March 25, 2020 Privacy

Effective March 25, 2020 (see archived versions)

SEE ALSO Terms of Service

Guiding Principles

  • We want all kids to achieve at their highest possible level.
  • We expect kids to make mistakes.
  • We believe kids are entitled to leave their mistakes behind.
  • We believe kids have a right to veto their presence online.
  • We believe in transparency and feedback.We support the Student Privacy Pledge.

We wish it were enough to state these principles. Alas it is not. Make yourself comfortable…we’ve got a lot to cover.

This policy applies to data processed by our Services and is part of our Terms of Service. If you work for a school or other organization, you must have authority to enter into this agreement. It sets forth your roles and responsibilities, because guarding Student Data is a shared responsibility.

This Privacy Policy should be enough for most non-EEA schools. If your district requires a second signed agreement, please contact us for more assistance. For New York schools, we have documents you need available upon request. We are signatories to several state Student Data Privacy Consortium Alliance agreements.


Table of Contents

We Exist to Educate

Business Purpose

We (Omega Labs Inc. dba Boom Learning) have the following business purposes (the Services):

  • To enable Educators to make, share, buy, sell and assign awesome digital educational resources (Boom Cards) that mostly grade themselves;
  • To provide Educators with rapid student performance reporting to give you more time to teach students, intervene faster with those who need it, accelerate those who need it, and occasionally read a long privacy policy (or better yet a rollicking good book).

We use any personal information we receive from you (Educator Data), as well as any student personal information, student records, or student-generated content (Student Data) we receive from your students, to fulfill those purposes. Collectively we call this User Data.

These business purposes break down further into these categories of uses:

  • audit and session logs and related analytics (audit);
  • detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecution of perpetrators (detect);
  • error identification and repair (debug);
  • services performed on our behalf, such as customer service, identity verification, order fulfillment, payment processing, personalized learning recommendations, user education, user analytics (business operations);
  • internal research for improvement or demonstration and activities to improve, upgrade, or enhance our services (R&D); and
  • advertising or marketing services (marketing).

We Do Not Sell Personal Information

Our business is to act as a service provider of data processing and mini-app creation services on behalf of Educators. We do not sell personal information. Our services are not advertising supported. If we, or our assets, happen to be acquired someday, that buyer will be purchasing an obligation to fulfill the terms of this Privacy Policy.

Your Rights and Choices

You have rights regarding your User Data under a variety of laws (CCPA for California residents; GDPR for EU residents; and many more).

We do not sell personal information. We do disclose personal information as follows:

  • The information of students to the Educator who created the student account or the school or organization employing that Educator.
  • The information of Educators to the school or organization for whom the Educator works.
  • The name of a user redeeming Boom Cards purchased from a marketplace other than the Boom Learning store may be disclosed to to the originating seller or marketplace to verify that a product redeemed was validly purchased.
  • To our service providers under obligations of confidentiality to carry out our business purposes. Keep reading to learn more.

You’ve already read about our business purposes. By continuing to read this policy you will learn:

  • The categories of personal information we collect about you.
  • The categories of sources for the personal information we collected about you.
  • Service providers we use and the business purpose(s) for which we use them.
  • How you may obtain information about the specific pieces of information we collected about you.

Non-Discrimination (California Residents)

We will not discriminate against California residents for exercising your rights under the California Consumer Privacy Act (CCPA).

Information Controls and Requests

For Educators

We provide Educators with a number of controls that may be used to retrieve, correct, delete, or restrict User Data. We don’t analyze, process, serve or transfer Student Data until you instruct us to do so by opening an account, adding students, and assigning resources to them.

As an Educator, you may update or change most information you have provided to us about you in My Settings. There is a small fee for changing your Pen Name once you have published your first resource to the store.

