SMART AMG1 (the “AMG1”) Privacy Policy

Introduction

The following information explains the privacy policy (the “Policy”) and practices of SMART Technologies ULC (together with its subsidiaries, collectively "SMART", “we” or “us”) regarding the collection, use and disclosure of your personal information. The purpose of this Policy is to clarify what information we collect from you, how we use and disclose this information, and the ways in which you can help manage the information we collect. SMART is devoted to making sure that your privacy rights are respected, and personal data is collected and used in accordance with the current and applicable privacy and data protection law.

SMART supports numerous privacy laws including the European Union’s General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). We currently offer American and European data storage for user created content and we are satisfied our out-of-region user data processors provide appropriate safeguards for the data they handle. The AMG1 is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. Therefore, the Children's Online Privacy Protection Act (COPPA) does not apply. If you become aware that a child under the age of 13 has provided any personal data to us while using the GX please email us at privacy@smarttech.com and we will investigate the matter and, if appropriate, delete the personal data.

By using the AMG1, you are agreeing to this Policy and consent to SMART's collection, use and disclosure of your personal information as necessary for the identified purposes or as otherwise identified herein.

About AMG1

The SMART AMG1 is EDLA-licensed by Google and can be installed in compatible SMART Board interactive displays to provide a Google-based user experience. Featuring integrated Google with Play Certification, the AMG1 appliance lets users access native Google apps and the Play store without connecting an external computer. Adding a Google account enables access to Google Drive and your YouTube account, plus easy access to Google Classroom, Docs, Slides, and Sheets.

The AMG1 appliance also comes with the latest Android OS and includes an upgrade path to future Android updates via over-the-air updates.

Android^™

The Android operating system is open-source software by Google LLC. If you’re using an Android device with Google apps, your device periodically contacts Google servers to provide information about your device and connection to Google services. This information includes things like your device type and carrier name, crash reports, which apps you've installed, and, depending on your device settings, other information about how you’re using your Android device. By using Android and Google Play Store, you agree to Google’s terms and privacy policy.

Data Types

It is important to remember that SMART’s customers and users are two distinct groups:

Customers are typically an organization (e.g., district, school, company) and not a personally identifiable individual. The identifiable information we require is from the customer for transactional purposes. The customer shall not provide SMART with personally identifiable information unless permissible by law and the customers’ policies.

Users (e.g., teachers, students) are generally not the ones who purchased or set up the account (e.g., IT administrators) and only access Lumio because the customers’ IT administrator has granted them access. As such, SMART’s exposure to personally identifiable information only comes from how the customer operates when providing e-mail addresses and names of users to SMART and from user created Content. If you have a concern as a user about your PII you must demand the customer provide only non-identifiable information to SMART and you as a user must only create Content with no PII in it.

We collect two types of data, depending on your interaction with us:

“Non-Personal Data” means aggregated non-identifiable information, which may be made available or gathered via your access to and interactions with our services. We are not aware of the identity or other identifiers of the individual from which the Non-Personal Data is collected. The Non-Personal Data being collected may include aggregated usage information, as well as technical information transmitted by your device, such as the type of browser or device, type of operation system, device settings and technical software data, etc.

“Personal Data” or “Personal Information” means individually identifiable information, namely information that identifies a natural person (not a corporation) or may, with reasonable effort, be used to identify a natural person.

We do not knowingly collect or process any Personal Data constituting or revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning a person's health (“Special Categories of Personal Data”).

Encryption

We encrypt all your credentials and separate them from your personally identifiable information. We do not store any of your login credentials, including passwords as these are managed by our single-sign-on (SSO) providers.

Your rights

Subject to applicable law, including exceptions, you have the following rights with regard to the personal data that we collect about you:

• right to ask what personal data we have about you and how we use;
• right to request a copy of the personal data that we hold about you;
• right to request that we correct or amend your personal data;
• right to portability of your data;
• right to request deletion of your personal data; and
• right to ask us to stop or limit how we process your personal data.

To protect your privacy and security, we may need to verify your identity before acting on certain requests, to the extent permitted by law. If someone is making the request on your behalf (like an authorized agent) and they don’t provide proof of authority (such as a power of attorney), we may ask for additional evidence, like written authorization, or contact you directly to confirm the request.

If you would like to exercise your rights regarding your personal data, you can do so by:

• emailing your request to us at: privacy@smarttech.com
• contacting us by postal mail at:

 

+1.403.245.0333

Legal basis for processing personal information

We process your personal data in accordance with applicable data protection laws and rely on one or more of the following legal grounds:

• To provide our Services, fulfill contractual obligations, or take steps at your request prior to entering into a contract;
• For our legitimate business interests including managing our relationship with you, providing customer support, enhancing user experience and optimizing our services;
• To comply with relevant laws and legal processes.

Opting out or removing personal information and data retention

We do not sell your data, and we do not share personal data with third parties without your permission. A list of the third parties we share data to provide our services to you are detailed below.

SMART will only keep personal data for as long as required to provide the service, or to comply with statutory requirements. When the personal data collected is no longer required by us, we and our service providers will perform the necessary procedures for destroying, deleting, erasing, or converting it into an anonymous form as permitted or required under applicable laws.

You may request deletion of your SMART account at any time by e-mailing privacy@smarttech.com or contacting our support department. SMART will respond to customer requests to delete personal data within 30 days. Inactive unpaid accounts are deleted after two (2) years. All data stored locally on the AMG1 can be deleted by you at any time.

If you would like to request that your personal information be provided to you for your review, be removed from our services, or be updated, please contact privacy@smarttech.com.

Notification of Breach

If SMART becomes aware of a personal data breach, it shall without undue delay, and where feasible, no later than 72 hours after having become aware of it, notify the affected customer and the supervisory authority (if it was for data where SMART was the Data Controller) in accordance with Article 33 of the GDPR, unless the data breach is unlikely to result in a risk to the rights and freedoms of natural persons. SMART’s communication of a breach shall be in clear and plain language and contain a minimum of:

1. Contact details of the Data Protection Officer or other contact person,
2. A description of the nature of the breach,
3. Likely consequences of the breach,
4. Advice on steps data subjects can take to protect themselves, and
5. The measures SMART has taken or proposes to take to address the breach

SMART has an internal incident response plan in place to promptly and effectively address any security incidents involving personal data. This plan outlines procedures for identifying, assessing, containing, investigating, and mitigating data breaches to minimize risks to individuals and ensure compliance with applicable data protection laws.

Data security

We take appropriate technical and operational measures to protect against unauthorized access to or unauthorized alteration, disclosure or destruction of data. We restrict access to your personal data to employees who need to know that information in order to fulfil, develop or improve our services to you. SMART's business processes are designed and applied to appropriately safeguard your personal information, having regard to the sensitivity and use of that information.

Nevertheless, such security measures may not prevent all loss, misuse or alteration of personal information provided to SMART, and SMART is not responsible for any damages or liabilities relating to any such security failures. By using our services, you understand that there is a risk that data and communications, including e-mail and other electronic communications, may be accessed by unauthorized third parties when communicated over the Internet. The foregoing does not affect any liability which cannot be excluded or limited under applicable law.

If you have any questions or concerns regarding the security measures applied to collection, use or disclosure of your personal information please email privacy@smarttech.com.

Third-party apps and services

The AMG1 allows you to access or acquire services, websites, links, content, material, or applications from independent third parties (companies or people who aren’t SMART). We do not control how private information is collected by third party apps. Please refer to each individual app that you use for their privacy policy.

Cookies

The AMG1 and some of its features use cookies to enhance your experience and provide the functionality of the device. Cookies are small files stored on your device that help the AMG1 remember your preferences and settings. Most web browsers and smart devices offer options to manage and control cookies through their settings. However, blocking all cookies may affect the performance and usability of the AMG1. You may choose to accept cookies, and you can delete them later or when you exit your session, ensuring a customized experience each time you use the board.

Changes to the policy

We reserve the right to change this Privacy Policy from time to time to reflect changes to our products and services, operations, or to meet new legal and regulatory requirements. The most recent version of the Policy will always be posted on the website, and the update date will be reflected in the “Last Modified” heading.

Any material amendments will be communicated to customers 30 days in advance and become binding once posted online.