Introduction
This Privacy Statement provides information to you on how Cacti Software W.L.L protects student records and personal information (referred to as “Client Data”) provided to us by our customers (educational institutions) to process on their behalf when they, their staff, parents/guardians, and students use our products, including mobile services; and how Cacti Software W.L.L collects and protects personal information (referred to as “Personal Information”). How we use the information may differ based on our relationship with you and our contractual obligations to our customers. Below, we’ve detailed the different relationships we may have with you. References to “us,” “we,” “our,” “EmpowerEd,” or “Cacti Software” in this Privacy Statement, are referring to Cacti Software W.L.L and its partners.
Types of Data
- Client Data: EmpowerEd receives Client Data from its customers, their authorized users (staff, faculty, parents/guardians and students), and processes that Client Data on behalf of the customer as a data processor. EmpowerEd’s processing is strictly controlled by the customer through contractual obligations, including data privacy agreements or privacy impact assessments. User access to these EmpowerEd products and services is restricted and controlled by the customer.
- Collected Data: In some instances, EmpowerEd collects personal information directly from a user of its publicly accessible websites or online services. For Collected Data, EmpowerEd acts as a data controller, serving both as collector and processor of the Personal Information of an individual. The collection and processing of personal information by any particular EmpowerEd website or service are consented to beforehand and subject to the Terms of Use or Service (TOU or TOS). You should not access or use a particular website or product if you do not agree with the TOU or TOS.
- Transaction Data: Transaction Data, also known as transaction data or metadata is created through the use of EmpowerEd products and services. This EmpowerEd proprietary data is normally found in application access and end-user usage monitoring logs, network access logs, web usage tools, communication logs, identity and access management logs, and database management system tables. This EmpowerEd proprietary data can be used to determine the health of the system, in incident investigation, for security information and event management or for troubleshooting a customer identified issue within a customer’s implementation of a product. EmpowerEd retains control and ownership of the Transactional Data.
Data Protection Commitment
Whether EmpowerEd is a collector or processor or your data, EmpowerEd is committed to protecting your personal information. EmpowerEd uses commercially reasonable physical, administrative, and technical safeguards to preserve the confidentiality, integrity, and availability of your personal information. As customers provide EmpowerEd with Client Data to process, EmpowerEd makes commercially reasonable efforts to ensure the security of our systems. Please note that this is not a guarantee that such information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, administrative, and technical safeguards. Regardless of whether the data is Client Data or Collected Data, both are covered under EmpowerEd’s privacy policy. EmpowerEd supports privacy rights and has developed and implemented policies, processes, procedures, and technologies for the collection, processing, use, and protection of your data at all times.
EmpowerEd employs a variety of physical, administrative, and technological safeguards designed to protect your data against loss, misuse, and unauthorized access or disclosure. We strive to continuously maintain reasonable physical, administrative, and technical security measures. Our security measures consider the type and sensitivity of the data being collected, used, and stored, and the current state of technology and threats to data. EmpowerEd is in the process of independently verifying its security management system to the internationally recognized standard for security management ISO 27001. EmpowerEd also endeavors to align its privacy and security operations to best practices and relevant international regulations.
Children’s Privacy
EmpowerEd has processes and procedures in place to protect the personal information of children under 13, as detailed below. We do not use such information for any purpose other than to provide our services and for the specific uses set forth below, in accordance with contractual agreements with our customers and our Terms of Service.
Children under 13 may only use EmpowerEd’s Products with the prior consent of a parent or educational institution acting on behalf of the child’s parent. We will not collect, use, or disclose any personally identifiable information from children under 13 without such consent. Educational institutions may consent to the collection, use, or disclosure of personally identifiable information from children under 13 by agreeing to subscribe or purchase our products.
EmpowerEd products may collect the following categories of personal information from children under 13, with the appropriate consent:
- Information provided via customers or through use of EmpowerEd’s Products, assessment data, conduct or behavior data, demographic data, enrollment data, contact information, course schedule data, online communications, student identifiers (e.g., school ID number), academic or extracurricular program membership, student-generated content, transcript data, college interests, college application list, college scholarships, career interests, and post-secondary planning data; and
- Usage, browser and device information: EmpowerEd does not allow personal information from children under 13 to be made publicly available via its Products. EmpowerEd does not share personal information from children under 13 with third parties unless consented to under our customer agreements or necessary under the law.
- Service providers, partners, and product integrations: Our service providers help us with data security, cloud hosting, information technology, customer support, usage and analytics, email delivery, application performance monitoring, and user identity and authentication.
- Administrative and legal reasons: When reasonably necessary to meet and comply with any applicable law, regulation, legal process or enforceable governmental request; enforce applicable Terms of Service, including investigation of potential violations; detect, prevent, or otherwise address fraud, security or technical issues; or protect against harm to the rights, property or safety of EmpowerEd, our users or the public as required or permitted by law.
