Kiddom Platform Data Retention Policy and Procedure

Key Concepts

This section provides clarification for some terms used in this Kiddom Platform Data Retention Policy and Procedure (“Policy”). Understanding these terms will help you navigate the Policy more effectively:

  • “Data Subject” is an individual whose Personal Data is being or has been Processed. On the Kiddom Platform, this includes students and teachers who use the platform.
  • “Kiddom Platform Personal Data” includes any Personal Data Processed within the Kiddom Platform Product associated with a client account, regardless of the type of Product Record (defined below). This excludes the Personal Data of the Main Client Contact (first name, last name, company, email, and phone number). 

Note that Personal Data Processed outside the Kiddom Platform (e.g., data of Kiddom employees) is not considered Kiddom Platform Personal Data and is not subject to this Policy. 

  • “Main Client Contact” is the Data Subject designated as the primary contact for each client account. Kiddom retains this individual’s Personal Data after the agreement with the client ends to maintain contact regarding the account and ensure compliance with regulatory, tax, and intellectual property-related obligations. 
  • “Personal Data” refers to any information that can be used to identify an individual directly or indirectly, such as a student or teacher on the Kiddom Platform. Examples include but are not limited to names, email addresses (including school email addresses), usernames, user IDs, school affiliations, assignments, tests, quizzes, scores and grades, videos, chat communications, comments, spoken languages, user activity logs, location data, and IP addresses.
  • “Processed” or “Processing” encompasses any action performed on or with Personal Data, including but not limited to collecting, viewing, storing, or deleting the Personal Data.
  • “Product Record” broadly refers to any material or information, in any form or media, created by or for Kiddom in connection with its Processor Products. Examples include:
    • Digital files and images;
    • Hard copy documents (printed and handwritten);
    • Blueprints; 
    • Photos and videos;
    • Electronic and digital recordings;
    • Specifications, formulations, and methodologies; 
    • Intellectual and industrial property, including know-how, trade secrets, inventions, developments, processes, designs, and drawings;
    • Advertising media and promotional material and research;
    • Email messages;
    • Web pages;
    • Computer programs; 
    • Electronically stored documents and data;
    • Agreements;
    • Invoices and other finance-related information, and commercial plans;
    • Mergers, acquisitions, dispositions and other commercial transactions;
    • Litigation (including threatened and pending litigation);
    • Internal and external correspondence and memoranda;
    • Presentations; and
    • Analyses and reports created by or on behalf of Kiddom.
  • “SaaS Service Agreement” is a contract between Kiddom and its clients specifying the terms and conditions for using the Kiddom Platform.

Introduction

Kiddom Inc. (referred to as “Kiddom,” “we,” “our,” or “us”) Processes Kiddom Platform Personal Data on behalf of clients and according to their instructions. As a data processor or service provider under the California Consumer Privacy Act (“CCPA”), Kiddom only handles Kiddom Personal Data as directed by clients. This means that only clients can decide how, why, and how long Kiddom will process the Kiddom Platform Personal Data.

When providing the Kiddom Platform to clients, we establish a SaaS Service Agreement outlining how we must handle the personal data entrusted to us. This agreement addresses our responsibilities concerning personal data upon termination or expiration of our contract with the client, such as returning or deleting the data.

  • In our standard Kiddom SaaS Service Agreement (which most of our clients sign), we commit to making all client data available for electronic retrieval for 30 days following the contract’s termination or expiration. After that period, we securely delete or de-identify Kiddom Platform Personal Data.
  • Occasionally, we may enter into SaaS Service Agreements with slightly different data retention terms (e.g., when using a client’s template). Regardless, all agreements should allow clients at least 30 days for electronic data retrieval before we delete or de-identify their data and related educational records. Unless otherwise specified, all personal data on the Kiddom Platform should be treated according to the terms of the standard Kiddom Agreement mentioned above and the retention period outlined in Section 3. “Retention Period for Kiddom Platform Personal Data” of this Policy.

This Policy describes the policy and steps for deleting Kiddom Platform Personal Data after a client account has been terminated or expires, as well as retrieving, exporting, and providing personal data to a client upon termination or expiration of their account. The Policy applies to the designated person(s) at Kiddom responsible for overseeing the deletion and retrieval of personal data on the Kiddom Platform.

Retention Period for Kiddom Platform Personal Data

Kiddom’s policy is to only retain Kiddom Platform Personal Data associated with a client account for 90 calendar days after the account is terminated or expires. Following this period, Kiddom securely deletes Kiddom Platform Personal Data in accordance with the details provided in the table in Section 6, Deletion & Retrieval Details. Regular checks must be performed to ensure that all Kiddom Platform Personal Data is deleted after the 90-day period.

Note: Clients who want Kiddom Platform Personal Data returned must inform Kiddom within 30 days after termination of their agreement. Upon receiving a timely request, Kiddom will provide the client with instructions on exporting their personal data or supply the exported data directly. If a client requests the return (or retrieval) of their personal data, Kiddom will postpone the deletion process until either (1) the Kiddom Platform Personal Data has been exported and provided to the client or downloaded by the client, or (2) an additional 90 days have passed since the client made the request, whichever comes first.

Client Notification System

A client notification system shall be implemented to remind clients of the upcoming data deletion and their option to request data retrieval within the specified time limit.

