Minnesota Historical Society's Northern Lights Interactive eBook Privacy Policy and Terms of Service

Privacy Policy

Effective Date: July 1, 2024 (Previous version was in effect 11/23/2021 - 6/30/2024.)

Minnesota Historical Society (“MNHS,” “Company,” “we,” “us,” and “our”) provides educational materials and related services to schools via educational software (our “Product”). This Privacy Policy (this “Policy”) governs our privacy practices for the Northern Lights Interactive eBook. Where capitalized terms are used in this Policy without definition, their definitions may be found in Section 17.

1. Our Commitment to Privacy

MNHS is committed to maintaining robust privacy protections for its Users. We have created our eBook to assist our teachers, administrators, and school/school district customers (each, a “Customer”) in providing online educational experiences to their students. We believe that transparent and strong privacy practices foster these experiences, and we provide this Policy in that spirit. Our Customer agrees to this Policy and any updates, on behalf of its administrators, teachers, students, and students’ parents or guardians (collectively, “Users”). For purposes of this Agreement, “Product” refers to the Company’s eBook, which can be accessed via web browser at nl.mnhs.org or the MNHS Education iPad app through which Users access the Northern Lights Interactive eBook for 6th grade Minnesota Studies and its related content. 

2. Updates to this Privacy Policy

The date on which this Policy was last revised is identified at the top of this page. We will post any updates we make to this Policy from time to time on this page. If we make material changes to how we treat our Users’ Personal Information, we will notify our Customers by email. Any changes will become effective when we post the revised Policy or, in the case of any material changes, provide the revised Policy to our Customers. The Customer is responsible for ensuring we have an up-to-date active and deliverable email address on file.

3. Our Compliance with COPPA and FERPA

We recognize the sensitive nature of Personal Information concerning students under age 13, and concerning PreK-12 students generally, where the information is contained in a school's educational records. This Personal Information is protected under either or both of the following federal statutes: COPPA and FERPA. Our privacy practices comply with both COPPA and FERPA.

4. The Scope of Our Privacy Policy

This Policy governs our privacy practices with respect to all Personal Information that Users submit, or that we collect in connection with our Product. This Policy governs not only our practices with respect to students' Personal Information, but also with respect to the Personal Information of teachers and school administrators who use our Products.

5. Consent from Schools Regarding Students' Personal Information

COPPA permits a school, acting in the role of “parent,” to provide required consents regarding Personal Information of students who are under the age of 13. Where a school is the subscriber to our Products, we rely on this form of COPPA consent. We provide the school with this Policy, to ensure that the school, in providing its COPPA consent, has full information and assurance that our practices comply with COPPA.

FERPA permits a school to provide educational records (including those that contain students' Personal Information) to certain service providers without requiring the school to obtain specific parental consent. FERPA permits this where the service provider acts as a type of “school official” by performing services, for example, that would otherwise be performed by the school's own employees. We fulfill FERPA requirements for qualifying as a school official by, among other steps, giving the school direct control with respect to the use and maintenance of the education records at issue (including associated Personal Information), and refraining from re-disclosing or using this Personal Information except for purposes of providing our Products to the school. We comply with FERPA by relying on this form of consent.

6. Access and Control of Personal Information

MNHS provides schools and districts full access to their student information through administrator access to the Product.  our Application and Admin tool. All student accounts and content will be permanently deleted each summer as part of the Company’s annual student and class reset. The Company does not maintain any student records. Schools can delete their student account information at any time. Parents and legal guardians can request deletion of student data prior to the summer reset by email.

7. The Types of Information We Collect

MNHS limits the collection of Personal Information to no more than is reasonably necessary for the User at issue to experience our Product. Specifically, the following types of information is collected:

• 7.1. Subscription Administrator Information: Registration information from a designated subscription administrator is collected when the subscription administrator activates the school or district's Product subscription account. This information may include the subscription administrator's own first and last name, business address and phone number, email address, profile information, and username.
• 7.2. Teacher Information: Teacher registration information is collected when a teacher’s account is activated, either by the subscription administrator or by the teacher. This information may include the teacher's first and last name, business address and phone number, email address, profile information, and username. 
• 7.3. Student Information: Student registration information is collected when a student’s account is activated, either by a teacher or subscription administrator. This information may include the student's first and last name, email address, and username. Information about a student may be combined with information about their school, such as its location.
• 7.4. User-Generated Content: Information that students and other Users provide in connection with submitting user-generated content and participating in collaborative features of the Product (where applicable) is collected. Examples of user-generated content that might contain Personal Information include notes, responses to questions and teacher assignments, responses to other students’ submissions, and other information provided in open-text and open-form fields. 
• 7.5. Usage Information: Usage, viewing, analytics, and technical data, including device identifiers and IP addresses, relating to Users of the Product is collected.
  • 7.5.1. Information about how, where, in a general sense (based on IP address), when, and for how long a User accesses and uses the Product, as well as what content they view, what actions they take (including, for example, clicks, touches, and hovers using a mouse), and how they navigate through the Product.
  • 7.5.2. Information from and about the User’s device, such as mobile device type, browser type and version, operating system name and version, IP address, and referring URL. This information is automatically connected when a User accesses the Product, and helps the Company understand usage, diagnose problems, best administer and provide support for the Product.

