EduLock.io Privacy Policy

Last Updated: 20/12/2025

EduLock.io ("we", "our", or "the App") is a school device management application designed to help educational institutions enforce acceptable use policies on student devices during school hours. This Privacy Policy explains how EduLock.io collects, uses, and protects information when used for school device management (the “Services” or “EduLock.io Services”). We process data both as a data controller (for school administrator accounts) and as a processor (for student device data).

In this Privacy Policy we will explain our practices regarding the use of personal data obtained and/or processed through our Services.

This Privacy Policy is part of our EduLock.io Terms of Service.

Summary

What Data We Collect and Why

EduLock.io is a school device management application that processes two distinct types of personal data:

(1) School Administrator Account Data: Schools provide administrator contact information (name, email, phone, timezone) to set up and manage their school account. EduLock.io acts as a Data Controller for this information and uses it to manage accounts, provide technical support, handle billing and invoicing, and maintain the platform. This data is retained for the subscription period plus 5 years (in blocked/archived format) for legal and administrative purposes. Administrator registration data is processed under our contracts with schools and legitimate business interests in providing secure, reliable services.

(2) Student Device Data: Schools collect and provide student identification data (name, date of birth, grade level, class, school ID, parent phone number) and authorize EduLock.io to manage the enrollment of student devices for policy enforcement during school hours. Schools act as the Data Controller and remain solely responsible for obtaining all necessary parental consent, complying with applicable laws (including COPPA for children under 13 and FERPA for education records), and informing parents and students about device management software use. EduLock.io acts as a Data Processor on behalf of schools.

For Android devices, EduLock.io collects device identifiers, operating system information, installed app lists, GPS location (for geofencing), and technical data needed for policy enforcement. For iOS devices, EduLock.io receives only device information automatically reported through Apple's MDM protocol in response to management queries, including device identifiers, OS version, battery/storage status, and network information. EduLock.io does NOT actively monitor web browsing, URLs, search queries, or detailed app usage activity.

Data Control and Retention

Schools retain full control over device data collection, retention periods (up to 30 days with immediate deletion available), and can delete student data at any time through the admin dashboard. Device data is retained for 60 days in active format (accessible to schools) and 12 months for analytics and reporting. After deletion requests from verified school administrators, data is removed from active systems within 14 days and from all backups within 15 days of identity confirmation.

Your Rights and Responsibilities

You have the right to request access, correction, erasure, and portability of your personal data, as well as restrict processing or withdraw consent. For administrator data, you can contact us directly at [email protected]. For student data, schools facilitate all requests as the Data Controller. We do not discriminate against anyone exercising these rights. Schools are responsible for verifying the identity of students and parents before submitting deletion requests, and must maintain records of all data requests and deletions.

Data Security and Privacy

All data is processed with encrypted transmission and technical/organizational security measures appropriate to the data's sensitivity and risks. In case of security breaches, we notify affected parties and supervisory authorities without undue delay (within 72 hours if required). We do not sell personal information to third parties and only share data with service providers under strict confidentiality obligations and our documented instructions. For international data transfers, we use EU model clauses and additional safeguards.

Policy Amendments

We may update this Privacy Policy to adapt to legislative or case law developments. We will notify you by posting changes on our website and platform. Continued use of EduLock.io Services after such changes constitutes your acceptance.

For questions about our data practices, contact our Data Protection Officer at [email protected].

A. GENERAL ASPECTS OF DATA PROCESSING BY EDULOCK.IO

This section informs school administrators and users of general information regarding data processing by EduLock.io.

1. Data Controller / Business: EduLock.io is operated by Majaz Projects LTD, domiciled at Nof Hagalil, Israel. Majaz Projects LTD is the Data Controller for administrator account registration and service management data. You can contact our Data Protection Officer to send any suggestions, queries, doubts or complaints about personal data, or to access your personal data by writing to: [email protected].

For school enrollment data and student information, schools act as the Data Controller, and EduLock.io acts as a Data Processor.

2. Confidentiality and Disclosure: We treat your personal data with strict confidentiality in accordance with applicable law. However, we disclose any information about you or your use of our Services: (i) in order to comply with the legal obligations we are subject to, (ii) in order to correctly deliver our Services or perform other obligations in accordance with our Terms, (iii) in the event of a sale or change of control of the Company for the purpose of appropriate due diligence actions; or (iv) to our service providers that provide us a service in relation to the data. We require all third parties to respect the security of your personal data and to process it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process it for specific purposes and in accordance with our instructions.

