DreamBox and Privacy

Who We Are and What We Do

DreamBox Learning Math is an adaptive, online K-8 math program designed to complement classroom instruction and deliver results. We built DreamBox because we believe all children can excel at learning, no matter where they start, where they live, or who they are. We are dedicated to helping children realize their potential, working together with parents, guardians, teachers, principals, and district administrators. A critical part of our vision is that we will safeguard the privacy of every individual who uses DreamBox. (You can read more about our Mission and Vision Statement here.

Privacy Statement

In this policy, we’ve attempted to provide as much useful information as possible, from many different angles, to help you find whatever answers you might need about our approach to privacy. But, at the core, our approach to privacy is this:

DreamBox Learning understands that your data is important, personal, and that it is yours. You shared your data so we can provide you with the DreamBox service, but that we don’t own the data: you do. We will not use your data for third-party marketing or other unrelated purposes. We won’t sell it to or share it with any company not directly involved in providing the DreamBox service. We will not collect additional personal information directly from children, or market products to children using the data you provide. We will always protect your data, using world-class security measures and practices implemented by vetted, fully-trained personnel. We will be transparent about exactly what data we have from you or about you, how we got that data, how we use it, and how you can ask us to remove it. If you ask us to delete your data, we will remove you from the DreamBox service, delete destroy your data quickly and completely, and let you know when we’re done.

Effective Date

This policy is in effect as of November 18, 2019.

Why we have your information

DreamBox has your information for one of these reasons:

You signed up for the DreamBox service, or because an authorized educational institution (a school or school district) shared information about you with DreamBox.

Definition of Terms

Individual Customer or customers that are individuals: individuals or families who directly purchased the DreamBox service for personal or family use.

School Customer: an educational institution that has purchased the DreamBox service and provisions accounts for individual student users.

Student User: any individual using the DreamBox service, whether signed up by a parent or a school. Students may be any age, but DreamBox treats all students as though they are covered by legal protections for children age 13 or younger.

Individual Parent: a parent or guardian of a student who directly signed their student up to use the DreamBox service. (In other words, their student was not signed up by a school or district.)

School Parent: a parent or guardian of a student using the DreamBox service, who has been signed up by a school or district.

Parent: a parent or guardian of a student using the DreamBox service, regardless of how the student was signed up for DreamBox services.

The Information We Collect from Customers

Parent’s First and Last Name: You will need to provide a first and last name to access the parent dashboard to track your student’s progress. For Individual Customers, first and last name may also be required by our payment processor for initial processing of credit card payments.

Email Address: For customers who are parents and school administration officials, your email address will serve as your login username  (For customers that are individuals or students, your name or other identifier set up at registration, or a picture identifier chosen after registration, will serve as your login username.) Your email address may be used to send a confirmation email at registration, as well as information and updates to the DreamBox Service. In some cases, we will also email your student’s personal reports to you, with further information about the progress your student is making. We may use the email address as an additional means of communicating with you about the Programs and DreamBox Learning, including notifying you of updates to websites or policies.

Phone Number: Your phone number will serve as an alternate way of contacting you for the same purposes as the email address.  Providing a phone number is optional for Parents using the parent dashboard, though it may be required by our payment processor for initial processing of credit card payments. We do not collect phone numbers for students, and we will never call a student directly.

Student’s First and Last Name: Your student’s name will be used to customize your student’s participation in the Programs, and to personalize reports and updates about your student’s progress. Also, for Individual Customers, we may mail related material to you or your student using your name or his/her name, care of you, at the mailing address you provide.

Student’s Date of Birth: If provided, we will use a student’s age to group Performance Data (See “The Information We Collect from Children,” below) of children of similar age, to assess relative performance and improve the program.  Such information will be aggregated with other customers in an anonymous manner and will not include any information that could be used to identify a specific student.

Student’s School Grade Level: We will use a student’s grade level to group Performance Data of children of similar grade, to assess relative performance and improve the program. Such information will be aggregated with other customers in an anonymous manner and will not include any information that could be used to identify a specific student.

