Privacy Policy

GENERAL

Respecting and protecting our users’ privacy and Personal Data is important to Kidsloop Limited and its related companies (including subsidiaries, affiliates, holding companies and companies held in common control) (collectively, we or us or Kidsloop Group). This Privacy Policy is intended to help users understand how we collect, use and safeguard Personal Data in our interactions with users on platform(s) owned and operated by us listed on the Kidsloop’s Platform(s) page (collectively, our Platform(s)) and/or on platform(s) operated by our Partners (Partner Platform(s)).

A Partner(s) means an entity which has entered into a business partnership agreement with a Kidsloop Group company (Partnership Agreement), which may include a data processor agreement where we act as a Data Processor on behalf of that Partner, terms of which are set out in the Data Processor Agreement page.

This Policy also describes the data protection rights we respect, including a right to object to some of the processing which we carry out. More information about data protection rights, and how to exercise them, is set out in the section What rights do you have?

WHAT INFORMATION DO WE COLLECT?

We collect and process Personal Data about users on our Platform(s) (subject to this Privacy Policy) and process data about users on Partner Platform(s) (subject to that Partner’s Privacy policy, our User Policy and the Data Processor Agreement if applicable) who: 

– visit and/or register and use the Platform(s) or Partner Platform(s);

– use services we provide on the Platform(s) or Partner Platform(s);

– use third-party services offered by service providers such as analytics companies, advertising networks and any other third party service providers that we choose to collaborate or work with;

– provide us with Personal Data via: our Partners/social media platforms/networks or telephone enquiries, application for or use of our services on the Platform(s) or our Partner Platform(s);

– attend live and/or online classes or other educational events during which image/voice is captured by photography and/or video or sound recording on our Platform(s) or Partner Platform(s); and

In this Privacy Policy:

Personal Data means any information relating to an identifiable natural person including without limitation: contact information (name, image, voice, email address, contact number, technical data; contact details of children, parents, guardians, teachers; Payment information (credit/debit card and other payment information), identity data (gender, date of birth, age, interests, reasons for participation, financial information, preferences, geographical location; communication (messages between users, discussions, comments to posts, notifications, etc.); user profile data including course material (assessments, assessment results and grades); user calendar entries and event data; user generated documents, presentations, images, homework and tasks; Platform(s) usage (including browsing behaviour / activities); sensitive data such as physiological data in images or video or sound recordings captured by photography, video and/or sound recordings at our events or Partner events and other Personal Data users provide to us; and

Partner user means Partner’s employees including teachers, administrators, lecturers, mentors and others, the Partner’s other employees and contractors, and any other user authorised by the Partner who transmits Personal Data via the service, including children, parents or guardians.

HOW DO WE USE THIS INFORMATION AND WHAT IS THE LEGAL BASIS FOR ITS USE

We process Personal Data for the following purposes:

To operate our business and pursue legitimate interests, in particular:

– To provide our services to users on the Platform(s) and Partner users on the Partner Platform(s) by: providing educational materials, templates, and reports, animating and digitizing content, enhancing the user experience of our services, improving educational materials, content and learning outcomes using feedback from users and intelligence we generate from user behaviors, the consequences of those actions and observed learning patterns (Derivative Data) in order to deliver personalized lesson plans and reports on our Platform(s) and Partner Platform(s);

– To monitor use of our Platform(s) and Partner Platform(s), our services (both online and offline) and employ user information to help us monitor, improve and protect our products, content and services on our Platform(s) or Partner Platform(s), (both online and offline);

– To analyse trends, usage, user behavior and to predict behaviors (whether on an individualized, anonymized or aggregated basis), to help us better understand how individual users and our collective user base access use of content and services, on our Platform(s) or Partner Platform(s) for the purposes of:

– improving our services;

– responding to user and Partner requests, feedback and preferences;

– providing reports on learning outcomes and performance of users for our own use and for our use by our Partners;

– measuring the effectiveness of our content and/or content provided by our Partners and animation of that content;

– measuring the effectiveness of our analysis and feedback to users and our Partners from Derivative Data that we generate from the behavior patterns, learning outcomes and performance of users and course or content patterns and layout;

– measuring the effectiveness of live and virtual classes and other educational events;

– conducting marketing demonstrations targeted at potential partners (on an aggregated and anonymized basis only);    

– providing our Partners with support, gathering feedback and responding to questions from users of our product and services or our Partners or the general public;

– assessing and recruiting candidates for open positions with Kidsloop Group companies;

– managing third party developers that we have engaged; and

– crowdsource data analytics and hackathon activities (on an aggregated and anonymized basis only) and any data captured in AB testing for personalisation of our services to users.    

When users give us consent (if required) by opt in:

– To provide direct marketing communications in relation to products, services, events, offers or promotions under the categories stated below, provided by: (a) us or other Kidsloop Group companies, (b) Partners, and (c) other third party providers. Such marketing communications may be in various forms, including advertisements, special events notifications or newsletters, and delivered via various methods (in accordance with the consent for use of Personal Data that you provide to us), such as by email, SMS, WhatsApp, WeChat messages, smartphone app push notifications, notifications on your social media pages, completion of Google forms, in-app messaging or postal mail.

Such marketing communications may market or offer products or services (including special events and promotions) in the following categories: educational services, social networking services, payment services, on-line advertising services, other e-commerce, information and communications and services and other products and services related to any of the foregoing, which we think may be relevant to users and/or Partners based on information provided to us (for instance, via user participation in our user surveys); and

– To allow users to register for our services and participate in our trials, tests, demonstrations, events, courses and promotions, including verifying their identity at those events and promotions.

For purposes which are required by law:

– In response to requests by government or law enforcement authorities conducting an investigation.


RELYING ON LEGITIMATE INTERESTS

We have carried out an assessment on all the data processing activities described above in order to weigh up any privacy implications against our legitimate business interests. Users can obtain information on any of our assessments by contacting us using the details set out in Security Measures.


