Effective Date: 10/25/2024
Introduction
Pure Data Consulting Inc. (“PureData,” “we,” or “us”) is committed to protecting the privacy and security of our users’ data. We specialize in data integration, analytics, and educational technology solutions for K-12 institutions and educators. This Privacy Policy explains how we collect, use, share, and protect information in the course of providing our services. We understand the sensitive nature of student data and are dedicated to handling all personal information in compliance with applicable laws such as the Family Educational Rights and Privacy Act (FERPA) and the Children’s Online Privacy Protection Act (COPPA), as well as industry best practices. Our goal is to be transparent about our data practices and to give schools and users confidence that their data is safe with PureData.
Scope
This Privacy Policy applies to all products and services offered by PureData to K-12 schools, districts, educators, and related users, including:
- PowerSchool Plugins – software add-ons integrated with the PowerSchool Student Information System (SIS);
- Data Integration Tools – services that connect SIS data with other systems (e.g., identity management platforms like Google Workspace or Microsoft Azure AD);
- Data Analytics Solutions – services that involve storing educational data in a secure data warehouse and using analytics tools (such as Tableau) to provide dashboards, reports, and insights;
- Websites and Support Services – PureData’s corporate website, customer portals, and any online services where this policy is posted.
Throughout this policy, the term “Personal Information” refers to information about identifiable individuals, including Student Data (information that schools provide to us about their students, which may include “education records” protected by FERPA) and information about educators and school administrators. PureData acts primarily as a service provider to schools. This means that we collect and process student and school data only for educational purposes and on behalf of and at the direction of the schools we serve. Schools are responsible for obtaining any required parental or guardian consent for student information to be used with PureData’s services (for example, consent required under COPPA for children under 13), and for providing any necessary notices to parents about the use of PureData as a third-party service provider. This policy does not cover the practices of schools or other third parties that we do not control. It also does not apply to third-party services that PureData’s products may integrate with (such as PowerSchool, Google, Microsoft, or other applications); those services are governed by their own privacy policies.
Data Collection
PureData collects several types of information in order to deliver our integration and analytics services effectively. The information we collect includes:
Student Information (Student Data)
This is information about students that is provided to us by the school or district through secure means. It may include student names, student ID numbers, enrollment and attendance information, grade level, class schedules, teacher assignments, school email addresses, and other educational record details necessary for the service. For example, when our integration tools connect to a school’s PowerSchool SIS via the PowerSchool API, we retrieve student roster data (such as lists of students and their associated classes, teachers, and school affiliations) as needed to provision accounts or generate reports. We do not collect directly from students or children; all student data is obtained through the school and with the school’s authorization. If a school provides personal information about a student under 13, we presume the school has obtained any required parental consent in compliance with COPPA.
Teacher and Staff Information
We also collect information about educators and school/district staff who use our services. This can include names, work email addresses, job titles or roles (e.g. teacher, principal, IT administrator), and classes or sections taught. Such information is typically provided by the school (for example, via the SIS or during account setup) or by the individuals themselves when using our services. We use this data to manage user accounts, authenticate users, and tailor the service (for instance, linking teachers to their classes in an analytics dashboard).
Parent or Guardian Contact Information
PureData’s services generally do not require direct collection of parent data. However, in some cases, our tools facilitate communication from schools to parents. For example, if a PowerSchool Plugin includes an email notification feature (such as sending a parent an email about a student’s behavior or performance), the plugin will use a parent’s email address (as stored in the SIS) and the content of the message to send the notification. In such cases, the necessary parent contact information and message content are processed through our email service provider (Mailgun) solely for the purpose of sending the communication. We do not store parent contact information longer than needed to send the email, unless the school explicitly asks us to retain it for record-keeping.
Authentication and Identity Data
When integrating with identity management systems (like Google Workspace or Microsoft Azure AD), we may collect data needed to create or synchronize user accounts. This can include usernames, school-provided email addresses, and directory identifiers for students and staff. This information is pulled from the SIS or provided by the school’s IT administrators and is used to ensure each user has the correct accounts and access rights in the connected systems.
