Privacy Policy
Introduction
Healthy Minds, Safe Schools (“HMSS,” “we,” “us,” or “our”) is committed to safety and wellness. This extends to the safety and integrity of the data we collect. As part of this commitment, we developed this Privacy Policy (“Policy”) to explain how HMSS collects, uses, shares, and protects the information you provide to us in the course of our assessment services and your rights with respect to such information. This Policy applies to information we collect or receive through assessment products and platforms. Please visit www.healthymindssafeschools.com. If you are a resident of the European Union (“EU”), the United Kingdom (“UK”), Illinois, California, or New York, you may have additional rights with respect to your Personal Information, as outlined below.
Summary of Key Points
Table of Contents
Introduction
Summary of Key Points
Table of Contents
Definitions
What Type of Information Do We Collect?
How Is Personal Information Collected?
How Do We Use Personal Information?
Disclosure of Personal Information
How Do We Protect Personal Information?
Accessing, Updating, or Deleting Personal Information
Compliance With COPPA and FERPA
Compliance With HIPAA
Children’s Privacy
Your California Privacy Rights
Your Rights Under the EU GDPR and the UK GDPR
NY Education Law 2-d
Illinois Student Online Personal Protection Act (“SOPPA”)
Other Websites and Services
De-Identified Information
Changes to Our Privacy Policy
Personal Information Transferred from the U.S.
Do Not Track
How to Contact Us
Definitions
“COPPA” means the Children’s Online Privacy Protection Act, 15 U.S.C. §§ 6501-6505, and the regulations promulgated thereunder, each as amended.
“Customer” means an institution or professional who licenses Services, such as school districts, educational agencies, universities, hospitals, clinical psychologists, and healthcare systems.
“Customer Personnel” means employees, staff, contractors, agents, and other authorized representatives of our Customers, such as administrators, authorized account holders, staff, teachers, and psychologists.
“FERPA” means the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g, and the regulations promulgated thereunder, each as amended.
“HIPAA” means the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d et seq., and the regulations promulgated thereunder, each as amended.
“Personal Information” means information that, either alone or in combination with other information, identifies or relates to an individual.
“Platforms” means HMSS’s web-based platforms for assessment, scoring, and reporting.
“Products” means HMSS’s behavioral and risk screening assessments.
“Protected Health Information” or “PHI” has the definition provided under HIPAA.
“Services” means the Platforms and Products.
“Students/Examinees” means individuals who either directly use HMSS’s Services or whose information HMSS collects in the course of providing Services.
Additional defined terms are identified throughout the rest of this Policy.
What Type of Information Do We Collect?
In providing the Services, we may request Personal Information from you or other individuals affiliated with the Customer sponsoring your use of the Services, including Students/Examinees. The exact Personal Information we need to collect depends on which Service you are using and the optional data fields you or the Customer sponsoring your use of our Services chooses to provide. Our Services may collect three broad categories of Personal Information:
How Is Personal Information Collected?
We collect information that is provided by you. We may collect the following types of Personal Information through your use of the Services in the following manner:
How Do We Use Personal Information?
The primary use of any Personal Information we collect from you is to communicate assessment measurements, evaluations, and reports that are based on our psychometrically sound assessment results.
In addition, we may use Personal Information for the following purposes:
Disclosure of Personal Information
We will not disclose Personal Information except as set forth in this Policy or with your consent. This section describes to whom we disclose Personal Information and for what purposes:
Our Service Providers
We employ reputable service providers to assist us in providing aspects of our Services. A service provider is a third party engaged by HMSS who has or may have access to Personal Information for the purpose of helping us provide our Services to you. For example, we may engage third parties to provide hosting services, website and/or app security, remote proctoring services, customer communications, user and data subject rostering, user onboarding, and customer service. These service providers may have access to some of your Personal Information only if they are performing specific tasks on our behalf. We take commercially reasonable steps to interact or contractually engage with service providers that have adopted a privacy policy governing their processing of Personal Information that is consistent with this Policy.
Law Enforcement, Government Agencies, and Courts.
We may disclose Personal Information at the request of law enforcement or government agencies or in response to subpoenas, court orders, or other legal processes in order to establish, protect, or exercise our rights; to defend against a legal claim; to protect the rights, property, or safety of another person; or as otherwise required by law. We may also disclose Personal Information to investigate or prevent a violation by you of any contractual or other relationship with us or any alleged illegal or harmful activity by you.
