Student Records Privacy Statement & Security Plan

We take the privacy of our K-12 educational customers and their staff, students and other users seriously, and we understand the need to safeguard personally identifiable information in records of staff and students who access and use our web- and mobile-based K-12 Educational language-learning, literacy and/or assessment subscription products and services (collectively, “Student Records”) through the K-12 educational institutions, schools and school districts that we serve (our “Education Customers”).

Student Records are the property of our Education Customers.  We receive those Student Records solely for the purposes of delivering and supporting our educational products, services and commitments under our agreements with our Education Customers.  We  are committed to working with our Education Customers to comply with all applicable laws, rules and regulations governing the use and protection of Student Records, including the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. §1232g and its implementing regulations, and applicable state laws and statutes governing Student Records.   As such, we commit to implementing and maintaining this Student Records Privacy Statement & Security Plan (“Student Records Security Plan”), which is designed to protect the security, confidentiality and integrity of Student Records that we receive from our Education Customers, and protect against unauthorized access or other anticipated threats to those Student Records. 

In connection with our Student Records Security Plan, we maintain administrative, technical and physical safeguards designed to secure Student Records both during transmission and while in our custody.  These safeguards include technical and operational measures, such as firewalls, routers, encryption (at rest and in-transit), passwords, and vulnerability testing, as well as training, policies and procedures to limit access to Student Records to authorized staff, contractors and agents that have a legitimate need to access such data for purposes of enabling us to deliver and support our products and services to our Education Customers, and that are under appropriate contractual obligations of confidentiality, data protection and security.

We utilize various authorization and authentication technologies and processes to limit access to Student Records to authorized persons, including: (i) granting access rights on the basis of the least privilege, “need-to-know” principle; (ii) reviewing and maintaining records of employees who have been authorized or who can grant, alter or cancel authorized access to systems; (iii) requiring personalized, individual access accounts to use passwords with appropriate complexity, length and duration requirements; and (iv) encrypting and logging access to facilities with systems containing Student Records. We provide regular training on our information security and data policies and procedures to our personnel who are responsible for or have access to Student Records.  Our products and services do not currently utilize or enable students to upload student-generated content, but if we offer such functionality in the future, we will work in good faith with our Education Customers to develop processes to address requests through our Education Customers by students and/or parents or legal guardians for the transfer of such content generated by the student during the service term. 

We use Student Records only for the purpose for which they are provided to us and as authorized in the applicable agreement with the Education Customer and applicable law.  We do not sell Student Records or use them for targeted consumer marketing or similar commercial purposes, and do not authorize others to do so.  Teacher and administrator staff contact information may be used for purposes of communicating to those teachers and administrators information relating to our business and K-12 educational products and services (e.g., account activity reminders, best practices, contest and other classroom activities to support usage and user engagement, downtime or new product or feature notifications, technical and other support services, etc.).  We do not disclose Student Records to unauthorized third parties without the permission from the Education Customer, except as may be required by statute, agency or court order, subpoena or similar compulsory legal process. 

If a parent, legal guardian or student contacts us with a request to review, modify, export or delete the user’s Student Records, or if an agency, court, law enforcement or other entity contacts us and requests access to Student Records, we will (unless prohibited by writ or compulsory legal process) promptly direct the requesting individual or entity to contact the Education Customer and/or notify the Education Customer of the request, and thereafter, we will use reasonable and good faith efforts to assist the Education Customer in fulfilling such requests, if and as directed by the Education Customer.    

If we determine that an incident involving unauthorized access or use of Student Records has occurred that would be subject to reporting under applicable federal or state law, we will take prompt and appropriate steps to mitigate the incident and/or further impact to the Student Records; provide notice of the incident to the affected Education Customer promptly and without unreasonable delay; and work with the affected Education Customer to provide information and assistance necessary to comply with any notification to parents, legal guardians, students, or other persons or entities, as required under applicable law.

Following expiration or termination of the agreement under which the Education Customer purchased access to our web-based subscription products or services and/or upon receipt of written direction from the Education Customer, we will take steps to remove and destroy, or if agreed, return the Student Records in our possession to the Education Customer within a commercially reasonable period of time.  Upon completion of the remove and upon written request, we will provide written confirmation to our Education Customer that the Student Records have been disposed of in accordance with the foregoing.  For clarity, consistent with applicable law, data or data elements within Student Records generated by use of our products or services that are in aggregate form or that are de-identified or anonymized (i.e., where personally identifiable information and individually identifying attributes that would associate the data or element with an individual student or user have been removed), may be retained and used for benchmarking, development of best practices, improvement or development of our K-12 educational products and services, and/or for educational research and statistical purposes.  We will not attempt to re-identify de-identified data, and will not authorize others to do so on behalf.

This Student Records Security Plan is effective as of May 22, 2020.  From time to time, we may update this Student Records Security Plan to reflect changes to our privacy practices in accordance with changes in legislation, best practice or our products and services.  Notice of material changes to this Student Records Security Plan will be provided to Education Customers by email to the address on file for the account, by including a notice in our invoice documentation to the Education Customer, or by placing updates within our web-based applications or on our website.

Further information on our data privacy and security practices with respect to Student Records and our K-12 Education Products is available from our privacy team:

For Lexia Learning LLC:

For Rosetta Stone Ltd.: