Effective Date: 6.1.25

Last Date of Update: 8.21.25

1. Introduction

Hiveclass is an educational technology company committed to student privacy and data protection.
This Privacy Policy describes how we collect, use, and protect data through our platform, including mobile apps and web-based tools.

2. Definitions

“Personally Identifiable Information (PII)” refers to any data that can be used to identify an individual, including but not limited to student name, school affiliation, user role, email address, class or group assignment, login credentials, and any metadata linked to an identifiable user.
“Institution” refers to the school, school district, educational agency, or other academic entity that enters into an agreement with Hiveclass to access and use the Service.
“User Activity Data” refers to data generated by users during their use of the platform, such as the number of videos watched, timestamp of last login, clicks, device type, performance analytics, etc.
“Anonymized Usage Data” (also referred to as “De-identified Data”) refers to data that has been processed to remove all direct and indirect identifiers such that it cannot reasonably be used to identify an individual, consistent with FERPA, COPPA, and applicable state law standards.
“Student” refers to any individual enrolled in or associated with an Institution that uses the Service, regardless of age or grade level.
“School Official” refers to a third party that performs a service or function on behalf of an educational institution under FERPA and is subject to the same use and redisclosure restrictions as the institution itself.
“Subprocessor” refers to a third-party service provider engaged by Hiveclass to process data on its behalf in support of the delivery and maintenance of the Service.
“Service” refers to the Hiveclass application, platform, website, APIs, and any other software or service provided by Hiveclass to Institutions and Authorized Users.
“Authorized User” refers to any individual—such as a student, teacher, administrator, or staff member—who is granted access to the Service by the Institution.
“Educational Records” refers to records that are directly related to a student and maintained by an Institution or by a party acting on behalf of the Institution, as defined under FERPA.
“Data Incident” refers to any unauthorized access to, disclosure of, or acquisition of PII processed by Hiveclass, including but not limited to data breaches, security vulnerabilities, or other unintentional disclosures.
“Applicable Law” refers to all relevant United States federal and state laws and regulations governing student data and privacy, including but not limited to the Family Educational Rights and Privacy Act (FERPA), the Children’s Online Privacy Protection Act (COPPA), and state student privacy laws such as those enacted in California, New York, Illinois, Michigan, and North Dakota.
“HiveclassPE” refers to the Hiveclass curriculum platform for schools and educational organizations.
“HiveclassDigital” refers to the e-learning platform for libraries and community organizations.

3. Data We Collect and Why

Hiveclass collects personal and non-personal data for the purposes of providing and improving educational services.
Hiveclass collects only the minimum amount of information necessary to deliver its educational services and comply with institutional contracts and legal obligations.

Data Essential to HiveclassPE App Functionality

Data Type	Purpose
Full Name	To create and identify user accounts and assign learning progress
Grade Level	To assign developmentally appropriate content
Email	For use as a unique identifier and for communications

Data Collected for Performance and Improvement (Non-Essential)

These elements help us optimize user experience and platform improvements, but are not required for basic educational functionality

Device Type and Browser Info	To improve technical performance and support device compatibility
Usage Analytics (e.g., page views, time on task)	To create and identify user accounts and assign learning progress
Feedback or Survey Responses	To gather user insights and enhance support

Data Not Collected
1. Hiveclass does not collect or request the following data:
  1. Social Security Numbers
  2. IEP data
  3. Grade data
  4. Biometric data
  5. Health or medical records
  6. Geolocation data
  7. Financial or payment information

4. How We Collect Data

User-Provided Information

These data are collected directly from users or administrators during account setup or while using our services on HiveclassPE

Method	Examples of Data Collected	Purpose
Account Registration	Name, Username, Grade, School Affiliation, Class/group assignment, User role	To create and manage user profiles & To organize learners into groups for instruction
In-App Surveys or Feedback Forms	Optional feedback, user satisfaction data	To improve support and services

These data are collected directly from users or administrators during account setup or while using our services on HiveclassDigital

Method	Examples of Data Collected	Purpose
Account Registration	Patron library barcode	To create and manage user profiles
In-App Surveys or Feedback Forms	Optional feedback, user satisfaction data	To improve support and services

Automated Collection

These data are collected automatically through the user’s interaction with our platform or through browser/device tools.

