Lighthaus Inc. Privacy Policy

Lighthaus’s mission is to harness the power of virtual reality to engage students in high-quality science learning. It’s important to use that to earn and keep your trust by enumerating and adhering to our principles of privacy.

This Privacy Policy ("Privacy Policy" or the "Policy") explains:

• What information Lighthaus collects from users, why we collect it and on which legal grounds such collection is based

• How we use and with whom we share that information.

• The choices you have, including how to access, update, delete and, where applicable, retrieve your information.

This Policy applies to all products and services offered by Lighthaus, Inc. (hereinafter referred to as “Lighthaus,” “we,” “us," “our”). We’ve written this policy in simple, clear terms, and we encourage you to read it carefully. 

If you have any questions, we are here to help. To learn more about how we protect your privacy, send us an email at privacy@lighthaus.us. BY USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU ACCEPT AND AGREE TO THIS PRIVACY POLICY.

Personal information is any information we collect that personally identifies a user (e.g. a student), like a user’s name or email address, or any other information which we could reasonably link to the user’s identity. This could include indirect identifiers, such as an email, IP address, and the other kinds of information that are ‘technical’ and ‘non-personal.’ We will only collect, use, and share users’ personal information in accordance with this Privacy Policy. This Policy applies whether you use Lighthaus through Lighthaus.us (the “Lighthaus Website”), our applications (the “Lighthaus Apps”), your school's Learning Management Systems (LMS) with which Lighthaus has been integrated (e.g., Google Classroom, Canvas, Moodle, Schoology, etc.) or any of our other products or services that link to this Privacy Policy (collectively, the “Service”). In addition, this Privacy Policy also covers Lighthaus' treatment of any personal information about our users that our partners or other services might share with us.

This Policy does not apply to websites, services or practices of companies that Lighthaus does not own or control, such as third-party services users might access through links or other features (e.g., social media buttons; third-party integrations) on the Service. These other services have their own privacy policies, and we encourage you to review them before providing them with personal information. At the end of this Privacy Policy you will find a list with our third-party service providers and a link to their privacy policies, as well as an overview to how, why and under which conditions they might process your personal information.

Lighthaus is a signatory of the Student Privacy Pledge, agreeing to a set of principles intended to safeguard student privacy, including responsible stewardship, protection, and transparent handling of student personal information. Read more about the Student Privacy Pledge here.

What is Lighthaus?

Lighthaus is an immersive learning platform that makes use of virtual reality and web technologies to teach students science in an unprecedentedly rich, engaging and active way. 

Lighthaus Privacy Principles

What are Lighthaus's principles when processing personal information?

In collecting and processing your personal information, we will comply with the data protection laws and regulations in force at the time. This requires that the personal information we hold about you must be:

• Used lawfully, fairly and in a transparent way.

• Collected only for valid purposes that we have clearly explained to you and not used in a way that is incompatible with those purposes.

• Relevant to the purposes we have told you about and limited only to those purposes.

• Accurate and kept up-to-date.

• Kept only as long as necessary for the purposes we have told you about.

• Kept securely.

Why does Lighthaus collect personal information from its users and how is it used?

First and foremost, you should know that Lighthaus does not sell or rent any of your, or your students' personal information to any third party for any purpose, including for advertising or marketing purposes. We use the information we collect from you to provide you with the best Lighthaus experience. Concretely, the personal information of students and teachers is collected and used for the following purposes:

• To create the necessary accounts to use the Service.

• To provide teachers with analytics on student progress.

• To help teachers connect with other teachers from the same school or district.

• To send email updates to teachers, as applicable (e.g., by responding to your requests for information or customer support, or by sending you information about new features and Lighthaus products we believe you may be interested in).

• To send in-app and push notifications to users, if applicable (e.g., by letting students know if an assignment is due soon, or by notifying teachers when students have turned in their assignments).

• To assess the quality of the Service and improve it (e.g., by developing new products or features and improving your experience with the Service).

• To secure and safeguard personal information and our community.

• To access premium features, if applicable.

• To comply with applicable laws and regulations.

What are my rights when using Lighthaus?

Your rights relating to your personal information include:

• to be informed about how Lighthaus uses your personal information;

• to request access to personal information held by Lighthaus, and to have any incorrect, inaccurate or incomplete personal information rectified;

• where appropriate, to restrict processing concerning you or to object to processing;

• to have personal information erased when there is no compelling reason for its continued processing; and

• where applicable, to receive your personal information in a structured and commonly used format.

Which are my responsibilities when using Lighthaus?

We require that your personal information is accurate. Please let us know if the personal information you provided us for creating your account has changed. If we do not have the correct information, we cannot take responsibility for information-related errors.

Additionally, if we determine that you are in violation of this Policy, you will be subject to disciplinary action that could eventually lead to the banning of your account as described in our Terms of Service.

What are Lighthaus’s commitments to providing transparency and choice?

We try to be transparent about what information we collect, so that you can make meaningful choices about how it is used. For example, you can:

• Opt-out of providing certain information.

• Control whom you share information with.

• Remove information from Lighthaus, if applicable.

• Retrieve information from Lighthaus, if applicable.

