Curriculum Advantage, Inc. (“CAI”) is leading the way in K-12 curriculum and assessment. Curriculum Advantage’s programs provide teachers with powerful tools that help them understand and respond to the needs of every student and use data in a way that is safe, secure, and effective.
CAI is also an early adopter and proud signatory of the Student Privacy Pledge, an industry-wide pledge to safeguard privacy and security of student data. For more information on the pledge, see https://studentprivacypledge.org/.
Capitalized terms not defined in this section or above will have the meaning set forth by Applicable Laws.
“Agreement” means the underlying contractual Agreement between CAI and the School Customer.
“Authorized Users” means K-12 students, educators, staff and families using CAI’s Products pursuant to an Agreement.
“School Customer” means the School District or State Agency that is the party to the Agreement to provide the CAI Products to the School Customer’s Authorized Users.
“School District” means a local education agency, school network, independent school, or other regional education system.
“State Agency” means the educational agency primarily responsible for the supervision of public elementary and secondary schools in any of the 50 states, the Commonwealth of Puerto Rico, the District of Columbia or other territories and possessions of the United States.
“Student Data” means any information that directly relates to an identifiable current or former student that CAI collects, receives, or generates in the course of providing the Products to or on behalf of a School Customer. Student Data may include personal information from a student’s “educational records,” as defined by FERPA.
2. Student Data Collected
CAI receives Student Data in two ways: (i) from our School Customers to implement the use of our Products and (ii) from Authorized Users.
Information provided by our School Customers
Most of CAI’s educational Products require some basic information about who is in a classroom and who teaches the class. This roster information, including name, email address, grade level, and school ID numbers, is provided to CAI by our School Customers either directly from the School Customer’s student information system or via a third party with whom the School Customer contracts to provide that information.
Our Customers may also choose to provide additional student demographic data (e.g. socio-economic status, race, national origin) and other school records (e.g. grades, attendance, assessment results) to CAI for tailoring individual learning programs or enabling additional reporting capabilities through CAI Products. For example, a School District may wish to analyze student reading assessment results based on English Language Learner status in order to better differentiate instruction, and in that case may provide that data along with other roster information.
Information collected through our Products.
Schoolwork and student generated content. We collect information contained in student assignments and assessments, including information in responses to instructional activities and participation in collaborative or interactive features of our Products. As part of the digital learning experience, some of our Products may enable students to write texts and create and upload images, video and audio recordings.
Teacher comments and feedback. Some of our Products may enable educators to provide scores, written comments, or other feedback about student responses or student course performance.
Other Personal Information Collected
School Customer Information. We collect personal information when a teacher, administrator or other authorized person associated with a School District or State Agency Customer creates an account or uses our Products or communicates with us. This could include contact information, such as a name, phone number, email address, as well as information about the individual’s school and location.
Parent and Guardian Information. From time to time, we may collect personal information from or about a Student’s parent or legal guardian. This information may be provided by a School Customer or directly by the parent or guardian who communicates with us or creates an account.
Device and Usage Data.
Depending on the Product, we may collect certain information about the device used to connect to our Product, such as device type and model, browser configurations and persistent identifiers, such as IP addresses and unique device identifiers. We may collect device diagnostic information, such as battery level, usage logs and error logs as well as usage, viewing and technical information, such as the number of requests a device makes, to ensure proper system capacity for all Authorized Users. We may collect geolocation information from a user’s device, or may approximate device location based on other metrics, like an IP address. Some of our Products use “cookies,” Web beacons, HTML5 local storage and other similar technologies to collect and store such data. We use this information to remember returning users and facilitate ease of login, to customize the function and appearance of the Products, and to improve the learning experience. This information also helps us to track product usage for various purposes including website optimization, to ensure proper system capacity, troubleshoot and fix errors, provide technical assistance and customer support, provide and monitor the effectiveness of our Products, monitor and address security concerns, and to compile analytics for product improvement and other internal purposes.
With respect to cookies, you may be able to reject cookies through your browser or device controls, but doing so may negatively impact your experience as some features may not work properly. To learn more about browser cookies, including how to manage or delete them, check the “Help,” “Tools” or similar section of your browser. If we link or combine device and usage information with personal information we have collected directly from users that relates to or identifies a particular individual, we will treat the combined information as personal information.
Third-party website tracking. CAI does not track students across third-party websites and does not respond to Do Not Track (DNT) signals. CAI does not permit third party advertising networks to collect information from or about Students using CAI educational Products for the purpose of serving targeted advertising across websites and over time and CAI will never use Student Data for targeted advertising.
