PRIVACY POLICY

Last Updated: October 17, 2024 (previous version)

Introduction

At HEADRUSH Learning Inc. (“HEADRUSH”, “We”, or “Us”), we are committed to your privacy. This means we do not transfer, distribute, disclose, rent, or sell your personal information to third parties except as provided for in this policy (the “Privacy Policy”) or as specifically consented by you.

HEADRUSH has developed policies and procedures consistent with the Personal Information Protection and Electronic Documents Act, the Family Educational Rights and Privacy Act (“FERPA”), the Children’s Online Privacy Protection Act (“COPPA”), and other relevant privacy laws. By accepting this Privacy Policy in registration or by visiting and using our website (the “Site”) and/or utilizing the services through the Site (the “Services”), you expressly consent to our collection, use, and disclosure of your personal information in accordance with this Privacy Policy. This Privacy Policy is incorporated into and subject to our Terms of Service.

Scope and Overview

This Privacy Policy applies to all Personal Information (as defined below) collected, used, or disclosed by HEADRUSH from our customers and their representatives whom they give user access to their account, as well as students, advisors, and teachers who may use the Services (collectively “Users”).

While we cover the details of our collection, use, and disclosure of Personal Information in more detail below, we want to make sure that the following is clear:

• We DO NOT sell student data to third parties;

• We DO NOT target student Users with advertisements;

• We DO NOT share student data with third parties for targeted advertising purposes;

• We DO NOT use cross-site tracking technology for student Users;

• We DO NOT build marketing profiles of student Users; and

• We DO NOT own or otherwise claim ownership of student data or User generated data.

Changes to this Privacy Policy

We may update the Privacy Policy to address new issues, comply with new or amended privacy regulations, or reflect changes to our Services. If our updates involve material changes to the collection, protection, use, or disclosure of Personal Information, we will endeavor to provide you with advanced notice of the revisions using various methods. These methods may include, but are not limited to, e-mail, postal mail, or a conspicuously posted website notice. If you are an educational institution customer, you should ensure that you inform students, teachers, advisors, and parents of any material changes, as data handling practices can vary based on school-specific configurations and requests. Updates to this Privacy Policy are effective on the date it is posted. If you have any questions or concerns regarding intended Privacy Policy revisions, please contact us at the email address listed below.

Information We Collect

Personal Information

“Personal Information” means any information recorded in any form that identifies or can identify an individual and includes any information provided to us by you or your Users in using our Site and Services. Personal Information we collect includes, but not is not limited to, the following:

• registration information and user profile information that you provide to us in creating your account to use our Services (e.g. name, address, post code, email address, profile picture, and telephone number);

• financial and billing information (such as credit card number and expiration date); demographic information (such as age, education, occupation) and information about individual preferences;

• information about your school or educational institution, such as school name and location;

• teacher and advisor information, such as the grade level and subject matter they teach or advise;

• student information, including class assignment data; grades, results, and other classroom content;

• information input into the Services by Users; and

• information collected from third party services that you connect to our Service.

Non-Personally Identifiable Information

Each time a User accesses our Site, HEADRUSH automatically receives and stores certain types of non-personally identifiable information about users including IP address, web pages viewed, and date and time. The non-personally identifiable information collected through your use of the Site is used to do monitor website traffic and conduct internal research on our users’ demographics, interests and behavior to better understand and serve our customers. For example, we may collect information such as the length of time a user visited the site, the pages he or she visited, the type of browser used to access our site as well as to track the number of visitors to the Site.

Additionally, we may de-identify, anonymize, or aggregate Personal Information so that it cannot be connected to you or any User. This may include grades and participation rates aggregated among many Users. Such information by itself or together cannot be tracked to a specific individual’s personally identifiable information.

How do we use Personal Information?

HEADRUSH collects Personal Information for the following purposes:

• to provide Services to you and your Users; to establish and maintain responsible commercial relations and to communicate with you in order to provide service. This includes, but is not limited to, communications relating to billing and account verification;

• to respond to any correspondence you may direct to us;

• to understand, research, and improve our Services;

• customer and User needs and preferences;

• to direct HEADRUSH-related promotions and advertisements to our educational institution customers about Us and our products and services that may be of interest to them;

• to enforce our Terms of Service;

• to provide you with system or administrative messages;

• to meet legal and regulatory requirements; and

• for any other reasonable purposes for which you may have provided your express consent or in which your consent can be reasonably implied.

HEADRUSH does not and will not sell student Personal Information.

How do we use Non-Personally Identifiable Information?

