1. TYPES OF DATA COLLECTED AND PROCESSED.
Company stores and processes the information Company collects in the United States in accordance with this Privacy Statement. Company's sub-processors may store and process data outside the United States. User data collected on the site includes the User’s name, address, e-mail addresses, credit card information, order information, browser type, and the date and time of each User request. Company also collects potentially personally- identifying information like Internet Protocol (IP) addresses, and any other information voluntarily provided (hereafter "Personal Information"). Company understands that Users may be from different countries and regions with different privacy laws and expectations, and Company tries to meet or exceed those expectations even when the United States may not have the same privacy regulations as other countries. Company provides the same standard of privacy protection — as described in this Privacy Statement — to all Users around the world, regardless of their country of origin or location. Company strives to implement and adhere to the strictest standards of notice, choice, accountability, security, data integrity, access and recourse practically available. Company's vendors or User's school or educational institutions that have access to User Personal Information are also required to maintain the security and integrity of any User Personal Information. Company provides clear methods of unambiguous, informed consent at the time of data collection, when Company collects User's Personal Information using consent as a basis. Company collects only the minimum amount of Personal Information necessary for Company's purposes unless Users choose to provide more. Company offers Users simple methods of accessing, correcting, or deleting the User Personal Information collected by Company. Company provides Users notice, choice, accountability, security, and access, and limits the purpose for processing. Company also provides Users a method of recourse and enforcement. Company collects and stores Personal Information about Users of the site on third party servers to enable transactions and for site security and analytics.
Company may collect and store Personal Information or other data about patterns of usage and order history; which activities a User starts and finishes; when the User starts and stops an activity, and which areas of the site a User visits. Only Personal Information or other data necessary to the operation, maintenance, and improvement of Company’s business is collected.
Premium Group account holders represent and warrant that they have obtained written permission and consent for the student to use the service from the student user's parent or legal guardian. Users may review this data and request it be removed or corrected by contacting Company’s webmaster at: Privacy@EmotionalABCs.com. Company is not responsible for, and has no control over, Personal Information or other data collected by Schools or provided by Users to Schools or other third parties.
2. STUDENT PRIVACY PLEDGE
Company adheres to the Student Privacy Pledge, an industry standard approach to privacy for K-12 service providers ("The Pledge"). The Pledge was created by the Future of Privacy Forum (FPF) and The Software & Information Industry Association (SIIA) and has been endorsed by the National School Boards Association (NSBA), the National Parent-Teacher Association (PTA), and the White House.
As part of Company's commitment to The Pledge, when Company has access to User or student Personal Information through the provision of Company's Services, the following principles guide Company's practices regarding data, security, and technology:
Company commits to:
Company affirmatively commits to the following:
3. CROSS-BORDER DATA TRANSFERS
For cross-border data transfers from the European Union (EU) and the European Economic Area (EEA), Canada or Australia, in addition to providing Users methods of unambiguous, informed consent and control over their data, Company is committed to subject any Personal Information received from the EU, EEA, Australia, Canada or anywhere else to the same stringent protections and limitations. Company adheres to the federal privacy protection standards in the Children’s Online Privacy Protection Act (COPPA), the California Online Privacy Protection Act of 2003 ("CalOPPA"), the Student Privacy Pledge, the Family Educational Rights and Privacy Act ("FERPA"), The Student Online Personal Information Protection Act ("SOPIPA"), California Assembly Bill 1584 ("AB 1584") and the California Consumer Privacy Act ("CCPA" - AB 375). Further, Company uses reasonable efforts to comply with the General Data Protection Regulation ("GDPR"), the Canadian Personal Information Protection and Electronic Documents Act (PipEDA"), the Australian Commonwealth Privacy Act, and other applicable laws, statutes, regulations and treaties worldwide. Company does not intentionally collect Personal Information online from children without their parent’s consent other than as described herein. Children may visit any area of the site and may participate in activities without providing any Personal Information or other data. Online orders, however, may only be placed by adults over the age of 18 or by minors under the age of 18 with the consent of the minor’s parent or legal guardian. In authorizing persons under 18 to place orders through the site, the parent or legal guardian consents to the collection of Personal Information or other data necessary to process and complete the transaction and for security purposes. If a person under 18 sends a request to Company, Company webmaster will keep their e-mail address for long enough to respond to them. Company may delete this information from its system in the ordinary course of business, generally after the question is answered. Parents may request to review or delete any information submitted by his or her child by sending an email to Company's webmaster at "Privacy@EmotionalABCs.com" or by sending a written, postpaid request addressed to: Emotional ABCs, Inc., 3435 Ocean Park Blvd #107-259, Santa Monica, CA 90405-3300 - Attn: Webmaster, Children’s Online Privacy Act - Delete Request. Requests must include proof verifying that the requester is the parent of the child whose information is requested.
