People have given up significant personal privacy, often in exchange for security and convenience. Imagine Everything recognizes that a careful balance must be made between the privacy of the people we serve and the necessity of the tools we build for K-12 education.
Welcome to our website.
Imagine Everything ("us", "we", or "our") operates https://www.imagineeverything.com (the "Site"). This page informs you of our policies regarding the collection, use and disclosure of personal information we receive from users of the imagineeverything.com website. We use your personal information only for providing and improving the site. By using the site, you agree to the collection and use of information in accordance with this policy.
We do not disclose any information to any third party, ever. Any information you submit, willfully or otherwise, is protected and considered confidential. This includes any form submissions, cookies, log data, or metadata collected while you visit the imagineeverything.com site. While visiting our website, your computer's Internet Protocol ("IP") address, browser type, browser version, device information, the pages of our Site that you visit, the time and date of your visit, the time spent on those pages and other statistics will be collected.
Our team uses Google Analytics to optimize content and refine presentation using information as described above.
We use Basecamp and Google Groups.
We use two third-party tools called Basecamp and Google Groups to manage school district community-driven software projects. These are both user self-managed services that allow you to opt in or out of email communications and promotional content.
You may receive an invite, by request, from our team. But it is also possible for school districts within the community to invite people from within their peer group. This means we cannot completely control whether or not you have received an invitation to this service, but we strongly support anti-spam initiatives. If for any reason you feel as though you have received an unsolicited email from our team, please notify us immediately.
Privacy and security starts with people.
Before technology and processes can be designed to help protect sensitive information, it’s important to consider the background of the leadership team involved in the company and projects. Our executive team as well as our education-led board members have extensive experience working with highly sensitive information for all levels of government.
Every member of our board of directors is an actively employed Associate Superintendent, Superintendent, or Technology Director for a K-12 school district. Privacy and security is foundational to every decision we make. The Imagine Everything board of directors is given full access to our technical infrastructure schematics as well as ledger-level financial access within the company to ensure complete accountability to the K-12 education community.
Privacy and security from the foundation up.
Here are a few ways we take your privacy and security seriously when designing software projects:
- We do not generate profit. Unlike most private corporations that are fiscally driven, and thus influenced by monetary opportunities, our mission is to help kids. Ultimately, it is our goal to reduce the cost of ownership of student safety technology for school districts as opposed to maximizing profits. There is absolutely no motivation to ever manipulate private school board data towards the end-goal of increasing revenue or profit.
- Your data stays in Canada. All data is stored in the Montreal region of Amazon Web Services. Just as important: we’re a Canadian company, working with Canadian school districts, abiding by Canadian privacy regulations first and foremost.
- It’s your data. Our stance on privacy is abundantly clear: it’s your data -- we just help you create, modify, visualize, and interpret data, in such a way that provides value to your students, staff, and the rest of the community you serve.
- We avoid the collection of personally identifiable information. Whenever possible, we avoid collecting personally identifiable information. This is easily seen by how projects like Student Aware were designed. For example, in accordance with FOIPP definitions in 9 of 10 Canadian provinces, we do not collect personally identifiable information as part of the Student Aware project. We’ve found better, more privacy-minded ways to still be able to identify children who are at risk of suicide, exploitation, violence, or abuse.
- Short data retention periods. It's our philosophy to only hold data for as long as it is needed for essential purposes. Student Aware typically holds data for less than 30 days and ensures each school district follows good practices handling the data. Other projects, like Education Forms, allow each school district to maintain their own retention policy based on their specific provincial or state requirements.
- Multi-tenancy design that takes security seriously. The multi-tenancy design we selected invokes physical data separation between school boards and employs a dedicated SSL connection unique to each tenant.
- Network security precautions. We employ IP-based network security that dramatically limits the scope of who can access our technologies. We also run an intrusion detection system that is constantly scanning for system vulnerabilities or abnormalities in traffic patterns.
- DDOS protection. We take advantage of high scalability, cloud-based denial of service protection services.
- Data encryption. All data is encrypted during transport and passwords are indecipherably hashed using a scaling algorithm to prevent brute force. We also strongly encourage the use of 2FA -- at which point we do not store any password data for any users.
- Data access logging. Each time your data is accessed by administrators, investigators, or members of our team (for support or collaborative research) it is noted in the data access log. This makes it fast and easy to identify who has had access to any sensitive data.
- GDPR compliance. Student data can be downloaded and shared with a student or parent quickly and easily at the click of a button. Administrators also have the ability to purge all data for a single student. Although this is a European standard, we feel it is good practice and foresee Canada and the U.S. adopting similar policy at some point in the foreseeable future.
- Privacy by user interface design. Our interfaces are carefully designed to minimize privacy leaks. Initial dashboards and analytical screens do not typically feature student data, which prevents physical security breaches by wandering eyes. Visibility to private data is reserved for specific views. We also do not include any personally identifiable data in email notifications: staff are required to sign in to our services in order to access any private data.
- Security training. Each employee is trained in cyber security practices. All code is peer-reviewed with OWASP security standards foremost in mind. Every project starts with a conversation about security and data privacy based on the types of information we will be collecting.
Your data, your rights.
At any time you may request that we permanently remove some or all of your data from our systems. In most cases we are able to comply with any requests within 24 hours during the business week. You may also request a copy of any of your data; however, it can take up to 5 business days in order to prepare a complete export and a safe means of transporting this data electronically.
You're not a client, you're a partner.
We refer to the work we do as projects rather than products. We refer to school boards as partners, not customers. Each school board is treated like an investor when it comes to projects. We often involve school districts in our software development sprint cycles and pricing discussions, and we’ve even shared source code on some projects.
Our hope is that each school board that joins our community shares the same vision we do about disrupting the education technology market with better software, better support, at a lower cost.
Project specific privacy considerations.
As part of the Student Aware student safety solution we collect the following information:
- Browser ID (numeric)
- Email (string)
- URL (string)
- HTTP User Agent (string)
  - Identifies which browser the user was using
  - Identifies what operating system the user was using
- Internal IP
- External IP
In addition to collecting the data, we create new annotational data using the above data which includes:
- Topical classifications for risk activity including self harm, child exploitation, school violence, cyberbullying, domestic abuse, adult social network accesses, pornography, vulgarity, anonymizers (e.g. TOR, proxy access), and malware
- Pseudo-anonymized analytics are also created which help describe trends and patterns at the school or school board level which are not associated with a personal identity
Effective date and changes to this policy.