AN EDUCATIONAL SERVICE THAT IS TRULY PRIVATE
ReflEQ is designed with privacy in mind. It is a secure online platform, providing schools/universities with a methodology to develop student self-awareness and metacognition alongside the “nuts and bolts” steps of a project, unit or assignment.
To accomplish its goals, it is essential that ReflEQ is a safe place for students to document their learning, and that they (and their instructors) are in complete control of how their information is shared.
OUR PROMISE TO YOU
Students solely own the content they create in ReflEQ.
Student work is private to the student and their instructor(s) by default.
We use the latest security industry best practices to protect you.
We are transparent about our practices.
We are compliant with all applicable federal and state data privacy laws including the Family Educational and Privacy Rights Act (“FERPA”), the Children’s Online Privacy Protection Act (“COPPA”), and for EU subscribers the General Data Protection Regulation (“GDPR”).
We do not collect, maintain, use or share personal information beyond what is necessary for authorized educational/school or legal purposes.
There is no tracking of any personal information for third-party or marketing purposes on ReflEQ.
We will never expose any student, instructor or other user of ReflEQ to any third-party advertisements on our site.
We will never allow data collection by third-party advertisers or data brokers.
We do not, and never will, sell any student’s (or any individual’s) data to any third party.
The only instance in which we may share such personal information is if obligated to do so by law.
GUIDING PRINCIPLES FOR STUDENT/USER PRIVACY
For any Site subscribing to ReflEQ, we follow these guiding principles related to identifiable personal information and privacy:
ReflEQ upholds all COPPA, FERPA, General Data Protection Regulation (GDPR) and related regulations.
An organization has complete discretion as to which student and instructor accounts it wishes to create within its Site license.
Students own their own Student Content on ReflEQ.
Student Content is only visible to either the one or two instructors (Assigning Instructors) who are using ReflEQ with that student alongside a specific classroom project, assignment or unit.
Beyond the Assigning Instructor(s) of a project, the student may choose to share his/her own Student Content beyond that, for example by generating a secure weblink to a ReflEQ journal and sharing that weblink with another instructor, coordinator or parent. However this additional sharing of Student Content beyond the Assigning Instructors is by the student’s choice entirely.
COLLECTION AND PROCESSING OF PERSONAL INFORMATION (PI)
Any Account Information and Student Data collected and processed by ReflEQ will always be done so with the consent of its users and for the specific purposes outlined below, which are necessary for the operations of the Service.
(1) Site-Subscription Creation
A Site subscriber is typically a school, district or university department. There are no individual or single classroom subscriptions to ReflEQ.
When a Site subscribes to ReflEQ, we collect only the minimal pieces of Account Information that we need for subscription registration and billing purposes. Usernames, passwords, and IP addresses collected for the purpose of Site-access authentication are held in the strictest confidence.
For Site accounts, payment may be made by physical check, wire/ACH, or credit card. No credit card or other payment information is stored in our database, nor kept in any electronic or paper version.
(2) Account Creation
When instructor or school administrator accounts are generated in ReflEQ, we collect name, email address, password, and a profile icon or image if one is uploaded.
When student accounts are generated in ReflEQ, ReflEQ collects a small amount of personally identifiable Student Data about them including their names and email addresses. A student may also upload a profile icon or image on an optional basis only. The student email address is used for login. The student email may also be used if the instructor issuing a reflection question chooses that the student should receive email notifications to remind them of a due date for that reflection.
School administrators may generate both instructor and student accounts on ReflEQ by manual entry or CSV import.
Instructors may only create student accounts, by manual entry only.
ReflEQ Support can be requested by the Site to generate student and/or instructor accounts for the Site. In such cases, ReflEQ opens a secure single-use portal so that a Site administrator can securely provide ReflEQ the names and email addresses of those students and/or instructors whose accounts should be generated.
(3) Student Content
ReflEQ stores content that the student writes into a student ReflEQ journal for a specific classroom project or assignment. The purpose of such journal entry is to document student learning and is in written form only. Student Content may occasionally include an associated PDF if the student is requested by the instructor to upload such attachment. Student Content that is uploaded by a student may be considered a student education record as defined by FERPA.
(4) Withholding, Correction, Deletion of Personal Information
In situations where personal information is collected, if you choose to withhold any personal data requested by us, it may not be possible for you to gain access to certain parts of the site or for us to respond to your queries.
You have the right to access, correct, download for transport to a similar service, or delete any of your personal information collected by ReflEQ. If you are a instructor, you can update the information associated with your ReflEQ account directly by contacting ReflEQ directly. If you are a student (or parent who wants to correct, edit, download, or update information about your student), please work directly with your Site, or contact us directly at firstname.lastname@example.org.
If you would like to delete your ReflEQ account or any content submitted to ReflEQ, please send an email to email@example.com. If you request that your account or any content submitted to ReflEQ be deleted, ReflEQ may still retain information for up to 60 days to provide support and prevent accidental deletion.
If you are a instructor or school administrator within the US, please be aware that FERPA requires us to retain student education records once a valid request to inspect those records has been made.