3. Use of Student Data
CAI uses Student Data collected from, or on behalf of, a School Customer to support the learning experience, to provide the Products to the School Customer and to ensure secure and effective operation of our Products, including:
to provide and improve our educational Products and to support School Customers’ and Authorized Users’ activities;
for purposes requested or authorized by the School Customer or as otherwise permitted by Applicable Laws;
for adaptive or personalized learning purposes, provided that Student Data is not disclosed;
for customer support purposes, to respond to the inquiries and fulfill the requests of our School Customers and their Authorized Users;
to enforce product access and security controls; and
to conduct system audits and improve protections against the misuse of our Products, or to detect and prevent fraud and other harmful activities.
CAI may use de-identified data as described in Section 5 below.
4. Disclosure of Student Data
We share or disclose Student Data only as needed to provide the Products under the Agreement and as required by law, including but not limited to the following:
as directed or permitted by the School Customer;
to other Authorized Users of the School Customer entitled to access such data in connection with the Products;
to our service providers, subprocessors, or vendors who have a legitimate need to access such data in order to assist us in providing our Products, such as platform, infrastructure, and application software. We contractually bind such parties to protect Student Data in a manner consistent with those practices set forth in this Policy;
to comply with the law, respond to requests in legal or government enforcement proceedings (such as complying with a subpoena), protect our rights in a legal dispute, or seek assistance of law enforcement in the event of a threat to our rights, security or property or that of our affiliates, customers, Authorized Users or others;
in the event CAI or all or part of its assets are acquired or transferred to another party, including in connection with any bankruptcy or similar proceedings, provided that the successor entity will be required to comply with the privacy protections in this Policy with respect to information collected under this Policy, or we will provide School Customers with notice and an opportunity to opt out of the transfer of Student Data by deleting such data prior to the transfer; and
except as restricted by Applicable Laws or contracts with our School Customers, we may also share Student Data with CAI’s affiliated education companies, provided that such disclosure is solely for the purposes of providing Products and at all times is subject to this Policy.
5. De-Identified Data
CAI may use de-identified or aggregate data for purposes allowed under FERPA and other Applicable Laws, to research, develop and improve educational sites, services and applications and to demonstrate the effectiveness of the CAI Products. We may also share de-identified data with research partners to help us analyze the information for product improvement and development purposes.
Records and information are considered to be de-identified when all personally identifiable information has been removed or obscured, such that the remaining information does not reasonably identify a specific individual. We de-identify Student Data in compliance with Applicable Laws and in accordance with the guidelines of NIST SP 800-122. CAI has implemented internal procedures and controls to protect against the re-identification of de-identified Student Data. CAI does not disclose de-identified data to its research partners unless that party has agreed in writing not to attempt to re-identify such data.
6. Prohibitions; Advertising; Advertising limitations
CAI will not:
sell Student Data to third parties;
use or disclose Student Data to inform, influence, or enable targeted advertising to a student based on Student Data or information or data inferred over time from the student’s usage of the Products;
use Student Data to develop a profile of a student for any purpose other than providing the Products to a School Customer, or as authorized by a parent or legal guardian;
use Student Data for any commercial purpose other than to provide the Products to the School Customer, as authorized by the School Customer or the parent or guardian, or as permitted by Applicable Laws.
CAI may, from time to time, provide customized content, advertising, and commercial messages to School Customers, teachers, school administrators or other non-student users, provided that such advertisements shall not be based on Student Data. CAI may use Student Data to recommend educational products or services to users, or to notify users about new educational product updates, features, or services.
7. External Third-Party Services
Users may be able to log in to our Products using third-party sign-in services such as Classlink or Google. These services authenticate your identity and provide you with the option to share certain personal information with us, including your name and email address, to pre-populate the user account information. If you choose to enable a third party to share your third-party account credentials with CAI, we may obtain personal information via that mechanism. You may configure your accounts on these third party platform services to control what information they share.
CAI maintains a comprehensive information security program and uses industry standard administrative, technical, operational and physical measures to safeguard Student Data in its possession against loss, theft and unauthorized use, disclosure or modification. CAI performs periodic risk assessments of its information security program and prioritizes the remediation of identified security vulnerabilities.
In the event CAI discovers or is notified that Student Data within our possession or control was disclosed to, or acquired by, an unauthorized party, we will investigate the incident, take steps to mitigate the potential impact, and notify the School Customer in accordance with Applicable Laws.
