Privacy Policy

July 2023

INDEX

1. Introduction

The https://www.dreamclass.io/ website (the “Website”) is provided by DreamClass LLC, a US based company, having its registered office at 315 Montgomery Street, 9th Floor, San Francisco, CA 94104 (“DreamClass”, “We”). DreamClass is committed to respect your privacy and applicable data protection laws and regulations. This Privacy Policy (the “Policy”) intends to inform you about the way we use your personal data (i.e. any data related to an identifiable natural person, either directly or indirectly), either we collect them, when you visit our Website or when ordering and using our Services.

By accessing and using this Website, you confirm that you have read and fully understood this Policy, that you agree to the collection and the usage of your own and others’ personal data in accordance with the Policy and that you have the authority to provide DreamClass with all information submitted by you via the Website and DreamClass Platform (“the Platform”), including but not limited to the personal data of third parties.

2. General Principles of the Processing

We collect and process personal data in a transparent manner, to the extent necessary for specified, explicit and legitimate purposes, and do not process it further in a manner incompatible with those purposes. We take care that the data we collect are accurate and, when necessary, updated. We process data in a way that guarantees their security, including their protection against unauthorized or unlawful processing and accidental loss, destruction or degradation, using appropriate technical or organizational measures. We are ready to prove at any moment how we adhere to the above principles. We take the appropriate technical and organizational measures for the security, confidentiality, integrity and availability of the data. We respect your rights under the General Data Protection Regulation (GDPR), the UK GDPR, and the CCPA, to the extent applicable, and other applicable data protection laws and regulations, and we take all reasonable steps to assist our Customers in satisfying requests of the data subjects.

3. Usage of data we collect about you

3.1 When visiting our Website

DreamClass is the “Data Controller” of all personal data collected, when you visit the Website. This means that DreamClass determines the means and the purposes of the processing and is responsible to reply to your requests about the usage of your personal data.

3.1.1 Cookies

A cookie is a small data file stored at your device’s hard disk for record-keeping purposes, namely it records information about the use and activity on the Website. This information may include, but is not limited to, your Internet Protocol address, browser type, but also user’s web browsing history before visiting the Website, our Website’s search history. Some cookies are “first party cookies”, which means that they are set by us. Cookies set by parties other than us are called “third party cookies”.

Cookies are used for different reasons.

There are the necessary cookies, which are required for technical reasons in order for a website to operate.

Some cookies are used to enhance the performance and functionality of a website, but are non-essential to their use. However, if you decide not to accept such cookies, certain functionality may become unavailable. Such cookies are called preferences cookies.

Some cookies collect information that is used in aggregate form to help a website owner understand how a website is being used. Such cookies are called statistic cookies and they are either first party or third-party cookies. A third party, for example Google stores a Google Analytics cookie in order to be able to differentiate between users and be able to show a website owner how many times people visit a website on average (not individually) and information on what pages they’ve seen, how long the duration was, and so on.

Some cookies are used for marketing purposes. These are the “marketing cookies” and are third-party cookies. Third-party cookies are placed by providers (e.g. by Google, Facebook), who a website owner may have engaged to provide advertising services on his/her behalf. If, from the analysis of information collected by third-party cookies, visitors of a webpage are interested in one of the services, then advertising material of our services would be projected on third party websites. To see how data is collected and analyzed by third party cookies, you can visit third parties’ respective websites.

When you visit our Website, you are asked to consent to the use of cookies, and our Cookies Notice informs you exactly about the type of Cookies we use. Except for necessary cookies, you may choose to consent to none, one or more of the above cookies. You may withdraw your consent to the use of cookies any time during your visit to our Website freely and easily by clicking on “Manage Cookies Settings” button next to our “Privacy Policy” button.

Additionally, you can instruct your browser, by changing its options, to stop accepting cookies or to prompt you before accepting a cookie from the websites you visit.

3.1.2 Contact Form/Chat

If you wish to communicate with us by using the contact form, you may enter your name, e-mail address, the matter you would like to discuss about with us and write your message in the dedicated space. Optionally you may provide your phone number. You may also require help from us by using the chatting tool, available on the website. Such personal data is used solely for the purpose of responding to you, and we keep your data only as long as it is necessary to respond to your request.

3.2 When ordering our Services

DreamClass is the “Data Controller” of all personal data of Customers collected when ordering our Services. We collect data for our Customer’s personal identification, namely email address, name and surname. We collect our Customer’s Tax Registration Number and billing address for billing purposes. These personal data are necessary for the conclusion of the Subscription Services Agreement between us and the billing of the Services. Credit card data is not collected by us, but by Stripe, a third-party payment platform. To view the privacy policy of Stripe, please click here.