 

WITHDRAWING CONSENT OR OTHERWISE OBJECTING TO DIRECT MARKETING

Wherever we require user or Partner consent under applicable law, the user or Partner will always be able to withdraw any consent provided to us. We shall cease to use Personal Data for the purpose in respect of which the user or Partner has withdrawn their consent, but we may still use, process, store and transfer such data for other purposes, such as those set out above. Specifically, in the case of users or Partners from the European Economic Area (EEA), we are able to send direct marketing without their consent, where we rely on our business or legitimate interests. Irrespective of the legal basis on which we rely to send direct marketing, users and Partners have an absolute right to opt-out of direct marketing, or profiling we carry out for direct marketing, at any time. They can do this by contacting us using the details in the section below How to get in touch with us.         

WHO WILL WE SHARE USER DATA WITH, WHERE AND WHEN?

We may share user or Partner Personal Data with the related companies of Kidsloop Limited located within or outside Hong Kong, SAR for the purposes set out in How do we use this information, and what is the legal basis for this use? section above.

     Personal Data may be shared with government authorities and/or law enforcement officials if required for the purposes set out in How do we use this information, and what is the legal basis for this use? section above, if mandated by law or if required for the legal protection of our legitimate interests in compliance with applicable laws.

     Personal Data will also be shared with third party service providers located within or outside of Hong Kong, SAR, who will process it on our behalf for the purposes identified in this Privacy Policy. In particular, we use the following third party service providers and sub processors on the Sub-Processor List page:

– E-mail/SMS/MMS/WeChat/WhatsApp blasting services;

– Data storage and cloud service providers (for storage of Personal Data and hosting of applications that process Personal Data for the purposes identified in this policy);

– Google, Facebook, Instagram, LinkedIn and other networks (for matching of Personal Data with their database in order to send users our direct marketing materials through your Google, Facebook and/or LinkedIn account(s));

– Marketing (including digital marketing) and analytic agencies (for display of advertising materials on our Platform(s) and other platforms that users may visit, and analysis of user online behaviour and usage of our Platform(s) – these agencies use cookies; please refer to our separate Cookies Policy for details); and

– Data analytics, AB testing, hackathon service providers and agencies (for the purposes stated in the section above How do we use this information, and what is the legal basis for this use?).

– Derivative Data collected on the Platform(s) or Partner Platform(s) and stored separately from Personal Data will be used to generate intelligence delivered as part of our services and may also be sold or licensed to Partners and/or third parties for their own purposes.

Derivative data will have a link via a controlled encrypted key back to Personal Data. The key can be deleted if a user stops using the Platform(s) so that the Derivative Data can remain stored by us without identifying the user personally. Ownership of such Derivative Data will vest in the Kidsloop Group on creation and will be retained on termination of a relationship with a user or with a Partner, the key having been deleted.

In the event that our business or any part of it is sold or integrated with another business, or the shares in Kidsloop Group companies are sold in private or public share offerings, user and Partner(s) details will be disclosed to our advisers and any prospective purchaser’s adviser and will be passed to the new owners of the business or shares.

     User Personal Data may be transferred to or from jurisdictions in which the Company has operating subsidiaries or Partner(s) subject to applicable laws.     

WHAT RIGHTS DO USERS HAVE?

Where permitted by law, users of the Platform(s) have the right to ask us for a copy of their Personal Data; to correct, delete or restrict (stop any active) processing of their Personal Data; and to obtain their Personal Data in a structured, machine-readable format, and to ask us to share (port) this data to another controller.

HOW TO GET IN TOUCH WITH US

We hope that we can satisfy queries users of the Platform(s) may have about the way we process data. If users have any concerns about how we process data, or would like to opt out of direct marketing, they can get in touch by: (a) contacting our Privacy Officer at privacy@kidsloop.live;

or (b) sending their request by post to: Data Protection Assurance Officer, Kidsloop (UK) Limited, Fora – Spitalfields, 35-41 Folgate St, London E1 6BX, United Kingdom.

WHO IS THE DATA CONTROLLER?

The data controllers in respect of users on the Platform(s) are Kidsloop Group Companies. Contact details for respective privacy officers can be found in the section above How to get in touch with us. The data controller on a Partner Platform(s) is the Partner and we process user data to provide services on Partner Platform(s) subject to the User Policy.

HOW LONG WILL WE KEEP USER DATA?

Where we process registration data, we do this for as long as users are active on our Platform(s) or Partner Platform(s) and provided it is required for business and legitimate interests or legal requirement.

Where we process data in connection with a Partnership Agreement or Data Processor Agreement, we do not keep users’ Personal Data if they are no longer a registered user on the Partner’s Platform(s) or if we are no longer in partnership with that Partner. An identifier via controlled encryption key to user Personal Data in Derivative Data (which we will retain) will be broken to protect the privacy of users’ Personal Data if they are no longer a user on the Partner Platform(s) or we are no longer in partnership with that Partner.

Where we process Personal Data for marketing purposes or with user consent, we process the data until the user asks us to stop and for a short period after this (to allow us to implement their requests). We also keep a record of the fact that the user has asked us not to send them direct marketing or to process their data so that we can respect their request in the future.

Derivative Data is retained in perpetuity and in the sole discretion of the Company after a user stops using the Platform(s). The controlled encryption key identifying user Personal Data is deleted from the last user interaction so that the Derivative Data can remain stored with the Company without identifying the user personally.

We will keep the images captured by our analytics cameras or cameras operated by our Partners only for the authorized purposes detailed in How do we use this information, and what is the legal basis for this use? section above.    

