Introduction

Last updated: 12th December, 2024

Epraise Limited (“Epraise”) takes the privacy of its users, including students, teachers, and parents, seriously. Epraise is committed to protecting users’ privacy while providing a personalised and valuable learning experience through its education technology products and services (our “Services”).

This Product Privacy Policy sets out how we collect, handle and use information about you when you access and use our Services. It does not govern the collection, use and disclosure of your personal information when you access and use our public website at epraise.co.uk, epraise.com.au, and/or epraise.us (collectively, the “Website”), including its subdomains (collectively, the “Website”). To view our privacy policy governing our Website please see our Website Privacy Policy.

In our processing of personal information in connection with the provision of our Services to our School customers and their users, we act as a data processor under applicable data privacy laws, and in that context our School customers act as data controllers on behalf of which we process the personal information for purposes of the provision of our Services. When we act as data processor our processing of personal information is governed by our Data Processor Addendum or other data processing terms in place between Epraise and each School. For more information on our processing as a data processor, please contact the School that collected your personal information in connection with the use of our Services.

From time to time, we may change our Policy on how we handle personal information or the types of personal information which we hold about you. Any changes to our Product Privacy Policy will be published on our website.

We are subject to the privacy and data protection laws of the jurisdictions in which we operate, including, as a UK-based organisation, the UK Data Protection Act 2018 and the UK GDPR. In connection with our collection and processing of the personal information of EU residents, we are also subject to the EU General Data Protection Regulation (Regulation 2016/679) (GDPR).

Because we also collect, use, disclose and retain the personal information of users at our U.S.-based Schools, we may also be subject, in our processing of such personal information on behalf of those Schools, to applicable U.S. federal and state privacy laws. In support of our operations in the United States, we have also, as part of the Veracross Group, taken the Student Privacy Pledge (2020 version) as a public commitment for the responsible collection and use of student data from the United States. Among other things, we have committed to the following:

  • We only collect, store, process, or share student information that is needed for authorised education/school purposes, or as authorised by the parent/student.
  • We do not sell student personal information.
  • We do not use or disclose student information for behavioural targeting of advertisements to students.
  • We do not retain student personal information beyond the time period required to support the authorised educational/School purposes.

The complete Student Privacy Pledge (2020 version) can be read here.

Because we also collect, use, disclose and retain the personal information of users at our Australia-based Schools, we may also be subject, in our processing of such personal information on behalf of those Schools, to the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs)

If you have any questions about our Product Privacy Policy, you may contact us at privacy@epraise.co.uk.

The School Environment

As our Services are designed to be used in the classroom, much of the information collected is intended to be shared within the School Environment (as this term is defined below); Product-related or class-related activities, information, or communications may therefore be visible to anyone present in the classroom. Furthermore, some information will be available to other students, teachers, parents, guardians, and School or district administrators and/or employees (see "Epraise User Access Privileges" below). The sharing of the above information is subject to this Product Privacy Policy and the privacy policies of the relevant Schools. If you have any questions about the sharing of this information under those policies, we recommend that you contact the relevant School that first collected your personal information and through which you have access to our Services.

Epraise has implemented security measures to ensure that this information will not be shared outside the School Environment, except as outlined in this Product Privacy Policy.

Definitions

School means the educational institution that is a customer of Epraise and that provides students, teachers, parents, and School employees access to our Services.

Personal Information means any information or opinion about an identified individual, or an individual who is reasonably identifiable, and includes a person's name or address, bank account information, employment details, family information, credit history or photos, as well as Sensitive Information, or as otherwise defined under applicable privacy and data protection laws.

Product shall mean the Epraise cloud-based software, accessed via a website or application accessible at application stores, including but not limited to the Apple App and Android Store(s).

Product Website shall mean the areas of the epraise.co.uk/au/us and other relevant websites from where the User accesses and uses the Services area, including any content or functionality offered on or through them, but not including the Product.

Sensitive Information shall mean any information or opinion (that is also personal information) about an individual’s (i) racial or ethnic origin; political opinions; membership of a political association; religious beliefs or affiliations; philosophical beliefs; membership of a professional or trade association; membership of a trade union; sexual orientation or practices; and criminal record; (ii) health and/or wellbeing information; (iii) genetic information (that is not otherwise health information); (iv) biometric information that is to be used for the purpose of automated biometric verification or biometric identification; and (v) biometric templates (for example, certain facial images and faceprints (algorithmic representations of facial images); or as otherwise defined under applicable privacy and data protection laws.