PASSIVE INFORMATION COLLECTION TECHNOLOGIES FOR INTERNAL OPERATIONS
Some privacy frameworks like GDPR consider IP address logs to constitute personal information. Thus, no identifiers are ever used except for to provide support for our internal operations, site and service. Furthermore, IP addresses are never shared with any third parties. In order to compile usage statistics for subscribing organizations, we also record the date and time that users access the Service, and from what IP address they log in.
Cookies are small text files that we transfer to your web browser that allow us to identify your web browser and store information about your account. We use these cookies to keep you logged in to ReflEQ. If the ‘Remember Me’ checkbox is checked on login, it sets a cookie that will expire two days after login. This cookie will persist across browser restarts. If that box is not checked, it uses a ‘session cookie’ that will expire when the browser is closed. You can choose to remove or disable cookies via your browser settings. Please be aware that ReflEQ will not work properly if you disable or decline cookies.
EXTERNAL LINKS AND THIRD-PARTY INTEGRATIONS
OUR SECURITY PRACTICES
ReflEQ maintains a security program that is designed to protect the security, privacy, confidentiality and integrity of the student personal information against risks such as unauthorized access or use, or unintended or inappropriate disclosure. There are no software development activities occurring outside the U.S., and the code is written in languages with gold-standard security parameters. Our data is stored in the United States with robust digital and procedural safeguards in place to protect your personal information. All passwords are securely encrypted within our database, which has daily backups and is protected by SSH and a firewall. Users are authenticated with email address and password that are hashed by bcrypt. All actions that involve the digital transmission of personal data are handled by 256-bit encryption.
As previously noted, the service has minimal collection of personal information, and minimal integration with services that could cause any unintended transference of personal information. If you have any questions about the security at our website, you can contact us via our Support Desk.
Security Breach Response
In the unlikely situation of private user data breach, we will quickly respond to, and mitigate, any private user data breach based on our Breach Response Plan:
In the event that personal information is accessed or obtained by an unauthorized individual, ReflEQ (“Provider”) shall provide notification to the school or district (“Subscriber”) within forty-eight (48) hours. Provider shall email a Notice of Data Breach (“Notice”) to account contacts on record that details what happened, what Student Data was involved, and what is being done to resolve the issue. Subscriber will be given Provider email and phone contact information to obtain more information.
The Notice will specifically include:
- A description of the breach in plain language.
- Specific personal information that ReflEQ believes to have been compromised.
- Estimated date or date range the breach occurred.
- A description of what ReflEQ has done to protect against further data breach.
- Advice to individuals whose information has been breached.
- ReflEQ contact information to obtain further details.
Provider agrees to adhere to all requirements in applicable State and federal law with respect to a data breach related to the personal information, including, when appropriate or required, the required responsibilities and procedures for notification and mitigation of any such data breach.
Provider maintains and keeps updated a written incident response plan that reflects best practices and is consistent with industry standards and federal and state law for responding to a data breach, breach of security, privacy incident or unauthorized acquisition or use of personal information or any portion thereof, including personally identifiable information.
(1) REFLEQ and Parental Consent
COPPA regulations state that teachers or schools have parental consent to use ReflEQ with children who are under the age of 13. You should check your local laws to determine the relevant age in your country. If you are aware ReflEQ is collecting information from a student under the age of 13 without parental consent, please contact us immediately and we will delete the data.
(2) REFLEQ and FERPA
Data collected by ReflEQ may include personally identifiable information from education records that are subject to the Family Educational Rights and Privacy Act, “FERPA”, (“FERPA Records”). To the extent that Student Data includes FERPA Records, you designate ReflEQ as a “School Official” (as that term is used in FERPA and its implementing regulations) under the direct control of the school with regard to the use and maintenance of the FERPA Records and ReflEQ agrees to comply with FERPA.
(3) REFLEQ AND GDPR
ReflEQ has opened to schools and students in the European Union. ReflEQ complies with the European Union General Data Protection Regulation (the “GDPR”). We meet the privacy requirements of all EU members. All technical and procedural measures are in place to protect personally identifying information.
Under GDPR, ReflEQ stands behind your fundamental rights regarding how we will collect, use and store data:
- We strive to be transparent and inform you in how we use personal data.
- Users of ReflEQ shall have the right to know exactly what information is held about them and how it is processed, and are entitled to have personal data rectified if it is inaccurate or incomplete, or deleted if so requested.
- With respect to personal information, we respect the right for subscribers to block or suppress its processing.
- Users of ReflEQ have the right to retain and reuse their personal data for their own purpose.
- Personal data is not used for the purpose of direct marketing, scientific and historical research, or the performance of tasks outside the scope of operation of the ReflEQ platform.
ReflEQ processes personal data as both a Processor and as a Controller, as defined in the EU Directive and the GDPR. ReflEQ has a “Data Protection Officer” who is responsible for matters related to privacy and data protection. The Data Protection Officer is Rigele Abilock, who can be reached per the contact information listed at the bottom of this agreement.
TERMS OF SERVICE
380 Hamilton Ave, Suite 172
Palo Alto, CA 94301