Usage Data and Technical Information
Like most service providers, PureData collects information about how our services are accessed and used. This includes technical data such as IP addresses, browser type, device type, operating system, and timestamps of access when users (e.g., school staff) log in to our web portals or when our systems communicate with the school’s systems. We also keep logs of actions taken within our tools (for example, when a data sync runs, when an email notification is triggered, or when a dashboard is accessed). This usage data helps us monitor system performance, ensure security (e.g., detecting unauthorized access), and improve our services. If you visit our public website, we may collect similar information through cookies or other tracking technologies (see Cookies and Tracking Technologies below), such as analytics data about which pages were visited.
Support and Communications
If you contact PureData for support or with a question (via email, support ticket, or phone), we will collect whatever contact information you provide (such as your name, email address, phone number) and the contents of your inquiry. We use this information to respond to you and resolve any issues. We may keep a record of communications for training and quality assurance.
No Direct Collection from Students
PureData does not ask students to provide personal information directly to us. Students do not create accounts on a PureData platform directly; instead, they access educational applications or accounts (like Google Workspace accounts or learning apps) that the school manages with help from PureData’s integration tools. Any personal data about students that PureData processes is obtained from the school’s systems or staff as described above. In accordance with COPPA, we do not knowingly collect personal information from children under 13 unless it is authorized by their school for educational purposes. If we ever become aware that we have inadvertently received personal information directly from a child under 13 without proper consent, we will immediately inform the relevant school and delete that information.
Data Usage
PureData uses the collected information strictly to provide and enhance our educational services, in accordance with our agreements with schools and applicable privacy laws. Specifically, we use data for the following purposes:
Providing Our Services
The primary use of data is to operate the PureData products that the school has chosen to use. This includes using Student, Teacher, and Staff Information to set up and manage user accounts, class rosters, and permissions within our systems or connected systems. For example, we use student and staff data from PowerSchool to automatically create or update accounts in Google Workspace or Microsoft Azure AD (so that students and teachers can log into those platforms with correct access). We also use student data to populate our analytics data warehouse and to generate visual dashboards and charts via Tableau, giving educators insights into attendance, grades, or other metrics (depending on what data the school provides for analysis). If a PowerSchool Plugin includes an interactive feature within the SIS (such as tracking behavior incidents), we use the relevant data (incident details, student info, etc.) to display and update those records in PowerSchool as intended. All these uses are solely to ensure the school and its educators can effectively use the tools for their educational needs.
Communication and Notifications
We use contact information (such as teacher or administrator emails) to communicate with our users about the service. This can include sending service-related emails like system alerts, updates about new features or changes, training materials, or support responses. If the school uses the email notification feature of one of our products, we use the data provided (for example, a parent’s email address and a message regarding their child) to send out that notification via our email delivery service. We ensure that such communications are sent securely and that personal details are only used as needed to deliver the message. PureData does not send marketing emails to students or parents, nor do we use student personal information for any promotional purposes. We may occasionally send marketing or product update communications to school officials or teachers (for example, a newsletter or an invite to a webinar), but recipients can opt out of non-essential communications at any time by using the unsubscribe link or contacting us.
Service Improvement and Analytics
We may use aggregated data and usage information to analyze and improve our products. For instance, we might review how often a certain feature is used or the performance of data sync jobs to optimize speed and reliability. We also analyze support inquiries to identify common issues and improve user experience. Importantly, when using data for product development, research, or analytics purposes, we use it in aggregate or de-identified form whenever possible. This means removing or anonymizing personal identifiers so that individuals cannot be readily identified. Any insights gained are used internally to enhance our services for the benefit of the schools and users. We do not use personal data for advertising or sell it to data brokers.
Security and Fraud Prevention
Data (especially usage and technical data) is used to maintain the security of our systems and users. We monitor login activity and system logs to detect unusual patterns that might indicate unauthorized access or misuse of data. If we notice suspicious activity, we may use relevant information (such as IP addresses or account info) to investigate and take action to protect the accounts. We also enforce access controls based on the data (for example, ensuring that a teacher can only see data for their own students).