Notice

When providing you with information on the processing of your personal information, such as its collection, transfer to other countries, types or identity of third parties to which we disclose that information and the purposes for which we do so, we will make sure that such information is provided in clear and understandable language. Also, initial notice on our practices and policies will be provided when you are first asked to provide personal information to us, or as soon as practicable thereafter, and in any event before we use the information for a purpose other than that for which it was originally collected.

Choice

We will offer you the opportunity to choose (by either opting-out or opting-in) if your personal information is (a) to be disclosed to a third party different from those listed in this Privacy Policy, or (b) to be used for a purpose materially different from the purpose for which it was originally collected or subsequently authorized by you.

Change of Purpose

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason which is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Contract Performance

When, as a teacher or school representative, or when acting on behalf of a company or other organization, you create a Lighthaus account, you provide your first and last name and an email address. We require those data elements for you to enter into the Terms of Service agreement with us, and we process those elements on the basis of performing that contract.

Consent

If you are a teacher or school representative, or use the Service on behalf of a company or other organization, note that Lighthaus provides its Service upon explicit consent given by you when signing up. Prior to signing up, we will direct you to our Terms of Service and this Privacy Policy. When signing up, you will be declaring to have read such policies and to consent to them. Remember, nonetheless, that you will be able to withdraw your consent at any time by deleting your account in accordance with this Policy's Managing My Information section.

EDUCATIONAL INSTITUTIONS UTILIZING THE SERVICE ARE RESPONSIBLE FOR MONITORING THE RIGHTS AND INTERESTS OF THEIR STUDENTS AND MUST THEREFORE TAKE SPECIAL CARE WHEN REVIEWING THIS PRIVACY POLICY. EDUCATIONAL INSTITUTIONS SHALL BE RESPONSIBLE FOR OBTAINING, WHERE APPLICABLE, PERTINENT CONSENT FROM PARENTS, LEGAL GUARDIANS OR ELIGIBLE STUDENTS PRIOR TO UTILIZING THE SERVICE. Lighthaus SHALL NOT BE RESPONSIBLE FOR ANY NEGLIGENCE OF THE EDUCATIONAL INSTITUTION IN THE REVIEWING OF THIS PRIVACY POLICY OR THE OBTAINMENT, WHERE APPLICABLE, OF THE NECESSARY PARENTAL CONSENT.

U.S. Educational Institutions and Parental Consent: Consistent with the requirements of COPPA, if you or your school decide to utilize the Service with children under 13, you will be electing to either obtain parental consent or to consent on behalf of the children's parents directly, which is commonly referred to as "School Consent." At the same time, yet subject to exceptions, FERPA prohibits schools from disclosing personally identifiable information from a student's education record to a third party without written consent from the parent or eligible student. Accordingly, schools must either obtain parental consent, or ensure that their use of Lighthaus meets one of FERPA's exceptions to the written consent requirement. Typically, schools are exempted from obtaining parental consent under FERPA when Lighthaus is identified as a "school official," meaning Lighthaus is performing an institutional service or function for which the school would otherwise use its own employees.

European Educational Institutions and GDPR: According to article 8 of the GDPR, minors shall be entitled to give valid consent only if they are 16 years old (unless Member States have set a lower age limit which, nonetheless, cannot be under 13 years old). Under that age limit, processing of personal information related to minors shall be subject to parental consent. Schools are in control of their students’ personal information and are obliged to take all necessary measures for protecting said information. In terms of the GDPR, schools are data controllers and thus determine the purposes and means of the processing of student personal data. As a consequence, schools will also be responsible for informing students and their parents accordingly about what data is collected, which are the purposes of collection, how data is used and to which third parties it is disclosed, including Lighthaus.

Legitimate Interests

Generally, the remainder of the processing of personal information we perform is necessary for the purposes of our legitimate interests or those of third parties. For example, for legal compliance purposes or to maintain ongoing confidentiality, integrity, availability and resilience of Lighthaus's systems, website, and overall services, we must keep logs of technical information; and, in order to respond to legal process, we are required to keep records of users who have sent and received copyright takedown notices.

How will Lighthaus notify me of changes to this policy?

We may occasionally update this Privacy Policy. You can see when the last update was by looking at the “Last Updated” date at the top of this page. We will not reduce your rights under this Privacy Policy without your explicit consent. If we make any significant changes, we will provide prominent notice by posting a notice on the Service and/or notifying you by email (using the email address you provided and thereafter verified) prior to and after changes taking effect, so you can review and make sure you're aware of them.

We encourage you to review this Privacy Policy from time to time, to stay informed about our collection, use, and disclosure of personal information through the Service. If you do not agree with any changes to the Privacy Policy, you may delete your account (although we will be sad to see you go!). By continuing to use the Service after the revised Privacy Policy has become effective, you acknowledge that you accept and agree to the current version of the Privacy Policy.

Protecting Our Students

What information does Lighthaus collect from children, and how is it used?

