Student Privacy and Storyboard That

This is an addendum to our Terms of Use and Privacy Policy that only apply for our educational edition. Learn about our educational edition.

We are constantly looking to improve our policies. Please contact us at Contact-Us@StoryboardThat.com if you feel we need further clarification, or are missing something.

Although no system is 100% perfect, we have designed our system and taken reasonable precautions and then some to follow these policies to address concerns of FERPA, CCPA, GDPR, and COPPA. We have also signed the Student Privacy Pledge.

Table of Contents

• Our Business Model
• Contacting Us
• Personally Identifiable Information (PII)
  • How is PII Used
    • User Names
    • Storyboards, User Generated Content and Privacy
    • Rostering
• Data Policies
  • Downloading Storyboards
  • Disclosing Data
  • Reviewing PII
  • Transferring Data
  • Data Ownership
  • Deleting Your Data
    • Backup Exception
• Data Breach
• Our Promises
• IT Security and Data Storage Practices
• State Specific
  • California and SOPIPA
  • Connecticut
  • Illinois (Illinois Student Online Personal Protection Act)
  • New York (Ed 2D)
  • Washington State

Our Business Model

Our business model in the education space is to provide an amazing product leveraging the power of digital storytelling to positively improve Critical Thinking, Communication, Collaboration, and Creativity. We sell this product directly to teachers and schools, and all of our marketing efforts are centered on this objective.

We do not market to kids and students, since they are not a target purchaser and as a result we have no need to collect, mine, or advertise to them. We do not show any advertisements within the educational version to students.

In order to provide recommended resources we may look at data a teacher has generated to recommend activities/content to the teacher. An example would be if we detect a teacher is teaching Romeo and Juliet, we might recommend other activities for Shakespeare. This is only internal to Storyboard That, and not based on any student data, and designed specifically for the teachers.

There are some small advertisements on the site to order school-related supplies off of Amazon, Teachers Pay Teachers, or similar websites, but these are targeted towards Adults.

We can be Contacted at

Email at Contact-Us@StoryboardThat.com
Phone at +1-617-607-4259
Mailing Address:

Storyboard That
PO Box 920504
Needham, MA 02492

Personally Identifiable Information (PII)

We want to know as little as possible about our student users as we can to protect their privacy. We do not ask for email addresses when signing up in the educational version, nor is there a place to add it later. In general, it is our policy not to collect, maintain, use, or share PII beyond that needed for educational purposes, or as authorized by a parent, guardian, or student 13 years of age or older. We do not sell PII. We also do not use PII for the purpose of behavioral targeting of advertisements to students, nor for the building of personal profiles of students except as authorized by a parent, guardian, or student 13 years of age or older.

Subject to the foregoing, we collect limited personal information and other personal identifiers, as explained in in the “What Information Do We Collect” section of our Privacy Policy. As further explained in our Privacy Policy, such categories of personal information include IP addresses of users, metadata collected through the use of cookies, usernames and passwords of student users, names of student users, and content generated by students through their use of the service.

As also explained in the Privacy Policy we receive and utilize hashed information regarding email addresses.

How is Personally Identifiable Information (PII) Used

Use of PII is subject to our Privacy Policy and to the provisions explained below.

User Names

User names and display names (friendly human readable name) are shown internally within your educational account and appear in URLs for user created content. If a student has PII in their user name, either an account admin or a member of the Storyboard That staff can delete their account, or change the user name.

Storyboards, User Generated Content and Privacy

Due to the nature of Storyboard That, students every day create absolutely amazing original and creative content. By default all storyboards created under an educational account are private.

• The image files are stored encrypted and need a token to access them that expires after a short time period
• The URL to a storyboard will only be visible to a school teacher/admin and the student

At the sole discretion of the account administrator this security can be removed allowing the storyboard to be shared which will expose the user name and display name of a user to the internet. There is a reminder that this should only be done after verifying with your own policies and the security requirements of your students / school.

Other notes:

• It is a violation of our policies to include photos of anyone under the age of 13 (and there is a warning when uploading)
• It is a violation of our policies to provide personal information like name or address (and there is a warning when saving)

Rostering / Class Information

If the information is available, Storyboard That uses the relationship between teachers, students and classes to organize student and teacher dashboards. This allows the website to give only a subset of students in an account access to an assignment.

Data Policies

Disclosure, review, transfer, and ownership of PII is subject to our Privacy Policy and to the provisions explained below.

Downloading Storyboards

One of the best part of Storyboard That is making storyboards, and students and teachers alike have a desire to download their creations. When viewing a storyboard, a storyboard can be printed out or downloaded in a variety of digital formats. Please see our Storyboard Copyright and FAQ page for an understanding of the extensive uses we permit. Once downloaded we have no ability to control or monitor what is in the storyboard, or how it is shared.

Disclosing Data

Since we collect minimal PII, we have no way to contact users outside of the admin. We will happily work with a school admin to provide any and all data that is relative to their account. We will also provide any data to any valid legal, regulatory, or judicial request.