Handling Late Requests for Deletion or Retrieval

If a client fails to communicate their decision to retrieve or delete the Kiddom Platform Personal Data within the 90-day period following the termination or expiration of their agreement, Kiddom will take the following steps:

  1. Attempt to contact the client to remind them of their data retrieval or deletion options.
  2. If the client does not respond within seven (7) days, Kiddom will proceed with the secure deletion of the client’s Kiddom Platform Personal Data.
  3. In cases where the client requests data retrieval after the 90-day period has passed, Kiddom will evaluate the request on a case-by-case basis and may accommodate the request if the backup data is still available.

Deletion & Retrieval Details

The following table provides the necessary details for deletion and export of Kiddom Platform Personal Data:

Location of Kiddom Platform Personal Data: User profiles within the Kiddom Platform’s administrative interface

Kiddom Platform Personal Data Items to Be Deleted or Exported:

  1. User’s full name
  2. User’s email address
  3. Names of student’s parents/legal guardians
  4. School affiliation
  5. Avatar or photograph
  6. Username
  7. User IP address
  8. The user’s Google contact and contacts groups
  9. Google Drive file information
  10. Education records directly related to a student such as assignments, quizzes and tests, scores and grades, transcripts, class lists, student schedules, and student identification codes
  11. Educational institution an individual works for or studies at
  12. Job title

Procedure to Delete Kiddom Platform Personal Data:

  • For already terminated or expired client accounts: Kiddom follows steps outlined in the Policy and Procedure for Processing Data Subject Rights Requests.
  • For future terminated or expired client accounts: Automated scheduled deletion.

Procedure to Export Kiddom Platform Personal Data and Transfer it to the Client:

  1. Data Subject (or an authorized representative of Data Subject) will contact the client (school) with a request. Client will evaluate the request for validity, and if valid, the Main Client Contact will send the request to Policy Owner.
  2. Policy Owner will review the request. Data Subject’s name will be used to locate the relevant unique ID (UID) in Kiddom’s backend. Relevant Personal Data will be identified via additional information such as username and/or school email address.
  3. Data will be queried and returned from user table, classroom table and assignment tables based on unique system ID.
  4. The Personal Data requested will be transferred to the Main Client Contact in the form of a CSV file and from there will be delivered to the Data Subject (or authorized representative of Data Subject) who submitted the request to the client.

Location of Kiddom Platform Personal Data: Kiddom Platform’s Backup files

Procedure to Delete Kiddom Platform Personal Data: Automated scheduled deletion after 60 days from the deletion of the user profiles.

Procedure to Export Kiddom Platform Personal Data and Transfer it to the Client: Process outlined above will provide all information.

Location of Kiddom Platform Personal Data: Kiddom Platform’s analytics

Kiddom Platform Personal Data Items to Be Deleted or Exported:

  1. Web browser and/or device type
  2. Browsing and search history
  3. Information regarding the user’s interaction with the Platform

Procedure to Delete Kiddom Platform Personal Data: Automated scheduled deletion.

Procedure to Export Kiddom Platform Personal Data and Transfer it to the Client: Process outlined above will provide all information.

Contact Information of Client Accounts

There is one exception to the obligation to delete Personal Data of our clients; Kiddom retains the contact information of one client contact per client account (the Main Client Contact) to ensure compliance with regulatory, tax, and intellectual property-related obligations. In these cases, Kiddom only keeps the contact’s first name, last name, the school/district the contact works at, professional email, and professional phone number. This Personal Data is not typically stored in the Kiddom Platform.

Responsibility

The following responsibilities must be observed when creating, approving, implementing, and auditing this Policy:

| PROCEDURE | RESPONSIBLE PARTY | RESPONSIBILITIES |
| --- | --- | --- |
| Policy Review | Max Vaillancourt, Security Lead | Review Policy yearly to identify needed updates or revisions. |
| Policy Amendments | | Make revisions with IT and Legal department input. |
| Employee Training | | Provide regular training to familiarize employees with the Policy. Ensure employees read, understand, and implement the Policy. |
| Policy Enforcement | | Oversee technical and operational changes for Policy implementation. Monitor Policy compliance. |
| Auditing & Monitoring | | Conduct audits and evaluations to ensure policy adherence. |

Additional Support / Feedback

Do you have questions or need help using this SOP? Please contact Max Vaillancourt (security@Kiddom.com). Additionally, you may contact VeraSafe, our privacy and IT security advisor, at Kiddom@verasafe.com, or visit https://www.VeraSafe.com.

We are very interested to hear your feedback on this SOP. If you have any comments, suggested improvements, or other feedback, please contact both Max Vaillancourt and VeraSafe at kiddom@verasafe.com or experts@verasafe.com. We look forward to hearing from you.

Accountability

This Policy is enforced by Kiddom’s VP Engineering. Any individual who breaches this Policy may be subject to internal disciplinary action (up to and including termination of their employment) and may also face civil or criminal liability if their breach violates the law. 

Revision History

| Revision No. | Change(s) to Policy | Date |
| --- | --- | --- |
| 1.0 | New SOP: Kiddom Platform Data Retention Policy and Procedure. Outline deletion protocols, close outlined issues, close all remaining comments. | Nov 16, 2023 |