Privacy Policy
This Privacy Policy provides information on how Clevr protects the data provided to us by our K-12 schools, school districts, and state education agencies/ministries of education (referred to collectively as “Customers”) to process on their behalf when they, their staff, parents/guardians, and students use our products; and how Clevr ensures the secure handling of Personal Information, access, usage, storage, disclosure, retention and disposal of your Personal Information.
In this Privacy Policy, “Personal Information” refers to any identifiable information about an individual and any identifiable information that is linked to an individual.
We have policies and procedures to ensure that all Personal Information is handled carefully and securely in accordance with applicable privacy laws.
Clevr is committed to protecting the privacy of your data that is collected and used in the course of commercial activities. Clevr will only seek to collect and use the minimal information necessary to provide the Services you have requested from Clevr.
Canada Federal and Provincial Privacy Laws
Clevr complies with the privacy laws of Canada and the United States with respect to Personal Information, particularly in the context of staff and student educational records. We do not use customer data for any purpose other than to provide the services requested, in accordance with our contractual agreements with our customers, our Terms of Service, and this Privacy Policy. Clevr neither owns nor controls customer data, as this information rightfully belongs to the individual and/or the Customer (schools, school districts, and state education agencies/ministries of education), who engage with Clevr to access our suite of products.
We ensure all customer data is handled confidentially with no unauthenticated access to your data, therefore fully meeting the needs of our customers and satisfying all local regulations and laws.
PIPEDA
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal law that applies to the collection, use, and disclosure of Personal Information in the course of commercial activities in all Canadian provinces. PIPEDA sets national standards for privacy practices in the private sector.
Provincial laws that may apply instead of PIPEDA
A few provinces have privacy laws deemed substantially similar to PIPEDA. This means that in many circumstances, the provincial law applies instead of the federal law. Determining which law applies must be done on a case-by-case basis.
Clevr adheres to the Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, provincial privacy laws. It respects the specific language and requirements of these laws.
At Clevr, our policies and procedures are aligned with PIPEDA’s 10 fair information principles below:
Principle 1 – Accountability
A designated Privacy Officer has been identified to be accountable for our compliance with these fair information principles, and their contact information is communicated internally and externally. The Privacy Officer’s contact information is provided below in the Contact Us section of the Privacy Policy.
Principle 2 – Identifying Purposes
Our primary purpose in collecting information is to provide our Customers with a safe, secure online application so that they may perform their duties with regards to their functions.
The type of Personal Information collected will be directly related to the specified purpose it has been collected for. Clevr will not use it for any other purpose without your consent, unless permitted or required by law.
Principle 3 – Consent
We will ask for your consent before using any Personal Information for a purpose other than those that are set out in this Privacy Policy.
Principle 4 – Limiting Collection
Clevr receives customer data from its Customers, their authorized users (staff, faculty, parents/guardians and students), and processes this data on behalf of the Customer as a data processor. Clevr’s processing is strictly controlled by the Customer through contractual obligations, including data privacy agreements or privacy impact assessments.
Clevr will only seek to collect and use the minimal information necessary to access Clevr Products or provide the Services you have requested from Clevr.
Principle 5 – Limiting Use, Disclosure, and Retention
Clevr does not use, disclose, or retain customer data unless expressly authorized or required by our Customers, as outlined in our agreements with them. Given that Clevr neither owns nor controls customer data, any requests for access, review, correction, or deletion of such data must come directly from our Customers. With our customer’s consent, Clevr may receive information from third parties such as the Student Information System (SIS), Human Resources Management System (HRMS), Active Directory, etc. and integrate this information with the existing customer data stored in Clevr.
Clevr will only process data for the purposes of providing access to the Clevr products and professional services that our Customers have contracted with us to provide, and we will process such data according to instructions and the terms of our contract and data privacy agreements with our Customers.
Only information required to effectively use Clevr and deemed necessary by the Customer’s Clevr implementation team and the Privacy Officer is transferred from Customer servers and hosted on the Clevr server(s).
