Privacy

Effective October 15, 2020 (see archived versions)

SEE ALSO Terms of Service

Guiding Principles

  • We want all kids to achieve at their highest possible level.
  • We expect kids to make mistakes.
  • We believe kids are entitled to leave their mistakes behind.
  • We believe kids have a right to veto their presence online.
  • We believe in transparency and feedback.

We wish it were enough to state these principles. Alas it is not. Make yourself comfortable…we’ve got a lot to cover.

This policy applies to data processed by our Services and is part of our Terms of Service. If you work for a school or other organization, you must have authority to enter into this agreement. It sets forth your roles and responsibilities, because guarding Student Data is a shared responsibility.

We will not make material changes to the terms, including this Privacy Policy, without first providing notice via our newsletter service (ActiveCampaign). Mere reorganization of components between cross-referenced documents nor the addition of detail previously stated in our FAQs that does not alter fundamental commitments does not constitute a material change.

This Privacy Policy should be enough for most schools. We do have a Terms Addendum for Government Entities and an EEA/Canada Addendum (DPA) at the bottom of this document that you can download, sign and return if required for your district. We are signatories to several state Student Data Privacy Consortium Alliance agreements.

CUSTOMERS IN THE EUROPEAN ECONOMIC AREA (EEA) MUST ENTER INTO AN ADDITIONAL DATA PROTECTION ADDENDUM (“DPA”).

Table of Contents

We Exist to Educate

Educational Purpose

We (Omega Labs Inc. dba Boom Learning) have the following educational purposes (the Services):

  • To enable Educators to make, share, buy, sell and assign awesome digital educational resources (Boom Cards) that mostly grade themselves;
  • To provide Educators with rapid student performance reporting to give you more time to teach students, intervene faster with those who need it, accelerate those who need it, and occasionally read a long privacy policy (or better yet a rollicking good book).

These are services that take place at the direction of Educators for which Educators would otherwise use their own employees or agents and that aid in delivery of educational activities. We use any personal information we receive from you (Educator Data), as well as any student personal information, student records, or student-generated content (Student Data) we receive from your students, to fulfill those purposes. Collectively we call this User Data.

We Are Directed To Educators

Boom Learning is a platform marketed and directed to Educators for use with students, who may be minors. Educators create accounts for students under their charge. Although minors may use Boom Learning, a responsible adult Educator must accept terms and set up accounts on the minor’s behalf. Parents and legal guardians who are homeschooling or afterschooling their children may use the product as Educators.

Service Provider, Not Data Seller

We do not sell User Data. We are a service provider of data processing and mini-app creation services delivered to Educators.

Your Rights and Choices

You have rights regarding your User Data under a variety of laws (CCPA for California residents; GDPR for EU residents; and many more).

You’ve already read about our business purposes. By continuing to read this policy you will learn:

  • The categories of personal information we collect about you.
  • The categories of sources for the personal information we collected about you.
  • Subprocessors we use and the business purpose(s) for which we use them.
  • How you may obtain information about the specific pieces of information we collected about you.

Non-Discrimination (California Residents)

We will not discriminate against California residents for exercising your rights under the California Consumer Privacy Act (CCPA).

Information Controls and Requests

For Educators

We provide Educators with a number of controls that may be used to retrieve, correct, delete, or restrict User Data. We don’t analyze, process, serve or transfer Student Data until you instruct us to do so by opening an account, adding students, and assigning resources to them.

As an Educator, you may update or change most information you have provided to us about you in My Settings. There is a fee for changing your Pen Name once you have published your first resource to the store.

We will not delete information necessary to be maintained for our business purposes, including but not limited to:

  • at least one login authenticator if you are maintaining an active account;
  • Boom Cards decks you have sold to other Educators;
  • logs for detecting security incidents, fraud, deception and malicious and illegal activity;
  • records for internal uses, including debugging and repairing errors, transaction and payment records, and the like;
  • data legally required to be maintained (such as tax-related data).

For Parents and Students

Parents and students may review Student Data by either reviewing the student dashboard with the student or asking the Educator to show the teacher dashboard for that student.