3. Data Retention: We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including: (a) the performance of the contract with schools and administrators, (b) satisfying any legal, accounting, or reporting requirements, (c) following your instructions regarding data collected from devices. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. Generally speaking, we will retain your personal data for the period of your subscription (in active format) and 5 years thereafter (blocked), for legal and/or administrative purposes.

4. Service Optimisation: We may process data on an aggregated non-identifiable basis for establishing user general attributes and profiles and share such anonymous information with third-party service providers to improve or promote our Services. We also use your data in a non-identifying and aggregated manner (i.e., dissociated data) to better design our website, software, and services.

5. Anonymised Data for Statistical Purposes: For the purpose of improving our Services and providing sector/segment reports, we may anonymise your personal data and store and process this data on an anonymous basis, even after your account has been closed, indefinitely. The principal purpose is to analyse on an aggregated non-identifiable basis how our Services are used, measuring their effectiveness, and providing general customer service. We may also provide this data (or parts of it) on a fully anonymous aggregate basis to third party business partners, including for conducting academic research and surveys or commercial analytics, and to publish periodic sector or segmented information and reports about behaviour patterns and tendencies.

6. Data Security: We have adopted technical and organisational measures to preserve and protect your personal information from unauthorised use or access and from being altered, lost or misused, taking into account the technologic state of art, the features of the information stored and the risks to which the information is exposed. In case of a security breach, we will take the appropriate measure and will notify you electronically in a timely manner.

7. International Transfers of Data: We use third party technological services for the provision of our EduLock.io Services, whose providers may process your personal data as subprocessors. These entities may be in jurisdictions that generally do not provide adequate safeguards in relation to the processing of personal data. For all entities outside the Economic European Area, we have entered contracts with such entities that do include such safeguards, including the EC model clauses, and implemented additional safeguards in accordance with applicable law, listed in Annex.

For more information about our service providers that carry out international data transfers, please contact [email protected]

8. Data Subject's Rights: In accordance with the applicable data protection law, you have the right to:

Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. For student data, schools as Data Controllers are responsible for initiating all deletion requests through the admin dashboard or by email. EduLock.io will process school-authorized deletion requests within 14 days.
Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights.
Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
Request the transfer of your personal data to you or to a third party (known as "data portability"). We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will notify you if this is the case.
File a complaint to the supervisory authority. You have the right to file a complaint to the relevant data protection authority if you consider that we are violating the data protection and privacy applicable laws.

School Accountability: For student device data, schools (as Data Controllers) are responsible for exercising all data subject rights on behalf of students and parents. Schools must maintain records of all data deletion requests and confirmations from EduLock.io. EduLock.io provides schools with audit logs detailing all deletions performed.

To exercise your rights, please contact us at [email protected] or by sending a letter to Majaz Projects LTD, Nof Hagalil, Israel. For student and parent data subject requests, schools should contact their designated school administrator or submit requests through the admin dashboard.

If you contact us to exercise your rights, we may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

9. Exercising Your Rights to Know or Delete: To exercise your rights to know or delete described above, please submit a request by either:

For Administrator Data: Emailing us at [email protected]; or submitting a support request within the EduLock.io Services.
For Student Data: Schools (as Data Controllers) must submit all student data deletion requests through the admin dashboard or by emailing [email protected]. Parents and students should contact their school administrator to request access or deletion of their data, as schools are responsible for facilitating these requests in accordance with applicable law.

Only you, or someone legally authorized to act on your behalf, may make a request to know or delete related to your personal information. To designate an authorized agent, please submit a request by emailing us at [email protected].

For student and parent requests: You may make a request to know or delete on behalf of your child by emailing your school administrator. The school must then facilitate this request and ensure deletion is completed through the EduLock.io admin dashboard.

You may also make a request to know or delete on behalf of your child by emailing us at [email protected].

You may only submit a request to know twice within a 12-month period. Your request to know or delete must:

Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative, which may include, but is not limited to:
- contact information associated with the account;
- the user profile name;
- the name of one or more Monitored Devices;
- technical information (e.g., model ID, serial number, IMEI code, operating system, etc.); or
- any other piece of personal information we determine in our sole discretion to be sufficient for verifying your identity to a reasonable degree of certainty.
Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

School Verification Responsibility: Schools are responsible for verifying the identity of students and parents before submitting deletion requests to EduLock.io. Schools must maintain documentation of identity verification and deletion requests.