Compliance with Legal Requirements
On rare occasions, we may need to use personal information to comply with legal obligations. For example, if a school or PureData receives a lawful subpoena or request for records, we might use stored data to respond, but only as permitted by law (and typically in coordination with the school). We also use data to comply with FERPA requirements (e.g., to produce education records for the school in response to a parent’s request) or to demonstrate our compliance during audits.
Data Sharing
PureData understands that sharing of personal data must be done carefully and only when necessary. We do not sell personal information to third parties. We only disclose or share data with others in the following circumstances:
With the School and Authorized Users
Data collected and processed by PureData is ultimately for the school’s use. We make student and staff information available to those authorized by the school through our services. For example, a district administrator or teacher may view student analytics on a Tableau dashboard that PureData has set up for them, or receive a report generated from our data warehouse. Within the school district, data will be shared between and among teachers, principals, and other school officials based on the permissions the school establishes. PureData only facilitates these internal data shares at the direction of the school.
Integration with Third-Party Systems (at the School’s Direction)
A core feature of PureData’s integration tools is to transfer data to other platforms that the school uses. When a school instructs us, we will send relevant personal information to third-party systems such as Google Workspace (Google for Education), Microsoft Azure Active Directory, or other identity management or educational platforms in order to provision or update accounts, rosters, or content. For example, if a student roster is updated in PowerSchool, our tool might share the updated student name and email with Google Workspace to create the student’s Google account. This kind of data sharing is done on behalf of and as directed by the school. The third-party platforms are typically under the school’s control and governed by agreements between the school and that provider (e.g., the school’s contract with Google or Microsoft). We encourage schools to review those providers’ privacy policies as well. PureData only shares the data required for the integration’s purpose and does not grant these third-party platforms any independent rights to use the data beyond providing services to the school.
Service Providers (Third-Party Vendors to PureData)
We use a limited number of trusted third-party service providers to support our own operations. These service providers process data on our behalf and under our instructions, and they are contractually obligated to protect the data to at least the same standards that PureData does. Key service providers we use include:
- Amazon Web Services (AWS): We host our applications and databases on AWS cloud infrastructure. Personal data (such as student records in the data warehouse, or account information for integration services) is stored on AWS servers. AWS provides robust physical and network security and is SOC 2 and FERPA compliant as a hosting provider. PureData leverages AWS’s encryption and security features to safeguard stored data.
- Tableau (Salesforce): We utilize Tableau’s analytics software for creating interactive dashboards and visualizations. In some cases, the Tableau platform is deployed on our AWS environment, and in others we may use a secure Tableau cloud service. In either case, student and school data may be processed by Tableau software to produce charts and reports for authorized users. Tableau (by Salesforce) is a well-established business intelligence tool with its own strict privacy and security practices. We ensure that any data passed to Tableau remains under our control (or the school’s control) and is used only for visualization purposes.
- Mailgun (Email Service Provider): For sending automated email notifications (such as the PowerSchool plugin’s parent email feature or system alert emails to admins), we use Mailgun, a third-party email delivery service. When such a feature is used, Mailgun will receive the recipient’s email address and the content of the email in order to transmit the message. Mailgun is a reputable email platform and is bound by contract to use this information only to send the emails and not for any other purposes. They employ security measures to protect email data in transit and at rest.
- Other Operational Tools: We might use additional services for ancillary purposes, such as a customer support ticketing system (to manage support requests) or an analytics service (to track website visits). For example, if we use a support platform or a live chat tool on our site, that provider might process the name or email a user enters when requesting help. Any such providers are similarly held to confidentiality and security obligations. We do not allow any service provider to use personal data for their own marketing or other independent uses.
In all cases, service providers only get the information necessary for their function. For instance, AWS stores data but does not read it; Mailgun transmits email addresses and content but does not retain them longer than necessary; our support system holds your contact info only to assist you. We conduct due diligence on our vendors and ensure they meet high standards for data protection.
Legal Requirements and Safety
PureData may disclose information to third parties (such as courts, law enforcement, or regulatory agencies) if we determine that such disclosure is necessary to comply with a legal obligation or process. This includes responding to subpoenas, court orders, or legal requests, or to enforce our agreements or rights. We will only do so to the extent the law requires (or permits) and, whenever feasible, we will notify the affected school beforehand so they can be involved or take appropriate action. Additionally, if we believe in good faith that disclosure is necessary to protect the rights, safety, or property of PureData, our client schools, or others (for example, to prevent imminent harm or investigate fraud), we may share limited information for that purpose. Any such sharing will be handled with caution and documentation.
