1.2 Data Protection Principles
Schoox is dedicated to ensuring the security of your personal data and adhering to compliance with applicable data protection laws. As a summary of how Schoox protects and utilizes your personal data, the organization is committed to ensuring that your personal data is:
- used lawfully, fairly and in a transparent way;
- collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes;
- relevant to the purposes we have told you about and limited only to those purposes;
- accurate and kept up-to-date;
- allowed for you as the individual to request access to your personal data
- kept only as long as necessary for the purposes we have told you about; and
- kept securely
1.3 Summary of Personal Information Use
Schoox SaaS Application: The Schoox Application is a SaaS based Learning Management System which is hosted solely within the United States. Personal Data may be input and transferred by the client to the application from the originating country, which may be outside of the U.S. for the purpose of supporting the Learning Management requirements of the client. Additionally, Schoox may be required on the explicit direction on behalf of the client to transfer personal data from locations outside of the US to the Schoox application in the US. In this role, Schoox provides support to the application as a Data Processor. As a standard practice, as a Data Processor, Schoox does not access or disclose personal information within the Application unless directed by the Client or in support of the Contract and agreement.
Schoox as a Company: Schoox may collect or obtain Personal Data about you, if you are located outside of the United States this information may be transferred from a location outside of the U.S. to the U.S. through the following methods: directly from you (e.g., where you contact us); in the course of our relationship with you (e.g., if you make a purchase); when you make your Personal Information public, when you download, install, or use any of our Services; when you visit our Services; when you register to use any part of the Services; when you volunteer Personal Data about yourself in public areas of the Services; when you interact with any third party content or advertising; we may also receive Personal Information about you from third parties.
Purposes of Data Collection: For data collection methods as described for Schoox as a Company the following examples of uses of this Personal Information may be used for:
- Provision of Services to you
- Offering and Improving the Service
- User Engagement
- Lead Generation
- Legal Compliance
1.4 What types of personal data do we collect from you, for what purpose and on what legal basis?
Data Collection Methods: The personal data we collect from you, and the way we collect it from you, include the following methods when you:
- Visit our website
- Visit our Schoox Branded Social Media pages
- Visit our Schoox Offices
- Receive or provided communication from or to us through:
- Other electronic communication
- Use our cloud products and services as an authorized user
- Register for or attend Schoox events, webinars, or free trials
Information Collected and Stored Automatically (Web Analytics Data): When you visit schoox.com, we may store some or all of the following:
- The IP address from which you access schoox.com.
- The date and time of access.
- The Internet address of the website from which you linked to schoox.com.
- The name of the file or words you searched; items clicked on a page.
- The browser and operating system used, and any other related information.
This information is used for our legitimate purpose of measuring the number of visitors to the various sections of our site and identifying system performance or problem areas. We also use this information to help us develop the site, analyze patterns of usage, and to make the site more useful. This information is not used for associating search terms or patterns of site navigation with individual users.
Types of Data Collected: The type of personal data collected is listed as follows:
- Name (First Name, Last Name)
- Business Email Address
- Digital Identifiers, such as usernames, and passwords.
- Personal data required by various form fields, and/or for purposes of searching, retrieving, and downloading data from schoox.com.
Highly Sensitive Information: Schoox does not collect sensitive personal information such as: personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual for any purpose.
HR Schoox Employee Data:
- As a USA based corporation Schoox collects personal information regarding employees as required for HR and employment-based requirements. Personal data is kept for only HR related purposes and is not disclosed to third parties for purposes other than HR and employment required use. No personal employee data is provided to third parties for marketing, or non-HR related purposes.
- For all EU based employees, local law and jurisdiction takes precedence over what personal data is provided and disclosed.
- Restriction of personal data by the individual for non-HR / direct employment requirements is provided to the data subject and does not in any way hinder or restrict employment, or employment opportunities.
How we use this data:
This information is used in order to take steps to conclude a contract with you, or to provide our services to you, as well as to enable you to use them. We may also use these personal data for our legitimate purpose of contacting you with newsletters, marketing or promotional materials and other information concerning our activities that may be of interest to you.