4. COOKIES, TRACKING
In addition to Personal Information, Company’s web servers automatically identify computers by their IP addresses. Company may use IP addresses to administer the site or gather other information. Further, the site may use “cookies” during the session transaction process to enable ordering. By using Company's website, Users agree Company can place these types of cookies on User's computer or device. If User disables User's browser or device's ability to accept these types of cookies User will not be able to login or use Company's website services. Company currently does not respond to Users' browser's Do Not Track signal. Company does not permit third parties other than Company's analytics and service providers to track Users' activities on the site. Company does not track Users' online browsing activities on other online sites or services. Company does not disclose cookie data to any third party.
5. USE OF DATA
Company may use Users’ Personal Information to identify Users for online activities such as online ordering or any other online interactive activities, to respond to specific requests from Users, to obtain parental consent from Users under 18 years of age when necessary and to protect the security or integrity of the website.
6. TYPE AND IDENTITY OF THIRD PARTIES TO WHOM DATA IS DISCLOSED
Company does not disclose the personally identifiable information of any User to third parties for any marketing or promotional purposes. Company may disclose de-identified and/or aggregated User information for any other purpose as permissible by applicable law—for example, the distribution of de-identified User records to outside researchers or the distribution of reports containing aggregate user demographic and traffic patterns—provided that no individual User or any specific end user device can be readily identified.
7. PURPOSES FOR WHICH DATA IS PROCESSED
Under certain international laws (including GDPR), Company is required to notify you about the legal basis on which we process User Personal Information. Company processes User Personal Information on the following legal bases: When Users create a Company account, Users provide username and an email address. Company requires those data elements for User to enter into the Terms of Service agreement with Company, and Company processes those elements on the basis of performing that contract. Company also processes Users' username and email address on other bases. Company does not collect or process a credit card number, but our third-party payment processor does.
On Individual or Family accounts, the parent uses the parent's own email, password and credit card information. Parents and children together create a username of their own choice and choose a picture password. Child Users require the parent's email and parent's password to begin using the service. On Free Teacher accounts, teachers get a single user account for themselves. Teachers use their own email address and password and create a single user account for themselves.
On Premium Group accounts teachers or administrators use their school email address and password and school related information when they sign up for the service. School administrators or teachers are able to add student rosters with no other identifying information about students. Teachers assign students into their accounts with a QR code or a website link in the classroom. Parents get an email from the school or the teacher allowing them to sign into the Premium Group individual student account with the parents own email and password to allow the child/student to use their school account from home.
When Users fill out the information in User's user profile, Users have the option to provide User Personal Information such as User's full name, an avatar, and first name or nickname. Company processes this information on the basis of consent. All of this information is entirely optional, and Users have the ability to access, modify, and delete it at any time. Generally, the remainder of the processing of Personal Information by Company is necessary for the purposes of Company's legitimate interests. For example, for security purposes, Company must keep logs of IP addresses that access Company, and in order to respond to legal process, Company is required to keep records of users who have sent and received DMCA takedown notices. If you would like to request erasure of data we process on the basis of consent or object to our processing of Personal Information, Users or Parents of Users may request to review, correct or delete any information submitted by User or User's child by sending an email to Company webmaster at: "Privacy@EmotionalABCs.com" or a written request addressed to Emotional ABCs, Inc., 3435 Ocean Park Blvd #107-259, Santa Monica, CA 90405-3300 - Attn: Webmaster, Children’s Online Privacy Act - Delete Request. Requests must include proof verifying that the requester is the User or parent of the child whose information is requested.
Company will not retain Personal Information longer than necessary and will delete all student Personal Information at the termination of the contract or when it is no longer needed by Company.
Users to the website select a password to access the Materials and Content and other features of the website and allow Users to review and change the information Company collects about them or their child. Users' passwords should be kept confidential.