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. However, we will process deletion requests from verified school administrators without delay. You do not need to create an account with us to submit a request to know or delete. However, we do consider requests made through your password protected account sufficiently verified when the request relates to personal information associated with that specific account.

We will only use personal information provided in the request to verify the requestor’s identity or authority to make it

10. Response Timing and Format: For Administrator Data (EduLock.io as Data Controller): For US users, we endeavor to substantively respond to a verifiable consumer request within thirty (30) days of its receipt. If we require more time (up to another 30 days), we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. For Student Data (Schools as Data Controllers): Schools are responsible for responding to all student and parent data subject requests within the timeframes required by applicable law (e.g., 30 days under CCPA, 30 days under GDPR, or as required under COPPA and FERPA).

School Deletion Workflow: When a school submits a verified deletion request through the admin dashboard, EduLock.io will process the deletion within 14 days and provide the school with:
- Confirmation of deletion completion
- Audit log entries documenting the deletion
- Timestamp of deletion execution
School Reporting Obligation: Schools must track and document all deletion requests from students and parents, verify the requestor's identity, and ensure timely submission to EduLock.io. Schools must maintain records proving deletion was completed and communicate confirmation to the requesting student/parent within the required timeframe.

Any disclosures we provide will only cover the 12-month period preceding our receipt of your request. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request. Schools are responsible for bearing any reasonable costs associated with fulfilling student and parent data deletion requests, as this is part of their Data Controller obligations.

11. Non-Discrimination: We will not discriminate against you for exercising any of the rights described above, and we will not:

Deny you goods or services.
Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
Provide you a different level or quality of goods or services.
Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

12. General: We may amend this Privacy Policy as required to adapt it to future legislative or case law developments. We will notify you by posting a clear notice of these changes on our website, platform and in this Privacy Policy. Your continued use of the EduLcok.io Services following the posting of changes constitutes your acceptance of such changes

Unless a specific local regulation of mandatory application provides otherwise, the Privacy Policy is governed by the laws of [placeholder]

B. EDULOCK.IO PROCESSING SCHOOL ADMINISTRATOR DATA

This section applies to the processing of school administrator account data, including registration information, institutional data, and related account management information.

1. Data Collection by the Company through the Services: EduLock.io will collect and process the following personal data from school administrators as Data Controller:

School Administrator Registration Data: When registering for EduLock.io Services, we collect the following mandatory personal data about the school administrator: Name,Surname, Email address, Phone number and Timezone. This data is required to create and manage the school account.
School Information Data: Schools provide the following institutional information during registration: School name, School address, School code. This data is mandatory and used to identify and manage the school's enrollment.
Technical Information: When administrators access our dashboard, we automatically receive: IP address, Browser type and Device information. This information is collected for platform security and performance analysis.

It is important that the data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

2. Class and Organizational Data: During onboarding, schools enter institutional informations and designations for organizational purposes within the platform.

Class Data: During onboarding, schools enter class names and designations for organizational purposes within the platform.
Student Identification Data: Schools enter student information for enrollment and device association, including: student name, date of birth, grade level, class assignment, school ID, and parent contact phone number. This data is mandatory for device management and student identification purposes. EduLock.io does not collect this data from student devices or apps it is provided solely by school administrators through the dashboard. Schools maintain full control and can modify or delete student records at any time.
Teacher Data: Schools provide teacher names, email addresses, and phone numbers for future dashboard access and administrative purposes.
Policy Configuration Data: Schools configure policies including school schedule and precise location coordinates for geofencing functionality. Schools have full control over this configuration and can modify it at any time.

3. Purposes for Processing: The personal data we collect about you is used for performing our contract with your school and providing the Services (as described in the Terms) and complying with legal requirements in relation to your subscription. The personal data we collect about you is also used to managing your school's EduLock.io account, providing technical support and customer service, billing and invoicing, measuring and improving the Services and its functionality. The Subscription Data we collect are also used to send email notifications and (if you gave your consent) newsletters, or communications, in general, about the Services, products and novelties, requests for feedback and product offers or promotions offered by Us. We will use your data also to ensure compliance with the Terms, the applicable laws, and other legal obligation we are subject to.

