Product Privacy Policy- Digistorm

Digistorm Group – Version 1.0 - June 2024

The Digistorm Group (“Digistorm”) takes the privacy of its users, including students, teachers, and parents, seriously. Digistorm is committed to protecting users’ privacy while providing a personalised and valuable learning experience through its education technology products and services (our “Suite of Products”).

This Product Privacy Policy sets out how we collect, handle and use information about you when you access and use our Suite of Products. It does not govern the collection, use and disclosure of your personal information when you access and use our public website at digistorm.com, including its subdomains (collectively, the “Website”). To view our privacy policy governing our Website please see our Website Privacy Policy.

In our processing of personal information in connection with the provision of our Suite of Products to Institutions (as this term is defined below), we act as a data processor under applicable data privacy laws, and in that context our client Institutions act as data controllers on behalf of which we process the personal information for purposes of the provision of our Suite of Products. When we act as data processor our processing of personal information is governed by our Data Processor Addendum or other data processing terms in place between Digistorm and each Institution. For more information on our processing as a data processor, please contact the Institution that collected your personal information in connection with the use of our Suite of Products.

From time to time, we may change our Policy on how we handle personal information or the types of personal information which we hold about you. Any changes to our Product Privacy Policy will be published on our Product platform or in our Trust Center.

We are subject to the privacy laws of the jurisdictions in which we operate, including, as an Australia-based organisation, the Australian Privacy Principles (APPs) under the Australian Privacy Act 1988 (Cth).

Because we also collect, use, disclose and retain the personal information of users at our New Zealand-based Institutions, we are also subject, in our processing on behalf of those Institutions, to the New Zealand Privacy Act 2020 and the New Zealand Information Privacy Principles.

In certain circumstances we may also be subject to European data protection law, including the EU General Data Protection Regulation (Regulation 2016/679) (GDPR) and the UK GDPR and Data Protection Act 2018, as these legislations apply to residents of the European Union and the UK, respectively.

Because we also operate in the United States, through our U.S. subsidiary and as a subsidiary of Veracross LLC, a U.S.-based company, we are also subject to U.S. federal and state privacy and data security laws and regulations in our processing of the personal information of U.S. residents.

In support of our operations in the United States, we have also, as part of the Veracross Group, taken the Student Privacy Pledge (2020 version) as a public commitment for the responsible collection and use of student data from the United States. Among other things, we have committed to the following:

We only collect, store, process, or share student information that is needed for authorised education/school purposes, or as authorised by the parent/student.
We do not sell student personal information.
We do not use or disclose student information for behavioral targeting of advertisements to students.
We do not retain student personal information beyond the time period required to support the authorised educational/Institution purposes.

The complete Student Privacy Pledge (2020 version) can be read here.

If you have any questions about our Product Privacy Policy, you may contact us at privacy@digistorm.com.

The School Environment

As our Suite of Products are designed to be used in the classroom, much of the information collected is intended to be shared within the School Environment (as this term is defined below); Product-related or class-related activities, information, or communications may therefore be visible to anyone present in the classroom. Furthermore, some information will be available to other students, teachers, parents, guardians, and Institution or district administrators and/or employees (see “Digistorm User Access Privileges” below). The sharing of the above information is subject to this Product Privacy Policy and the privacy policies of the relevant Institutions. If you have any questions about the sharing of this information under those policies, we recommend that you contact the relevant Institutions that first collected your personal information and through which you have access to our Suite of Products.

Digistorm has implemented security measures to ensure that this data will not be shared outside the School Environment, except as outlined in this Product Privacy Policy.

Definitions

Organisation means a natural person, a body corporate, a partnership, any other unincorporated association, or a trust, that is not a small business operator, a registered political party, an agency, a state, territory or national authority or a prescribed instrumentality of a state, territory or nation.

Personal Information means information or an opinion about an identified natural person, or a natural person who is reasonably identifiable.

Digistorm Group, we, us, our means:

Digistorm Pty Ltd ACN 153 005 264;
Digistorm, LLC;
Digistorm Operations Pty Ltd ACN 153 005 317;
Digistorm Group Pty Ltd ACN 140 122 649; and
and affiliates to the above noted entities.