12. DISPUTE RESOLUTION
13. (a) CALIFORNIA PRIVACY RIGHTS
This Section applies to the use of Company’s service by Schools located in the State of California. This section documents compliance with applicable California state laws that may apply to the use of Company’s service by Schools in California, such as the California Consumer Privacy Act, California Civil Code §§ 1798.100 et seq. ("CCPA"), California Online Privacy Protection Act of 2003 ("CalOPPA"), California Assembly Bill 1584 ("AB 1584"), and the California Consumer Privacy Act ("CCPA") - AB 375. Effective January 1, 2020, the California Consumer Privacy Act California Civil Code §§ 1798.100 et seq. ("CCPA") provides California residents with specific rights regarding their Personal Information. This section describes User CCPA rights and explains how to exercise those rights. The CCPA can be reviewed at oag.ca.gov/privacy/ccpa. In this section "User" or "Users" refers to California residents. Under the CCPA Company is required to disclose categories of sources from which Company collects Personal Information, and the third parties with whom Company shares such information. Company is also required to communicate information about rights Users have under California law, such as:
Right to access Personal Information. [CC § 1798.100] Users may be entitled to receive the specific pieces of User Personal Information Company holds.
Right to data portability. [CC § 1798.100] Users may be entitled to receive a copy of User electronic Personal Information in a readily usable format.
Right to disclosure. [CC §§1798.110, 1798.115] User may be entitled to receive information regarding the categories of Personal Information Company collected, the sources from which Company collected Personal Information, the purposes for which Company collected and shared Personal Information, the categories of Personal Information that Company sold, the categories of third parties to whom the Personal Information was sold, and the categories of Personal Information that Company disclosed for a business purpose in the 12 months preceding the User request. In the 12 months preceding January 1, 2020, Company did not disclose to any third party any categories of User Personal Information for business purposes or otherwise, including without limitation: identifiers, commercial information, electronic network and Internet activity information, geolocation data, or inferences about Users drawn from such data.
Right to deletion. [CC § 1798.105] Users may be entitled to request that Company delete the Personal Information that Company has collected from User. Company will use commercially reasonable efforts to honor User requests in compliance with applicable laws. Please note, however, Company may need or be required to keep such information, such as for Company's legitimate business purposes or to comply with applicable law.
Right to opt-out of certain sharing with third parties. [CC § 1798.120] Users are entitled to direct Company to stop disclosing User Personal Information to third parties for monetary or other valuable consideration. Company does not currently disclose any User Personal Information to any third parties for monetary or other valuable consideration. If Company ever does disclose any User Personal Information to third parties, Users can exercise such right to opt-out by clicking on the link on Company's homepage titled “Do Not Sell My Personal Information,” which will direct Users to an Internet Company page that enables Users, or a person authorized by the User, to opt-out of the sale of the User's Personal Information. Company does not require a User or consumer to create an account in order to direct Company not to sell the User's/consumer’s Personal Information. User/consumers can also opt-out by sending an email to Company's webmaster at Support@EmotionalABCs.com, sending a written, postpaid request addressed to: Emotional ABCs, Inc., 3435 Ocean Park Blvd #107-259, Santa Monica, CA 90405-3300- Attn: Company webmaster, or by calling toll-free (877) 399-8763.
Company will never monetize User Personal Information by providing it to a third party in exchange for money. The CCPA has a broader definition of the term "sell" which includes disclosing Personal Information to any third party for valuable consideration. Company does not share any Personal Information with any of Company's advertising partners, nor does Company disclose any of its cookie data to any third parties.
In addition, Company is required to provide User certain information about the business and commercial purposes for which Company collects and shares User Personal Information. Company may use or disclose User Personal Information Company collect for the business purposes described in this policy, including but not limited to: processing payments, conducting research, detecting security incidents, preventing fraud, debugging and repairing errors, maintaining User account, providing customer service, and other activities to improve Company's service, market Company's services, and understand how Users interact with Company's services. Non-Discrimination. [CC § 1798.125] Company fully supports User privacy rights and will not discriminate against Users for exercising any of User CCPA rights.
Exercising Access, Disclosure, Data Portability, and Deletion Rights
To exercise the access, disclosure, data portability, and deletion rights described above, please submit a verifiable consumer request by either contacting Company by email to Company's webmaster at Privacy@EmotionalABCs.com, or send a postpaid written, request addressed: to Emotional ABCs, Inc., 3435 Ocean Park Blvd #107-259, Santa Monica, CA 90405-3300 - Attn: Webmaster, or by calling toll-free: (877) 399-8763.
Only a User or a person registered with the California Secretary of State that User has authorized to act on User's behalf may make a verifiable consumer request related to User Personal Information. Users may also make a verifiable consumer request on behalf of User's child.
