Who We Are and What We Do
DreamBox Learning Math is an adaptive, online K-8 math program designed to complement classroom instruction and deliver results. We built DreamBox because we believe all children can excel at learning, no matter where they start, where they live, or who they are. We are dedicated to helping children realize their potential, working together with parents, guardians, teachers, principals, and district administrators. A critical part of our vision is that we will safeguard the privacy of every individual who uses DreamBox. (You can read more about our Mission and Vision Statement here: https://www.dreambox.com/company .)
In this policy, we’ve attempted to provide as much useful information as possible, from many different angles, to help you find whatever answers you might need about our approach to privacy. But, at the core, our approach to privacy is this:
DreamBox Learning understands that your data is important, personal, and that it is yours. You shared your data so we can provide you with the DreamBox service, but that we don’t own the data: you do. We will not use your data for third-party marketing or other unrelated purposes. We won’t sell it to or share it with any company not directly involved in providing the DreamBox service. We will not collect additional personal information directly from children, or market products to children using the data you provide. We will always protect your data, using world-class security measures and practices implemented by vetted, fully-trained personnel. We will be transparent about exactly what data we have from you or about you, how we got that data, how we use it, and how you can ask us to remove it. If you ask us to delete your data, we will remove you from the DreamBox service, delete destroy your data quickly and completely, and let you know when we’re done.
This policy is in effect as of September 1, 2019.
Why we have your information
DreamBox has your information for one of these reasons:
You signed up for the DreamBox service, or because an authorized educational institution (a school or school district) shared information about you with DreamBox.
Definitions of some terms used in this policy
Individual Customer or customers that are individuals: individuals or families who directly purchased the DreamBox service for personal or family use.
School Customer: an educational institution that has purchased the DreamBox service and provisions accounts for individual student users.
Student User: any individual using the DreamBox service, whether signed up by a parent or a school. Students may be any age, but DreamBox treats all students as though they are covered by legal protections for children age 13 or younger.
Individual Parent: a parent or guardian of a student who directly signed their student up to use the DreamBox service. (In other words, their student was not signed up by a school or district.)
School Parent: a parent or guardian of a student using the DreamBox service, who has been signed up by a school or district.
Parent: a parent or guardian of a student using the DreamBox service, regardless of how the student was signed up for DreamBox services.
The Information We Collect from Customers
Parent’s First and Last Name: You will need to provide a first and last name to access the parent dashboard to track your student’s progress. For Individual Customers, first and last
Email Address: For customers who are parents and school administration officials, your email address will serve as your login username (For customers that are individuals or students, your name or other identifier set up at registration, or a picture identifier chosen after registration, will serve as your login username.) Your email address may be used to send a confirmation email at registration, as well as information and updates to the DreamBox Service. In some cases, we will also email your student’s personal reports to you, with further information about the progress your student is making. We may use the email address as an additional means of communicating with you about the Programs and DreamBox Learning, including notifying you of updates to
Phone Number: Your phone number will serve as an alternate way of contacting you for the same purposes as the email address. Providing a phone number is optional for Parents using the parent dashboard, though it may be required by our payment processor for
Student’s First and Last Name: Your student’s name will be used to customize your student’s participation in the Programs, and to personalize reports and updates about your student’s progress. Also, for Individual Customers, we may mail related material to you or your student using your name
Student’s Date of Birth: If provided, we will use a student’s age to group Performance Data (See “TheInformation We Collect from Children,” below) of children of similar age, to assess relative performance and improve the program. Such information will be aggregated with other customers in an anonymous manner and will not include any information that could be used to identify a specific student.
Student’s School Grade Level: We will use a student’s grade level to group Performance Data of children of similar grade, to assess relative performance and improve the program. Such information will be aggregated with other customers in an anonymous manner and will not include any information that could be used to identify a specific student.
Student’s Gender: We use a student’s gender to group Performance Data of children of the same gender, so we can analyze aggregate performance, and improve the program. Parent’s Mailing Address: Your mailing address may be used to allow DreamBox Learning to mail you various Program materials and ancillary program products. At a minimum, you must provide a postal code to use the Programs. Providing a street address is optional, though a full address including postal code may be required by our payment processor for
- Credit Card Number
- Credit Card Expiration Date
- First and Last Name
- Billing Address including Postal Code
- Phone Number
This information is never handled directly by DreamBox or stored on any of our systems. All credit
Secondary Uses: DreamBox Learning WILL NOT sell, trade, or assign any personal information we collect to third parties outside of DreamBox Learning nor will we ever directly target any type of communication to a student unless specifically requested by you to do so. Registration Information may be anonymized and aggregated, and the resulting aggregate information used for demographic profiling and advertising. In such cases, the information will always be aggregated and anonymous. If you request that DreamBox share any information provided by you (or in the case of School Customers, your student users) directly with a third party
The Information We Collect from Students
Participation History: Participation History (how often and how much a customer uses the service and its features) will be collected for customer support, product development, marketing, and other operational and business purposes, including improvements to the Programs; however, such information will not be disclosed to third parties or used for advertising to student users. To be clear: we will not use your student’s participation history to market or sell other products to parents.