Student’s Gender: We use a student’s gender to group Performance Data of children of the same gender, so we can analyze aggregate performance, and improve the program.

Parent’s Mailing Address: Your mailing address may be used to allow DreamBox Learning to mail you various Program materials and ancillary program products. At a minimum, you must provide a postal code to use the Programs. Providing a street address is optional, though a full address including postal code may be required by our payment processor for initial processing of credit card payments.  We will never collect this information from a student, or use a mailing address to contact a student directly.

Credit Card Information: For our customers that are individuals, we may ask for your credit card information to bill you for each student that you register for the Programs. Credit card processing may require:

• Credit Card Number
• Credit Card Expiration Date
• First and Last Name
• Billing Address including Postal Code
• Phone Number

This information is never handled directly by DreamBox or stored on any of our systems. All credit card information is processed and stored by our processing partner, Stripe.com. Their privacy policy can be found here: https://stripe.com/privacy .

Secondary Uses: DreamBox Learning WILL NOT sell, trade, or assign any personal information we collect to third parties outside of DreamBox Learning nor will we ever directly target any type of communication to a student unless specifically requested by you to do so. DreamBox will not use your personal information, or your student’s personal information, to target advertising at you, or to market products to you.

The Information We Collect from Students

Participation History: Participation History (how often and how much a customer uses the service and its features) will be collected for customer support, product development, marketing, and other operational and business purposes, including improvements to the Programs; however, such information will not be disclosed to third parties or used for advertising to student users. To be clear: we will not use your student’s participation history to market or sell other products to parents.

Performance Data: DreamBox Learning collects information directly from your student, over the Internet, in the form of the interactions that your student makes when participating in the Programs. We refer to the resulting information as “Performance Data,” and it includes but is not limited to data on when your student starts and stops a lesson, the responses your student makes to questions asked, the timing of your student’s responses, your student’s choice of character and customizations, and the choice of lessons to play.
We will use Performance Data to:

• Measure your student’s performance in each lesson of the DreamBox Learning Programs and to adapt the Programs to his or her learning needs
• Analyze your student’s Performance Data, and provide you with periodic progress reports about your student’s performance in the Programs
• Improve the Programs.

DreamBox Learning does not collect personal information directly from students. DreamBox Learning will seek clear, informed authorization of a parent or guardian first if we ever need to collect information (other than Performance Data) directly from a student.

We may aggregate your student’s Performance Data with the Performance Data of other students participating in the Programs for marketing and other business-related purposes. Aggregate information will be ANONYMOUS and will not identify your student or be combined with other information that would allow individual students to be identified. It cannot be “de-anonymized” or otherwise connected back to individual students.

Our Rules about Collecting Information Directly from Children

DreamBox does not collect personal information directly from children under 13. Any personal information about children that we receive, process or store comes from one of two sources: parents who share information about their children, or schools and districts who share information about the students in their charge. If we ever need to collect personal information from children, we will do so only after receiving explicit permission from their parents or guardians.

How does DreamBox use Aggregated and Anonymous Information

Anonymized and aggregated information may be used for demographic profiling and advertising. In such cases, the information will always be aggregated and anonymous. Information used this way will never have a connection to any individual, or any personal identifier attached to it. It will not be possible to reverse the process and connect this aggregated information to individuals.

How We Protect Information

DreamBox takes great care to ensure we don’t misuse your data, or abuse the trust you placed in us when you shared that data. A significant part of our commitment to your privacy is the way we keep your data out of the wrong hands, either through accidental disclosure or the efforts of hostile actors. DreamBox Learning has multiple security measures in place to protect the information under our control against loss, misuse, or alteration.

Laws and guidelines that apply

DreamBox Learning complies with and enforces U.S. data protection laws across all aspects of our system. By signing up for or using the DreamBox Learning system, you agree:

• That your personal data can be used for the purposes identified in the Privacy Policy.