If you are a student or parent, your Educator was supposed to get consent from you, in a manner consistent with law and school policy, before assigning Boom Cards. Speak to your Educator if you wish to revoke consent. Parents who contact us to review or delete Student Data will be redirected to the Educator. We will not release information to a person other than an Educator, unless we are provided satisfactory proof of a legal right to review or delete student information. We will respond to any request from your Educator authorizing us to make disclosures to you.

Data Consents and Data You May Not Collect

You agree to indemnify Boom Learning for any liability arising from your actions in assigning a resource that collects information in violation of a law that applies and for any failure by you to provide a student with required information regarding their rights. If in doubt, consult your legal counsel and governing body.

Your Obligations with Respect to Children and Students

We allow Educators to create accounts for K-12 students. We treat payment and verification of email address as proof of adult status. Educator accounts are for adults only. If we learn that a minor has created an Educator account, we will take steps to delete the information as soon as possible.

You must have a legal right to set up an account for students, such as being the parent or legal guardian of a student, the right to act in parentis loci under the Family Educational Rights and Privacy Act (FERPA) (as required by the Children’s Online Privacy Protection Act (COPPA), or a signed consent from the parent or legal guardian of the student.

Schools agree and understand that their legal right to engage us to process student data on their behalf arises under the school official exception of FERPA. Pursuant to that exception, Boom Learning performs a service for which a school would otherwise use employees and Boom Learning operates under the control of the school with respect to the use and maintenance of education records for a legitimate education interest. We use student data solely for the purpose of fulfilling our duties and providing and improving services under this agreement.

Data You May Not Collect

Schools must exercise their right of consent under FERPA within the confines of the Pupil Rights Amendment (PPRA) for sensitive data. You may not assign a resource that collects sensitive data. Depending on your governing jurisdiction, sensitive information may include political affiliation; trade union membership; health information; sexuality information; information about protected relationships such as lawyers or ministers; criminal behavior; firearm ownership; and/or biometric data. You are solely responsible for understanding what you may or may not assign in your jurisdiction.

For Therapy Interventions

Your collection of Student Data for health therapy interventions must be consistent with the Health Insurance Portability and Accountability Act (HIPAA), including meeting the requirements of consent and taking extra steps (pseudonyms, private rosters, and more) to protect the medical information of students.

User Data We Collect

We collect some User Data automatically and some you (or your school) provide to us. The next section covers the data we collect, the source of the data, and to which, if any, subprocessors, if at all, it is disclosed, and for which business purpose.

We collect certain data elements to provide the services (detailed here). Many of those data elements are optional. Author store names, avatars, descriptions, product titles, prices, descriptions, and product contents are public and not confidential if published to the Store.

Data Confidentiality

Student personal information, other than the user nickname for a classroom roster, is deemed confidential. Teachers may optionally disable visibility of a classroom roster to students. Teacher names, avatars and descriptions are displayed to students and teacher selected colleagues. All other information provided by or to teachers is confidential. All confidential information requires authentication to access.

Confidential data is disclosed as follows:

  • The information of students to the Educator who created the student account or the school or organization employing that Educator.
  • The information of students to parents and legal guardians who observe the student dashboard.
  • The information of Educators to the school or organization for whom the Educator works.
  • The name of a user redeeming Boom Cards purchased from a marketplace other than the Boom Learning store may be disclosed to to the originating seller or marketplace if there is evidence that the product may not have been validly purchase to verify and determine whether the product redeemed was validly purchased. Such disclosure is only after an investigation determining the user may have violated copyright law and licensing terms.

We use subprocessors to support our educational purpose. Our subprocessors have agreed that they process User Data on our behalf and that they do not own, control, or direct the use of the User Data. They also agree to implement technical, physical and administrative measures against unauthorized processing of data and against loss, destruction of, or damage to, data.

Student data stores

Student Data is stored in the Boom Learning database. The Boom Learning database is encrypted in motion and at rest. This database is hosted by (and thus disclosed to) the subprocessors MongoDB and Amazon Web Services under obligations of confidentiality and with no right of use of personal data. Information stored in the Boom Learning database is disclosed for the following business purposes: audit, detection, debugging, business operations, and R&D. De-identified User Data information may be used for internal marketing research. Educator Data may be stored in a variety of locations as further described herein.