Services means the Epraise Product, Product Websites, and domain name, all other websites and domain names affiliated with Epraise and any other linked pages, features, content, or mobile application services offered from time to time by Epraise, and shall include, without limitation, any service Epraise performs for users at our School customers and the content offered by Epraise on the Product, Product Websites, or any other platform associated with the Services.

School Environment means, collectively, the classroom, teachers, parents, guardians, students, and School and district administration and employees/agents.

Student Data shall include records, files, documents, and other materials that contain information directly related to a student, and that are maintained by an educational agency or institution or by a person acting for such agency or institution.

User” shall mean any user of our Services, including Teacher, Student, Parent, and/or School Employee users

If you are based in the United States, the following additional definitions shall apply:

  1. Education Records” shall have the meaning ascribed to it by the U.S. Family Educational Rights and Privacy Act (FERPA), and include records, files, documents, and other materials that contain information directly related to a student, and that are maintained by a U.S.-based educational agency or institution or by a person acting for such agency or institution.
  2. Personal Information” shall have the meaning ascribed to it by the Children's Online Privacy Protection Act (COPPA), and include individually identifiable information such as: first and last name; physical address; online contact information; user name; telephone number; Social Security number; persistent identifier that can be used to recognize a user over time and across different websites or online services; media containing a child’s image or voice; and geolocation information sufficient to identify street name and name of a city or town (see 16 CFR § 312.2).
  3. Personally Identifiable Information” shall have the meaning ascribed to it by the Family Educational Rights and Privacy Act (FERPA), and include information that can be used to distinguish or trace an individual’s identity either directly (such as a student’s or other family member’s name) or indirectly (such as a student’s date of birth, place of birth, or mother’s maiden name) (see 34 CFR § 99.3).

Collected Information

1. Personal Information

The specific information collected depends on the user type (i.e. teacher, district/School staff, parent, and student users). A list of the personal information collected for each user type of our Services, including the type of information collected, how the information is collected and used within the School Environment, whether other users can view the information, and whether the information is shared outside of the School Environment, is available on request in our Data Inventory Table.

2. Cookies

Cookies are small data files that are commonly stored on your device when you use websites and online services. They are widely used to make websites work, or to work more efficiently, as well as to provide reporting information and assist with services or personalisation. There are also other technologies that are similar to cookies, which may store small amounts of data on your device (“local storage”).

Epraise uses the following types of cookies and local storage (collectively called “Cookies” herein):

  • Strictly necessary Cookies: These are cookies that are required for the operation of our Services. These essential cookies are always enabled because our online platform through which our Services are provided won’t work properly without them. They include, for example, cookies that enable you to log into secure areas of our Services. You can switch off these cookies in your browser settings, but you may then not be able to access all or parts of our Services.
  • Performance and functionality Cookies: These Cookies are not essential, but they help us personalize and enhance your user experience. For example, they may help us to remember your preferences and prevent you from needing to re-enter information more than once, or to remember your id and password so that you do not have to enter them each time you use our Services.

Our Services does not use cookies for advertising purposes.

If you wish to disable the use of Cookies, you may do so from the browser preferences menu of your browser software by either turning off Cookies or by using your browser’s privacy mode when using our Services.

Please find our list of cookies that we use in our products here.

What Does Epraise Do with the Collected Information?

Epraise only collects and uses user information that is required to fulfil its duties and provide and improve its services. Specifically, collected information is used for the following purposes:

  • To operate our Services;
  • To monitor, improve, & secure our Services;
  • To enable users to login to our Services;
  • To allow teachers, parents, guardians, students, and School and district administration and employees/agents to manage and engage with our Services as directed by the School;
  • To enable class-related activities such as classroom content, assignments/tasks, and communications;
  • To provide analytic data to School administrators;
  • For software and customer support purposes; For sales, internal marketing, invoicing, and/or billing purposes;
  • To enable 3rd party integrations selected by and at the direction of the School.

Epraise does not advertise or market to students or their parents. No personally identifiable student information will be used for marketing purposes.

