Paper Educational Support System
Latest update: December 1, 2022
We care about privacy and believe that it is essential to the service we provide. You entrust us with your personal information or that of your employees and students, and we understand that our ability to continue providing services to our customers is based on showing proper respect for that trust. We are committed to continually improving our privacy program in alignment with recognized best practices, customer needs, and an evolving student privacy legal and regulatory framework.
- Scope and Applicability of this Privacy Statement
This privacy statement (“Statement”) describes how Paper Education Company Inc. (“Paper,” “we,” “our,” “us”) processes Personal Information (as defined below) within the Paper Educational Support System (app.paper.co) (the “Platform”), including associated educational and support services and methods of user access (collectively, together with the Platform, the “Services”).
Our Services are provided pursuant to our agreement with partnering local education agencies, such as district school boards (“District”), for the benefit of their authorized students, and we provide access to the Services to their authorized students, parents/guardians, teachers, school administrators, and/or other District personnel (each an “end-user” or collectively “end-users”, “you,” “your”), and are generally acting as a service provider to the District with respect to the collection, use and disclosure of end-users’ Personal Information. In some cases, in accordance with our agreement with the District, we may collect enrollment information directly from students and their parents/guardians and are acting as the organization in control of students and parents/guardians’ Personal Information (“data controller”) and are ultimately accountable for the collection, use and disclosure of such Personal Information.
- Key Points Regarding Our Privacy Practices
- We collect, use and disclose end-user Personal Information only as necessary to provide our Services and, where applicable under this Privacy Statement or as agreed-upon with our District partners.
- We do not use or disclose Personal Information of students for direct marketing purposes, unless permitted by applicable law. We may, however, advertise to parents/guardians (or students, where permitted by applicable law) as further described in Section 8 below (How do we Market our Services?).
- We may revise this Policy to reflect changes to the Services such as new functionality, however, we will never make material changes to this Policy without notifying the Districts (or to students or parents/guardians directly when we are acting in a controller capacity).
- Paper promotes the adoption and use of the Platform by end-users as part of our Services, which includes sending communications such as reminders and updates to end-users regarding the Services available to them.
- Various methods of Platform access are available for end-users (e.g., website, downloadable mobile app, chrome extension), and Personal Information collected may vary by the method of access an end-user chooses.
- End-user communications within the Services, including tutoring sessions, are routinely retained for quality assurance, service improvement, student safety/health and legal/regulatory compliance purposes.
- What is Personal Information?
This Statement applies to any information that allows us to identify an end-user directly or indirectly (“Personal Information”). Paper may process information that cannot be linked or associated with any individual’s identity, either directly or indirectly (“anonymized information”). When anonymized information is combined with other information so that it does identify an individual, we treat that combination as Personal Information.
- What Personal Information do we collect and process?
We limit the collection of Personal Information to what is reasonably required to provide our Services, to respond to any other requests you may make and for the other purposes described below in Section 6 (How do we use Personal Information?).
Setting up your accounts. We may collect Personal Information from students and parents/guardians directly (when we are acting as a data controller) or we may receive it from Districts during the Platform on-boarding process in order to begin providing Services to end-users. This transfer of Personal Information may occur directly or, at the direction of the District where the capabilities are available, through the use of third-parties or integrations with student information systems in order to automatically update end-user data. Personal Information that we may collect and process in order to begin providing Services typically includes the following:
- First name and last name
- Email address
- Student ID
- Relevant rostering information such as grade level, class rosters, and classes that students are enrolled in
- Where applicable, additional end-user data that we have mutually agreed should be received and processed as part of the Services, such as data for assessing efficacy
Providing the Services. We may also collect the following types of Personal Information as end-users access and use the Services, including through related interactions or communications with us:
- Account/Profile Data such as usernames, passwords, nicknames, student IDs, Zoom name or nickname, or similar personal identifiers.
- Contact Information such as end-user email addresses, postal addresses, phone numbers, or parent/guardian name and contact information.