• That your data will be handled in accordance with U.S. privacy law. You waive any right or expectation enumerated under the data protection laws of other jurisdictions, and consent to the application of U.S. data protection law.

• Some regions, such as the EU, do not permit you (the Customer) to grant this consent. DreamBox Learning is not currently available to customers in those jurisdictions.

DreamBox follows ISO 27001 and 27002 guidance for security structures, policies, and procedures.

• Our ISO compliance is reviewed annually by an external audit and certification process, and continually through internal processes and checks.

• We also refer to guidance from other sources, where those do not directly conflict with ISO 27001 standards. We measure our processes against

  • NIST SP 800-53 Rev. 4 and to some degree the draft of Rev. 5.

  • The OWASP Top 10 and other output from OWASP.

  • HITRUST CSF v9.2.

How we protect information we store

If you use or access the DreamBox system, please note:

• Your data will be stored in the United States.
• Your data is always stored in an encrypted format. Encryption is done using a 256-bit symmetric key created by DreamBox and accessible only by DreamBox core operations staff.
• Your data is always stored in a protected network zone, isolated from employee systems, unprotected networks, and the public Internet.
• Backups and archives that include your data are also encrypted with a 256-bit symmetric key, and stored in protected network zones.

How We Protect Information During Transmission

Information being sent to or retrieved from our service

• Registration details (“Roster Information”) sent through Clever.com are encrypted in transit using certificates, key exchange methods and cipher suites rated “A” or “A+.” Currently, that means an RSA 2048 bit key, using SHA256 with RSA, but Clever is continually reviewing best practices and updating their configuration to stay current. Clever’s own privacy policy can be found here: https://clever.com/about/privacy-policy .
• Registration details (“Roster Information”) uploaded to, and reports downloaded from our ExaVault SFTP partner are encrypted in transit using certificates, key exchange methods and cipher suites rated “A” or “A+.” Currently, that means an RSA 2048 bit key, using SHA256 with RSA, but ExaVault is continually reviewing best practices and updating their configuration to stay current. ExaVault’s own privacy policy can be found here: https://www.exavault.com/privacy/
• Information accessed through or exchanged with DreamBox’s site is encrypted in transit using certificates, key exchange methods and cipher suites rated “A” or “A+.” Currently, that means an RSA 2048 bit key, using SHA256 with RSA, but DreamBox is continually reviewing best practices and updating our configuration to stay current.

Who Can Access Your Information

• Only authorized employees, with a business need to handle your data, can access these protected network zones.
• Those employees sign a binding agreement acknowledging that they will safeguard your privacy, and protect your data. This agreement remains in force even if the employee leaves DreamBox Learning.
• DreamBox conducts a background check on all employees, to confirm there is no criminal history or other disqualifying histories
• We do not provide access to your data to 3^rd parties, with these specific exceptions:
  • Limited data is shared with processing partners during registration or updates to registration information. For instance, postal code, city, and state information are sent to a service to confirm an accurate postal code.
  • Credit card processing is handled entirely external to DreamBox, by our partner Stripe.com. Stripe’s privacy policy is found here: https://stripe.com/privacy

How and When We Remove Information

DreamBox retains information provided by the Customer (“Customer Data”) only so long as we have a business-related need for it. We will destroy Customer-supplied data, as well as any other customer-identifying data, at any time upon request. However, our service is dependent upon the use of Customer-supplied Data, so destroying your data will mean you will no longer be able to use the DreamBox service. Derivative, anonymous data such as aggregate performance data will be retained.

Our Rules on Sharing Information

Except as provided in this Privacy Policy, DreamBox Learning WILL NOT disclose the information that it obtains from you to third parties without your express written permission, or where we believe, in good faith, that the law requires us to disclose the information. If you request that DreamBox share information provided by or collected from you (or in the case of School Customers, student users) directly with a third party designated by you, you agree that you (and not DreamBox) will be solely responsible for the use, storage, and maintenance of such information by such third party.