Lighthaus collects the minimal amount of information from students necessary to create accounts on our Service: we will generally collect student usernames, a unique email, their first and last name and a unique code they have been given by their teacher to join a class. Beyond this information, students may submit responses, comments, audio files, images or videos depending on the activities they are assigned, which will remain private between teacher and student. All this information will only be used for the purposes of the school/teacher. In addition to the information entered by the child, we automatically collect some information from any use of our Service as set forth in the "Information Collected Automatically" section.

We use this information to provide the Service to the child, for security and safety purposes, or as required by law or to enforce our Terms. We will not require children to provide more personal information than is reasonably necessary in order to participate in the Service. If we discover that we have collected information from a child in a manner inconsistent with COPPA, FERPA, GDPR, or any other applicable laws or regulations, we will take appropriate steps to delete the information. We do not disclose any personal information about children to third parties, except to service providers necessary to provide the Service, as permitted by law, or to protect the security of the Service or other users. Information collected from students (including personal information and information collected automatically) is never used or disclosed for third-party advertising, including any kind of first- or third-party behaviorally targeted advertising, and children’s personal information is never sold or rented to anyone, including marketers or advertisers.

What children’s information is visible to others?

No student’s profile is made available or visible to the public, or to any other students, through Lighthaus. Teachers may share their classes, including grades or scores, with other teachers they co-teach with in their school, to help them collaborate. If the teacher chooses to display Lighthaus in their classroom, either by utilizing the "live mode" feature of the Service or by projecting via a smartboard or interactive whiteboard, students physically present in that classroom may see other students’ names, responses, comments or total scores.

EDUCATIONAL INSTITUTIONS AND TEACHERS SHALL MAKE A RESPONSIBLE USE OF THE SERVICE AND AVOID COMPROMISING CHILDREN'S PERSONAL INFORMATION AT ALL TIMES WHEN DISPLAYING Lighthaus IN THE CLASSROOM. Lighthaus SHALL NOT BE HELD LIABLE FOR THE INAPPROPRIATE USE OF THE SERVICE BY THE EDUCATIONAL INSTITUTION OR THE TEACHER.

How long does Lighthaus keep children’s information?

We only keep a child’s personal information for as long as his or her student account is active, unless we are required by law to retain it, need it to ensure the security of our community or our Service, or to enforce our Terms of Service:

• Minimal information: Consistent with the requirements of FERPA and COPPA in the United States and of GDPR in Europe, among other applicable laws, we only collect, use, share, and retain student personal information for purposes for which we were authorized by the educational institution/agency, teacher or the student.

• Request for deletion: School officials may request deletion of student accounts at any time by reaching out to privacy@lighthaus.us. Lighthaus shall be entitled to require assistance and collaboration from the educational institution as reasonably necessary in order to appropriately attend the deletion request.

After deletion of the student's account Lighthaus may retain copies and/or backups of the mentioned information for a maximum term of thirteen (13) months. Nevertheless, Lighthaus shall not be responsible for the accidental loss or destruction of data on behalf of users. Lighthaus will not be obliged to recover erased data stored in backups when erasure is attributable to users.

EDUCATIONAL INSTITUTIONS UTILIZING THE SERVICE ARE RESPONSIBLE FOR COMPLYING WITH THE RETENTION OF STUDENT EDUCATION RECORDS FOR AS LONG AS LEGALLY APPLICABLE.

Lighthaus SHALL NOT BE RESPONSIBLE FOR ERASURE OF STUDENT PROGRESS DUE TO ACCOUNT DELETION AFTER AN EXTENDED PERIOD OF INACTIVITY OR BECAUSE OF THE TEACHERS' VOLUNTARY ELECTION TO DELETE THEIR ACCOUNTS.

Parental Choices

Any parents that want copies of their children’s personal information that we may have stored can contact their children’s school personnel to that end. At any time, the school can also refuse to permit us to collect further personal information from its students, and can request that we delete the personal information we have collected from them by contacting us at privacy@lighthaus.us. Please keep in mind that deleting records may require us to terminate the account in question. Also remember that before we can share the information with the school, or delete it per your request, we will, by reasonable means, proceed to verify the identity of the requester.

Information Collected

What information does Lighthaus collect?

We collect two types of information about you: (1) information that you voluntarily provide to us by using the Lighthaus Service (described below under "Information you provide to us"); (2) information collected automatically as result of your use of the Service (described below under “Information collected automatically”); and (3) information obtained through third-party sources (further outlined in “Information Provided by Others”). The types and amounts of information collected will vary depending on whether the user is a teacher or student (e.g. we collect minimal information from students) and how they use Lighthaus (e.g. if teachers join their school, we may need to collect school address information).

Information You Provide to Us

There are currently two categories of users on our Service: teachers and students. We collect and store the following types of information from each type of user:

• Account Sign-up and Profile Information: To create a Lighthaus account as a teacher, you may be asked to provide some basic information such as your first and last name, email address, password, and profile photo. If you create a Lighthaus account as a student, you will be asked to enter your first name, last name, password, and email. No student profile is made available or visible to the general public through the functionality of our Service.