PHOTOGRAPHY POLICY

We or our Partners may take photographs and/or video recordings of users in live classes and make recordings of virtual classes or other school events for authorized purposes detailed in How do we use this information, and what is the legal basis for this use? section above. By participation in these events and acceptance of this Privacy Policy users agree to publication of these images and/or videos and sound recordings on our Platform(s) or Partner Platform(s) for delivery, marketing and promotional purposes of our products and services. We do not permit unauthorised photography, sound and/or video recording for any other commercial use, private gain, use in press or media, or for promotional purposes in live classes or recording of virtual classes or other school events.    

APPLICABLE LOCAL LAWS FOR VISITORS FROM:

EUROPEAN UNION

EU GENERAL DATA PROTECTION REGULATION (GDPR) 

Notice for residents of EEA

Last updated: 2021

WHO WILL WE SHARE USER DATA WITH, WHERE AND WHEN?

Where information is transferred outside the EEA, and where this is to a Partner or third party service provider in a country that is not subject to an adequacy decision by the EU Commission, data will be adequately protected by EU Commission approved standard contractual clauses, an appropriate Privacy Shield certification or third party or Partner’s Processor Binding Corporate Rules. A copy of the relevant mechanism can be provided for user review on request using the details set out in the section How do I get in touch with you above.    

WHAT RIGHTS DO USERS HAVE?

Users of the Platform(s) or Partner Platform(s) located in the EEA can object to the processing of their Personal Data in some circumstances (in particular, where we do not have to process the data for business or other legitimate interests, purposes for which consent has been given (including direct marketing) or other legal requirements).

These rights may be limited, for example if fulfilling their request would reveal Personal Data about another person, where they would infringe the rights of a third party (including our rights) or if a user of the Platform(s) asks us to delete information which we are required by law to keep or have compelling legitimate interests in keeping. Relevant exemptions are available under applicable laws. We will inform users of relevant exemptions we rely upon when responding to any request they make.

To exercise any of these rights, or to obtain other information, such as a copy of a legitimate interests’ assessment, users can get in touch with us – or our privacy officer – using the details set out in the section How do I get in touch with you above.  If users have unresolved concerns, they have the right to complain to an EU data protection authority where they live, work or where they believe a breach may have occurred.

HOW LONG WILL WE KEEP USER DATA?

Where we process Personal Data for site security purposes, we retain it for 7 years after any business and legitimate interests no longer exist, and where we process Personal Data in connection with performing a contract with us (other than a Data Processor Agreement with a Partner), we retain the data for 7 years from the last user interaction with us.

CALIFORNIA

CALIFORNIA CONSUMER PRIVACY POLICY

Notice for California Residents

Last updated: 2021

This notice applies solely to all users of our Platform(s) who reside in the State of California and is presented in compliance with the California Consumer Privacy Act of 2018 (CCPA).

WHAT INFORMATION DO WE COLLECT?    

We are required to disclose to users the categories and sources of Personal Data we collect from them within the previous 12 months. Please refer to the sections What information do we Collect? and How do we use this information, and what is the legal basis for its use? for details on the Personal Data we collect.    

WHO WILL WE SHARE USER DATA WITH, WHERE AND WHEN?

Sharing Personal Data/Do not sell my Personal Data

We may disclose user Personal Data to third parties for a variety of business purposes. Please refer to the Who will we share this data with, where and when? section for details.

We do not sell users’ Personal Data to third parties for their own marketing and advertising or other business purposes.

Other California User Privacy Rights    

Right to Know

Users have the right to request us to disclose certain information about our collection of their Personal Data over the past 12 months. Upon receipt and confirmation of a verifiable user request, we will disclose:

    • The categories of Personal Information we collected about the user
    • The categories of sources from which we collected Personal Information about the user
    • Our business or commercial purpose for collecting or selling such Personal Information
    • The categories of third parties with whom we share such Personal Information
    • The specific pieces of Personal Information we collected about the user
    • If we sold or disclosed the user’s Personal Information for a business purpose, two separate lists disclosing the categories of Personal Information involved in:

– sales, and the category of third party to whom the data was sold (if at all)

– disclosures for a business purpose, and the category of third party to whom the data was disclosed

Right to Request Deletion

Users have the right to request us to delete Personal Information we collected from them. Upon receipt and confirmation of a verifiable customer request, we will delete such Personal Information from our records, unless it is necessary for us, our Partners or our service providers to:

    • Complete the transaction for which such Personal Information was collected, fulfill the terms of a written warranty or product recall conducted in accordance with applicable law, provide a good or service requested by the user, take actions reasonably anticipated within the context of our ongoing business relationship with the user, or otherwise perform our contract with the user;
    • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities;
    • Debug products to identify and repair errors that impair existing intended functionality;
    • Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law;
    • Comply with the California Electronic Communications Privacy Act;
    • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when our deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the user previously provided informed consent;
    • Enable solely internal uses that are reasonably aligned with consumer expectations based on the user’s relationship with us;
    • Comply with a legal obligation; or
    • Use such Personal Data, internally, in a lawful manner that is compatible with the context in which the user provided such Personal Information.

Right to access Personal Data

The user may submit requests to exercise their rights in relation to Personal Data by sending an email to the address set out in the How to get in touch with us? section. We will seek to disclose and deliver the required information to the user in accordance with the CCPA.

Right not to be discriminated against

We will not discriminate against a user because they exercise California privacy rights, and will not deny them goods or services, charge a different price or rates for goods or services, or provide a lower quality of goods or services to them due to the exercise of such rights.

KIDSLOOP PLATFORM LIST

We rely on public cloud providers to offer our services: Tencent, AWS, Google and BizFly. This list will be updated on our website as new Platform(s) are incorporated into our IT estate.

SECURITY MEASURES

Kidsloop has implemented the security measures set out below in accordance with industry standards to protect personal information. Kidsloop may update or modify such security measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the services. The updated version can be found at https://www.kidsloop.net/policies/privacy-notice/#securitymeasures

Organizational Measures

The Kidsloop management team has been actively involved in developing an information security culture within the Group and has a management structure in place to manage the implementation of information security in its services with clear roles and responsibilities within the organization.

