- We collect the minimum amount of data required to operate our program.
- We use parents’ and teachers’ Personal Data to operate our program and, with their permission, to contact them about the program.
- We use students’ Personal Data only to operate our program.
- We use de-identified student data to improve our program.
- We protect student data and have signed the Student Privacy Pledge.
- We do not advertise to students, sell their data, or profile them in any way.
- We comply with applicable data privacy laws, such as FERPA, COPPA, and GDPR.
- We never sell user data to third parties.
What Data We Collect
XtraMath collects the minimum amount of data required to operate our program. Below we summarize the data we collect on students, teachers, and parents. For an up-to-date list that shows what user data we collect, and how we use that data, see Appendix B, Record of Data Processing.
- Data includes all information connected with a person’s or educational entity’s use of XtraMath. This includes, but is not limited to, Personal Data, metadata, usage and performance data.
- Personal Data includes any data that can directly or indirectly identify an individual person. For example: an email address is always considered Personal Data; a student’s grade level generally is not, but could be in conjunction with other information.
- School includes: individual schools; teachers acting on behalf of schools; school districts; and other local educational entities.
We collect a student’s first name, grade level, and program settings from the student’s parent or teacher. As the student uses XtraMath, we collect usage and performance data, such as when they signed in, how many questions they answered correctly, and how long it took them to answer questions. If a student signs in via a single sign-on provider, such as Google, we collect an identifier from the provider that allows us to authenticate their sign-in. We do not collect the student email address that may be used for such a sign-in.
Other personal information about the student could be inferred from data that we collect. If a student account belongs to a class, for example, then we could infer that they attend a certain school.
We collect a parent’s name and email address when they sign up for an account. If they sign up using a single sign-on provider, we also collect an identifier that allows us to authenticate their sign-in. We also collect some metadata and account settings, such as their time zone, the language they used to sign up, and their email preferences.
A parent supplies a password when they create an account. The password is hashed (scrambled) on the user’s computer before it is ever sent to XtraMath. We do not have access to a user’s original password, and cannot obtain it from the hashed version that we receive.
Other personal information about the parent could be inferred from data that we collect. For example, we could infer that a parent whose account is linked to a student account is the parent or guardian of that student.
We collect the same data for teacher accounts as parent accounts, with a few additions. For example, we collect the name by which students address the teacher, such as “Ms. Smith.” We also collect information about each class that the teacher creates, such as its name and its end date.
Other personal information about the teacher could be inferred from data we collect. For example, we could infer that the teacher works at a specific school based on their email address.
How We Use and Share Data
XtraMath processes user data in order to establish and maintain accounts, to provide educational activities to students, to compile and deliver reports about those activities to teachers and parents, and to understand and improve our program’s effectiveness. For an up-to-date list that shows the specific types of user data we collect, and how we use that data, see Appendix B, Record of Data Processing.
A student’s Personal Data is used internally to provide the student with appropriate educational activities, and to report their performance to their parents and teachers. We may access student Personal Data when providing customer support or investigating a reported issue with our program.
Parent and Teacher Data
A parent’s or teacher’s Personal Data is used internally for sign-in purposes and, with permission, to send them reports, announcements, and alerts related to XtraMath. We may access a parent’s or teacher’s Personal Data when providing them with requested support.
Sharing Personal Data with Third Parties
We release Personal Data to third parties only in the following circumstances:
- When the user requests the disclosure, such as a teacher sharing their class with another teacher.
- When the third party is a trusted service provider, and the data is required to adequately perform the service. We carefully vet our service providers and their security practices. For details, see Appendix A, List of Third Party Providers.
- When required by law or a court order.
XtraMath never releases Personal Data for any kind of third-party advertising.
Use of De-identified Data
We may use de-identified usage data internally to analyze and improve our educational services, and to develop new products or features. We will never attempt to re-identify data that has been de-identified.
We may release de-identified data to educational researchers for the purpose of evaluating the effectiveness of our program. We will not release de-identified data unless we are confident it cannot be re-identified, due to the removal of all direct and indirect personal identifiers, and the educational researchers have agreed in writing that they will not attempt to re-identify any individuals, classes, or Schools.
We may use aggregate de-identified data, such as the number of users of our service, for promotional purposes.
How We Securely Store Data
XtraMath takes security seriously. We implement a variety of industry-standard security measures to prevent any unauthorized access to our users’ data. Such measures include, but are not limited to: data minimization; encrypting data in transit via HTTPS; hashing sensitive data, like passwords; deletion of outdated data; locked physical facilities; employee training; and administrator account security.
Data Storage and International Transfer
XtraMath stores and processes all data on servers in the United States. All servers that store XtraMath data are operated by trusted third party processors with whom we have contractual Data Processing Addendums. Our providers are certified under the EU-US Privacy Shield and Swiss-US Privacy Shield, to better protect the data of our international users. For details, see Appendix A, List of Third Party Providers.
Data Breach Response
While we use industry-standard practices to safeguard data, no service can guarantee absolute data security. We have a Breach Response Plan, which we will follow if we ever discover that Personal Data has been accessed improperly. As part of our response, we will: take action to stop further data loss or unauthorized access; investigate how the breach occurred; promptly contact all affected users via email; and contact law enforcement and government agencies when appropriate.
Data Retention and Deletion
XtraMath retains Personal Data only for as long as necessary to ensure continuity of math skill-building for students, and for the convenience of parents and teachers. We close user accounts, and delete all associated identifiable data, upon request. Most types of data are also deleted automatically after a certain amount of time has passed. For details, see Appendix B, Record of Data Processing.
