Conjuguemos Privacy Policy

User roles

When users choose to register on our site, they do so in one of three different roles: student, teacher, or school (a school account is set up by a school administrator). Depending on the role a user chooses, the user will be asked to give us personal information detailed below.

Administrators:

We keep securely the email address and state/location of the person or person allocated by the school as the administrator of the software for the school.

All passwords are encrypted and as soon as the administrator changes it, only the administrator knows what it is.

It is the responsibility of the administrator to ensure no student or any other unauthorised person has access to these logon credentials.

The administrator can add the names, usernames, passwords, and classes of students to the system. He/she can also add teacher details: names, usernames, email addresses and encrypted passwords.

The administrator can also attach students to teachers so that the teacher can see a list of students in that class, with names and usernames. Passwords are hidden.

Teachers:

We keep securely the name, password, and email address of teacher users.

The teacher can add the names, usernames, passwords, and classes of students to the system. Once added, students can change passwords on their own, and the teacher would not have access to these passwords.

Teachers have access to the names and usernames of the students in the classes to which they have been attached by the administrator. They can change their own details and those of the students in those classes. As referenced above, they do not have access to any secret student passwords but may change them, for instance if a student has forgotten theirs.

Students:

We keep securely the first name, last name, username, and password of users in student roles.

Students can register themselves with their name, username, and password. They are able to change their password whenever desired, and neither the teacher nor administrator has access to this encrypted password.

Students can choose to register with their email address. The purpose of this is to be able to send them their FORGOTTEN PASSWORD link in case it is necessary. If no email is linked in the student account, a student will have to go to their teacher to reset their password.

Data processing in motion and at rest

We use AWS Servers, where data is encrypted both in transition both in motion and at rest. We also use SSL encryption.

Categories of data collected/used by Conjuguemos

We collect the following data:

All users:

Session cookie (google ads, google analytics)

Teacher/Admin Users:

Name
Email
State

Student users:

First name
Last name
Email (optional)
App username
App password
In-app performance data

Disposition of Data

Any user can request to have their account deleted. Upon this request, the data for this user will be deleted according to the extent and timing of disposition defined below. To request your account to be deleted, please contact support and state your account information.

An admin user can immediately delete any student, teacher or groups of students from the list, or delete all students and all teachers. On request by the school a member of CONJUGUEMOS can carry out the task for the school. Schools that stop using the software will have all data deleted one year after the end of the subscription - or earlier if requested by the school.

What is the extent of the disposition of data?

Partial: We delete the name, id, username, password and email for the user. The grades remain in the database, but they are no longer linked to a user.

What is the nature of the disposition?

Disposition is by destruction of data

What is the timing of the disposition?

As soon as commercially practicable

Security Measures

Security Groups
2FA for network access
Multiple availability zone deployments
IAM policies for access control
Cloudwatch for monitoring VPCs
Minimal connectivity between VPCs
Minimal connectivity for the public
Hosting provider is AWS, which provides:
Common IT security standards (SOC, FISMA, DOD CSM 1-5, PCI DSS Level 1, ISO 9001 / 27001 / 27017 / 27018)
Physical and Environment security
Storage Device Decommissioning
Secure Network Architecture
Secure Access Points
Secure Transmission Protocols
Network Monitoring and Protection
Secure Design Principles
VPC to VPC communication limited to minimal ports required
VPCs limit port access
Access only by VPN to non public resources
Automated build management
Least privilege access
Leveraging AWS AMI for default server configuration
Automated platform updates
Role based platform access
Code is maintained and updated regularly
Code review process
Encrypted data transmission and storage
Passwords are encrypted at rest

Sharing of information:

CONJUGUEMOS will not sell, rent or lease your personal information to others. CONJUGUEMOS shares personal information in the following ways:

CONJUGUEMOS shares information on the programs, applications, practice activities, quizzes, and tests you access and the answers, results, and scores on these programs, applications, practice activities, quizzes, and tests with teachers, schools, and school officials designated to have access to this information.

