The Site and its related products and services (collectively, “the Services”) are operated by BrightFish Learning, LLC. (“us”, “we”, “BrightFish”, “BrightFish Learning” or “the Company”), except and unless otherwise indicated. The Services consist of an online provider of educational tools and other materials and content. The text, images, data, illustrations, files, audio, videos, designs, documents, and other materials and content (collectively, the “Content”). Collectively, the Site, Services and Content are referred to in these Terms as the “Platform”. We use the term “Student Information” in this policy to refer to information that personally identifies a student and other information we receive about a student that is linked to information that personally identifies a student. Student Information does not include de-identified or aggregated information that does not personally identify an individual student.
When you use the Platform, you provide us with three types of Student Information:
We do not disclose, share, rent, or sell any Personal Data or other personally identifiable information about students to any third parties for commercial uses, such as targeted advertising. We only disclose or share such Personal Data with bona fide service providers for purposes related to or arising out of the ordinary course of creation, development, operation, service, and maintenance of the Platform. Such bona fide third-party service providers shall only use such information for such purposes and not to sell such information under any circumstances. Third party providers who do help us operate our Services must adhere to privacy and security obligations in a manner consistent with the Company’s policies and practices.. For the purposes of illustration, examples of bona fide third-party service providers to us are services facilitating cloud-based hosting, online customer support, log-in monitoring and customer engagement services.
If you are a student using the Platform in connection with a “class”, your school administrator(s) and teacher(s) (“Educator Users”) may have the ability to access, monitor, use, or disclose data related to User Performance Data and Personal Data. If you are an Educator User, you agree that you will obtain and maintain all required consents from End Users to allow: (i) your access, monitoring, use, and disclosure of this data and our providing you with the ability to do so, and (ii) your End User’s use of the Programs. If a User enrolls in a “class” created by a teacher, on the Platform, the User grants permission to the teacher to view their Personal and Performance Data. Enrollments are done via a unique class join code, direct email invitation, a print out of student logins via PDF, or integration with a Third Party Application.
All student Personal Data is securely encrypted within our database, which has daily backups and is protected by SSH (Secure Shell) and a firewall. All actions that involve the digital transmission of Personal Data are handled by a 256-bit SSL (Secure Sockets Layer) encryption.
We retain Student Information to provide the Services to you and our other users and to provide a useful user experience, and not longer than is necessary to do so. Backups of our database are kept for a reasonable period of time and used only in the exceptional circumstances of data recovery due to system failures. Users may deactivate their account at any time by accessing their account through the Platform. Deactivating an account means the following:
Following the termination of a license, a school or district may request that we deactivate and de-identify Student Information and we will do so, unless the school, district, or applicable regulations require the retention of such data, in which case the records shall be de-identified upon the expiration of the retention period. Prior to de-identifying any Student Information, we will first ensure that the school or district has downloaded backups of the same. This shall apply even in the case when the termination of a license is initiated by the Company. In the case of a request for deactivation and de-identification, the following happens:
In order to request an account reactivation, please contact us at firstname.lastname@example.org. To request that Student Information be de-identified, please contact us at email@example.com.
A parent or guardian may review Student Information in the applicable student’s records by viewing their BrightFish account. The Platform enables any Educator User to permit parents, legal guardians, and eligible pupils to review personally identifiable information contained in Student Information, and to correct erroneous information, in accordance with procedures established by the school district or educational agency To the extent that a User opts to share his or her profile with his or her parent or guardian, such User expressly agrees to such sharing and all related responsibilities and liabilities therewith. We fully comply with the Requirements for Accessible Electronic and Information Technology Design as laid out by the U.S. Department of Education here.
Any and all student data provided to BrightFish, or to which BrightFish has been granted access, are and shall remain the sole property of the educational agency that provided or granted access to such records.
In accordance with the Children’s Online Privacy Protection Act (“COPPA”), we require parental consent for students under the age of 13. Children under the age of 13 should not register for their own BrightFish account. Setup of accounts for children under the age of 13 is coordinated with a child’s teachers and parent for licensed school customers only. If you are a parent, please coordinate with your child’s teacher to set up an BrightFish account for your child. If you are a teacher interested in using BrightFish with children under 13, please contact us at firstname.lastname@example.org and we will work with you toward a school license and collecting the necessary parental consents. Parents may review their child’s personal information on BrightFish, direct us to delete it, and refuse to allow any further collection or use of their child’s information by BrightFish by revoking their consent. Parents seeking to revoke their consent, review their child’s information, and request a deletion of their child’s data should contact us at email@example.com.
Within 48 hours of learning about a data breach, or longer reasonable time as may be required by the legitimate needs of applicable law enforcement or as to take measures necessary to determine the scope of the breach and restore reasonable integrity of its systems, we will notify all teachers, parents, principals, and district administrators whose information may have been improperly disclosed, via email communication to the email address on file for each user. We will inform any users who oversee those students (i.e. relevant teachers, parents, principals, and district administrators) if any Student Information is involved. This email notification will describe the nature of the data breach, the date of the breach, the types of information that were subject to the breach, and steps that are being taken to protect their BrightFish accounts going forward.