DreamBox Learning WILL NOT sell, trade, or assign any unaggregated personal information that it collects to third parties. We, however, may aggregate the information that we collect from users of our website to create demographic profiles and performance profiles regarding the progress of students who use the Programs. DreamBox Learning may share aggregated information with researchers, other clients, marketing professionals or potential investors. This aggregated information will be compiled and reported in the form of ANONYMOUS group statistics only in such a manner that makes individual student users unidentifiable.

In addition, DreamBox Learning may share information about the students, parents, legal guardians, and school officials that register to participate in the Programs, along with such registrants’ Participation History, with contractual business partners of DreamBox Learning that are directly involved in the sale, distribution, operation, maintenance, and support of the Programs on behalf of DreamBox Learning. These partners function as an element of the DreamBox Programs, and do not have access to or use your information for any purpose other than providing the DreamBox Learning Programs.

If you request that DreamBox share any information provided by you (or in the case of School Customers, your student users) directly with a third party designated by you, then you agree that you (and not DreamBox) will be solely responsible for the use, storage, and maintenance of such information by such third party.

As DreamBox Learning continues to develop its business, it might sell some or all of its assets. In such transactions, customer information is generally one of the transferred business assets. An acquiring company would be required to protect all information that DreamBox Learning collects from users of our website and Programs in accordance with the terms of this Privacy Policy.

Consenting to Our Collection and Use of Your Information

To use the DreamBox Programs, you will be asked to submit certain personal information about you and your student, and to authorize DreamBox Learning to use that information in a limited number of ways. If you are signing up directly as a parent or legal guardian of a student that will use DreamBox, we will require you to review and submit a Parental Consent as part of the registration process, which will require you to consent to our collection and use of information directly from your student over the Internet as described above. If you are the parent of a student using DreamBox through a school or district, your school will authorize our use of your information on your behalf.

Opting Out of Providing the Information We Request

Because the DreamBox Learning Programs are individualized and customized for each student, all the information we request from you and your student is required for you and your student to participate in the Programs, except for certain information to be used for our communication purposes to you only. At any time, you may revoke your consent to allowing your student to participate in the DreamBox Learning Programs or refuse to allow DreamBox Learning to further use or collect your student’s personal information. Any Anonymous

Performance Data will be retained, but we will not retain any identifiable information regarding you or your student that you have provided. However, if you do any of the above, you and your student will not be able to participate in the Programs.

How You Can View, Change, or Remove Your Information

You can review and modify your Registration Information at any time by accessing our dashboard website using your login and password. You can also request that DreamBox remove your information: see “How to Contact Us” below for information on how to place a request.

How Does DreamBox Comply with Laws, Regulations, Industry Group Statements and Other Guidelines

The core of our privacy policy is expressed in the “Privacy Statement” at the top of this page. The following items illustrate how this policy aligns with government regulations, industry standards and guidelines, technical standards, and third-party privacy pledges. We make frequent updates to this list. If you are looking for a standard that is not included here, please contact us with details.

US Federal regulations

CIPA (Children’s Internet Protection Act)

The Children’s Internet Protection Act (CIPA) is a federal law enacted by Congress in December 2000 to address concerns about access to offensive content over the Internet on school and library computers. CIPA imposes requirements on any school or library that receives funding support for Internet access or internal connections from the “E-rate” program — a program that makes certain technology more affordable for eligible schools and libraries. Our Programs do not provide links to external resources or chat rooms and do not contain any offensive or inappropriate material.

For more information about CIPA, please go to http://www.fcc.gov/cgb/consumerfacts/cipa.html.

COPPA (Children’s Online Privacy Protection Act)

For our Individual Customers or parents or legal guardians of a student:  Congress has enacted a law called the Children’s Online Privacy Protection Act of 1998 (COPPA), designed to protect children’s privacy during use of the Internet. DreamBox Learning has implemented practices consistent with the guidelines provided by the Federal Trade Commission to date. DreamBox Learning will never knowingly request, obtain, use, or disclose personally identifiable information or private content from anyone under the age of 13 without parental consent.

