-->
XtraMath is a not-for-profit, 501(c)3 organization, committed to protecting everyone's data privacy. This is our current Privacy Policy, which explains what user data we collect and how we use it. This policy and our Terms of Service are known collectively as our "Terms." We may change these Terms from time to time, but will provide notice as specified in the Terms of Service document.
XtraMath collects the minimum amount of data required to operate our program. In Appendix B, Record of Data Processing, we summarize the data we collect on students, teachers, and parents. It includes an up-to-date list of what user data we collect, and how we use that data,
We collect a student’s first name, grade level, and program settings from the student’s parent or teacher. As the student uses XtraMath, we collect usage and performance data, such as when they signed in, how many questions they answered correctly, and how long it took them to answer questions. If a student signs in via a single sign-on provider, such as Google, we collect an identifier from the provider that allows us to authenticate their sign-in. We do not collect the student email address that may be used for such a sign-in.
Other personal information about the student could be inferred from data that we collect. If a student account belongs to a class, for example, then we could infer that they attend a certain school.
We collect a parent’s name and email address when they sign up for an account. If they sign up using a single sign-on provider, we also collect an identifier that allows us to authenticate their sign-in. We also collect some metadata and account settings, such as their time zone, the language they used to sign up, and their email preferences.
A parent supplies a password when they create an account. The password is hashed (scrambled) on the user’s computer before it is ever sent to XtraMath. We do not have access to a user’s original password, and cannot obtain it from the hashed version that we receive.
Other personal information about the parent could be inferred from data that we collect. For example, we could infer that a parent whose account is linked to a student account is the parent or guardian of that student.
We collect the same data for teacher accounts as parent accounts, with a few additions. For example, we collect the name by which students address the teacher, such as “Ms. Smith.” We also collect information about each class that the teacher creates, such as its name and its end date.
Other personal information about the teacher could be inferred from data we collect. For example, we could infer that the teacher works at a specific school based on their email address.
XtraMath processes user data in order to establish and maintain accounts, to provide educational activities to students, to compile and deliver reports about those activities to teachers and parents, and to understand and improve our program’s effectiveness.
A student’s Personal Data is collected and used by our application logic to provide each student with the appropriate educational activities, and to report their performance to their parents and teachers. We may access student Personal Data when providing customer support or investigating a reported issue with our program.
A parent’s or teacher’s Personal Data is used internally for sign-in purposes and, with permission, to send them reports, announcements, and alerts related to XtraMath. We may access a parent’s or teacher’s Personal Data when providing them with requested support.
XtraMath has never and will never release, trade, or sell anyone's Personal Data to any third-party advertising. We release Personal Data to third parties only in the following circumstances:
We may use de-identified usage data internally to improve our educational services and develop new products. We will never attempt to re-identify data that has been de-identified. We may use aggregate de-identified data, such as the number of users of our service, for promotional purposes.
We may use de-identified data along with professional educational researchers for the purpose of evaluating the effectiveness of our program. We will not release de-identified data unless we are confident it cannot be re-identified, due to the removal of all direct and indirect personal identifiers, and the educational researchers have agreed in writing that they will not attempt to re-identify any individuals, classes, or Schools.
XtraMath takes security seriously. We implement a variety of industry-standard security measures to prevent any unauthorized access to our users’ data. Such measures include, but are not limited to: data minimization; encrypting data in transit via HTTPS; hashing sensitive data, like passwords; deletion of outdated data; locked physical facilities; employee training; and administrator account security.
XtraMath stores and processes all data on servers in the United States. All servers that store XtraMath data are operated by trusted third party processors with whom we have contractual Data Processing Addendums. Our providers are certified under the EU-US Privacy Shield and Swiss-US Privacy Shield, to better protect the data of our international users. For details, see Appendix A, List of Third Party Providers.
While we use industry-standard practices to safeguard data, no service can guarantee absolute data security. We have a Breach Response Plan, which we will follow if we ever discover that Personal Data has been accessed improperly. As part of our response, we will: take action to stop further data loss or unauthorized access; investigate how the breach occurred; promptly contact all affected users via email; and contact law enforcement and government agencies when appropriate.
XtraMath retains Personal Data only for as long as necessary to ensure continuity of math skill-building for students, and for the convenience of parents and teachers. We close user accounts, and delete all associated identifiable data, upon request. Most types of data are also deleted automatically after a certain amount of time has passed.
We may retain de-identified, aggregate data, which cannot identify any individual user, for research and program improvement purposes. Such data is deleted once no longer necessary for these purposes. We may provide certification of data deletion upon request.
We use industry-standard practices to safeguard all data including a Breach Response Plan, which we will follow if we ever discover that Personal Data has been accessed improperly. As part of our response, we will: take action to stop further data loss or unauthorized access; investigate how the breach occurred; promptly contact all affected users via email; and contact law enforcement and government agencies when appropriate.
The XtraMath website uses “LocalStorage” files to remember a user’s sign-in information (if they choose to do so). We also use “SessionStorage” to improve performance during student activities by temporarily storing activity data on the device. Use of LocalStorage and SessionStorage is not required to use XtraMath. Users can remove remembered sign-in information at any time via the appropriate sign-in page. Users can also clear all LocalStorage by using the “Clear now” button on our support page, or via browser settings.
The XtraMath mobile apps use application data for the same purposes as browser LocalStorage and SessionStorage. Users can still remove remembered sign-in information via the app’s sign-in pages. Uninstalling the app will remove all locally stored data. Some devices also allow users to clear locally stored app data without uninstalling the app.
For data privacy questions or concerns, to object to processing, or to request access to or deletion of your or your student's Personal Data, email us at [email protected]. You may also write to us at: XtraMath, 4742 42nd Ave SW #625 Seattle, WA 98116
This list will be kept up-to-date to include all third-party providers with which XtraMath shares user data.
We have compiled this record in order to provide users with as much transparency as possible into how we use their data. This record also helps us to comply with European law. Unless otherwise noted in the record below, we process user data based on our legitimate interests.
Current, last modified in July 2023.