Student Data Policy

This Student Data Policy supplements our Privacy Policy with regard to Student Data that we process under a student data privacy agreement with an Educational Institution. Terms used but not defined in this Student Data Policy have the meaning set out in the Privacy Policy. Where there are any conflicts or inconsistencies between this Student Data Policy and our general Privacy Policy, the terms of this Student Data Policy shall prevail with respect to the processing of Student Data, as this policy is specifically designed to address the heightened privacy protections required under educational privacy laws including FERPA, COPPA, and applicable state student privacy statutes. This Student Data Policy operates in conjunction with our contractual agreements with Educational Institutions, and together these documents form the complete framework governing our collection, use, disclosure, and protection of Student Data, ensuring compliance with both our legal obligations as a school official and the Educational Institution's responsibilities as the primary data controller under applicable privacy laws.

1. Student Data Processing and Definition:

   When an Educational Institution customer makes our Dashboard available to students for an educational purpose, Hackersjack may process personal information that is directly related to an identifiable student that is: (i) provided to Hackersjack by an Educational Institution, or (ii) collected or generated by Hackersjack during the provision of Services to the Educational Institution ("Student Data"). Student Data may include information defined as "educational records" by the Family Educational Rights and Privacy Act ("FERPA") or "covered information" under California's Student Online Personal Data Protection Act ("SOPIPA"), or other information protected by similar student data privacy laws. Our processing of Student Data is limited to the educational purposes for which it was collected and is conducted in accordance with applicable federal and state privacy regulations, including but not limited to COPPA (Children's Online Privacy Protection Act) where applicable to students under 13 years of age. We recognize that Student Data may encompass a broad range of information types, from basic directory information to detailed learning analytics and behavioral data, and we apply consistent privacy protections across all categories of Student Data regardless of the specific legal classification, ensuring comprehensive protection of student privacy rights under the most restrictive applicable standard.

2. Student Data Confidentiality:

   We consider Student Data to be confidential and do not use Student Data for any purpose other than to provide our Services on the Educational Institution's behalf, in accordance with contractual agreements with the Educational Institution. To help Educational Institutions address their obligations to protect their students' data privacy, we have implemented additional controls and procedures for Educational Institutions when they enter into a contract with Hackersjack to make our Services available to students for an educational purpose such as our [Services]. Our confidentiality protections are designed to meet or exceed the standards required under FERPA, state student privacy laws, and applicable data protection regulations, ensuring that Student Data receives the same level of protection as if it were maintained directly by the Educational Institution. We treat all Student Data as educational records subject to heightened privacy protections, implementing role-based access controls, audit logging, and encryption both in transit and at rest to maintain the integrity and confidentiality of student information throughout our systems and processes.

3. Student Data Ownership and Governance:

   As between us and the Educational Institution, Student Data are owned and controlled by the Educational Institution. Our collection and use of Student Data is governed by our contracts with the Educational Institutions and by applicable privacy laws. For example, we provide our Services to Educational Institutions as a "School Official" under FERPA and we work with Educational Institutions to help protect personal data from the Student's educational record, as required by FERPA. This school official designation means we act under the direct control of the Educational Institution with respect to the use and maintenance of education records, and we use Student Data only for legitimate educational interests as defined by FERPA and applicable state privacy laws. We maintain detailed documentation of our data handling practices and provide Educational Institutions with the transparency and control mechanisms necessary to fulfill their own legal obligations as data controllers under federal and state educational privacy frameworks.

• We collect, maintain, use and share Student Data only for an authorized educational purpose and as described in our Agreement with the Educational Institution, or as directed by the Educational Institution or by the Student's parent or legal guardian (each, a "Parent").
• We do not use or disclose Student Data for targeted advertising purposes. Specifically, personalized advertising (ads based on a user's personal information) is not used or displayed in Hackersjack's products. We are committed to protecting the privacy and data of our students. We do not share student data with third-party advertisers or use it to create profiles for advertising purposes.
• We do not build a personal profile of a Student other than in furtherance of an educational purpose.
• We maintain a comprehensive data security program designed to protect the types of Student Data maintained by the Service.
• We will clearly and transparently disclose our data policies and practices to our users.
• We will never sell Student Data unless the sale is part of a corporate transaction, such as a merger, acquisition, bankruptcy, or other sale of assets, in which case we will require the new owner to continue to honor the terms provided in this Student Data Policy or we will provide the Educational Institution with notice and an opportunity to opt-out of the transfer of Student Data by deleting the Student Data before the transfer occurs.
• We will not make any material changes to our Student Data Policy or contractual agreements that relate to the collection or use of Student Data without first giving notice to the Educational Institution and providing a choice before the Student Data are used in a materially different manner than was disclosed when the information was collected.