Performance Data: DreamBox Learning collects information directly from your student, over the Internet, in the form of the interactions that your student makes when participating in the Programs. We refer to the resulting information as “Performance Data,” and it includes but is not limited to data on when your student starts and stops a lesson, the responses your student makes to questions asked, the timing of your
We will use Performance Data to:
- Measure your student’s performance in each lesson of the DreamBox Learning Programs and to adapt the Programs to his or her learning needs
- Analyze your student’s Performance Data, and provide you with periodic progress reports about your student’s performance in the Programs
- mprove the Programs.
DreamBox Learning does not collect personal information directly from students. DreamBox Learning will seek clear, informed authorization of a parent or guardian first if we ever need to collect information (other than Performance Data) directly from a student
We may aggregate your student’s Performance Data with the Performance Data of other students participating in the Programs for marketing and other business-related purposes. Aggregate information will be
How We Protect Information
DreamBox takes great care to ensure we don’t misuse your data, or abuse the trust you placed in us when you shared that data. A significant part of our commitment to your privacy is the way we keep your data out of the wrong hands, either through accidental disclosure or the efforts of hostile actors. DreamBox Learning has multiple security measures in place to protect the information under our control against loss, misuse, or alteration.
Laws and guidelines that apply
DreamBox Learning complies with and enforces U.S. data protection laws across all aspects of our system. By signing
- That your data will be handled in accordance with U.S. privacy law. You waive any right or expectation enumerated under the data protection laws of other jurisdictions, and consent to the application of U.S. data protection law.
- Some regions, such as the EU, do not permit you (the Customer) to grant this consent. DreamBox Learning is not currently available to customers in those jurisdictions.
DreamBox follows ISO 27001 and 27002 guidance for security structures, policies, and procedures.
- Our ISO compliance is reviewed annually by an external audit and certification process, and continually through internal processes and checks.
- We also refer to guidance from other sources, where those do not directly conflict with ISO 27001 standards. In particular, we measure our processes against
- NIST SP 800-53 Rev. 4 and to some degree the draft of Rev. 5.
- The OWASP Top 10 and other output from OWASP.
- HITRUST CSF v9.2.
How we protect information we
- Your data will be stored in the United States.
- Your data is always stored in an encrypted format. Encryption is done using a 256-bit symmetric key created by DreamBox and accessible only by DreamBox core operations staff.
- Your data is always stored in a protected network zone, isolated from employee systems, unprotected networks, and the public Internet.
- Backups and archives that include your data are also encrypted with a 256-bit symmetric key, and also stored in protected network zones.
How We Protect Information During Transmission
Information being sent to or retrieved from our service
- Information accessed through or exchanged with DreamBox’s site is encrypted in transit using certificates, key exchange methods and cipher suites rated “A” or “A+.” Currently, that means an RSA 2048 bit key, using SHA256 with RSA, but DreamBox is continually reviewing best practices and updating our configuration to stay current.
Who Can Access Your Information
- Only authorized employees, with a business need to handle your data, are able to access these protected network zones.
- Those employees sign a binding agreement acknowledging that they will safeguard your privacy, and protect your data. This agreement remains in force even if the employee leaves DreamBox Learning.
- DreamBox conducts a background check on all employees, to confirm there is no criminal history or other disqualifying histories
- We do not provide access to your data to 3rd parties, with these specific exceptions:
- Limited data is shared with processing partners during registration or updates to registration information. For instance, postal code, city, and state information are sent to a service to confirm an accurate postal code.
How and When We Remove Information
DreamBox retains information provided by the Customer (“Customer Data”) only so long as we have a business-related need for it. We will destroy Customer-supplied data, as well as any other customer-identifying data, at any time upon request. However, our service is dependent upon the use of Customer-supplied Data, so destroying your data will mean you will no longer be able to use the DreamBox service. Derivative, anonymous data such as aggregate performance data will be retained.
Our Rules on Sharing
DreamBox Learning WILL NOT sell, trade, or assign any unaggregated personal information that it collects tothird parties. We, however, may aggregate the information that we collect from users of our website to create demographic profiles and performance profiles regarding the progress of students who use the Programs.
DreamBox Learning may share aggregated information with researchers, other clients, marketing professionals or potential investors. This aggregated information will be compiled and reported in the form of ANONYMOUS group statistics only in such a manner that makes individual student users unidentifiable.