For our customers who are individuals, provided you are 18 years of age or older, you will be asked, at the time of registration, whether you consent to allowing users under the age of 13 to use your subscription and to be subject to this Privacy Policy. You must be the parent or legal guardian to grant such consent. If we receive this parental consent, we may receive personal information about children under the age of 13 listed on your subscription account in order to provide our Programs and services to them. DREAMBOX LEARNING DOES NOT SHARE CHILDREN’S PERSONALLY IDENTIFIABLE INFORMATION WITH THIRD PARTIES. If you are a parent or legal guardian of a user under 13 you may, at any time, revoke your consent to allow your student to use the Programs under your subscription, refuse to allow DreamBox Learning to further use or collect your student’s personal information, or direct DreamBox Learning to delete all identifiable information regarding your student that you have provided. To do so, please contact our Privacy Officer at the contact information below. However, if you do any of the foregoing, your student will not be able to use the Programs.

For administrative officials of our School Customers, to the extent that DreamBox Learning collects, uses, or discloses personal information from children under the age of 13, it is done in strict accordance with this Privacy Policy and for the sole purpose of providing services to the School Customer and Individual Customer.

For more information about COPPA, visit the FTC site at http://www.ftc.gov/ogc/coppa1.htm.

To report a COPPA violation, you can visit https://www.ftccomplaintassistant.gov/#crnt&panel1-1 or call (877) FTC-HELP.

FERPA (The Family Educational Rights and Privacy Act)

For our School Customers:  The Family Educational Rights and Privacy Act (FERPA) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA gives parents certain rights with respect to their children’s education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. DreamBox Learning helps our School Customers be compliant with FERPA. Specifically:

• Any sensitive online information is transmitted over secure channels
• All student data are stored in ways that are not publicly accessible
• Security audits are regularly performed to ensure data integrity
• DreamBox Learning does not share information with third parties that could be used to identify students without consent from the student’s parent, guardian, or school.

If a School Customer requests that student data be sent to a third party DreamBox Learning will:
(i) send the data to the School Customer directly to transfer to the third party or
(ii) send the data directly to the third party designated by School Customer if requested by that customer, provided the School agrees that School Customer is solely responsible for use, storage, and maintenance of such information by such third party.

For more information about FERPA, please go to the US Department of Education site at http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html.

To report a FERPA violation, please visit https://studentprivacy.ed.gov/file-a-complaint.

HIPAA (Health Insurance Portability and Accountability Act)

Originally enacted in 1996, Health Insurance Portability and Accountability Act introduced most of the security and privacy guidelines now in place for US healthcare, as well as establishing guidelines for the insurance industry, guaranteeing interoperability of healthcare systems, and various other key reforms. In the context of education, the elements of HIPAA most likely to come into play are from HIPAA Title II (Administrative Simplification), particularly around Privacy, Security and Enforcement.

While HIPAA does not directly cover DreamBox’s business or operations, as we are not a healthcare provider, insurance company, or healthcare information clearinghouse, some specific elements of HIPAA might be invoked in special circumstances. For instance, if a school or parent were to inadvertently share HIPAA-protected information with DreamBox, such as vaccination history or illness-related absence information, DreamBox would not be allowed to share that information, or utilize it for any purpose. Should HIPAA-protected information be inadvertently shared with us, DreamBox will notify the school or parent (as dictated by state law), and destroy the HIPPA-protected information.

In summary: DreamBox fully complies with HIPAA in all cases where it might apply, but HIPAA is not a direct guideline for DreamBox’s security or privacy practices, being superseded by FERPA, COPPA, and other education and privacy laws.

For more information on HIPAA please refer to the US Dept of Health and Human Services site at https://www.hhs.gov/hipaa/index.html .

PPRA (Protection of Pupil Rights Amendments)

The Protection of Pupil Rights Amendments, originally established in 1978 and updated by the No Child Left Behind Act in 2001, says parents must first consent before a school (or their agent) may collect personal information from minor students as part of a survey, study, or evaluation. Personal information is defined to include things that are considered PII, as well as attitudes and opinions about sex, embarrassing personal history, and critical appraisals of family members.