Epraise does not share personally identifiable information outside the School Environment, except for those purposes stated within this document, without first obtaining the express written consent of the individual.

Parents who login to our Services are not granted access to personally identifiable information of any student other than their child.

Collected information in aggregate form, whereby individual users are not identifiable (i.e. “de-identified data”), is used for the following purposes:

  • To improve our Services;
  • For research and statistical purposes;
  • For marketing purposes related to our Services; and
  • For customer support purposes.

De-identified data will have all direct and indirect personal identifiers removed. This includes, but is not limited to, name, user ID, date of birth, and location information. Furthermore, Epraise will not attempt to re-identify de-identified data or transfer de-identified data to any party unless that party agrees not to attempt reidentification.

Epraise User Access Privileges

All user access and/or interactions within our Services occur in the School Environment among district/School administrators, district/School employees or agents, teachers (including paraprofessionals, aides, behaviour specialists, or other school employees), students, and parents (“trusted users”) in the School Environment.

Teachers (including teachers, paraprofessionals, aides, substitute teachers, behaviour specialists, or other School employees working with students in the classroom) are granted access to student data for the students in their classes and to parent data for the students in their classes. School/district administration officials may access teacher and student data to monitor in-app activities and student behaviour/attendance. Other School employees or agents within the School Environment have appropriate privileges based on their role and need-to-know. These privileges are configured and maintained by the School, not Epraise. Students are granted access to their personal information and all content posted by their teachers or other School officials necessary for them to fulfil their roles within the School. This access is configured and maintained by the School, not Epraise. Note that some data may be displayed by the teacher in front of the whole class or other groups who may not normally have access to this data. This is at the discretion of School officials and not within the control of Epraise. Parents are granted access to data related to their child and their child’s teacher, and to aggregate data for their child’s class.

Student Records

Student records are the property of and under the control of the School and/or School district. Students can access their student records by logging in to their student account. Parents and guardians of students under the age of 18 can access their child’s information via their parent account or by contacting the School. Corrections of any erroneous information should be brought to the attention of the School administration. In the event that the teacher or the School are unable to make the correction, the School will contact Epraise via normal support channels. Epraise will work with the teacher or the School to facilitate correction of any erroneous information.

Third parties are not granted access to personally identifiable information or educational records or other student records except as provided in this Product Privacy Policy, or after first obtaining the express written consent of the parent or student over 18 years of age.

Should there be any unauthorised disclosure of a student’s records, Epraise will notify the School in accordance with applicable law following discovery of the unauthorised disclosure.

No Marketing to Students and Parents

Epraise does not share user data with third parties for marketing purposes. Furthermore, Epraise does not use student data for marketing of any kind, including marketing to students or parents. For information on our privacy practices with respect to the operation of the corporate website, please see Epraise’s Website Privacy Policy.

Deletion of Records

As our School customers require access to records on a continuous basis, Epraise maintains records at the direction of our customers as long as we have an engagement with our customers. Upon termination of an engagement with our customers, records will be deleted within 30 days of the date of termination. Customers have complete control over records lifecycles, including the ability to delete records as they see fit or as directed by a student, parent, faculty, staff, or any other data subject at any time. If you have any concerns about records retention, please contact your School or email privacy@epraise.co.uk.

International Data Transfers

We collect and store personal information globally from each jurisdiction we operate in and from each legal entity that is owned or operated by us in different international jurisdictions and may transfer, process and store your personal information outside of your country of residence, to wherever we or our third-party service providers operate for the purpose of providing you our Services.

Regional Compliance

1. United States of America

FERPA

FERPA is an acronym for the Family Education Rights and Privacy Act, a U.S. federal law to protect the privacy of student educational records. FERPA gives parents certain rights with respect to their non-adult children's education records. These rights include the right to inspect and review the student's education records maintained by the school, as well as the right to request that a school correct records which they believe to be inaccurate or misleading.