Aggregate or De-Identified Data
We may share aggregated, anonymized information that does not identify any individual student or user. For instance, we might publish or share statistics like “Overall, student attendance improved by X% after using our system” or “We serve Y number of schools in a certain region” – without revealing personal details. This kind of data might be shared in marketing materials, research, or with partners to demonstrate service effectiveness. Before sharing, we ensure that any data is stripped of personal identifiers and cannot be linked back to any person or school. No identifiable Student Data is included in such aggregate disclosures.
Business Transactions
In the event PureData is involved in a merger, acquisition, bankruptcy, or sale of all or a portion of its assets, personal data may be transferred to the successor entity or acquiring party as part of that transaction. However, any new owner will be required to honor the commitments we have made in this Privacy Policy with respect to the previously collected personal data. If such a transfer of personal information occurs, we will provide notice to our client schools (and, if appropriate, to affected individuals) explaining the change in ownership and the options available (for example, an opportunity for a school to discontinue the service before data transfer, if allowed by law). Even in a business transition, Student Data would remain subject to the same protections and used only for the same authorized educational purposes.
With Consent or at Your Direction
Aside from the situations above, we will share personal information with third parties only if you (or the school, as the data controller) explicitly direct or consent to such sharing. For example, if a school requests that we send data to an application not originally covered in our standard integrations, and provides consent for that specific transfer, we will do so under the terms agreed. Similarly, if an educator or administrator asks us to collaborate with another vendor or consultant and share certain data to troubleshoot an issue, we would only do so with proper authorization.
No Selling or Unauthorized Use
PureData does not sell student information or any personal data to advertisers or other businesses for marketing or monetary gain. We also do not use data for targeted advertising. All data sharing is done to fulfill our service obligations, improve our services, or as required by law, as outlined above.
Data Security
We take strong measures to keep data safe and secure. Protecting student and staff information is a top priority at PureData. We maintain a comprehensive security program following industry standards and best practices to prevent unauthorized access, misuse, or disclosure of personal data. Our data security approach includes:
Encryption
All data that PureData handles is protected by encryption both in transit and at rest. When data travels between the school’s systems (for example, PowerSchool) and our systems, or between our data warehouse and an integration target (like Google or Microsoft), we use secure protocols such as HTTPS and SSL/TLS encryption. Within our infrastructure, personal data stored in databases or backups on AWS is encrypted at rest using strong encryption algorithms. This means that even if someone were to access the storage without authorization, the data would be unreadable without the proper keys.
Access Controls and Employee Training
Access to personal data within PureData is strictly limited on a need-to-know basis. Only those employees and personnel who need access to school data to perform their duties (for example, a support engineer troubleshooting an issue or a developer maintaining the system) are granted permission, and even then, only to the minimum data necessary. We implement role-based access controls and require strong authentication measures (such as complex passwords and multi-factor authentication) for any system that contains sensitive data. All PureData employees undergo background checks as permitted and are trained on confidentiality, data privacy, and security practices. They are bound by confidentiality agreements to protect the information they handle. Contractors or sub-processors we work with are similarly vetted and bound by strict data protection terms.
Network and Application Security
We employ firewalls, intrusion detection systems, and regular security monitoring on our networks to guard against external threats. Our development practices include regular code reviews, testing, and adherence to security-by-design principles to minimize vulnerabilities in our software. We keep our systems and software dependencies up to date with security patches. We also regularly test our systems (through vulnerability scanning and, at times, third-party penetration testing) to identify and fix potential weaknesses.
Physical Security
PureData’s systems are hosted on Amazon Web Services, which maintains state-of-the-art physical security at its data centers. This includes 24/7 surveillance, controlled access, and environmental protections. Any off-site backups or physical copies of data (if ever made) are stored securely and access controlled. In our own offices, we enforce physical security controls as well – for instance, devices that have access to personal data are password-protected and encrypted, and our offices (if where data access occurs) are secured by keycard or other access controls.
