Effective Date: November 28, 2020
The information we collect from users of our Services include the following:
School information for your Wavely network (e.g., school name, mailing address, time zone, payment, and billing information)
Profile information for each network admin user profile (e.g., first and last name, email, position/title, and password).
Profile information for each student and responder user profile (e.g., first and last name, email, student or employee ID, grade level (of students), position/title (of responders), and password).
When this information is collected, we use it in the following ways:
To provide and maintain our Services.
To notify you about changes to our Services.
To provide customer support.
To gather analysis or valuable information so that we can improve our Services.
To monitor the usage of our Services.
To detect, prevent and address technical issues.
To notify users about important app updates and changes via email (e.g., account verification, changes/updates to features of our Services, technical or security notices. You may not opt-out of Service-related emails).
We will not collect, maintain, use, sell or share this collected information or Student PII. We will also not build a personal profile of a student other than for supporting an authorized school purpose or as authorized by a parent or legal guardian. Additionally, we will not use or disclose Personal Data or Student PII collected through our Services for behavioral ad targeting.
The Student PII that is collected, used, shared, and retained will only be used for purposes for which we are authorized by a school, school administrator, staff member, or the parent or legal guardian of a student. We will also support access to and correction of Student PII by a student or their authorized parent or legal guardian, either by assisting the school in meeting its requirements or directly when the information is collected directly from the student with parental consent.
We may also collect information that your browser sends whenever you visit our website or when you access our Services by or through a mobile device ("Usage Data"). This Usage Data may include information such as your computer's Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Services that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data. When you access our Services with a mobile device, this Usage Data may include information such as the type of mobile device you use, your mobile device unique ID, the IP address of your mobile device, your mobile operating system, the type of mobile Internet browser you use, unique device identifiers and other diagnostic data.
Tracking Cookies Data.
Examples of Cookies we use:
Session Cookies which we use to operate our Services.
Preference Cookies which we use to remember preferences and various settings.
Security Cookies which we use for various security purposes.
Legal Basis for Processing Personal Data Under the General Data Protection Regulation (GDPR).
We need to perform a contract with you.
You have given us permission to do so.
The processing is in our legitimate interests and it is not overridden by your rights.
For payment processing purposes.
To comply with the law.
Retention of Data.
Transfer of Data.
Disclosure of Data.
Business Transaction: If Wavely is involved in a merger, acquisition, or asset sale, we will allow a successor to maintain your Personal Data and Student PII only if the successor entity agrees to act in accordance with the Student Privacy Pledge. If they do not, users will be given the option to send their information to the future entity or have their information deleted.
Disclosure for Law Enforcement: Under certain circumstances, Wavely may be required to disclose your Personal Data and Student PII if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).
Legal Requirements: Wavely may disclose your Personal Data and Student PII in the good faith belief that such action is necessary to:
To comply with a legal obligation.
To protect and defend the rights or property of Wavely.
To prevent or investigate possible wrongdoing in connection with our Services.
To protect the personal safety of users of our Services or the public.
To protect against legal liability.
Data Protection and HIPAA/FERPA Compliance.
Onboarded students and staff will receive a welcome email that includes a unique authorization code and access code assigned to their student or employee ID. This information, along with a secure password, is required to activate and access their profile. All data passing through the platform, whether it is through our online or our mobile application, is encrypted. This means that all user data is converted into complex code to ensure that its contents cannot be understood, intercepted, or collected - read further for more details.
Here is a breakdown of current security safeguards we've established to ensure data encryption in compliance with HIPAA and FERPA:
Our AWS EC2 Instance is encrypted. No one can use it without the MyKeyStore.pem file. All of our code is placed inside the encrypted directory. Our code is placed in a private repository on Bitbucket.org. Only we have complete access to the code.
No one can deploy the code without the AWS Sign-In Password and Username. The FTP server also cannot be connected without the MyKeyStore.pem file.
In our EC2 instance on AWS, we have only enabled secure communication options such as HTTPS-based or TCP/SSL-based to protect the confidential PHI data for the end-to-end communication, and all the list of PHI data is encrypted.
To access the RDS database the MyKeyStore.pem file is also required.
We are using the SHA-256 Cryptographic Hash encoding method. If we have a message “hello how are you”. Its encrypted form is “f5bf53fcd6980fedeb2495657a489cd10f5fef01b52de3e309d42dca10908948“.All the data of schools and user is encrypted. No one can decrypt the data without the key.
All the data which is passing through the internet gateway whether it is on our web or mobile application(s) is encrypted.
We use the Indirection strategy. When a new object containing PHI is written to S3 via S3 Transfer Acceleration, an S3 trigger signals AWS Lambda to write the appropriate metadata to an Amazon SQS queue. A service running on Amazon EC2 polls the SQS queue, and if new data is available, pulls the PHI data from S3. A second Lambda function triggers a mobile alert, notifying that processing of data has begun. In this example only S3 and EC2 are used to store, process, and transmit all PHI data; Lambda and SQS are only used to orchestrate services or notify when jobs should begin.
Please also know that the security of your data is important to us but remember that no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data and Student PII, we cannot guarantee its absolute security. Additionally, we cannot control the actions of anyone with whom you or any other Wavely users may choose to share information transmitted through our Services. Therefore, we cannot and do not guarantee that content you or any user shares through our Services will not be viewed by unauthorized persons. It also is your responsibility to keep your phone, computer, and access to our Services secure. We, therefore, recommend that you do not jailbreak or root your phone, which is the process of removing software restrictions and limitations imposed by the official operating system of your device. It could make your phone or computer vulnerable to malware, viruses, malicious programs, compromise your phone’s or computer’s security features and it could mean that our Services will not work properly or at all.