• Subject, School Information and Collaboration Features: If you are a teacher, you'll be asked to choose to associate your account with an existing school or you may enter a new school name and possibly your school’s address if we do not have it already. If you are using the Service as a teacher, we may ask you for permission to collect and store your precise geolocation information to help us identify schools located nearby for you. By connecting you with your school, the Service may enable and provide additional collaboration features for teachers within the same school such as sharing videos.

• Class Information: As a teacher you may need to enter the grade level (e.g., first grade) and subject. You will have the opportunity to change the names and passwords of the students in your class (these may or may not be the student’s actual first and last names; it is entirely the teacher’s choice what they enter here: for example, teachers could enter ‘John S’, ‘John’, ‘JS’, or ‘Student 23’ to describe the same person). If a teacher opts to share the classes they set up on Lighthaus with other teachers in their school, such as teachers they co-teach with, then those teachers may also see that class’s information. Only if the teacher chooses to share them with the class, will the other students in the class be able to watch others’ videos. Date and/or time in which students have joined a classroom will be recorded and made available to the teacher.

• Responses, Grades and Feedback: As a student, you may have to write your own responses for open-ended questions included in your lessons. They can only be viewed by your teacher or your student activity partner, as well as any grades - corresponding to either multiple choice or open ended questions - and any private messages exchanged with the teacher for further discussion about a specific response.

• Contact Information: When you choose to provide us with your personal information through the Service in some other manner (e.g., when you request a quote for upgrading to a Premium plan at your school, when you submit a copyright claim or report any media on our platform, when you send us an email asking a question, submit a support request, participate in a video testimonial about our Service, or choose to participate in any research efforts with Lighthaus to improve the Service).

• Billing Information: When subscribing to any of our paid options, you will be asked to provide necessary information for processing the payment (e.g., credit/debit card number). 

Our use of the information above is described below in the "How Does Lighthaus Use the Information it Collects?” section. If you are using any Lighthaus App, we may ask you for certain permissions.

Information Collected Automatically

Like most web-based services, we (or our service providers) may automatically receive and log information on our server logs from your browser or your device when you use the Service. For example, this could include the frequency and duration of your visits to Lighthaus (similar to TV ratings that indicate how many people watched a particular show). If you use Lighthaus on different devices, we may link the information we collect from those different devices to help us provide a consistent Service across your different devices. If we do combine any automatically-collected information with personal information, we will treat the combined information as personal information, and it will be protected as per this Privacy Policy.

The technologies and information we automatically collect include:

• Cookies and Other Similar Technologies: We (or our service providers) may use various technologies to collect and store information when you visit our Service, including clear GIFs (also known as “web beacons”), “tags”, “scripts”, and “cookies”. We also make use of persistent secure cookies: a persistent cookie remains after you close your browser (although they can be removed) and may be used by your browser to identify you on subsequent visits to the Service. We may also use, collect and store information locally on your device using mechanisms such as browser web storage (including HTML 5). Like many services, Lighthaus uses these technologies to tailor the Service for you, and to help the Service work better for you - for example, by remembering your language preferences. Please review our Cookie Policy for further information.

• Device Information: We may collect, through our third-party analytics services, device-specific information such as your operating system, hardware version, device settings, file and software names and types, battery and signal strength, and device identifiers. This helps us measure how the Service is performing, improve Lighthaus for you on your particular device, and send you push notifications if you’ve opted in to receive them.

• Log Information: Like most online services, when you use our Service, we automatically collect and store certain information in our server logs. This information helps us make decisions about what we should work on next - for example, by showing which features are most (or least!) popular. Examples include:

• Details of how you used our service, such as your activity on the Service, and the frequency and duration of your visits to the Lighthaus Website or Lighthaus Apps.

• IP Address.

• Device event information such as crashes, system activity, hardware settings, browser type, browser language, the date and time of your request and referral URL.

• Location Information: When you use our Service we may collect and process information about your geographic location, for example through GPS, Bluetooth, or Wi-Fi signals. We collect coarse (i.e., city-level) location data.We will not store or track your device location on an ongoing basis or without your permission. We do not share precise geolocation data with third parties, other than our service providers as necessary to provide the Service.

• Learning Management System (LMS) Interfaces and other integrations: When accessing Lighthaus through your institution, company or organization's LMS (e.g., Google Classroom, Microsoft Teams, Blackboard, Canvas or Moodle, among others), or other collaborative services with which Lighthaus may be integrated (e.g., Clever), we may collect and process information related to this kind of use of the Service, such as your school user ID, your profile picture, information on the LMS interface and the LTI version used and/or your school domain name.

How long does Lighthaus keep information about me?

We do not not retain student personal information for longer than necessary to deliver services described herein, or for school partners’ purposes. This means that personal information will not be kept in backups, or will not avoid deletion because of data commingling. As a general rule, if your account is inactive for eighteen (18) months or more (meaning you have not logged into your account during that time), Lighthaus may automatically delete your account. Deletion will affect any on-going paid subscriptions, which will be immediately canceled. Following deletion, Lighthaus may retain specific portions of data in the terms outlined in section "How can I delete my account?" of this Privacy Policy.

In addition to the policy above that applies to all users, we only keep a student’s personal information while the student’s account is active, unless we are required by law to retain it or need it to ensure the security of our community or our Service, or to enforce our Terms. 