Operations Management

Multiple industry best-practice processes and policies exist to ensure the best possible confidentiality, availability and integrity of the platform. These policies are built around strict requirements in a number of areas, such as:

    • Information security
    • Hosting environment security
    • Third party access
    • Capacity control
    • Change management
    • Backup and recovery
    • Access control
    • Documentation
    • Logging and monitoring
    • Incident response
    • Release management

Information Security team

Kidsloop has a team of information security experts who are responsible for the overall information security of the organization. Their role includes responsibility for:

    • Coordinating security related tasks
    • Securing corporate environment, network and devices
    • Security of the application (in-house penetration testing and application audits)
    • Monitoring and logging
    • Process and policy management (disaster recovery, patch management etc.)
    • Training and education of employees, in the field of information security
    • Coordinating third-party security audits, and follow up on any findings
    • Reviewing code for potential security vulnerabilities.

Roles and responsibilities

All employees have clear roles within the Group and are only given access to data required for their specific role. A limited number of employees have administrative access to our production environment and their rights are strongly regulated and reviewed at set intervals. Any major change to the application, environment or hardware of the production environment is always verified by a minimum of two individuals.

Personnel security

All Kidsloop employees are required to enter into a strict confidentiality agreement. All staff are required to follow corporate policies regarding confidentiality, business ethics and professional standards. Staff involved in securing, handling and processing customer data are required to complete training appropriate for their role.

Access Control

Strict requirements are in place for any employee, hired consultants or third party requesting access to Kidsloop information systems. Access control is controlled by an authentication system. The user is required to:

    • Have management approval for the requested access
    • Have strong passwords that are in accordance with the corporate password policy
    • Change their password at regular intervals
    • Document that the access requested is required for their specific role/task
    • Ensure that the device (PC, tablet, cellphone) used is adequately secured, and locked when the user is absent.

Kidsloop employs automatic temporary lock-out of the user terminal if left idle.

Internal data access processes and policies are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process Personal Data. Any changes to data are logged to create an audit trail for accountability.

Physical security

Data Centres

     Kidsloop operates all its customer services from data centres separated from the corporate office work space. Access to data centres is strictly controlled and protected to reduce the likelihood of unauthorized access, fire, flooding or other damage to the physical environment. Physical access to data centres is limited to a small number of employees within Kidsloop and/or its hosting centre providers. Strict security clearances are required and must be approved by security management prior to entering a data centre.

Technical measures – System availability

Kidsloop has implemented industry standard measures to ensure that Personal Data are protected from accidental destruction or loss, including:

    • infrastructure redundancy (including full network, power, cooling, database, server and storage redundancy)
    • backup is stored at an alternative site and available for restore in case of failure of the primary system.
    • appropriate denial-of-service protection
    • 365/24/7 personnel on duty to monitor and troubleshoot

Data protection

Kidsloop has implemented a series of industry standard measures to prevent the Personal Data from being read, copied, altered or deleted by unauthorized parties during transport or at rest. This is accomplished by various industry standard measures including:

    • Use of layered firewalls, VPNs and encryption technologies to protect gateways and pipelines
    • HTTPS encryption (also referred to as SSL or TLS connection) with secure cryptographic keys
    • Remote access to data centres is protected with a number of layers of network security
    • Particular sensitive customer data at rest is protected by encryption and/or hashing (pseudonymisation)
    • Every decommissioned disk is subject to a disk erasure process according to our “Disk erase policy”, and decommissioning is logged by disk serial number
    • Regular third-party security audits (minimum annually), including penetration testing, that are made available to partners

Data centres

Kidsloop uses only state-of-the-art data centres, with 365/24/7 on-site security and monitoring operations. The data centres are housed in modern fire-resistant facilities that require electronic keycard access, with alarms that are linked to the on-site security operation. Only authorized employees and contractors are permitted to request electronic keycard access to these facilities.

System development

     Kidsloop’s Platform(s) is based on industry standard technologies from well-known vendors, including [Microsoft, Linux, Dell, Fujitsu, Amazon, Cloudflare, F5 and Cisco]. Systems are periodically patched to the latest version to ensure that the latest security enhancements are applied. The platform is in general updated several times per quarter, and bug fixes are released swiftly based on priority, following rigorous quality checks.

Kidsloop has measures in place to minimize the risk of introducing code in its platform that can degrade the security or integrity of the customer services and Personal Data processed. Measures include:

    • Regular training of staff
    • Code review by security architects
    • QA process for rigorous testing of changes prior to deployment

Sub-processor security

When onboarding sub-processors, Kidsloop performs an audit of the security and privacy practices of sub-processors to ensure sub-processors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. Kidsloop performs regular security audits of the practices and delivery for existing sub-processors.

SUB-PROCESSOR LIST

None to date – to be updated as required.    

USER POLICY

USER PRIVACY INFORMATION

Kidsloop Group companies (Kidsloop) are committed to keeping their users’ Personal Data safe.

The information on this page is aimed at users of the Kidsloop services on Partner Platform(s). Under these circumstances we operate as a data processor. If you are looking for information on how Kidsloop manages data privacy for its own purposes (as a data controller and processor) please refer to the Privacy Policy page.

