XtraMath Privacy Policy

Introduction

XtraMath is a not-for-profit, 501(c)3 organization, committed to protecting everyone's data privacy. This is our current Privacy Policy, which explains what user data we collect and how we use it. This policy and our Terms of Service are known collectively as our "Terms." We may change these Terms from time to time, but will provide notice as specified in the Terms of Service document.

Summary

We collect the minimum amount of data required to operate our program.
We use parents' and teachers' Personal Data to operate our program and, with their permission, to contact them about the program.
We use students' Personal Data only to operate our program.
We use de-identified student data to improve our program.
We protect student data and have signed the Student Privacy Pledge.
We do not advertise to students, and will not sell or rent their data in any way.
We comply with applicable data privacy laws, such as FERPA, COPPA, CCPA, and GDPR.
We never sell user data to third parties.

What data we collect

XtraMath collects the minimum amount of data required to operate our program. In Appendix B, Record of Data Processing, we summarize the data we collect on students, teachers, and parents. It includes an up-to-date list of what user data we collect, and how we use that data,

DEFINITIONS

Data includes all information connected with a person’s or educational entity’s use of XtraMath. This includes, but is not limited to, Personal Data, metadata, usage and performance data.
Personal Data includes any data that can directly or indirectly identify an individual person. For example: an email address is always considered Personal Data; a student’s grade level generally is not, but could be in conjunction with other information.
School includes: individual schools; teachers acting on behalf of schools; school districts; and other local educational entities.

STUDENT DATA

We collect a student’s first name, grade level, and program settings from the student’s parent or teacher. As the student uses XtraMath, we collect usage and performance data, such as when they signed in, how many questions they answered correctly, and how long it took them to answer questions. If a student signs in via a single sign-on provider, such as Google, we collect an identifier from the provider that allows us to authenticate their sign-in. We do not collect the student email address that may be used for such a sign-in.

Other personal information about the student could be inferred from data that we collect. If a student account belongs to a class, for example, then we could infer that they attend a certain school.

PARENT DATA

We collect a parent’s name and email address when they sign up for an account. If they sign up using a single sign-on provider, we also collect an identifier that allows us to authenticate their sign-in. We also collect some metadata and account settings, such as their time zone, the language they used to sign up, and their email preferences.

A parent supplies a password when they create an account. The password is hashed (scrambled) on the user’s computer before it is ever sent to XtraMath. We do not have access to a user’s original password, and cannot obtain it from the hashed version that we receive.

Other personal information about the parent could be inferred from data that we collect. For example, we could infer that a parent whose account is linked to a student account is the parent or guardian of that student.

TEACHER DATA

We collect the same data for teacher accounts as parent accounts, with a few additions. For example, we collect the name by which students address the teacher, such as “Ms. Smith.” We also collect information about each class that the teacher creates, such as its name and its end date.

Other personal information about the teacher could be inferred from data we collect. For example, we could infer that the teacher works at a specific school based on their email address.

XtraMath processes user data in order to establish and maintain accounts, to provide educational activities to students, to compile and deliver reports about those activities to teachers and parents, and to understand and improve our program’s effectiveness.

STUDENT DATA

A student’s Personal Data is collected and used by our application logic to provide each student with the appropriate educational activities, and to report their performance to their parents and teachers. We may access student Personal Data when providing customer support or investigating a reported issue with our program.

PARENT AND TEACHER DATA

A parent’s or teacher’s Personal Data is used internally for sign-in purposes and, with permission, to send them reports, announcements, and alerts related to XtraMath. We may access a parent’s or teacher’s Personal Data when providing them with requested support.

XtraMath has never and will never release, trade, or sell anyone's Personal Data to any third-party advertising. We release Personal Data to third parties only in the following circumstances:

When the user requests the disclosure, such as a teacher sharing their class with another teacher.
When required by law or a court order.
When the third party is a trusted service provider, and the data is required to adequately perform the service. We carefully vet our service providers and their security practices. For details, see Appendix A, List of Third Party Providers.
In the event of a joint venture, sale or merger with another party is approved by our Board of Directors. In that case, the third party would still be required to uphold our Terms, including our Privacy Policy for all existing accounts. We would provide advance notice before any accounts were shared with the third party.

