last revised: August 30th, 2018
1. What's This?
1.3. Special provisions for Institutional End Users - Personal information of “Institutional End Users”, including Inclusive Access Students is additionally protected by the Family Education Rights and Privacy Act (“FERPA”). In order to safeguard confidentiality of such personal information, different / additional rules may apply to such Institutional End Users, which will be explicitly addressed where relevant in this Privacy Notice.
2. What information does RedShelf collect?
2.1. Types of Data - In order to provide End Users with the requested services, RedShelf collects different types of data, including personal information, as well as other non-public data (a). RedShelf also collects information regarding End Users’ Access Rights (b), as well as information based on the use of our services, including User Content (c) and Usage Data and other Metadata (d):
- a. User Information – When signing up for RedShelf, End user is asked to create RedShelf profile, and provide RedShelf with certain personal information necessary to identify them as a unique and legitimate RedShelf user. This minimum User Information encompasses End User’s name, email address, date of birth and an (automatically generated) RedShelf ID number . End user can choose to complete their RedShelf profile with a second email address, phone number, mailing address, billing address, profile picture or avatar, … This category of information is considered to be “User Information”.
For Inclusive Access-students, such User Information may include but is not limited to Personally Identifiable Information (PII) as mentioned in FERPA. Under FERPA and the regulations promulgated thereunder, students’ Educational records and any Personally Identifiable Information (PII) contained therein, are confidential, and thus protected.
RedShelf is an educational service provider considered to be a “School Official” with a “legitimate educational interest” as described in FERPA. In this capacity, RedShelf is allowed access to certain PII (which RedShelf will only use to fulfill its contractual obligations and services).
Based on said ‘school official’-label, the school or institution – upon setting up an IA Course with RedShelf – provides RedShelf with certain personal information about its students, like students’ name, email address, and “Student-Course Information” (which is information as to in which school and which course(s) a student is participating in the Inclusive Access Program). This may also include student ID, secondary email address, phone, and mailing address, billing address, financial aid, … to the extent the school chooses to provide that information to RedShelf.
RedShelf will only collect such information that is necessary to provide its IA Students with the services and access to digital content they are entitled to. Just like any other End User, Institutional End Users can choose to complete their RedShelf profile with a second email address, phone number, mailing address, billing address, profile picture or avatar, …
- b. Access Rights Information – For each End User, RedShelf needs to keep track of which Content such End User has a right to access, as well as the duration of such right to access. This information is referenced to as “Access Rights Information”.
c. User Content – The result of an End User’s activity on the RedShelf Platform, including all his/her highlights, notes, flashcards, study guides, comments, bookmarks, questions, assignments, assessments… added to any digital content, is logged and stored by RedShelf as End User’s personal version of such content. The collectivity of all such personal versions of all of End User’s content, together with any content shared with or by other RedShelf End Users, and any feedback from or to other Users, including assessment and reading scores, is considered to be “User Content”.
For Institutional End Users, User Content may also include submitted assessments, assessment scores, reading scores, feedback… within a certain IA Course.
- d. Metadata - “Metadata” is system information and user analytics, automatically collected using cookies, IP tracking and other or similar sensors and technologies, … The Metadata collected by RedShelf include:
- Device information such as hardware model, operating system version, browser type and version user agent;
- Log information including details of when and how an End User used our services, Internet Protocol address ("IP Address") including geolocation, time zone, failed login attempts, language;
- Usage information including the content and pages that End Users access on RedShelf, the dates, times and duration that they visit RedShelf and Content, navigation data (usage of features, opening / closing of menus), user actions (searches, dictionary lookups, creation of notes, flashcards, bookmarks, comments, printing, usage of offline mode, …), … .
- 2.2. No payment information - RedShelf does not store information used to complete and process payment transactions on RedShelf. RedShelf utilizes third-party payment gateway service providers to complete transactions and, therefore, does not store any payment information.