Kidsloop operates its services on Partner Platform(s) and subject to and in accordance with the Partner’s privacy policy as follows:

    • We do not own, control or process our users’ data independently. All Personal Data is controlled by the Partner. We do not determine the purpose or lawfulness of how user data is processed by our Partner.
    • We never transfer Personal Data to anyone including third parties without written instruction from our Partners. Users are advised to contact the Partner if they have questions about their Personal Data.
    • We do not sell or try to make money out of our Partner’s users’ Personal Data. We do not build profiles using our users’ data for our own purposes other than Derivative Data.
    • We delete Personal Data promptly when instructed by our Partners.
    • We and our Partners are both responsible for keeping users’ Personal Data safe. We employ physical, technical, and organizational measures as part of our security procedures. You can read about the security measures we take to keep our users’ data safe on the Kidsloop Security Measures page.
    • We never let our third party service providers or sub-processors process Personal Data unless it is approved by the Partner. You can see a list of our sub-processors here. These sub-processors are legally bound to protect our users’ privacy in the same manner as we are.
    • For all our users, we take strict measures to ensure that we are compliant with applicable laws. For more information, visit our Partner Applicable Data Protection Regulations page.
    • In case of a data breach that could affect our Partners, we will always inform our Partners about this as soon as we become aware of it.
    • Our users might have a right to be informed in detail about what their Personal Data is used for and what their legal rights are. Users are advised to contact the Partner Platform(s) that they are registered with to find out more about this.

The relationship between Kidsloop and our Partners is always based on a legal contract. To see an example of how we make legal arrangements for users’ Personal Data, you can review our Data Processor Agreement.

DATA PROCESSOR AGREEMENT

 

THIS AGREEMENT IS MADE BETWEEN:

  1. [PARTNER NAME] (the Data Controller)
  2. [KIDSLOOP ENTITY party to the PARTNERSHIP AGREEMENT] (the Data Processor)

 

DEFINITIONS

In this Agreement the Data Controller and the Data Processor are individually referred to as Party and collectively as the Parties.

Applicable Data Protection Regulations means legislation in respect of Personal Data protection applicable in the jurisdiction of operation of the Data Controller in connection with the performance of the Partnership Agreement detailed in section below;

Derivative Data means historic, aggregated, anonymised data, in which the Data Processor has full right, title and interest in or to, derived by the Data Processor from operational data collected on the Platform(s) or Partner Platform(s) from user behaviors on the Platform(s) or in respect of Platform(s)’ content which is used to create intelligence to deliver personalized lesson plans and reports as part of the Data Processor(s)’ services to Partners. Derivative Data will include predictive data from modelling (including without limitation artificial intelligence, probabilistic, machine learning and segmentation (clustering) models). Derivative Data is held in a form such that the identifier (via a controlled encrypted key) may be delinked from user Personal Data. It may be sold or licensed to other Partners and/or third parties for their own purposes when the user stops using the Platform(s) or the partnership with Partner Platform(s) is terminated and the controlled encrypted key identifying the user personally is delinked.

Partnership Agreement means the partnership agreement made between the Parties to this Agreement in connection with the licence and delivery of content and/or platform services. Terms defined in the Partnership Agreement shall have the same meaning in this Agreement unless the context requires otherwise;    

Personal Data means any information relating to an identifiable natural person including without limitation: contact information (name, image, voice, email address, contact number, technical data); contact details of children, parents, guardians, teachers; payment information (credit/debit card and other payment information); identity data (gender, date of birth, age, interests, reasons for participation, financial information, preferences, geographical location); communication (messages between users, discussions, comments to posts, notifications, etc.); user profile data including course material (assessments, assessment results and grades); user calendar entries and event data; user generated documents, presentations, images, homework and tasks; Platform(s) usage (including browsing behaviour / activities); sensitive data such as physiological data in images or video or sound recordings captured by photography, video and/or sound recordings at our events or Partner events and other Personal Data users provide to the Data Controller and/or Processor.

IT IS AGREED THAT:

 

1. Purpose

Pursuant to this Agreement, the Parties agree to ensure that Personal Data processed pursuant to the terms of the Partnership Agreement shall be undertaken lawfully in accordance with Applicable Data Protection Regulations and shall not come into the possession of any unauthorized third party.

 

2. Processing and Primary Responsibility

This Agreement regulates the Data Processor’s processing of Personal Data on behalf of the Data Controller, including the collection, recording, alignment, storage and disclosure or a combination of such data. Subject matter and details of Personal Data being processed are detailed in Appendix 1.

The Data Processor itself has no right of disposal over the Personal Data and cannot process Personal Data for its own purposes, with the exception of Derivative Data. The Personal Data shall be solely used to fulfil the purposes of the Partnership Agreement within the limits that the Data Controller has laid down.

 If the Data Processor is obliged by law to process Personal Data in any other manner than as instructed by the Data Controller, the Data Processor must notify the Data Controller before such processing commences, unless applicable legislation or legal process prevents it from providing such notice.

 

3. The Data Controller’s role and responsibilities

The Data Controller is responsible for ensuring that there is a lawful basis for the processing of the Personal Data, and that the actual processing is in accordance with Applicable Data Protection Legislation.

As part of this responsibility, the Data Controller is responsible for ensuring that system administrator(s) hold the necessary authorisation, prior to processing of Personal Data on behalf of the Data Controller.

The Data Controller shall also carry out any necessary privacy and data protection impact assessments, i.e., an assessment of the impact of the envisaged processing operations on the protection of Personal Data, prior to the processing.

The Data Controller is responsible for requests from end users for access to Personal Data held by the Data Controller or the Data Processor pursuant to the agreement. If such requests are received by the Data Processor, the Data Processor will advise the end user to submit its request to the Data Controller, who is responsible for responding to any such request.

If the Partnership Agreement allows for the Data Controller to install and enable additional products from external third parties (including extensions), the Data Controller acknowledges that if it installs, uses, or enables such third party products, which gain access to Personal Data, this data processor agreement does not apply to the processing of data transmitted to or from such external third party products. The Data Controller can enable or disable use of external third party products, and it is not required to use such products pursuant to the Partnership Agreement.

 

4. The Data Processor’s role and obligations

The Data Processor shall process Personal Data solely on behalf of the Data Controller and only as instructed by the Data Controller. Incidental processing of Personal Data by the Data Processor to ensure the security, operational maintenance, analysis or evaluation of the services provided under the Partnership Agreement and not having any adverse impact on the level of data protection of the data subjects, shall not be presumed to constitute processing for the Data Processor’s own purposes. For the avoidance of doubt the Data Processor is authorized to process data to create Derivative Data for the purpose of delivering the services and its own purposes. 