In an ongoing effort to better understand and serve the Users of our Services, and improve our Services and user functionality, we conduct research on our customer and User demographics and behavior based on anonymized or aggregated Personal Information and other information that we have collected. This research can be used to provide our customers with statistics and metrics that may be of interest to them (for example statistical data related to students). This research will be compiled and analyzed on an aggregate basis and this aggregate does not identify any individual and therefore is considered and treated as non-personally identifiable information under this Privacy Policy.

Consent

We respect your privacy and, unless otherwise required by law, we will not collect, use or disclose your Personal Information without your prior consent. Your consent may be expressed or implied. You may expressly give your consent in writing, verbally or through any electronic means. In certain circumstances, your consent may be implied by your actions. For example, providing us Personal Information to register for our Services is implied consent to use such information to provide you the associated services.

Where appropriate, HEADRUSH will generally seek consent for the use or disclosure of the information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before use (for example, when HEADRUSH wants to use information for a purpose other than those identified above). In obtaining consent, HEADRUSH will use reasonable efforts to ensure that a customer is advised of the identified purposes for which Personal Information collected will be used or disclosed.

The form of consent sought by HEADRUSH may vary, depending upon the circumstances and type of information disclosed. In determining the appropriate form of consent, HEADRUSH shall take into account the sensitivity of the Personal Information and the reasonable expectations of our customers and Users. HEADRUSH will seek express consent when the information is likely to be considered sensitive. Implied consent will generally be appropriate where the information is less sensitive.

You may withdraw consent at any time, subject to legal or contractual restrictions, and reasonable notice. In order to withdraw consent, you must provide notice to HEADRUSH in writing by email or mail at the address provided below.

Third Party Access to Personal Information

As noted above, HEADRUSH does not disclose your Personal Information to third parties, except HEADRUSH may transfer your Personal Information to third party suppliers, contractors, and agents (“Affiliates”) who are contracted by HEADRUSH to assist it in providing and developing products and services, which includes but is not limited to webhosting and providing customer service and user support. Such Affiliates will only use your Personal Information for the purposes identified in this Privacy Policy. In the event your Personal Information is disclosed to a third party pursuant to a business transaction, HEADRUSH will ensure that it has assessed such third party’s privacy policy and security practices and entered into an agreement under which the collection, use, and disclosure of student Personal Information is only used for purposes that relate to the transaction and that such Affilliate will comply with HEADRUSH’s privacy and security policies and practices. We review our Affiliate’s privacy practices at least annually and require they give HEADRUSH reasonable assurances they will continue to comply with our security and privacy policies and practices.

Subject to the foregoing, only HEADRUSH’s and our Affiliates’ employees with a business need to know, or whose duties reasonably require so, are granted access to Personal Information about our Users. All such employees will be required as a condition of employment to contractually respect and maintain the confidentiality of User’s Personal Information.

For a list of the third parties HEADRUSH engages to provide the Services and links to their privacy policies, please go to Third Party Services.

How can I Access and Rectify Personal Information Held by HEADRUSH?

Upon request and in coordination with our educational institution customers under FERPA, HEADRUSH will provide information to a User (or a User’s legal guardian if applicable) regarding the existence, use, and disclosure of his or her Personal Information by HEADRUSH. HEADRUSH will respond to an application for individual access to Personal Information within a reasonable time and at minimal or no cost to the individual. A User (or a User’s legal guardian if applicable) may challenge the accuracy and completeness of the information and have it amended as appropriate. For security purposes, HEADRUSH reserves the right to validate and verify requests for any User’s Personal Information before providing access to such Personal Information.

NOTE: In certain circumstances, HEADRUSH may not be able to provide access to all the Personal Information it holds about a User. Exceptions may include information that is prohibitively costly to provide, information that contains references to other individuals, information that cannot be disclosed for legal, security or commercial proprietary reasons, or information that is subject to solicitor-client or litigation privilege. HEADRUSH will provide the reasons for denying access upon request.

Safeguards

We store and process Personal Information using security safeguards appropriate to the sensitivity of the information in accordance with industry standards and applicable law. This helps ensure your Personal Information is protected from unauthorized access, disclosure, copying, use, or modification by utilizing methods of protection that include:

• Physical measures, such as keeping files physically locked when not being used and restricted access, both to HEADRUSH’s general place of business and our internal offices as well;

• Administrative measures, such as security clearances, background checks on employees who have access to student data, limiting access on a need to know basis, imposing confidentiality obligations on contractors, and the designation and regular training of personnel regarding maintaining the security and handling of student confidential information; and

• Technological measures, such as the use of strong passwords, firewalls, and encryption.