Institution means preschools, primary schools, secondary schools, and further and higher education places for learning, whether public or private.

Suite of Products means those products made available as part of the services we provide to an Institution and its authorised users.

School Environment means, collectively, the classroom, teachers, parents, guardians, students, and Institution and district administration and employees/agents.

Collected Information

1. Personal Information

The specific information collected depends on the user type (i.e. teacher, district/Institution staff, parent, and student users). A list of the personal information collected for each user type of our Suite of Products, including the type of information collected, how the information is collected and used within the School Environment, whether other users can view the information, and whether the information is shared outside of the School Environment, is the Data Inventory Table, available here.

Digistorm DOES NOT collect the following data:

User’s contact lists or friends lists;
Social medial information;

2. Cookies

Cookies are small data files that are commonly stored on your device when you use websites and online services. They are widely used to make websites work, or to work more efficiently, as well as to provide reporting information and assist with services or personalization. There are also other technologies that are similar to cookies, which may store small amounts of data on your device (“local storage”).

Digistorm uses the following types of cookies and local storage (collectively called “Cookies” herein):

Strictly necessary Cookies: These are cookies that are required for the operation of our Suite of Products. These essential cookies are always enabled because our online platform through which our Suite of Products are provided won’t work properly without them. They include, for example, cookies that enable you to log into secure areas of our Services. You can switch off these cookies in your browser settings, but you may then not be able to access all or parts of our Services.
Performance and functionality Cookies: These Cookies are not essential, but they help us personalize and enhance your user experience. For example, they may help us to remember your preferences and prevent you from needing to re-enter information more than once, or to remember your id and password so that you do not have to enter them each time you use our services.

Our Suite of Products does not use cookies for advertising purposes.

If you wish to disable the use of Cookies, you may do so from the browser preferences menu of your browser software by either turning off Cookies or by using your browser’s privacy mode when using our services.

Please find our list of cookies that we use in our products here.

What Does Digistorm Do with the Collected Information?

Digistorm only collects and uses user information that is required to fulfill its duties and provide and improve its services. Specifically, collected information is used for the following purposes:

To operate our Suite of Products;
To monitor, improve, & secure our Suite of Products;
To enable users to login to our Suite of Products;
To allow teachers, parents, guardians, students, and Institution and district administration and employees/agents to manage and engage with our Suite of Products as directed by the Institution;
To enable class-related activities such as classroom content, assignments/tasks, and communications;
To provide analytic data to Institution administrators;
For software and customer support purposes; For sales, internal marketing, invoicing, and/or billing purposes;
To enable 3^rd party integrations selected by and at the direction of the Institution.

Digistorm does not advertise or market to students or their parents. No personally identifiable student information will be used for marketing purposes.

Digistorm does not share personally identifiable information outside the School Environment, except for those purposes stated within this document, without first obtaining the express written consent of the individual.

Parents who login to our Suite of Products are not granted access to personally identifiable information of any student other than their child.

Collected information in aggregate form, whereby individual users are not identifiable (i.e. “de-identified data”), is used for the following purposes:

To improve our Suite of Products;
For research and statistical purposes;
For marketing purposes related to our Suite of Products; and
For customer support purposes.

De-identified data will have all direct and indirect personal identifiers removed. This includes, but is not limited to, name, user ID, date of birth, and location information. Furthermore, Digistorm will not attempt to re-identify de-identified data or transfer de-identified data to any party unless that party agrees not to attempt reidentification.

Digistorm User Access Privileges

All user access and/or interactions within our Suite of Products occur in the School Environment among district/Institution administrators, district/Institution employees or agents, teachers (including paraprofessionals, aides, behavior specialists, or other school employees), students, and parents (“trusted users”) in the School Environment.