No advertising, marketing and commercial uses of Student Data

We will not use or disclose Student Data for advertising to students or their families or guardians. We will not build a personal profile of a student, or family member or guardian, other than for our educational service provided to the Educator. We do not use Student Data to inform, influence, or enable marketing, advertising, or for other commercial efforts unrelated to our educational service provided to the Educator. We do not use the Student Data for the development of commercial products or services other than as necessary to provide and improve the service provided to the Educator. We will allow a successor entity to maintain Student Data, in the case of our merger or acquisition by another entity, provided the successor entity is subject to these same commitments for previously collected Student Data.

Is is not a marketing, advertising or commercial purpose for Boom Learning to use and disclose Student Data to a parent or eligible student who requests a service or product from Boom Learning and provides express consent to the use or disclosure of Student Data by Boom Learning for the purposes of provided the requested product or service.

Information You Provide Us

When discussing subprocessors, we identity the data purpose for which we employ each using these categories of uses:

  • audit and session logs and related analytics (audit);
  • detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecution of perpetrators (detect);
  • error identification and repair (debug);
  • services performed on our behalf, such as customer service, identity verification, order fulfillment, payment processing, personalized learning recommendations, user education, user analytics (business operations);
  • internal research for improvement or demonstration and activities to improve, upgrade, or enhance our services (R&D); and
  • advertising or marketing services (marketing).

Identifiers and Authenticators

All user accounts, Educator and Student, are authenticated. Why? Because allowing students to interact with random strangers online is a big ewww!

Educators can choose the authentication method: (a) username and password, (b) e-mail address and password, or (c) a third-party authentication service. Educators can see their connections and add, delete, or change connections by going to My Settings for adult accounts. To update a student account, the Educator must delete the student account to disconnect third-party authentication, edit the account to add a username, or contact us to set up or remove e-mail address authentication.

If you choose a third-party authentication service you will be sharing information with us from that third-party. The third-party authenticator may collection information about your use of our service. Select your third-party authenticator wisely.

Source and DirectionData Collected or StoredAccounts
You to Boom LearningIdentifiers (nickname, username, persistent identifier, encrypted password, email address)adults & students
Google (source) to Boom LearningIdentifiers (name, email address, persistent identifier, profile image)adults & students
Microsoft (source) to Boom LearningIdentifiers (name, email address, persistent identifier, profile image)adults & students
Facebook (source) to Boom LearningIdentifiers (name, email address, persistent identifier, profile image) being discontinuedadults

The sources of these types of data are the Educator and/or the Educator’s chosen third-party authenticator.

Additional Personal Information: including address and employment

Educator name and description: We store your Educator name, profile picture, and description. The information you include in your Educator profile is disclosed to your students and their parents. You provide this information.

Contact Information and Teaching Profile: There is a variety of optional information that we store if you give it to us, such as your grade levels and subjects taught.

We may record your personal email, postal address, and telephone number and/or your school name, postal address, and telephone number. You provide us with your personal contact information. We may obtain your school name and address from you, your school or publicly available sources. We keep records of your purchases.

Contact methods for adults and uses of Educator Data

We contact adult users via email in a variety of ways: (a) directly from our hosted email accounts, (b) through our third-party support desk platform, (c) with transactional email (such as notices, password resets, expiration notices, and such) – these are not opt out, and (d) through our news provider – from which we provide educational information about our services and personalized learning recommendations. Educator accounts are added to our educational messages and personalized learning recommendations newsletters upon sign-up (with the option to opt-out). Product users must opt-in to marketing messages. Our news provider emails include a link allowing you to opt into and out of a variety of types of messages so you can receive only what you need. Certain accounts, such as seller accounts, are required to subscribe to special email lists to receive seller account services.

Our email services providers may supply us with a range of information about your communications with us, including IP addresses, your country, state or province, history of reading or receiving newsletters, and your approximate location. The source of this information is your interactions with the email service and/or third-parties.