USE OF DE-IDENTIFIED DATA

We may use de-identified usage data internally to improve our educational services and develop new products. We will never attempt to re-identify data that has been de-identified. We may use aggregate de-identified data, such as the number of users of our service, for promotional purposes.

We may use de-identified data along with professional educational researchers for the purpose of evaluating the effectiveness of our program. We will not release de-identified data unless we are confident it cannot be re-identified, due to the removal of all direct and indirect personal identifiers, and the educational researchers have agreed in writing that they will not attempt to re-identify any individuals, classes, or Schools.

How We Securely Store Data

XtraMath takes security seriously. We implement a variety of industry-standard security measures to prevent any unauthorized access to our users’ data. Such measures include, but are not limited to: data minimization; encrypting data in transit via HTTPS; hashing sensitive data, like passwords; deletion of outdated data; locked physical facilities; employee training; and administrator account security.

DATA STORAGE AND INTERNATIONAL TRANSFER

XtraMath stores and processes all data on servers in the United States. All servers that store XtraMath data are operated by trusted third party processors with whom we have contractual Data Processing Addendums. Our providers are certified under the EU-US Privacy Shield and Swiss-US Privacy Shield, to better protect the data of our international users. For details, see Appendix A, List of Third Party Providers.

DATA BREACH RESPONSE

While we use industry-standard practices to safeguard data, no service can guarantee absolute data security. We have a Breach Response Plan, which we will follow if we ever discover that Personal Data has been accessed improperly. As part of our response, we will: take action to stop further data loss or unauthorized access; investigate how the breach occurred; promptly contact all affected users via email; and contact law enforcement and government agencies when appropriate.

Data Retention and Deletion

XtraMath retains Personal Data only for as long as necessary to ensure continuity of math skill-building for students, and for the convenience of parents and teachers. We close user accounts, and delete all associated identifiable data, upon request. Most types of data are also deleted automatically after a certain amount of time has passed.
‍
We may retain de-identified, aggregate data, which cannot identify any individual user, for research and program improvement purposes. Such data is deleted once no longer necessary for these purposes. We may provide certification of data deletion upon request.

Compliance with Data Privacy Laws

We use industry-standard practices to safeguard all data including a Breach Response Plan, which we will follow if we ever discover that Personal Data has been accessed improperly. As part of our response, we will: take action to stop further data loss or unauthorized access; investigate how the breach occurred; promptly contact all affected users via email; and contact law enforcement and government agencies when appropriate.

UNITED STATES

Children’s Online Privacy Protection Act (COPPA): As a non-profit organization, XtraMath is not subject to COPPA. Nevertheless, we fully comply with the law as if we were subject to it. Children under the age of 13 may not create accounts. We only collect usage and performance data from students as a result of their performing educational activities, and we only use that data for educational purposes. If we gain actual knowledge that a child is using XtraMath without the appropriate consent, we terminate the account.
Family Education Rights Protection Act (FERPA): Schools in the United States may provide student data to XtraMath while complying with FERPA. When a School provides us with a student’s Personal Data (or PII — Personally Identifiable Information) under the FERPA school official exemption, they remain in control of that data. XtraMath will only use and disclose that data as specified in our Terms and as allowed by law.
General Data Protection Regulation (GDPR): XtraMath affirms and respects all data subject's rights under GDPR. We minimize the data we collect and process, and use data only as described in this policy. For detailed information about what data we process, for what purpose, for how long, and our basis for doing so under the GDPR, see Appendix B, Record of Data Processing. To object to processing, or to request data deletion or access, contact our Data Protection Officer at privacy@xtramath.org.