- Business transitions: In the event that EmpowerEd goes through a business transition such as a merger, acquisition by another company, sale of all or a portion of its assets, bankruptcy, or other corporate change (including during the course of any due diligence process), this personal information may be shared or transferred based on consent of our customers.
Our customers, educational institutions, may share personal information of students with educators as needed for educational purposes. EmpowerEd does not control and is not responsible for this type of sharing. If you are a parent and have questions about this, please contact your child’s educational institution.
EmpowerEd does not share personally identifiable information from children under 13 for advertising or marketing purposes.
For EmpowerEd Products provided to educational institutions, the collection, maintenance, and use of personal information from children under 13 is controlled by the educational institution that contracts with EmpowerEd for use of its Products. If you are a parent and have questions regarding personally identifiable information collected from your child as part of their educational institution’s use of EmpowerEd’s Products, including your rights to review, delete, and refuse further collection of such information from your child, please contact your child’s educational institution. EmpowerEd cannot delete such information unless authorized by your child’s educational institution.
Data Retention
We keep information collected on behalf of our Customers for as long as necessary to fulfill the purpose for which it was collected, pursuant to contractual terms or as otherwise required by applicable law. We dispose of information that is not held pursuant to contractual terms within a commercially reasonable time period or at the request of a customer using reasonable measures to protect against unauthorized access to or use of information.
Data Service Providers
To comply with EmpowerEd’s obligations under applicable data protection laws and to our customers, we provide a list of significant third-party suppliers and service providers that enable us to provide our products and services and operate our business. These third-party suppliers and service providers perform the functions described below and are considered Subprocessors under applicable data protection laws (“Subprocessors”). We require and expect our Subprocessors to implement proper security measures to safeguard and to respect the privacy rights attendant to Client Data and Collected Data.
| Service Provider | Processing Activity | Location |
|---|---|---|
| Data Storage | United States | |
| MongoDB | Database | Various |
| Digital Ocean | Application Processing | Germany |
| Twilio | Cloud Communications | United States |
Other Third Party Providers and Partners
EmpowerEd works with service providers and partners to fulfill our obligations to our Customers.
- Service Providers. We engage directly with certain service providers to help us provide EmpowerEd Products. Our service providers are required to abide by our privacy and security requirements and are contractually restricted from using any Client Data or Collected Data accessed or received through us for any purposes other than as needed to perform such services. We may use service providers to help us conduct marketing campaigns or events and disclose customer contact information collected on our website as necessary for those activities.
- Partners. Educational institutions may work with EmpowerEd Partners to provide additional content and functionality, which may require access to Client Data maintained within EmpowerEd Products. Only with your educational institution’s permission, EmpowerEd will share (provide access) to Client Data. With your educational institution’s permission, and subject to an agreement between your educational institution and the Partner, EmpowerEd will share (i.e., provide access) to your data.
- Other Types of Disclosures. We may also need to share certain portions of Client Data or Collected Data under the following circumstances:
- We may need to disclose Client Data or Collected Data to comply with legal or regulatory requirements and to respond to lawful requests, such as court orders and subpoenas within a legal proceeding. Where such disclosures relate to personal information we hold as a data processor on behalf of our customers, we will refer such requests to our customers where permissible.
- We may need to disclose Client Data or Collected Data to protect and defend the rights, property, or safety of our customers or users, including enforcing contracts or policies, or in connection with investigating and preventing fraud or other misuse of our systems.
- Where permitted by applicable law, we may utilize aggregated or de-identified, or anonymized information that is no longer associated with a person for internal purposes, such as to enhance and promote the EmpowerEd Products. EmpowerEd does not rent, sell, or otherwise provide access to student personal information to third parties for marketing or advertising purposes.
Links to Other Sites
Our Websites may provide links to third party websites or resources. The information practices of those websites are not covered by this Privacy Statement or any other policies or terms applicable to the EmpowerEd Products or Websites. We recommend that you review any terms of use and privacy policies of any linked third-party website before providing any personal information.
Corporate Transition
In the event that EmpowerEd is acquired by or merged with a third-party entity, we reserve the right, in any of these circumstances, to transfer or assign the personal information our Customers have provided to us from our Users as part of such merger, acquisition, sale, or other change of control to the new data processor. In the unlikely event of our bankruptcy, insolvency, reorganization, receivership, or assignment for the benefit of creditors, or the application of laws or equitable principles affecting creditors’ rights generally, we may not be able to control how your personal information is treated, transferred, or used. Nevertheless, in such an unlikely circumstance and if feasible, EmpowerEd would encrypt and hand over all data to its customers.
Changes to the Policy
We may update this Privacy Policy and its last updated date to reflect changes to our data governance practices. If we propose to make any material changes, we will notify you by means of a notice on our public facing web page prior to the change becoming effective. We encourage you to periodically review our web page for the latest information on our privacy practices.
Contact Us
If you have any questions or concerns about your privacy or this Privacy Statement, please contact us at empowered.privacy@cactisoft.com