Method	Examples of Data Collected	Purpose
Cookies	Session ID, login status, preferences, usage analytics, feature tracking	To maintain secure logins and save user settings. To monitor performance and engagement.
Log Files	Browser type, device type, timestamps	To support troubleshooting and optimize performance

Use of Cookies and Tracking Technologies
1. Hiveclass may use cookies or similar technologies solely for purposes such as session management, login persistence, and platform performance analysis.
2. No third-party advertising or behavioral tracking cookies are used.
3. Users may adjust browser settings to manage cookie use, though this may impact platform functionality.

Third-Party Authentication (if applicable)

If enabled by a school or user, Hiveclass may integrate with third-party login systems such as Google, Canvas, Classlink, or Clever for authentication.

Method	Examples of Data Collected	Purpose
OAuth 2.0 or SAML 2.0 Login (Google, Microsoft, Canvas, Sierra Patron API, SirsiDynix, EZProxy etc.)	Name, Email address (used for login)	To streamline user access and reduce password management
OAuth-based proprietary API (Clever, Classlink)	Name, Email address (used for login)	To streamline user access and reduce password management

5. Data Ownership and Use

Hiveclass acknowledges that all personally identifiable information (PII), as defined by FERPA and other applicable laws, is owned by the client (school/district) and processed solely on their behalf.

Hiveclass may retain and use de-identified, anonymized, or aggregate data — that cannot be used to identify an individual — for internal analytics, platform improvements, and reporting. Hiveclass does not claim ownership of any PII and processes such data only as a Data Processor under the direction of the Data Controller (the institution)

Data Type	Examples	Ownership
Personally Identifiable Information (PII)	Name, grade level, school affiliation, class membership, login ID (patron barcode), user role	Owned by the institution and governed under FERPA
User Activity Data	Number of videos watched, timestamp of last login, clicks, device type, performance analytics	Owned by Hiveclass in de-identified form and used to improve product performance
Anonymized Usage Data	System-wide engagement trends, most used features across districts	Hiveclass may use or share in de-identified form for research and improvement

6. Data Deletion and Retention

Hiveclass honors verified deletion requests from institutional administrators. Requests are typically fulfilled within 60 days unless contractual terms require shorter timeframes. Anonymized usage data may be retained for platform analytics. Requests can be directed to the institution’s account manager and/or support@hiveclass.co.

Below is a table outlining our data retention practices:

Data Type	Retention Policy	Deletion Method
Personally Identifiable Information (PII)	Deleted upon verified request from institution	Manual deletion in database and backups
User Activity Data	Retained as long as the institution maintains account or per contractual term. Deleted upon verified request from institution	Bulk deletion by script or Manual deletion in database and backups
Anonymized Usage Data	Retained indefinitely	Not applicable (data is anonymized)

De-identification is performed using industry-standard techniques, including the removal of direct and indirect identifiers, to ensure that anonymized data cannot reasonably be used to identify any individual.

7. Data Security Measures

Hiveclass uses administrative, technical, and physical safeguards to protect data integrity and confidentiality.
1. Employee access is restricted to authorized personnel; employees receive annual privacy training.
2. .Access to student data is granted only to Hiveclass employees or agents with a legitimate educational interest, consistent with FERPA and applicable state laws.
3. Systems are tested periodically through vulnerability scans and third-party audits.
4. Hiveclass maintains system activity logs and monitors application usage for security, auditing, and incident response purposes, in accordance with applicable institutional requirements.
In the event of a data breach involving personally identifiable information (PII), Hiveclass will notify the affected client institution as quickly as practicable, and in no event later than seven calendar days after confirmation, consistent with applicable state laws and institutional agreements.