You may contact us for assistance to learn which specific personal information we have collected about you and for help deleting personal information. We will require that you

  • Provide sufficient information to allow us to reasonably verify that you are the person about who we collected the personal information or an authorized representative; and
  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond a request for which we cannot verify that you have the authority to make the request.

We will not delete information necessary to be maintained for our business purposes, including but not limited to:

  • at least one login authenticator if you are maintaining an active account;
  • logs for detecting security incidents, fraud, deception and malicious and illegal activity;
  • records for internal uses, including debugging and repairing errors, transaction and payment records, and the like;
  • data legally required to be maintained (such as tax-related data).

For Parents and Students

Parents and students may review student information by either reviewing the student dashboard with the student or asking the Educator to show the teacher dashboard for that student.

If you are a student or parent, your Educator was supposed to get consent from you, in a manner consistent with law and school policy, before assigning Boom Cards. Speak to your Educator if you wish to revoke consent. Parents who contact us to review or delete student information will be redirected to the Educator. We will not release information to a person other than an Educator or school, unless we are provided satisfactory proof of a legal right to review or delete student information. We will respond to any request from your Educator authorizing us to make disclosures to you.

Data You May Not Collect – Sensitive & Health Data

You may not assign a resource that collects sensitive data. Depending on your governing jurisdiction, sensitive information may include political affiliation; trade union membership; health information; sexuality information; information about protected relationships such as lawyers or ministers; criminal behavior; firearm ownership; and/or biometric data. You are solely responsible for understanding what you may or may not assign in your jurisdiction. You agree to indemnify Boom Learning if you assign a resource that collects sensitive information in violation of a law that applies. If in doubt, consult your legal counsel and governing body.

User Data We Collect

We collect some User Data automatically and some you (or your school) provide to us. The next section covers the data we collect, the source of the data, and to which, if any, subprocessors, if at all, it is disclosed, and for which business purpose.

Our subprocessors have agreed that they process User Data on our behalf and that they do not own, control, or direct the use of the User Data. They also agree to implement technical, physical and administrative measures against unauthorized processing of data and against loss, destruction of, or damage to, data.

We will not provide, free or for a charge, identifiable Student Data to others, except (1) to an acquirer of the Boom Learning product assets for the continuation of the Boom Learning product with your consent, (2) to a legal, regulatory, judicial or public safety agency for a legitimate governmental purpose, and (3) to our subprocessors for the purpose of supporting our educational purpose (see below).

All User Data is stored in the Boom Learning database. This database is hosted by (and thus disclosed to) the subprocessors MongoDB and Amazon Web Services under obligations of confidentiality and with no right of use of personal data. Information stored in the Boom Learning database is disclosed for the following business purposes: audit, detection, debugging, business operations, and R&D. De-identified User Data information may be used for internal marketing research.

Information You Provide Us

Identifiers and Authenticators

All user accounts, Educator and Student, are authenticated. Why? Because allowing students to interact with random strangers online is a big ewww!

Educators can choose the authentication method: (a) username and password, (b) e-mail address and password, or (c) a third-party authentication service. Educators can see their connections and add, delete, or change connections by going to My Settings for adult accounts. To update a student account, the Educator must delete the student account to disconnect third-party authentication, edit the account to add a username, or contact us to set up or remove e-mail address authentication.

If you choose a third-party authentication service you will be sharing information with us from that third-party. The third-party authenticator may collection information about your use of our service. Select your third-party authenticator wisely.

Source and DirectionData Collected or StoredAccounts
You to Boom LearningIdentifiers (nickname, username, persistent identifier, encrypted password, email address)adults & students
Google (source) to Boom LearningIdentifiers (name, email address, persistent identifier, profile image)adults & students
Facebook (sourc) to Boom LearningIdentifiers (name, email address, persistent identifier, profile image)adults

The sources of these types of data are the Educator and/or the Educator’s chosen third-party authenticator.

Additional Personal Information: including address and employment

Educator name and description: We store your Educator name, profile picture, and description. The information you include in your Educator profile is disclosed to your students and their parents. You provide this information.

