Xello Privacy Policy

Effective Date: July 11, 2023

Welcome to Xello!

The Xello websites, applications, and services (collectively, “Services”) are provided by Xello Inc., located at 1867 Yonge Street, Suite 700, Toronto, Ontario, M5S 1Y5, Canada or CASCAID Ltd, located at Dock, 75 Exploration Drive, Leicester, LE4 5NU, a subsidiary of Xello Inc. (hereinafter collectively “Xello,” “we,” “our”). This Privacy Policy applies to the information we collect about you through the Services operated by or on behalf of Xello, including the products specified in the quote or purchase order (“Order”) with the school or educational establishment (“School”) or other entity who has signed the Order. It does not apply to information collected about employees, former employees, job candidates, or independent contractors.

In the context of this Privacy Policy, if you are in the United Kingdom or European Economic Area, CASCAID acts as a data controller for the information we process and in all other jurisdictions, Xello Inc. is the data controller of the information we process, with the exception of information processed solely pursuant at the instruction of Xello customers, including your institution, business organization, or another controller, in which case Xello Inc. and CASCAID each act as a data processor.

We are committed to protecting your personal information and satisfying legal requirements such as the Children’s Online Privacy Protection Act (“COPPA”), the Personal Information Protection and Electronic Documents Act (“PIPEDA”), the Family Educational Rights and Privacy Act (“FERPA”) and the General Data Protection Regulation (“GDPR”) through our compliance with this Privacy Policy. If any translated version of this policy conflicts with the English version, the English version shall prevail.

For purposes of this Privacy Policy and our Terms of Service:

“Student Personal Information” means information that may, alone or in combination with other available information, be reasonably used to identify a current or former Student and shall be referred to as “Student Personal Information.” Student Personal Information may include, but is not limited to, FERPA Records.

Users include, each as described and/or defined below, Educators, Students, parents or guardians of a Student (“Parents”), Authorized Administrators, Schools, Ambassadors, Post-Secondary Staff, Work-Based Learning administrators and employers who offer work-based learning.

Capitalized terms that are not defined in this Privacy Policy shall have the meaning set forth in the Terms of Service.

How We Collect Information

We will collect, use, maintain and share your information as allowed by applicable law.

Information Provided by Schools and Districts and Educators

Schools and Districts that use the Services provide certain information about their students (“Students”), Parents, and teachers, counselors and administrators (“Educators”) to create accounts.

Schools and Districts may provide the following Student Personal Information:

  • Student ID, First Name, Last Name, Gender, Date of Birth, Current Grade, Current School, and Next Year School;
  • Student email address, as an optional part of the account creation process
  • For Schools and Districts that implement Course Planner information about courses Students have taken, including Course Codes, Course Names, Date Courses Completed or Grade Level Completed, Final
  • Grades, Credits Achieved, and the Term Achieved
  • For Schools and Districts that implement e-Transcript services, Student transcript data for submission to colleges and universities.

Schools and Districts may provide information about a Student’s parent or guardian, including name and email address, in order to enable Xello to invite such parent or guardian to create an account and review their Students’ information in Xello. Schools and Districts may provide Educator name and email address or Educators, when creating their own accounts, will be required to provide an email address as well as first and last name. Educators may submit support requests or User Content.
We may collect the following information from a School or Authorized Administrator to set up and administer a School account:

  • Authorized Administrator contact information as well as information about his/her School relevant to purchasing and setting up accounts such as School’s name, address, billing address, and number of students.
  • Support requests and any other information submitted by a School or Authorized Administrators.

Information Provided by Higher Education Institutions

Colleges and universities and other higher education institutions (“Post-Secondary Schools”) that use the Services as part of Xello for Higher Education Platform (“Higher Ed Platform”), provide certain information about their Authorized Administrators, counselors, staff or faculty who are authorized to participate in Higher Ed Platform (“Post-Secondary Staff” or “Staff”) and students who are authorized serve as ambassadors to the Post-Secondary School in the Higher Ed Platform. (“Ambassadors”). Ambassadors and Staff are also “Users”.

We may collect the following information from a Post-Secondary School or Authorized Administrator to set up and administer a Post-Secondary School account:

  • Authorized Administrator contact information as well as information about his/her Post-Secondary School relevant to purchasing and setting up accounts such as Post-Secondary School’s name, address, billing address, and number of students.
  • Support requests and any other information submitted by a School or Authorized Administrators.

Post-Secondary Schools and their Authorized Administrators may provide the following information about Ambassadors or other Post-Secondary Staff:

  • First and last name,
  • email address,
  • As applicable, current year of study (for Ambassadors), title (for Staff)

Information Provided by Students, Ambassadors and Post-Secondary Staff

With the Services, Students discover the unique pathway that’s right for them using an investigative, discovery-based learning process. As they gain self-knowledge through assessments and reflection, Students can save careers, schools, programs, and experiences to form a vibrant, visual roadmap that’s easy to update and share.

Given the purpose of the Services, Students may provide a variety of information including certain Student Personal Information in the Services. Students may provide information such as email address, phone number, mailing address, personal avatar, education goal, favorite clusters, interests, skills, test scores, work experiences, volunteer experiences, high school course plan, future readiness plans, and any other information or User Content that Students choose to provide.Students who are in Schools that have turned on access to the Higher Ed Platform, can post User Content, including comments and questions on Post-Secondary School pages and participate in one-to-one chats with Ambassadors and Staff. Ambassadors and Staff can post User Content on Post-Secondary School pages, including answers to questions and information about their Post-Secondary School. They can also participate in one-to-one chats with Students.

Information Provided by Work-Based Learning Administrators & Employers

Schools and Districts may offer student users the ability to find and participate in work-based learning (“Work-Based Learning”) opportunities. We may collect the following information from Work-Based Learning administrators and employers offering Work-Based Learning opportunities:

  • Work-Based Learning Administrator and employee administrator and authorized personnel contact information.
  • Support requests and any other information submitted by such individuals.

Information Provided by Visitors

We may collect the following information directly from Users and other visitors:

  • Requests for Information: If you submit a request for information or otherwise contact us, we collect your request and your identifying contact information (including name, email address, phone number and address).
  • Support Requests: If you submit a support request or question, we receive your request/question and your associated identifying contact information.

Automatically Collected Information

When a User uses the Services or a visitor visits the Xello website, we use cookies and similar technologies to collect information about how such individuals interact with the Services (e.g., the pages viewed, the links clicked, and other actions taken on the Services) and usage of the Services over time. A “cookie” is a text file that websites send to a visitor’s computer or other Internet-connected device to uniquely identify the visitor’s browser or to store information or settings in the browser. Our servers automatically collect other information about Users or visitors that may include web request, Internet Protocol (“IP”) address, cookie or device identifier, operating system, browser type, mobile device information. We may also collect analytics data about actions taken before or while using the Services, or use analytics tools (such as Google Analytics), to help us measure traffic and usage trends for the Services. These analytics services help us understand how users arrive at and use our Services.We may also use third-party advertising partners on our public websites to advertise the Services on other sites. These tools may set and access their own cookies and similar technologies on our websites and on third-party services to collect information that can be used to track users over time and across services. We only use these on our business information websites and do not use these third-party advertising cookies on the services we provide to schools or students.

How We Use Information

We use the information we collect, including Student Personal Information and User Content, to help Students create a successful future.

Specifically, we use such information to:

  • provide, improve and analyze the Services;
  • respond to questions, comments, and requests for information or provide customer support;
  • comply with applicable law or legal process.
  • detect, investigate and prevent activities that may be a violation of our Terms of Service or law
  • administer, troubleshoot and secure the Services;
  • as directed or authorized by a School, District or Post Secondary School that has licensed and/or uses the Services  —including as described in more detail for the Higher Ed Platform below.

We do not sell or rent Student Personal Information or the User Content provided in the Services, including for the purpose of advertising. Nor do we disclose or provide any of the Student Personal Information or User Content provided to third parties for any purpose except as described in this Privacy Policy or directed by a School.

We do not serve third-party advertisements to you while using our Services. However, we do work with online advertising and analytics partners who may place cookies and similar technologies on our business information websites to deliver you more relevant Xello advertisements on third-party websites and to allow us to better tailor our own ads and communications on our Services. For example, they may use non-directly identifying information they collect from cookies on our business information websites to identify Xello services you might be interested in and to recognize your device so they can show you relevant Xello advertisements while you are using other services. Additionally, we may provide non-directly identifying information (such as “hashed” or encrypted versions of email addresses for customers or interested customers) to advertising and analytics partners, who may “match” this information in non-directly identifying form to cookies, mobile ad identifiers, and other proprietary IDs, in order to provide you with more relevant ads when you visit other online services or analyze ad performance.  We do not use student information for such purposes. You can opt out of this use of cookies for personalized ads using the “Change Cookie Preferences” link in the footer of our website.

We use and share de-identified and aggregate information for a variety of purposes including improving the design, features, and functionality of the Services, for marketing purposes, for general business purposes, and for administrative purposes.

In addition to the above, we use School or School Authorized Administrator information to send information about features on the Services or changes to our policies and communicate with Schools about the Services, including your account, transactions with us and security alerts.

How We Disclose Information

We may disclose personal information in certain special cases, including the following:

  • We are required to do so by law or as ordered by a court.
  • To detect, investigate and prevent activities that may be a violation of our Terms of Service, our other agreements with you, or any laws; to respond to claims of violations of the rights of third parties; or to protect the rights, property, or personal safety of Xello or others.
  • To resolve a technical problem or secure the Services.
  • As directed by a School or District that has licensed Xello.

We may permit certain trusted service providers and partners to analyze usage of the Services, as well as analyze information such as the source address that a page request is coming from, your IP address or domain name, the date and time of the page request, the referring website (if any), and other parameters in the URL. This is collected in order to better understand usage of our website and the Services and enhance the performance of and maintain and operate the Services. We may also use trusted service providers to host portions of the Services infrastructure, operate various features of the Services, store content, send emails, and store data on our behalf.  As described above, we also permit certain third-party advertising partners to collect information regarding visits to our business information websites to deliver relevant advertising about our Services.

We may also disclose personal information or User Content in connection with a merger, financing, acquisition, bankruptcy, dissolution, transaction, or proceeding involving sale, transfer, divestiture, or disclosure of all or a portion of our business or assets to another company (or in connection with related due diligence). In these circumstances, we will only disclose such information with a company that has agreed to data privacy standards no less stringent than our own and after providing advanced notice to you with an opportunity to opt out of our sharing of such information.

When a School turns on access to the Higher Ed Platform, Students may post questions and messages on a Post-Secondary School’s page within Xello, and Ambassadors and Staff may respond and post other information.  Such User Content will be visible to anyone who has access to the Post-Secondary School page within Xello.  When a School turns on access to the Higher Ed Platform, Students may also engage in one-to-one chat with Ambassadors or Post-Secondary Staff.  Participants in the one-to-one chat can view such messages.  Xello cannot control how others who view such posts or messages, or other User Content use and/or share those messages or User Content. 

For Schools that have turned on access to the Higher Ed Platform, Students may also choose to opt-in to “Profile Sharing” for one or more Post-Secondary Schools and the Post-Secondary School can view the Students’ profile information.  Please note, Students must opt in to Profile Sharing for each Post-Secondary School that they want to be able to view their information. Students can disable Profile Sharing at any time and Profile Sharing is turned off by default. Students in Schools who have not enabled the Community feature of the Higher Ed Platform cannot post on Post-Secondary Schools’ pages, engage in chats or opt in to Profile sharing.

When a School turns on access to Work-Based Learning, Students may apply for Work-Based Learning opportunities within Xello.  Work-Based Learning administrators can have access to Student name, grade, and school to facilitate Work-Based Learning opportunities.  Potential employers offering work-based learning will have access to Students’ applications and contact information in order to contact Students about their applications. 

Third-Party Services

Certain third-party products or services (such as single sign on for test preparation services) may be available for Schools to choose to integrate within or use within the Services. A School is not required to use such additional products in the Services. Before electing to use such third-party services, Schools should review the terms, policies and practices of the third-party products and services to understand their terms and policies with respect to any personal information, including Student Personal Information, they may collect. We strive to make available third-party services that will be useful to Schools, but we are not responsible for their practices, including with respect to personal information.

How We Protect Information

We are committed to protecting personal information, including Student Personal Information, and User Content submitted to the Services. We have numerous systems in place to help safeguard against security breaches, denial of service attacks, and destruction of data. These measures include physical security and backups, employee restriction to data, and a comprehensive security breach policy.

All traffic transmitted to and from the Services is encrypted using Secure Socket Layers (SSL). We use industry-standard hashing mechanisms for sensitive data, such as passwords, and all backups are securely encrypted. Network infrastructure is monitored 24/7 by an intrusion detection system, while all servers use virus protection with full antivirus pattern updates. We maintain a detailed, and frequently tested, disaster recovery plan that includes multiple layers of redundancy in addition to a robust backup strategy.

Our employees who require access to personal information, including Student Personal Information, to perform their function must complete a criminal background check and sign a non-disclosure agreement prior to employment.

Your Choices

Information Provided by Schools and Districts

Information provided by Schools and Districts is controlled by such educational institutions. If you have any questions about reviewing, modifying, or deleting the personal information they have provided us, please contact your educational institution directly.

Schools may update account information and modify the Services by signing in to the administrator account or by contacting us.

Information Provided by Students

The Services offer a robust set of tools and features which allow Students to access, edit or delete Student Personal Information and Users (including Students) to access, edit or delete User Content that they have added to the Services.  If Students have enabled Profile Sharing in the Higher Ed Platform, they can disable it at any time.

Students may also request changes or deletions to Student Personal Information and User Content provided by emailing us at privacy@xello.world. We will respond to your request, when permitted by law, within 30 days. Please note, this request may be referred to the School for instruction.

Users can update their individual notification preferences for the Services to control certain service-related messaging. Other service-related messaging (such as password reset communication) cannot be disabled.

Automatically Collected Information 

You can manage your cookie preferences and disable targeted advertising using cookies on our business information websites here.

If you do not want Google Analytics to collect and use information about your use of our websites, then you can install an opt-out in your web browser at: tools.google.com/dlpage/gaoptout.

Information Provided by Other Visitors

Depending on a visitor’s jurisdiction, certain rights with respect to information may be available as further described below. Specifically, you may be able to request that we:

  • provide access to and/or a copy of certain information we collect;
  • confirm that we are processing your information;
  • prevent the processing of information for direct-marketing purposes (including any direct marketing processing based on profiling);
  • update information which is out of date or incorrect;
  • restrict the way that we process and disclose certain information;
  • transfer information to a third-party provider of services;
  • revoke previously provided consent for the processing of information; and
  • delete certain information which we are holding (request that you be forgotten).

Please note, however, that certain information may be exempt from such requests in some circumstances, which may include if we need to keep processing your information for our legitimate interests or to comply with a legal obligation.

To make such a request, you may email us at privacy@xello.world. We may ask you to provide us with information necessary to reasonably verify your identity before responding to your request. We will consider all requests and provide our response within the time period required by applicable law. If we deny your request in whole or in part, you may have the right to appeal the decision. In such circumstances, we will provide you with information regarding the appeals process.

Data Retention

Following termination or deactivation of a School’s account, we will retain User personal information and User Content for a period of 90 days. Should the School decide to renew their contract within this 90-day period, your account and all related information will be restored. At the end of 90 days, or earlier at the request of the School, we will delete or transfer (and direct any subcontractors to delete or transfer) to School with rights in the information: Student Personal Information (including FERPA Records), personal information of Educators, and User Content in our or our subcontractor’s possession. Notwithstanding the foregoing, we may retain any such information as required by or to demonstrate compliance with applicable law.

At any time upon termination of an agreement or otherwise at their discretion, Schools can request we delete all Student Personal Information and User Content. We will follow these instructions within 30 days of receipt.

For other visitors’ information, we maintain information as long as necessary to provide the requested Services or as necessary under law.

Legal Basis for Use (e.g., processing) of information

The laws in some jurisdictions require companies to tell you about the legal grounds they rely on to process your information. Our legal bases for processing your information as described in this Privacy Policy are as follows:

  • Where use of information is necessary to perform our obligations under a contract (for example, to comply with the terms of service of our Services; and/or our contract to provide our Services);
  • Where use of information is necessary for our legitimate interests or the legitimate interests of others (for example, to provide security for our Services; operate our Services; make and receive payments; comply with legal requirements and defend our legal rights; prevent fraud);
  • For legal compliance;
  • With consent; or
  • Other grounds, as required or permitted by law in the specific respective context.

Location of Data Storage and Processing

Please note that data collected in the US, Canada and the UK will remain stored in the country of origin. Data collected from users in other countries will be stored in the country where the application originates. For example, if a user is accessing the US version of Xello, their data will be stored in the US.

In addition, in providing the Services, we may process your data in other jurisdictions where Xello (and its service providers) operates which includes the US, Canada and the UK. Please be aware that the privacy protections and legal requirements, including the rights of authorities to access your information, in these countries may not be equivalent to those in your country.

Children’s Privacy

Students are not allowed to create their own accounts in the Services. Student accounts are created under the direction of School or Educators. Only Educators provided access by the School in the Services have access to that Student’s personal information and content.

In the United States, we are required under the Children’s Online Privacy Protection Act (“COPPA”) to obtain verifiable parental consent in order to collect, use, or disclose personal information from Children under the age of 13. As provided for by COPPA, we rely upon the School to obtain parental consent for the online collection of personal information from Children who are Students of such School.

Additional Information for California Residents

If you are a California resident, California law requires us to provide you with the following additional information about the purpose for which we use each category of “personal information” (as defined in the California Consumer Privacy Act (“CCPA”) that we collect, and the categories of third parties to whom we either disclose such personal information for a business purpose, or to whom we “sell” personal information or “share” personal information for cross-context behavioral advertising. Under the CCPA, “sale” and “sharing” are broadly defined such that they may include allowing third parties to receive certain information, such as cookies, IP address, and/or browsing activity, to deliver targeted advertising or provide analytics on the Services or other websites and apps. When the terms “sale” and “sharing” are used in this Privacy Policy with quotes, we are referring to the CCPA definitions of these terms.

Category of Personal Information Purposes of Use Categories of Third Parties to Which Xello Discloses Personal Information Categories of Third Parties to Which Xello “Sells” or “Shares” Personal Information
Contact and account information Provide the Services; Communicate with you; Marketing and advertising; Personalize the Services; Improve the Services; Business Operations; With your consent Affiliated entities; Service providers; Online advertising partners; Connected third-party services; Entities for legal purposes; Entities for business transactions  Online advertising partners; Online analytics providers for potential customers or current customers only
Gender, date of birth, education, and employment history Provide the Services; Communicate with you; Marketing and advertising; Personalize the Services; Improve the Services; Business Operations; With your consent Affiliated entities; Service providers; Entities for legal purposes; Entities for business transactions We do not “sell” or “share”
Customer service interaction information Communicate with you; Improve the Services; Business Operations; With your consent Affiliated entities; Service providers; Entities for legal purposes; Entities for business transactions We do not “sell” or “share”
Information collected through automated technologies Provide the Services; Marketing and advertising; Personalize the Services; Improve the Services; Business Operations; Recognize a user across multiple touchpoints across Services; With your consent Affiliated entities; Service providers; Online advertising partners; Connected third-party services; Entities for legal purposes; Entities for business transactions Online advertising partners; Online analytics providers for our business websites only

 

For more information about each category, purpose of use, and the third parties to which we disclose, “sell,” or “share” information, please see the sections “How We Collect Information,” “How We Use Information,” and “How We Share Information” above.

Your Choices Regarding “Sales” and “Sharing.”
To opt out of our “sales” of your personal information or our “sharing” of your personal information for purposes of cross-context behavioral advertising, please click here.

Other CCPA Rights.  The CCPA also allows you to limit the use or disclosure of your “sensitive personal information” (as defined in the CCPA) if your sensitive personal information is used for certain purposes.  Please note that we do not use or disclose sensitive personal information as defined by the CCPA.

Please see the “Your Choices” section of our Privacy Policy above for information about the additional rights you have with respect to your personal information under California law and how to exercise them.

Retention of Your Personal Information. Please see the “Data Retention” section above for information about how long we retain your information. 

Notice Concerning Do Not Track. Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers. We do not currently recognize or respond to browser-initiated Do Not Track signals. Learn more about Do Not Track

California “Shine the Light” Disclosure. The California “Shine the Light” law gives residents of California the right under certain circumstances to opt out of the disclosure of certain categories of personal information (as defined in the Shine the Light law) with third parties for their direct marketing purposes.  We do not currently disclose your personal information to third parties for their own direct marketing purposes.

Changes to Our Privacy Policy

We may modify or update this Privacy Policy from time to time, so you should review this page periodically. If we make a material change to this Privacy Policy with respect to how we collect and use personal information, we will provide at least 30 days’ prior written notice to Schools and Users by email to the email address specified in the applicable account. Schools are responsible for ensuring that we have an up-to-date, active, and deliverable email address to provide such notice to Schools and for periodically visiting this Privacy Policy to check for any changes. Similarly, Schools that license the Services for their Students will be notified by email of material changes to our Privacy Policy at least 30 days prior to any changes.

Whistleblower Policy

Xello is committed to the highest standards of openness and accountability. As a community we have a professional responsibility to speak up and report unethical behavior. If a Xellion (current or former), contractor, volunteer, or user/customer believes Xello, or a member of staff, has taken action that is of concern towards malpractice or impropriety, all reasonable steps should be taken to communicate concerns through appropriate channels. These concerns could include:

  • Financial malpractice or impropriety or fraud
  • Failure to comply with a legal obligation or Statutes
  • Dangers to Health & Safety or the environment
  • Criminal activity
  • Improper conduct or unethical behavior
  • Attempts to conceal any of these

All individuals who disclose such concerns will be protected provided the disclosure is made:

  • in good faith
  • in the reasonable belief of the individual making the disclosure that it tends to show malpractice or impropriety and if they make the disclosure to an appropriate person (see below). It is important to note that no protection from internal disciplinary procedures is offered to those who choose not to report through the identified channels.

Xello will treat all such disclosures in a confidential and sensitive manner. We will work to keep the identity of the individual making the allegation confidential so long as it does not hinder or frustrate any investigation. However, the investigation process may reveal the source of the information and the individual making the disclosure may need to provide a statement as part of the evidence required. An individual can disclose through the following designated channel: Confidential email submission – cultureteam@xello.world

How to Contact Us

If you have any questions regarding this Privacy Policy, please email us at privacy@xello.world.