Opt-Out: You may opt out of receiving any, or all, of these communications from us by following the unsubscribe link or instructions provided in any email we send or by contacting us. You as an individual retain the right to withhold in part or in full your personal information in order to limit our use and availably of this data. Please note that refusal to provide Personal Information may result in our inability to provide the Services to you, to manage our relationship with you, or to improve the Services provided to you.
1.5 Third Party Disclosures
Schoox as. Processor: As a standard practice Schoox does not disclose personal information to any third party or unauthorized party for any reason. Should Schoox be required to disclose any personal data to third parties, it will not do so unless fully authorized by the client agreement or in accordance with support of the agreement, or applicable law.
Schoox as a Controller: Schoox direct methods of personal data collection include through our website, marketing, sales outreach, and third party provided information. This information is used solely to contact individuals and or organizations about sales, adverting or marketing prospects of Schoox products. Any discloser of personal information to a third party is relegated to only be used on behalf of Schoox and at Schoox’ direction, and not for any other purpose.
When you visit some websites, their web servers generate pieces of information known as cookies. Cookies are commonly used to recognize your computer in the future. Schoox.com uses session cookies for its legitimate interest of pursuing technical purposes, such as providing seamless navigation through our site, allow you to carry information across pages of our site and avoid having to re-enter information. Schoox.com session cookies are available only during an active browser session. When you close your browser, the session cookie disappears.
Schoox.com also uses persistent cookies for a number of legitimate interests, such as to be able to track the number of unique visitors to the site. Additionally, persistent cookies enable Schoox to tailor content and related subject matter to match your preferred interests and/or for the purposes of not showing you the same content and related subject matter repeatedly.
We may also employ cookies to compile anonymous, aggregated statistics that allow us to understand how users use our site and to help us improve the structure of our website. We cannot identify you personally in this way.
Browser Information Collected on the Website
Various elements of data sets may be collected to track the usefulness of certain actions and to ultimately improve the value of schoox.com. Please note that Schoox does not gather, request, record, require, collect or track any type of Internet users’ personal data (as listed above) through these processes.
Schoox.com may contain links to websites created and maintained by other public and/or private organizations. schoox.com therefore provides these links as a service to our users, and when users click on a link to an external website, they are leaving schoox.com and are thus subject to the privacy and security policies/related terms and conditions of these external websites.
Schoox.com complies both with the Children’s Online Privacy Protection Act of 1998 (COPPA) and, with regard to EU data subjects, with GDPR. While children under the age of eighteen (18) may use the Site only with the consent of his or her parent or legal guardian, please be advised that this Site is not directed or otherwise promoted for use by children under the age of sixteen (16). By using the Service, you represent that you are at least sixteen (16) years of age. If you are between sixteen (16) and eighteen (18) years of age, you will need to have parental consent to use the Service. If you are below sixteen years of age, you should stop using the Site and Service immediately. Personal data from children under 16 is not knowingly collected, nor are children under 16 knowingly contacted by schoox.com. To be clear, schoox.com does not intend to solicit information of any kind from children under 16. It is possible that schoox.com may receive emails pertaining to children under 16. If this is the case and schoox.com is notified of this, as soon as the information is verified, parental consent will be immediately obtained, or the email will be deleted from any services being offered and/or performed by schoox.com.
We will make reasonable efforts to verify in such cases, where appropriate, that consent is given or authorized by the holder of parental responsibility over the child, taking into consideration available technology.
Compliance with Laws
- Except for authorized law enforcement investigations by local, state, and/or federal agencies, no other attempts are made by Schoox to identify individual users and/or their usage habits on schoox.com.
- Schoox as required by local, state, country or federal law will disclose your personal information where required to do so by law or subpoena or if we believe that such action is necessary to pursue our legitimate interest of complying with the law and the reasonable requests of law enforcement or of protecting the security or integrity of our services.
We will keep your personal data only for as long as necessary to fulfill the purposes for which we are processing it, unless the law permits or requires longer. For example, we might need to keep your personal data for quality assurance of the service we have provided, or we might need to keep it to defend future legal claims or to comply with a legal obligation.