2.3. De-identified Data - Some of the above data will be de-identified before processing or sharing. De-identified Data has all direct and indirect personal identifiers removed, including name, ID, date of birth, demographic information, location information, and school. RedShelf will not attempt to re-identify any de-identified Data.
3. How will RedShelf use all this data?
3.1. Authorized purposes - RedShelf will only use the collected Data to fulfill the services it has been contracted for, which is to serve its End Users and provide them with access to all the digital content and services they are entitled to. These authorized purposes include:
- a. Identification / Authentication – RedShelf verifies End Users’ identity upon every login, and to verify each End User’s License to access certain Content.
c. Copyright protection – RedShelf may use the End Users’ User Information, Access Rights Information and User Content to the extent necessary to comply with the Digital Millennium Copyright Act (DMCA) as a service provider.
d. Communication – RedShelf may use End User’s contact information for administrative and communication purposes such as notifying End Users of account activity, updates, customer service, addressing possible copyright infringement, or to contact End Users regarding any content that they may have posted to or purchased from RedShelf.
e. Improving RedShelf products & services – RedShelf uses (aggregate) Metadata and Google Analytics Data in the analytics section in order to improve its products and services in general: to assess usage of products and features and build new ones, to improve its User Experience, …;
RedShelf may use End User’s User Information, Access Rights Information and User Content (identifiable) Metadata for malware/spam detection, for personalization purposes, as well as to provide End User with help and support faced with any kind of problem they encounter and contact our customer service for.
f. Learn and Report on study behavior – RedShelf additionally uses Usage Data about IA-students, to research and allow Institutions to analyze student reading and study habits, student performance, …
3.2. What about Marketing and Advertising? - RedShelf will not use any personal information to serve End Users with third-party advertisements or marketing. Individual End Users may receive emails from RedShelf informing them about new products or services, discounts, contests, events, … RedShelf only uses online behavioral / targeted advertising to deliver interest-based ads to redshelf.com visitors when they visit other websites.
RedShelf does not direct any advertisement or marketing towards Inclusive Access-Students. Advertising or marketing may be directed to End User’s Institution only if student information is properly de-identified. RedShelf does not apply data mining or data scanning for the purpose of advertising or marketing to IA-Students.
4. Will RedShelf share any of your personal information?
4.2. Exceptional Disclosures
- a. Required by law – RedShelf may disclose personal information if required to do so by law or in the good-faith belief that such action is necessary to comply with state and federal laws (such as U.S. Copyright law) or respond to a court order, judicial or other government subpoena, or warrant in the manner required by the requesting entity;
- b. Court order or subpoena – In case RedShelf receives a court order or lawfully issued subpoena, RedShelf may re-disclose personal information from education records on behalf of End User’s institution in response to that order or subpoena. Unless said court order or subpoena explicitly precludes it, RedShelf will – prior to any re-disclosure in response to the court order or subpoena – make a reasonable effort to notify impacted End Users so they may seek protective action;
c. Protection – RedShelf reserves the right to disclose personal information that RedShelf believes, in good faith, is appropriate or necessary: to take precautions against liability; to protect RedShelf from fraudulent, abusive, or unlawful uses; to investigate and defend ourselves against third-party claims or allegations; to assist government enforcement agencies; to protect the security or integrity of RedShelf’s Platform and systems; or to protect the rights, property, or personal safety of RedShelf, our employees, other Users, or others.
d. In the event of a Merger or Sale – In the event that RedShelf is acquired by or merged with a third-party entity, RedShelf reserves the right, in any of these circumstances, to transfer or assign the information that RedShelf has collected from End Users as part of that merger, acquisition, sale, or other change of control. Any such assignment would, along with the data, transfer any and all of RedShelf’s obligations as well as rights regarding data security and privacy protection to the assignee, not affecting and thus safeguarding End Users’ personal information.
- For Institutional End Users, any such assignment will safeguard the Institution’s control over the use and maintenance of the education records and any PII contained therein.