Contact Information and Teaching Profile: There is a variety of optional information that we store if you give it to us, such as your grade levels and subjects taught.

We may record your personal email, postal address, and telephone number and/or your school name, postal address, and telephone number. You provide us with your personal contact information. We may obtain your school name and address from you, your school or publicly available sources.

We contact adult users via email in a variety of ways: (a) directly from our hosted email accounts, (b) through our third-party support desk platform, (c) with transactional email (such as notices, password resets, expiration notices, and such) – these are not opt out, and (d) through our news provider – from which we provide educational information about our services and personalized learning recommendations. Educator accounts are added to our educational messages and personalized learning recommendations newsletters upon sign-up (with the option to opt-out). Product users must opt-in to marketing messages. Our news provider emails include a link allowing you to opt into and out of a variety of types of messages so you can receive only what you need. Certain accounts, such as seller accounts, are required to subscribe to special email lists to receive seller account services.

Our email services providers may supply us with a range of information about your communications with us, including IP addresses, your country, state or province, history of reading or receiving newsletters, and your approximate location. The source of this information is your interactions with the email service and/or third-parties.

This information is stored in (and disclosed to) the following additional service providers:

ProviderBusiness Purpose
Intuitbusiness operations, detect, audit
Freshworksbusiness operations, detect, debug, R&D, marketing
Stamps.combusiness operations, marketing
SparkPostbusiness operations, audit, detect
Microsoftbusiness operations, R&D, marketing, audit, detect, debug
ActiveCampaignbusiness operations, R&D, audit, detect, debug, marketing
Atlassianaudit, debug, R&D
Poeta Digitalaudit, debug, R&D
A4 Technologiesaudit, debug, R&D

Feedback and Ratings: We store feedback you give. Feedback is a private communication between you and a seller. We store ratings you give. Ratings and accompanying comments are public information. You may edit any ratings you give after they have been published. Feedback you provide via our support Helpdesk may also be stored in our systems for debugging and development management.

Student Information: You create student accounts from within your Educator account. You control the Student Data; we process it on your behalf. When you create a student account you are acting in the role of a parent for the purposes of verifications and consents required under law (including FERPA, GDPR, and COPPA as applicable). You must have all legal consents required of you to add a student before creating a student account. You must have an account and a verified working email address to add students.

You can always work with students without collecting Student Data by using Fastplay pins (see your Library actions to create Fastplay pins). To receive student reports, you must provide and verify an e-mail address. Student Data is provided to us by you (username, nickname, email address, persistent identifier, password) or by the student (task performance data).

When you assign an educational resource using a method other than Fastplay pins, we collect information about student performance on that resource and report it back to you for your educational use. Student performance data includes information such as resources played, cards played, time to play a resource, time to play a card, correct answers, incorrect answers and other student actions with respect to a card. When a school purchases an account, the school can transfer an account with students from one teacher to another (for example, during parental leave).

You should understand that a classroom worker (volunteer or paid) can likely determine who a student is in real life (“IRL“) from the nickname. You are responsible for ensuring any classroom workers follow your organization’s and locale’s rules, regulations, and laws regarding access to Student Data.

Author/Seller Information: We store your seller name, avatar and profile (if you have one) and make those available to the public. We store information you provide about resources you create, including name, grade levels, keywords, and content and make it public for resources listed in a store or shared. We may further share your public information on Facebook, Twitter, Pinterest, Instagram, Google, or any other appropriate public marketing service. We may announce publicly top selling products, top sellers, and new sellers. You may contact us to be omitted from those announcements.

We store the fonts, images and sounds you upload; and videos to which you link. We store feedback responses you give.