CONJUGUEMOS shares any problems, programs, applications, practice activities, quizzes, and tests that you post to the website for general use with our customers and website users and visitors. Also, we may disclose personal information with non-affiliated companies and regulatory authorities as permitted or required by applicable law. For example, we may disclose personal information to investigate and help prevent potential fraud, other unlawful activity or activity that threatens the network; as required by law or regulation, such as to comply with a subpoena, court orders, or similar legal process or official requests; when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request; to any other third party with your prior consent to do so. If CONJUGUEMOS is involved in a merger, acquisition, or sale of all or a portion of its assets, you will be notified via a prominent notice on our website of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information. Your information is used only for education purposes as defined by the teachers that registered the school account. We will retain and use your information as necessary to comply with any (unlikely) legal obligations, resolve disputes and enforce our agreements. We will destroy your information once it is no longer needed, and student data can be deleted upon teacher and parent request. Problems, programs, applications, practice activities, quizzes, and tests that you post for general use by our customers and website users and visitors may be retained indefinitely. Except as described in this privacy policy, we will not use your personal information for any other purpose unless we describe how such information will be used at the time you disclose it to us or we obtain your permission to do so. Any personally identifiable information (PII) will be de-identified for any use of data for product development, research, or other purposes. We will not share PII without prior written consent of the user except as required by law, nor use any of the data for sales, marketing, or advertising. Finally, we make every effort to comply with FERPA, CIPA, and COPPA.

Servers

CONJUGUEMOS uses AWS Servers. Contact information: https://aws.amazon.com/contact-us/

Privacy impact assessment

Only the school administrators have access to the full data, i.e. the list of students the administrator has assigned to the CONJUGUEMOS license. Class teachers only have access to data for individual classes to which they have been assigned. The owner (Alejandro Yegros) of CONJUGUEMOS is the only CONJUGUEMOS employee to have access to the data. All data is protected by secret usernames and passwords. Passwords are hidden and encrypted, and no one has access to them.

In the extremely unlikely event of data being stolen, the impact will be limited to student names, usernames and classes and some email addresses (if the student user chose to register themselves with one). No student phone numbers, gender information, age, date of birth or address are stored.

The only other data stored consists of the teacher's names, school email addresses and school address.

Data Breach:

How to report if you suspect a breach

Any user who suspects that a breach or exposure of data has occurred should immediately provide a description of what occurred via email to support@conjuguemos.com. We investigate all reported data breaches and exposures to confirm if a breach or exposure has occurred.

How we will respond to a suspected breach

Once a data breach or exposure has been confirmed, we will determine how the breach or exposure occurred, the types of data involved, confirm any protective measures around the involved data (such as encryption), and the number of users impacted. We will then communicate with affected parties about the breach or exposure, and work with the appropriate parties to remediate the root cause of the breach or exposure.

GDPR training

The manager of CONJUGUEMOS (Alejandro Yegros) will be enrolled (9/1/2018) in a GDPR course.

On-Line Eraser for Minors In California

California law provides for the ability of minors that are registered users of the website to request and obtain removal of material, information, and content posted on the website. Registered users 17 years of age or younger who are California residents, may request CONJUGUEMOS to remove their own posted content on the website by sending a notice of the request to CONJUGUEMOS at support@conjuguemos.com. Such request must include the name and user ID and account number of the minor making the request and the posted information, material and content on the website they are requesting to have removed. Upon receipt of such a request, CONJUGUEMOs will remove material, information, and content posted on the website, including answers, results, scores, and other information provided as part of the use of programs, applications, practice activities, quizzes, or tests on the website. Please note that in complying with such a request, the posted information, material, and content will no longer be visible to other users of the website or public, including teachers, schools, and school officials who have set up the programs, applications, practice activities, quizzes, or tests as part of a school program or class activity. The material, information, and content will not be deleted from the CONJUGUEOMO’s server; it will just no longer be visible or accessible by other users or the general public. There are exceptions to complying to the request where the posted information, material, and content will not be removed from visibility to or access by other users, such as where federal or state law requires CONJUGUEMOS or its third parties to maintain the information, material, and content, the information, material, and content is stored on or posted to the CONJUGUEMO’s website by a third party, the information, material, and content is provided and maintained anonymously, the minor fails to follow the instructions regarding removal, or the minor has received compensation or other consideration for providing the information, material, and content.

Policy Changes

CONJUGUEMOS reserves the right to change its privacy policy by publishing new terms on its website at any time. If we make any material changes we will notify you by means of a notice on our website. Your continued access and use of our websites constitutes your acknowledgment and acceptance of such amended policy. This privacy policy does not create any legal right for you or any third parties.

Questions?

Please direct any questions or comments regarding our privacy policy to us at 1-857-445-3002 or at:
CONJUGUEMOS Inc.
P.O. Box 86
Newton, MA 02456
(617) 209-9465
support@conjuguemos.com