Security Measures

Will Lighthaus share any information it collects?

As stated in previous sections Lighthaus does not sell or rent your, or your students' personal information to any third party for any purpose - including for advertising or marketing purposes. Furthermore, we do not share personal information with any third parties except in the limited circumstances described in this Privacy Policy:

• Other Users You Share and Communicate with on Lighthaus: No student profiles are made available to the general public through our Service. Furthermore, students cannot share their account information with anyone on Lighthaus, except when needed for establishing a student-partner link for learning activities. If you are a teacher you may choose to share information or content through the Service with other Lighthaus teachers - for example, things like your account information or videos. Please keep in mind that information (including personal information or children's personal information) or content that you voluntarily disclose to others - including other Lighthaus users you interact with through the Service can be viewed, copied, stored, and used by the people you share it with. We cannot control the actions of people with whom you choose to share information.

• Third-party Integrations on Our Service: When, as a teacher, you use third-party apps, websites or other services that use, or are integrated with, our Service, they may receive information about what you post or share. For example, when you invite others via Facebook or Twitter, these services receive the information that you share through this functionality, and that you are sharing it from Lighthaus. Information collected by these apps, websites or integrated services is subject to their own terms and policies.

• Service Providers: We do work with vendors, service providers, and other partners to help us provide the Service by performing tasks on our behalf. We may need to share or provide information (including personal information) to them to help them perform specific business functions, for example sending emails on our behalf, database management services, database hosting, providing customer support software, and security. Generally, these service providers do not have the right to use your personal information we share with them beyond what is necessary to assist us. Additionally, these service providers must adhere to confidentiality and security obligations that are consistent with this Privacy Policy. Teachers and students may see advertisements at some point on lessons streaming from YouTube. These advertisements are governed by the terms of use and privacy policy of YouTube and under no circumstances is Lighthaus responsible for any content that may show up on them.

• Distributors, Resellers and other Partners: We may, now or in the future, work with distributors, resellers and other partners to assist in the commercialization and sale of our products in your country or region. In such cases, we may share information (e.g., contact information customers submitted with your request for a quote) with them to provide you with appropriate assistance and/or services.

• Testimonials: We post testimonials on our Service which may contain personal information such as the name, photo and/or a video of the individual in the testimonial. We obtain the individual’s consent in advance to ensure we have permission to post this content publicly. To request removal of your personal information from our testimonials, please contact us at privacy@lighthaus.us.

• Analytics Services: We use analytics services, including mobile analytics software, to help us understand and improve how the Service is being used. These services may collect, store and use information in order to help us understand things like how often you use the Service, the events that occur within the application, usage, performance data, and from where the application was downloaded.

• Aggregated Information and Non-Identifying Information: We may share aggregated, non-personally identifiable information publicly, including with users, partners or the press in order to, for example, demonstrate how Lighthaus is used, spot industry trends, or to provide marketing materials for Lighthaus. Any aggregated information shared this way will not contain any personal information.

• Legal Requirements: We may disclose personal information if we have a good faith belief that doing so is necessary to comply with the law, such as complying with a subpoena or other legal process. We may need to disclose personal information where, in good faith, we think it is necessary to protect the rights, property, or safety of Lighthaus, our employees, our community, or others, or to prevent violations of our Terms of Service or other agreements. This includes, without limitation, exchanging information with other companies and organizations for fraud protection or responding to government requests.

• Sharing with Lighthaus Companies: Over time, Lighthaus may grow and reorganize. We may share your personal information with affiliates such as a parent company, subsidiaries, joint venture partners or other companies that we control or that are under common control by us, in which case we will require those companies to agree to use your personal information in a way that is consistent with this Privacy Policy.

• Change of Control: In the event that all or a portion of Lighthaus or its assets are acquired by or merged with a third party, personal information that we have collected from users would be one of the assets transferred to or acquired by that third party. This Privacy Policy will continue to apply to your information, and any acquirer would only be able to handle your personal information as per this policy (unless you give consent to a new policy). We will provide you with notice of an acquisition within thirty (30) days following the completion of such a transaction, by posting on our homepage, and by email to your email address that you provided to us. If you do not consent to the use of your personal information by such a successor company, you may request its deletion from the company. In the unlikely event that Lighthaus goes out of business, or files for bankruptcy, we will protect your personal information, and will not sell it to any third party.

• With your Consent: Other than the cases above, we won’t disclose your personal information for any purpose unless you consent to it. Additionally, as discussed above, we will never sell or rent your personal information to advertisers or other third parties.

Do Not Track

Lighthaus does not track its users over time and across third-party websites to provide targeted advertising and therefore does not respond to Do Not Track (DNT) signals. For more information on “do not track,” please visit www.allaboutdnt.org.

Third parties that have content embedded on our website, such as a social feature, may set cookies on a user’s browser and/or obtain information about the fact that a web browser visited the Lighthaus website from a certain IP address. Third parties cannot collect any other personally identifiable information from Lighthaus’ website unless you provide it to them directly.

Which are Lighthaus's Third-Party Service Providers?

