VERSION 2.0 – EFFECTIVE AS OF FEBRUARY, 2023
At Nanomonx, we believe in the privacy of our users and the protection of their data. We commit ourselves to protect the confidentiality of the data we collect from Students and Managers using our Services. We assure users of our Services that we only collect user data that is essential for educational purposes and the proper functioning of our Services. We will at no time sell or share Personally Identifiable Information (PII) with third parties. Student data will never be used for marketing purposes.
The Services consist of
- The Website : The Website can be accessed from https://nanomonx.com and all its subdomains. Subdomains are separated this way :
- Troubadour users, both Students and Managers use https://troubadour.nanomonx.com/
- Boreal Tales Managers mostly use
This will not normally be available to students.
- Classroom management, subscription purchases and other administrative actions will be done on https://www.nanomonx.com by Managers. This will not normally be available to students.
- For Boreal Tales only, The Boreal Tales Application: Installed on the user’s device, the Boreal Tales Application is used by Students to do their work and by Managers to create reading assignments.
The Services are used by two types of users :
- Parents, teachers, tutors or school administrators that can connect to any of the previously mentioned interfaces. In this document, we will use the term Manager for any adult managing subscription packages, a class or a group.
- Students or children that connect only to the Boreal Tales Application and/or the Troubadour Website. In this document, we will use the term Student for any member of the classroom that is not a Manager.
Collectively, the Students of a class and the Manager who manages it.
CLASSROOM GENERATED CONTENT (CGC)
TERMS AND CONDITIONS
Nanomonx intends to be compliant with the requirements of Canadian and US privacy laws, such as the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and the Children’s Online Privacy Protection Act (“COPPA”).
As mentioned above, consent to the collection of private information can be given either by the teacher or the parent. If the Student Account is created by a parent or teacher, accepting our User Terms will count as Consent..
We also have a system where students are able to join a Classroom through a Quick Access Code. A Student Account created this way will need to be validated within 72 hours by the Classroom’s Manager (parent or teacher) or it will be anonymized automatically since consent will not have been provided.
In order to provide the Services, Nanomonx collects personal information from Managers for the purposes of :
- Logging in a user to the Services
- Sales and billing
- Services functionality
- Managers submitting challenges to Students
- Students submitting creations to Managers
- Completing challenges as would a Student
- Ensure service availability and reliability
The following information, relative to the Manager, can be collected :
- Email address
- Billing and shipping address
- Browser and device used
- Name of the school, school level
- Payment information
- Services data
- Content created by the Manager (challenges, Student work corrections, comments to Students, etc.)
- Service Usage Data (connections, subscription packages purchased or transferred, etc.)
- Data related to errors and exceptions
In order to provide the Services, Nanomonx collects information about Students for the purposes of :
- Logging in a user in the application
- Services functionality
- Students submitting creations to Managers or correcting their work
The following information, relative to the Student, can be collected or inferred:
- Username, can be an email address.
- Display name, selected, entered and/or approved by the Manager
- School level, Manager’s name
- Services data (avatar, usage time, number of words written, etc.)
- Content created by the Student (worlds and text created by the Student)
- Data related to errors and exceptions
Note that the only personally identifiable information (PII) we might collect for a Student are :
- Display name : This can be anything and Nanomonx does not require real names to be used. Since it is often useful for Managers to use real names, they are often used in this case.
- Username : Again, the username does not have to be personally identifiable. Using a Student’s email as a username is very efficient and this information is sometimes collected.
Apart from the above, we never directly ask the Student for any personally identifiable data.
In order to provide the Services, Nanomonx does not collect the following information:
- Physiological and biometric data
- Geolocation data
- Contacts or friends list of the user
- Any data about other applications’ usage on the device
- Internet navigation history
In order to provide the Services, Nanomonx works with third parties. The collected Student data is only shared with third parties that have privacy policies that are consistent with our own Policy. Nanomonx shares data with the following third parties:
For non-student data
For Managers, we use a more diverse set of tools to maintain the business relationship:
- Customer support and relationship tools
- Newsletter subscriptions
- Business analysis
- Billing and Invoicing
- Online payment of subscriptions
While they are not restricted to a single vendor and geographical location, those tools and suppliers have proper privacy policies and terms of service that we can provide.
Unity (for The Boreal Tales Application only)
The Boreal Tales Application is developed using a software called Unity. Technical, anonymized data (data that cannot be linked to a precise user) is collected by Unity and consulted by Nanomonx. Information collected this way is solely used to find bugs, identify technical problems and improve the overall quality of the Boreal Tales Application. Note that CGC is never shared with Unity.
Unity can collect or infer the following information:
- Device IP address
- Model platform type and operating system
- Device manufacturer
- Unique device identifiers
- Graphics card type
- Technical details about the device’s components
Bugsnag (for Boreal Tales and Troubadour Services)
Bugsnag is a platform generating automated error reports. These errors (bugs) can occur during data manipulation by the Boreal Tales Application or when interacting with Nanomonx Product Websites. Error reports are provided to Nanomonx only and are deleted after 60 days. These reports are solely used by Nanomonx to identify the causes of the errors in order to fix them and provide a better experience with the Services.
The data that can be captured by Bugsnag consists of :
- The username (email address of the Teacher or username of the Student)
- The list of actions performed by the Teacher in the Nanomonx Product Websites prior to the error (stacktrace)
- The request made on our servers
- The data included in this request (this may contain CGC)
- The Teacher’s browser if the error occurred in the Nanomonx Products Websites
- The Teacher’s or Student’s browser if the error occurred in the Troubadour Services
- Language defined by the Teacher for the use of the Services
- The Teacher’s operating system if the error occurred in the Nanomonx Products Website
- The Teacher’s or the Student’s operating system if the error occurred in the Troubadour Services
Bugsnag neither uses nor consults the data collected, and only transfers it to us in the error reports.
If you choose to connect using your Google account, either a personal account, or one provided by your Employer/Education Institution by Google Workspace, Nanomonx will use that account to access sensitive data. Examples of that sensitive data include your name, email address and profile picture. If you are a teacher in a Google Classroom course, we will also access the names, email addresses and profile pictures of your students. This allows Google Classroom users to import their classrooms and configurations into Nanomonx, and allow for simple authentication and authorization. It is optional to use Google to connect to our service.
Nanomonx’s use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.
WHERE DO WE KEEP THE DATA
All student data is stored through a central provider known as Amazon Web Services in secure environments across Canada. These devices are only accessible by our own technical staff. This also applies to backups. When you use our services, you always use a secure connection between your browser and our private environment on Amazon Web Service.
Cookies are small data files that can be saved on your device when you use web pages or other online services. They are frequently used to improve web sites’ functionality. Other types of technologies can also save small amounts of data on your devices, we will integrate them to the concept of Cookies for the purpose of this document.
In order to provide the Services, Nanomonx only uses the following type of Cookies :
- Performance and functionality : These cookies are not essential but they help us personalize and optimize the user experience. For example, they can save a user’s preferences so they do not have to enter them more than once. They may also remember a user’s username and password so they do not have to enter them each time they access a web page.
WHAT DOES NANOMONX DO WITH THE COLLECTED DATA?
Nanomonx’s business model is based on the sale of subscription packages to Teachers or educational institutions (schools, school boards or districts, etc.). This is the only way that Nanomonx generates revenue with the Services. Nanomonx will never generate revenue by selling or using its users’ data outside the scope of subscription packages sales.The information gathered is used for the following purposes :
- Allowing Managers to manage the Services and play with them
- Allowing Students to play
- Billing Managers or school administrations
- Communicating Services updates or important information about the Services
- Discovering bugs and fixing them
Nanomonx does not share any personal information outside the Classroom except for the above cases, without the written consent of the Manager.
If authorized by the Manager, the Students can see the finished creations of other Students in their Classroom. The Managers can limit or prevent this access if they wish to.
Anonymized data, where individual users are not identifiable, is collected and is used for the purposes of :
- Research and development
- Customer support
ADVERTISEMENTS AND MARKETING
The Services do not show Students any advertisements, whether for other Nanomonx products or other companies’ products.
Personal information can be deleted by written request from the Manager or parent or by the Students themselves if they are 14 years old or older.
Otherwise, student’s personal information will be deleted in the following scenarios :
Scenario 1 :
The Student does not have a Manager linked to their account with a valid email or a personal confirmed email and the student has not signed in for 23 months.
Result : The student account is automatically anonymized.
Scenario 2 :
The Student has a Manager linked to their account with a valid email address or a personal confirmed email but has not signed in for 23 months.
Result : An email is sent to the email addresses linked to the account, mentioning the upcoming deletion of the account. The email contains a link to prevent the deletion, thus resetting the 23-month period. If the link is not clicked, the student account is automatically anonymized.
Scenario 3 :
The student creates an account via the fast access link (usually used in class) and no consent is given by the teacher or a tutor within 72 hours.
Result : The student account is automatically anonymized.
When the teacher, parent, tutor, school staff or any other adult has not signed in for 22 months and has no valid subscription, we will send an email to warn of the upcoming account anonymization.
If the link to prevent the anonymization is not clicked, we will send a second email later.
If the link in the second email is not clicked, the account will be anonymized a month later for a total of 24 months of inactivity.
Both warning emails also contain a link to anonymize the account right away.
Nanomonx uses industry standards of protection to prevent users’ data from being accessed, used, modified or destroyed by third parties. The methods used include, but may not be limited to:
- Containment of database(s) inside a Virtual Private Cloud (VPC), access to which is extremely restricted
- Encryption of database data in transit and at rest
- Use of SSL / HTTPS for all data transmission over the Internet
- Multi-factor authentication on administrator-level access to third-party tools
- Code reviews track security vulnerabilities
- Firewalls, private keys, anti-virus protection, and encrypted local hard drives
Note that data security cannot be 100% guaranteed due to constant advances in hacking methods and technologies. Nanomonx cannot be held responsible in the event of lost or altered user data. If any data breach occurs, concerned Manager users will be notified by email as soon as possible, and measures will be taken at the earliest opportunity to mitigate the risks associated with this data breach.
CLASSROOM GENERATED CONTENT
In their use of the Services, Teachers and Students generate a lot of content (CGC). It is the Teacher’s responsibility to make sure that CGC is appropriate for their Students. Nanomonx will neither monitor nor control this GCC nor be held responsible. The Services allow the Teacher to read and control this CGC before it is shared within, or outside of, the Classroom.
ACCESS TO PERSONAL DATA
If they forget their information and cannot login, Students cannot access their own private data. They can obtain this data (display name and username) only by asking their Teacher, who can access it through the Nanomonx Products Websites. Neither the Students or their Teacher have access to the Students’ passwords, except of course at the time of its creation or reinitialization. Even though the information collected on a Student is available to the Teacher, Nanomonx can also provide this data to the Students’ parents or the Students themselves if they are 14 years old or older, upon written request.
CHANGE IN OWNERSHIP
In the unlikely event that Nanomonx should cease its operations, all personal data will be deleted in the 12 months following the end of its operations.
DISCLOSURE OF INFORMATION TO COMPLY WITH LEGAL OBLIGATIONS
Nanomonx can disclose certain user personal information if it believes, in good faith, that this is mandatory to comply with certain legal obligations such as a subpoena or any other legal process. We could have the obligation to disclose personal information if it is needed in order to protect the rights, property and security of Nanomonx, its employees, its community or other, or to prevent the violation of our current contractual agreements. This includes, without restricting itself to, the sharing of information with other companies or organizations for fraud protection or to comply with governmental requirements.
At Nanomonx, we take incident handling and disclosure very seriously. A Nanomonx Security Committee ensures that the data security program and the data breach action plan are updated at all times. Those documents can be provided upon request.
Here is a brief summary of our action plan in case of a data breach :
- Once the breach has been contained, the Communications Manager will be able to communicate with affected 3rd parties.
- If the affected parties are internal to Nanomonx, the Product Manager will handle communications with employees.
- We must communicate the following information:
- Which users were affected
- What types of data was accessed
- E.g. Passwords, usernames, other personally identifiable information (PII)
- How long the data breach has been exposed
- If child data was breached
- If the breach has been dealt with
- Ideally, this will be done simultaneously with all affected parties. If a serious breach occurs, we will also notify users through social media.
- There are also certain situations where we are legally required to report breaches to the government and to affected parties.
- Link to the Canada regulations
- Link to the (in progress) Quebec regulations
- There may be other regulations that apply based on the localities of the affected users. Part of this step is working out if other notifications need to be sent out.
- The Quebec and Canada regulations require notification only if there is an "real risk of significant harm (RROSH) to an individual." At the time of writing this document, this is a standard that we will not follow as we do not retain this sensitive information on our users.
CONSENT FOR DATA COLLECTION AND INFORMATION MANAGEMENT