The Data Processor undertakes to give the Data Controller access to all information which is necessary to document compliance with Applicable Data Protection Legislation, and to provide assistance so that the Data Controller can fulfil its responsibilities pursuant to the law and the regulations.

 Unless otherwise agreed or pursuant to statutory requirements, the Data Controller has a right of access to Personal Data that is processed by the Data Processor on behalf of the Data Controller and to all systems that are used for this purpose. The Data Processor undertakes to give assistance in this respect. However, the Data Processor shall not be obliged to disclose any business confidential or commercially sensitive information to the Data Controller. Furthermore, the Data Controller has no right of access where this implies a risk to the security or integrity of the relevant Personal Data.

The Data Processor, including employees, has a duty of confidentiality regarding documentation and Personal Data that the Data Processor has access to pursuant to this Agreement. This provision also applies after the termination of this Agreement. All necessary confidentiality agreements shall be entered into if the employees are not already bound by a statutory duty of confidentiality or secrecy. The duty of confidentiality also includes employees of Sub-Processors who carry out maintenance (or similar tasks) of systems that the Data Processor uses to provide or administer the service.

The Data Processor’s internal data access processes and policies are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process Personal Data. The Data Processor designs its systems to only allow authorized persons to access data they are authorized to access, and to ensure that Personal Data cannot be read, copied, altered or removed without authorization during processing, use and after recording. Approvals are managed by workflow tools that maintain audit records of all changes. Access to systems is logged to create an audit trail for accountability. The logs shall be kept by the Data Processor for a minimum of 3 months. The Data Controller shall, upon so requesting, be given access to such logs.

 

5. Data Protection Officer

The Data Processor will appoint a data protection officer, if required, in accordance with the requirements of the Applicable Data Protection Legislation.

 

6. Use of sub-processors and export of data

The Data Processor’s use of sub-processors to process Personal Data shall be agreed in writing with the Data Controller before the processing by the sub-processor commences unless the use of sub-processor already results from the Partnership Agreement. The Data Processor will ensure that any sub-processors only access and use Personal Data in accordance with the terms of this data processor agreement and that such sub-processors are bound by written agreements that require them to provide at least the level of data protection required by Applicable Data Protection Legislation. The Data Controller may, on reasonable and justifiable grounds, refuse to approve new sub-processors.

The sub-processors listed on the following website are hereby approved by the Data Controller: https://www.kidsloop.net/policies/privacy-notice/#subprocessor. Should the Data Controller require more detailed information related to processing locations in order to comply with legal requirements or requests from data protection authorities, the Data Processor shall assist the Data Controller to address such compliance needs, provided that, prior to any such provision of information, the Data Controller has entered into appropriate confidentiality obligations where this is deemed necessary by the Data Processor.

Changes concerning an addition or a replacement of an entity listed in the sub-processor list shall be made available to the Data Controller, including by announcing them to the Data Controller through automated notices or other means where appropriate. Within 4 weeks of receiving such notice, the Data Controller may object to any such change or addition solely on reasonable grounds.

The Data Processor is responsible towards the Data Controller for the sub-processor’s actions and omissions in the same manner as if these were the Data Processor’s own acts or omissions. The Data Processor is responsible for ensuring that the sub-processor is familiar with the Data Processor’s contractual and statutory duties, and that the sub-processor performs them in a similar manner vis-à-vis the Data Processor.

The Data Processor, and any potential sub-processor, cannot transfer Personal Data outside the territory of operation of the Partnership or pre-approved third countries without the prior written consent of the Data Controller. Data Controller’s access to or use of Personal Data from or in a third country shall not, on the account of the Data Processor or any sub-processor, be considered Transfer of Personal Data to such third country.

To the extent such transfer of Personal Data is taking place, either to Data Processor entities or other third party sub-processors located in countries outside the territory of operation, such transfers shall be subject to binding and appropriate transfer mechanisms which provide an adequate level of protection in compliance with Applicable Data Protection Legislation.

 

7. Security

7.1 Security measures and documentation

The Data Processor shall fulfil the requirements for security measures stipulated in Applicable Data Protection Legislation. The Data Processor has a duty to document its security measures. Appendix 3 contains an overview of the Data Processor’s security measures. More detailed documentation can be made available to the Data Controller upon its request.

The Data Processor shall implement and maintain appropriate technical and organisational security measures to ensure a level of security appropriate to the risk involved, including by considering the nature of any cloud service provided to the Data Controller. The measures must protect the Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed. The Data Processor shall, in establishing such measures, take into account the confidentiality, integrity, availability and resilience of the information and the processing systems and services.

When processing Personal Data, appropriate security measures shall include inter alia as appropriate:

    • the pseudonymisation and encryption of Personal Data;
    • the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;
    • the ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
    • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

The Data Controller and Data Processor shall take steps to ensure that any person acting under the authority of the Data Controller and Data Processor who has access to Personal Data does not process them except on instructions from the Data Controller, unless he or she is required to do so by Applicable Data Protection Legislation or other legislation.

 

7.2 Overview of processing activities

The Data Processor, and, where applicable, the Data Processor’s representative shall set up and maintain a list of all categories of processing activities carried out on behalf of the Data Controller, containing:

a) the name and contact details of the Data Processor and the data protection officer;

b) the categories of processing carried out on behalf of the Data Controller;

c) where applicable, transfers of Personal Data to a country outside the territory of operation, including the identification of that third country and the documentation of suitable safeguards as and when required;

d) where possible, a general description of the technical and organisational security measures applied.

 

The list shall be updated in accordance with clause 8 below. The Data Processor shall make the list available to the relevant data protection authority on request.