Teachers (including teachers, paraprofessionals, aides, substitute teachers, behavior specialists, or other Institution employees working with students in the classroom) are granted access to student data for the students in their classes and to parent data for the students in their classes. Institution/district administration officials may access teacher and student data to monitor in-app activities and student behavior/attendance. Other Institution employees or agents within the School Environment have appropriate privileges based on their role and need-to-know. These privileges are configured and maintained by the Institution, not Digistorm. Students are granted access to their personal data and all content posted by their teachers or other Institution officials necessary for them to fulfil their roles within the Institution. This access is configured and maintained by the Institution, not Digistorm. Note that some data may be displayed by the teacher in front of the whole class or other groups who may not normally have access to this data. This is at the discretion of Institution officials and not within the control of Digistorm. Parents are granted access to data related to their child and their child’s teacher, and to aggregate data for their child’s class.

Detailed information on user data access can be viewed here.

Student Records

Student records are the property of and under the control of the Institution and/or Institution district. Students can access their student records by logging in to their student account. Parents and guardians of students under the age of 18 can access their child’s information via their parent account or by contacting the Institution. Corrections of any erroneous information should be brought to the attention of the Institution administration. In the event that the teacher or the Institution are unable to make the correction, the Institution will contact Digistorm via normal support channels. Digistorm will work with the teacher or the Institution to facilitate correction of any erroneous information.

Third parties are not granted access to personally identifiable information or educational records or other student records except as provided in this Product Privacy Policy, or after first obtaining the express written consent of the parent or student over 18 years of age.

Should there be any unauthorised disclosure of a student’s records, Digistorm will notify the Institution in accordance with applicable law following discovery of the unauthorised disclosure.

No Marketing to Students and Parents

Digistorm does not share user data with third parties for marketing purposes. Furthermore, Digistorm does not use student data for marketing of any kind, including marketing to students or parents. For information on our privacy practices with respect to the operation of the corporate website, please see Digistorm’s Website Privacy Policy here.

Deletion of Records

As our Institution customers require access to records on a continuous basis, Digistorm maintains records at the direction of our customers as long as we have an engagement with our customers. Upon termination of an engagement with our customers, records will be deleted within 30 days of the date of termination. Customers have complete control over records lifecycles, including the ability to delete records as they see fit or as directed by a student, parent, faculty, staff, or any other data subject at any time. If you have any concerns about records retention, please contact your Institution or email privacy@digistorm.com.

International Data Transfers

We collect and store personal information globally from each jurisdiction we operate in and from each legal entity that is owned or operated by us in different international jurisdictions and may transfer, process and store your personal information outside of your country of residence, to wherever we or our third-party service providers operate for the purpose of providing you our Suite of Products and services provided by that Suite of Products.

We have appointed Digistorm Pty Ltd to control and deal with all Personal Information that is collected globally by the Digistorm Group.

Regional Compliance

1. United States of America

FERPA

FERPA is an acronym for the Family Education Rights and Privacy Act, a US federal law to protect the privacy of student educational records. FERPA gives parents certain rights with respect to their non-adult children's education records. These rights include the right to inspect and review the student's education records maintained by the school, as well as the right to request that a school correct records which they believe to be inaccurate or misleading.

Furthermore, under FERPA, schools generally must have written permission from the parent in order to release any information from a student's education record, which includes records, files, documents, and other materials that contain information directly related to a student and are maintained by an educational agency/institution, or the personally identifiable information contained within those records. However, FERPA allows schools to disclose those records, without consent, to various parties under specified conditions, including the following (see 34 CFR § 99.31):

School officials with legitimate educational interest;
Other schools to which a student is transferring;
Specified officials for audit or evaluation purposes;
Appropriate parties in connection with financial aid to a student;
Organizations conducting certain studies for or on behalf of the school;
Accrediting organizations;
To comply with a judicial order or lawfully issued subpoena;
Appropriate officials in cases of health and safety emergencies; and
State and local authorities, within a juvenile justice system, pursuant to specific State law.

Schools may also disclose, without consent, "directory" information such as a student's name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. However, schools must tell parents about directory information and allow parents a reasonable amount of time to request that the school not disclose directory information about them.

While this act is primarily directed towards educational institutions, Digistorm recognises its role as a “School Official” with a legitimate educational interest under FERPA, and our Product Privacy Policy is designed to secure student data in compliance with FERPA and to allow education institutions using Digistorm to be compliant with FERPA. Digistorm does not disclose student educational records or directory information outside of the School Environment.