In all cases, DreamBox complies with this law. DreamBox does not collect personal information directly from students. If a student submits or provides personal information of their own initiative – such as through an email or phone message – DreamBox quarantines that information from online systems, notifies the school or parent (as dictated by state law), and then removes the information. For more information about PPRA, visit the US Department of Education site at  https://www2.ed.gov/policy/gen/guid/fpco/ppra/parents.html .

California regulations

CalOPPA (California Online Privacy Protection Act)

In 2004, California enacted a law that places certain requirements on all businesses collecting personal information from residents of California. Notably, this law requires the conspicuous posting of a clear, detailed privacy policy. It requires that companies comply with the elements of their privacy policy. It further specifies that privacy policies must contain this information:

CalOPPA Privacy Policy Requirement	Found in these sections of our privacy policy
A list of the categories of personally identifiable information an operator collects	What information do we collect from you What information do we collect from students
A list of the categories of third parties with whom an operator may share personally identifiable information	Who can access your information
A description of the process (if any) by which the consumer can review and request changes to his or her personally identifiable information as collected by an operator	How you can view, change, or remove your information
A description of the process by which the operator notifies consumers of material changes to an operator’s privacy policy	How and when this privacy policy can change
The effective date of the privacy policy	Effective Date

CCPA (California Consumer Privacy Act)

For all our customers, parents, and students who are residents of California: The California Consumer Privacy Act (CCPA) is a California law that codifies some privacy and consumer rights. It was passed in 2018 but is scheduled to take effect on January 1, 2020. It guarantees that California residents have, among other rights,

• The right to know what personal data any company has about them, where that data came from, and how it is used
• The right to know whether their data is sold or disclosed, and to whom
• The right to opt-out (prevent) the sale or disclosure of their data
• The right to have their data deleted

CCPA provides some specific guidelines on how these rights will be protected and enabled by companies doing business with California residents.

You can review your CCPA rights and place CCPA requests here. (Note – this link will take you away from the www.dreambox.com site.)

SOPIPA (Student Online Personal Information Protection Act)

California’s SB-1177, often referred to as the Student Online Personal Information Protection Act (SOPIPA) forbids web sites and online service operators from knowingly selling, disclosing, using or allowing a 3^rd party to use the personal information of a minor for marketing or advertising. It was enacted in 2016, and since that time, has been the model for laws in at least eight other states.

DreamBox fully complies with all aspects of SOPIPA and similar laws. We do not use individual or identifiable student personal information for marketing. We don’t resell or share that information with third parties or allow them to reference that information for sales or marketing.

If you believe you have observed or experienced a SOPIPA violation, you should notify the office of the California Attorney General.

