Family Educational Rights and Privacy Act (FERPA)
Last updated: June 5, 2020
EZcheeze Inc. (EZcheeze) provides cloud solutions and educational content (collectively referred to as Service(s). EZcheeze may be used by schools, school districts, or teachers (collectively referred to as “Schools”) in a classroom setting. When Schools purchase our Services to provide the Service as part of the School's educational curriculum, we may have access to personal information about students (“ School Users ”).
We strive to implement best practices to protect the privacy of all of our student and non-student users, alike. To help our School partners address their obligations to protect their students' data privacy, we have implemented additional controls and procedures for schools, school districts, and teachers (collectively referred to as “ School(s ”) when they enter into a contract with EZcheeze to use the Service as part of the School's educational curriculum. When the Service is used as part of the School's educational curriculum, the personal information related to the School's School Users that is (i) provided to EZcheeze by a student or by a School, or (ii) collected by EZcheeze during the provision of the Service to a School, may include information defined as “educational records” by the Family Educational Rights and Privacy Act (“ FERPA ”) or other information protected by similar student data privacy laws. We call this information “ Student Records. ”
What is FERPA?
FERPA is a US federal law that protects the privacy of students’ education records, including personally identifiable and directory information. FERPA was enacted to ensure that parents and students age 18 and older can access those records, request changes to them, and control the disclosure of information, except in specific and limited cases where FERPA allows for disclosure without consent. FERPA requires that entities implement policies that protect parental rights to inspect and review educational records, seek to amend student records, and consent to the disclosure of personally identifiable information from educational records. The law applies to schools, school districts, and any other institution that receives funding from the US Department of Education — that is, virtually all public K–12 schools and school districts, as well as most post-secondary institutions, both public and private.
Security is central to compliance with FERPA, which requires the protection of student information from unauthorized disclosures. Schools that use our Services are provided contractual reassurances that EZcheeze manages sensitive student data appropriately. Many of our user accounts are used for both School and non-School purposes, only personal information relating to user accounts which are (1) created by a School (for example, when a teacher creates the user name, login, and password to establish School User accounts, or when the teacher rosters a class using a software sign-on service), or (2) created by a School User at the direction of a School, using a School email address and associated with a School's class on the Service, and (3) created pursuant to a contract between EZcheeze and the School, are designated as Student Records on EZcheeze. Student Records shall not include information a student or other individual may provide to EZcheeze independent of the student's use of the Service at the direction of the School. For example, if a user connects their existing EZcheeze account (i.e., an account associated with a non-School email address and created outside of their use of the Service for the School's purposes) to a School’s class on the Service, the personal information and profile data associated with the account shall not be considered Student Records.
We collect, maintain, use and share Student Records only for an authorized educational and as described in this FERPA Policy, or as directed by the School, the School User, and/or the student's parent or legal guardian (a “ Parent ”).
We do not disclose Student Records for targeted advertising purposes. While we do permit third-party advertising partners to operate on our Service for the purpose of retargeting, analytics, and attribution services, we disable third-party ad networks when a School User logs into a School User account on the Service.
We do not build a personal profile of a School User other than in furtherance of an educational purpose or as authorized by a Parent.
We maintain a comprehensive data security program designed to protect the types of Student Records maintained by the Service.
We clearly and transparently disclose our data policies and practices to our users.
Depending on the features and account controls applicable to the School User accounts, we may share usernames and profile information with other users on the Service, such as teachers, coaches, or School administrators, and this information is visible when a School User uses the Services.
Depending on the manner in which EZcheeze is used by a School and the terms of the agreement between the School and EZcheeze, EZcheeze may provide access to certain Student Records, School User account usage data (“ School Analytics ”), and Teacher User account usage data to the School for the purpose of monitoring student usage and activity and evaluating the effectiveness of the School's use of Service. In some circumstances, School Analytics may only be available for Student accounts using a School email address or login and which are associated with a School’s teacher, coach, or School administrator.