- User Generated Content such as recordings or transcripts of text, audio, or other conversations generated by end-users through their use of our Services (along with documents or images shared, emojis used, etc.), message content from support requests, feedback on tutoring sessions, questions asked by students, and documents submitted for review (along with related information provided by students, such as the title, language, related instructions and similar document requirements), and which may contain further types of Personal Information added by the end-user.
- Usage and Performance Data including information about how end-users interact with our Services, such as statistics regarding the opening of communications sent by Paper, URL data collected by the Paper Chrome Extension, clickstream information, Platform activity (e.g. top questions asked and which students use our Services the most), bugs, errors and logs which are generated by end-users, and other similar Platform usage and performance data.
- Technical Data such as end-user IP address, browser information, screen resolution, operating system name and version, device ID, and device manufacturer and model.
- Communications Information such as preferences for receiving communications from us and a history of communications sent or received.
Type of cookie
Essential cookies are necessary to operate the core functions of our Services. These include login cookies, session ID cookies, language cookies as well as security cookies.
Functional cookies are used to provide you with some functionalities, such as live chatting, and to remember preferences, consents and configurations.
Analytics cookies are used to generate aggregated statistical data about traffic and behavior of users when using our Services.
You can manage your preferences for the handling of cookies through your device, application or browser. However, if essential and functional cookies are blocked, some parts or aspects of the Services may not be available.
Accessing the Platform. In addition to standard website access to the Platform, Paper may make additional Platform access methods available to end-users (“Alternative Access Methods”). Examples of the Alternative Access Methods that Paper has made available include our iOS Mobile App, Android Mobile App, and the Paper Chrome extension. Paper reserves the right to modify the available Alternative Access Methods as needed for delivery of the Services, for compliance purposes and for other purposes set forth below in Section 6 (How do we use Personal Information?). As an example, we may need to modify mobile apps or temporarily suspend their use due to adverse changes in App store guidelines.
Personal Information collected through Alternative Access Methods may differ from what is collected through standard Platform web access, due to the functionality and capabilities offered by the associated hardware, operating systems and environments. Regardless of the method by which an end-user accesses the Platform, Personal Information is processed as set forth in this Statement.
- How do we use Personal Information?
We collect and process Personal Information in order to set up and provide our Services to Districts and end-users, including for the following purposes:
- Operating the Platform and providing the Services
- Providing customer support and troubleshooting problems/issues that may arise
- Customizing, measuring, and improving our Services and content
- Communicating with end-users through messages or notifications
- Awareness activities to encourage adoption and use by end-users
We may also process end-users’ Personal Information for the following purposes:
- To protect the health and safety of end-users
- To protect the security or integrity of our end-users, sites, applications, and other technology used to provide the Services
- To prevent fraud, to cooperate with law enforcement and regulatory authorities, and to stop other prohibited, illegal, or harmful activities
- For marketing purposes in accordance with Section 8 below (How do we Market our Services?)
- For purposes disclosed at the time you provide Personal Information to us, or as otherwise set forth in this Statement or our signed agreement with a District
- To resolve disputes or enforce customer agreements
- To protect our interests, including establishing, exercising and defending legal rights and claims
- As necessary to comply with legal or regulatory requirements
- How do we share Personal Information?
We disclose Personal Information only for the purposes set forth in Section 6 (How do we use Personal Information?) above in order to provide the Services. The instances where we may disclose Personal Information include the following:
With the District and its Personnel. Personal Information collected through the Services is available to the contracting Districts and its school and district administrators. Teachers generally have access to the same categories of information as school and district administrators, except that their access is limited to students enrolled in the classes they teach.
With Third-Party Service Providers. We may share information with our service providers in order to support our provision of the Services. Service providers are only allowed to use, disclose or retain the Personal Information in order to provide their services to us, which include, but are not limited to, hosting and IT services, customer support services, communications services, website development services, performance services, marketing, advertising and analytics services. For additional information, please review our Paper Service Providers list.