Payment and Purchasing History

To make a payment you will need to provide the information requested by one of our payment processors, such as your name, account number, and verification numbers. Our payment processors use Payment Card Industry Security Data Security Standard (PCI DSS) compliant processes to process payments. They process payments directly. We do not have access to or store your full payment card details. We do have some information, such as your email address, approximate location, and name and payment and purchase history. You can use My Settings to remove a credit card stored by Stripe. You may edit your Paypal information from your Paypal account.

You may pay by check by contacting us for an invoice. If you pay by purchase order or check, we will store your payment information and tax exemption information, if any, in our accounting records. In some cases, your information may be shared with our accountant or with tax authorities.

We record the authors you redeem, purchase and assign. These allow us to make adaptive and personalized learning recommendations to you based on you and your students’ educational needs. We do not provide personalized recommendations from third parties in exchange for compensation.

We store records of your sales. If you reach certain thresholds, we may request and store your taxpayer identification number. We also store information you give us to enable us to pay you. Because Boom Cards are effectively small applications unique to our platform, there is no ability to export created resources in a playable format. However, you may use the print feature to create .pdf versions of your creations.

Intuitbusiness operations
Stripebusiness operations
PayPalbusiness operations
Microsoftbusiness operations
The Hagen Firmbusiness operations
BECUbusiness operations

Information We Receive From Use of Our Services or Third-Parties (network activity and geolocation)

We describe how we use cookies and similar tracking tools in our Cookie Policy.

All Users: For all users, we record the account created timestamp, last login timestamp, the type of device being played (i.e., iOS or Android, but not the device ID), the app version (if playing a Boom Cards app), the OS version of the device, the browser type and version, decks redeemed or purchased, decks made, points available, and school affiliation. As necessary, that information may be further disclosed for these purposes:

Freshworksbusiness operations, audit, detect, debug, R&D
Microsoftbusiness operations, audit, detect, debug, R&D
Atlassianbusiness operations, audit, detect, debug, R&D
Poeta Digitalbusiness operations, audit, detect, debug, R&D
A4 Technologiesbusiness operations, audit, detect, debug, R&D
Your Employeraudit, detect and business operations – applies to accounts purchased by your employer or having a domain associated with your employer

Educators: We may store a referral code if you clicked one to arrive, which may tell us which user or author referred you or whether you arrived from a particular campaign. We keep records of the type of membership you have, expiration dates, newsletter enrollment, purchase and payment history. We keep track of which users follow you or redeem your products. We keep track of newsletter clicks, opens and site actions to better serve you. This information may be sourced from our disclosed to:

Freshworksbusiness operations, audit, detect, debug, R&D, marketing
Microsoftbusiness operations, audit, detect, debug, R&D, marketing
Atlassianaudit, detect, debug, R&D
Poeta Digitalaudit, detect, debug, R&D
A4 Technologiesaudit, detect, debug, R&D
Googleaudit, detect, marketing research (advertising features are turned off, search console is on)
ActiveCampaignbusiness operations, audit, detect, debug, R&D, marketing

We have selected ActiveCampaign because their privacy practices and policies are consistent with the needs of the education market. We use ActiveCampaign on our website. We do not use ActiveCampaign site tracking. We do tell ActiveCampaign about key user actions for adult users. This allows us to provide just-in-time support and to run our recommendation engine for our adult users. We provide you with a variety of tools to opt in and out of how we use ActiveCampaign data. Options include notices only, newsletters about teaching, creating, and selling Boom Cards. Any marketing use of your personal ActiveCampaign data is opt-in. We may use aggregate ActiveCampaign data to evaluate and plan external marketing, but will not use that data to target you specifically. You can always request to see your full ActiveCampaign data map and to have us update or delete information in the map.

Additional Vendors

We use these additional providers in support of our operations. They may collect information and provide it to us but we do not provide personal information to them.

WordPress: When you click on a link hosted at, WordPress will collect technical data about you, your interactions with the site, and your inferred location. We do not enable ads on our blog.