COPPA

COPPA is an acronym for the Child Online Privacy Protection Act, a US federal law to protect the privacy of children under the age of 13. COPPA requires that online service providers such as Digistorm, or teachers/Institutions acting as a parent’s agent, provide parental notification and obtain parental consent before knowingly collecting personal/individually identifiable information from children under the age of 13, except in limited situations (for exceptions to this consent requirement, please see 16 CFR § 312.5(c)).

Pursuant to the Terms of Use between Digistorm and the users of the Digistorm Suite of Products (Product Terms of Service), teachers, or a teacher’s Institution or district administration, will obtain verifiable parental consent, should it be required under COPPA. Digistorm provides information for teachers, including COPPA Direct Notice and a sample parental permission document. Should they require one, both are available in the Trust Centre.

If such personal information is collected without parental consent or collected beyond the scope needed for participation in the Digistorm Suite of Products, Digistorm will delete such information as soon as possible. If you believe that information from a student under the age of 13 has been provided in violation of these terms, please contact us at privacy@digistorm.com.

Please review the foregoing sections for descriptions of the types of personal information we collect; how we collect that information; how that information is used; and our policies on protecting that information from third party access.

Digistorm takes the rights of children and parents very seriously. To this end:

Digistorm won’t require a child to disclose more information than is reasonably necessary to participate using its Suite of Products within the School Environment;
Parents can review their child’s personal information, direct Digistorm to delete it, and refuse to allow any further collection or use of their child’s information; and
Parents can agree to the collection and use of their child’s information, but still not allow disclosure to third parties unless it is part of the service.

Parents may contact Digistorm following the procedures outlined in the “Changes and Access to Personal Information” section below.

2. European Union

Since May 25, 2018, the European Union General Data Protection Regulation (GDPR) has defined the rules regarding the collection, use, and retention of personal information for residents of the European Union (EU). Digistorm complies with applicable GDPR rules.

In order to operate its services, and in accordance with this Product Privacy Policy, Digistorm may collect, use, and retain personal information from users of the Digistorm Suite of Products who are based in the EU.

Furthermore, in order to operate its services, and in accordance with this Product Privacy Policy, Digistorm also conducts business with third-party data processors in the United States, where personal information for users of the Digistorm Suite of Products is stored. Accordingly, when Digistorm transfers personal information outside of the European Economic Area to the United States and/or Australia, such transfers will be governed by data processing agreements and international data transfer mechanisms that comply with European Union data protection requirements.

3. United Kingdom

Following Brexit, the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419) amended the GDPR, the UK Data Protection Act 2018 (which had implemented the GDPR into UK law) and other data protection legislation including the Privacy and Electronic (EC Directive) Communications Regulations 2003 (SI 2003/2426) (as amended) with the aim of ensuring that the UK data protection legal framework functioned correctly after exit day. Digistorm complies with applicable UK data protection rules.

Furthermore, in order to operate its services, and in accordance with this Product Privacy Policy, Digistorm also conducts business with third-party data processors in the United States, where personal information for users of the Digistorm Suite of Products is stored. Accordingly, when Digistorm transfers personal information outside of the United Kingdom to the United States and/or Australia, such transfers will be governed by data processing agreements and international data transfer mechanisms that comply with UK data protection requirements.

4. Canada

Rights of users located in Canada are governed by the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, the Personal Information Protection Act, R.S.A. 2003, c. P-6.5, the Personal Information Protection Act, R.S.B.C. 2003, c. 63 and an Act respecting the protection of personal information in the private sector, CQLR, c. P-39.1, as amended by Law 25, An Act to modernize legislative provisions as regards the protection of personal information (as applicable based on the location of the user in Canada).

Since the adoption of Law 25, Quebec residents have enhanced rights with respect to their personal information, including:

Access Rights: the right to receive confirmation of the processing of their personal information, of the nature of the information being processed, and to receive a copy of it.
Data Portability Right: the right, subject to certain exceptions, to ask that the processing organization communicate to them computerized personal information in a written, intelligible transcript, and any collected personal information in a structured, commonly used, technological format.