It is important to us that we keep your information safe and secure. To best provide our services, and keep your information safe, we work with a few other companies (we can’t do it all ourselves!). These companies ("third-party service providers", "collaborators" or "agents") will only have access to the information they need to provide the Lighthaus service.

Below is a list of the service providers which, subject to their terms of service and privacy policies as linked below, may have access to personal data to process on our behalf in accordance with our instructions, Privacy Policy and any other requirements regarding confidentiality, security or integrity:

• Amazon Web Services (AWS) for hosting and managing Lighthaus’s infrastructure

• Google Services for analytics on our website ("Google Analytics") and for mobile analytics ("Fabric").

• MongoDB Atlas for securely storing and organizing data.

• Quickbooks for invoice management.

This list may change over time, and we will work hard to keep it up-to-date. However, disclosure of your personal information to additional third parties or use of it for different purposes than those indicated in this Privacy Policy shall only be done after notifying you all necessary information on any key elements affecting the processing of your personal data, either by directly emailing you with it or by updating this Policy and giving appropriate notice of it. You will then have the right to exercise an 'opt out' choice if your personal information is about to be used and/or disclosed in a way that you believe is not consistent with this Policy.

Accountability for Onward Transfer

We will transfer your personal information to third-party service providers only for limited and specific purposes. We will obtain contractual assurances from our collaborators that they will safeguard personal information in a manner consistent with this Policy and that they will provide the same level of protection as per best industry standards. We recognize our responsibility and potential liability for onward transfers to agents. Where we have knowledge that an agent is using or disclosing personal information in a manner contrary to this Policy and/or level of protection as required by applicable laws and regulations, we will take reasonable steps to prevent, remediate or stop such use or disclosure. If we transfer personal information to non-agent third parties, that is to say, any new collaborators that are not included in the previously mentioned list, we will (1) notify you with all necessary information on any key elements affecting the processing of your personal data, and (2) obtain contractual assurance from these parties that they will provide the same level of security as per best industry standards and in accordance with any applicable laws and regulations.

How does Lighthaus protect and secure my information?

Your Lighthaus account is protected by a password. You can help us protect your account from unauthorized access by keeping your password secret at all times. The security of your personal information is important to us. We work hard to protect our community, and we maintain administrative, technical and physical safeguards designed to protect against unauthorized use, disclosure of or access to personal information, such as:

• Security Protocols: We periodically review our information collection, storage and processing practices, including physical security measures, to protect against unauthorized access to systems.

• Security Technology: We continually develop and implement features to keep your personal information safe - for example, when you enter any information anywhere on the Service, we encrypt the transmission of that information using secure socket layer technology (SSL) by default.

• We ensure passwords are stored and transferred securely using encryption and salted hashing.

• Employee Access: We use best-effort practices to secure usernames, passwords and any other means of gaining access to users data. All employees sign confidentiality agreements.

• Employee Training: We provide periodic security training to those employees that operate or have access to users’ data.

How would Lighthaus deal with a security breach?

Although we make concerted good faith efforts to maintain the security of personal information, and we work hard to ensure the integrity and security of our systems as per best industry standards, no practices are 100% immune, and we can’t guarantee the security of information. Outages, attacks, human error, system failure, unauthorized use or other factors may compromise the security of user information at any time.

• Initial Notice: Upon the discovery of a security breach that results in the unauthorized release, disclosure or acquisition of personal information, we will notify electronically, no later than forty-height (48) hours of such discovery to all affected users, schools and districts so that you can take appropriate protective steps. This initial notice will include, to the extent known at the time of the notification, the date and time of the breach, its nature and extent, and the Service’s plan to investigate and remediate the breach. Schools and districts will also be provided with a list of students and employees whose data was released, disclosed or acquired.

• Detailed Notification: Upon discovery of a breach, we will conduct a deep investigation in order to electronically provide, no later than five (5) calendar days, all affected users, schools and districts with a more detailed notice of the breach, including but not limited to the date and time of the breach; nature and extent of the breach; and measures taken to ensure that such breach does not occur in the future. Schools and districts will also be provided with the name(s) of student(s) and employee(s) whose data was released, disclosed or acquired. We may also post a notice on our homepage (Lighthaus.com) and, depending on where you live, you may have a legal right to receive notice of a security breach in writing. When it is not possible to provide all of the aforementioned information at the same time, we will provide you with the remaining information without undue further delay.

Both notifications will be written in plain language, will be titled “Notice of Data Breach” and will present the information described above under the following heading: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do” and “For More Information”. Additional information may be provided as a supplement to the notice.

Managing My Information

How can I access and manage my personal information?

Upon request and in accordance with the applicable laws and regulations, we will grant you reasonable access to your personal information that is held by Lighthaus. In addition, we will take reasonable steps to permit you to correct, amend, or delete your personal information that is demonstrated to be inaccurate, incomplete or processed in violation of this Privacy Policy. It is Lighthaus’ goal to provide you with easy access to any personal information we have collected about you. If that information is incorrect, we also want to make sure to give you easy ways to update it, or delete it, unless we have to keep that information for legal purposes.