We keep information collected on behalf of our Customers for as long as necessary to fulfill the purpose for which it was collected, pursuant to contractual terms or as otherwise required by applicable law. We dispose of information that is not held pursuant to contractual terms within a commercially reasonable time period or at the request of a customer using reasonable measures to protect against unauthorized access to or use of information.
In partnership with our Customers, Clevr identifies changes in data collection when the integration definitions change from the Customer’s source systems.
Principle 6 – Accuracy
We take all necessary steps to ensure that all information we collect, use or disclose about you is accurate, complete, up-to-date and relevant to the service being provided.
Data accuracy is maintained through regular imports from the Customer’s external systems such as the Student Information System (SIS), Human Resources Management System (HRMS), Active Directory, etc.
Customers can use administrative tools and reports within Clevr to verify accuracy of imported data, as well as data manually recorded from Users.
Principle 7 – Safeguards
Whether Clevr is a collector or processor of your data, Clevr is committed to safeguarding your Personal Information. Clevr uses commercially reasonable physical, administrative, and technical safeguards to preserve the confidentiality, integrity, and availability of your Personal Information. As Customers entrust Clevr with their data for processing, we exert commercially reasonable efforts to fortify the security of our systems.
Clevr employs a variety of physical, administrative, and technological safeguards designed to protect your data against loss, misuse, and unauthorized access or disclosure. Our ongoing efforts are dedicated to maintaining reasonable physical, administrative, and technical security measures. Our security measures consider the type and sensitivity of the data being collected, used, and stored, and the current state of technology and threats to data. Clevr also endeavors to align its privacy and security operations to best practices and relevant international regulations.
While we strive to take every precaution to protect your personal information and data, it’s important to note that, like any online service, we cannot provide an absolute guarantee against unauthorized access, disclosure, alteration, or destruction. We want to reassure you that we implement rigorous physical, administrative, and technical safeguards to fortify the security of your information. However, given the nature of the internet, including email communications, it’s essential to be aware that these channels may not be entirely secure. Despite these inherent challenges, we want you to feel confident that we are dedicated to making every effort to safeguard your data and privacy throughout your interactions with us.
Principle 8 – Openness
We make every effort to inform our Customers and employees about our policies and practices for managing Personal Information. We make these policies and practices easily understandable and easily available.
Principle 9 – Individual Access
User access to Clevr Products and Services is restricted and controlled by the Customer.
Only authorized Clevr personnel and contractors are provided access to Personal Information and have agreed to ensure the confidentiality of this information. Reasonable steps are taken to destroy or permanently de-identify any Personal Information that is no longer required.
Principle 10 – Challenging Compliance
Any person may ask questions or challenge our compliance with the Privacy Policy by contacting our Privacy Officer. We will receive and respond to complaints or inquiries about our policies and practices relating to the handling of Personal Information and Personal Health Information. We will inform Users who make inquiries or lodge complaints of other available complaint procedures. We will investigate all complaints. If a complaint is found to be justified, we will take appropriate measures to respond.
FIPPA
The Freedom of Information and Protection of Privacy Act — also known as FIPPA, FOIPPA, FOIP or FOIPOP — is a piece of Canadian provincial legislation which governs how public bodies treat Personal Information, and gives individuals the right to access and change their Personal Information.
FIPPA applies to the provinces of Alberta, British Columbia, Manitoba, Nova Scotia and Ontario
At Clevr, we take the following steps to comply with FIPPA:
- The collection, use, disclosure, retention and disposal of Personal Information collected and stored in Clevr will be regulated in accordance with FIPPA and other applicable legislation so as to protect the privacy of individuals who are the subject of that information.
- We respect the rights of individuals under FIPPA, including the right to access their Personal Information, correct inaccuracies, and request the deletion of their data. Clevr provides mechanisms for users to exercise these rights.
PHIPA
In accordance with the Personal Health Information Protection Act (PHIPA), the amount and type of Personal Health Information collected by authorized users is limited to that which is necessary to fulfill the purposes identified i.e. the provision of mental or health services, assessments, treatments etc. Our practices align with the provisions set forth in PHIPA, governing the collection, use, disclosure, and protection of health-related data. We implement robust safeguards, including physical, technical, and administrative measures, to preserve the confidentiality and integrity of any sensitive personal information.