Facebook: Your participation in our Facebook groups and messaging us through Facebook is optional. Comments sent to us through our Facebook Page are forwarded to our Help Center (Freshworks). You participation with us through Facebook is governed by Facebook’s terms.

YouTube and/or Vimeo: If you select a resource that included a video hosted by YouTube or Vimeo, the hosting provider may place a cookie and/or collect data about the use. We take steps to ensure that such collection, if any, is anonymous and ad free, but we cannot control these vendors.

Automattic (WordPress)business operations, marketing
Facebookbusiness operations, marketing

Advertising Vendors

We do not serve advertisements on the Boom Learning platform to Educators or students. Nor do we advertise to students through any providers. If you discover author created content that appears to be an advertisement, please report it to use immediately as an abuse of our terms. Boom Learning is a “for pay”, not advertising, supported service. We allow adult customers to “opt in” to receive email marketing from us or others.

Like other business, we advertise to adults to attract new customers. All such advertisements are placed with third-party providers, such as blogs, newsletters, magazines, search sites or social sites. We receive analytics on the performance of those advertisements from the services with which we place the ads. These companies may use cookies and similar technology to collect information about your interactions with the Services and other websites and applications. Your interactions with such ads are governed by the terms of the site on which they are displayed.

The Keeping and Deleting of Information

At any time Educators may delete a student, or contact us to request that we delete a student or your account. You agree to give us 10 days so we can confirm that the person making the request is you and has the right to delete the account. Deletion cannot be undone.

To transfer an account from one teacher to another, or to receive a machine-readable data dump from an account, you must contact us. We can only make full account transfers between employees of the same purchasing entity.

For account transfers and or deletion requests, we may require multiple indicia of identity and authority before fulfilling the request.

To minimize privacy risk, we schedule deletion of stale accounts as follows:

  • student accounts 90 days after the associated paid Educator membership expires – we assume these students will have a new teacher in the next session; renew early to avoid.
  • student accounts 180 days after the last Educator login for free accounts – we assume these are homeschool or small tutor accounts; login in at least once every 179 days to avoid.
  • Educator accounts not owned by a school 365 days after last login, at our sole discretion – deletion results in the loss of purchased and redeemed decks, created decks, classrooms, and unused points.

Boom Learning retains copies of all Educator resources sold or shared to serve the recipients. Deletions take place after the triggering event during the next scheduled data sweep.

Our Policies for Children

We allow Educators to create accounts for K-12 students. We treat payment and verification of email address as proof of adult status. As the data controllers, Educators are responsible for obtaining affirmative consent from parents or for having a legal right, such as under Family Educational Rights and Privacy Act in the United States, to give consent. Student accounts are only created through the Classes tab. Educator accounts are for adults only. If we learn that a minor has created an Educator account, we will take steps to delete the information as soon as possible. Educators or parents who believe that their child has submitted personal information to us and would like to have it deleted should contact us.

Information Security and Breaches of Personal Information

Privacy and Security by Design

Boom Learning engages in privacy and security by design and conducts annual audits of its privacy and security practices. Student data is only accessible for Educators with confirmed email addresses. Authenticated data exchanges are transported using HTTPS using Transport Layer Security (TLS). We take advantage of Amazon Web Services security environment. No method of transmitting or storing data is completely secure, however. If you have a security-related concern, please contact us.

Data is only accessible through authenticated accounts. We require passwords at both the Educator and Student level to keep data safe. Passwords are encrypted. We cannot see your password or your students’ passwords. We provide tools in the app for you to reset passwords. Student passwords are set and reset by teachers. Use good password practices to keep your students safe. Our team members use password managers and you should also. This allows you to avoid risks from reusing passwords.

Student Safety is a Shared Responsibility

We use appropriate physical, electronic, and managerial processes and procedures to safeguard data against unauthorized access and use, including designating and training the individuals responsible for ensuring the security of the data. If you add students to your account, you also have a responsibility to use appropriate physical, electronic, and managerial processes and procedures to safeguard Student Data against unauthorized access and use, including designating and training the individuals responsible.