We perform periodic risk assessments and security audits of our information security program and prioritize remediation of identified vulnerabilities. We also allow our educational institution customers or their representatives to audit our systems per the terms of our agreements with them. However, it is important to remind you that security is a shared responsibility and no method of data transmission over the Internet or method of electronic storage is 100% safe or secure.

HEADRUSH will promptly give notice to all our educational institution customers if we ever change a safeguard that materially reduces the security of their Personal Information in our custody.

Breach Notification

HEADRUSH maintains and trains its personnel on its data breach notification procedures. In the event of a security incident affecting our systems that involves your Personal Information, we will notify you as required by applicable law and per the terms of our agreements with our educational institution customers. We will always attempt to notify you of any security incident affecting your Personal Information that we believe poses a material risk of harm to educational institutions, their staff, and their students.

Use, Retention, and Deletion

Unless required by law, or in connection with a business transaction, HEADRUSH shall not use, disclose, or transfer Personal Information for any purpose other than those described above without first identifying and documenting the new purpose and obtaining your consent, where such consent may not reasonably be implied.

Depending on how your school (i.e. school principal, administrator or other individual authorized by the school to administer our Service) (“School Administrator”) chooses to use our Service, student Personal Information and other User information may be shared to other teachers, advisors, and school staff who are authorized by the School Administrator to view and access such information. Each student and his or her parent will only have access to view, submit, and delete information relative to that particular student. Neither students (nor their parents) will be able to view or otherwise access the student information of other students unless, in limited circumstances, it is provided to that student account by the School Administrator (e.g. a class photo or class list containing the names and photos of other students). HEADRUSH is and will remain under the direct control of our educational institution customers regarding the use and disclosure of student User Personal Information. Our educational institution customers retain ultimate ownership of all student User records.

HEADRUSH retains Personal Information for only as long as required to fulfill the identified purposes or as required by law. Personal Information that is no longer required to fulfill the identified purposes will be regularly destroyed, erased, or made anonymous according to the guidelines and procedures established by HEADRUSH and the terms imposd upon Us in our agreements with our customers.

If HEADRUSH ceases to provide the Services to one of our educational institution customers, HEADRUSH will work with the institution to transfer all applicable User Personal Information back to the institution or an appropriate third party designated by such customer, delete all User Personal Information related to that institution, and reasonably ensure that all third parties HEADRUSH has shared applicable User Personal Information with does the same.

If you have general questions for us regarding the use, retention, and deletion of your Personal Information, please reach out to us using the contact information listed below.

Compliance

FERPA

HEADRUSH and our educational institution customers must comply with all applicable provisions of FERPA. We receive Student Data from Customers who are educational institutions as a “school official” under FERPA and only process Student Data for educational purposes. In the event we receive a subpoena or judicial order for the disclosure of education records, we will notify the associated education institution customer(s) prior to fulfilling the request in accordance with FERPA. For additional information on FERPA, please visit the U.S. Department of Education’s Privacy Technical Assistance Center.

COPPA

To the extent COPPA applies to information we collect, we process information for educational purposes only, at the direction of the partnering Customer. For additional information on COPPA and educational institution consent, please refer to the Federal Trade Commission’s Complying with COPPA: Frequently Asked Questions. Headrush is a proud member of the iKeepSafe COPPA Safe Harbor Certification Program.

[If you have any questions or concerns regarding our COPPA policies and practices, please contact COPPAPrivacy@ikeepsafe.org.

Contact Information

HEADRUSH is responsible for the Personal Information under our possession and control. We have designated a Privacy Officer to be responsible for our compliance with this Privacy Policy and privacy legislation.

If you have questions or would like to address a concern regarding compliance with this Privacy Policy, please contact HEADRUSH’s Privacy Officer using the information below. HEADRUSH will maintain procedures for addressing and responding to all inquiries or complaints from Users about HEADRUSH’s handling of Personal Information. HEADRUSH shall investigate all complaints. All inquiries or complaints involving HEADRUSH’s handling of Personal Information or compliance with this policy or with PIPEDA shall be directed to HEADRUSH’s Privacy Officer.

The Privacy Officer will respond to all such inquiries or complaints within 14 business days of receipt. The Privacy Officer will make reasonable efforts to resolve all such complaints within 30 days of receipt of the initial complaint. If HEADRUSH finds a complaint to be justified, it will take appropriate measures, including, if necessary, amending its policies and procedures.

For more information, please contact our Privacy Office as follows:

E-mail: info@headrushlearning.com Mail: 152 Ward Court, Oakville, Ontario, L6L 5X7 Phone: 416-294-2040