Compliance and Standards
We design our security program to meet or exceed the requirements of laws like FERPA, which mandates protecting the confidentiality of education records. While FERPA is directed at schools, PureData as a “school official” under FERPA implements administrative, technical, and physical safeguards in line with FERPA’s requirements for protecting student records. We also adhere to relevant provisions of state student privacy laws and strive to align with industry standards such as SOC 2 and ISO 27001 for information security management. Our use of reputable third-party infrastructure (AWS, etc.) further ensures compliance with high security standards.
Regular Audits and Reviews
We periodically review our data handling and security policies to adapt to new threats or changes in technology. Security practices are updated as needed, and all staff are kept informed of any new procedures. We also support our client schools in their own security assessments; upon request and as appropriate, we can share information about our security measures (such as summaries of audit reports or answers to security questionnaires) to help schools fulfill their oversight obligations.
Data Minimization
Wherever possible, we minimize the amount of personal data we collect and store. If a service feature does not require certain personally identifiable information, we do not collect it. By limiting the data in our systems, we reduce risk. Similarly, when data is no longer needed for its purpose, we aim to delete or anonymize it (as described in Data Retention below).
User Rights
PureData is committed to supporting the rights of individuals (schools, educators, parents, and students) regarding their personal data. Because we primarily act on behalf of schools, some rights are exercised through the school rather than directly with PureData. Here’s how we address user data rights:
Access and Review
Schools and their authorized users (such as district administrators or teachers) have access to the data they provide to PureData through our services. For instance, an administrator can review the student information that has been synced to an identity system or displayed in an analytics dashboard. If any school official needs assistance retrieving data that has been stored by PureData, they can contact us and we will help provide the requested information. Parents and students generally should request access to student records through their school, per FERPA. If a parent or eligible student (a student who has reached 18 years of age or is attending a post-secondary institution) contacts PureData directly to request access to data about a student, we will refer them to the appropriate school official. We will assist the school as needed in providing the parent or student with access to their records that we store, in accordance with the school’s policies and applicable law.
Correction and Updates
If any personal information we hold is inaccurate or outdated, we will work with the school to correct it. Schools typically manage the source data (for example, updates to a student’s info would be made in PowerSchool and then synced to our system). PureData will promptly update our records when we receive corrected data from the school. If a school or user finds an error in data that we display (for example, a typo in a student’s name on a dashboard), they can notify us or correct it in the source system, and we will refresh the data. Educator and staff users who have accounts in a PureData system may be able to update certain profile information directly (such as their own contact information) or can request changes through our support. Again, for parents or students seeking to correct student data, the standard process is to go through the school. Under FERPA, parents have the right to request correction of any inaccuracies in their child’s education records. We will support the school in fulfilling such requests by making any necessary changes to the data we store once the school authorizes the correction.
Deletion and the Right to Be Forgotten
As a data processor for schools, PureData will delete personal data upon a school’s request or in accordance with our contractual commitments (see Data Retention below for more details on when deletion occurs, such as at service cancellation). If an individual (such as a parent, student, or teacher) would like their personal data removed, they should direct that request to the school that uses PureData’s services. The school can then instruct us to delete the data if appropriate. We will comply with deletion requests from schools, except in cases where we are required to retain certain data by law or for legitimate business purposes (like security incident logs, which might be retained for a period even after deletion requests, but those would not be used for any other purpose). It’s worth noting that if a teacher or administrator user leaves their school or no longer uses our service, their personal data will typically be removed when the school updates its records or terminates the service, but users can also contact us to ensure any account information of theirs is deleted or deactivated.
Opt-Out of Communications
If we send any non-essential communications (for example, a newsletter or announcements to educators), recipients will have the ability to opt out or unsubscribe. Each such email will include instructions (like an “Unsubscribe” link) to opt out of future mailings. Please note that we do not offer an opt-out for essential service communications, such as notices about system downtime, security alerts, or responses from support, because those are necessary for using the service safely and effectively. However, these communications are typically only sent to school staff, not students or parents.