Educator Data is stored in (and disclosed to) the following additional service providers:

ProviderBusiness Purpose
Intuitbusiness operations, detect, audit
Freshworksbusiness operations, detect, debug, R&D, marketing
Stamps.combusiness operations, marketing
SparkPostbusiness operations, audit, detect
Microsoftbusiness operations, R&D, marketing, audit, detect, debug
ActiveCampaignbusiness operations, R&D, audit, detect, debug, marketing
Atlassianaudit, debug, R&D
Poeta Digitalaudit, debug, R&D
A4 Technologiesaudit, debug, R&D

Feedback and Ratings: We store feedback you give. Feedback is a private communication between you and a seller. We store ratings you give. Ratings and accompanying comments are public information. You may edit any ratings you give after they have been published. Feedback you provide via our support Helpdesk may also be stored in our systems for debugging and development management.

Student Information: You create student accounts from within your Educator account. You control the Student Data; we process it on your behalf. When you create a student account you are acting in the role of a parent for the purposes of verifications and consents required under law (including FERPA, GDPR, and COPPA as applicable). You must have all legal consents required of you to add a student before creating a student account. You must have an account and a verified working email address to add students.

You can always work with students without collecting Student Data by using Fastplay (see your Library actions to create Fastplay pins). To receive student reports, you must provide and verify an teacher e-mail address. Student Data is provided to us by you (username, nickname, email address, persistent identifier, password) or by the student (task performance data).

When you assign an educational resource using a method other than Fastplay pins, we collect information about student performance on that resource and report it back to you for your educational use. Student performance data includes information such as resources played, cards played, time to play a resource, time to play a card, correct answers, incorrect answers and other student actions with respect to a card. When a school purchases an account, the school can transfer an account with students from one teacher to another (for example, during parental leave).

You should understand that a classroom worker (volunteer or paid) can likely determine who a student is in real life (“IRL“) from the nickname. You are responsible for ensuring any classroom workers follow your organization’s and locale’s rules, regulations, and laws regarding access to Student Data.

Author/Seller Information: We store your seller name, avatar and profile (if you have one) and make those available to the public. We store information you provide about resources you create, including name, grade levels, keywords, and content and make it public for resources listed in a store or shared. We may further share your public information on Facebook, Twitter, Pinterest, Instagram, Google, or any other appropriate public marketing service. We may announce publicly top selling products, top sellers, and new sellers. You may contact us to be omitted from those announcements.

We store the fonts, images and sounds you upload; and videos to which you link. We store feedback responses you give.

Payment and Purchasing History

To make a payment you will need to provide the information requested by one of our payment processors, such as your name, account number, and verification numbers. Our payment processors use Payment Card Industry Security Data Security Standard (PCI DSS) compliant processes to process payments. They process payments directly. We do not have access to or store your full payment card details. We do have some information, such as your email address, approximate location, and name and payment and purchase history. You can use My Settings to remove a credit card stored by Stripe. You may edit your Paypal information from your Paypal account.

You may pay by check by contacting us for an invoice. If you pay by purchase order or check, we will store your payment information and tax exemption information, if any, in our accounting records. In some cases, your information may be shared with our accountant or with tax authorities.

We record the authors you redeem, purchase and assign. These allow us to make adaptive and personalized learning recommendations to you based on you and your students’ educational needs. We do not provide personalized recommendations from third parties in exchange for compensation.

We store records of your sales. If you reach certain thresholds, we may request and store your taxpayer identification number. We also store information you give us to enable us to pay you. Because Boom Cards are effectively small applications unique to our platform, there is no ability to export created resources in a playable format. However, you may use the print feature to create .pdf versions of your creations.

ProviderPurpose
Intuitbusiness operations
Stripebusiness operations
PayPalbusiness operations
Microsoftbusiness operations
The Hagen Firmbusiness operations
BECUbusiness operations

Information We Receive From Use of Our Services or Third-Parties (network activity and geolocation)

We describe how we use cookies and similar tracking tools in our Cookie Policy.

