosted in various regions throughout the world, including in the U.S., Canada and Australia. We store and process your Personal Information in the country in which your Education Organization is located whenever we can. From time to time, your Personal Information may be accessed by Edsby-authorized services or staff in another country where Edsby or authorized third parties operate. We implement measures to protect your information and to ensure compliance with applicable laws.
13.0 Cookies and Similar Technologies
13.1 What Information Do We Collect Using Cookies?
We use first-party cookies, such a session cookie, to help us authenticate you. The session cookie is deleted when the browser session is ended. We may also use third-party cookies to help staff file a customer support ticket with us. Other third-party cookies include firewall cookies for security purposes. Most of the cookies on our Services collect information that is not identifiable to you. To learn more about cookies, visit www.allaboutcookies.org.
13.2 How Can You Manage Cookies?
Although most browsers accept cookies, you can set your browser to reject cookies. You will need to follow the instructions contained in your browser’s help file (usually located within the “Help,” “Tools,” or “Edit” settings). If you have more than one browser, the opt-out or settings you set will only apply to that specific browser and not the others. If you choose to disable cookies, some Edsby Services might not function properly.
14.0 What About Breach Reporting?
We maintain procedures and recordkeeping regarding breach reporting consistent with our ISO 27001 certification obligations.
We adhere to our obligations in the event of a breach of confidential information as required in the jurisdictions in which we host Edsby Services. For instance, in Canada, laws require we report any breach involving personal information under our control if it is reasonable in the circumstances to believe that the breach of security safeguards creates a real risk of significant harm (RROSH) to an individual, as defined by Canada’s PIPEDA. In the U.S., each state has its own breach reporting requirements as summarized here.
Edsby intends no change to the longstanding data collection or handling practices fundamental to its business model. Should we do so, however, we will notify all Education Organization customers and their users in advance of any significant change.
16.0 How To Contact Us?
You may contact us at firstname.lastname@example.org with any questions, concerns or grievances you may have related to your Personal Information. We may also be reached as follows:
68B Leek Crescent, Suite 200
Richmond Hill, Ontario
+1 (877) 337-0070
17. California Privacy Notice Addendum
If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA).
We may make changes to the Addendum. Please refer to the Addendum from time to time to keep yourself informed of how we may collect, use and disclose your Personal Information.
“Personal Information” means information that identifies, relates to, or could reasonably be linked directly or indirectly with a particular California resident. Personal Information does not include publicly available information from government records or de-identified or aggregated consumer information.
17.1 Categories of Personal Information
Over the past 12 months, we have stored or collected the following categories of Personal Information for business purposes:
|A. Identifiers||Contact details, such as real name, alias, postal address, telephone or mobile contact number, unique personal identifier, online identifier, Internet Protocol address, email address, and account name||
|B. Personal information categories listed in the California Customer Records statute||Name, contact information, education history||YES|
|C. Protected classification characteristics under California or federal law||Gender and date of birth||YES|
|D. Commercial information||Transaction information, purchase history, financial details, and payment information||YES|
|E. Biometric information||Fingerprints and voiceprints||NO|
|F. Internet or other similar network activity||Interactions with our Services, applications and systems||YES|
|G. Geolocation data||Device location||NO|
|H. Audio, electronic, visual, thermal, olfactory, or similar information||Images and audio or video in connection with our business activities||YES|
|I. Professional or employment-related information||Job title, employer name, identification number for educator and administrator accounts||
|J. Education Information||Student records and directory information||YES|
|K. Inferences drawn from other personal information||Inferences drawn from any of collected information to create a profile or summary about, for example, an individual’s preferences and characteristics||
|L. Sensitive Personal Information||Account login information, contents of email or text messages, emotional state, racial or ethnic origin||
Category L information may be used, or disclosed to a service provider or contractor, for additional, specified purposes. You have the right to limit the use or disclosure of your sensitive personal information with your Education Organization.
17.2 Sources of Personal Information
We collect the categories of Personal Information in the following ways:
- (i) Your Education Organization uploads data into Edsby Services about you
- Directly from you
- (i) When you use Edsby Services and voluntarily input information
17.3 Disclosure of Personal Information for a Business Purpose
In the past 12 months, we disclosed the following categories of Personal Information for a business purpose:
|Category of Personal Information||Personal Information Disclosed To a Third Party For a Business Purpose|
Contact details, such as name, postal address, telephone or mobile contact number, unique personal identifier, Internet Protocol address and email address
|B. Personal information categories listed in the California Customer Records statute
Name, contact information, education history
|C. Protected classification characteristics under California or federal law
Gender and date of birth
|D. Commercial information||Yes|
|F. Internet or other similar network activity
Interactions with our Services, applications and systems
|H. Audio, electronic, visual, thermal, olfactory, or similar information
Images and audio, video or call recordings created in connection with our business activities
|J. Education Information
Student records and directory information
|L. Sensitive Personal Information
Account login information, contents of email or text messages, emotional state, racial or ethnic origin
We disclosed these categories of Personal Information to the following categories of third parties: your Education Organization, cloud service providers, and in very rare occasions third parties at the request of your Education Organization, and legal authorities as required by law.
Please refer to 7.0 Who Do We Share Your Personal Information With.
In the preceding twelve (12) months, we have not sold any Personal Information.
17.4 Use of Personal Information
For more information about how we use your Personal Information, please see sections 3-6 of this policy.
17.5 Sale of Personal Information
Edsby does not sell your Personal Information for money to anyone. If you are a user of the platform, you may opt out of your Personal Information management in Edsby Services directly with your Education Organization which will provide us with instructions.
17.6 What Are Your Rights?
As a California resident, you have the following rights, subject to certain exceptions and limitations:
- Right to know, over the past 12 months, the categories and specific Personal Information we collect, use, disclose, and sell about you, the categories of sources from which we collected your Personal Information, our purposes for collecting or selling your Personal Information, the categories of your Personal Information that we have either sold or disclosed for a business purpose, and the categories of third parties with which we have shared Personal Information.
- Right to access and portability of Personal Information that we collected over the past 12 months. You also have the right to request we provide you with a copy of the Personal Information we collected in a portable, readily reusable format that allows you to transmit the information to a third party.
- Right to delete the Personal Information we have collected from you or maintain about you.
If you are under 18 years of age, reside in California, and have a registered account with Services, you have the right to request the removal of unwanted data that you publicly post on the Services. To request the removal of such data, please contact us using the contact information provided below and include the email address associated with your account and a statement that you reside in California. We will ensure the data is not publicly displayed on the Services, but please be aware that the data may not be completely or comprehensively removed from all our systems (e.g., backups, etc.).
California Civil Code Section 1798.83, also known as the “Shine The Light” law, permits our users who are California residents to request and obtain from us, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes and the names and addresses of all third parties with which we shared personal information in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please submit your request in writing to email@example.com.
Please see section 10.0 What Are Your Rights for more information, including contacting your Education Organization to exercise your rights.
We will not discriminate against you for exercising your CCPA rights.