In addition, DreamBox Learning may share information about the students, parents, legal guardians, and
Our Rules about Collecting Information Directly from Children
DreamBox does not collect personal information directly from children under 13. Any personal information about children that we receive, process or store comes from one of two sources: parents who share information about their children, or schools and districts who share information about the students in their charge. If we ever need to collect personal information from children, we will do so only after receiving explicit permission from their parents or guardians.
Consenting to Our Collection and Use of Your Information
To use the DreamBoxPrograms, you will be asked to submit certain personal information about you and your student, and to authorize DreamBox Learning to use that information in a limited number of ways. If you are signing up directly as a parent or legal guardian of a student that will use DreamBox, we will require you to review and submit a Parental Consent as part of the registration process, which will require you to consent to our collection and use of information directly from your student over the Internet as described above. If you are the parent of a student using DreamBox through a school or district, your school will authorize our use of your information on your behalf.
Opting Out of Providing the Information We Request
Because the DreamBox Learning Programs are individualized and customized for each student, all the information we request from you and your student is required for you and your student to participate in the Programs, except for certain information to be used for our communication purposes to you only. At any time, you may revoke your consent to allowing your student to participate in the DreamBox Learning Programs or refuse to allow DreamBox Learning to further use or collect your student’s personal information. Any Anonymous Performance Data will be retained, but we will not retain any identifiable information regarding you or your student that you have provided. However, if you do any of the above, you and your student will not be able to participate in the Programs.
How You Can View, Change, or Remove Your Information
You can review and modify your Registration Information at any time by accessing our dashboard website using your login and password. You can also request that DreamBox remove your information: see “How to Contact Us” below for information on how to place a request.
How Does DreamBox Comply with Laws, Regulations, Industry Group Statements and Other Guidelines
US Federal regulations
CIPA (Children’s Internet Protection Act)
The Children’s Internet Protection Act (CIPA) is a federal law enacted by Congress in December 2000 to address concerns about access to offensive content over the Internet on school and library computers. CIPA imposes requirements on any school or library that receives funding
support for Internet access or internal connections from the “E-rate” program — a program that makes certain technology more affordable for eligible schools and libraries. Our Programs do not provide links to external resources or chat rooms and do not contain any offensive or inappropriate material. For more information about CIPA, please go to http://www.fcc.gov/cgb/consumerfacts/cipa.html.
COPPA (Children’s Online Privacy Protection Act)
For our Individual Customers or parents or legal guardians of a student: Congress has enacted a law called the Children’s Online Privacy Protection Act of 1998 (COPPA), designed to protect children’s privacy during
For our customers who are individuals, provided you are 18 years of age or older, you will be asked, at the time of registration, whether you consent to
For more information about COPPA, visit the FTC site at http://www.ftc.gov/ogc/coppa1.htm.
To report a COPPA violation, you can visit https://www.ftccomplaintassistant.gov/#crnt&panel1-1 or call (877) FTC-HELP.
FERPA (The Family Educational Rights and Privacy Act)
For our School Customers: The Family Educational Rights and Privacy Act (FERPA) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA gives parents certain rights with respect to their children’s education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. DreamBox Learning helps our School Customers be compliant with FERPA. Specifically:
• Any sensitive online information is transmitted over secure channels
• All student data are stored in ways that are not publicly accessible
• Security audits are regularly performed to ensure data integrity
• DreamBox Learning does not share information with third parties that could be used to identify students without consent from the student’s parent, guardian, or school.
• If a School Customer requests that student data be sent to a third party DreamBox Learning will:
(i) send the data to the School Customer directly to transfer to the third party or
(ii) send the data directly to the third party designated by School Customer if requested by that customer, provided the School agrees that School Customer is solely responsible for
For more information about FERPA, please go to the US Department of Education site at http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html.
To report a FERPA violation, please visit https://studentprivacy.ed.gov/file-a-complaint.
HIPAA (Health Insurance Portability and Accountability Act)
Originally enacted in 1996, Health Insurance Portability and Accountability Act introduced most of the security and privacy guidelines now in place for US healthcare, as well as establishing guidelines for the insurance industry, guaranteeing interoperability of healthcare systems, and various other key reforms. In the context of education, the elements of HIPAA most likely to come into play are from HIPAA Title II (Administrative Simplification), particularly around Privacy, Security
While HIPAA does not directly cover DreamBox’s business or operations, as we are not a healthcare provider, insurance company, or healthcare information clearinghouse, some specific elements of HIPAA might be invoked in special circumstances. For instance, if a school or parent were to inadvertently share HIPAA-protected information with DreamBox, such as vaccination history or illness-related absence information, DreamBox would not be allowed to share that
In summary: DreamBox fully complies with HIPAA in all cases where it might apply, but HIPAA is not a direct guideline for DreamBox’s security or privacy practices, being superseded by FERPA, COPPA, and other education and privacy laws.