Other State and Municipal Regulations

Jurisdiction/Regulation	DreamBox Response
Alabama: 2018 S.B. 318	DreamBox fully complies
Arkansas: Ark. Code § 4-110-104(b)	DreamBox fully complies
Colorado: HB18-1128	DreamBox fully complies
Connecticut: Conn. Gen. Stat. § 4e-70	DreamBox fully complies
Delaware: Computer Security Breaches (Title 6, Sub II, Chap. 12B) Online Privacy Protection Act (Title 6, Sub II, Chap. 12C) Student Data Privacy Protection Act (Title 14, Chap.81A) – including required clauses CS1-B, CS1-C, CS2, CS3, and CS4 of the Cloud Services Terms & Conditions Safe Destruction Act (Title 6 Sub II Chap. 50C)	DreamBox fully complies with each of these regulations
Florida: Fla. Stat. § 501.171(2)	DreamBox fully complies
Illinois: 815 ILCS 530/45	DreamBox fully complies
Indiana: Ind. Code § 24-4.9-3-3.5	DreamBox fully complies
Kansas: K.S. § 50-6,139b (supplement to Kansas Consumer Protection Act)	DreamBox fully complies
Louisiana: Database Security Breach Notification (SB205 Act 499) & Act 382 (2018) La. Rev. Stat. § 3074 (2018 S.B. 361)	DreamBox fully complies with each of these regulations
Maryland: Personal Information Protection Act (14-3501), including amendments through HB 974 (2018)	DreamBox fully complies
Massachusetts: General Law Ch. 93H, particularly sections 2-5.	DreamBox fully complies
Minnesota: Chapter 325M (Internet Privacy and Service Providers) [NOTE: this does not directly apply to DreamBox, only to ISPs]	DreamBox complies with all relevant clauses.
Nebraska: 2018 L.B. 757	DreamBox fully complies
Nevada: Nev. Rev. Stat. Section 603A.210 and 603A.220	DreamBox fully complies
New Mexico: 2017 H.B. 15, Chap. 36	DreamBox fully complies
New York: New York Privacy Act (Proposed)	DreamBox is tracking progress of this proposal
Ohio: GA132-SB220 (sections concerning electronic security)	DreamBox fully complies
Oregon: Revised Statute 646A.622	DreamBox fully complies
Rhode Island: Title 11, Chap. 11-49.3 (Identity Theft Protection Act)	DreamBox fully complies
South Carolina: Title 39, Section 39-1-90 (Breach notification) Title 37, Chapter 20, section 37-20-190 (Data Destruction) Title 59, Chapter 1, Section 59-1-490 (Education Data Use)	DreamBox fully complies
Texas: Title 11, Subtitle B, Chapter 521 (Use of Identifying Information), HB 4390 (Breach Notification)	DreamBox fully complies
Utah: Title 13, Chapter 44 (Protection of Personal Information Act)	DreamBox fully complies
Vermont: Title 9, Chap. 62 (Protection of Personal Information)	DreamBox fully complies
Wyoming: W.S. 40-12-501 (definitions) and W.S. 40-12-502 (Breach Notifications), including amendments S.F. 35 and S.F. 36 (2015)	DreamBox fully complies

European regulations

GDPR

The European Union’s (EU) General Data Protection Regulation (GDPR) is a comprehensive privacy and security law that governs how companies of all sizes must behave when handling, storing, transmitting and removing the personal data of individuals who are residing in the EU. DreamBox does not currently market to customers or intentionally perform business activities in the EU. However, we are working to align our privacy policy and practices to be in compliance with the overall principles and restrictions of GDPR.

GDPR provides guidelines on necessary components of a Privacy Policy. Below is that list, with DreamBox’s information or response, included for each. Again, DreamBox is not currently operating in or marketing to residents of the EU, but we are working to align our policies with GDPR principles, and we are providing this information for customers concerned about the issues raised by GDPR and similar pending legislation in other jurisdictions:

GDPR Privacy Policy Requirement	DreamBox response
The identity and contact details of the organization, its representative, and its Data Protection Officer	In this policy, see: Who we are and what we do How to contact us
The purpose and legal basis for the organization to process an individual’s personal data	In this policy, see: Why we have your information What information do we collect from you
The legitimate interests of the organization	In general, DreamBox data uses are under the “consent” exceptions of GDPR, but we may obtain and use your data in some specific instances under the “legitimate interests” exception, for exigent circumstances such as Investigating possible security violations
Any recipient or categories of recipients of an individual’s data	All personal information provided by individual customers and school customers is received through automated processes and interfaces into systems administered by the Site Reliability Engineering (SRE) Team of DreamBox Learning, Inc.
Details regarding transfer of personal data to any country outside the EU, and the safeguards taken with that data	DreamBox data is stored and processed in the United States. Details on the protection of that data is found in several sections of this policy.
The retention period or criteria used to determine the retention period of the data	DreamBox retains your data as long as there is a business need for this data, to allow us to provide the educational service we’ve contracted to provide.
The existence of each data subject’s rights Right to Information Right of Access Right of Redress Right of Removal Right of Restriction Right to Data Portability Right to Object Rights concerning automated processing	In this policy, see: How to contact us Why we have your information What information do we collect from you Opting out of providing the information we request How you can view, change, or remove your information DreamBox does not provide any reports or extract relevant to the “Data Portability” right.
The right to withdraw consent at any time	In this policy, see: Opting out of providing the information we request
The right to lodge a complaint with a supervisory authority	In this policy, see the sections for individual regulations, such as FERPA, COPPA, and SOPIPA.
The categories of personal data obtained	In this policy, see: What information do we collect from you What information do we collect from students
The existence of an automated decision-making system, including profiling, and information about the significance, set up, and consequences of this system	DreamBox does not employ any automated decision-making systems that leverage or refer to personal data. The DreamBox system does employ automated decision-making systems that rely on responses and inputs from students during completion of lessons.