 

7.3 Notifications regarding data breach

In case of a data breach that has compromised the security or privacy of the Personal Data, this shall be reported to the contact point specified in clause 12 (Notices). Such notification should be issued without undue delay, but in no event later than 72 hours after the Data Processor becomes aware of the data breach.

The notification shall contain:

    • A description of the Personal Data and, when possible, which types and the number of data subjects that are affected as well as which types and quantity of Personal Data are affected
    • The name and contact details of any data protection officer or other contact person
    • A description of the likely consequences of the incident
    • A description of the measures which are taken or proposed to be taken to address the incident and, where appropriate, the measures to mitigate its possible adverse effects.

The Data Controller is responsible for formally notifying a relevant Personal Data breach to data protection authorities and, where applicable, to those affected by the data breach.

 

7.4 Access management and equipment

The Data Processor must ensure that it has proper security of the service, including servers, databases and other relevant equipment or software, such that no unauthorised person can get access to Personal Data. The same applies with regard to any print-outs and other physical documents.

The Data Processor shall furthermore have a system for security control in accordance with Applicable Data Protection Legislation. The system shall include, but is not limited to, routines for:

    • Treatment of non-conformities which includes the provision of notification upon wrong use of the information system, including breach of security
    • Security audits

The Data Processor shall establish and maintain those security measures that security and technology risk assessments have revealed a need for.

 

8. Updates of processing activities and security audits

The list of processing activities, cf. clause 7.2 (b) above, shall be subject to verification and updated at least once a year or after substantial changes to the processing activities.

The Data Processor shall regularly, at least once a year or after substantial changes or discrepancies, carry out security audits of systems and anything else which is relevant for the processing of Personal Data pursuant to this agreement. The security audit shall verify that the technical, physical and organisational security measures which have been established, are complied with and function as planned, as well as identify potential improvements.

The result of the security audit shall be documented and be made available to the Data Controller, inter alia for use in the Data Controller’s security audit.

The Data Processor’s systems and processes will be regularly audited and certified, and any applicable certifications will be made available to the Data Controller upon request.

Expenses that accrue as a consequence of special audits requested or performed by the Data Controller shall be covered by the Data Controller.

 

9. Term of the Agreement

This Agreement is valid from the date of the Partnership Agreement and will be in effect as long as the Partnership Agreement is in force and supersedes any previous Data Processor Agreements of the Parties. Upon breach of this Agreement or Applicable Data Protection Legislation, the Data Controller can instruct the Data Processor to stop further processing of Personal Data.

 

10. Return and deletion upon termination of the Agreement

Upon termination of this agreement, the Data Processor shall return, overwrite, delete, cf. routines on deletion included in Appendix 2, and/or properly destroy all documents, storage media and anything else which contains Personal Data falling within the scope of this agreement. This applies also in respect of any back-up copies. The Data Processor shall document in writing that such action has taken place in accordance with this agreement within a reasonable time after the termination of this agreement. The Data Controller shall bear all costs in connection with the fulfilment of this clause, unless otherwise specified in the Partnership Agreement.

 

11. Governing Law

Governing Law is regulated in the Partnership Agreement, or as otherwise agreed between the Parties to this Agreement.

 

12. Notices

Notices given pursuant to this Agreement shall be sent to the contacts referenced in the Partnership Agreement.

Technical enquiries from the Data Controller regarding the services provided under this Agreement shall be sent to the Data Processor’s Data Privacy Officer:

[insert contact name and address]

Agreed for and on behalf of Kidsloop (DATA PROCESSOR)

[Kidsloop Group Company Name]

Signed:

Name:

Title:

Date:

Agreed for and on behalf of Partner (DATA CONTROLLER)

[Name of Partner entity]

Signed:

Name:

Title:

Date:

APPENDIX 1

Subject matter and details of Personal Data being processed

Nature and purpose of processing

Kidsloop as Data Processor is processing Personal Data received via the applicable Service (i.e., Kidsloop platform), on the Platform(s) or Partner Platform(s) upon the terms set out in the Partnership Agreement, on behalf of the Data Controller for the following purposes:

    • Providing the Services in accordance with the Data Processor Agreement and the Partnership Agreement
    • Providing basic and technical support related to the Services in accordance with the Data Processor Agreement and the Partnership Agreement
    • Secure backup of the Data Controller’s data
    • Data Processor may collect information on the Data Controller’s use of the Service for internal statistical and invoicing purposes and Derivative Data

Duration of the Processing

The term in the Partnership Agreement plus the period from the expiry of the term until deletion of all Customer Data by Data Processor in accordance with the term.

Categories of Personal Data

Data Processor processes Personal Data that is submitted, stored, imported, sent or received via the service, by (or at the direction of) the Data Controller and by authorised Partner users. The extent of the data is determined and controlled by these subjects’ sole discretion.

Personal Data means any information relating to an identifiable natural person including without limitation: contact information (name, image, voice, email address, contact number, technical data); contact details of children, parents, guardians, teachers; payment information (credit/debit card and other payment information); identity data (gender, date of birth, age, interests, reasons for participation, financial information, preferences, geographical location); communication (messages between users, discussions, comments to posts, notifications, etc.); user profile data including course material (assessments, assessment results and grades); user calendar entries and event data; user generated documents, presentations, images, homework and tasks; Platform(s) usage (including browsing behaviour / activities); sensitive data such as physiological data in images or video or sound recordings captured by photography, video and/or sound recordings at our events or Partner events and other Personal Data users provide to the Data Controller and/or Processor.

Data subjects

The Data Processor’s processing of Personal Data via the service on behalf of Data Controller, may include, but is not limited to Personal Data relating to the Data Subjects.

Data subjects or authorized Partner users include the Partner’s employees including teachers, administrators, lecturers, mentors and others, the Partner’s other employees and contractors, and any other user authorised by the Partner who transmits Personal Data via the service, including children, teachers and parents or guardians.