4. How We Share and Disclose Student Data:

   We disclose Student Data solely as needed to provide our Services on behalf of specific Educational Institutions in accordance with our contractual agreements with those Educational Institutions or with the consent of the Educational Institution or Parent. For example, Student Data and account usage data may be disclosed to or accessible by users who are authorized to use the Service on behalf of the Educational Institution, such as the student's teacher or other administrative professional. We also disclose Student Data to our trusted service providers who have a legitimate need to access such information on our behalf, subject to appropriate contractual terms to protect such data. Furthermore, we may disclose Student Data in connection with a business transaction or to support our legal rights and obligations, as described in our Information Sharing and Disclosure section of the Privacy Policy. All third-party service providers who receive Student Data are contractually required to maintain the same level of privacy and security protections that we provide, and are prohibited from using Student Data for any purposes other than providing services to us in support of educational activities. We conduct regular assessments of our service providers' data handling practices and maintain oversight of their compliance with applicable privacy laws, including FERPA requirements and state student privacy regulations that govern the disclosure and use of educational records.

5. How We Use De-Identified Data:

   We may also generate, use, and disclose de-identified information for adaptive learning purposes or customized student learning purposes, to recommend content or services relating to Educational Institution purposes or other educational or employment purposes, to develop, research and improve our Services, or to demonstrate the effectiveness of our Services. In addition, we may use de-identified information for the development and improvement of other educational sites, services and applications or technologies more generally to the extent permitted under applicable law. Our de-identification processes follow industry-standard methodologies and applicable legal requirements to ensure that re-identification risks are minimized and that the resulting data cannot reasonably be linked back to individual students. We do not attempt to re-identify de-identified information and we contractually prohibit any third parties who receive de-identified data from us from attempting to re-identify such information or combine it with other data sources for identification purposes.

   "De-identified information" means data from which all personally identifiable information has been removed or obscured so that the remaining information does not reasonably identify an individual and there is no reasonable basis to believe that the information can be used to identify an individual.

6. How We Retain Student Data:

   We will not knowingly retain Student Data beyond the time period required to support an educational purpose, unless authorized by the Educational Institution. Educational Institutions are responsible for maintaining current class rosters, and for managing Student Data which they no longer need for an educational purpose by submitting a deletion request. Please note even in the absence of instruction by the Educational Institution, we may delete or de-identify data after a period of user inactivity in accordance with our standard data retention policies. Our retention practices are designed to comply with applicable federal and state privacy laws, including FERPA requirements, while balancing educational needs with privacy protection principles. We maintain appropriate technical and administrative safeguards to protect Student Data throughout the retention period, and our deletion processes ensure secure and complete removal of data from our systems and any backup storage when retention periods expire, or deletion is requested.

   If you are using our Services on behalf of an Educational Institution and wish to access Student Data, delete Student Data or close your account, please contact us (support@hackersjack.com). If you are a Parent or Student and wish to access Student Data, delete Student Data or close your account, please direct your request to your Educational Institution.

7. Questions About Student Data:

   If you are a Parent or Student and have questions about specific practices relating to Student Data provided to Hackersjack by an Educational Institution, please direct your questions to your Educational Institution. Your school or district is the primary data controller and can provide you with detailed information about what data is collected, how it is used, and your rights regarding that information. Under FERPA and applicable state privacy laws, Educational Institutions maintain the responsibility to inform parents and eligible students about their data practices and to facilitate the exercise of privacy rights, including access, correction, and deletion requests where appropriate.