Privacy Policy
Introduction
This privacy policy for Lumio® (“Privacy Policy”) forms part of the Terms agreed upon between you and SMART. This policy explains how SMART works with you to protect your information.
By using Lumio, you are consenting to SMART's collection, retention, use, and disclosure of certain information as necessary to provide Lumio to you. If you do not agree, you must not use Lumio.
Data Types
It is important to remember that customers and users are two distinct groups:
Customers are typically an organisation (e.g. local authority, school, company) and not a personally identifiable individual. The identifiable information we require is from the customer for transactional purposes. The customer shall not provide SMART with personally identifiable information unless permissible by law and the customers’ policies.
Users (e.g. teachers, students) are generally not the ones who purchased or set up the account (e.g. IT administrators) and only access Lumio because the customers’ IT administrator has granted them access. As such, SMART’s exposure to personally identifiable information only comes from how the customer operates when providing email addresses and names of users to SMART and from user-created Content. If you have a concern as a user about your PII, you must demand the customer provide only non-identifiable information to SMART and you as a user must only create Content with no PII in it.
We collect two types of data, depending on your interaction with us:
“Non-Personal Data” means aggregated non-identifiable information, which may be made available or gathered via your access to and interactions with our services. We are not aware of the identity or other identifiers of the individual from which the Non-Personal Data is collected. The Non-Personal Data being collected may include aggregated usage information (metadata), as well as technical information transmitted by your device, such as the type of browser or device, type of operating system, device settings and technical software data, etc.
“Personal Data” or “personal information” means individually identifiable information, namely information that identifies a natural person (not a corporation) or may, with reasonable effort, be used to identify a natural person.
We do not knowingly collect or process any Personal Data constituting or revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, or data concerning a person's health (“Special Categories of Personal Data”).
The Customer is responsible for obtaining consent and authorisation for a student to use our products and services from their parent or guardian. We do not knowingly collect any information from children. Where a customer instructs us to collect personal information from children, we collect, use, process and retain such information solely to provide the educational services on behalf of the customer and for the purpose of providing Lumio.
INFORMATION WE COLLECT
We collect and use information to allow us to provide our products and services to you. We collect information from you when you sign up for an account or voluntarily provide additional information.
We also collect information about the navigation pages users visit within Lumio using cookies and third-party analytics tools. This information includes information about the device(s) you use to access the websites including unique device identifiers, IP address, operating system, browser, and cookies. Depending on your device settings, we may also collect information about your geographical location. A list of cookies is provided at the end of this policy.
We collect data when you:
- use Lumio;
- create an account or make a purchase;
- request support;
- register for or participate in an online class, exam, certification, training, webcast or other event;
- request information or materials;
- participate in surveys or evaluations;
- submit questions, comments or crash reports; or
- submit content or posts on our forums or other interactive webpages.
HOW WE USE YOUR INFORMATION
We use the personally identifiable data we collect solely for the purpose of providing Lumio to you. We may share this data with third-party service providers to provide our services to you. All providers contracted by SMART are contractually bound to keep your personal data secure and use it only for necessary service delivery.
In addition to processing your personal data for the purposes of providing our services and facilitating correspondence, we may also process your data based on legitimate interests/lawful basis. These interests or bases include, but are not limited to, improving our services, managing our business operations and sending you information about our products, services, and offers that may be of interest to you, provided you have opted in or not opted out of receiving such communications.
We do not sell your data, and we do not share personal data with third parties without your informed consent, which is the purpose of this document. We share your information in accordance with this agreement, and the third parties we share data with to provide our services to you are listed below. Data is not shared between sub-processors unless explicitly stated.
YOUR RIGHTS
You have the right to control how your personal information is used. You may have the right to request access to, rectification of, or erasure of personal information we hold about you. You also may have the right to object to or restrict certain types of use of your personal information. If you wish to exercise any of these rights, please contact privacy@smarttech.com.
Please note that many of these rights are not absolute. In some circumstances, we are not legally required to comply with your request because of relevant legal exemptions.
DATA RETENTION AND DELETION
SMART will only keep personal data for as long as required to provide the service or as required for tax and legal reasons. SMART adheres to an internal document retention policy to ensure this. SMART will respond to customer requests to delete personal data within 30 days. Users (teachers and students) must contact their school (i.e. our customer) to make this request to SMART on their behalf.