With Your Integration Partners. Our Services can be integrated with other learning management platforms through Single Sign-On and APIs, such as Google, Azure, Clever or ClassLink (“Integration Partners”). Integration Partners are not our suppliers or service providers. Districts may enter into separate agreements with Integration Partners to which we are not a party, and plug-ins, APIs or other accesses to Integration Partners are only activated at an District’s request. We may share Personal Information with such Integration Partners when directed to by a District, who has full control over what Personal Information they share with their preferred Integration Partner(s).
For Legal Process. We may disclose Personal Information if permitted or required by law; for example, in response to a court order or a subpoena. To the extent permitted by applicable law, we also may disclose Personal Information: (i) in response to a law enforcement or public agency’s (including educational institutions or children services) request; (ii) if we believe disclosure may prevent the commission of a crime, facilitate an investigation related to public safety, or protect the safety of a child using our Services; (iii) to protect the security or integrity of our sites, applications, and other technology, as well as the technology of our service providers; or (iv) to enable us to take precautions against liability. Where required in our agreement with the District, we will take commercially reasonable measures to notify the District prior to making any such disclosures, unless we are prohibited by law.
Where Required for Corporate Transactions. If we go through a corporate restructuring or reorganization, financing, initial public offering, merger, sale, or other commercial transaction involving some or all of our assets, Personal Information may be transferred or disclosed in such context, subject to any limitations under applicable contracts or laws. In these circumstances, we will comply with applicable laws, and will use commercially reasonable measures to limit any permitted or required disclosures or transfers of Personal Information. If such transactions are completed, our successor(s) (if any) or recipients of such Personal Information may only process your Personal Information in the same way as set out in this Statement and in compliance with applicable laws and any applicable customer contracts.
- How do we Market our Services?
We may use Personal Information to send marketing communications about promotions, new features of our Services and other content that may be of interest to you. We may also share Personal Information to third-party advertising management partners to conduct interest-based advertising to market our Services to you, including through audiences on social media.
You can opt-out of any marketing email communications by following the unsubscribe instructions included in our promotional emails or by contacting us at firstname.lastname@example.org. Youcan also opt-out of interest-based advertising by emailing us at email@example.com and can adjust how Paper ads are shown to you on social media through the respective social media account settings.
- How do we obtain consent from students for processing Personal Information?
When we act as a service provider for Districts, Districts are responsible for obtaining valid consent from end-users to the processing of their Personal Information and providing such consent as part of the contracting process in accordance with applicable laws. If the end-user is under the legal age required by applicable laws to provide valid consent, the District is responsible for obtaining consent from the parent/guardian.
When we provide our Services to end-users directly, we obtain consent from students or from their parent/guardian when a student does not have the legal age required by applicable laws to provide valid consent. Districts are always responsible for obtaining valid consent from teachers, school administrators and/or school personnel.
Collection of Children Personal Information. We do not knowingly collect any information from children under the age of 13 in Canada (or 14 in Quebec) unless and until the relevant District or the end-user’s parent/guardian has provided consent and authorization for a student under 13 (or 14 in Quebec) to use our Services and for us to collect information from or about such student. When instructed to collect Personal Information about children under the age of 13 (or 14 in Quebec), we process such information solely to provide our Services to the student and for the purposes set forth in our agreement with the District and as described in this Statement and, where we are acting as a service provider for the District, on behalf of the District. We process only as much information as is necessary to provide our Services. End-users and/or Districts may request access or correction of Personal Information or withdraw consent for continued processing of the Personal Information as further described in Section 13 (How can end-users exercise their privacy rights?).
If you believe we have inadvertently collected Personal Information from a child under 13 (or 14 in Quebec) without proper consent, please promptly contact us using the contact information provided in Section 16 (Who can I contact if I have questions or feedback about this Statement or if I wish to exercise my privacy rights?). This will allow us to correct such information as soon as possible.
10. How long do we retain Personal Information?
We retain Personal Information for as long as necessary to provide our Services in accordance with our contract with a District, or as required to comply with applicable laws, whichever is longer. Once no longer required, Personal Information will be securely destroyed or anonymized (so that it is, at all times, reasonably foreseeable in the circumstances that the information irreversibly no longer identifies you directly or indirectly).
- Where do we store Personal Information?
