Skip to content

Privacy Policy - Educational Support System

Latest update: December 2020

This Privacy Policy covers how we process personal information within our Educational Support System services, which includes our tutoring services, our platform, support and maintenance services, reporting and hosting (together, our “Services”).

If you have any questions, concerns or inquiries regarding the collection, use or disclosure of your personal information or concerning this Privacy Policy, do not hesitate to reach out to us. You can e-mail us at privacy@paper.co, or reach us by mail at the following address:

Paper Education Company Inc.
279 Sherbrooke St West, Suite 410
Montreal, QC, H2X 1Y2
Canada

1. What is personal information?

This Privacy Policy applies to personal information. We consider that “personal information” means any information which allows us to identify you directly or indirectly, including “cookies” and other electronic data. Some information may not be personal on its own but may become personal information if associated with other information or if the sum of the information allows us to identify individuals.

A “cookie” is an information that a website puts on a computer’s hard disk so that a website or web application can remember something about individuals at a later time. In this Privacy Policy, when we refer to “cookies” we also include other technologies with similar purposes, such as pixels, tags and beacons. For more information on cookies, you can refer to websites such as http://www.cookiecentral.com/ and https://www.allaboutcookies.org/.

This Privacy Policy is for transparency purposes and some of the data that we identify in this Privacy Policy as personal information may not be protected as personal information under applicable laws.

2. When is this Privacy Policy not applicable?


This Privacy Policy only applies to how we process the personal information of our users within our Services and does not apply to our marketing activities and website which are not within the Services. We do not leverage user data for marketing purposes.

Our Services may contain links towards external services which are not part of the Services. For instance, a tutor may provide a student with a link to a website to learn more about a certain topic. These external services are not covered by this Privacy Policy.

3. What personal information do we process, and for which reasons?

We collect the following types of personal information:

  • Educational and Identification Information

When we on-board new educational institutions, we receive the following information from educational institutions which is used to create accounts or to manage students and teachers’ accounts if an integration with Google G-Suite is used instead of accounts:

    • Name of students and teachers
    • Usernames
    • Classes that students are enrolled in
    • E-mail addresses
    • Other information which educational institutions may deem necessary, such as student IDs

This information is used to create an account and manage the Services, such as to offer e-mail notifications, if the user opt-in. We typically receive such information from educational institutions in a CSV file.

If the Services are integrated with Clever, then class rosters are automatically updated within our Services whenever students or teachers change classes or switch schools. Clever is a service that we use to integrate with most student information systems, and which securely syncs Educational and Identity information systems with our database. Clever is only available to educational institutions who are registered to use this service and is synchronized daily. We also use ClassLink as an additional integration tool. If an educational institution does not use Clever nor ClassLink, then the information is updated manually when we receive updates.

  • Credentials

Once accounts are created, students and teachers who are using our Services can connect using their username and passwords, or through a single sign-on services offered by third parties such as Google G-Suite with which our Services integrate without the need to create distinct accounts. Educational institutions using Clever may also connect through a single sign-on functionality integrated through Clever. The information related to each account includes full name, username, e-mail, password and grade levels for students. We also collect each student’s preferred language so that they are connected with appropriate tutors.

  • User Generated Information

User Generated Information includes any information generated by students or teachers when using our Services, such as:

    • Transcript of conversations, along with documents shared and emojis used;
    • Feedback on tutoring sessions;
    • Essays submitted for review, along with related information provided by students, such as the essay title, language, teachers instructions and similar educational requirements;
    • Essays reviewed through our tutoring services; and
    • Questions asked by students.

The Services have different views depending on the identity of the user. For instance, teachers, school administrators and district administrators each view the information related to students under their authority. This information includes transcripts of conversations, questions asked, student usage, active and expired licenses. School and administrators generally have access to the same information than teachers except that the identity of the students concerned may vary. When referring to teachers under this Privacy Policy, we imply such administrators as well.

When using the Services, students can ask questions which are then matched automatically by our algorithms with related topics associated with their grades. Students can also access live classrooms, in which they can share files but also use a digital whiteboard. Each session is recorded in the history tab and associated with an ID. All sessions’ transcripts are accessible by both the student and the teacher.