APPENDIX 2 | ROUTINES OF DELETION

Deletion of data upon termination of the Agreement

Within 12 months from the termination of the Agreement between the Data Controller and Data Processor, all data processed on behalf of the Data Controller will be permanently deleted, including backups other than Derivative Data.

Decommissioned storage media and erase policy

Storage media/disks (including HDDs, SSDs, memory sticks and tapes) containing data may experience performance issues, errors or hardware failure that lead them to be decommissioned. Every decommissioned storage medium is subject to a series of data destruction processes before leaving the Data Processor’s premises either for reuse or destruction, to ensure that all data is completely and securely wiped and destroyed. The erase results are logged by the decommissioned storage medium’s serial number for tracking. We also rely on public cloud storage. When data is deleted from the cloud, removal of the mapping from the public name to the stored information starts immediately and is generally processed across the distributed system within several seconds. Once the mapping is removed, there is no external access to the deleted object. That storage area is then made available only for write operations and the data is overwritten by newly stored data.

APPENDIX 3 | SECURITY MEASURES

PARTNER Applicable Data Protection Regulations      

GDPR Partner requirements

In general, GDPR requires you to:

    • Document and assess all processing of Personal Data and the systems being used. The purpose and lawfulness of the processing should be defined and you should make sure you do not process Personal Data that is not needed for the defined purpose.
    • Ensure the organisational and technical security of the processing and be able to demonstrate it. Assess your internal processes for data retention and security, and document it. Ensure that your own technology can provide sufficient technical security, and document it.
    • When you are using third-party services, like ours, to process Personal Data, you need to make sure that the data processing requirements are compliant with GDPR.
    • When acquiring new technology that is likely to result in a high risk to Personal Data, you need to perform a risk analysis – a Data Protection Impact Assessment (DPIA). As an existing Partner, our services are not new technology to you. But doing a DPIA might still be a good idea and will help you in documenting compliance.
    • Users (data subjects) have stronger rights under GDPR. Our Partners need to have a process in place for taking data subject requests, and for assessing the validity of the requests.
    • A particularly important data subject right is transparency and information. Make sure the information to your users on everything required under GDPR is easily accessible, including how they can exercise their rights. If your users are young, you should make sure this information is available to parents too.
    • Review the Kidsloop Data Processor Agreement, whose purpose is to regulate the rights and duties pursuant to the European Data Protection Legislation, including the GDPR regulations, applicable to the Data Controller in connection with the Partnership Agreement.

COOKIES POLICY

WHAT ARE COOKIES

Cookies (or similar technologies) are pieces of information which include a unique reference code that a website transfers to your device to store and sometimes track information about you. A number of cookies we use last only for the duration of your web session (session cookies) and expire when you close your browser. Other cookies are used, for example, to remember you when you return to platform(s) owned and operated by us (Platform(s) listed on Kidsloop Platform(s) page) and will last for longer (persistent cookies). Cookies cannot be used to run programs or deliver viruses to your computer. They are uniquely assigned to your device and are sent back to the originating website on each subsequent visit (if they last longer than a web session) or to another website that recognises that cookie.

Some of the cookies used on our Platform(s) are set by us, and we may use some set by third parties who are delivering services (such as interest based advertising and web analytics) on our behalf.

WHAT DO WE USE COOKIES FOR?

We use the following categories of cookies on our Platform(s):

Category 1: Strictly Necessary Cookies

These cookies are essential to enable you to move around the Platform(s) and use its features, such as accessing secure areas of the Platform(s) or areas with paid-for content. Without these cookies, certain services cannot be provided. As cookies are essential for using the Platform(s), these cookies cannot be turned off without severely affecting your use of the Platform(s).

Category 2: Performance Cookies

These cookies collect anonymous information on how people use our Platform(s). For example, we use Google Analytics cookies to help us understand how customers arrive at our Platform(s), browse or use our Platform(s) and highlight areas where we can improve our Platform(s) such as navigation, use of course materials. The data stored by these cookies never shows personal details from which your individual identity can be established.

Category 3: Functional Cookies

These cookies remember choices you make such as the country you visit Platform(s) from, language and search parameters. These can then be used to provide you with an experience more appropriate to your selections and to make the visits more tailored and pleasant. The information these cookies collect may be anonymised and they cannot track your browsing activity on other websites.

Category 4: Targeting cookies or advertising cookies

These cookies collect information about your browsing habits in order to make advertising more relevant to you and your interests. They are also used to limit the number of times you see an advert as well as help measure the effectiveness of an advertising campaign. The cookies are usually placed by third party advertising networks. They remember the websites you visit and that information is shared with other parties such as advertisers.

Category 5: Social Media Cookies

These cookies allow you to share what you have been doing on the platform(s) on social media such as Facebook and Twitter. These cookies are not within our control. Please refer to the respective privacy policies for how their cookies work.

HOW TO VIEW YOUR COOKIE SETTINGS AND CHANGE THEM?

If you want to delete any cookies that are already on your device, please refer to the help and support area on your internet browser for instructions on how to locate the file or directory that stores cookies.

Please refer to the useful links below for your browser:

Chrome: https://support.google.com/chrome/answer/95647

Internet Explorer: https://support.microsoft.com/en-gb/help/17442/

Firefox: https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences

Safari: https://support.apple.com/kb/ph21411

Opera: https://www.opera.com/help/tutorials/security/cookies/

Please note that by deleting our cookies or disabling future cookies you may not be able to access certain areas or features of our Platform(s).

OTHER USEFUL LINKS

You can also learn more about cookies in general by visiting www.allaboutcookies.org which includes additional, useful information on cookies and how to block cookies using different types of browsers.

For more general information about online behavioural (interest based) advertising and how it uses cookies, you may wish to visit www.youronlinechoices.com.

If you are visiting from the European Union, you can visit https://www.cookielaw.org/your-cookie-law-rights/ to get additional detail on EU cookie law.

last update: Sep. 02. 2021