Data encryption is an important element of our protection of sensitive data at rest and in transit, and is reviewed and updated as appropriate annually, based on the latest standards and guidelines published by OWASP and NIST.
In transit: CAI encrypts all student data in transit over public connections, using Transport Layer Security (TLS), commonly known as SSL, using industry-standard protocols, ciphers, algorithms, and key sizes.
At rest: CAI encrypts student data at rest using the industry-standard AES-256 encryption algorithm.
CAI Products recommend a strong password at sign-up and account creation. CAI recommends the use of Single Sign-On (SSO) methods to ensure secure access to CAI Products based on the School Customer’s privacy and security policies.
CAI’s access control principles dictate that all student data we store on behalf of customers is accessible to district-authorized users and to a limited set of internal CAI users, with 2-factor authentication, who may only access the data for purposes authorized by the district. Districts maintain control over their internal users and may grant or revoke access.
9. Review and correction
FERPA requires schools to provide parents with access to their children’s education records, and parents may request that the school correct records that they believe to be inaccurate or misleading.
If you are a parent or guardian and would like to review, correct or update your child’s data stored in our Products, contact your School District. CAI will work with your School District to enable your access to and, if applicable, correction of your child’s education records.
If you have any questions about whom to contact or other questions about your child’s data, you may contact us using the information provided below.
10. Student Data retention
We will retain Student Data for the period necessary to fulfill the purposes outlined in this Policy and our agreement with that School Customer. We do not knowingly retain Student Data beyond the time period required to support a School Customer’s educational purpose, unless authorized by the School Customer. Upon notice from our School Customers, CAI will return, delete, or destroy Student Data stored by CAI in accordance with applicable law and customer requirements. We may not be able to fully delete all data in all circumstances, such as information retained in technical support records, customer service records, back-ups and similar business records. Unless otherwise notified by our School Customer, we will delete or de-identify Student Data after termination of our Agreement with the School Customer.
We do not knowingly collect personal information from a child under 13 unless and until a School Customer has authorized us to collect such information through the provision of Products on the School Customer’s behalf. We comply with all applicable provisions of the Children’s Online Privacy Protection Act (“COPPA”). To the extent COPPA applies to the information we collect, we process such information for educational purposes only, at the direction of the partnering School District or State Agency and on the basis of educational institutional consent. Upon request, we provide the School Customer the opportunity to review and delete the personal information collected from students. If you are a parent or guardian and have questions about your child’s use of the Products and any personal information collected, please direct these questions to your child’s school.
12. Updates to this policy
We may change this Policy in the future. For example, we may update it to comply with new laws or regulations, to conform to industry best practices, or to reflect changes in our product offerings. When these changes do not reflect material changes in our practices with respect to use and/or disclosure of Student Data, such changes to the Policy will become effective when we post the revised Policy on our website. In the event there are material changes in our practices that would result in Student Data being used in a materially different manner than was disclosed when the information was collected, we will notify School Customers affected by the changes via the email contact information provided by the customer and provide an opportunity to opt out before such changes take effect.
13. Contact us
If you have questions about this Policy, please contact us at:
Mail: Curriculum Advantage, Inc.
PO Box 3243
Duluth, GA 30096
Attn: General Counsel
To report a security vulnerability, email us at firstname.lastname@example.org.
Nevada. This section applies if you are a resident of the state of Nevada. While CAI does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personally identifiable information to email@example.com.
California. This section applies to you if you are a resident of the state of California and for purposes of this section the term “personal information” has the meaning provided by the California Consumer Privacy Act (the “CCPA”). Residents of California may be entitled to certain rights with respect to personal information that we collect about them under the CCPA: the Right to Know, the Right to Request Deletion and the Right to Opt-Out of Personal Information Sales. You also have the right to be free of discrimination for exercising these rights. However, please note that if the exercise of these rights limits our ability to process personal information (such as in the case of a deletion request), we may no longer be able to provide you the Products or engage with you in the same manner. To request to exercise your California consumer rights, please contact us at firstname.lastname@example.org with the subject line “California Rights Request.”
Note for students and other users who engage with CAI in connection with a School Customer’s use of CAI: Because CAI provides the Products to School Customers as a “School Official,” we collect, retain, use and disclose Student Data only for or on behalf of our School Customers for the purpose of providing the Products specified in our agreement with the Customer and for no other commercial purpose. Accordingly, we act as a “service provider” for our School Customers under the CCPA. If you have any questions or would like to exercise your California rights, please contact your School directly.