How Do We Protect Personal Information?
We use commercially reasonable safeguards that comply with accepted industry practice in protecting the confidentiality and security of Personal Information, including adherence to standards issued by the National Institute of Standards and Technology (“NIST”). Examples of how we protect your Personal Information include:
Despite these efforts to store Personal Information in a secure operating environment, we cannot guarantee the security of Personal Information during its transmission or storage in our systems. Further, while we attempt to ensure the integrity and security of Personal Information, we cannot guarantee that our security measures will prevent third parties, such as hackers, from illegally obtaining access to Personal Information. We do not represent or warrant that Personal Information about you will be protected against loss, misuse, or alteration by third parties.
Additionally, HMSS is a Nevada entity which collects and maintains certain data for individuals. HMSS has implemented and maintains reasonable security measures to protect any such records from unauthorized access, acquisition, destruction, use, modification, or disclosure pursuant to NRS 603A.210.
Also, any third parties to whom protected information is disclosed must, and expressly agree to, implement, and maintain reasonable security measures to protect any such records from unauthorized access, acquisition, destruction, use, modification, or disclosure pursuant to NRS 603A.210.
Accessing, Updating, or Deleting Personal Information
Depending on the data transfer process that the Customer uses, properly authorized Customer Personnel may access, update, and delete Personal Information collected by the Services. Other updating will transpire during regular data upload periods. If you would like to otherwise access, update, or delete Personal Information about the data associated with your account, or to have us complete any of the tasks described in this section on your behalf, you may submit a request to info@healthymindssafeschools.com. We will promptly review all such requests in accordance with applicable law.
Compliance With COPPA and FERPA
Many of our Services are designed for Customer Personnel working with K-12 students. We recognize the sensitive nature of Personal Information contained in educational records concerning children under age 13 and K-12 students generally. This Personal Information is protected under either or both of the following federal statutes: COPPA and FERPA. Our privacy practices comply with both COPPA and FERPA.
COPPA
COPPA permits a school, acting in the role of “parent,” to provide required consent regarding Personal Information of students who are under the age of 13. Where a school is the user of or subscriber to our Services, we rely on this form of COPPA consent. We provide the school with this summary, to ensure that the school, in providing its COPPA consent, has relevant information and assurance that our practices comply with COPPA.
FERPA
FERPA permits a school to provide educational records (including those that contain students’ Personal Information) to certain service providers without requiring the school to obtain specific parental/guardian consent. FERPA permits this disclosure where the service provider acts as a type of “school official” by performing services, for example, that would otherwise be performed by the school’s own employees. We fulfill FERPA requirements for qualifying as a school official by, among other steps, giving our school district Customers control with respect to the use and maintenance of the education records at issue (including associated Personal Information) and refraining from re-disclosing or using this Personal Information except provided under this Policy.
Compliance With HIPAA
To the extent that information qualifies as PHI under HIPAA, and HIPAA affords greater privacy protections than those set forth in this Policy, HMSS will comply with the relevant HIPAA requirements regarding privacy for that information.
Children’s Privacy
Except as necessary to provide our Services, we do not knowingly collect or solicit Personal Information directly from anyone under the age of 18 without a parent’s or guardian’s prior consent. The information collected from children under 18 through assessments are intended only with the consent and under the supervision of a parent or guardian, or, in the case of use through an institutional user, with the consent and supervision of such institutional user acting with authority and consent from the parent or guardian.
Your California Privacy Rights
The State of California provides its residents with certain rights concerning their Personal Information. This section describes how you may exercise your rights with respect to Personal Information collected through our Services.
Privacy Right | Description |
---|---|
Access | You have a right to request us to delete Personal Information that we collected from you. However, please be aware that we may not fulfill your request for deletion if we (or our service provider(s)) are required to retain your Personal Information for one or more of the following categories of purposes: (1) to complete a transaction for which the Personal Information was collected, provide a good or service requested by you, or complete a contract between us and you; (2) to ensure our website integrity, security, and functionality; (3) to comply with applicable law or a legal obligation or to exercise rights under the law; or (4) to otherwise use your Personal Information, internally, in a lawful manner that is compatible with the context in which you provided the information. |
Deletion | You have the right to request information on the categories of Personal Information that we collected in the previous twelve (12) months, the categories of sources from which the Personal Information was collected, the specific pieces of Personal Information we have collected about you, and the business purposes for which such Personal Information is collected and shared. You also have the right to request information on the categories of Personal Information that were disclosed for business purposes and the categories of third parties with whom such information was shared in the twelve (12) months preceding your request. You can also access certain of your Personal Information by contacting us at info@healthymindssafeschools.com. |
Opt-Out | We do not use Personal Information to market or advertise directly to Students/Examinees and do not otherwise sell Personal Information.