Local Storage

The XtraMath website uses “LocalStorage” files to remember a user’s sign-in information (if they choose to do so). We also use “SessionStorage” to improve performance during student activities by temporarily storing activity data on the device. Use of LocalStorage and SessionStorage is not required to use XtraMath. Users can remove remembered sign-in information at any time via the appropriate sign-in page. Users can also clear all LocalStorage by using the “Clear now” button on our support page, or via browser settings.

The XtraMath mobile apps use application data for the same purposes as browser LocalStorage and SessionStorage. Users can still remove remembered sign-in information via the app’s sign-in pages. Uninstalling the app will remove all locally stored data. Some devices also allow users to clear locally stored app data without uninstalling the app.

Contact Us

For data privacy questions or concerns, to object to processing, or to request access to or deletion of your or your student's Personal Data, email us at privacy@xtramath.org. You may also write to us at: XtraMath, 4742 42nd Ave SW #625 Seattle, WA 98116

Appendix A: List of Third Party Providers

This list will be kept up-to-date to include all third-party providers with which XtraMath shares user data.

Provider Name	Data shared with Provider	Purpose	Relevant Policies
AWS	Main account data, including name, email address, and program usage.	Database hosting via remote servers	Privacy Policy
Google	Anonymous ID	Public website ONLY, not used in the XtraMath application.	Privacy Policy
MaxMind	IP address	To geolocate school districts	Privacy Policy

Appendix B: Record of Data Processing

We have compiled this record in order to provide users with as much transparency as possible into how we use their data. This record also helps us to comply with European law. Unless otherwise noted in the record below, we process user data based on our legitimate interests.

Account Type	Type of Data	Processing Purpose	Deletion
Student	First name, PIN, parent or teacher email, class	Account access and identification	Upon account closure¹. Some information is deleted upon removal from the class or linked account.
	Single-sign-on provider and hashed ID	Account access using optional 3rd party credential	Upon request or account closure¹
	Grade level	Determine initial activity level. When de-identified and aggregated, used to analyze program usage.	Upon account closure¹
	Program settings: current program, UI options, preferred language, etc.	Activity customization. When de-identified and aggregated, used to analyze program usage.	Upon account closure¹
	Activity data	Activity customization and creation of progress reports. When de-identified and aggregated, used to analyze program usage.	Upon account closure¹. Some data is deleted when user restarts a program. Detailed activity data is deleted after one year.
Parent or Teacher	Name, “addressed as” name, email address, hashed password	Account access and identification	Upon account closure^{2, 3}
	Email address	Send announcements, alerts, reports, and/or reminders via email	Processing ceases upon request. Data deletion upon account closure^{2, 3}
	Email address	Share with linked accounts that have access to same student or class (for increased transparency and security of student data)	Data deletion upon account closure^{2, 3}
	Account settings: account type, email preferences, time zone, etc.	Create progress reports and maintain data preferences	Upon account closure^{2, 3}
	Electronic identifiers: account change timestamps, version number, etc.	Technical support and account security	Upon account closure^{2, 3}
	Single-sign-on provider and hashed ID	Account access using optional 3rd party credential	Upon request or account closure^{2, 3}
	IP address	Determine time zone upon sign-up	Not stored
	Hashed IP address	Account security	After 1 year or upon account closure^{2, 3}
Teacher	Hashed IP address	Expedite classroom setup on multiple devices	After 24 hours
Teacher	Class name, class end date, student names	Create progress reports and facilitate program usage	Upon request, account closure³, or one year after class end date.
All users	Hashed IP address, change logs	Network security	After 90 days
All users	De-identified and aggregated usage data	Product improvement and development, promotional activities, and educational research	Until no longer useful

Student accounts: account closure occurs upon request, automatically after two years of account inactivity, or one month after being unlinked from all parent and teacher accounts.
Parent accounts: account closure occurs upon request, or automatically after two years of account inactivity.
Teacher accounts: account closure occurs upon request.

Current, last modified in July 2023.