All Users: For all users, we record the account created timestamp, last login timestamp, the type of device being played (i.e., iOS or Android, but not the device ID), the app version (if playing a Boom Cards app), the OS version of the device, the browser type and version, decks redeemed or purchased, decks made, points available, and school affiliation. As necessary, that information may be further disclosed for these purposes:

ProviderPurpose
Freshworksbusiness operations, audit, detect, debug, R&D
Microsoftbusiness operations, audit, detect, debug, R&D
Atlassianbusiness operations, audit, detect, debug, R&D
Poeta Digitalbusiness operations, audit, detect, debug, R&D
A4 Technologiesbusiness operations, audit, detect, debug, R&D
Your Employeraudit, detect and business operations – applies to accounts purchased by your employer or having a domain associated with your employer

Educators: We may store a referral code if you clicked one to arrive, which may tell us which user or author referred you or whether you arrived from a particular campaign. We do not provide your name to the referring party. We keep records of the type of membership you have, expiration dates, newsletter enrollment, purchase and payment history. We keep track of which users follow you or redeem your products. We keep track of newsletter clicks, opens and site actions to better serve you. This information may be sourced from our disclosed to:

ProviderPurpose
Freshworksbusiness operations, audit, detect, debug, R&D, marketing
Microsoftbusiness operations, audit, detect, debug, R&D, marketing
Atlassianaudit, detect, debug, R&D
Poeta Digitalaudit, detect, debug, R&D
A4 Technologiesaudit, detect, debug, R&D
Googleaudit, detect, marketing research (advertising features are turned off, search console is on)
ActiveCampaignbusiness operations, audit, detect, debug, R&D, marketing

We have selected ActiveCampaign because their privacy practices and policies are consistent with the needs of the education market. We use ActiveCampaign on our website. We do not use ActiveCampaign site tracking. We do tell ActiveCampaign about key user actions for adult users. This allows us to provide just-in-time support and to run our recommendation engine for our adult users. We provide you with a variety of tools to opt in and out of how we use ActiveCampaign data. Options include notices only, newsletters about teaching, creating, and selling Boom Cards. Any marketing use of Educator ActiveCampaign data is opt-in, and make include information about Boom Learning profession development and Boom Cards resources of interest to the Educator. We may use aggregate ActiveCampaign data to evaluate and plan external marketing, but will not use that data to target you specifically on an advertising media that is not ActiveCampaign (for example we will not upload your ActiveCampaign information to deliver a targeted ad to you on Facebook). You can always request to see your full ActiveCampaign data map and to have us update or delete information in the map.

Additional Vendors

We use these additional providers in support of our operations. They may collect information and provide it to us but we do not provide personal information to them.

WordPress: When you click on a link hosted at blog.boomlearning.com, WordPress will collect technical data about you, your interactions with the site, and your inferred location. We do not enable ads on our blog.

Facebook: Your participation in our Facebook groups and messaging us through Facebook is optional. Comments sent to us through our Facebook Page are forwarded to our Help Center (Freshworks). You participation with us through Facebook is governed by Facebook’s terms.

YouTube and/or Vimeo: If you select a resource that included a video hosted by YouTube or Vimeo, the hosting provider may place a cookie and/or collect data about the use. We take steps to ensure that such collection, if any, is anonymous and ad free, but we cannot control these vendors.

ProviderPurpose
Automattic (WordPress)business operations, marketing
Facebookbusiness operations, marketing

Advertising Disclosure

We do not serve advertisements on the Boom Learning platform to Educators or students. We do NOT advertise to students through any providers.

If you discover author created content that appears to be an advertisement, please report it to use immediately as an abuse of our terms. Boom Learning is a “for pay”, not advertising, supported service.

Aspects of the Boom Learning platform provide adults with instructional materials recommendations based on the teacher choices made for the student populations served by the teachers. Such recommendations are in furtherance of our shared educational purpose and do not constitute use for an advertising, marketing, or a commercial purpose. Further, for the absence of doubt, the parties agree that it shall not constitute an advertising, marketing, or commercial purpose for Boom Learning to inform Educators of new Boom Cards or Boom Learning features or functionality.

We allow adult customers to “opt in” to receive email marketing from us or others.