4.3. Sharing of de-identified Data – RedShelf will only transfer de-identified Data to third parties who agree not to attempt any re-identification.
4.4. Necessary disclosure of select information – As a rule, RedShelf only shares de-identified information with third parties. In some instances however, in order to render our services and to provide End User with access to the Content, RedShelf needs to share User Information (name, email address and RedShelf ID number) with other parties.
- a. Disclosures to other School Officials – For Institutional End Users, RedShelf will share certain User Information, Course Information, Usage Data and User Content with relevant administrative and academic staff and faculty within the Institution, which RedShelf may assume to be school officials under FERPA as well.
- b. Disclosures to Content holders – RedShelf needs to share certain User Information, Access Rights Information and Usage Data with Content holders and other educational service providers that are instrumental in the delivery of and reporting on the Content and services to End Users.
- For Institutional End Users, RedShelf may assume these Content holders and other educational service providers to be school officials as well, pursuant to FERPA.
5. How long will RedShelf collect/keep your personal information?
5.1. Request to anonymize – Under certain circumstances, End User can request that RedShelf anonymizes his/her user account. In order to file a request to anonymize, End User can contact email@example.com. As a result of such (confirmed) request, RedShelf will de-identify as much personal information as possible, given the restrictions mentioned in section 5.3. After a RedShelf account has been anonymized, RedShelf will have no means whatsoever to retrieve/re-identify any User Information, any Access Rights Information or any Usage Data or any other information linked to such anonymized End User. End User will be warned thereof and asked to confirm his request through email (see section 5.2).
5.2. Final notice – Prior to proceeding with the anonymization of an End User’s account, RedShelf will notify such End User: (i) to inform End User that the anonymization of his/her account will be permanent and not-reversible; (ii) if applicable, to inform End User that he/she will lose access to any and all Content; (iii) to ask End User to confirm his/her request to de-identify his/her personal information; (iv) to ask the End User for feedback on our services and the reason for anonymizing. RedShelf will notify End User based on the email address RedShelf has on record.
5.3. Exceptions/ limitations:
- a. Active access rights - End Users who still have active access rights to certain Digital Content, will irreversibly lose access to such Content upon anonymization, and RedShelf will only proceed with such anonymization (i) after such End User explicitly confirms the Digital Content can be de-activated; and (ii) to the extent that no other limitations preclude anonymization (see this Section 5.3);
- b. Accessed content less than 2 years ago – In case End User has accessed any Digital Content in the 2 years prior to the anonymization request, User cannot be de-identified;
- c. Transaction data – Certain User information contained in transaction data cannot be removed from RedShelf’s records for tax, audit and liability purposes, and will therefore survive any un-subscription or request for anonymization;
- d. Inclusive Access – For Institutional End Users, the Institution through which an End User was provided access to Content on the RedShelf Platform, has authority over their students’ personal data. Therefore, RedShelf cannot independently anonymize information of Institutional End User linked to an Institution’s Inclusive Access Program and the following restrictions apply:
- i. Individual request from End User – Institutional End Users cannot request to have their account anonymized directly by RedShelf, but are advised to contact their Institution’s administration, who will then coordinate with RedShelf over any such request. In any case, RedShelf can only anonymize user accounts to the extent described in section 5.3. a. through c.
- ii. Students with Continued access – In the event the Institutional End User graduates, or for any other reason is no longer enrolled in or linked to the Institution, but still has active access rights to certain content, such Institutional End User will have Continued Access. RedShelf will keep the personal information unless and until such End User requests and confirms that RedShelf anonymize his/her account, pursuant to sections 5.1 through 5.3.
- iii. Institution’s request to anonymize – In the event an Institution directs RedShelf to de-identify certain or all Personally Identifiable Information relating to its students, RedShelf will only do so to the extent described in section 5.3. a. through c.