For site security purposes and to ensure that this service remains available to all users, the platform for which schoox.com resides on – commonly known as a “production environment”, utilizes a wide-range of software tools and programs to for the ultimate goal of ensuring its confidentiality, integrity, and availability (CIA) – a concept known as the CIA triad of information security. Tools which are currently in use, or are to be deployed if necessary, for the security of schoox.com are to include, but are not limited to, the following:
- Network Security and Network Monitoring: Tools that assist in securing the network for which schoox.com resides on. Such tools include network and perimeter firewalls, web application firewalls, routers, switches, intrusion detection systems, and other related tools.
- Network Performance: Tools that assist in monitoring all aspects of schoox.com, such as performance monitoring for website uptime, etc.
- Other: Additionally, a variety of physical, electronic and procedural safeguards are implemented for helping ensure the safety and security of schoox.com.
Information Security: All information accessed through schoox.com is in compliance with the required information security mandates of Article 32 of the GDPR. Specifically, Article 32 mandates the following:
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk:
- Encryption of personal data
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
International Data Transfers
Your Personal Information may be transferred to, and maintained on, systems located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ than those from your jurisdiction. If you are located outside United States and choose to provide information to us, please note that we transfer the information, including Personal Information, to the United States and process it there. If you are in the EU, in transferring your Personal Information to countries outside of the EU, we will take appropriate steps to ensure that such recipients act in accordance with applicable laws. To the extent that we transfer the personal data to recipients who are located outside the European Union or the European Economic Area, we will provide an adequate level of protection of your personal data, including appropriate technical and organizational security measures and through the implementation of appropriate contractual measures to secure such transfer, in compliance with applicable law. Security Management at Schoox is designed to protect personal information of its employees and customers. Security processes and measures are further explained in the Standard Contractual Clauses (SCC) for our EU customers. Please reach out to us at [email protected] for more details. Please also read our Privacy Shield disclosure, below, for further information about our self-certification under the SWISS-US, and EU-U.S. Privacy Shield Framework.
If you are located in California: Pursuant to Section 1798.83 of the California Civil Code, residents of California have the right to request from a business, with whom the California resident has an established business relationship, certain information with respect to the types of personal information the business shares with third parties for direct marketing purposes by such third party and the identities of the third parties with whom the business has shared such information during the immediately preceding calendar year.
1.6 Data Privacy Regulatory Frameworks and Requirements
GDPR Data Privacy Rights
If you are an EU resident and Schoox is processing, and/or transmitting your personal data, then you - as an “EU data subject” – benefit from the following rights and privileges under the General Data Protection Regulation (GDPR):
- Right of Access: you have the right to obtain from us, as controllers, confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the following personal data and information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations’;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from us rectification or erasure of personal data or restriction of processing of personal data concerning you or to object to such processing;
- the right to lodge a complaint with a supervisory authority (for a list of supervisory authorities, see https://edpb.europa.eu/about-edpb/board/members_en);
- where the personal data are not collected from you, any available information as to their source;
- the existence of automated decision-making, including profiling, along the lines indicated by Article 22(1) and (4) GDPR, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.
- Right to Rectification: you have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
- Right to Erasure (‘Right to be Forgotten’): you have the right to obtain from us the erasure of your personal data without undue delay, and we have the obligation to erase personal data without undue delay when: a) your data are no longer necessary for the purposes for which they were collected; b) you had consented to the processing; c) you have objected to the processing, as per below; d) your personal data had been unlawfully collected; e) your personal data need to be erased as a matter of compliance with a legal obligation.
- Right to Restriction of Processing: you have the right to obtain from us the restriction of processing if you: a) contest the accuracy of the personal data, until this is verified; b) the processing is unlawful but you don’t want erasure; c) we no longer need the personal data, but you require them to establish, exercise or defend a legal claim; d) you have objected to processing but there is a need to verify whether our legitimate grounds override your rights to object.
- Right to Data Portability: where your personal data have been provided on the basis of your consent or for the performance of a contract, and their processing occurs in an automated way, you have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format and have the right to transmit those data– or have directly transmitted - to another controller.