Like other business, we advertise to adults to attract new customers. All such advertisements are placed with third-party providers, such as blogs, newsletters, magazines, search sites or social sites. We receive analytics on the performance of those advertisements from the services with which we place the ads. These companies may use cookies and similar technology to collect information about your interactions with the Services and other websites and applications. We do not use their pixels or other tools that allow them to track your behavior at https://wow.boomlearning.com. Your interactions with such ads are governed by the terms of the site on which they are displayed.

The Keeping and Deleting of Information

At any time Educators may delete a student, or contact us to request that we delete a student or your account in the event you are unable to use the self-help tools. You agree to give us 10 days so we can confirm that the person making the request is you and has the right to delete the account. Deletion cannot be undone.

To transfer an account from one teacher to another, or to receive a machine-readable data dump from an account, you must contact us. We can only make full account transfers between employees of the same purchasing entity.

For account transfers and or deletion requests, we may require multiple indicia of identity and authority before fulfilling the request.

To minimize privacy risk, we schedule deletion of stale accounts as follows:

  • student accounts 90 days after the associated paid Educator membership expires – we assume these students will have a new teacher in the next session; renew early to avoid.
  • student accounts 180 days after the last Educator login for free accounts – we assume these are homeschool or small tutor accounts; login in at least once every 179 days to avoid.
  • Educator accounts not owned by a school 365 days after last login, at our sole discretion – deletion results in the loss of purchased and redeemed decks, created decks, classrooms, and unused points.

Boom Learning retains copies of all Educator resources sold or shared to serve the recipients. Deletions take place after the triggering event during the next scheduled data sweep.

Information Security

Privacy and Security by Design

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity of a data breach, Boom Learning shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk posed by exposure of the User Data to unauthorized persons.

Data Minimization. Boom Learning provides you with choices on the Data Elements to deliver to Boom Learning. You should exercise those options in light risk of harm to the data subject should data be exposed, taking into account the sensitivity of the data being collected, the risk of exposure, and the potential for harm if exposed. You have the option to prevent display of directory information to students and parents.

Data Accuracy/Correction Practices. Boom Learning provides Educators with the ability to delete data logs to remove data. Educators also have detailed log screens of student answers to evaluate the reliability of data reporting. Parents and students may challenge the accuracy of data by contacting their Educator. Educators may challenge the accuracy of data by contacting help@boomlearning.com and requesting Technical Support.

NIST Cybersecurity Framework. Boom Learning uses privacy by design and industry best practices to protect data, taking into account the nature of the data at risk and the risk of harm to data subjects. Boom Learning has adopted the NIST Cybersecurity Framework as it is updated from time to time as its primary guidepost for selecting and implementing technologies, safeguards, and privacy practices, provided however, that Boom Learning may refer to and implement other protection models where appropriate. Security practices implemented include but are not limited to (a) limiting unsuccessful login attempts, (b) not persisting mobile app data, (c) remote log out for devices for Educators in the event of a lost, missing or stolen device, (d) audit logs for activities posing a risk of breach and for actions that require accountability, and (e) enforcing minimum password complexity. Adoption includes periodic risk assessment practices of our and our subcontractors and subprocessor practices.

Need to know access. Boom Learning employees, agents and subcontractors are provided access to User Data on a need to know basis. Those with access to Student Data or Educator financial data are required to pass a background check. Such users are subject to obligations of confidentiality and consistent with the promises and obligations in this Privacy Policy.

Encryption. Data is encrypted in transit and at rest using technologies and methodologies specified and permitted by the Secretary of the United States Department of Health and Human Services in guidance issued under Section 13402(H)(2) of Public Law 111-5. Secure transport layers are used to prevent unauthorized access.

Authenticated Access. Data is only accessible through authenticated accounts. We require passwords at both the Educator and Student level to keep data safe. Passwords are encrypted. We cannot see your password or your students’ passwords. We provide tools in the app for you to reset passwords. Student passwords are set and reset by teachers. Use good password practices to keep your students safe. Our team members use password managers and you should also. Student Data is only accessible for Educators with confirmed email addresses.