6. Data Security
6.1. RedShelf’s Security measures – RedShelf uses commercially reasonable physical, managerial, and technical safeguards to preserve the integrity and security of RedShelf’s systems and End Users’ personal information. These measures can only be effective to the extent End User applies equally reasonable precautionary measures.
- a. Identification – RedShelf verifies End User’s identity (through double authentication) before granting account access to his/her account and Content, or before making corrections to End User’s User Information or User Content. However, END USER IS RESPONSIBLE FOR MAINTAINING THE SECRECY OF HIS/HER LOGIN INFORMATION AT ALL TIMES.
- b. Security Incidents – If RedShelf learns of a security systems breach, RedShelf will electronically notify both the relevant authorities (security breach agencies) as well as impacted End Users so that they can take appropriate protective steps. REDSHELF THEREFORE INSISTS END USER TO KEEP HIS/HER USER INFORMATION UP TO DATE AT ALL TIMES. RedShelf may post a notice on redshelf.com if a security breach occurs.
6.2. No warranty – RedShelf cannot, however, ensure or warrant the security of any information End User transmits to RedShelf, and End User does so at his/her own risk. Once RedShelf receives End User’s transmission of information, RedShelf makes commercially reasonable efforts to ensure the security of our systems. However, please note that RedShelf does not guarantee that such information will not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards. No data transmission over the Internet or information storage technology can be guaranteed to be 100% secure. SECURITY MECHANISMS IN THE SERVICES HAVE INHERENT LIMITATIONS.
7. RedShelf's commitment to Children's Privacy
7.1. Children’s Privacy Protection – Protecting the privacy of young children is especially important. For that reason, RedShelf does not knowingly collect or maintain personal information from persons under 13 years-of-age.
- a. If RedShelf learns that personally-identifiable information of persons less than 13-years-of-age has been collected on or through RedShelf, then RedShelf will take the appropriate steps to delete this information.
- b. RedShelf invites the parent or legal guardian of a child under 13 who has become a RedShelf End User, to contact RedShelf at firstname.lastname@example.org to have that child’s account terminated and information deleted.
For Inclusive Access Students between 13 and 18, parental consent forms are collected by the students’ Institution.
7.3. Monitoring tools for parents - The following are some resources that may help parents and legal guardians in monitoring and limiting your children’s access to certain types of material on the internet. While RedShelf does not endorse these products, RedShelf provides information about them as a public service to our community.
- "OnGuard Online," maintained by the Federal Trade Commission.
- The Child Safety Network
- Control Kids
- Cyber Sitter
- Net Nanny
8. International visitors
For users visiting RedShelf from non-U.S. Territories, please note that any data that passes through RedShelf will be transferred outside such non-U.S. Territory for use by RedShelf and its affiliates for any of the purposes outlined in this Privacy Notice. By providing data to RedShelf, End User hereby expressly consents so such transfers of data to the United States or other countries.
9. Changes and update to this privacy notice
This Privacy Notice may be revised periodically, which will be reflected by an updated “last modified” date mentioned at the top of this document. End User will be notified of any updates to this Privacy Notice and will be asked to re-accept them.
For Institutional End Users, RedShelf will not change what Data is collected, or how Data is used or shared under the terms of this Privacy Notice without notice to End Users’ Institution.
10. RedShelf Contact Information
RedShelf is committed to addressing and resolving any complaints about End User privacy and RedShelf’s collection or use of End Users’ personal information. For all questions, inquiries or complaints regarding this Privacy Notice or RedShelf’s privacy practices, please first contact RedShelf at: RedShelf, Inc., 500 N Dearborn St. Suite 1200, Chicago, IL 60654, or by email: email@example.com. RedShelf will respond to your inquiry within 30 days of its receipt.
END USER ACKNOWLEDGES TO HAVE READ AND UNDERSTOOD THIS PRIVACY NOTICE, AND TO AGREE TO REDSHELF’S PRIVACY PRACTICES HEREIN.