User Generated Information is also used to create reporting for teachers. For instance, teachers receive a monthly report on how students in their classes are using our Services, such as the top questions asked and the top students users.

We process User Generated Information in order to offer our Services to educational institutions, such as to allow students to obtain tutoring services and teachers to oversee what their students are doing within our Services.

  • Usage and Performance Data

In order to understand how our Services perform and which functionalities are used, we collect Usage and Performance Data. These may include bugs, errors and logs which are generated by users, and other data collected in using an anonymous ID associated with users. Such personal information can be used for support and maintenance, and for troubleshooting.

  • Support Data

When users are navigating the Services, they may have some questions on how to use the Services or face some bugs or errors. To assist users, we have a support desk available to respond to support requests. We collect any information shared with us through support services.

  • Electronic Data

Online services automatically collect Electronic Data about users in order to allow us to deliver the Services. Electronic Data includes:

    • IP address
    • Device and browser information
    • Screen resolution
    • Operating system name and version
    • Device manufacturer and model

This information is used to fix bugs, to remember important information, to present the Services in the preferred language and enhance security. Electronic Data is also used to provide notifications to users about activities within the Services. For instance, our service provider automatically places a single pixel gif, also known as web beacons, which enable us to recognize when a user has opened an e-mail or clicked a certain link in an e-mail. This technology requires collecting e-mail addresses, IP addresses as well as the date and time associated with each open and click for a notification. The data generated is then considered Usage and Performance Data. Our Services also include browser notifications which require Electronic Data.

4. Do you use any cookies as part of the Services?

We only use cookies as necessary to provide the functionalities within our Services, which means that our Services do not contain any marketing cookies and that we do not conduct interest-based advertising. Our Services only contain essential, functional and analytic cookies as described below.

 

Type of cookie

Description

Essential

Essential cookies are necessary to operate the core functions of our Services. These include login cookies, session ID cookies, language cookies as well as security cookies.

Functional

Functional cookies are used to provide you with some functionalities, such as live chatting, and to remember preferences, consents and configurations.

Analytics

Analytics cookies are used to generate aggregated statistical data about traffic and behavior of users when using our Services.

You can manage your cookie preferences through your browser using the instructions provided below by clicking on the browser that you are using. However, by blocking essential and functional cookies, parts of the Services may not be available.

Google Chrome
Firefox
Safari
Internet Explorer
Opera

5. How do we obtain consent from students?

Most of the students who are using our Services cannot consent to the processing of their personal information under applicable laws, and a parental consent is required. The educational institutions which retain our Services are responsible for obtaining such consent in accordance with applicable laws from parents.

6. Where is personal information stored?

We offer hosting in both Canada and the United States depending on where the educational institution which retains our Services is located. However, we use third-party service providers which may be in other countries than where education institutions are located.

7. How is personal information protected?

We seek to implement controls that are proportional to the risks to protect the privacy of students and other users. For instance, we use multi-factor authentication, SSL encryption, physical access controls to files and buildings and secure file transfer protocols with encryption. Our cloud service provider, Google Cloud Platform, maintains several independent verifications of its security, privacy and compliance control, such as ISO 27017, ISO 27018 and ISO 27001. You can review Google Cloud Platform’s safeguards on Google’s Trust & Security Center available here.

We also expect our service providers to provide adequate level of security for personal data.

8. How is personal information shared with third parties within the Services?

We do not sell any personal information of our users, and we do not use personal information for any other purposes than to provide the Services, which means that we do not share it with marketing partners. We do not have any marketing cookies installed within our Services. Paper is subject to the same conditions on use and redisclosure of education records that govern school officials under the Family Educational Rights and Privacy Act known as FERPA. This means that we only share personal information if required for the Services and with third parties that have legitimate educational interests unless otherwise authorized or required by law.

If we receive a request to access personal information by the authorities, we will transfer this request to educational institutions. If we are prevented by law from doing so or forced to respond, we will first validate that the request is legitimate and disclose only the minimum required with the help of a legal counsel.

Any personal information of students collected through the Services is available to teachers and may be reviewed by teachers.