If it is discovered that the Company has collected Personal Information in a manner inconsistent with the requirements of COPPA or FERPA, we will either (a) delete the Personal Information, or (b) promptly seek requisite consents before taking further action concerning the Personal Information.

8. How We Collect Personal Information

Personal Information is collected through the Product in several ways. School administrators and teachers provide Personal Information during the registration process. Teachers and students also submit Personal Information during the normal usage of the Product. They submit this information, for example, when creating notes, and otherwise engaging in educational and other activities available on the Product. MNHS also collects usage information through technology, such as cookies, as further explained in Section 9 below.

9. Cookies and Non-personal Information

MNHS collects usage information through technology, such as cookies, web browser analysis tools, server logs, web beacons, and persistent identifiers. We use cookies, IP addresses, and other persistent identifiers to authenticate Users in order to ensure that only authorized individuals are permitted access to the Product, and so that we can understand how a User engages with our Product, such as identifying what links are clicked and what content is accessed and for how long. This information allows the Company to improve the user interface and create a better Product, such as by making commonly accessed content easier to reach or by more prominently displaying content that has been less frequently accessed.

Certain features of our Product may be hosted on third party sites, and in those instances the collection activities described above may be undertaken by this third party, under our direction and control and consistent with this Policy. Most information we collect using technological means is collected only in a non-identifiable way where no information that could be linked to an individual User is used, such as for website optimization and tracking website traffic patterns. If Personal Information is collected, this Policy governs how we use Personal Information.

10. How We Use Personal Information

In addition to the uses described above, and subject to any restrictions imposed by applicable laws or our agreement with our Customer, we may use and disclose the Personal Information we collect for the following purposes:

• 10.1. To provide our Customers and their authorized Users with the content and features available through our Products and to tailor and optimize the use of any of our Products to the needs of a particular school, classroom or student;
• 10.2. To permit school administrators and teachers to review students’ work, in order that they can monitor students’ performance and progress, plan lessons, and otherwise support instruction;
• 10.3. To communicate with school administrators and teachers about the applicable subscription account or transactions with us, and to send information about our Products, content, features and usage;
• 10.4. To communicate with l administrators and teachers, subject to any communications preferences they express;
• 10.5. To ensure that our Products run properly and are presented optimally, and for Product improvement;
• 10.6. To diagnose problems, troubleshoot issues, and provide maintenance and support;
• 10.7. To personalize a Product’s content and experiences for students, teachers, and other Users of the platform, such as by using the appropriate language, displaying their name on the User dashboard.
• 10.8. To detect, investigate and prevent activities that may violate our policies or be illegal.

11. How We Use De-Identified Information

• 11.1. We do not, as a rule, allow third-party operators to collect Personal Information through persistent identifiers on our Product for any purpose other than the internal operations, support and maintenance of our Product. Further, we do not use, or permit third parties to use, Personal Information collected through our Product for the purpose of targeted advertising.
• 11.2. We may use aggregate information that does not permit the identification of any individual User or Customer for analytics purposes, to understand how our Product is accessed and used, and how they perform, so that we may improve upon their design and functionality and otherwise develop and improve upon our products and services, and to develop analytics studies. We may disclose these studies to third parties, including to demonstrate product efficacy;
• 11.3. Finally, we de-identify usage information in accordance with COPPA and FERPA, and use this de-identified Information, in order to develop, evaluate, and provide improved educational products and services, as permitted under COPPA and FERPA. 

12. We Do Not Share Personal Information Except In Specific, Limited Circumstances

We use Personal Information for our internal purposes only, with the following limited exceptions.We never use student or children's data for targeted or third-party advertising. We disclose Personal Information:

• In response to the request of a law enforcement agency, governmental authority or other authorized public agency, including a request by a children's services agency or by the school at issue;
• To protect the security or integrity of our Product and associated applications and technology, as well as the technology of Our Service Providers;
• To the extent we believe necessary or appropriate to protect our rights, safety, or property and/or that of our affiliates, our Customers, our Users or others;
• To enable us to take precautions against liability, enforce legal rights, and to detect, investigate and prevent activities that violate our policies or that are illegal;
• If we are directed to do so by a subscribing school in connection with an investigation related to public safety, the safety of a student, or the violation of a school policy;
• If we are directed to do so by a subscribing school in connection with a student or parent/guardian request, as appropriate;
• To Our Service Providers, to permit them to provide the contracted services to us;
• In other cases, if we believe in good faith that disclosure is required by law.

13. Third Party Services

Upon written request, we will provide a list of Our Service Providers to our Customer. This Policy does not address, and we are not responsible for, the privacy, information, or other practices of any other third parties, including any third party operating any site or service to which our Product may link. The inclusion of a link in our Product does not imply our endorsement of the linked site or service. We are not responsible for the privacy, information or other practices of other organizations, such as Apple, Google, Microsoft, RIM, or any other device manufacturer, app developer, or provider of an app, social media platform, operating system, or wireless service.

14. How We Protect Personal Information

We have implemented and maintain reasonable organizational, technical, administrative and physical security controls that are designed to protect the security, confidentiality and integrity of personal information collected through our Product from unauthorized access, disclosure, use, loss or modification. Our information security controls comply with reasonable and accepted industry practice, as well as requirements under COPPA and FERPA. We diligently follow these information security controls and periodically review and test our information security controls to keep them current.

• 14.1. Information Security Procedures. We will:
  • Standard of Care. Keep and maintain all Personal Information in strict confidence, using such degree of care as is appropriate to avoid unauthorized access, use, modification, or disclosure;
  • Use for School Purposes Only. Collect, use, and disclose Personal Information solely and exclusively for the purposes for which Users provided to us the Personal Information, or access to it, and not use, sell, rent, transfer, distribute, modify, data mine, or otherwise disclose or make available Personal Information for our own purposes or for the benefit of anyone other than the Customer, without the Customer's prior written consent or as permitted by this Policy;
  • Non-Disclosure. Not, directly or indirectly, disclose Personal Information to any person other than our employees and Our Service Providers who have a need to know, without express written consent from the Customer;
  • Employee Training. Provide appropriate privacy and information security training to our employees.
  • Secure Storage. Use industry standard file encryption for user data that is subject to protection under either COPPA, FERPA, or both. Where file encryption is not reasonably feasible, we employ other industry standard safeguards, protections, and countermeasures to protect such data, including authentication and access controls within media, applications, operating systems and equipment.
• 14.2. Data Breach Response. In the event of a security breach involving Personal Information, we will take prompt steps to mitigate the breach, evaluate and respond to the intrusion, and cooperate and assist our Customer in their efforts with respect to (i) responding to the breach, including the provision of notices to data subjects; and (ii) engaging mutually agreeable auditors or examiners in connection with the security breach, subject to reasonable notice, access and confidentiality limitations.

15. Our Retention and Deletion of Personal Information

We retain Personal Information of Users of our Product (i) for so long as reasonably necessary (ii) to permit the User to participate with the Product, (iii) to ensure the security of our Users and our services, or (iv) as required by law or contractual commitment. After this period has expired, upon written instruction by the Customer, we will delete the Personal Information from our systems. Please understand that these deletion periods apply only to Personal Information and do not apply to De-identified Information. We retain De-Identified information in accordance with our standard practices for similar information, and do not retain or delete such information in accordance with this Policy.

In addition, if requested by a Customer, we will delete from our Product the Personal Information of the Customer's Users as the Customer directs. Deleting this information will prevent the User from engaging in some or all features of our Product. Where required by applicable law, we will delete such information and provide a certification of such deletion.

16. Contact Us

You may contact us with questions or concerns regarding this Policy via email. 

17. Definitions

“COPPA” means the Children’s Online Privacy Protection Act, 15 U.S.C. §§ 6501–6506, including the rules and regulations promulgated thereunder, in each case as amended.

“De-identified information” means information that meets each of the following criteria: the information (i) does not identify a particular natural person; (ii) does not identify, by network Internet Protocol address, raw hardware serial number, or raw MAC address, a particular device or computer associated with or used by a person; (iii) does not identify the school at issue by name or address; and (iv) is not reasonably linkable to a particular natural person or school because of technical, legal, or other controls.

“FERPA” means the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g, including the Protection of Pupil Rights Amendment, including the rules and regulations promulgated thereunder, in each case as amended.

“Our Service Provider” means a third party that provides content and/or functionality for our Products, or services such as website hosting and customer service, and that has executed a written agreement containing terms regarding Personal Information that we share with them that are no less restrictive than the terms contained in this Policy.

“Parent” means a parent or legal guardian of a student.

“Personal Information” means information that identifies a natural person, as specified in FERPA and COPPA

This Privacy Policy was last updated on July 1, 2024