We may retain de-identified, aggregate data, which cannot identify any individual user, for research and program improvement purposes. Such data is deleted once no longer necessary for these purposes.
We will provide certification of data deletion upon request.
Compliance with Data Privacy Laws
XtraMath intends to comply with the data privacy and data protection laws of all jurisdictions where it operates. See the XtraMath and Student Data Privacy whitepaper for the latest information on compliance. Some specific examples of legislation that we comply with are described below.
Children’s Online Privacy Protection Act (COPPA): As a non-profit organization, XtraMath is not subject to COPPA. Nevertheless, we fully comply with the law as if we were subject to it. Children under the age of 13 may not create accounts. We only collect usage and performance data from students as a result of their performing educational activities, and we only use that data for educational purposes. If we gain actual knowledge that a child is using XtraMath without the appropriate consent, we terminate the account.
Family Education Rights Protection Act (FERPA): Schools in the United States may provide student data to XtraMath while complying with FERPA. When a School provides us with a student’s Personal Data (or PII — Personally Identifiable Information) under the FERPA school official exemption, they remain in control of that data. XtraMath will only use and disclose that data as specified in our Terms and as allowed by law.
General Data Protection Regulation (GDPR): XtraMath affirms and respects all data subject's rights under GDPR. We minimize the data we collect and process, and use data only as described in this policy. For detailed information about what data we process, for what purpose, for how long, and our basis for doing so under the GDPR, see Appendix B, Record of Data Processing. To object to processing, or to request data deletion or access, contact our Data Protection Officer at email@example.com.
Cookies and Local Storage
XtraMath uses two types of cookies. These cookies can be cleared via browser settings — aboutcookies.org provides cookie management instructions for many specific browsers.
- Google Analytics cookies allow us to see data such as the number of site visitors we get, and which pages they visit the most.
- Vimeo cookies are stored when users play the videos on our homepage, and primarily keep track of the video player settings.
The XtraMath website uses “LocalStorage” files to remember a user’s sign-in information (if they choose to do so). We also use “SessionStorage” to improve performance during student activities by temporarily storing activity data on the device. Use of LocalStorage and SessionStorage is not required to use XtraMath. Users can remove remembered sign-in information at any time via the appropriate sign-in page. Users can also clear all LocalStorage by using the “Clear now” button on our support page, or via browser settings.
The XtraMath mobile apps use application data for the same purposes as browser LocalStorage and SessionStorage. Users can still remove remembered sign-in information via the app’s sign-in pages. Uninstalling the app will remove all locally stored data. Some devices also allow users to clear locally stored app data without uninstalling the app.
For data privacy questions or concerns, to object to processing, or to request access to or deletion of your or your child’s Personal Data, email us at firstname.lastname@example.org. You may also write to us at: XtraMath, 4700 42nd Ave SW #580, Seattle, WA 98116
Appendix A: List of Third Party Providers
This list will be kept up-to-date to include all third-party providers with which XtraMath shares user data.
|Provider Name||Data shared with Provider||Purpose||Relevant Policies|
Opt-out Browser Add-on
Appendix B: Record of Data Processing
We have compiled this record in order to provide users with as much transparency as possible into how we use their data. This record also helps us to comply with European law. Unless otherwise noted in the record below, we process user data based on our legitimate interests.
|Account Type||Type of Data||Processing Purpose||Deletion|
|Student||First name, PIN, parent or teacher email, class||Account access and identification||Upon account closure1. Some information is deleted upon removal from the class or linked account.|
|Single-sign-on provider and hashed ID||Account access using optional 3rd party credential||Upon request or account closure1|
|Grade level||Determine initial activity level. When de-identified and aggregated, used to analyze program usage.||Upon account closure1|
|Program settings: current program, UI options, preferred language, etc.||Activity customization. When de-identified and aggregated, used to analyze program usage.||Upon account closure1|
|Activity data||Activity customization and creation of progress reports. When de-identified and aggregated, used to analyze program usage.||Upon account closure1. Some data is deleted when user restarts a program. Detailed activity data is deleted after one year.|
|Parent or Teacher||Name, “addressed as” name, email address, hashed password||Account access and identification||Upon account closure2, 3|
|Email address||Send announcements, alerts, reports, and/or reminders via email||Processing ceases upon request. Data deletion upon account closure2, 3|
|Email address||Share with linked accounts that have access to same student or class (for increased transparency and security of student data)||Data deletion upon account closure2, 3|
|Account settings: account type, email preferences, time zone, etc.||Create progress reports and maintain data preferences||Upon account closure2, 3|
|Electronic identifiers: account change timestamps, version number, etc.||Technical support and account security||Upon account closure2, 3|
|Single-sign-on provider and hashed ID||Account access using optional 3rd party credential||Upon request or account closure2, 3|
|IP address||Determine time zone upon sign-up||Not stored|
|Hashed IP address||Account security||After 1 year or upon account closure2, 3|
|Teacher||Hashed IP address||Expedite classroom setup on multiple devices||After 24 hours|
|Class name, class end date, student names||Create progress reports and facilitate program usage||Upon request, account closure3, or one year after class end date.|
|All users||Hashed IP address, change logs||Network security||After 90 days|
|De-identified and aggregated usage data||Product improvement and development, promotional activities, and educational research||Until no longer useful|
- Student accounts: account closure occurs upon request, automatically after two years of account inactivity, or one month after being unlinked from all parent and teacher accounts.
- Parent accounts: account closure occurs upon request, or automatically after two years of account inactivity.
- Teacher accounts: account closure occurs upon request.