Branching Minds Privacy Policy

    This privacy policy was last modified on August 12, 2020.

     

    Branching Minds (“Branching Minds,” “we,” or “us”) empowers teachers, administrators and parents to more effectively identify a student's learning challenges and to identify the right learning interventions for those challenges (the “Services”). We know that privacy is tremendously important to our users. For the purposes of this Privacy Policy, “District” means a school district or other Local Education Agency.

    This privacy policy applies to our company website, accessible at https://www.branchingminds.com (the "Site") and to the Branching Minds platform (the "Platform"), and outlines our compliance with federal privacy laws and details our data safeguarding and security practices.

    Data Collection

    When the District’s staff or students use the Platform, certain student and staff information is electronically synced from your student information system to the Platform. Some of this information may constitute personally identifiable information ("PII") (either individually or when combined with other data we collect), or other sensitive data.

    The Platform automatically generates an account for District staff and students, based on information the District provides via its student information system. This information may include, for example, first and last name, e-mail address, school and district name, student grade level, student English language proficiency, student IEP status, student date of birth, and student Ethnicity.

    As the Platform is used, District staff and students may have the ability to add additional data, including assessment scores and survey responses. District staff may also have the ability to upload documents and files that you create.

    Information collected through technology

    Whenever District staff or students interact with the Platform or the Site, we automatically receive and record information on our server logs from their browser or device, which may include IP address, “cookie” information, the type of browser and/or device used to access the Platform or the Site, and the page or feature requested. “Cookies” are identifiers we transfer to a browser or device that allow us to recognize the browser or device and tell us how and when pages and features in the Platform or the Site are visited and by how many people. Users may be able to change the preferences on their browser or device to prevent or limit their device's acceptance of cookies, but this may prevent them from taking advantage of some of our features. If users click on a link to a third-party website or service, such third party may also transmit cookies to you. Again, this Privacy Policy does not cover the use of cookies by any third parties, and we aren't responsible for their privacy policies and practices. We may also collect analytics data, or use third-party analytics tools, to help us measure traffic and usage trends for the Service.

    When we collect the usage information described above, we only use this data in aggregate form, and not in a manner that would identify a student or staff member personally. For example, this aggregate data can tell us how often users use a particular feature of the Platform, and we can use that knowledge to make the Platform valuable to as many users as possible.

    We do not collect geolocation, biometric or health data.

    We do not allow third party advertising networks to collect information about users.

    We do not:

    • display traditional or contextual advertisements;

    • provide promotional sweepstakes, contests, or surveys;

    • or send marketing messages.

    Data use

    Data we collect is used solely:

    • To provide contracted educational services to Districts. For example, the Platform collects information about a student’s English language proficiency in order to determine the best learning interventions to recommend for that student.

    • To conduct statistical research. Any data used for this purpose is de-identified (made anonymous by removing all personally identifiable information). This research helps us evaluate the effectiveness of the Platform and improve our product.

    We do not sell any information we collect on the platform, including student personal information, nor do we use or disclose any information we collect for (a) behavioral targeting of advertisements to students or (b) any other marketing or commercial purpose. We do not facilitate the use or disclosure of any student personal personal information by any other party for any marketing or commercial purpose or permit another party to do so.

    Data disclosure and access

    Branching Minds acknowledges the right parents and legal guardians have under FERPA to review any educational data we collect pertaining to their children. Parents may submit a request to Branching Minds directly at support@branchingminds.com or by mail to Branching Minds, Inc., 157 Columbus Avenue, 4th Floor, New York, NY 10023. Upon request, and after verifying identity, we will provide parents and legal guardians access to this data within 45 days. However, we recommend that parents or legal guardians first contact their District.

    If a parent or legal guardian has questions about modifying, or deleting educational data of a student, we will direct them to contact their District and will work with the District to properly resolve the matter.

    PII data collected by Branching Minds is accessible only to a limited number of Branching Minds employees who need the data to perform their job, as well as in a few limited circumstances, described below. We do not rent or sell information for marketing purposes.

    Who we may share information with

    • We may share information with third party contractors or services (e.g. web hosting and user authentication services), but strictly for the purpose of carrying out their work for us in providing the District with any contracted educational services and in compliance with any applicable state or federal laws.

    • We may be required to share information with law enforcement or other third parties when compelled to do so by court order or other legal process, to comply with statutes or regulations, to enforce our Terms of Use, or if we believe in good faith that the disclosure is necessary to protect the rights, property or personal safety of our users.

    • In the event of a change of control: If we sell, divest or transfer the business or a portion of our business, we may transfer information, provided that the new provider has agreed to data privacy standards no less stringent than our own. We may also transfer personal information – under the same conditions – in the course of mergers, acquisitions, bankruptcies, dissolutions, reorganizations, liquidations, similar transactions or proceedings involving all or a portion of our business.

    In addition to the actions described above, Branching Minds may facilitate the sharing of student data with third parties, though only when instructed and authorized to do so on the District’s behalf.

    What right do you have to the data?

    • Districts retain all ownership rights to any data collected by us.

    • Districts may request that we (i) delete, (ii) export, or (iii) modify any inaccurate data collected by us, at any time.

    • Districts may access and review the data we have collected at any time, by either logging in to our platform or requesting an export.

    Product Safety

    Branching Minds is intended solely for use by LEA employees solely for educational purposes and does not provide access or use to students for any purpose.