Rectification Right: subject to certain requirements and exceptions, the right to ask to correct the information in the processing organization’s possession that is inaccurate, incomplete, or ambiguous, or if collecting, communicating, or keeping it is not authorized by law.

De-indexation Right or "Right to be Forgotten": the right to ask organizations to stop disseminating their personal information or to de-index any hyperlink attached to their name giving access to information if this dissemination causes them harm or contravenes the law or a court order.

Automated Decision Making: the right to be informed when they are the subject of a decision based exclusively on automated processing of their personal information. Organizations must also, on request, inform them about the personal information used to make the decision, the reasons and main factors leading to the decision, and the right to request correction of the personal information used to make the decision. They must also be given the opportunity to present their observations to a member of their staff for review of this decision.

Canadian users can access and modify their personal information in Digistorm’s possession using your user login and password, or by following the instructions in the section of this document titled “Changes to and Access to Personal Information.”

To exercise their other access rights under Canadian law, residents of Canada shall contact the Institution on whose behalf Digistorm processes their personal information.

Please note that because Digistorm and its service providers are located in the United States and other countries outside Canada, we may transfer personal information that we collect or that you provide as described in this policy to contractors, service providers, and other third parties we use to support our business and who are contractually obligated to keep personal information confidential, use it only for the purposes for which we disclose it to them, and to process the personal information with the same standards set out in this policy.

We may process, store, and transfer your personal information in and to foreign countries, with different privacy laws that may or may not be as comprehensive as Canadian law. In these circumstances, the governments, courts, law enforcement, or regulatory agencies of that country may be able to obtain access to your personal information through the laws of the foreign country. Whenever we engage a service provider, we require that its privacy and security standards adhere to this policy and applicable Canadian privacy legislation.

Data Security

Digistorm uses industry standard methods to protect the confidentiality, security, and integrity of its customers data, including personal information collected from children, against unauthorised use or access, disclosure, alteration, unlawful or accidental destruction, or loss. We ensure that all such protected data is encrypted both at rest and in transit, and is only retained or deleted in accordance with this Product Privacy Policy or any overriding agreements with educational agencies.

Digistorm does not share the data covered by this policy informally among its employees. Only those employees who require the protected data to carry out their duties are granted access. In such cases, access is granted based on the principle of least privilege, which means that each program and employee are granted the fewest privileges necessary to complete their tasks. Employees with access to protected data are given training to apprise them of their responsibilities when handling data and the various laws and agreements covering data security. Such employees are also given a unique user ID for purposes of accountability.

Digistorm performs periodic risk/vulnerability assessments and data privacy and security compliance audits. Digistorm will remediate any identified security vulnerabilities in a timely manner. We also have a written incident response plan, which includes prompt notification to the Institution/district in the event of a security or privacy incident, as well as best practices for responding to a breach of personally identifiable information. We will share this incident response plan upon request.

While Digistorm is committed to implementing best practices with regard to information and data security, we cannot make a 100% security guarantee due to constant advances in virus and hacking technology, as well as unforeseeable hardware or software failures and other risk factors. Digistorm can therefore not be held responsible for data loss or alteration. Digistorm will notify any affected customer of a personal data breach in accordance with applicable law.

For additional information about our security measures and for a copy of our Data Security Policy, please visit our Trust Centre.

Third Parties

1. Third Party Links

Any member of the Institution community may make postings that contain links to third party services in various sections of the Digistorm Suite of Products. Common examples of this would be links to videos hosted by YouTube or Vimeo, links to Wikipedia or other reference material, and so on. It is the responsibility of the user to ensure that this content is appropriate and free from links to sites which may compromise their privacy. Digistorm does not actively monitor content and has no responsibility for this content.

2. Third Party Integrations

Third Party software may, at the initiative and discretion of the Institution, be integrated with the Digistorm Suite of Products. Digistorm has no responsibility for the content, policies, or actions of these websites and they are entirely separate from Digistorm and are not covered by this Product Privacy Policy.