Parental Consent and COPPA
As noted earlier, PureData relies on schools to obtain any required parental consent for student participation in our services. If a parent has concerns about the collection or use of their child’s information, they should contact their school officials. We will cooperate with the school to address any such concerns. For example, if a parent were to withdraw consent for the use of a certain online service, and the school decides to honor that request, we would work with the school to segregate or delete that student’s data from our systems as needed. Under COPPA, parents have the right to review personal information collected from their children and to retract consent. While PureData does not collect from children directly, any COPPA-related requests forwarded to us by a school (such as to provide a parent with a view of data stored, or to delete a child’s information) will be handled promptly and fully.
Additional Rights (California, etc.)
Some privacy laws (like the California Consumer Privacy Act (CCPA) or other state laws) may grant additional rights to individuals, such as the right to know what information has been collected or disclosed, or the right not to be discriminated against for exercising privacy rights. Generally, because PureData is an education service provider and student data is protected under FERPA and similar laws, the treatment of that data under laws like CCPA is often exempt or handled through the school. However, we want to be transparent and accommodating: if you are an individual with legal rights under any privacy law, you or your school can reach out to us with your request and we will do our best to honor it consistent with our role and legal obligations.
In summary, PureData supports user privacy rights by working closely with the schools that oversee the data. We encourage parents and students to communicate with their schools regarding any data questions or requests, and we stand ready to assist the schools in meeting those needs. If you have any questions or direct requests regarding your data in our systems, you can always contact us (see Contact Information at the end of this policy), and we will guide you on the appropriate process or work with the relevant school to resolve your concern.
Data Retention
PureData retains personal data only for as long as necessary to fulfill the purposes for which the data was collected, or as required by our contractual obligations or applicable law. We recognize the importance of not holding onto personal information indefinitely. Our data retention practices are as follows:
During the Service Relationship
For as long as a school or district is actively using PureData’s services, we will retain the data that has been provided to us in order to continually provide the service. This includes maintaining up-to-date student and staff information in our integration systems and data warehouse so that integrations and analytics continue to function. We also retain historical data (for example, past years’ data in an analytics platform) if that is part of the service offering to the school, and as needed for backup and recovery purposes. Throughout this period, we update the data regularly to ensure accuracy and purge any data that the school intentionally removes from their source systems during normal operations (e.g., if a student record is deleted or anonymized in the SIS and the school syncs those changes to us, we mirror those deletions in our system).
Upon Service Termination or Cancellation
If a school decides to stop using PureData’s services (for example, by not renewing a contract or explicitly cancelling), we will delete the school’s personal data from our systems after a 30-day period following the termination. In other words, within 30 days after services are canceled or terminated, PureData will permanently delete or anonymize all personal information related to that school’s students, staff, and any other individuals, so that it can no longer be retrieved or associated with the school. We set this 30-day window to account for any final data transfer the school might request, or in case the school reconsiders and needs a quick reactivation of service, but after 30 days, the data is purged. We will also, upon request, provide the school with a final export of their data (in a common format) before deletion, so the school can retain a copy if needed.
Backup and Archive Deletion
Our deletion process also extends to removing data from active databases and any primary storage. PureData maintains backups for disaster recovery – these backups may retain fragments of data for a short period beyond the 30 days. However, all backup data is stored securely and is subject to scheduled deletion or overwriting in the normal backup cycle. In any case, we ensure that within a reasonable time after service termination (not significantly beyond the 30-day mark), all personal data including in backups is rendered unrecoverable or is anonymized. During that interim, any retained backups are not accessible for routine operational use and remain protected.
Data Retention During Active Use
For certain categories of data, we have specific retention routines even during active use. For example, logs of system activity may be kept for a rolling period (say, 6 months or 1 year) to support security auditing and debugging, after which they are automatically deleted or archived. Email communications through the system (like notification emails) might not be stored at all on our end once sent, except as necessary in log form. If a school requires that certain data be purged on a different schedule (perhaps due to state laws requiring deletion after a certain time), we will accommodate those requirements contractually and technically where possible.