All student- and teacher-created content stored within a teacher’s account can be deleted by the teacher without contacting SMART. Customers (not users) may request deletion of their SMART account at any time by emailing privacy@smarttech.com or contacting our support department. Non-paying accounts are deleted after two (2) years of inactivity.
In some cases, we may not be able to remove the information or continue to provide services following removal of such information, in which case we will let you know why.
Right of Notification
If SMART becomes aware of a personal data breach, it shall without undue delay, and where feasible, no later than 72 hours after having become aware of it, notify the affected customer and the supervisory authority (if it was for data where SMART was the Data Controller) in accordance with Article 33 of the GDPR, unless the data breach is unlikely to result in a risk to the rights and freedoms of natural persons. SMART’s communication of a breach shall be in clear and plain language and contain a minimum of:
- Contact details of the Data Protection Officer or other contact person,
- A description of the nature of the breach,
- Likely consequences of the breach,
- Advice on steps data subjects can take to protect themselves, and
- The measures SMART has taken or proposes to take to address the breach.
Data Security
SMART's business processes are designed and applied to appropriately safeguard your personal information, having regard to the sensitivity and use of that information. Nevertheless, such security measures may not prevent all loss, misuse, or alteration of personal information provided to SMART, and SMART is not responsible for any damages or liabilities relating to any such security failures. By using our services, you understand that there is a risk that data and communications, including email and other electronic communications, may be accessed by unauthorised third parties when communicated over the Internet. The foregoing does not affect any liability which cannot be excluded or limited under applicable law.
If you have any questions or concerns regarding the security measures applied to collection, use or disclosure of your personal information, please contact us at privacy@smarttech.com.
If you are using a service that involves third-party elements (e.g. embedded videos in your lessons), please review the policies of such third-party service providers as they relate to security and data protection.
Encryption
We employ a variety of safeguards designed to protect personal information against loss, misuse, and unauthorised access or disclosure.
We use cloud services to provide several state-of-the-art security measures, including the same end-to-end 256-bit TLS encryption used by all major banks to secure your data. We do not store or handle any of your login credentials, including passwords, as these are managed by single-sign-on (SSO) identity providers.
For further information regarding how SMART protects your data, click here.
CHANGES TO THIS POLICY
We may update this Privacy Policy from time to time to reflect changes to our products and services, our operations, or to meet new legal and regulatory requirements. Any material amendments will be communicated to customers 30 days in advance and become binding once posted online.
PRODUCT USER DATA COLLECTED AND PROCESSED
This section outlines what data is collected and processed from our customers and the four types of Lumio users:
- guest (not signed in)
- student (signed in)
- teacher (signed in)
- account administrator (signed in via the SMART admin portal)
Remember, SMART only receives information because you provide it; you are the data controller. In this way, customers and users are obligated to comply with their local laws and customers are responsible for any obligations they owe to their users with respect to their personally identifiable information.
Sub-processor | Country where data is processed/stored | Purpose | Data |
---|---|---|---|
Amazon Web Services, Inc., Amazon Web Services EMEA SARL | USA or Germany | Required for content storage. We offer both an American and European data storage option. Also used for optional AI question creator (Amazon Bedrock). AWS Privacy AWS GDPR |
Guests (anonymous):
|
Google LLC, Google Germany GmbH | USA or Germany and Belgium (Firebase) |
Google Cloud Datastore: Required for login and account administration for SSO login with Google, Microsoft, and Salesforce. Google Firebase: Required for basic functionality (Firebase is a backend-as-a-service (BaaS) cloud-computing solution we use for real-time (temporary) automated computer processing). Google Memcache: Required for sign-in process, short-term shared cache. Google Single Sign-On (SSO): Required if you use Google as your single sign-on (SSO) provider to access Lumio. Google provides SMART with required account details.
Google Privacy |
Students (identifiable):
Guests (anonymous):
|
Microsoft, Inc., Microsoft Deutschland GmbH | USA or Germany | Required if you use Microsoft as your single sign-on (SSO) provider to access Lumio. Microsoft provides SMART with required account details. Microsoft SSO Microsoft Privacy Microsoft GDPR |
Students (identifiable):
|
Mixpanel, Inc | USA | Required for product improvement and service monitoring. Mixpanel allows us to analyse how our de-identified users interact with Lumio. It is designed to identify trends and understand common aggregated usage behaviour, and helps us make better decisions on how to improve the usability and features of our product. This data is also used to track how long it takes our servers to complete actions like opening files, which helps us measure service health and up-/downtime. Mixpanel Privacy Mixpanel GDPR |
All users (anonymous):
|
MongoDB, Inc., MongoDB Deutsche GmbH | USA or Germany | Required. We use MongoDB Atlas for SMART ID mappings (Lumio teacher activation) and session management. MongoDB Privacy MongoDB GDPR |
Administrator Account (identifiable):
|
Redis Ltd., Redis EMEA Ltd. | USA or Germany | Required. Short-term shared cache for Lumio session management. Redis Privacy Redis GDPR |
Guests, Students, Teachers (identifiable):
|
Salesforce Inc. | USA | Required for the Account Administrator of the customer to access the SMART Admin Portal. Salesforce Privacy Salesforce GDPR |
Administrator Account (identifiable):
|
Sentry.io (Functional Software, Inc.) | USA | Required for automatic error reporting. If a SMART application encounters an issue, the application automatically sends anonymous information to Sentry.io and also Slack (see below). Optional self-error reporting: after automatic error reporting is complete, users are given the option to provide their name, email address, and additional information about the error. Users are also asked if they wish SMART to follow up with them. This optional personal information is stored in Salesforce (located in the United States) and shared with our customer support team. Sentry Privacy Sentry GDPR |
Guests, Students, Teachers Automatic Error Reporting (anonymous):
All Users Optional User Error Reporting (identifiable):
|
Slack Technologies LLC | USA | Required for error reporting. If a SMART application encounters an issue, the application automatically sends anonymous information to Sentry.io (see above) and Slack. Optional self-error reporting: after automatic error reporting is complete, users are given the option to provide their name, email address, and additional information about the error. Users are also asked if they wish SMART to follow up with them. This optional personal information is stored in Salesforce (located in the United States) and shared with our customer support and development teams via Sentry and Slack. Slack Privacy Slack GDPR |
Guests, Students, Teachers Automatic Error Reporting (anonymous):
All Users Optional User Error Reporting (identifiable):
|
Splunk Inc. | USA | Required metadata including system logs and performance. Splunk Privacy Splunk GDPR |
All users (anonymous):
|
Third-party content providers like YouTube® (Google LLC) | Depends on third-party providers | Optional content or activity a teacher may add to a lesson. We cannot control what data a third party directly collects when a teacher or student decides to include it in a lesson. By including YouTube videos in a lesson or activity, you are using YouTube's API Client that relies on YouTube API Services and thus you are agreeing to be bound by YouTube's Terms of Service and Google Privacy Policy. |
Guests, Students, Teachers
|
CUSTOMER DATA COLLECTED AND PROCESSED
This section outlines what data is collected, processed, and disclosed from customers (purchasers, prospects, and SMART’s authorised channel partners). Customer data is almost always non-personally identifiable business contact information. You can request data and account deletion at any time through our Customer Support team. However, we retain all data relevant to purchases and financial transactions until it is no longer required by applicable law. The term “identifiable” used in the below chart does not necessarily mean personally identifiable information.
Sub-processor | Country where data is processed/stored | Role | Purpose | Customer Data |
---|---|---|---|---|
Amazon Web Services, Inc. | USA | Processing, back office | Required cloud hosting provider. Data contained in user account information. AWS Privacy AWS GDPR |
Identifiable account information |
BigCommerce, Inc. | USA | Ordering | Optional. Only used when a customer purchases through our e-commerce store. BigCommerce Privacy BigCommerce GDPR |
Identifiable:
|
Blue Ocean Contact Centers, Inc. | Canada | Support | Optional. Blue Ocean is a subcontractor providing live (telephone, email, and web) support. Information collected includes organisation name, caller name (can use company title only if preferred for GDPR reasons), email (can provide non-PII version to comply with GDPR), title, phone, address and a description of the issue and any shared details to help solve the problem. Calls are recorded. Blue Ocean Privacy GDPR - EC Adequacy Decision |
Identifiable:
|
Call Miner | Canada | Support | Optional. Processing for telephone interactions (option to opt out of call recordings), required for email. Call Miner is a sub-processor providing omnichannel interaction analytics powered by AI and machine learning. Call Miner analyses customer support interactions, including recorded calls and emails, which are temporarily stored in CallMiner. The metadata is retained in CallMiner for analysis of the customer experience and trending information regarding the interactions between agent and customer. Call Miner Privacy and Security |
Identifiable:
|
Digital River | USA or Europe | Ordering | Optional. Online (e-commerce) order taking. Only used when purchases are made through our e-commerce store. SMART does not have access to credit card information, only Digital River. Digital River Privacy Digital River GDPR |
Identifiable:
|
Fivetran Inc. | Canada | Processing, back office | Required data connector service. Moves data from system applications into Snowflake. Fivetran Privacy Fivetran Security |
Identifiable account and purchase information |
Gainsight, Inc. | USA | Customer communications | Required if you opt in to receive marketing communications. Applicable only to North American Customers. We use Gainsight, which is a customer relationship management (CRM) tool, for email (name, email address, company information) marketing to individuals and organisations. Gainsight Privacy |
Identifiable account and purchase information |
Google, LLC | USA | Marketing & Support | Required if you opt in to receive marketing communications. Used to create a lookalike audience who may be interested in SMART because they are similar to individuals that have already expressly opted in to receive certain communications, such as marketing, SMART solutions, events and special offers. Required if you use the optional method of online customer support via Google Forms. Only used for processing support forms. Google Forms are also used when a purchaser is engaged with our Field Services (i.e. on-site support). Google Privacy Google GDPR |
Identifiable contact information |
HubSpot Germany GmbH | Germany | Required customer communications | Required. We use HubSpot, which is a customer relationship management (CRM) tool, for certain communications, such as customer transactional emails, outreach, and training. Hubspot Privacy Hubspot GDPR |
Identifiable account and purchase information |
Kluster Enterprises Limited | UK | Sales Forecasting | Required to provide analytics on our sales data. Kluster Privacy Kluster GDPR |
Identifiable account and purchase information |
LinkedIn | USA | Marketing | Required if you opt in to receive marketing communications. Used to create a lookalike audience who may be interested in SMART because they are similar to individuals that have already expressly opted in to receive certain communications, such as marketing, SMART solutions, events and special offers. LinkedIn Privacy LinkedIn GDPR |
Identifiable contact information |
Meta Platforms, Inc. | USA | Marketing | Required if you opt in to receive marketing communications. Used to create a lookalike audience who may be interested in SMART because they are similar to individuals that have already expressly opted in to receive certain communications, such as marketing, SMART solutions, events and special offers. Meta Platforms Privacy |
Identifiable contact information |
Microsoft, Inc. | Canada | Processing, back office | Required for our enterprise resource planning (ERP) system, which is software to manage day-to-day business activities such as accounting, procurement, project management and supply chain operations, as well as our email (Outlook), Confluence, PowerBI (data visualisation), Azure DevOps, and SharePoint (document management), and all the other standard Microsoft Office software titles, like Word, Excel, and PowerPoint. Microsoft Privacy Microsoft GDPR |
Identifiable account and purchase information |
Mixpanel, Inc. | USA | Monitoring | Required for product improvement and service monitoring. Mixpanel allows us to analyse how our de-identified users interact with Lumio. It is designed to identify trends and understand common aggregated usage behaviour, and helps us make better decisions on how to improve the usability and features of our product. This data is also used to track how long it takes our servers to complete actions like opening files, which helps us measure service health and up-/downtime. Mixpanel Privacy Mixpanel GDPR |
Pseudonymised metadata |
Outreach Corporation | USA | Marketing | Required if you opt in to receive marketing communications. Outreach is used to contact our customers in North America that have expressly opted in to receive certain communications, such as marketing, training, news, and offers from us. Outreach also provides analytics. Outreach Privacy Outreach Security |
Identifiable account and purchase information |
Salesforce.com, Inc | USA | Ordering, marketing, channel support | Required order information (product, quantity, price and tax, delivery). Required for our customer relationship management (CRM). Required to allow our authorised distributors and resellers to work together with SMART. Basic customer and purchase information is shared between SMART and its authorised distributors and resellers. Salesforce Privacy Salesforce GDPR |
Identifiable account and purchase information |
Sana Commerce | Canada | Ordering | Required only if Customer purchases parts. Process orders and payments (if using Sana Pay). Sana Privacy Sana GDPR |
Identifiable account and purchase information |
Sigma Computing, Inc. | USA | Processing, back office | Required for web application that presents Snowflake data (see below) to internal users. Sigma Privacy |
Non-identifiable account information |
SMART Authorised Distributors, Resellers and SMART’s Regional Office(s) | Global | Ordering and Support | Required contact and order processing. |
Identifiable account information
|
Snowflake, Inc. | Canada | Processing, back office | Required. Snowflake aggregates and centralises SMART’s customer data from multiple sources (Salesforce, Microsoft Dynamics, HubSpot, Oracle/OBIEE, Pivotal). Required for processing and back-office. Snowflake Privacy Snowflake Security |
Identifiable account and purchase information |
Stripe, Inc. and Stripe Payments Europe, Ltd. | USA or Ireland | Ordering | Optional. Only used when a customer purchases through our e-commerce store using a credit card. Residents of the European Economic Area (EEA), the UK and Switzerland: the entity responsible for the collection and processing of credit card personal data for residents of the EEA, the UK and Switzerland is Stripe Payments Europe, Ltd., a company incorporated in Ireland and with offices at 1 Grand Canal Street Lower, Grand Canal Dock, Dublin. To exercise your rights, the Data Protection Officer may be contacted via dpo@stripe.com. Stripe Privacy Stripe GDPR |
Identifiable account information
|
THIRD-PARTY CODE IN OUR SOFTWARE
Portions of Lumio use third-party open-source code. To find out more about third-party code in Lumio and its licences, visit our Lumio third-party code attribution page.
COOKIES
SMART and some of its processors use cookies to provide Lumio to you. Cookies are small files that are placed on your computer or device. Most web browsers allow some control over cookies through the browser settings. Blocking all cookies will, however, have a negative impact upon the usability of Lumio. Thus, you may prefer to accept cookies and then delete them later or upon exiting your session.
Who | Cookie | Purpose |
---|---|---|
SMART |
|
Required for providing navigation, login status, and user identification for the purpose of providing Lumio to the user, including the proper linking of user-created Content. |
Microsoft |
|
Required for providing single sign-on functionality and identification of the user for the purpose of providing Lumio to the user. These cookies are installed by Microsoft and SMART has no control over what Microsoft does with the information. |
Google |
|
Required for providing single-sign-on functionality and identification of the user for the purpose of admin providing Lumio to the user. YouTube cookies are installed during sign-on and support additional functionality (adding videos) within Lumio. These cookies are installed by Google and SMART has no control over what Google does with the information. |
Salesforce |
|
Required for providing single-sign-on functionality and identification of the user for the purpose of providing Admin Portal to the user. These cookies are installed by Salesforce and SMART has no control over what Salesforce does with the information. |
FEIDE |
|
Required if using FEIDE for providing single-sign-on functionality and identification of the user for the purpose of providing Lumio to the user. These cookies are installed by FEIDE and SMART has no control over what FEIDE does with the information. |
VIDIS |
|
Required if using Vidis for providing single-sign-on functionality and identification of the user for the purpose of providing Lumio to the user. These cookies are also installed by VIDIS and SMART has no control over what VIDIS does with the information. |
Sitecore |
|
Stores context language of the current Sitecore website. Sample values:
|
SMART ID |
|
Required. These cookies are written to your browser when you sign in to SMART ID. Signing out of your SMART ID deletes this cookie. These cookies store encrypted authentication information that only our servers can decrypt. This cookie is persistent and lasts for several hours. |
Mixpanel |
|
Required. These cookies are used to track user analytics on Mixpanel. The data includes device/user IDs, referrer, and common app-specific properties among all Mixpanel metrics. |
Stripe |
|
Required for B2C purchase of a Lumio subscription. These cookies are installed by Stripe and SMART has no control over what Stripe does with the information. Click here for additional information on Stripe's cookies. |
If you have any questions or concerns related to this Privacy Policy or the processing of your Personal Data, you may contact our privacy team as follows:
By email to our Data Protection Officer: privacy@smarttech.com