4. Legal Basis for Processing: Below are the lawful bases that we rely on to process your data:

Preparation and performance of Contract: Processing your data is necessary for the performance of our contract with you, or to take steps at your request before entering into such a contract.
Legitimate Interest: We have a legitimate interest to process your registration data for our business, in conducting and managing our business to give you the best service and the best and most secure experience.
Compliance with legal or regulatory obligation: We may process your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.

Generally, we do not rely on consent as a legal basis for processing your Account Data other than in relation to sending own marketing communications to you via email or text message. However, for transparency and clarity, we ask you to provide this consent, which is given by you on registering your account. You have the right to withdraw consent at any time by contacting us at [email protected]. This will not affect the processing of your Registration Data for service provision until you cancel your account

5. Data Retention: We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including: (a) the performance of the contract with schools and administrators, (b) satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. Generally speaking, we will retain your personal data for the period of your subscription (in active format) and 5 years thereafter (blocked), for legal and/or administrative purposes.

6. Data Sharing – Schools: Where you register for EduLock.io services through an invitation from a school, your basic identification data (such as sign-up name, and email address or phone number) may be disclosed to your child’s school for the purpose of verifying your family status as EduLock.io users and so that the school may engage and support you in relation to your child’s usage of school and home devices.

We do not sell personal information to third parties.

7. Your Responsibilities: As the person responsible for administrator data, you represent and warrant that:

You have all appropriate authority to collect and provide this data
The data you provide is accurate and up-to-date
You will immediately inform us of any changes to this data

C. EDULOCK.IO PROCESSING STUDENT DEVICE DATA (As Data Processor)

Please note that this Section applies to the processing of student device data from Monitored Devices. For student device data, schools act as the Data Controller, and EduLock.io acts as a Data Processor.

Schools retain full control over what data is collected, how long it's retained (up to 30 days or immediate deletion), and can delete student data at any time through the admin dashboard.

Important: Schools are the Data Controller of student data and remain solely responsible for:

Obtaining all necessary parental consent
Complying with applicable laws (including COPPA for children under 13 and FERPA for education records)
Informing parents and students about the use of device management software

Data Collection by the Company through the Services: EduLock.io collects the following data from Monitored Devices:

On Android Devices:

Device information: Device model and operating system version. Application installation status (the app requires permission to access the list of installed apps in order to enforce app blocking policies, but does not actively monitor or read the list for other purposes).
Location Information: GPS coordinates (latitude and longitude) are collected and processed locally on the device. Only the geofence status (whether the device is inside or outside the designated school location) is transmitted to the server. The actual GPS coordinates do not leave the device and are not sent to EduLock.io servers. Location data is collected in the background to enable geofencing functionality.
Technical Information: Firebase Cloud Messaging token (for receiving policy updates), App usage data related to policy enforcement.

2. Purposes for Processing: The personal data we collect is used to provide the EduLock.io Services as configured by schools administrators within the Services and to ensure compliance with the monitoring of the devices as intended.

3. Legal Basis for Processing: Below are the lawful bases that we rely on to process Device Data:

Performance of Contract: Processing device data is necessary for the performance of our contract with schools to provide the device management and monitoring services.

Compliance with legal or regulatory obligation: We may process device data where necessary to comply with legal requirements that schools are subject to.

4. Background Location Collection: EduLock.io collects location data even when the app is closed or not in use only. This is necessary for:

Geofencing: Automatically applying school policies when entering/leaving school grounds
Schedule enforcement: Ensuring policies are active during school hours regardless of app state

Location is checked periodically (not continuously tracked) to minimize battery impact.

5. Term: The term of processing is the term of your subscription with EduLock.io and a further 5 years (blocked, i.e. in secure archive) to comply with regulatory requirements.

**6. Warranty and Indemnity:**You represent and warrant that you have all appropriate informed consents or other legal basis, when necessary, for processing from each and every data subject whose personal data are submitted to us in the course of the provision of the Services or collected and transmitted to us by the EduLock.io software. You agree to indemnify and keep us harmless from all claims, damages and losses we may suffer relating to or arising out of the processing of Device Data and other third-party personal data submitted to our systems during the course of use and provision of the Services.