Retention for Legal Obligations
In some cases, PureData might need to retain certain information for longer than the service period if required by law. For instance, if there’s a legal dispute or an investigation, or if we are required to keep a record of an action (like consent to terms, or records of a security incident), we may retain the relevant information until the issue is resolved. However, this type of retention will be for specific needs and we will not use the data for any other purpose during that time.
De-identified Data
As mentioned, PureData may retain de-identified or aggregated data (which can no longer be linked to any individual or to a specific school) for analytical purposes, even after personal data is deleted. For example, after a school stops using our service, we might keep anonymized statistics like overall usage counts or performance metrics that do not contain personal details. This helps us improve our services and understand trends, but it involves no personal identifiable information.
In summary, when our relationship with a school ends, we purge the personal data entrusted to us in a timely manner (generally within 30 days). We also will delete or de-identify data earlier if a legitimate request or legal requirement compels us to. Our retention and deletion processes are designed to ensure we do not retain personal information longer than necessary and that we respect the wishes and requirements of our school clients regarding data lifecycle. If you are a school or user and have questions about how long specific data is kept, please contact us – we can provide details or accommodate special requirements as needed.
Policy Updates
This Privacy Policy may be updated or revised from time to time to reflect changes in our practices, our services, or to ensure compliance with new laws and regulations. PureData reserves the right to make changes to this policy, and we want to ensure you are informed of any significant updates:
Notification of Changes
If we make any material changes to the way we collect, use, or share personal information, we will provide a clear notice to our users (the schools and, where appropriate, directly to educators or administrators using our services). For schools, we may send an email to the primary contact on file or post an alert in the administrator dashboard. We may also post a prominent notice on our website informing visitors of the change. We will indicate at the top of the Privacy Policy the date of the latest revision so you know when it was last updated.
Advance Notice for Material Changes
When changes are significant or could potentially affect how your data is handled, we will strive to give advance notice. In cases where we propose to use personal data in a manner materially different from what is stated in our current policy or under our agreement, we will provide at least 30 days’ notice to the affected schools before the new practice takes effect. This gives our clients the opportunity to review the changes and contact us with any concerns or even to opt out of the service if they deem the change unacceptable (though we hope that never happens). Minor changes that do not substantially affect privacy (such as reordering of sections, clarifications, or grammatical fixes) may be made with immediate effect and will simply be reflected by the updated Effective Date.
Consent for Certain Changes
If any update to the Privacy Policy would require additional consent under law (for example, if we ever introduced a new feature requiring a different kind of personal data collection not covered before), we would obtain the necessary consent from the school or individuals before applying those changes to their data. Typically, because PureData acts on behalf of schools, we would work with the schools to ensure any new data use is acceptable and properly consented to by parents or students if needed.
Keeping Informed
We encourage our users to review this Privacy Policy periodically to stay informed about how we are protecting the personal information we process. If you continue to use PureData’s services after a Privacy Policy update takes effect, that use indicates acceptance of the revised policy (except as otherwise provided in our agreement with the school). However, we will not materially reduce any privacy protections without obtaining appropriate permission.
The “Effective Date” at the top of this policy reflects the date of the most recent changes. Historical versions of this policy may be kept by PureData or made available upon request so you can see how the policy has evolved. If you have any questions about any changes, feel free to reach out to us (see Contact Information below).
Breach Notification
PureData takes the security of personal data very seriously, and we have measures in place to prevent data breaches. However, in the unfortunate event of a data breach or any unauthorized access or disclosure of personal information, we are prepared to respond quickly and transparently in accordance with applicable laws and our contractual obligations. Our breach notification protocol includes the following steps:
Investigation and Containment
Upon discovering or being notified of a potential security incident, our security team will immediately investigate to confirm whether a breach of personal data has occurred. We work to quickly contain the incident – for example, by isolating affected systems, changing access credentials, or shutting down certain functions – to prevent further unauthorized access. We also work to remedy the vulnerability that led to the breach (if applicable) as soon as possible.
Assessment of Impact
We will assess what data and which individuals are affected by the breach. This involves determining the scope of information that may have been compromised – for instance, which school(s) data, and whether it included Student Data, teacher information, etc. We also determine if the data was encrypted or not, and the likelihood of misuse. As an education technology provider, we especially prioritize incidents involving Student Data and will handle those with utmost urgency and care.