• Accessing Your Information: To request access to the personal information we have about you on file, any school personnel can contact us at privacy@lighthaus.us. In some cases, we will not be able to guarantee complete access due to legal restrictions; for example, you will not be allowed to access files that contain information about other users or information that is confidential to us. Furthermore, we may not be able to fulfill requests that are unreasonably repetitive, require disproportionate technical effort or would be extremely impractical.

• Limitations: Without prejudice to the aforementioned, please note that we may limit or deny access to personal information (a) where the burden or expense of providing access would be disproportionate to the risks to your privacy; (b) where the legitimate rights of persons other than you would be violated or if necessary to safeguard important countervailing public interests (e.g., national security) or in other limited circumstances (e.g., disclosure would breach a legal privilege), and (c) where applicable law or regulatory requirements allow or require us to refuse to provide some or all of the personal information that we hold about you. In addition, the personal information may have been destroyed, erased or made anonymous in accordance with our record retention obligations and practices. In the event that we cannot provide you with access to your personal information, we will attempt to inform you of the reasons why, subject to any legal or regulatory restrictions.

How can I delete my account?

Parents, legal guardians, or eligible students may delete their accounts by contacting their educational institution. School officials may then request student account deletion by reaching out to us at privacy@lighthaus.us, as indicated in section ‘How long does Lighthaus keep children’s information?’ above. Lighthaus SHALL BE ENTITLED TO REQUIRE ASSISTANCE AND COLLABORATION FROM YOU OR YOUR EDUCATIONAL INSTITUTION AS REASONABLY NECESSARY IN ORDER TO APPROPRIATELY ATTEND ANY ACCOUNT DELETION REQUESTS.

When we delete your account, we delete any personal information that you provided in your profile (such as your name, username, password, email address, and profile photo) and depending on the category of the user you are (i.e., teacher or student) , also questions, responses and comments. Please note that information that you have shared with others, that others have shared about you, or content other users may have copied and stored, is not part of your account and may not be deleted when you delete your account.

We may retain and use de-identified data (i.e., data which has been properly stripped off of all information that can be used to identify a person) for purposes of research, improvement of our products and services, and/or the development of new products and services. We may also have to retain some information after your account is deleted, to comply with legal obligations, to protect the safety and security of our community or our Service, or to prevent abuse of our Terms.

Student Data Control by the School

Access to the Service by the students is subject to the obtainment of a specific code provided by the teacher. The school is, at the same time, responsible for its students' personal information and in control of student academic records. As a consequence, modification or deletion of student personal information that is part of or affects student academic records is subject to the school's discretion.

Consumer Complaints

How can I lodge any complaints?

You may file a complaint concerning Lighthaus' processing of your personal data to privacy@lighthaus.us or by regular mail to the following address:

We will take steps to remedy issues arising out of Lighthaus' alleged failure to comply with the principles set out in this Privacy Policy. We will respond to your complaints within thirty (30) days.

If your complaint cannot be resolved through our internal processes, we will direct you to the state or national data protection authority in the jurisdiction where you reside.

Liability

In the event that Lighthaus or the aforementioned authorities determine that Lighthaus failed to comply with this policy, Lighthaus will take appropriate steps to address any adverse effects arising directly from such failure and to promote future compliance.

Transfers of Data to the United States

Lighthaus is headquartered and hosted in the United States, as well as most of our service providers (see section Security Measures for further information on Lighthaus’ third-party service providers and the purpose of transfer and processing). Hence, personal data we collect from you will be processed in the United States.

The United States has not sought, nor received, a finding of “adequacy” from the European Union under Article 45 of the GDPR, and the Court of Justice of the European Union (CJEU) declared in its July 2020 Schrems II judgment the European Commission’s Privacy Shield Decision invalid on account of invasive U.S. surveillance programs, making data transfers under the Privacy Shield Framework unlawful.

Lighthaus relies on derogations for specific situations under Article 49 of the GDPR for performing transfers of data to the United States. In particular, Lighthaus collects and transfers to the United States personal data, with your explicit consent, to perform a contract with you, and/or for reasons of public interest. The latter will apply in those instances where data is processed and logged for the purpose of protecting our community and other users’ personal information from unauthorized access, disclosure and/or manipulation (e.g., advanced attacks).

If your personal data is transferred outside the EU to other Lighthaus affiliates or to third party service providers in the United States, we will take steps to ensure application of suitable safeguards to protect the privacy and security of your information, and to use it only in consistency with your relationship with Lighthaus. Please note, however, that the level of data protection in the United States is not equivalent to that in the EU. In particular, it is possible for United States government agencies to access your personal data based on statutory authorizations without you knowing about this. Additionally, there are no comparable options for legal enforcement of your rights in the United States.

Remember, your information is under your control and you may elect to stop using our Services at any time, and at your discretion. See section Lighthaus Privacy Principles, item “What are my rights when using Lighthaus?” for further detail on the rights that assist you.

California

California AB 1584

Regarding California AB 1584 (Buchanan) Privacy of Pupil Records: 3rd-Party Digital Storage & Education Software (Education Code section 49073.1), Lighthaus will adhere to the following:

• Student records obtained by Lighthaus from an educational institution continue to be the property of and under the control of the educational institution. The educational institution retains full ownership rights of the personal information and education records it provides to Lighthaus.