7. Your use of Device Data: You warrant that you have the appropriate authority to collect and process the Device Data and you will not submit to the Services any personal data relating to any individual over 13 who has not authorized such processing. Through the Services, you may also access a copy of the Device Data collected by us on your behalf. You will protect the confidentiality of any accessible Device Data and prevent access by or disclosure to any unauthorized third person.

8. Service Configuration and Data Processing Instructions: As a school administrator, you are responsible for setting the device management configurations within the EduLock.io dashboard that (i) controls the Services, the supervision and monitoring of device activities, and (ii) determines the personal data to be covered. The installation of the EduLock.io app on devices and your configuration of the admin dashboard constitute instructions for us to process Device Data on your behalf to provide you the Services. The level and degree of such monitoring is entirely under your control, and we will not be liable for any configuration and control carried out by you. Furthermore, your support requests via email or phone also constitute instructions for us to process Device Data, as long as processing Device Data is necessary to help you with your request or take the action you ask us to. All such Device Data will be under your responsibility, even with the Company acting as data processor in accordance with this Privacy Policy.

9. Data Retention and removal: During your subscription, we retain (a) your Device Data from the past 30 days for a retention period of 60 days, during which you will have access to it via the Platform. In addition, through the admin dashboard, you may delete all historical data saved at any time. Additionally, we retain (b) Device Data on an identifiable basis for 12-month periods for providing analytics and reporting purposes. This data will no longer be accessible and will be fully removed from our systems on the next backup. If you wish to remove all the Device Data in your EduLock.io Account, please uninstall EduLock.io from your devices and send an email to [email protected] with a digital copy of your ID or other identification document to prove your identity, requesting the deletion of all the data. Once your identity is confirmed, we will immediately remove all data from our active systems and backups within fifteen (15) days from confirmation of identity. In summary, we will retain your Device Data for the period of 60 days (in active format for your access) and 12-month periods for analytics and reporting (in active format but not accessible by you).

10. EduLock.io On iOS Devices: Upon installation of the EduLock.io Mobile Device Management (MDM) profile on Monitored Devices with iOS operating system, EduLock.io gains the ability to send management commands directly to the device and receive device status information through Apple's MDM protocol. EduLock.io does not actively monitor or filter user traffic. Instead, devices report specific information automatically in response to management commands and device check-ins. Data Automatically Available Through MDM Profile: Through the MDM protocol, the following information is automatically provided by iOS devices in response to management queries:

Device Information (available upon Device Information query): Device identifiers (UDID, serial number, model name, product name, IMEI, MEID) Operating system version and build version, Device name and hardware capabilities, Battery level and available storage capacity, Network information (WiFi MAC address, Bluetooth MAC address, carrier information, roaming status), Security status (Supervision status, Activation Lock status, Do Not Disturb status) and MDM enrollment and configuration status.
Restrictions Information (available upon Restrictions query): Current device restriction settings configured by the school administrator, Device management policy compliance status.
Data Transmitted Automatically on Device Check-in: Push notification acknowledgment and device availability status, Command execution results and status, Device location (only when geofencing policies are configured and then Tampered with by the student).

Important Clarification: EduLock.io does NOT actively collect or monitor: Web browsing history or domain names visited, URLs visited or search queries, User agent information, Individual app usage or activity logs, Content accessed or displayed on the device, Communication or messaging activity.

All device information is collected solely for the purpose of enforcing device management policies, such as app blocking, restriction enforcement, and geofencing-based policy activation. This data is transmitted securely to EduLock.io servers exclusively for policy enforcement and reporting to school administrators. This data is not shared with any third party except as required by law or court order.

Notifications Regarding Illegal or Policy-Violating Activity:

If EduLock.io detects through system monitoring that a device user engages in any activity that is or may be illegal, violates the rights of third parties, or violates school device policies configured within the EduLock.io dashboard, EduLock.io will notify the school administrator of such activity.

Device Suspension and Access Controls: EduLock.io reserves the right to (and will, if required by court order, applicable law, or to protect its interests and business):

Suspend or block access to specific applications or websites based on policies configured by the school administrator;
Provide information regarding notifications or violations to law enforcement, a court, or public authority if legally required;
Suspend or terminate the school's account if the account is being used in violation of applicable law or these Terms of Service.

School administrators maintain full control over device management policies, including which applications and websites are blocked, geofencing settings, and the scope of device monitoring configured within the EduLock.io dashboard.