Nonetheless, we wish to inform you of your general right to opt-out of certain disclosures of Personal Information to third parties if such disclosures constitute a “sale” under California law. You may opt-out of interest-based advertising by visiting the Network Advertising Initiative’s Opt-out page or YourAdChoices, provided by the Digital Advertising Alliance. |
Additionally, you may be able to exercise the following supplemental rights under California law upon verification of your identity:
If you would like to exercise your rights listed above, please send (or have your authorized agent send) an email to info@healthymindssafeschools.com. We will not use discriminatory practices against you for exercising your California privacy rights.
While we take measures to ensure that those responsible for receiving and responding to your request are informed of your rights and how to help you exercise those rights, when contacting us to exercise your rights, we ask you to please adhere to the following guidelines:
Your Rights Under the EU GDPR and the UK GDPR
This GDPR section applies to individuals who are in the European Union (“EU”) and the United Kingdom (“UK”). For the purposes of this Policy, references to the GDPR include both the EU GDPR and the UK GDPR, and references to the EU also include Switzerland, and the European Economic Area countries of Iceland, Liechtenstein, and Norway.
For this GDPR section, we use the terms “Personal Data” and “processing” as they are defined in the GDPR. “Personal Data” generally means information that relates to an identified or identifiable person, and “processing” generally covers actions that can be performed in connection with data such as collection, use, storage, and disclosure.
If you have any questions about this section or whether any of the following applies to you, please contact us at info@healthymindssafeschools.com.
What Personal Data do we collect from you?
Please see the section above for details about the Personal Data we collect.
How do we use your Personal Data?
Please refer to the section above for details about how we use and process your Personal Data.
Lawful Basis for Processing.
We will only process your Personal Data if we have a lawful basis for doing so. Lawful bases for processing include consent, contractual necessity, and our “legitimate interests,” as further described below:
How and with whom do we share your Personal data?
We share Personal Data with service providers; organizations involved in mergers and acquisitions transactions; and law enforcement, government agencies, and courts. Please refer to the disclosure section above.
How long do we retain your Personal Data?
We retain Personal Data of users of our Services: (1) for as long as reasonably necessary to permit use of our Services and (2) as required by law or contractual commitment. After this period has expired, we will return or delete the Personal Data from our systems according to your written instruction; provided, we will maintain Personal Data in accordance with our backup or other disaster recovery policies and procedures. These deletion periods apply to Personal Data and do not apply to de-identified information. We retain de-identified information in accordance with our standard practices for similar information.
In addition, and subject to any data retention required under applicable law, if requested and as directed by a user of our Site, we will delete a user’s Personal Data collected via our Services. Deleting this information may limit some or all features of our Services. Where required by local law, we will delete such information and provide a certification of such deletion.
What security measures do we use?
Please refer to the security section above for more information on the security measures we use to protect your Personal Data.
What rights do you have regarding your Personal Data?
You may have certain rights with respect to your Personal Data, including those set forth below. For more information about these rights or to submit a request, please email info@healthymindssafeschools.com. Please note that in some circumstances, we may not be able to fully comply with your request, such as if it is impractical, if it jeopardizes the rights of others, or if it is not required by law. In those circumstances, we will still respond to notify you of such a decision. In some cases, we may also need you to provide us with additional information, which may include Personal Data, if necessary, to verify your identity and the nature of your request.
Your rights under the GDPR include:
Access. You can request more information about the Personal Data we hold about you and request a copy of your Personal Data.
Rectification. If you believe that any Personal Data we process about you is incorrect or incomplete, you can request that we correct or supplement such data.
Erasure. You can request that we erase some or all of your Personal Data from our systems.