• Lighthaus users may retain possession and control of their own generated content by signing into and accessing their Lighthaus account and deleting, where applicable, modifying or updating their information within Lighthaus. Students have access to and control of their own information and student-generated content subject to the limitations imposed by the student’s teacher.

• Lighthaus will not use any information in a student record for any purpose other than those required or specifically permitted by Lighthaus’ Terms of Service and Privacy Policy.

• Parents, legal guardians, or eligible students may review personally identifiable information in the student’s records and correct erroneous information by contacting their educational institution. 

• Lighthaus is committed to maintaining the security and confidentiality of student records. Towards this end, we take the following actions: (a) we limit employee access to student data to only those employees with a need to such access to fulfill their job responsibilities; (b) we protect personal information with technical, contractual, administrative, and physical security safeguards in order to protect against unauthorized access, release or use.

• In the event of an unauthorized disclosure of a student’s records, Lighthaus will promptly notify users unless specifically directed not to provide such notification by law enforcement officials. Notification shall identify: (i) the date and nature of the unauthorized use or disclosure; (ii) the private data used or disclosed; (iii) a general description of what occurred including who made the unauthorized use or received the unauthorized disclosure; (iv) what Lighthaus has done or shall do to mitigate any effect of the unauthorized use or disclosure; (v) what corrective action Lighthaus has taken or shall take to prevent future similar unauthorized use or disclosure; and (vi) who at Lighthaus the user can contact. Lighthaus will keep the User fully informed until the incident is resolved.

• Lighthaus will delete or de-identify personal information when it is no longer needed, upon expiration or termination of our agreement with an educational institution with any deletion or de-identification to be completed according to the terms of our agreement with the educational institution, or at the direction or request of the educational institution.

• Lighthaus agrees to work with educational institutions to ensure compliance with FERPA and the Parties will ensure compliance by providing parents, legal guardians or eligible students with the ability to inspect and review student records and to correct any inaccuracies therein as described in statement (4) above.

• Lighthaus prohibits using personally identifiable information in student records to engage in targeted advertising.

New York

New York Ed. Law § 2-D

In compliance with the requirements set forth in New York Education Law § 2-D, Lighthaus shall incorporate a Data Privacy and Security Plan ("DPSP") to each contract or other written agreement it enters into with an educational agency from the State of New York. Such DPSP shall outline how all state, federal, and local data security and privacy contract requirements will be implemented over the life of the agreement, consistent with the educational agency's policy on data security and privacy. Such plan shall also include, but shall not be limited to, a signed copy of the parents bill of rights for data privacy and security, which shall be provided by the educational agency prior to the commencement of the agreement, and a requirement that any officers or employees of Lighthaus and its assignees who have access to student, teacher or principal data have received or will receive training on the federal and state law governing confidentiality of such data prior to receiving access.

In attention to the foregoing, Lighthaus hereby commits to:

• (1) limit internal access to education records to those individuals that are determined to have legitimate educational interests (e.g., Lighthaus employees or third-party service providers);

• (2) not use the education records for any other purposes than those explicitly authorized in the Agreement (i.e., our Terms of Service and this Privacy Policy);

• (3) except for authorized representatives of Lighthaus to the extent they are carrying out the agreement, not disclose any personally identifiable information to any other party: (i) without the prior written consent of the parent or eligible student; or (ii) unless required by statute or court order and Lighthaus provides a notice of the disclosure to the department, district board of education, or institution that provided the information no later than the time the information is disclosed, unless providing notice of the disclosure is expressly prohibited by the statute or court order;

• (4) maintain reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of personally identifiable student information in its custody;

• (5) use encryption technology to protect data while in motion or in its custody from unauthorized disclosure using a technology or methodology specified by the secretary of the United States department of health and human services in guidance issued under Section 13402(H)(2) of Public Law 111-5; and

• (6) notify the educational agency, in the most expedient way possible and without unreasonable delay, of any breach of security resulting in an unauthorized release of student, teacher or principal data, as outlined in applicable State and Federal laws.

Other Countries

Lighthaus is hosted in the United States. If you use the Service from any other regions with laws governing data collection, protection and use that may differ from United States law, please note that you may be transferring your personal information outside of those jurisdictions to the United States. By using the Service, you expressly consent to this, and to the use and storage of personal information in accordance with this Privacy Policy.

Third parties that have content embedded on the Lighthaus website, such as a social feature, may set cookies on a user’s browser and/or obtain information about the fact that a web browser visited the Lighthaus website from a certain IP address. Third parties cannot collect any other personally identifiable information from Lighthaus’ websites unless you provide it to them directly.

Lighthaus will make sure that all appropriate physical, technical and organizational safeguards are adopted in accordance with this Privacy Policy against accidental, unauthorized or unlawful destruction, loss alteration, disclosure, access, use or processing of users' personal information in Lighthaus' possession. Lighthaus will promptly notify the user in the event of any known unauthorized access to, or use of, the user's personal information as foreseen in the Security Measures section of this Privacy Policy.