United States Federal and State Education Privacy Laws
The Family Educational Rights and Privacy Act (FERPA) is a U.S. federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. This policy is designed to comply with FERPA.
The Children’s Online Privacy Protection Act (COPPA) is a U.S. federal law that imposes certain requirements on the online collection of Personal Information from children under 13 years of age. This policy is designed to comply with COPPA.
Pursuant to State Legislations, the following state specific language is incorporated into the Privacy Policy:
California: In accordance with the California Consumer Privacy Act (CCPA), California residents have the right to request disclosure regarding the categories of Personal Information collected, the purposes for collection, and any third parties with whom this information is shared. For more information, please contact our Privacy Officer.
New York: In accordance with New York’s Education Law 2D, Clevr acknowledges and respects the privacy and security requirements governing the collection, storage, and use of student data. We recognize the importance of safeguarding the personally identifiable information of students, educators, and educational institutions. Clevr adheres to the stipulations of Education Law 2D, ensuring that the handling of student data aligns with the law’s provisions. Additionally, we acknowledge the significance of the Parent’s Bill of Rights for Data Privacy and Security, and as applicable, Clevr will comply with and attach it to contracts.
Pennsylvania: In accordance with Pennsylvania’s Breach of Personal Information Notification Act, Clevr is committed to promptly notifying affected Customers in the event of a security breach that compromises their Personal Information. If a breach occurs, we will take immediate steps to investigate the incident, mitigate potential harm, and notify impacted parties as required by law. Notifications will include the nature of the breach, the types of compromised Personal Information, and the steps recommended to protect oneself.
Collection of Data
Clevr receives data from its Customers, their authorized users (staff, parents/guardians and students), and processes that Customer data on behalf of the Customer as a data processor. Clevr’s processing is strictly controlled by the Customer through contractual obligations, including data privacy agreements or privacy impact assessments.
Clevr’s involvement is confined to granting access to its products and services in line with the instructions and terms established with its Customers. User access to Clevr Products and Services is restricted and controlled by the Customer.
The mix of data provided by each Customer will vary based on how the Customer configures the Clevr Product or Service for data collection. For this reason, it is not possible for Clevr to fully document the data that it will process for each Customer until after the Customer has fully implemented and configured the Clevr Product and Service. The configuration may also be dynamic in that the school or school district may change its data collection configuration over time. If you have questions about which data is being collected, you should direct those questions directly to the Clevr Customer (school, school district, or state education agencies/ministries of education) that controls your data.
Clevr’s Privacy Policy does not supersede the terms of any consent form, privacy notice or privacy statement from your school, school district or education institution, or stated alternatively, the terms of any agreements between you and our Customers.
Each type of data serves distinct purposes and is governed by specific controls and ownership protocols.
Personal Information
Clevr will use the Personal Information that has been provided to us in order to fulfill contracts we have with our Customers. Clevr will use the provided Personal Information for the purpose for which is intended per the terms of our customer agreement. Clevr will not use it for any other purpose without your consent, unless permitted or required by law.
Clevr acquires Personal Information through the direct data entry of Users within the application or via integration from the Customer’s external systems, such as the Student Information System (SIS), Human Resources Management System (HRMS), Active Directory, etc.
When you contact Clevr customer support services, we may collect Personal Information, such as name, email address and phone number, in order to help solve any issues you might be facing or provide the Services you have requested from Clevr.
When gathering Personal Information directly from Users via its Websites and online services, Clevr operates as a data controller. User consent is mandatory for data collection, adhering to the stipulated terms of use or service.
Transaction Data
Transaction Data is unique data generated from the use of products and services. For example, the logging of a user session may contain a unique ID that identifies the User. The unique ID is necessary for monitoring the health and security of Clevr Products and Services.
Transaction Data is identified as a distinct category, crucial for overseeing system functionality and security. Although it might incorporate elements from other data categories, it is transient and routinely purged. Control and ownership of this data rest with Clevr, and it is shared with third party service providers only as required.