8. Encryption and Data Protection

Hiveclass encrypts all data in transit and at rest using industry standard

Environment	Encryption Standard	Scope
Production	TLS 1.2+, AES-256	All data in transit and at rest
Staging	TLS 1.2+, AES-256	Mirrors production security
Backups	AES-256	Encrypted at rest

9. Third-Party Service Providers and Subprocessors

Hiveclass uses subprocessors only for essential services such as hosting, content delivery, accessibility, and analytics.

Subprocessor	Purpose	Data Shared
Amazon Web Services (AWS)	Application hosting, storage	All hosted data encrypted
Cloudflare	Content delivery, DDoS protection	IP address, TLS data
Userway	Accessibility overlay	Page metadata only
Omni	Business Intelligence Product	Usage Data, PII

Hiveclass conducts a structured vetting process before engaging any third-party service provider (subprocessor) to ensure alignment with our data protection standards and applicable laws. This process includes:
1. Instructional Scope Verification
  1. Hiveclass confirms that the subprocessor will only process data strictly under Hiveclass’s direction and for the limited purpose for which they are engaged.
2. Security and Compliance Evaluation
  1. We assess the subprocessor’s security controls, data handling practices and compliance posture to ensure they meet or exceed industry standards and legal requirements (e.g., FERPA, COPPA, and state-specific education privacy laws).
3. Data Use Restrictions
  1. We verify that the subprocessor contractually agrees not to sell, reuse or disclose personal data for any unauthorized or secondary purpose.
4. Ongoing Oversight and Review
  1. Hiveclass performs periodic assessments of each active subprocessor to ensure continued compliance with contractual and legal obligations. This includes audits, reviews of policy updates and security posture evaluations.
Subprocessor Vetting and Compliance Documentation
1. Hiveclass recognizes the importance of ensuring that all third-party service providers (subprocessors) involved in the processing of Company Personal Data meet the same high standards of data protection and privacy as we do. While Hiveclass may not be in a position to impose its own data protection policies on large infrastructure providers, we maintain a rigorous vetting and documentation process to ensure alignment with legal and contractual obligations.
2. Vetting Process
  1. Before engaging any subprocessor, Hiveclass conducts a formal evaluation that includes:
    - Review of the subprocessor’s privacy and data security policies, terms of service and compliance documentation;
    - Verification of the subprocessor’s adherence to relevant data protection laws such as FERPA, COPPA and applicable state regulations;
    - Assessment of the subprocessor’s participation in recognized privacy frameworks (e.g., SOC 2, ISO 27001, Privacy Shield where applicable);
    - Evaluation of the subprocessor’s data handling practices to ensure that only the minimum necessary data is processed and only for approved purposes.
3. Documentation and Recordkeeping
  1. Hiveclass maintains a centralized third-party risk and compliance register that includes:
    - Copies or links to the subprocessor’s publicly available privacy policies and terms of service;
    - Records of compliance certifications or third-party audit reports, where applicable;
    - A detailed data flow and access mapping that outlines the specific data shared, purpose of processing, and legal basis for each subprocessor;
    - Date of most recent review and scheduled next review;
    - Notes from internal assessments or risk evaluations.
    - These records are reviewed and updated annually or upon any change in the subprocessor’s services, policies, or contract terms.
4. Ongoing Monitoring
  1. Hiveclass performs periodic reassessments of all subprocessors to ensure continued compliance. This includes:
    - Monitoring for significant policy changes or reported data incidents involving the subprocessor;
    - Requesting updated documentation or certifications as needed;
    - Re-evaluating risk if new types of data are introduced or additional access is required.
  2. If a subprocessor fails to meet our compliance expectations, Hiveclass will take appropriate action, including mitigation plans, restricting access, or terminating the relationship.

10. Opt-Out Options

Institutions may request Hiveclass disable any non-essential third-party service. Hiveclass will respond within 30 days.

11. Compliance with Data Protection Laws

Hiveclass complies with FERPA, COPPA, and state-specific regulations where applicable, including laws in California, Illinois, Michigan, and New York.
1. Compliance is tied to the location of the school or district we serve and does not impose broader obligations beyond those jurisdictions.