Users may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must: i) Provide sufficient information to allow Company to reasonably verify User is the person about whom Company collected Personal Information or an authorized representative of User; and ii) describe User's request with sufficient detail to allow Company to properly understand, evaluate, and respond to it.
Company cannot respond to User requests or provide Users with Personal Information if Company cannot verify User's identity or authority to make the request and confirm the Personal Information relates to User. Making a verifiable consumer request does not require Users to create an account with Company. Company will only use Personal Information provided in a verifiable consumer request to verify the requestor's identity or authority to make the request.
13. (b) CONNECTICUT PRIVACY LAWS
This Section applies to the use of Company’s service by Schools located in the State of Connecticut. This section documents compliance with Connecticut state laws that may apply to the use of Company’s service by Schools in Connecticut, such as Conn. Gen. Stat. Ann. § 10-234aa-dd, and incorporates by reference the definitions set forth in Conn. Gen. Stat. Ann. § 10-234aa.
If you open a Company account to provide the service to students in a School located in the State of Connecticut, you represent and warrant that you are authorized to do so on behalf of the local or regional board of education with authority over the School and that you are authorized to communicate with Company on behalf of the local or regional board of education.
Company and you shall comply with all applicable sections of Conn. Gen. Stat. Ann. § 10-234aa-dd. The following terms shall apply as required by Conn. Gen. Stat. Ann. § 10-234bb. To the extent that any such required terms conflict with other terms in this Agreement, the terms of this Section shall apply.
Student information, student records and student-generated content are not the property of or under the control of Company.
The local or regional board of education may request the deletion of any student information, student records or student-generated content in the possession of Company by sending a request to Privacy@EmotionalABCs.com. As permitted by Conn. Gen. Stat. Ann. § 10-234bb(2), Company is not required to delete information prohibited from deletion or required to be retained under state or federal law or stored as a copy as part of a disaster recovery storage system and that is (i) inaccessible to the public, and (ii) unable to be used in the normal course of business by the contractor. Company will, however, comply with requests for deletion of student information, student, records, or student-generated content that is restored from such disaster recovery storage systems.
Company will not use student information, student records and student-generated content for any purposes other than those authorized pursuant to this Agreement.
A student, parent or legal guardian of a student may review personally identifiable information contained in student information, student records or student-generated content and correct erroneous information, if any, in such student record by contacting their School. Company will respond to such requests in accordance with instructions sent by an authorized School representative to Privacy@EmotionalABCs.com.
Company will take actions designed to ensure the security and confidentiality of student information, student records and student-generated content.
Company will promptly notify the local or regional board of education in accordance with the provisions of section 10-234dd when there has been an unauthorized release, disclosure or acquisition of student information, student records or student-generated content.
Student information, student records or student-generated content shall not be retained or available to Company upon expiration of this Agreement. This restriction shall not apply to the extent that a student, parent or legal guardian of a student independently establishes or maintains an electronic account with Company for the purpose of storing their student-generated content.
Company and the local or regional board of education shall ensure compliance with the Family Educational Rights and Privacy Act of 1974, 20 USC §1232g, as amended from time to time.
The laws of the state of Connecticut shall govern the rights and duties of Company and the local or regional board of education.
If any provision of this Section is held invalid by a court of competent jurisdiction, the invalidity does not affect other provisions or applications of the contract which can be given effect without the invalid provision or application.
13. (c) NEW YORK PRIVACY LAWS
This Section applies to the use of Company’s service by Schools located in the State of New York. This section documents compliance with applicable New York state laws that may apply to the use of Company’s service by Schools in New York, such as New York State Education Law Section 2-d (Ed Law 2-d) and Part 121 of Title 8 of the Codes, Rules and Regulations of the State of New York (8 CRR-NY § 121) and incorporates by reference the definitions set forth in Ed Law 2-d § 3 and 8 CRR-NY § 121.1.
If you open a Company account to provide the service to students in a School located in the State of New York, you represent and warrant that you are authorized to do so on behalf of the educational agency with authority over the School and that you are authorized to communicate with Company on behalf of the educational agency.
Company and you shall comply with all applicable sections of Ed Law 2-d and 8 CRR-NY § 121. The following terms shall apply as required by Ed Law 2-d § 5(b)(3) and 8 CRR-NY § 121.3, 121.6. To the extent that any such required terms conflict with other terms in this Agreement, the terms of this Section 5.2 shall apply.