Digistorm also provides users with the option of registering/logging into its Suite of Products with single sign-on authentication through Third-Party software. If you choose to access our Suite of Products through single sign-on authentication, Digistorm may exchange personal information such as the user’s email address with the authentication service, depending on your privacy settings with that service. Digistorm will only collect and store such information in accordance with this policy. We recommend familiarizing yourself with any authentication service’s terms of use and privacy settings and policies before using such services to connect to the Digistorm Suite of Products.

A list of these Third-Party Integrations, including the services they provide to the Institution, the information we share with the third-party software providers or that they share with us, their privacy policies, and their contact information, can be found here.

3. Third Party Service Providers

Digistorm may use trusted third-party service providers to support our Suite of Products by assisting us with providing, maintaining, and improving our services. To this end, Digistorm may share information with these providers, but only to the extent necessary to provide our services, and only in accordance with our needs, this Product Privacy Policy, and all other applicable privacy agreements, laws, and/or requirements.

In particular, where your personal information is stored electronically, it is done so by a third-party cloud service provider that may store your personal information or a backup of your personal information in Australia, the United States of America or such other locations that the third-party cloud service provider determines from time to time. The data that we collect from you may be transferred to, and stored to, these servers or processed by staff operating in other countries, who work for us or an Institution.

A list of these providers, including the services they provide to Digistorm, the information we share with them or that they share with us, the jurisdiction(s) in which they store your personal information on our behalf, their privacy policies, and their contact information, can be found here.

Changes to and Access to Personal Information

Users have access to their personal information via their Digistorm user account, or by contacting the teacher or Institution administration.

Users may also request a copy of their personal information, make modifications to any incorrect information, or exercise any other rights available to them under applicable law by sending a written request to the Institution.

Change of Control

In the event that all or a portion of Digistorm or its assets are acquired by or merged with a third party, personal information that we have collected from users would be one of the assets transferred to or acquired by that third party. This Product Privacy Policy will continue to apply to your information, and any acquirer would only be able to handle your personal information as per this policy (unless you give consent to a new policy). We will provide you with notice of an acquisition within thirty (30) days following the completion of such a transaction, by posting on our homepage, or by email to your email address that you provided to us. If you do not consent to the use of your personal information by such a successor company, you may request its deletion from the company.

Disclosure of Information to Satisfy Legal Obligations

Digistorm may disclose personal information if we have a good faith belief that doing so is necessary to comply with the law, such as complying with a subpoena or other legal process. We may need to disclose personal information where, in good faith, we think it is necessary to protect the rights, property, or safety of Digistorm, our employees, our community, or others, or to prevent violations of our Terms of Use or Terms of Service or other agreements. This includes, without limitation, exchanging information with other companies and organizations for fraud protection or responding to government requests.

Changes and Updates to the Product Privacy Policy

This Product Privacy Policy is effective as of June 2024. Digistorm may, in its sole discretion, update, revise, modify, and/or supplement from time to time this Product Privacy Policy. Should we make modifications to this policy or the related Terms of Service, we’ll post a notice that you will receive when you login to our Suite of Products and/or we will send an email directly to the Institution. Digistorm’s updated Product Privacy Policy and Terms of Service will also be posted on Digistorm’s corporate website. Digistorm asks users to review the updated Product Privacy Policy and/or Terms of Service before continuing to use our services. The user’s continued use of the services provided by Digistorm after the updated Product Privacy Policy takes effect will constitute the user's acceptance of the updated Product Privacy Policy.

Consent to the Gathering and Processing of Information

By accepting the Terms of Service, users are expressly giving Digistorm a special declaration that users have agreed to the terms of this Product Privacy Policy governing the collection and processing of their personal information for purposes of services provided by Digistorm. Users are further declaring that users are aware of the purpose for Digistorm collecting, processing, and using such information, how the processing will be conducted, and how users’ privacy will be protected.

Contact

Digistorm’s service to its users and users’ trust is of utmost importance to Digistorm. If users have any questions about this Product Privacy Policy, users should contact Digistorm at: privacy@digistorm.com.