Protected Data Stores. The Primary data store is the Boom Learning database. This database contains the Student Data and Educator Data. It is hosted by (and thus disclosed to) the subprocessors MongoDB, which in turn is hosted on Amazon Web Services under obligations of confidentiality and with no right of use of Protected Data. Protected Data is encrypted in transit and at rest, stored in secure facilities and with firewall protection. See MongoDB Security Policy and AWS data center controls. Additional Educator data may be stored in Microsoft, ActiveCampaign, Freshworks, Stripe, PayPal, or Quickbooks online data stores. All subprocessors are selected based on their agreement to secure data in a manner consistent with these terms.

Subprocessors and subcontractors. Boom Learning engages subcontractors (acting in roles similar to employees) and subprocessors (cloud-based service providers) to process User Data. This Privacy policy details the current subcontractors and subprocessors. With respect to each subcontractor that receives User Data from Boom Learning, Boom Learning will enter into a written agreement under which the subcontractor must participate in annual privacy and security training, be subject to background checks if the subcontractor has access to Student Data, and use security measures consistent with those imposed on Boom Learning. With respect to each subprocessor that receives User Data from Boom Learning, Boom Learning will enter into a written agreement under which the subprocessor agrees it has no right of access, use or disclosure to the Protected Data and subprocessor applies security measures consistent with those imposed on Boom Learning. Boom Learning will carry out adequate due diligence to ensure that any subcontractor or subprocessor can meet its obligations to Boom Learning. Boom Learning will remain responsible for its compliance with its data protection obligations and for any acts or ommissions of a subcontractor or subprocess that cause Boom Learning to breach any of its data privacy and security obligations to you.

Training. All employees and subcontractors who are granted authorization to access data are trained annually on Boom Learning’s security and privacy responsibilities and obligations, including threat awareness, threat protection, best security practices and safeguards, and company policies and procedures. Training is conducted more frequently as a response to evolving threats within the education community. Boom Learning provides users with information bulletins about how to maintain the security of Protected Data. Users who opt our of our newsletters will not receive such bulletins. Educator may contact us if there are security concerns or questions.

Portable Devices. You acknowledge and agree that Boom Learning uses portable computers and devices to access its servers and that such portable computers and devices are secured with passcodes and passwords and are subject to remote erasure in the case of loss. In the rare instance that Student Data is temporarily stored offline, the data is stored encrypted at rest.

Verification. You may contact us for assistance to learn which specific personal information we have collected about you and for help deleting personal information. We will require that you (a) provide sufficient information to allow us to reasonably verify that you are the person about who we collected the personal information or an authorized representative; and (b) describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it. We cannot respond a request for which we cannot verify that you have the authority to make the request. Requests by a person who is not the account holder or owner will require the consent of the account holder.

Legal authority data requests. We are required to disclose Personal Information in response to lawful requests by legal authorities, including to meet national security and law enforcement requirements. In the event a legal authority asks to access your data, we will direct the requestor to you and will not take action without your prior authorization, unless legally compelled to do so. If we are legally compelled to respond to such a request, we will promptly notify you and provide you with a copy of the request unless legally prohibited from doing so. If a legal authority is asking for information about a student, the account holder agrees to pass on the notification to the student’s legal guardian and indemnifies us for failing to do so.

Continuous backups. Boom Learning performs continuous data backups for system failure and disaster recovery purposes. Backups are encrypted. Backups are not used or accessed to recover Educator deleted data. If you say we should delete it, we take you at your word. Backups are stored only for so long as necessary to serve their recovery purpose.

Student Safety is a Shared Responsibility

We use appropriate physical, electronic, and managerial processes and procedures to safeguard data against unauthorized access and use, including designating and training the individuals responsible for ensuring the security of the data. 

If you add students to your account, you also have a responsibility to use appropriate physical, electronic, and managerial processes and procedures to safeguard Student Data against unauthorized access and use, including designating and training the individuals responsible. Passwords you assign to students should be appropriate to their age in complexity, with older students expected to master more complex passwords.

You agree you are responsible for your secure use of Boom Learning, including providing or obtaining adequate training on the use of secure authentication, the dangers of open networks, and providing your employees with secure networks on which to use Boom Learning. You agree to use passwords for Educator accounts that are adequately secure to prevent intrusion. It is your responsibility to keep your login information confidential.