Withdrawal of Consent. If we are processing your Personal Data based on your consent (as indicated at the time of collection of such Personal Data), you have the right to withdraw your consent at any time. Please note, however, that if you exercise this right, you may have to provide express consent on a case-by-case basis for the use or disclosure of certain Personal Data when such use or disclosure is necessary to enable you to use some or all features of a Site.
Portability. You can ask for a copy of your Personal Data in a machine-readable format. You can also request that we transmit the Personal Data to another entity where technically feasible.
Objection. You can contact us to let us know that you object to the further use or disclosure of your Personal Data for certain purposes.
Restriction of Processing. You can ask us to restrict further processing of your Personal Data.
Right to File Complaint. You have the right to lodge a complaint about HMSS’s practices with respect to your Personal Data with the supervisory authority of your country or EU Member State.
NY Education Law 2-d
New York’s Education Law 2-d and the New York Parents’ Bill of Rights for Data Privacy and Security (collectively, “Ed Law 2-d”) addresses the relationship between schools and their third-party contractors, in addition to the schools’ relationships with parents/guardians. The only elements of Ed Law 2-d that are incorporated herein are those provisions directed to third-party contractors (“Contractor Ed Law 2-d Provisions”). We agree to comply with the Contractor Ed Law 2-d Provisions for schools in the State of New York. If there is a direct conflict between this Privacy Policy and the Contractor Ed Law 2-d Provisions, the Contractor Ed Law 2-d Provisions will control. The full text of Ed Law 2-d is available at the New York State Education Department website (as of the date of this publication: https://www.nysenate.gov/legislation/laws/EDN/2-D).
Illinois Student Online Personal Protection Act (“SOPPA”)
The Illinois Student Online Personal Protection Act (“SOPPA”) requires school districts to take certain precautions with respect to the student data collected by educational technology companies. SOPPA applies to all Illinois school districts, the Illinois State Board of Education, and operators of online services and applications. The only elements of SOPPA that are incorporated herein are those provisions directed to third-party contractors (“Contractor SOPPA Provisions”). We agree to comply with the Contractor SOPPA Provisions for schools in Illinois. If there is a direct conflict between this Privacy Policy and the Contractor SOPPA Provisions, the Contractor SOPPA Provisions will control. As of the date of this publication: the full text of SOPPA is available at: https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3806&ChapterID=17.
Other Websites and Services
Our Services may direct you to or integrate with third-party services or websites. As noted above, we exercise commercially reasonable efforts to partner with service providers whose privacy policies governing their processing of Personal Information align with this Policy. We understand that you may want to examine and inquire about our service providers’ privacy practices, and we encourage you to do so.
De-Identified Information
The specific definition of “de-identified information” applicable to you depends on the laws applicable to your data. In general, however, de-identified information is information from which all personal identifiers have been removed or obscured such that it does not identify an individual and there is no reasonable basis to believe that the information can identify an individual.
HMSS collects and uses aggregated, de-identified information to assess the quality of and improve our Services and for purposes of assessment development, research, and publications relevant to our services and industry. As part of our assessment development efforts, we may share aggregated, de-identified information with reputable third-party development partners, who are considered experts in the field of assessments and subject to strict obligations of security and confidentiality with respect to information they receive from us. These development partners only use the de-identified information we share with them for analysis on our behalf and for purposes permitted under this Policy.
Finally, while assessments are in progress, we use de-identified information in order to authenticate a user’s identity, maintain links between Students/Examinees and their respective proctors during assessment sessions, and update certain features of our Services.
Changes to Our Privacy Policy
We reserve the right to update this Policy at any time. We will post the revised Policy on our main Site (www.healthymindssafeschools.com) and such changes will be effective immediately unless otherwise stated. If these changes are material, we will provide notice to you through email notifications and/or prominent statements on our website and, where required by applicable law, we will obtain your consent.
Personal Information Transferred from the U.S.
If you are located outside of the United States, please be aware that information we collect, including Personal Information, may be transferred to, and processed, stored, and used in the United States. The data protection laws in the United States may differ from those of the country in which you are located.
Do Not Track
Your browser may offer you a “Do Not Track” option, which allows you to signal to operators of websites, web applications, and services (including behavioral advertising services) that you do not wish such operators to track certain of your online activities over time and across different websites. Our Services currently do not support Do Not Track requests.
How to Contact Us
If you have any questions about this Policy, we encourage you to please email us at info@healthymindssafeschools.com.