Furthermore, under FERPA, schools generally must have written permission from the parent in order to release any information from a student's education record, which includes records, files, documents, and other materials that contain information directly related to a student and are maintained by an educational agency/School, or the personally identifiable information contained within those records. However, FERPA allows schools to disclose those records, without consent, to various parties under specified conditions, including the following (see 34 CFR § 99.31):

  • School officials with legitimate educational interest;
  • Other schools to which a student is transferring;
  • Specified officials for audit or evaluation purposes;
  • Appropriate parties in connection with financial aid to a student;
  • Organizations conducting certain studies for or on behalf of the School;
  • Accrediting organizations;
  • To comply with a judicial order or lawfully issued subpoena;
  • Appropriate officials in cases of health and safety emergencies; and
  • State and local authorities, within a juvenile justice system, pursuant to specific State law.

Schools may also disclose, without consent, "directory" information such as a student's name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. However, schools must tell parents about directory information and allow parents a reasonable amount of time to request that the school not disclose directory information about them.

While this act is primarily directed towards educational institutions, Epraise recognizes its role as a “School Official” with a legitimate educational interest under FERPA, and our Product Privacy Policy is designed to secure student data in compliance with FERPA and to allow education institutions using Epraise to be compliant with FERPA. Epraise does not disclose student educational records or directory information outside of the School Environment.

COPPA

COPPA is an acronym for the Child Online Privacy Protection Act, a U.S. federal law to protect the privacy of children under the age of 13. COPPA requires that online service providers such as Epraise, or teachers/Schools acting as a parent’s agent, provide parental notification and obtain parental consent before knowingly collecting personal/individually identifiable information from children under the age of 13, except in limited situations (for exceptions to this consent requirement, please see 16 CFR § 312.5(c)).

Pursuant to the Terms of Use between Epraise and the Users of the Services Product Terms of Service, teachers, or a teacher's School or district administration, will obtain verifiable parental consent, should it be required under COPPA. Epraise provides information for teachers, including COPPA Direct Notice and a sample parental permission document.

If such personal information is collected without parental consent or collected beyond the scope needed for participation in the Services, Epraise will delete such information as soon as possible. If you believe that information from a student under the age of 13 has been provided in violation of these terms, please contact us at privacy@epraise.co.uk.

Please review the foregoing sections for descriptions of the types of personal information we collect; how we collect that information; how that information is used; and our policies on protecting that information from third party access.

Epraise takes the rights of children and parents very seriously. To this end:

  • Epraise won’t require a child to disclose more information than is reasonably necessary to participate using its Services within the School Environment;
  • Parents can review their child’s personal information, direct Epraise to delete it, and refuse to allow any further collection or use of their child’s information; and
  • Parents can agree to the collection and use of their child’s information, but still not allow disclosure to third parties unless it is part of the Services.

Parents may contact Epraise following the procedures outlined in the “Changes and Access to Personal Information” section below.

2. European Union

Since May 25, 2018, the GDPR has defined the rules regarding the collection, use, and retention of personal information from residents of the European Union (EU). Epraise complies with applicable GDPR rules.

In order to operate its services, and in accordance with this Product Privacy Policy, Epraise may collect, use, and retain personal information from users of the Services who are based in the EU.

Furthermore, in order to operate its services, and in accordance with this Product Privacy Policy, Epraise also conducts business with third-party data processors in the United States, where personal information for users of the Services is stored. Accordingly, when Epraise transfers personal information outside of the European Economic Area to the United States and/or Australia, such transfers will be governed by data processing agreements and international data transfer mechanisms that comply with European Union data protection requirements.

3. United Kingdom

Following Brexit, the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419) amended the GDPR, the UK Data Protection Act 2018 (which had implemented the GDPR into UK law) and other data protection legislation including the Privacy and Electronic (EC Directive) Communications Regulations 2003 (SI 2003/2426) (as amended) with the aim of ensuring that the UK data protection legal framework functioned correctly after exit day. Epraise complies with applicable UK data protection rules.

In order to operate its services, and in accordance with this Product Privacy Policy, Epraise may collect, use, and retain personal information from users of the Services who are based in the UK.

Furthermore, in order to operate its services, and in accordance with this Product Privacy Policy, Epraise also conducts business with third-party data processors in the United States, where personal information for users of the Services is stored. Accordingly, when Epraise transfers personal information outside of the United Kingdom to the United States and/or Australia, such transfers will be governed by data processing agreements and international data transfer mechanisms that comply with UK data protection requirements.