We keep the above personal data for the duration of the Subscription Services Agreement and after termination of the agreement for as long as it is required by law for accounting and tax purposes, and in case of a judicial challenge to defend our claims until settlement of the claim or until a final Court opinion has been issued.

3.3 When using our Services

3.3.1 Roles and responsibilities

DreamClass is the “Data Processor” for all personal data processed in relation to the provision of the Services under the Subscription Services Agreement. This means that these personal data are collected on the Customer’s/Account Owner’s behalf for his/her own purposes, that Customer/Account Owner is solely responsible for the legality of these purposes and the necessity of the processing to serve these purposes, and that the Customer/Account Owner (eg a School Unit or a University Faculty) is the Data Controller of personal data processed, while using the Services. Therefore, the Customer/Account Owner is responsible to satisfy the requests of the data subjects, whose personal data is processed through the Platform, for example the personal data of a pupil or a teacher. Additionally, the Customer/Account Owner is responsible to inform the Users of the Platform, eg the teachers as well as any other person whose personal data is processed by usage of the Platform about the scope, the purpose, the duration and the means of the processing, and to acquire the consent of the data subjects (pupil’s, pupil’s parents etc) whose personal data is being processed through the Platform. DreamClass executes a Data Processing Addendum with the Customer/Account Owner as an integral part of the Subscription Services Agreement, whereby also the security measures implemented by DreamClass are described.

3.3.2 Types of personal data processed

While using our Services our Customers and their Authorized Users provide us with following types of personal data:

A) Personal data referring to pupils/students, eg name, age, date of birth, gender, photos, audio, videos, grades, comments, appraisal remarks, disciplinary data, and any other comment a User, eg a teacher, may wish to add. Additionally, comments of a teacher may include, directly or indirectly, sensitive personal data. Therefore Customer/Account Owner is responsible to assign respective, privileged access rights in a strict way. The Platform allows the designation of different access and editing rights to different Users, and Customer is responsible to make use of the design of the Platform to protect personal data privacy.

B) Personal data referring to teachers: name, age, gender, projects and classes they have been assigned with etc.

C) Personal data of parents: Parents may have access to personal data of their children. They may also communicate through the Platform. Therefore, personal data referring to their correspondence are also stored in the Platform.

Customer/Account Owner is solely responsible for the allocation of access rights to Users, as well as for each User’s power to insert or delete personal data. Customer is solely responsible for the User’s abidance by privacy law, data protection law and codes of ethics.

The above personal data are stored in the Platform for the duration of the Subscription Services Agreement. Customer/Account Owner may delete or rectify any personal data or pupil’s profile and assign respective deletion or rectification rights to specific Users. After termination of the Subscription Services Agreement, and in case Customer does not want to renew the subscription, Customer may choose to either have the data stored in the Account deleted or returned to. If Customer chooses to have the content/data of the Platform returned to, we can export your data in a machine readable format.

3.3.3 Analytics in the Platform

We have specifically engaged Hotjar to analyze the behavior of the Customer and the Authorized User, while using the Services. This is possible by means of cookies and other tracking technologies of HotJar, a Malta based company with the location of facilities hosting our files in Ireland, on the Amazon Web Services infrastructure, eu-west-1 datacenter, that enable it to have access to your behavioral data, while using the Services, for example how easy and quick it is for you to use the Services, whether some tools are more popular than others, whether some tools are not easy to handle, or whether there is a problem while using some functionalities. This information helps us improve our Services and lose problems.

Traffic and behavioral data are retained for as long as it is necessary for us to analyze them and reach conclusions for the improvement of the Services. The retention period shall not in any case exceed that of six months. After that traffic and behavioral data are permanently deleted.

4. Security

Either we collect personal data as Data Controllers or as Data Processors, we take appropriate technical and organizational security measures to protect the integrity, accessibility and confidentiality of personal data. These measures are described in Attachment 2 to our DPA.

We do not share personal data with any third party, unless required to do so by law; in such a case, we shall inform you of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest, e.g. to protect confidentiality of a criminal investigation.

However, we do share personal data with our affiliates, as well as with our associates (sub-contractors and sub-processors), both solely for the provision of the Services and the provision of this Website.

We have made sure, by means of a written contract or assignment that our processors and sub-processors provide at least the same level of data protection as we do, for example they follow reliable technical and organizational security measures.

You may see a full list of our non-affiliate sub-processors, their location and addresses by clicking here.

You may be able to access third party social media services through our Website by using social media plugins on our website. In that case URL data may be transferred to this third party, and possibly also other kinds of data, based on this party’s Privacy Policy. Make sure you read the Privacy Policy of this third party, before you proceed to the plugin.

6. Your Rights

We respect your rights as a data subject under the GDPR, the UK GDPR, the CCPA and under other applicable data protection laws and regulations. Bear in mind that we are entitled to answer to your requests as a data subject, when acting as Data Controllers, if you contact us at this email address: privacy@dreamclass.io. When we are acting as Data Processors, the Data Controller, our Customer (eg the School Unit or the University faculty) is responsible to address your requests. However, we shall provide any reasonable assistance to the Data Controller for the satisfaction of your rights.

You should know that you, as a data subject, have the following rights under the GDPR and the UK GDPR.

6.1 Information and Transparency

You have the right to be informed about any processing of your personal data (the purpose, scope, duration and means, as well of data sharing). We adhere to the principle of transparency in processing. For any question regarding this Policy you may contact us at the following email address: privacy@dreamclass.io . We will respond without delay and in any case within one month upon receipt of the request.

6.2 Access

You have the right to receive confirmation on whether your personal data are processed and in case this happens, all required information thereof (processing means, goal, records etc.). This enables you to receive a copy of the personal information the data controller holds about you and to check that your data are lawfully processed. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, you may be charged with a reasonable fee, if your request for access is clearly unfounded or excessive. Alternatively, data controller may refuse to comply with the request in such circumstances.

6.3 Rectification

You have the right to require the rectification of incomplete or inaccurate data relating to you without undue delay, as well as to fill in incomplete data, if necessary for processing.

6.4 Erasure

You have the right to ask for the erasure of personal data concerning you without undue delay. We, if we are the data controllers, shall not proceed to the erasure of the personal data, only in case the data must be maintained for compliance with a legal obligation or in cases where the processing is required for the establishment, exercise or defense of legal claims.

6.5 Restriction of processing

You have the right to request restriction of processing, if the accuracy of personal data is disputed, for that period of time that allows data controller to verify the accuracy of personal data or based on any other legitimate reason specified in applicable data protection laws. For example, you may ask data controller to suspend the processing of your personal data, if you want data controller to establish its accuracy or the reason for processing it.

6.6 Data Portability

You have the right to receive your personal data in a structured, commonly used and machine-readable format as well as the right to request the direct transmission of personal data to another (controller or processor), if this is technically feasible.

6.7 Right to Object

You may oppose the processing of personal data, which takes place based on a legitimate interest of data controller without your consent. In this case, data controller may no longer process your personal data, unless it demonstrates imperative and legitimate reasons for the processing that override the interests, rights and freedoms of you as a data subject, or for the establishment, exercise or defense of legal claims.

6.8 No automated individual decision-making

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. You have the right to object to such automated individual decision-making.

In case you have provided your consent to the collection, processing and transfer of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. Once data controller has received notification that you have withdrawn your consent, data controller may no longer process your information for the purpose or purposes you originally agreed to, unless there is another legitimate basis for doing so in law, and data controller notifies you of that.

For example, you may withdraw your consent to the use of cookies by clicking on the button “Manage Cookies Settings” or choose not to accept cookies by your browser settings. You may also oppose to processing at any time by contacting us at the email provided at the end of this Policy.

6.10 Children

Our services are not directed to children. We do not knowingly collect personal data from children. Customer is responsible not to send credentials of the Accounts to children, but only to their guardians. If we become aware that a child has provided us with personal data, we will immediately delete such information. If you become aware that a child has provided us with his/her personal data, please contact us at the contact information below.

6.11 Complaint to a Supervisory Authority

You have the right to lodge a complaint with a Supervisory Authority, i.e. a Data Protection Authority in a European Union Member State, if you consider that the processing of your personal data infringes the GDPR and applicable European or member state data protection laws.

7. Right to opt out and right to Non-Discrimination

If you are a California resident, you should be specifically aware that you have the right to direct a business that sells (or may in the future sell) your Personal Information to stop selling your Personal Information and to refrain from doing so in the future. However, DreamClass does not sell your Personal Information to any other party.

If you are a California resident, you should be specifically aware that we will not discriminate against California residents or against any person, if they exercise any of the rights provided in the CCPA, or any applicable privacy law provision. In particular, we will not deny goods or services; charge different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; provide a different level or quality of goods or services; or suggest that anybody (including California residents) will receive a different price or rate for goods or services or a different level or quality of goods or services.

8. Changes to this Privacy Policy

Our Privacy Policy may change from time to time and any changes to this Policy will be updated so as to describe these changes. You are expected to check our website from time to time to take notice of any changes in this Policy.

If you have any further questions about this Policy or how we handle your personal data, which are eventually not dealt with here, please get in touch with us by contacting us to this email address: privacy@dreamclass.io.