8 CRR-NY § 121.6(a)(2): specify the administrative, operational and technical safeguards and practices it has in place to protect personally identifiable information that it will receive under the contract –
8 CRR-NY § 121.6(a)(3): demonstrate that it complies with the requirements of section 121.3(c) of this Part –
The Parent Bill of Rights, along with any other supplemental documentation relating specifically to your School, is included in this contract unless Company and your School or District have entered into a separate signed written agreement regarding that subject matter. If your School does not have a Parent Bill of Rights, the New York State Parent Bill of Rights is applicable and is included in this contract.
8 CRR-NY § 121.3(c)(1) the exclusive purposes for which the student data or teacher or principal data will be used by the third-party contractor, as defined in the contract –
To provide the Company service as set forth in this Agreement. Student data and teacher or principal data will not be used for any other purpose.
8 CRR-NY § 121.3(c)(2) how the third-party contractor will ensure that the subcontractors, or other authorized persons or entities to whom the third-party contractor will disclose the student data or teacher or principal data, if any, will abide by all applicable data protection and security requirements, including but not limited to those outlined in applicable State and Federal laws and regulations (e.g., FERPA; Education Law section 2-d) –
Subcontractors and other authorized persons or entities will be provided such information pursuant to contractual obligations to maintain the confidentiality of such data in a manner consistent with this Agreement.
8 CRR-NY § 121.3(c)(3) the duration of the contract, including the contract's expiration date and a description of what will happen to the student data or teacher or principal data upon expiration of the contract or other written agreement (e.g., whether, when and in what format it will be returned to the educational agency, and/or whether, when and how the data will be destroyed) –
This Agreement will be in effect for a School so long as that School has an active subscription to the Company service. Upon expiration or termination of a School's subscriptions without renewal, Company will delete student data and teacher or principal data in accordance with the terms of any applicable written agreement with the School, written requests from authorized School administrators, and our standard data retention schedule. Authorized School administrators may contact Company at Privacy@EmotionalABCs.com. to request additional information about our standard data retention schedule and available options for customizing Company's standard data retention schedule to meet individual School requirements.
8 CRR-NY § 121.3(c)(4) if and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected –
Parents, students, eligible students, and teachers or principals may contact their School to exercise this right. Company will cooperate with the School to effectuate such requests at the School's direction.
8 CRR-NY § 121.3(c)(5) where the student data or teacher or principal data will be stored, described in such a manner as to protect data security, and the security protections taken to ensure such data will be protected and data security and privacy risks mitigated –
Student data and teacher or principal data for Schools located in New York will be stored in the United States. Such data will be stored in a manner consistent with the NIST Cybersecurity Framework to mitigate against data security and privacy risks.
8 CRR-NY § 121.3(c)(6) address how the data will be protected using encryption while in motion and at rest –
Company will utilize a technology or methodology specified or permitted by the Secretary of the United States Department of Health and Human services in guidance issued under section 13402(H)(2) of Public Law 111-5.
8 CRR-NY § 121.6(a)(4) specify how officers or employees of the third-party contractor and its assignees who have access to student data, or teacher or principal data receive or will receive training on the Federal and State laws governing confidentiality of such data prior to receiving access –
Company periodically provides training to its employees regarding data security and privacy obligations with respect to such data.
8 CRR-NY § 121.6(a)(5) specify if the third-party contractor will utilize sub-contractors and how it will manage those relationships and contracts to ensure personally identifiable information is protected –
While Company does not sub-contract portions of any particular contract with a customer, Company may utilize vendors in the course of providing the Company service. Such vendors will only be provided personally identifiable information to the extent necessary for them to provide their contracted-for services and will be subject to obligations of confidentiality and security consistent with this Section.
8 CRR-NY § 121.6(a)(6) specify how the third-party contractor will manage data security and privacy incidents that implicate personally identifiable information including specifying any plans to identify breaches and unauthorized disclosures, and to promptly notify the educational agency –
8 CRR-NY § 121.6(a)(7) describe whether, how and when data will be returned to the educational agency, transitioned to a successor contractor, at the educational agency's option and direction, deleted or destroyed by the third-party contractor when the contract is terminated or expires –
Upon expiration or termination of a School's subscriptions without renewal, Company will delete student data and teacher or principal data in accordance with the terms of any applicable written agreement with the School, written requests from authorized School administrators, and our standard data retention schedule. Authorized School administrators may contact Company at Privacy@EmotionalABCs.com to request additional information about our standard data retention schedule and available options for customizing Company's standard data retention schedule to meet individual School requirements.
Last Updated: August 25, 2021