Xello Privacy Policy
Welcome to Xello!
Xello is provided by Xello Inc., located at 1867 Yonge Street, Suite 700, Toronto, Ontario, M5S 1Y5, Canada or CASCAID Ltd, located at Dock, 75 Exploration Drive, Leicester, LE4 5NU, a subsidiary of Xello Inc. (hereinafter “Xello,” “we,” “our”), as specified in the quote or purchase order (“Order”) with the school or educational establishment or other entity who has signed the Order. In the context of this Privacy Policy, if you are in the United Kingdom or European Economic Area, CASCAID acts as a data controller for the information we process and in all other jurisdictions, Xello Inc. is the data controller of the information we process, with the exception of information processed solely pursuant at the instruction of Xello customers, including your institution, business organization, or another controller, in which case Xello Inc. and CASCAID each act as a data processor.
We are committed to protecting your personal information and satisfying all applicable legal requirements, including the Children’s Online Privacy Protection Act (“COPPA”), the Personal Information Protection and Electronic Documents Act (“PIPEDA”), the Family Educational Rights and Privacy Act (“FERPA”) and the General Data Protection Regulation (“GDPR”), through our compliance with this Privacy Policy. We agree to comply with all applicable laws concerning our collection and use of your personal information. If any translated version of this policy conflicts with the English version, the English version shall prevail.
For purposes of this Privacy Policy and our Terms of Service:
“Student Personal Information” means information that may, alone or in combination with other available information, be reasonably used to identify a current or former Student and shall be referred to as “Student Personal Information.” Student Personal Information may include, but is not limited to, FERPA Records.
Capitalized terms that are not defined in this Privacy Policy shall have the meaning set forth in the Terms of Service.
How We Collect Information
We will only collect, use, maintain and share your information in a manner allowed by applicable law.
Information Provided by Schools and Districts and Educators
Schools and Districts that use the Services provide certain information about their students (“Students”), parents or guardians of Students, and teachers, counselors and administrators (“Educators”) to create accounts. Educators, Students, parents or guardians of a Student, or authorized administrator of a School account, and School each is a “User” and are collectively referred to herein “Users.”
Schools and Districts may provide the following Student Personal Information:
- Student ID, First Name, Last Name, Gender, Date of Birth, Current Grade, Current School, and Next Year School;
- Student email address, as an optional part of the account creation process
- For Schools and Districts that implement Course Planner information about courses Students have taken, including Course Codes, Course Names, Date Courses Completed or Grade Level Completed, Final Grades, Credits Achieved, and the Term Achieved
- For Schools and Districts that implement e-Transcript services, Student transcript data for submission to colleges and universities.
Schools and Districts may provide information about a Student’s parent or guardian, including name and email address, in order to enable Xello to invite such parent or guardian to create an account and review their Students’ information in Xello. Schools and Districts may provide Educator name and email address or Educators, when creating their own accounts, will be required to provide an email address as well as first and last name. Educators may submit support requests or User Content.
We may collect the following information from a School or Authorized Administrator to set up and administer a School account:
- Authorized Administrator contact information as well as information about his/her School relevant to purchasing and setting up accounts such as School’s name, address, billing address, and number of students.
- Support requests and any other information submitted by a School or Authorized Administrators.
Information Provided by Students
With the Services, Students discover the unique pathway that’s right for them using an investigative, discovery-based learning process. As they gain self-knowledge through assessments and reflection, Students can save careers, schools, programs, and experiences to form a vibrant, visual roadmap that’s easy to update and share.
Given the purpose of the Services, Students may provide a variety of information including certain Student Personal Information in the Services. Students may provide information such as email address, phone number, mailing address, personal avatar, education goal, favorite clusters, interests, skills, test scores, work experiences, volunteer experiences, high school course plan, future readiness plans, and any other information or User Content that Students choose to provide.
Information Provided by Visitors
We may collect the following information directly from Users and other visitors:
- Requests for Information: If you submit a request for information or otherwise contact us, we collect your request and your identifying contact information (including name, email address, phone number and address).
- Support Requests: If you submit a support request or question, we receive your request/question and your associated identifying contact information.
Automatically Collected Information
When a User uses the Services or a visitor visits the Xello website, we collect information about how such individuals interact with the Services (e.g., the pages viewed, the links clicked, and other actions taken on the Services) and usage of the Services over time. Our servers automatically collect other information about Users or visitors that may include web request, Internet Protocol (“IP”) address, browser type, and mobile device information. We may also collect analytics data, or use third-party analytics tools, to help us measure traffic and usage trends for the Services. We do not allow any third-party advertising networks to collect information about Users of the Services.
How We Use Information
We use the information we collect, including Student Personal Information and User Content, to help Students create a successful future.
Specifically, we use such information to:
- provide, improve and analyze the Services;
- respond to questions, comments, and requests for information or provide customer support;
- comply with applicable law or legal process.
- detect, investigate and prevent activities that may be a violation of our Terms of Service or law
- administer, troubleshoot and secure the Services;
- as directed by a School or District that has licensed the Services.
We do not sell or rent Student Personal Information or the User Content provided in the Services, including for the purpose of advertising. Nor do we disclose or provide any of the Student Personal Information or User Content provided to third parties for any purpose except as described in this Privacy Policy or directed by a School.
We use and share de-identified and aggregate information for a variety of purposes including improving the design, features, and functionality of the Services, for marketing purposes, for general business purposes, and for administrative purposes.
In addition to the above, we use School or School Authorized Administrator information to send information about features on the Services or changes to our policies and communicate with Schools about the Services, including your account, transactions with us and security alerts.
How We Share Information
We may permit certain trusted service providers to analyze usage of the Services, as well as analyze information such as the source address that a page request is coming from, your IP address or domain name, the date and time of the page request, the referring website (if any), and other parameters in the URL. This is collected in order to better understand usage of our website and the Services and enhance the performance of and maintain and operate the Services. We may also use trusted service providers to host portions of the Services infrastructure, operate various features of the Services, store content, send emails, and store data on our behalf.
We may also disclose personal information in certain special cases, including the following:
- We are required to do so by law or as ordered by a court.
- To detect, investigate and prevent activities that may be a violation of our Terms of Service or law.
- To resolve a technical problem or secure the Services.
- As directed by a School or District that has licensed Xello.
We may also share personal information or User Content in connection with a merger, financing, acquisition, bankruptcy, dissolution, transaction, or proceeding involving sale, transfer, divestiture, or disclosure of all or a portion of our business or assets to another company (or in connection with related due diligence). In these circumstances, we will only share such information with a company that has agreed to data privacy standards no less stringent than our own and after providing advanced notice to you with an opportunity to opt out of our sharing of such information.
Third-Party Services
Certain third-party products or services (such as single sign on for test preparation services) may be available for Schools to choose to integrate within or use within the Services. A School is not required to use such additional products in the Services. Before electing to use such third-party services, Schools should review the terms, policies and practices of the third-party products and services to understand their terms and policies with respect to any personal information, including Student Personal Information, they may collect. We strive to make available third-party services that will be useful to Schools, but we are not responsible for their practices, including with respect to personal information.
How We Protect Information
We are committed to protecting personal information, including Student Personal Information, and User Content submitted to the Services. We have numerous systems in place to help safeguard against security breaches, denial of service attacks, and destruction of data. These measures include physical security and backups, employee restriction to data, and a comprehensive security breach policy.
All traffic transmitted to and from the Services is encrypted using Secure Socket Layers (SSL). We use industry-standard hashing mechanisms for sensitive data, such as passwords, and all backups are securely encrypted. Network infrastructure is monitored 24/7 by an intrusion detection system, while all servers use virus protection with full antivirus pattern updates. We maintain a detailed, and frequently tested, disaster recovery plan that includes multiple layers of redundancy in addition to a robust backup strategy.
Our employees who require access to personal information, including Student Personal Information, to perform their function must complete a criminal background check and sign a non-disclosure agreement prior to employment.
Your Choices
Information Provided by Schools and Districts
Information provided by Schools and Districts is controlled by such educational institutions. If you have any questions about reviewing, modifying, or deleting the personal information they have provided us, please contact your educational institution directly.
Schools may update account information and modify the Services by signing in to the administrator account or by contacting us.
Information Provided by Students
The Services offer a robust set of tools and features which allow Students to edit or delete Student Personal Information and User Content that they have added.
Students may also request changes or deletions to Student Personal Information and User Content provided by emailing us at privacy@xello.world. We will respond to your request, when permitted by law, within 30 days. Please note, this request may be referred to the School for instruction.
Users can update their individual notification preferences for the Services to control certain service-related messaging. Other service-related messaging (such as password reset communication) cannot be disabled.
Information Provided by Other Visitors
Depending on a visitor’s jurisdiction, certain rights with respect to information may be available as further described below. Specifically, you may be able to request that we:
- provide access to and/or a copy of certain information we collect;
- prevent the processing of information for direct-marketing purposes (including any direct marketing processing based on profiling);
- update information which is out of date or incorrect;
- restrict the way that we process and disclose certain information;
- transfer information to a third-party provider of services;
- revoke previously provided consent for the processing of information; and
- delete certain information which we are holding (request that you be forgotten).
Please note, however, that certain information may be exempt from such requests in some circumstances, which may include if we need to keep processing your information for our legitimate interests or to comply with a legal obligation.
To make such request, you may email us at privacy@xello.world.
Data Retention
Following termination or deactivation of a School’s account, we will retain User personal information and User Content for a period of 90 days. Should the School decide to renew their contract within this 90-day period, your account and all related information will be restored. At the end of 90 days, or earlier at the request of the School, we will delete or transfer (and direct any subcontractors to delete or transfer) to School with rights in the information: Student Personal Information (including FERPA Records), personal information of Educators, and User Content in our or our subcontractor’s possession. Notwithstanding the foregoing, we may retain any such information as required by or to demonstrate compliance with applicable law.
At any time upon termination of an agreement or otherwise at their discretion, School can request we delete all Student Personal Information and User Content. We will follow these instructions within 30 days of receipt.
For other visitors’ information, we maintain information as long as necessary to provide the requested Services or as necessary under law.
Legal Basis for Use (e.g., processing) of information
The laws in some jurisdictions require companies to tell you about the legal grounds they rely on to process your information. Our legal bases for processing your information as described in this Privacy Policy are as follows:
- Where use of information is necessary to perform our obligations under a contract (for example, to comply with the terms of service of our Services; and/or our contract to provide our Services);
- Where use of information is necessary for our legitimate interests or the legitimate interests of others (for example, to provide security for our Services; operate our Services; make and receive payments; comply with legal requirements and defend our legal rights; prevent fraud);
- For legal compliance;
- With consent; or
- Other grounds, as required or permitted by law in the specific respective context.
Location of Data Storage and Processing
Please note that data collected in the US, Canada and the UK will remain stored in the country of origin. Data collected from users in other countries will be stored in the country where the application originates. For example, if a user is accessing the US version of Xello, their data will be stored in the US.
In addition, in providing the Services, we may process your data in other jurisdictions where Xello (and its service providers) operates which includes the US, Canada and the UK.
Children’s Privacy
Students are not allowed to create their own accounts in the Services. Student accounts are created under the direction of School or Educators. Only Educators provided access by the School in the Services have access to that Student’s personal information and content.
In the United States, we are required under the Children’s Online Privacy Protection Act (“COPPA”) to obtain verifiable parental consent in order to collect, use, or disclose personal information from Children under the age of 13. As provided for by COPPA, we rely upon the School to obtain parental consent for the online collection of personal information from Children who are Students of such School.
Changes to Our Privacy Policy
We may modify or update this Privacy Policy from time to time, so you should review this page periodically. If we make a material change to this Privacy Policy with respect to how we collect and use personal information, we will provide at least 30 days’ prior written notice School and Users by email to the email address specified in the applicable account. Schools are responsible for ensuring that we have an up-to-date, active, and deliverable email address to provide such notice to School and for periodically visiting this Privacy Policy to check for any changes. Similarly, Schools that license the Services for their Students will be notified by email of material changes to our Privacy Policy at least 30 days prior to any changes.
Whistleblower Policy
Xello is committed to the highest standards of openness and accountability. As a community we have a professional responsibility to speak up and report unethical behaviour. If a Xellion (current or former), contractor, volunteer, or user/customer believes Xello, or a member of staff, has taken action that is of concern towards malpractice or impropriety, all reasonable steps should be taken to communicate concerns through appropriate channels. These concerns could include:
- Financial malpractice or impropriety or fraud
- Failure to comply with a legal obligation or Statutes
- Dangers to Health & Safety or the environment
- Criminal activity
- Improper conduct or unethical behaviour
- Attempts to conceal any of these
All individuals who disclose such concerns will be protected provided the disclosure is made:
- in good faith
- in the reasonable belief of the individual making the disclosure that it tends to show malpractice or impropriety and if they make the disclosure to an appropriate person (see below). It is important to note that no protection from internal disciplinary procedures is offered to those who choose not to report through the identified channels.
Xello will treat all such disclosures in a confidential and sensitive manner. We will work to keep the identity of the individual making the allegation confidential so long as it does not hinder or frustrate any investigation. However, the investigation process may reveal the source of the information and the individual making the disclosure may need to provide a statement as part of the evidence required. An individual can disclose through the following designated channel: Confidential email submission – cultureteam@xello.world
How to Contact Us
If you have any questions regarding this Privacy Policy, please email us at privacy@xello.world.