We are a Canadian company with headquarters in the province of Quebec but our service providers may access, process or store personal information outside of Canada, including in the United States. As a result, your personal information may be subject to the laws foreign jurisdictions, including any law permitting or requiring disclosure of the information to the government, government agencies, courts and law enforcement in that jurisdiction. We will only transfer personal information to a third party outside of Quebec if we are confident that it will receive adequate protection in the foreign jurisdiction.
- How do we protect Personal Information?
Our Security Program. We maintain an industry standard information security program and have implemented reasonable and appropriate security controls designed to protect the Personal Information that we collect and process in order to provide the Services. These controls include, where and as appropriate, use of multi-factor authentication, at-rest and in-transit data encryption, physical access controls to files and buildings, and more. Unfortunately, no data transmission over the internet can be guaranteed to be 100% secure. While we strive to appropriately protect all Personal Information we process, we cannot guarantee or warrant its complete security. However, Paper does maintain an industry standard incident response plan designed to identify, contain, and prevent the recurrence of any incident or breach that could impact the security of the Personal Information we process.
Our SOC 2 Report. Paper also complies with AICPA SOC 2 requirements, which certify that its information security practices, policies, procedures and operations meet SOC 2 standards. Our SOC 2 attestation reaffirms the company's commitment to providing its customers with industry standard safeguards.
Our Platform Hosting Provider. Personal Information stored within the Platform is hosted on infrastructure in the United States using Google Cloud Platform, which maintains several independent verifications of its security, privacy and compliance controls, such as ISO 27017, ISO 27018 and ISO 27001. You can review Google Cloud Platform’s safeguards in greater detail by visiting Google’s Trust & Security Center.
Data Governance. In addition to our strong Security Program, we maintain several policies and practices, which ensure the protection of your personal information, including:
- Employee privacy and data security training;
- Procedures for receiving, investigating and responding to complaints or inquiries regarding Paper’s information handling practices, including any security incidents involving Personal Information;
- Contractual protections and other measures to ensure that service providers with whom we share Personal Information maintain adequate privacy protections and standards. For example, we generally require our service providers to limit their use and retention of personal information to what is necessary to provide their services and to notify us in case of any actual or suspected security incident.
- How can end-users exercise their privacy rights?
End-users are entitled to exercise their privacy rights under applicable laws, namely: withdrawing consent, or accessing or correcting their Personal Information. End-users must generally contact the District where the end-user is registered to exercise any such rights, as the District has sole control of end-users’ Personal Information as between us and the end user. However, students and parents/guardians that have provided their information directly to Paper through the enrollment process (in which case we are acting as a data controller) must contact us directly to exercise their privacy rights, using the contact information provided in Section 16 (Who can I contact if I have questions or feedback about this Statement or if I wish to exercise my privacy rights?).
14. Can we modify this Statement?
Yes, we may modify this Statement from time to time, such as to reflect new or modified Platform functionality, technology, service providers, or other changes to our collection and use of Personal Information. Any changes will be effective upon the revised Statement being posted to our Website.
When we make material changes to this Statement in order to reflect the changes described above, we will provide notice to Districts (when are acting as their service provider) or to their parent/guardian as required by applicable laws (when we are acting as a data controller) in advance of the effective date of those changes. We will also post a notice at the start of the Statement by updating the last updated date.
- How does this Statement differ for customers in the United States?
- Who can I contact if I have questions or feedback about this Statement or if I wish to exercise my privacy rights?
For questions, concerns or inquiries regarding the collection, use or disclosure of Personal Information or concerning this Statement or if you want to exercise your privacy rights, please contact our Privacy Officer as follows:
- E-mail us at firstname.lastname@example.org
- Call us at 1-855-800-2082
- Reach us by mail at the following address:
Paper Education Company Inc.
279 Sherbrooke St West, Suite 410
Montreal, QC, H2X 1Y2
Please note that, as mentioned in Section 13 (How can end-users exercise their privacy rights?), we may require any end-user to direct their request to the District they are registered with, where Paper holds their personal information in its capacity as a service provider for that District.