- Right to Object: you have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data based on a legitimate ground point (e) or (f) of Article 6(1), including profiling based on those provisions. In this case, we can no longer process your personal data unless we show that there is a compelling legitimate ground for the processing which override your interests, rights and freedoms or for our establishment, exercise or defense of legal claims.
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) requires covered businesses to disclose whether they sell Personal Data, as well as detail the categories of Personal Data that is shared or disclosed for certain Business Purposes.
Schoox does not sell any Personal Information with any third parties for any purpose, including, marketing, securing of services, or otherwise.
As a processor Schoox may disclose certain personal information such as your name and business email, and training records in order to provide required services to your LMS account. These processes will only be processed on behalf of your request or your employer who utilizes Schoox as their Learning Management Platform. No Personal Information is disclosed or sold for any other purpose than to provide the requested services or on behalf of contractual obligations.
California law grants state residents’ certain rights, including the rights to access specific types of Personal Data, to learn how we process Personal Data, to request deletion of Personal Data, and not to be denied goods or services for exercising these rights. These rights are detailed as follows:
- Right of Access: Upon validated request Schoox will provide in compliance with CCPA, user information in a portable and easily accessible format within 45 days of the request
- Right to Deletion: Upon validated request Schoox will delete and or fully anonymize personal information of the consumer. The following exceptions to this Right are:
- Information is required to provide services to you
- Information is utilized to detect or resolve security or functionality issues
- Compliance with the law or regulations
- Right to Non-Discrimination: Schoox will not discriminate against you in any way for exercising your rights under CCPA and will not:
- Deny you services
- Charge you different prices or deny for services provided
- Provide you a different level of services
- Suggest or threaten in any way a different level of services for exercising your rights under CCPA
1.7 Privacy Shield Framework
Privacy Shield Statement:
Data Subject Rights:
Pursuant to the Privacy Shield Frameworks, EU, UK and Swiss individuals, have the right to obtain our confirmation of whether we maintain personal information relating to you in the United States. Upon request, we will provide you with access to the personal information that we hold about you. You may also correct, amend, or delete the personal information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under Privacy Shield, should direct their query to [email protected]. If requested to remove data, we will respond within a reasonable timeframe.
We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to [email protected].
In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Schoox’s accountability for personal data that it receives in the United States under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, Schoox remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to process the personal data on its behalf do so in a manner inconsistent with the Principles, unless Schoox proves that it is not responsible for the event giving rise to the damage.
Complaint Process and Independent Recourse Mechanism:
You as the data subject in the EU or Switzerland have the right to bring a complaint directly to Schoox as the Privacy Shield participant and receive a response within 45 days of receipt of the complaint. This complaint as provisioned by the Privacy Shield framework is of no cost to you.
In compliance with the Privacy Shield Principles, Schoox Inc. commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to Privacy Shield. European Union, United Kingdom and Swiss individuals with Privacy Shield inquiries or complaints should first contact [email protected].
Schoox has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint. This service is provided free of charge to you.
HR Data Recourse:
If your complaint involves human resources data transferred to the United States from the EU, or the United Kingdom in the context of the employment relationship, and Schoox does not address it satisfactorily, Schoox commits to cooperate with the panel established by the EU data protection authorities (DPA Panel) [the UK Information Commissioner’s Office, and Information Commissioner, as applicable] and to comply with the advice given by the DPA panel [ICO, as applicable] with regard to such human resources data. Additionally, Schoox has committed to cooperate with EU data protection authorities (DPAs) and comply with the advice given by such authorities with regard to human resources data transferred from the EU in the context of the employment relationship. To pursue an unresolved human resources complaint, you should contact the state or national data protection or labor authority in the appropriate jurisdiction. Complaints related to human resources data should not be addressed to the BBB EU PRIVACY SHIELD. Contact details for the EU data protection authorities can be found at https://edpb.europa.eu/about-edpb/board/members_en.
If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
Jurisdiction: The Schoox Self-Certification to the EU and Swiss Privacy Shield frameworks is governed by the Federal Trade Commission (FTC).
1.8 Contact Us