4. Canada

Rights of users located in Canada are governed by the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, the Personal Information Protection Act, R.S.A. 2003, c. P-6.5, the Personal Information Protection Act, R.S.B.C. 2003, c. 63 and an Act respecting the protection of personal information in the private sector, CQLR, c. P-39.1, as amended by Law 25, An Act to modernize legislative provisions as regards the protection of personal information (as applicable based on the location of the user in Canada).

Since the adoption of Law 25, Quebec residents have enhanced rights with respect to their personal information, including:

  • Access Rights: the right to receive confirmation of the processing of their personal information, of the nature of the information being processed, and to receive a copy of it.
  • Data Portability Right: the right, subject to certain exceptions, to ask that the processing organization communicate to them computerized personal information in a written, intelligible transcript, and any collected personal information in a structured, commonly used, technological format.
  • Rectification Right: subject to certain requirements and exceptions, the right to ask to correct the information in the processing organization’s possession that is inaccurate, incomplete, or ambiguous, or if collecting, communicating, or keeping it is not authorised by law.
  • De-indexation Right or "Right to be Forgotten": the right to ask organisations to stop disseminating their personal information or to de-index any hyperlink attached to their name giving access to information if this dissemination causes them harm or contravenes the law or a court order.
  • Automated Decision Making: the right to be informed when they are the subject of a decision based exclusively on automated processing of their personal information. Epraise must also, on request, inform you about the personal information used to make the decision, the reasons and main factors leading to the decision, and the right to request correction of the personal information used to make the decision. You must also be given the opportunity to present their observations to a member of their staff for review of this decision.

Canadian users can access and modify their personal information in Epraise’s possession using your user login and password, or by following the instructions in the section of this document titled “Changes to and Access to Personal Information.”

To exercise their other access rights under Canadian law, residents of Canada shall contact the School on whose behalf Epraise processes their personal information.

Please note that because Epraise and its service providers are located in the United States and other countries outside Canada, we may transfer personal information that we collect or that you provide as described in this policy to contractors, service providers, and other third parties we use to support our business and who are contractually obligated to keep personal information confidential, use it only for the purposes for which we disclose it to them, and to process the personal information with the same standards set out in this policy.

We may process, store, and transfer your personal information in and to foreign countries, with different privacy laws that may or may not be as comprehensive as Canadian law. In these circumstances, the governments, courts, law enforcement, or regulatory agencies of that country may be able to obtain access to your personal information through the laws of the foreign country. Whenever we engage a service provider, we require that its privacy and security standards adhere to this policy and applicable Canadian privacy legislation.

5. Australia

We may disclose your personal information to recipients which are located outside Australia.

Those recipients are likely to be located in the UK and the United States.

Before disclosing personal information to an organisation that is outside Australia (for example, for processing or storage) we take reasonable steps to make sure the overseas recipient will not breach the APPs (for example, contractually bind the overseas recipient to comply with the APPs).

Data Security

Epraise uses industry standard methods to protect the confidentiality, security, and integrity of its customers’ data, including personal information collected from children, against unauthorised use or access, disclosure, alteration, unlawful or accidental destruction, or loss. We ensure that all such protected data is encrypted both at rest and in transit, and is only retained or deleted in accordance with this Product Privacy Policy or any overriding agreements with educational agencies.

Epraise does not share the data covered by this policy informally among its employees. Only those employees who require the protected data to carry out their duties are granted access. In such cases, access is granted based on the principle of least privilege, which means that each employee is granted the fewest privileges necessary to complete their tasks. Employees with access to protected data are given training to apprise them of their responsibilities when handling data and the various laws and agreements covering data security. Such employees are also given a unique user ID for purposes of accountability.

Epraise performs periodic risk/vulnerability assessments and data privacy and security compliance audits. Epraise will remediate any identified security vulnerabilities in a timely manner. We also have a written incident response plan, which includes prompt notification to the School/district in the event of a security or privacy incident, as well as best practices for responding to a breach of personally identifiable information. We will share this incident response plan upon request.

While Epraise is committed to implementing best practices with regard to information and data security, we cannot make a 100% security guarantee due to constant advances in virus and hacking technology, as well as unforeseeable hardware or software failures and other risk factors. Epraise can therefore not be held responsible for data loss or alteration. Epraise will notify any affected customer of a personal data breach in accordance with applicable law.