For more information on HIPAA please refer to the US Dept of Health and Human Services site at
PPRA (Protection of Pupil Rights Amendments)
The Protection of Pupil Rights Amendments, originally established in 1978 and updated by the No Child Left Behind Act in 2001, says parents must first consent before a school (or their agent) may collect personal information from minor students as part of a survey, study, or evaluation.
Personal information is defined to include things that are considered PII, as well as attitudes and opinions about sex, embarrassing personal history, and critical appraisals of family members. In all cases, DreamBox complies with this law. DreamBox does not collect personal information directly from students. If a student submits or provides personal information of their own
For more information about PPRA, visit the US Department of Education site at
CalOPPA (California Online Privacy Protection Act)
CCPA (California Consumer Privacy Act)
For all our customers, parents, and students who are residents of California: The California Consumer Privacy Act (CCPA) is a California law that codifies some privacy and consumer rights. It was passed in 2018 but is scheduled to take effect on January 1, 2020. It guarantees that California residents have, among other rights,
- The right to know what personal data any company has about them, where that data came from, and how it
- The right to know whether their data is sold or disclosed, and to whom
- The right to opt-out (prevent) the sale or disclosure of their data
- The right to have their data deleted
CCPA provides some specific guidelines on how these rights will be protected and enabled by companies doing business with California residents.
DreamBox will comply with all provisions of CCPA, and detailed information about how to place CCPA-protected requests with DreamBox will be provided on the DreamBox main website by January 1, 2020.
SOPIPA (Student Online Personal Information Protection Act)
California’s SB-1177, often referred to as the Student Online Personal Information Protection Act (SOPIPA) forbids websites and online service operators from knowingly selling, disclosing, using or allowing a 3rd party to use the personal
DreamBox fully complies with all aspects of SOPIPA and similar laws. We do not use individual or identifiable studentpersonal information for marketing. We don’t resell or share that information with third parties or allow them toreference that information for sales or marketing.
If you believe you have observed or experienced a SOPIPA violation, you should notify the office of the California Attorney General.
Other State and Municipal Regulations
The European Union’s (EU) General Data Protection Regulation (GDPR) is a comprehensive privacy and security law that governs how companies of all sizes must behave when handling, storing, transmitting and removing the personal data of individuals who are residing in the EU. DreamBox does not currently market to customers or
GDPR provides guidelines on
Industry Groups, Pledges, and Statements
Student Privacy Pledge
The Future of Privacy Forum (FPF) and The Software & Information Industry Association (SIIA) put together a statement of principles that they believe should be endorsed by every responsible company that collects, handles or stores student personal information. DreamBox is a long- standing signatory of that pledge, and we fully endorse its overall principles and individual elements. The pledge is structured as a set of commitments, covering specific actionsa company will or won’t do; for example, we commit to:
- Not collect, maintain, use or share student personal information beyond that needed for authorized educational purposes, or as authorized by the parent/student
- Not sell student personal information
- Not knowingly retain student personal information beyond the time period required to support the authorized educational purposes, or as authorized by the parent/student
- Maintain a comprehensive security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of student personal information against risks
The full Student Privacy Pledge is here: https://studentprivacypledge.org/privacy-pledge/. Answers to common questions about the pledge:
Software and Technical Standards
As a standard practice, DreamBox Learning uses “cookies.” A cookie is a small amount of data sent to your browser from our web server and stored on your computer, then sent back to the server by your browser each time you access our website. Cookies are used solely for the required operations of our website and services. We do not use
Do Not Track (DNT signals)
In response to an FTC privacy report in 2010, the major browser manufacturers implemented a feature called “Do Not Track” or simply, “DNT.” The idea was that, by enabling DNT signals in your browser configuration, you would tell sites
There is no legal obligation for any company to honor these DNT signals. Also, there is no clear guidance or common understanding of what DNT means for collecting information necessary to operate a site. Because of the lack of clarity and usable best practice information, DreamBox does not currently respond to or interact with DNT signals. We will continue to evaluate DNT as
When we make significant updates to this policy, we will notify all customers whose data we currently hold. Wewill also prominently display information about the change on our primary information website, https://www.dreambox.com . We will generally not send direct notification for additions to reference lists and items: state standards, or links to government and third-party sites providing supporting information.
How to Contact Us
Our Data Privacy Officer is J.B. Krewson, VP of Security and Operations. If you have any questions about your privacy or security measures at DreamBox Learning, please contact his group at:
Or call our security hotline at 1-888-867-2750
Or, you can contact us through our primary location and main phone number:
DreamBox Learning, Inc.
600 108th Ave NE, Suite805
Bellevue, WA 98004
How to Contact Other Sources and Authorities about Privacy Issues
US Federal Government – Protecting Your Privacy: https://www.usa.gov/privacy (general)
https://tech.ed.gov/privacy/ (From the Office of Educational Technology) Federal Trade Commission –Protecting Your Child’s Privacy Online: