Last updated: August 2023

1. PURPOSE AND SCOPE.
   1. Amplio Learning Technologies Inc. and its affiliate Amplio Learning Technologies Ltd. (“Amplio”, “We”, “Us” and/or “Our”) have implemented this privacy policy (“Privacy Policy”) because Your privacy is important to Us. This Privacy Policy explains how We process Personal Data that We collect, receive and store about individuals in connection with using, providing, performing and operating Our Services (as such terms are defined below).  
   2. This Privacy Policy applies to You (“Data Subject”, “You”, or “Your”) if You use Our Services as (i) schools, school districts, federal, state, or local education agencies, and other related entities and organizations (each an “Entity”); or (ii) any other user, including Students, Student parents or guardians, Educators, Administrators and any other Entity authorized user (“End users”);
   3. THIS PRIVACY POLICY IS IN ADDITION TO, AND IS INCORPORATED INTO, THE TERMS AND CONDITIONS RELATING TO OUR SERVICES (AVAILABLE AT HTTPS://AMPLIOLEARNING.COM/LEGAL/TERMS/) (“T&Cs”). Any capitalized term not defined herein shall have the meaning ascribed thereto in the T&Cs.
2. DEFINITIONS.
   1. “Personal Data” means:
      1. “Personal Data”, “Sensitive Data” “Special categories of Data”, or “Protected Health Information” (PHI) (including electronic PHI), “Educational Records”, as defined by Applicable Data Protection Laws;  (Sensitive Data, Special Categories of Data, PHI and ePHI, collectively “Sensitive Data”).
      2. As it refers to data of California consumers or individuals that is collected in the State of California: Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or California household such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers; and /or that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, their name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information; all as defined by the California Consumer Privacy Act of 2018 (“CCPA”).
3. PERSONAL DATA COLLECTED BY AMPLIO
   We strive to be transparent in our data collection and use practices. The following are types of Personal Data that We may collect:
   1. 1. TYPES OF PERSONAL DATA.  
         1. End User data may include: names; addresses or geographic data; email addresses; telephone and fax numbers; log-on credentials; gender, home language and Hispanic ethnicity; student, school and/or district names or IDs (including Rostering System IDs, SIS IDs, etc.); audio and/or video recordings; full face photographic images and any comparable images; performance information such as exercises practice, usage and duration; IP addresses and web URLs; cookies (including cookie ID); and statistical data.
         2. Student data may additionally include: birth date or age and/or student grade/graduation year; parent/guardian names and contact information; name and title of Educators and Administrators; administrative and clinical information regarding screening, evaluations and treatments (including IEP); clinical and educational measurements and notes; school attendance; health plan beneficiary number and/or eligibility data; any other information which may constitute educational records under Applicable Data Protection Law.
         3. Educator and/or Administrator data may additionally include title and certification/license numbers.
      2. CATEGORIES OF DATA SUBJECT. We receive, collect, process, use and store Personal Data regarding the following categories of Data Subjects: Entities, prospects, End Users including, Students, Student caregivers, Educators, Administrators and any other authorized staff members of Entities, and any other users of the Website.
4. LEGAL BASIS AND CONSENT.
   1. For Personal Data (whether provided to Us by You, through a Rostering Service or by an authorized third party), by accessing and using the Services, You declare that You: (a) voluntarily provide Your Personal Data; and (b) give Your consent to collect, create, receive, maintain, process, store, transfer and disclose the Personal Data to and by Us according to this Privacy Policy. Notwithstanding the above, We have legal basis to process Personal Data without Your consent where the processing is necessary to meet contractual obligations entered into by You or by a third party on Your behalf or for Your benefit, to comply with Our legal obligations or that of Entities, and for the purposes of legitimate interests pursued by Us or Entities. Processing Sensitive Data requires specific prior written consent from the individual or its parents and/or guardians.  
   2. Amplio relies on Entity to provide all necessary notices and obtain, in advance, all required End User consents, including without limitation the consent of parents or guardians of Students to receive the Services and to collect, use, process, and disclose End User information according to the Purpose as defined in this Privacy Policy, in accordance with any Applicable Data Protection Laws and / or the Agreement. In particular, under the United States’ Children’s Online Privacy Protection Act (COPPA), Amplio relies on Entity, acting as the parent’s agent and on its behalf, to obtain verifiable parental (or legal guardian) consent, regarding the collection of a child’s information (under the age of 13) . For such purpose, please find Our COPPA Direct Notice (including an example of a Consent Form) which Entity shall make available to parents.
   3. For the purposes of FERPA, Amplio is considered a “school official” and may receive PII including “educational records” through its contractual agreements with Entity, because Amplio is performing a service that furthers a “legitimate educational interest”. As set forth in this Privacy Policy, We maintain such Student Personal Data on behalf of, and at the direction of, the Entity and do not use it for other purposes except as permitted by Applicable Data Protection Laws and the Agreement.
   4. If You have a reasonable basis to assume or You know that any of the above mentioned is not met, You are required to inform Us, without due delay, by e-mailing Us at service@ampliolearning.com.
5. HOW WE RECEIVE OR COLLECT PERSONAL DATA.
   1. From authorized third parties. We provide the Services to Entities, Administrators  and/or Educators who are responsible for uploading and/or on-boarding Personal Data to the Platform (which may include the use of a Rostering Service) and/or transfer Personal Data to Us to upload to the Platform. Furthermore, Entities, Administrators and/or Educators may add to the Platform assessments records, feedback and notes that may involve Personal Data. 
   2. When You access the Services. In order to access the Services, You may be required to (1) create an account (directly by You, by Us or by an authorized third party (e.g. Entity)) and to provide Us with Personal Data, such as Your name (or the name of Your guardian), year of birth, country, language, email address and a password; or (2) use an existing Rostering Service account.
   3. When You use the Platform. When You use certain features of the Platform that analyze, collect and store Personal Data (such as using Our independent practice module, session planning module and remote sessions), We may collect and analyze Personal Data (such as speech recordings, session notes, attendance in sessions, usage and performance).
   4. When You use the Services. We may make use of log files when You use the Services. The information inside the log files includes internet protocol (IP) addresses, type of browser, Internet Service Provider (ISP), date/time stamp, referring/exit pages, clicked pages and any other information Your browser may send to us. We may use such information to analyze trends, administer the Services, track users’ movement around the Services, and gather demographic information.
   5. When You ask to ‘Contact Us’ and/or submit a registration form. If You send Us a “Contact Us” request, or ask to register to the Services, such as by submitting an online form or by sending email to an email address that We display, You may be required to provide Us with certain information such as Your name, telephone number country, region, school, and email address.
   6. When You purchase. We may include the option to purchase certain products or other services from Us via the Services. If You choose to make a purchase, We may require sufficient information from You to complete the transaction.  Such information could include a credit card number and related account and billing information, invoice related information, and other data required to process the order.
   7. Cookies and other tracking technologies. Our Services may utilize “cookies”, anonymous identifiers and other tracking technologies (such as MixPanel) in order to for Us to provide Our Services and present You with information that is customized for You.  A “cookie” is a small text file that may be used, for example, to collect information about activity on the Services.  Certain cookies and other technologies may serve to recall Personal Data, such as an IP address, previously indicated by a user.  Most browsers allow You to control cookies, including whether or not to accept them and how to remove them.  You may set most browsers to notify You if You receive a cookie, or You may choose to block cookies with Your browser.  However, if You do not accept cookies, You may not be able to use some portions of Our Services. Some tracking technologies are not enabled to be blocked and are necessary to perform and provide Our Services.
   8. Data from Your device. We may collect limited information from Your device in order to provide the Services. Such information may include Your device type, device ID, and date and time stamps of Services used. In addition, We may deploy tracking technologies within the Services to help Us gather aggregate statistics, but We will not use Personal Data for such purposes.
   9. Additional data. We may collect and receive additional data as part of new features, modifications and/or developments of the Services. We will update this Privacy Policy accordingly.
   10. Providing the Services. Personal Data may be used to provide You with access to, and use of, the Services or certain functions thereof, and to monitor Your use of such functions (for example, to identify and authenticate Your access to the parts of the Services that You are authorized to access). We may also analyze Personal Data to provide certain information to its users (for example, to provide decision support information to Educators based on real measurable and recorded data, to provide feedback to Our users and/or guardians regarding performance and progress, to provide Entity with feedback and information regarding Educator usage of the Services, and to communicate with different Educators).
   11. Business purposes. Personal Data may be used to help Us improve the  Services, to better understand Our users, to protect against, identify or address wrongdoings, to enforce Our T&Cs, and to generally manage the Services and Our business. We also may use Personal Data for Our proper management and administration or to carry out Our legal responsibilities.
   12. Contacting You. We may use Your contact information to contact You: (a) in connection with the Services and certain programs or offerings; (b) to provide You with system notifications such as scheduling and messaging; (c) for administrative requests (e.g., to change Your password); (d) in response to Your request to contact You; and (e) to provide technical support. We may contact You via any communication channel, including e-mail, in-Platform messaging, SMS, phone, cellphone, video and audio sessions, etc.
   13. Demonstrating compliance. We may collect Your Personal Data in order for Us to demonstrate compliance, performance and progress to Our customers (i.e., Entities).
   14. Specific reasons. Personal Data provided to Us for a specific reason may be used in connection with that specific reason.
   15. Statistics. Personal Data may be used for statistical reports containing aggregated information.
   16. Security and dispute resolution. We may use Personal Data to protect the security of Our Services (including by way of example, to detect and prevent fraud, phishing, identity theft, and data leakage), to resolve disputes and to enforce Our agreements.
   17. Direct marketing. Personal Data may be used to contact You for Our marketing and advertising purposes, including without limitation to inform You about new services We believe might be of interest to You, and to develop promotional or marketing materials and provide those materials to You. For clarity, We will not use Personal Data of a Student to (i) advertise or market to Students or to direct targeted online advertising to Students or (ii) advertise or market to Students parents/ guardians without the consent of the parent/guardian or Entity. If by mistake You receive direct marketing without Your specific consent and/or wish to opt-out, You are required to contact Us at service@ampliolearning.com.
6. THE WAY WE USE PERSONAL DATA. We only use Personal Data for limited purposes, described below (the “Purpose”). We do not rent or sell Personal Data to third parties. If We intend to use any Personal Data in any manner that is not consistent with this Privacy Policy, You will be informed of such anticipated use prior to or at the time the Personal Data is processed.
   1. Legal Purposes. Personal Data may be used to (a) comply with any legal obligation, (b) protect or defend Our rights, interests or property or that of third parties, (c) prevent or investigate possible wrongdoing in connection with the Services, (d) act in urgent circumstances to protect the personal safety of users of the Services or the public, or (e) protect against legal liability (“Legal Purposes”).
7. DE-IDENTIFIED, ANONYMIZED OR AGGREGATED DATA.
   1. You agree that We may de-identify and/or anonymize and/or aggregate Personal Data in a way that does not enable identification of an individual. Since such data cannot be used to identify You in person, We may use, share and maintain such data for any purpose and in any way permitted by law.
   2. Research. Amplio may use data generated from the Services to conduct research and studies for Our purposes, in which case if such data contains Personal Data, We will de-identify, anonymize and/or aggregate such data prior to use. We may collaborate with third party research organizations for our research, who may use such de-identified, anonymized and/or aggregated data for their purposes.
8. HOW WE SHARE PERSONAL DATA WITH THIRD PARTIES.We only share, transfer and disclose Personal Data in limited circumstances, described below. We do not sell Personal Data or share or Personal Data with third parties for marketing purposes.
   1. For the Purpose. We may share, disclose and transfer Your Personal Data with Our subsidiaries, affiliated companies, partners, suppliers (such as cloud provider services), Our employees (such as marketing, sales, developers, technical support teams and Educators), contractors and service providers who process Personal Data on Our behalf for the Purpose (“Third Parties”). Any Third Party will be provided access to information only as is necessary for the Purpose and will be required to maintain such Personal Data in accordance with this Privacy Policy and subject to confidentiality. Certain Third Parties may be located outside the United States, unless prohibited in a Specific Agreement. In any case, where Personal Information is shared with Third Parties, We will implement reasonable information security techniques and technical measures accepted in Our industry and/or Third Parties contractual obligations to maintain their information security level adequate to Our level.
   2. Compliance with the law. Personal Data may be disclosed as required by law (for example, in response to a subpoena or other request from law enforcement, a court or a government agency, including in response to public authorities to meet national security or law enforcement requirements), or if We have good faith belief that such disclosure is necessary to comply with Legal Purposes.
   3. Corporate sale, merger, reorganization, dissolution or comparable event. Personal Data may be part of the transferred assets in any of the events described above. You acknowledge and agree that any successor or purchaser of ours or Our assets (including the Services) will continue to have the right to use Your Personal Data and other information in accordance with the terms of this Privacy Policy.
9. HOW WE STORE PERSONAL DATA
   1. We aim to store Personal Data in the same region where it was collected. For Services provided in the United States, We store the Personal Data including its backups in the United States. However, if permitted by Applicable Data Protection Laws and/or by Our customers, Personal Data may be transferred to other countries. In such cases We will implement reasonable information security techniques and technical measures accepted in Our industry and/or Third Parties contractual obligations to maintain their information security level adequate to Our level.
   2. Data Retention. 
      1. We only keep Personal Data for as long as necessary to fulfill the Purpose, after which it will be deleted, archived, anonymized and/or de-identified, unless We are required to keep it for Legal Purposes, as required to meet contractual obligations and/or for other legitimate and lawful purpose. In addition, After We delete Your Personal Data it may remain stored on backup or archived for an additional period of time due to technical issues.
      2. Your data will be available in accordance with our internal retention policies and our SaaS Services Level Agreement. We do not provide an archiving and backup service, and agree only that We will not intentionally delete any Personal Data from the Platform prior to expiration of the Term and expressly disclaim all other obligations with respect to storage and backup. You shall be responsible for backup of your data and We shall not be liable or responsible for any backups or lack thereof.
10. SECURITY.
    1. We are strongly committed to protecting Your Personal Data and information, and We will take reasonable technical steps, accepted in Our industry, to keep Your information secure and protect it against loss, misuse or modification. However, no network, server, database or internet or email transmission is ever fully secure or error-free. If You notice any security risks or violations, We advise You to report them to Us at service@ampliolearning.com 
    2. We implement legal, technical and organizational information security measures based on the ISO certification mechanisms specified in ISO 27001:2013 – Information Security Management Systems and 27799:2016 – Health informatics — Information Security Management in Healthcare; and are certified under both. We have also been granted a Provisional Certification Level under the Texas Risk and Authorization Management Program Certification (TX-RAMP).
11. YOUR RIGHTS. In accordance with Applicable Data Protection Laws and Our internal policies and procedures, You have the following data protection rights:
    1. Right of access. You have the right to obtain (i) confirmation of whether, and where, We are processing Your Personal Data; (ii) information about the categories of Personal Data We are processing, the purposes for which We process Your Personal Data and information as to how We determine retention periods; (iii) information about the categories of recipients with whom We may share Your Personal Data; and (iv) a copy of the Personal Data We hold about You.
    2. Right of portability. You have the right, in certain circumstances, to receive a copy of the Personal Data in a structured, commonly used, machine-readable format that supports re-use, or to request the transfer of Your Personal Data to another person.
    3. Right to rectification. You have the right to obtain rectification of any inaccurate or incomplete Personal Data We hold about You without undue delay.
    4. Right to erasure. You have the right, in certain circumstances, to require Us to erase Your Personal Data without undue delay if the continued processing of that Personal Data is not justified.
    5. Right to restriction. You have the right, in certain circumstances, to require Us to limit the purposes for which We process Your Personal Data if the continued processing of the Personal Data in this way is not justified, such as where the accuracy of the Personal Data is contested by You.
    6. Right to object. You have a right to object to any processing based on Our legitimate interests where there are grounds relating to Your particular situation. There may be compelling reasons for continuing to process Your Personal Data, and We will assess and inform You if that is the case.  You can object to marketing activities for any reason.
       If You wish to exercise one of these rights, please contact Your Entity, who will contact Us on Your behalf. If Your account permissions allow, You may also review and edit the Personal Data You have submitted to Us through Your account within the Services. You also have the right to lodge a complaint to Your national data protection authority. However, prior to doing so, You are welcome to contact Us by email as set forth above to resolve the issue for the benefit of all parties.   
12. LINKS TO AND INTERACTION WITH THIRD-PARTY SERVICES. The Services may enable You to interact with, or contain links to Third-Party Services. We are not responsible for the privacy practices or the content of such Third-Party Services. Please be aware that the Third-Party Services may collect Personal Data from You. Accordingly, We encourage You to read the terms and conditions and privacy policy of each Third-Party Services that You use or interact with.
13. OUR POLICY ON CHILDREN.
    1. The Services are also directed to children, but We do not knowingly collect Personal Data from children under 13 without the specific written consent of a parent/legal guardian. Because such information would be collected and used by Us at the director of an Entity, in order to obtain such verifiable parental (or legal guardian) consent under the United States’ Children’s Online Privacy Protection Act (COPPA), Amplio relies on Entity, acting as the parent’s agent and on its behalf, with regard to the collection of a child’s information. For such purpose, please find Our COPPA Direct Notice (including an example of a Consent Form) which Entity shall make available to parents.
    2. If Your child is under the age of 13, and You become aware that Your child or any other person has provided Us with Personal Data without Your consent, then please contact Your Entity, who will contact Us on Your behalf, so that We can take steps to remove such information and terminate Your child’s account. As the child’s parent/legal guardian, please be advised that We will not require a child to disclose more information than is reasonably necessary to participate in the Services.
14. CHANGES AND MODIFICATIONS. We reserve the right, at Our sole discretion, to update or modify this Privacy Policy at any time (collectively, “Modifications”). When we materially change this Agreement We will notify You in advance. Modifications to this Privacy Policy will be posted on the Website or through the Services with a revised ‘Last Updated’ date at the top of this Privacy Policy. Please review this Privacy Policy periodically, and especially before You provide any Personal Data or information. This Privacy Policy was last updated on the date indicated above. Your continued use of the Services following the implementation of any Modifications to this Privacy Policy constitutes acceptance of those Modifications. If You do not accept any Modification to this Privacy Policy, Your sole remedy is to cease accessing, browsing and otherwise using the Services.
15. HOW TO CONTACT US.
    1. Protecting Your privacy online is an evolving area, and We are constantly evolving Our Services to meet these demands. If You have any comments or questions regarding Our Privacy Policy please contact Us at  service@ampliolearning.com.
    2. Please contact Your Entity if You have questions regarding Entity’s management of the Amplio Services and account; use of Your child’s information; and exercising Your privacy rights. Your Entity may contact Us on Your behalf.

FOR CALIFORNIA RESIDENTS

1. INDIVIDUAL/CALIFORNIA CONSUMER RIGHTS. 
   1. The rights: Accessing, Updating, Correcting, and Deleting Information, Restricting Information Processing.
   2. You may have the right to request access to some of Your Personal Data being stored by us. California consumers have the right to request that We disclose certain information to them about Our collection and use of their personal information over the past 12 months. 
   3. Once We receive and confirm Your verifiable consumer or individual request, We will disclose, inter alia:
      1. The categories of personal information We collected about You;
      2. Our business or commercial purpose for collecting such  personal information;
      3. The categories of third parties with whom We share such personal information;
      4. Certain copies of personal information We collected about You.
   4. You can also request to correct and update any inaccurate Personal Data or ask to delete Personal Data that We process about You. The foregoing is subject to Our policies and the applicable laws and regulations. Once We receive and confirm Your verifiable consumer/individual request, We will delete (and direct Our service providers to delete) Your personal information from Our records, unless an exception applies.
   5. According to the CCPA, We may deny California consumer’s deletion request if retaining the information is necessary for Us or Our service providers to:
      1. Complete the transaction for which We collected the personal information, provide Our services that You requested, take actions reasonably anticipated within the context of Our ongoing business relationship with You, or otherwise perform Our contract with You.
      2. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
      3. Debug products to identify and repair errors that impair existing intended functionality.
      4. Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
      5. Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 seq.).
      6. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if You previously provided informed consent.
      7. Enable solely internal uses that are reasonably aligned with consumer expectations based on Your relationship with us.
      8. Comply with any legal obligation and make other internal and lawful uses of that information that are compatible with the context in which You provided it.
2. In order to exercise these rights, You can contact Your Entity, who will contact Us on Your behalf. Only You, someone You authorize to act on Your behalf, a California resident or a person registered with the California Secretary of State that a California resident authorized to act on its behalf, may make a verifiable individual or consumer request related to their Personal Data. California residents may only make a verifiable consumer request for access or data portability twice within a 12-month period.
3. The verifiable consumer or individual request must:
4. Response Timing and Format. We endeavor to respond to a verifiable consumer request within 45 days of its receipt.  If We require more time, We will inform You of the reason and extension period in writing.  We will deliver Our written response via email.  For California residents, any disclosures We provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response We provide will also explain the reasons We cannot comply with a request, if applicable.  For data portability requests, We will select a format to provide Your personal information that is readily usable and should allow You to transmit the information from one entity to another entity without hindrance.
5. We do not charge a fee to process or respond to Your verifiable consumer or individual request unless it is excessive, repetitive, or manifestly unfounded.  If We determine that the request warrants a fee, We will tell You why We made that decision and provide You with a cost estimate before completing Your request.
6. Non-Discrimination.  We will not discriminate against You for exercising any of Your Privacy rights. Unless permitted by the Applicable Data Protection Law, We will not deny You use of Our Services and/or provide You a different level or quality of Services.
7. The verifiable consumer or individual request must:
   1. Provide sufficient information that allows Us to reasonably verify You are the person about whom We collected personal information or an authorized representative.
   2. Describe Your request with sufficient detail that allows Us to properly understand, evaluate, and respond to it.
   3. We cannot respond to Your request or provide You with personal information if We cannot verify Your identity or authority to make the request and confirm the personal information relates to You.  We will only use personal information provided in a verifiable consumer/Individual request to verify the requestor’s identity or authority to make the request.
8. Response Timing and Format. We endeavor to respond to a verifiable consumer request within 45 days of its receipt.  If We require more time, We will inform You of the reason and extension period in writing.  We will deliver Our written response via email.  For California residents, any disclosures We provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response We provide will also explain the reasons We cannot comply with a request, if applicable.  For data portability requests, We will select a format to provide Your personal information that is readily usable and should allow You to transmit the information from one entity to another entity without hindrance.
9. We do not charge a fee to process or respond to Your verifiable consumer or individual request unless it is excessive, repetitive, or manifestly unfounded.  If We determine that the request warrants a fee, We will tell You why We made that decision and provide You with a cost estimate before completing Your request.
10. Non-Discrimination.  We will not discriminate against You for exercising any of Your Privacy rights. Unless permitted by the Applicable Data Protection Law, We will not deny You use of Our Services and/or provide You a different level or quality of Services.
11. We may retain Your Personal Data for any period permitted or required under applicable laws. Even if We delete Your Personal Data it may remain stored on backup or archival media for an additional period of time due to technical issues or for legal, tax or regulatory reasons, or for legitimate and lawful business purposes.
12. You may have the right to restrict processing if one of the following applies:
    1. The accuracy of the Personal Data is contested by the data owner;
    2. The processing is unlawful, and the data owner objects to having their Personal Data erased, instead requesting that its use be restricted;
    3. Your service provider no longer needs the Personal Data for the purposes of the original processing, but the data is required by the data owner for establishing, exercising or defending legal claims;
    4. The data owner has objected to processing pending verification of whether the legitimate grounds of Your service provider override those of the data owner.

If You wish to object to processing, You are required to contact your Entity, who will contact us on Your behalf.