Notification to Schools
If any personally identifiable information (particularly Student Data) is accessed or disclosed by an unauthorized party, we will promptly notify the affected school(s). We recognize that schools may have their own legal obligations (under state data breach laws, FERPA, or other regulations) to inform parents, guardians, or regulatory authorities of breaches involving student information. Our goal is to empower the school with timely and clear information so they can take appropriate action. Typically, our initial notice to the school will include known details about what happened, the data involved (to the extent known), what we have done to secure the data, and our next steps. We will provide updates to the school as more information becomes available from our ongoing investigation.
Notification to Individuals (if applicable)
In many cases, schools prefer to handle communication to parents, students, or staff about a data breach affecting their data, since the school has the direct relationship with those individuals. PureData will cooperate with and assist the school in this process. We can help by drafting notification language, providing lists of affected individuals and their contact info (as needed and as we have it), or even coordinating sending out notices if requested by the school. If law or contract requires PureData to notify individuals directly, we will do so in accordance with those requirements, but usually in an education context, we act in tandem with the school’s own notification efforts. Any notifications to individuals will include the information about the nature of the breach, the data affected, steps we have taken to address it, and steps the individuals can take to protect themselves (such as changing passwords, if relevant).
Notification to Regulators
If the law requires, we will notify relevant regulatory bodies of the breach. For example, certain state laws require notification to state authorities or agencies (like a state’s Department of Education or Attorney General) when a breach involving student data occurs. If FERPA-protected data is involved, the school may decide to report the incident to the U.S. Department of Education. We will assist the school in fulfilling any regulatory reporting obligations by providing factual details of the incident. We will also comply with any independent obligations that might apply to PureData (though typically, as a service provider, our obligations flow through the school under laws like FERPA or state statutes).
Remediation and Future Prevention
After the immediate incident is handled, PureData will take steps to prevent a similar event in the future. This might include further strengthening security controls, providing additional training to employees if the breach was due to human error, or enhancing monitoring. We will also review our policies and possibly update them if needed. We often share the summary of remediation steps with the affected school(s) so they know the issue is being thoroughly addressed.
Documentation
We document all data breach incidents and our responses, both for internal learning and to have a record for accountability. This documentation can be shared with client schools upon request to the extent it relates to their data, so they can see what occurred and how it was handled.
Throughout the breach response process, PureData is committed to transparency and cooperation. We understand that trust is paramount, especially when it comes to student information. In our contracts with schools, we include commitments to timely breach notification (often within a specific period like 1-2 business days of confirmation of a breach) and we stand by those commitments. If you (as a school or user) ever suspect any security issue or have concerns about the privacy of your data with PureData, please contact us immediately (see Contact Information below). We will promptly investigate and address your concerns.
Appendix: AI Services Policy
For schools utilizing our AI-driven features, please visit our AI Services Policy for more details on how data is collected, used, and protected when using our AI functionalities.
Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or how PureData handles personal information, please do not hesitate to contact us. We are here to help and address any privacy or security inquiries you may have. You can reach PureData through the following ways:
By Email
Send us an email at [email protected]. This is the email address for privacy inquiries and will route your question to our privacy team. If you are a school official or parent writing to us, please include the name of your school or district and relevant context so we can assist you more effectively.
By Mail
PureData Consulting Inc.Attn: Privacy Team
6042 Oakton St.
Morton Grove, IL 60053 (USA)
Help Desk/Support Portal
If your school has access to our support ticketing system or portal (e.g., a helpdesk at support.puredata.io), you can submit a privacy question or request through that channel as well. Just indicate that your request is privacy-related, and it will be routed appropriately.
We will respond to inquiries as quickly as possible, generally within a few business days. If you are contacting us to exercise any of your rights as described in the User Rights section (such as accessing or deleting data), we may need to verify your identity and coordinate with the relevant school, for security and authorization purposes. Rest assured, we will take your inquiry seriously and work to resolve it in accordance with applicable laws and our commitments to our customers.
Thank you for trusting PureData Consulting Inc. with your data. We value that trust and are committed to maintaining the privacy and security of the information in our care.