Industry Groups, Pledges, and Statements

Student Privacy Pledge

The Future of Privacy Forum (FPF) and The Software & Information Industry Association (SIIA) put together a statement of principles that they believe should be endorsed by every responsible company that collects, handles or stores student personal information. DreamBox is a long-standing signatory of that pledge, and we fully endorse its overall principles and individual elements. The pledge is structured as a set of commitments, covering specific actions a company will or won’t do; for example, we commit to:

• Not collect, maintain, use or share student personal information beyond that needed for authorized educational purposes, or as authorized by the parent/student
• Not sell student personal information
• Not knowingly retain student personal information beyond the time period required to support the authorized educational purposes, or as authorized by the parent/student
• Maintain a comprehensive security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of student personal information against risks

The full Student Privacy Pledge is here: https://studentprivacypledge.org/privacy-pledge/.

Answers to common questions about the pledge: https://studentprivacypledge.org/faqs/ .

Please contact DreamBox (see “How to contact us” below) if you believe we are not fully complying with the Student Privacy Pledge.

 

Software and Technical Standards

Cookies

As a standard practice, DreamBox Learning uses “cookies.” A cookie is a small amount of data sent to your browser from our web server and stored on your computer, then sent back to the server by your browser each time you access our website. Cookies are used solely for the required operations of our website and services. We do not use cookies to collect any personal information, nor do we use them for behavioral advertising, to build a student profile unrelated to the use of DreamBox, or for any other reason.  Please note that if you refuse the DreamBox Learning cookie (by turning cookies off in your browser or by clicking “don’t accept” if you have set your browser to warn you before accepting cookies), our Programs will not work. Cookies cannot be used to gather personal information from your computer.

Do Not Track (DNT signals)

In response to an FTC privacy report in 2010, the major browser manufacturers implemented a feature called “Do Not Track” or simply, “DNT.” The idea was that, by enabling DNT signals in your browser configuration, you would tell sites and services that they were not allowed to track your movements, responses, and choices.

There is no legal obligation for any company to honor these DNT signals. Also, there is no clear guidance or common understanding of what DNT means for collecting information necessary to operate a site.

Because of the lack of clarity and usable best practice information, DreamBox does not currently respond to or interact with DNT signals. We will continue to evaluate DNT as a technology and may consider a change to this policy in the future.

How to Contact Us

Our Data Privacy Officer is J.B. Krewson, VP of Security and Operations. If you have any questions about your privacy or security measures at DreamBox Learning, please contact:

privacy@dreambox.com

Or call our security hotline at

1-888-867-2750

Or, you can contact us through our primary location and main phone number:

DreamBox Learning, Inc.
600 108th Ave NE, Suite 805
Bellevue, WA 98004
(425) 637-8900

Effective Date

This policy is in effect as of November 18, 2019.

Upload Date

This policy was made available on November 18, 2019.

How and When This Privacy Policy Can Change

DreamBox updates this privacy policy at least annually, and whenever we need to express changes to business practices or to clarify how we address a specific law, policy, or technical issue.

When we make significant updates to this policy, we will notify all customers whose data we currently hold. We will also prominently display information about the change on our primary information website, https://dreambox.com . We will generally not send direct notification for additions to reference lists and items: state standards, or links to government and third-party sites providing supporting information.