12. Notification of Subprocessor Changes

Hiveclass will notify institutions 30 days prior to adding or changing subprocessors. Institutions may raise objections based on reasonable privacy concerns. Hiveclass will work in good faith to resolve objections, including exploring alternatives or suspending use of the subprocessor for the objecting institution where feasible.

13. Protecting Children’s Privacy

Hiveclass does not knowingly collect PII from children under 13 without verified school authorization in compliance with COPPA.
Hiveclass collects personal information from students only under the direction of the school or district and does not accept or respond to direct requests from parents. Parents seeking to access, review, or delete their child’s information should contact their school administrator, who may then work with Hiveclass as needed.

14. International and State-Specific Legal Rights

FERPA (Family Educational Rights and Privacy Act)
1. Hiveclass operates as a school official under FERPA, with a legitimate educational interest, and only processes student information on behalf of and under the control of educational institutions. Parents or eligible students seeking access to or correction of education records should contact their school directly.
COPPA (Children’s Online Privacy Protection Act)
1. Hiveclass does not collect personal information from children under 13 for commercial purposes. Where Hiveclass is used by children under 13, it is only under the direction and authorization of the school, in accordance with COPPA’s “school exception.” Parents seeking to access or delete their child’s information should contact their school or district.
California Consumer Privacy Act (CCPA)
1. Hiveclass does not collect personal information from California residents for its own commercial purposes and operates solely as a service provider to schools and districts. Parents or students seeking access to, or deletion of, their personal information under the CCPA should contact their school or district administrator, who may relay the request to Hiveclass as appropriate.
New York Education Law § 2-d
1. Hiveclass complies with New York Education Law § 2-d and only processes student data as directed by the educational agency. Any requests to access or amend student data, or report suspected breaches, should be directed to the applicable school or district.
Illinois Student Online Personal Protection Act (SOPPA)
1. Hiveclass complies with the Illinois Student Online Personal Protection Act (105 ILCS 85) and enters into written agreements with Illinois school districts prior to collecting any covered information. Parents and guardians should direct any inquiries or access requests to their school, in accordance with SOPPA procedures.
Michigan and North Dakota
1. Hiveclass complies with applicable data protection statutes in Michigan and North Dakota. As a vendor operating under contract with schools, Hiveclass does not respond directly to student or parent data requests. Such requests should be made to the student’s educational institution.

15. Hiveclass does not utilize platform user data to target users for advertising, either within our platform or through third-party services.

We do not sell, rent, or share user data for marketing purposes.
We do not allow interest-based, behavioral, or contextual advertising directed at students, educators, or administrators.
We do not permit third-party advertisers to access or use our platform data.
All data collected by Hiveclass is used exclusively to deliver, maintain, and improve educational services in accordance with our agreements with schools and districts, and in full compliance with FERPA, COPPA, and applicable state laws.

16. Changes and Updates

Hiveclass will provide 30 days’ notice before making material changes to this privacy policy.

17. Contact Information

Hiveclass Inc.
16 Hampton Blvd, Massapequa, NY 11758, USA
Email: info@hiveclass.co
Phone: 516-218-0156

18. Business Transfers and Successors

Hiveclass may disclose personal information if required to do so by law or in the good-faith belief that such action is necessary to comply with a legal obligation, protect and defend the rights or property of Hiveclass, respond to legal claims, or protect the personal safety of users or the public.

19. Disclosure in Response to Legal Process

Hiveclass may disclose personal information if required to do so by law or in the good-faith belief that such action is necessary to comply with a legal obligation, protect and defend the rights or property of Hiveclass, respond to legal claims, or protect the personal safety of users or the public.

20. Governing Law

This policy shall be governed by and construed in accordance with the laws of the State of New York. Any disputes arising hereunder shall be subject to the exclusive jurisdiction of the courts located in New York, unless otherwise specified in a separate written agreement between Hiveclass and the institution.

Hiveclass Privacy Policy