Here are the categories of recipients with whom your personal data is shared so that we can provide you with the functionalities within our Services. Each service provider is bound by an agreement with us which limits their rights to use your personal data for other purposes:

Category of recipients

Examples and explanations

Support Service Providers

We use Zendesk to provide support to our users. Zendesk does not use personal information for any other purpose than to provide us with their services and does not sell personal information. We have an agreement in place with Zendesk which complies with legislations such as the California Consumer Privacy Act.

You can consult Zendesk’s Privacy Policy here.

We may use other tools for support purposes, such as for tracking tickets. These tools may temporarily contain personal information of our users.

IT Service Providers

We use service providers to provide and host our Services online. For instance, our Services are hosted on Google Cloud Platform. IT Service Providers may also be used for security purposes, such as for log monitoring.

You can find Google Cloud Platform’s Privacy Policy here.

Performance Service Providers

We use tools to monitor our online application such as to diagnose, fix and optimize the performance of our Services.

Analytics Service Providers

We use third parties to obtain analytics based on how users are leveraging our Services.

We use such analytics to provide reporting capabilities to educational institutions. Our analytic service providers are also used to build interactive and visual analysis for educational institutions or to generate reporting capabilities in accordance with our agreements with educational institutions.

Communication Partners

We use third parties to provide you with e-mail notification. For instance, we use Mailchimp and Mandrill, an add-on to Mailchimp, to provide teachers and students with notifications. You can find MailChimp’s Privacy Policy here. We have not enabled any marketing functions within MailChimp’s additional add-ons.

Our Services can be integrated with other learning management platforms through Single Sign-On and APIs, such as Clever. Integration Partners are not our suppliers or service providers. Educational institutions enter into separate agreements with integration partners to which we are not party, and plug-ins, APIs or other accesses to Integration Partners are only activated at educational institutions’ request. This allows educational institutions to integrate our Services with other educational technologies and services relevant to students such as to simplify education. If required to do so to comply with the instructions of educational institutions, we may share personal information with such integration partners. Educational institutions have full control over which personal information they share.

We may also be required to share personal information with law enforcements if we are legally compelled to do so. We will take all commercially reasonable measures to notify educational institutions prior for doing so, unless we are prevented to do so by law.

If we go through a restructuration, a merger and acquisition or a sale of parts of all of our assets, personal information may also be transferred in such context, subject to any limitations under applicable laws.

9. How long is personal information retained within the Services?

We retain personal information for as long as we have an active contract with an educational institution, or as required by applicable laws, whichever is longer. Users may delete personal information on their own, and educational institutions may also do so through built-in functionalities or by reaching directly to us.

10. Are there any rights that can be exercised on such personal information, and how?

Depending on your location, different rights may be applicable. However, students may not be able to exercise their rights on their own and may need a parent to do. For instance, the Family Educational Rights and Privacy Act known as FERPA in the United States gives rights to eligible students (i.e., over 18 years old) or parents to request that a school correct records which they believe to be inaccurate or misleading. In many cases, the educational institutions where the student is registered is the best entity to contact to exercise privacy rights, as they have the complete records of students. We may be prevented by law to respond to requests to exercise some privacy rights, such as access to records of students, without the authorization of the relevant educational institution.

We respond to rights found under the California Consumer Privacy Act, under which we are a service provider. These rights must be exercised by reaching out to educational institutions which will notify us, such as when personal information should be deleted. We have mechanisms in place to respond to deletion requests.

Applicable laws generally contain a minimum of two rights: (1) the right to access personal information and (2) the right to modify personal information in certain circumstances.

To exercise your rights or your children’s rights, you may reach out to us at privacy@paper.co. You can also reach out to us by mail at the following address:

Paper Education Company Inc.
279 Sherbrooke St West, Suite 410
Montreal, QC, H2X 1Y2
Canada

11. Can this Privacy Policy be modified?

Yes, we may modify this Privacy Policy, such as to reflect additional functionalities. Please refer to the Latest Update above. We will also provide an update to users when we do so. However, we will not materially change this Privacy Policy or our practices to make them less protective of students’ privacy without the prior written consents of relevant educational institutions.