11. Rights and Responsibilities of EduLock.io: EduLock.io shall:

Process Device Data only on the basis of documented instructions from you, including transfers of Device Data to a third country or international organization, unless otherwise required to do so under Union law or applicable Member State law.
Ensure that the persons authorized to process Device Data have undertaken to respect confidentiality or are subject to an obligation of confidentiality of a statutory nature.
Take all appropriate technical and organizational measures to ensure a level of safety appropriate to the risk of processing.
Respect the conditions for having recourse to a data processor, as established in the current legislation on protection of personal data.
Communicate with schools prior to responding to requests for the exercise of rights of the data subjects, in this case, the users and parents.
At your choice, either destroy or return all personal data once the processing services have been completed and destroy any existing copies unless the retention of personal data is required under Union or applicable Member State law.
Make available to you all information necessary to demonstrate compliance with the obligations established herein.
Ensure that the Data Protection Officer is involved in an adequate and timely manner in all matters relating to the protection of Device Data.
Adhere to a Code of Conduct that is approved by the European Commission or other competent authority, if applicable.
Keep a record of processing activities in the case of processing personal data that may pose a risk to the rights and freedoms of the data subject and/or in a non-occasional manner, or which involves the processing of special categories of data and/or data relating to convictions and infractions.

12. Data Subjects’ Exercise of their Rights: If you or any device user addresses a request or exercises any of the rights established in the General Data Protection Regulation, EduLock.io shall provide the information requested and perform any required actions, without delay and, at the latest, within one month from receiving the request, which may be extended for a further two months if necessary, taking into account the complexity of the application and the number of applications. We shall consult with the school prior to providing any Device Data to a device user. Similarly, in the event that EduLock.io does not proceed with the request of the user, EduLock.io shall inform the latter without delay, and no later than one month after receipt of the request, shall provide the user with the reasons why EduLock.io has not acted and inform the user of his/her/their right to file a complaint before a competent authority and to file a judicial appeal. The response to the user's request shall be made in the same format as that used by the person concerned, unless he/she/they requests that it be done otherwise.

13. Security Breach of the Personal Data: Insofar as there exists an instruction from a competent supervisory authority, a development of national legislation or a delegated act, in the event of a security breach of personal data, EduLock.io shall notify you and the competent supervisory authority of such breach without undue delay, and if possible, no later than seventy-two (72) hours after it occurred.

14. Termination, Resolution & Expiration: In the event of termination, resolution, or expiration of the contractual relationship for the provision of services hereunder between you and EduLock.io, the latter shall not keep the Device Data unless otherwise legally required or advisable to do so. Otherwise, upon termination, resolution or expiration, or when no longer legally required to keep the data, EduLock.io shall destroy or return to the school all personal data and any copies of it, as well as any support or other document containing any personal data. This is without prejudice to the right of EduLock.io to continue to process Device Data where such data is being processed by EduLock.io or for the defense of its legal interests.

D. CONTACT US

For questions about this privacy policy or our data practices:

Email: [email protected]

Website: https://edulock.io

Data Protection Officer: [email protected]

For data-related requests, please contact your school administrator.

For school-level questions about data processing and school responsibilities, your school's designated administrator can contact us at [email protected].

E. FOR US USERS - CCPA COMPLIANCE

COPPA and its rules require us to inform parents and legal guardians ("parents") about our practices for collecting, using, and disclosing personal information from children under the age of 13 ("children"). It also requires us to obtain verifiable consent from a child's parent, or confirm that the child's teacher has obtained verifiable consent from such child's parent, for certain collection, use, and disclosure of the child's personal information.

Read more about COPPA at the FTC's COPPA page.

This regulation is designed to protect the privacy of your children. In order for a child under the age of 13 located in the United States to use EduLock.io Services, the child's parent or teacher must approve the enrollment or provide verifiable consent. Schools are responsible for:

Obtaining prior verifiable parental consent before enrolling children under 13 in device management
Providing parents with clear notice of what device data will be collected and how it will be used
Allowing parents to review, delete, or refuse further collection of their child's personal data
Maintaining records of parental consent and any data deletion requests
Not conditioning a child's participation in activities on collection of more information than reasonably necessary

EduLock.io will only process student device data in accordance with the instructions and consent obtained by schools. Parents may contact their child's school administrator to exercise their rights regarding their child's data, or contact EduLock.io's Data Protection Officer at [email protected] for assistance.