Additionally, device and usage information are collected during the utilization of products.
Direct Marketing
Clevr will only use customer Personal Information for the purpose of direct marketing activities to our Customers where we have obtained your consent to do so, or in circumstances where we have collected the information directly from you and you would reasonably expect that your Personal Information would be used or disclosed for this purpose. We may use your email address to inform you about our services, such as letting you know about upcoming changes or improvements. If you send us personal correspondence, such as emails or requests for demos, we may collect Personal Information, such as name, email address and phone number for the purpose of scheduling a demonstration or sales related meeting. Clevr will provide you with the opportunity to opt out of receiving marketing materials at the time of collection and/or at any time afterwards by either unsubscribing from the email service or contacting our Privacy Officer via the contact details provided below. Clevr does not rent, sell, or otherwise provide access to student personal information to third parties for marketing or advertising purposes.
Clevr Service Providers, Partners, and Other Third Party Disclosures
Clevr works with service providers and partners to fulfill our obligations to our Customers. Customers may also contract directly with a third party and ask Clevr to share access to Customer data with that third party. Some disclosures may also be required by law.
When third parties are given access to Personal Information, we will take appropriate contractual, technical and organizational measures designed to ensure that Personal Information is processed only to the extent that such processing is necessary, consistent with this Privacy Policy, and in accordance with applicable law.
1. Service Providers.
To comply with Clevr’s obligations under applicable data protection laws and to our Customers, we provide a list of significant third party service providers that enable us to provide our Products and Services and operate our business. These service providers perform the functions described below and are considered “Subprocessors” under applicable data protection laws. We require our Subprocessors to implement proper security measures to safeguard and to respect the privacy rights with regards to Customer data and collected data.
| Data Subprocessors | Functions | Locations |
|---|---|---|
| Microsoft Azure | Cloud Services, Data Processing, and Storage | United States |
| Microsoft Azure | Cloud Services, Data Processing, and Storage | Canada |
Microsoft Azure maintains FedRAMP High P-ATOs issued by the FedRAMP Joint Authorization Board (JAB) which is the primary governance and decision-making body for FedRAMP. In addition, Azure maintains more than 400 Moderate and High Authorization to Operate (ATOs) issued by individual federal agencies for the in-scope services. More information on this can be found here: Azure and FedRAMP
2. Partners. We engage directly with certain K-12 partners to help us deliver project management services and provide additional content and functionality where the Customer has expressly requested and authorized the involvement of a subcontractor to support their implementation. Our partners are required to abide by our privacy and security requirements and are contractually restricted from using any Customer data or collected data accessed or received through us for any purposes other than as needed to perform such services.
3. Other types of Disclosures. In certain circumstances, courts, law enforcement agencies, regulatory agencies or security authorities may be entitled to access your Personal Information in accordance with applicable law.
Under no circumstances will Clevr sell or receive payment for disclosing your Personal Information.
Exercising Your Privacy Rights
To exercise your privacy rights under state, federal, provincial or country privacy legislation related to Clevr and the Customer data it processes on behalf of your educational institution, please contact your educational institution.
Changes To The Policy
Clevr reserves the right to modify or amend this Privacy Policy at any time to reflect changes to our data governance practices. If we propose any new uses of Personal Information or other material changes to the Privacy Policy we will notify you by posting them on our Websites and, if you are a User, by contacting you through your email listed in your Clevr account. The effective date of the current version of the Privacy Policy will be displayed at the bottom of the policy. We encourage you to periodically review this page for the latest information on our privacy practices.
Contact Us
If you have any questions or concerns about your privacy or this Privacy Statement, please Contact us at privacy@clevr.ca
You may also write to us at:
Clevr
413 Bird Road RR#4
Stirling, ON K0K3E0
Canada
ATTN: Privacy
Chief Privacy Officer – Kari Fraser Park
All privacy concerns related to Clevr access, personal data, processes, software features or functionality should be addressed to Clevr’s Privacy Officer.
Revision: 12/04/2024