Lastly, keep in mind that you are responsible for any content you provide in connection with our Services. We cannot control the actions of anyone with whom you or any other Wavely users may choose to share information. Therefore, we cannot and do not guarantee that content you or any user shares on our Services will not be viewed by unauthorized persons. We will occasionally provide schools with resources to help protect the security and privacy of Student PII while using our Services.
Enforcing Development Privacy and Security.
Wavely incorporates privacy and security procedures when developing or improving our products, tools, and services and comply with applicable laws. We do this by taking a programmatic approach to privacy and security, applying privacy and security by design principles; considering privacy and security best practices; or analyzing guidance concerning reasonable privacy and security measures and comprehensive privacy and security programs. Factors we consider include the potential for misuse or unexpected use of Student PII; the privacy and security practices of third party vendors (if any); the potential harms that could result from product development or improvement; and whether any of these risks could be mitigated with additional training or resources for product users, educational institutions, or parents and students. We also carefully evaluate the use and development of new technologies in our products and services to consider the potential impact on the privacy and security of Student PII.
Our Policy on "Do Not Track" Signals under the California Online Protection Act (CalOPPA).
We do not support Do Not Track ("DNT"). Do Not Track is a preference you can set in your web browser to inform websites that you do not want to be tracked. You can enable or disable Do Not Track by visiting the Preferences or Settings page of your web browser.
Your Data Protection Rights under the General Data Protection Regulation (GDPR).
If you are a resident of the European Economic Area (EEA), you have certain data protection rights. Wavely aims to take reasonable steps to allow you to correct, amend, delete or limit the use of your Personal Data and Student PII. If you wish to be informed about what Personal Data and Student PII we hold about you and if you want it to be removed from our systems, please contact us. In certain circumstances, you have the following data protection rights:
The right to access, update or delete the information we have on you: Whenever made possible, you can access, update or request deletion of your Personal Data and Student PII directly within your account settings section. If you are unable to perform these actions yourself, please contact us to assist you.
The right of rectification: You have the right to have your information rectified if that information is inaccurate or incomplete.
The right to object: You have the right to object to our processing of your Personal Data and Student PII.
The right of restriction: You have the right to request that we restrict the processing of your personal information.
The right to data portability: You have the right to be provided with a copy of the information we have on you in a structured, machine-readable, and commonly used format.
The right to withdraw consent: You also have the right to withdraw your consent at any time where Wavely relied on your consent to process your personal information.
Please note that we may ask you to verify your identity before responding to such requests. You have the right to complain to a Data Protection Authority about our collection and use of your Personal Data and Student PII. For more information, please contact your local data protection authority in the European Economic Area (EEA).
Children’s Online Privacy Protection Act.
The Children's Online Privacy Protection Act ("COPPA") requires that we inform parents and legal guardians about how we collect, use, and disclose Personal Data and Student PII information from children under thirteen (13) years of age. COPPA also requires us to obtain the consent of parents and legal guardians for children under thirteen (13) years of age to use our Services. Parents and legal guardians may be referenced collectively as “Parents” herein.
For Children Under 13 - Please Read: Prior to using our Services, your parent or legal guardian is required to sign a technology consent form that gives you authorized permission to use our Services. It is the responsibility of your school to distribute and maintain a record of these completed consent forms. You will only be onboarded to your school’s Wavely network if your school administration has a record of this signed technology consent form.
For Parents of Children Under 13 - Please Read: If your child is using our Services without your consent, contact your school administration immediately. Prior to your child using our Services, you are required to sign a technology consent form that gives your child authorized permission to use our Services. It is the responsibility of your school to distribute and maintain a record of these completed consent forms. Your child will only be onboarded to your school’s Wavely network if your school administration has a record of this signed technology consent form.
When you send us an email or complete a contact form on our website, we use your email address to thank you for your comment and/or reply to your question, and we will store your communication and our reply for any future correspondence. Beyond our initial reply, we will never use your email address to send any unsolicited message or information, nor will we share it with or sell it to anyone else for such use.
When you accept to receive information about our Services, promotions, newsletters, press releases, and/or new offers, we use your email address and other information you give to provide you with information or other Services, until you ask us to stop (using the “unsubscribe” instructions provided with each email communication).
When you request information or other Services from us, we use your email address and any other information you give us to provide you with the information or other Services that you requested until you ask to stop (using the “unsubscribe” instruction provided with email, and/or on the site where you signed up, and/or as we otherwise provide), or until the information or Service is no longer available.
We will never use your email address or other information to provide you with unsolicited messages or information (unless that is part of the Service you are requesting), nor will we share it with or sell, rent, or lease it to any third party for such use.
We may employ third-party companies and individuals to facilitate our Services ("Service Providers"), provide our Services on our behalf, perform Service-related services or assist us in analyzing how our Services are used. These third parties have access to your Personal Data and Student PII only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose. The third parties who have access to this information are required by Wavely to have the same privacy policies that are consistent with those of the Student Privacy Pledge.
We may use third-party Service Providers to monitor and analyze the use of our Services. A third-part Service Provider we use is “Google Analytics”. Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of our Services. This data is shared with other Google services. Google may use the collected data to contextualize and personalize the ads of its own advertising network. For more information on the privacy practices of Google, please visit the Google Privacy Terms web page:
Links to Other Sites.
Wavely will from time to time provide resources to support educational institutions/agencies, teachers, or parents/students to protect the security and privacy of Student PII while using our technology. The primary security tips we encourage all users to follow are as follows: use a secure password; secure your phone or computer with a password or passcode; disable lock screen notifications; stay private on wi-fi networks.