    COPPA

    At a District’s election, the Platform provides students with the ability to enter information about themselves through survey responses. That information may include or be closely tied to PII if it is necessary to provide the Services requested by the District. We do not gather any information directly from students under the age of 13, as defined by applicable law, unless we believe we have legal permission to do so, as indicated by Districts acting on behalf of parents or guardians. We require our Districts to obtain any necessary parental consent or provide any required disclosures to parents or guardians. We will gather information from students directly only as requested by a District and only for the purposes of providing our Services to the District. Please contact us at infosec@branchingminds.com if you believe we have inadvertently collected personal information of a child under 13 without the proper consents.

    For more information about COPPA, you may visit OnGuard Online.

    California Online Privacy Protection Act

    CalOPPA is the first state law in the nation to require commercial websites and online services to post a privacy policy on its website stating exactly the information being collected and those individuals with whom it is being shared. We comply with CalOPPA by: (i) placing a link to this privacy policy on our home page which includes the word 'Privacy’ and can be easily be found and (ii) prominently notifying users of any privacy policy changes on our Privacy Policy Page. In addition, users are able to change some of their personal information by logging in to their Branching Minds account or by contacting their district’s administrator directly.

    For more information about CalOPPA, you may visit Consumer Federation of California

    FERPA

    The Family Educational Rights and Privacy Act ("FERPA") provides parameters for what is permissible when sharing student information. Branching Minds is authorized by schools and districts under the FERPA “school official” exception to receive and use educational data to provide educational services. This data has significant educational value; enabling teachers to teachers to identify students’ cognitive learning strengths and challenges, match them with research-backed learning supports, and tracks and reports data on student growth.  This information is used only for academic purposes. We do not collect data for collection’s sake, and access is limited and appropriate. See Data Safeguarding for more information about how we use and protect data we collect.

    Data retention and management

    Data maintained by Branching Minds is protected in a secure environment. See Security Overview below for more information about Branching Minds’ security practices.

    Unless otherwise requested by your LEA, all PII provided to Branching Minds will be destroyed upon termination of our relationship with you (typically during September of the school year following the school year in which your LEA opts to terminate our relationship), or when it is no longer needed for the purpose for which it was provided.

    Data destruction: Branching Minds employs United States Office of Education best practice recommendations for data destruction.

    Security Overview

    We take steps to make all information received from you as secure as reasonably possible against unauthorized access and use. If we know or have reason to know of a systems security breach by an unauthorized party or that any of your Information was used for an unauthorized purpose, then we will immediately notify you electronically so that you can take appropriate protective steps.

    Software Security

    Branching Minds has implemented privacy and security practices which are compliant with FERPA and COPPA; however, to achieve comprehensive protection of student PII, it is necessary for you to use secure practices as well.

    NIST CSF Alignment

    Branching Minds regularly aligns its security practices with the NIST Cybersecurity Framework.

    Data encryption

    Data is encrypted in transit and at rest.

    File transfer protocol

    Data is securely transferred to Branching minds using File Transfer Protocol (FTP) over secure (SSL/TLS) cryptographic protocol.

    Firewalls

    Anti-virus software and firewalls are installed and configured to scan our system. The firewall is periodically updated and configured so users cannot disable the scans.

    Data storage provider

    We store all of our data and host the Platform at secure off-site facilities managed by industry-leading Amazon Web Services (AWS) at their secured data centers in the United States. These data centers are housed in nondescript facilities and physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. AWS only provides data center access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or AWS. All physical access to data centers by AWS employees is logged and audited routinely.

    All access to the information within the Platform stored on these servers is encrypted. User passwords are also encrypted and all data stored with AWS on their computers is secured behind a firewall.

    Security audits

    Branching Minds conducts internal security audits and code reviews.

    Secure programming practices

    Branching Minds software developers are aware of secure programming practices and strive to avoid introducing errors in our application (like those identified by OWASP and SANS) that could lead to security breaches.

    Account protection and Identity Verification

    Branching Minds supports account authentication and identity verification exclusively through single sign-on technologies and protocols, such as SAML..

    Facility Security

    Branching Minds is located inside the continental United States. Physical access is protected by electronic access devices, with monitored security and fire/smoke alarm systems.

    We store all of our data and host Branching Minds at secure off-site facilities managed by industry-leading Amazon Web Services (AWS) at their secured data centers in the United States. These data centers are housed in nondescript facilities and physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. AWS only provides data center access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or AWS. All physical access to data centers by AWS employees is logged and audited routinely. All access to the information within Branching Minds stored on these servers is encrypted. User passwords are also encrypted and all data stored with AWS on their computers is secured behind a firewall.

    Links to Other Web Sites and Services

    Please remember that this privacy policy applies to the Platform and the Site, and not other websites or third-party applications, which may have their own privacy policies. You should carefully read the privacy practices of each third-party application before agreeing to engage with the application through the Service.

    How to Contact Us

    If you have any questions about this Privacy Policy or the Service, please contact us at support@branchingminds.com.

    Changes to Our Privacy Policy

    This privacy policy may be updated from time to time. If we modify this privacy policy we will post notice of the modification on www.branchingminds.com or provide you with such notice by email directly.  We will also update the "Last updated" at the top of this privacy policy. We advise you to consult this policy regularly for any changes and to contact us with any questions.

     

    This privacy policy was last modified on August 12, 2020.