We will not knowingly retain Student Records beyond the time period required to support an educational purpose or law unless authorized by a School, student, or parent. Many of our users continue to use their accounts for a personal, non-School purpose and may associate their accounts with the account of their Parent. In such cases, the user (or the user's Parent) shall be responsible for account deletion requests.
The School is responsible for managing Student Records which the School no longer needs for an educational purpose by submitting a deletion request when such data is no longer needed. Schools should contact EZcheeze at email@example.com to request the deletion of Student Records associated with the School's use of EZcheeze. Please note that EZcheeze cannot comply with a School's request to delete personal information in a user account except for School User accounts created by a School (i.e., using a School email address and/or an account login provided by a School) pursuant to a contractual agreement between the School and EZcheeze, or unless the user (or the user's Parent) requests deletion directly. We will also not be able to delete information associated with School User accounts that the School User has associated with a personal account.
If you have questions about specific practices relating to Student Records provided to EZcheeze by a School, please direct your questions to your School.
EZcheeze does not permit children under the age of 13 (a “Child” or “Children”) to create an account without the consent and at the direction of a Parent or School. Please contact us at EZcheeze@ezcheeze.com if you believe we have inadvertently collected information from a child under 13 without parental consent so that we may delete the information as soon as possible.
When EZcheeze is used by a School in an educational setting, we may rely on the School to provide the requisite consent for EZcheeze to collect information from a School User under the age of 13, instead of parental consent.
Our Service is operated and managed on servers located within the United States. If you choose to use our Service from the European Union or other regions of the world with laws governing data collection and use that differ from United States law, then you acknowledge that EZcheeze will transfer your personal information to the United States to perform the Service according to our contract (e.g., our Terms of Service) and for any other purpose for which you provide explicit, informed consent.
Residents in the European Union are entitled to certain rights with respect to personal information that we hold about them:
Right of access and portability. The right to obtain access to your personal information, along with certain related information, and to receive that information in a commonly used format and to have it transferred to another data controller;
Right to rectification. The right to obtain rectification of your personal information without undue delay where that personal information is inaccurate or incomplete;
Right to erasure. The right to obtain the erasure of your personal information without undue delay in certain circumstances, such as where the personal information is no longer necessary in relation to the purposes for which it was collected or processed;
Right to restriction. The right to obtain the restriction of the processing undertaken by us on your personal information in certain circumstances, such as where the accuracy of the personal information is contested by you, for a period enabling us to verify the accuracy of that personal information; and
Right to object. The right to object, on grounds relating to your particular situation, to the processing of your personal information, and to object to the processing of your personal information for direct marketing purposes, to the extent it is related to such direct marketing.
You may also have the right to make a complaint to the relevant Supervisory Authority. A list of Supervisory Authorities is available here: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm . If you need further assistance regarding your rights, please contact us using the contact information provided below and we will consider your request in accordance with applicable law. In some cases, our ability to uphold these rights for you may depend upon our obligations to process personal information for security, safety, fraud prevention reasons, compliance with regulatory or legal requirements, or because processing is necessary to deliver the services you have requested. Where this is the case, we will inform you of specific details in response to your request.
EZcheeze Series and FERPA
FERPA does not require or recognize audits or other certifications, so any academic institution that is subject to FERPA must assess for itself whether and how its use of a cloud service affects its ability to comply with FERPA requirements. However, EZcheeze Series has made the following contractual commitments that attest to its compliance:
EZcheeze agrees to be designated as a “school official” with “legitimate educational interests” in customer data as defined under FERPA. (Customer data would include any student records provided through a school’s use of EZcheeze Services.) When handling student education records, EZcheeze agrees to abide by the limitations and requirements imposed by 34 CFR 99.33(a) just as school officials do.
Services for which EZcheeze agrees to be designated as a 'school official' with 'legitimate educational interests' in customer data include:
Audits, reports, and certificates
FERPA does not require or recognize audits or certifications.
Where can I find more information on FERPA?