For additional information about our security measures please see our Trust Centre.

Third Parties

1. Third Party Links

Any member of the School community may make postings that contain links to third party services in various sections of the Services. Common examples of this would be links to videos hosted by YouTube links to Wikipedia or other reference material, and so on. It is the responsibility of the user to ensure that this content is appropriate and free from links to sites which may compromise their privacy. Epraise does not actively monitor content and has no responsibility for this content.

2. Third Party Integrations

Third Party software may, at the initiative and discretion of the School, be integrated with the Services. Epraise has no responsibility for the content, policies, or actions of these websites and they are entirely separate from Epraise and are not covered by this Product Privacy Policy.

Epraise also provides users with the option of registering/logging into its Services with single sign-on authentication through Third-Party software. If you choose to access our Services through single sign-on authentication, Epraise may exchange personal information such as the user’s email address with the authentication service, depending on your privacy settings with that service. Epraise will only collect and store such information in accordance with this policy. We recommend familiarizing yourself with any authentication service’s terms of use and privacy settings and policies before using such services to connect to our Services.

A list of these Third-Party Integrations, including the services they provide to the School, the information we share with the third-party software providers or that they share with us, their privacy policies, and their contact information, can be found here.

3. Third Party Service Providers

Epraise may use trusted third-party service providers to support our Services by assisting us with providing, maintaining, and improving our services. To this end, Epraise may share information with these providers, but only to the extent necessary to provide our Services, and only in accordance with our needs, this Product Privacy Policy, and all other applicable privacy agreements, laws, and/or requirements.

In particular, where your personal information is stored electronically, it is done so by a third-party cloud service provider that may store your personal information or a backup of your personal information in the UK/EU, the United States of America or such other locations that the third-party cloud service provider determines from time to time. The data that we collect from you may be transferred to, and stored to, these servers or processed by staff operating in other countries, who work for us or a School.

A list of these providers, including the services they provide to Epraise, the information we share with them or that they share with us, the jurisdiction(s) in which they store your personal information on our behalf, their privacy policies, and their contact information, can be found here.

Changes to and Access to Personal Information

Users have access to their personal information via their Epraise user account, or by contacting the teacher or School administration.

Users may also request a copy of their personal information, make modifications to any incorrect information, or exercise any other rights available to them under applicable law by sending a written request to the School.

Change of Control

In the event that all or a portion of Epraise or its assets are acquired by or merged with a third party, personal information that we have collected from users would be one of the assets transferred to or acquired by that third party. This Product Privacy Policy will continue to apply to your information, and any acquirer would only be able to handle your personal information as per this policy (unless you give consent to a new policy). We will provide you with notice of an acquisition within thirty (30) days following the completion of such a transaction, by posting on our homepage, or by email to your email address that you provided to us. If you do not consent to the use of your personal information by such a successor company, you may request its deletion from the company.

Disclosure of Information to Satisfy Legal Obligations

Epraise may disclose personal information if we have a good faith belief that doing so is necessary to comply with the law, such as complying with a subpoena or other legal process. We may need to disclose personal information where, in good faith, we think it is necessary to protect the rights, property, or safety of Epraise, our employees, our community, or others, or to prevent violations of our Terms of Service or other agreements. This includes, without limitation, exchanging information with other companies and organizations for fraud protection or responding to government requests.

Changes and Updates to the Product Privacy Policy

This Product Privacy Policy is effective as of July 2024. Epraise may, in its sole discretion, update, revise, modify, and/or supplement from time to time this Product Privacy Policy. Should we make modifications to this policy or the related Terms of Service, we’ll post a notice that you will receive when you login to our Services and/or we will send an email directly to the School. Epraise’s updated Product Privacy Policy and Terms of Service will also be posted on Epraise’s corporate website. Epraise asks users to review the updated Product Privacy Policy and/or Terms of Service before continuing to use our Services. The User’s continued use of the Services provided by Epraise after the updated Product Privacy Policy takes effect will constitute the User's acceptance of the updated Product Privacy Policy.

Contact

Epraise's service to its Users and Users' trust is of utmost importance to Epraise. If Users have any questions about this Product Privacy Policy, Users should contact Epraise at privacy@epraise.co.uk.