Personal Information Breach

In the event of a breach of Educator or Student Data that contains personal information, we will contact the account holder for the affected individual(s) using the information we have on file. We will provide notice as soon as reasonably possible, provided that we may delay notice if a law enforcement agency determines that the notice will impede a criminal investigation. Schools will be notified without undue delay and within 72 hours of determining that a data breach affecting school Student or Educator Data has occurred. If the specific jurisdiction in which school is based requires a shorter notification period, the school shall inform Boom Learning in a signed writing and specify the shorter time period and the legal authority for such shorter time period. We will provide schools with sufficient information to allow the school to meet any obligations to report or inform students or staff of the breach. In many cases, we do not collect or store information about students that would enable us to contact students or their parents directly. We will provide notices of breaches to the appropriate regulators where required by law, and we may elect to provide such notice, at our option and in our sole discretion, where not required by law.

Legal Authority Demands for Access to User Data

We are required to disclose Personal Information in response to lawful requests by legal authorities, including to meet national security and law enforcement requirements. In the event a legal authority asks to access your data, we will direct the requestor to you and will not take action without your prior authorization, unless legally compelled to do so. If we are legally compelled to respond to such a request, we will promptly notify you and provide you with a copy of the request unless legally prohibited from doing so. If a legal authority is asking for information about a student, the account holder agrees to pass on the notification to the student’s legal guardian and indemnifies us for failing to do so.

Data Transfers for Our International Customers

Most of our customers are in the United States and Canada. Some people in other parts of the world have chosen to use Boom Learning. We transfer the information you submit or that we gather to the United States for the purposes described in this policy.

Your country may assert oversight over your data or provide you with less protection than this document. By signing up for a Boom Learning account, you acknowledge and accept the risk should the laws of the country in which you reside provide you or your students with less protection than this document with regards to your local government.

We comply with the EU.-U.S. & Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce. These frameworks relate to the collection, use, sharing and retention of personal information transferred from the European Union, the United Kingdom, and Switzerland to the United States in reliance on the Privacy Shield. We have certified to the Department of Commerce that we adhere to the Privacy Shield Principles with respect to such information. If there is any conflict between this Privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. Click to learn more about the Privacy Shield programs, and to view our certification . We have submitted to the oversight of the US Federal Trade Commission for the purposes of Privacy Shield Enforcement. We remain liable for personal information we transfer to others who process it on our behalf. If you have a question, concern or complaint about our compliance or your rights, you can contact us. We will review your request in light of applicable laws.

For our subprocessors, PayPal uses intercompany agreements to comply with international data transfer regulations. The remaining subprocessors are EU-US Privacy Shield and Swiss-US Privacy Shield compliant.

You have the option of referring any complaint to our independent dispute resolution body: JAMS, an alternative dispute resolution provider with locations in the UK and US and online. Any matter referred to JAMS will be administered by JAMS in accordance with JAMS International Arbitration Rules. Online mediation is also an option. The services of JAMS are provided at no cost to you. In certain circumstances and if you are in the EEA, you can invoke the Privacy Shield arbitration process. To learn more about this method of resolution and its availability to you, please click here.

Who We Are and How to Contact Us

Boom Learning is a trade name of Omega Labs Inc. Our mailing address is 9805 NE 116th St Suite 7198, Kirkland WA 98034. You can call us at 833-969-2666. You can contact us to send us questions about or notifications relating to this policy.

Changes to This Policy

We will notify you before we make material changes to this policy and give you an opportunity to review and consent to the revised policy before deciding if you would like to continue to use the Services. You can review previous versions of the policy in our archive. Any version of this Privacy Policy in a language other than English is provided for convenience and the English language version will control if there is any conflict. Given the importance of this Privacy Policy, we encourage you to study it carefully.