You will take reasonable steps to ensure the reliability of any of your employees, agent or independent contractors, including volunteers, who have access to Student Data, ensuring access is limited to those with a need to know and access the Student Data and ensuring that all such individuals are subject to obligations of confidentiality.

You agree that any regulatory penalties or other liabilities incurred by Boom Learning in relation to acts that arise as a result of, or in connection with, your failure to comply with your data security responsibilities will count towards and reduce Boom Learning’s liability to you.

Data Breach

Data Breach

A security incident that rises to the level of a data breach varies by jurisdiction. Typically a breach is an incident of data loss or unauthorized data access that (a) compromises the confidentiality or integrity of the data and in doing so (b) is likely to cause harm to the data subjects impacted. A harm that rises to a breach varies by jurisdiction, but typically includes harms that can be substantial (financial information, account credentials, medical information). It does not include speculative harms, a harm must be reasonably likely. Unauthorized access to data that is encrypted is not a breach if the encryption key is not accessed or acquired. Nor is it a breach for another person at the same entity with a similar confidentiality obligation to the data subject as the account holder to access the User Data. This section is for incidents that constitute a breach.

In the event of a breach of User that contains personal information, we will contact the account holder for the affected individual(s) using the information we have on file. We will provide notice as soon as reasonably possible, provided that we may delay notice if a law enforcement agency determines that the notice will impede a criminal investigation. Such notice will include in plain language What Happened, What Information Was Involved, When It Occurred, What We are Doing, What You Can Do, and For More Information.

Educators will be notified without undue delay and within 7 days of determining that a data breach affecting school User Data has occurred. If the specific jurisdiction in which Educator is based requires a shorter notification period, the school shall provide Boom Learning with that time frame in the Terms Addendum (see the Terms of Service). We will provide Educators with sufficient information to allow the school to meet any obligations to report or inform students or staff of the breach. In many cases, we do not collect or store information about students that would enable us to contact students or their parents directly.

We will provide notices of breaches to the appropriate regulators where required by law, and we may elect to provide such notice, at our option and in our sole discretion, where not required by law. Schools that do not want us to provide notice to regulators must complete a Terms Addendum.

Data Transfers for Our International Customers

Most of our customers are in the United States and Canada. Some people in other parts of the world have chosen to use Boom Learning. We transfer the information you submit or that we gather to the United States for the purposes described in this policy.

Your country may assert oversight over your data or provide you with less protection than this document. By signing up for a Boom Learning account, you acknowledge and accept the risk should the laws of the country in which you reside provide you or your students with less protection than this document with regards to your local government.

For our European Economic Area and United Kingdom customers, please download, sign and return the attached DPA, which includes the standard contractual clauses for data export to the United States. Our Canadian customers who require a data export agreement may use the DPA.

We value our EEA and UK customers’ privacy and rights as data subjects. We have appointed Prighter Ltd (UK)/ Maetzler Rechtsanwalts GMBH & Co Kg (EEA) as our privacy representative. If you want to contact us via our representative or make use of your data subject rights (e.g., request to access or erase personal data), please visit: https://prighter.com/q/18732339.

You have the option of referring any complaint to our independent dispute resolution body: JAMS, an alternative dispute resolution provider with locations in the UK and US and online. Any matter referred to JAMS will be administered by JAMS in accordance with JAMS International Arbitration Rules. Online mediation is also an option. The services of JAMS are provided at no cost to you. In certain circumstances and if you are in the EEA, you can invoke the Privacy Shield arbitration process. To learn more about this method of resolution and its availability to you, please click here.

Who We Are and How to Contact Us

Boom Learning is a trade name of Omega Labs Inc. Our mailing address is 9805 NE 116th St Suite 7198, Kirkland WA 98034. You can call us at 833-969-2666. You can contact us to send us questions about or notifications relating to this policy.

Changes to This Policy

We will notify you before we make material changes to this policy and give you an opportunity to review and consent to the revised policy before deciding if you would like to continue to use the Services. You can review previous versions of the policy in our archive. Any version of this Privacy Policy in a language other than English is provided for convenience and the English language version will control if there is any conflict. Given the importance of this Privacy Policy, we encourage you to study it carefully.