Per our Terms of Use and Privacy Policy we do use 3rd party tools like Google Analytics to aggregate site usage and performance. We are not in the business, nor do we want to be of selling student data in any way.

We will respond to the best of our abilities to basic customer service inquiries initiated by a student/parent, but we strongly prefer to work directly with the school. Basic inquiries are typically limited to “how do I do X in the storyboard creator?” Requests for more detailed information must come through the school directly.

Reviewing Personal Data

Students can review all of their work and PII from their student dashboard while logged in. If a parent / legal guardian would like to discuss anything about an account we will need the account admin to make an introduction to verify the authenticity of the request. After we know the authenticity we are happy to work to address any issues.

Transferring Data

If a student wishes to transfer their data to a personal account the process is as follows:

1. A parent/guardian must purchase a premium account
2. The school admin must notify Contact-Us@StoryboardThat.com of the user name of both the student and the new user name purchased AND
3. The school admin must tell Storyboard That to either: move data from one account to another, or to copy the data so it still also exists in the school account
   • Once the accounts are linked the parent/guardian may request additional transfers of data

A student may also download their data – see (download section)

Data Ownership

We know some schools require the ownership of their data per their policies. If you require this please write in and we will mark your data as owned by you

Deleting Your Data

At any time, any school administrator can delete students and their storyboards off of our systems. We can also delete all of your data upon explicit request. After 4 years (or less at our discretion) of inactivity we will delete student data. If a parent would like their child's data deleted, that request must come through the school to verify authenticity of the request. Due to the interactive and user generated content nature of Storyboard That, user data needs to be retained for the duration of a user wanting their content.

By Default all educational accounts are set to automatically delete student data 30 days after the account has expired. This can be changed for paying users in their dashboard, or by contacting support. Every step of the deletion process sends written confirmation

Per notes elsewhere on this document the data is used for educational purposes, improving the product, and supporting customer support needs. We do not use student data for advertising or marketing

Backup Exception

Storyboard That is a very complicated program and uses a number of industry standard backup policies as well as maintaining error and audit logs. After deleting your data there may be historical remnants in backups that due to their snapshot nature cannot be scrubbed. The majority of these systems are automatically deleted on a regular basis, and the remainder are manually deleted on a regular basis as part of our ongoing site maintenance policies.

Data Breach

In the event of a data breach, we will notify school admins within a reasonable time period after we fully understand the impact and can effectively communicate the situation. Since we do not have contact information for students it will be up to the school/admin to notify parents.

Our Promises

• We do not create profiles of students for anything other than school purposes
• We do not sell our student data
  • With an exception if we were to sell / merge the company (merger, acquisition, asset sale or similar transaction) our service and data would go to our acquirer / combined venture.
• We do not target advertisements at students
• We do not knowingly disclose student data unless that data is explicitly and intentionally made public by the school/teacher, or required by law
• At any time any administrator can delete any and all data from our systems
  • Excluding backups, see above
• We do have access to view and edit your data which we use to improve our product offering (ex: by looking at which features/art are used and how), assist with customer care issues, and verify our systems are running the way we intend.
  • Any employee or contractor with access has signed an extensive NDA, and must follow our IT policies
  • Repeating our policies again, we do not sell or license this data to any third party, or use this data in any way to advertise to students

IT Security and Data Storage Practices

We use Microsoft Azure for all of our hosting and as their customer we get world class security – see for full details Azure Security. Among other protections, they provide physical security of our servers.

Answers to Common IT Security Questions

• All data transmitted between our servers, and between us and our users, is encrypted with industry-standard TLS1.2 or better.
• Data stored on our databases are encrypted at rest, secured by firewalls, and utilize encrypted channels for all connections.
• User content with privacy settings enabled is stored on encrypted drives and accessed with short-lifetime access keys.
• All internal secure systems require a username / password or greater security (including Two Factor Authentication (TFA) and/or IP Whitelists) and administrative rights.
• All employees and contractors with access to systems have undergone criminal background checks and have yearly privacy training.
• We conduct a yearly internal IT Audit using the NIST framework .

---

State Specific

California Schools Subject to SB-1177 (SOPIPA) and AB-1584

If you are subject to SOPIPA you may write into Contact-Us@StoryboardThat.com to:

• Have your data marked as owned by you (see data ownership)
• Have all of your data deleted on a specified date (see deletion policies)
  • Note: If you ask us to delete your data the day your account is no longer actively paying, we will have no choice but to delete all your student data. You may ask us for a “30-day hold” on data deletion to give you time to make sure there is no lapse in payment

Connecticut State

Addendum for Connecticut only

Illinois

We are Illinois Student Online Personal Protection Act Compliant.

New York State

New York - We are Ed 2D Compliant

Washington State

Washington State - We are SUPER Act (Senate Bill 5419) Compliant