Data Privacy and Security Policy
Effective Date: September 18, 2024
This Data Privacy and Security Policy (the “Policy”) for College Guidance Network, Inc. (“Company,” “CGN”, “we,” “us,” or “our”), describes how and why we might collect, store, use, and/or share ("process") your information when you use any of our products (each of which is hereinafter referred to as a “Product”) or CGN’s services (hereinafter referred to as the “Service”) (collectively, “Services”).
Questions or concerns? Reading this Policy will help you understand your privacy rights and choices. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at privacy@collegeguidancenetwork.com.
Collection, Use, and Sharing of Personal Information
“Personal Information” means information that can be associated with a particular user. The chart below details what Personal Information we collect.
What Personal Information
We Collect
1. Contact information, including first name, last name, email address, phone number, and contact information of user-designated family members and supporters (including first name, last name, and email address).
2. Personal Information contained in customer services communications, whether through a customer service portal or an email.
4. Any Personal Information inputted by users into AVA, our conversational guidance assistant AI chat platform.
3. Device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Services, and other technical information.
How We Collect the Personal
Information
1. Users voluntarily input this information directly when they create an account or use the Services.
2. Although we do not directly seek Personal Information, users may share Personal Information incidental to providing feedback or correspondence to us.
4. Users may, if they choose, voluntarily input this information directly when they use the Services. See “Note Regarding Use of AVA” below.
3. We automatically collect this information when you visit, use, or navigate the Services. Information collected through cookies and similar technologies is described in further detail in “Third-Party Activity (Including Cookies and Similar Technologies).”
Why We Collect the Personal
Information
1. We use this information to facilitate account creation and authentication and to communicate with users in accordance with their preferences.
2. We use this information to communicate with users about the topics about which they communicate with us, including to respond to user inquiries and offer support to users.
4. We use this information to provide our Services to users in accordance with their preferences.
3. This information is primarily needed to maintain the security and operation of our Services, and for our internal analytics and reporting purposes. We may process this information to identify usage trends and better understand how the Services are being used so we can improve them.
Who We Provide the
Information To
1. Name and email address are only shared externally to enable third-party Application Programming Interface (API) integrations that require a unique user handle. “Third-party API integrations” refers generally to back-end software integration provided by third parties that allow us to access and use their functionality.
2. Internal use only.
4. We provide information logged by AVA in response to access requests from CGN’s educational institution partners, if and only if both the partner and the user/user’s parent have opted into granting access to this information. See “Note Regarding Use of AVA” below.
3. Internal use only.
When and With Whom Do We Share Your Personal Information?
We generally will not share or disclose Personal Information with any third parties, except under the following circumstances:
-
When you have consented to us sharing or disclosing your Personal Information.
-
When the Personal Information is shared with or disclosed to a parent company, subsidiary, joint venture, or other entity under common control with us in order to achieve any of the purposes described in the section above, “Collection, Use, and Sharing of Personal Information.”
-
Subject to the terms of a confidentiality agreement, in connection with, and for the purposes of, a business deal (or negotiation of a business deal) involving the sale or transfer of all or a part of our business or assets. These deals may include any merger, financing, acquisition, or bankruptcy proceeding.
-
When a third-party contractor is engaged to provide management, administrative, or support services on our behalf (a "Contractor") which require the Contractor to have access to Personal Information. In this instance, we enter into an agreement with the Contractor limiting the Contractor’s use of the Personal Information to the minimum amount necessary to perform the services; requiring the Contractor to report any suspected or actual breach of security or other incident related to the Personal Information to us; and requiring the Contractor to adhere to the same level of privacy requirements that are required of us by all applicable law. By accessing or using our Site, you consent to our sharing your Personal Information with our Contractors and to our Contractors’ use of your Personal Information in accordance with all applicable law, this Policy, and the other terms and conditions applicable to our Sites.
-
To the extent required to comply with legal obligations, processes, or requests; detect, prevent, or otherwise address security, fraud, or technical issues; enforce our contracts and agreements (including this Policy) with you; protect or defend our legal rights; or ensure the personal safety of any individual, including our employees and/or agents, users, or members of the general public.
Third-Party Activity (Including Cookies and Similar Technologies)
Like many businesses, we also collect information through cookies and similar technologies. We may use cookies and similar tracking technologies (like web beacons and pixels) to access or store information. The information we may collect through these technologies includes:
-
Log and Usage Data. Log and usage data is service-related, diagnostic, usage, and performance information our servers automatically collect when you access or use our Services and which we record in log files. Depending on how you interact with us, this log data may include your IP address, device information, browser type, and settings and information about your activity in the Services (such as the date/time stamps associated with your usage, pages and files viewed, searches, and other actions you take such as which features you use), device event information (such as system activity, error reports (sometimes called "crash dumps"), and hardware settings).
-
Device Data. We collect device data such as information about your computer, phone, tablet, or other device you use to access the Services. Depending on the device used, this device data may include information such as your IP address (or proxy server), device and application identification numbers, location, browser type, hardware model, Internet service provider and/or mobile carrier, operating system, and system configuration information.
Our Site may contain links to other websites, cookies, or other materials from, or which may be operated by, parties other than CGN. The information practices and privacy policies of these parties may be different than ours. CGN is not responsible for any actions or omissions by these third parties. This Policy applies only to Personal Information collected by CGN.
Note Regarding Use of AVA
CGN’s Services include AVA, a conversational guidance assistant AI platform that utilizes generative AI technology powered by OpenAI’s machine learning models and customized specifically for our Services.
CGN does not share any of your Personal Information with OpenAI via our API-enabled usage of OpenAI’s models. OpenAI is responsible for its own data protection and privacy policies. You should review OpenAI’s privacy policy (currently located here) prior to submitting any information to AVA. If you enter your Personal Information or sensitive data into AVA in the course of using CGN’s Services, you do so at your own risk and on your own initiative. CGN is not responsible for monitoring the data protection and privacy policies of OpenAI or its affiliates and does not control or hold any responsibility for OpenAI’s collection and/or retention of your information, except as required by applicable law.
How Long Do We Keep Your Information?
We will only keep your Personal Information for as long as it is necessary for the purposes set out in this Policy, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements). Unless required by applicable law, we will not retain your Personal Information for longer than twelve (12) months past the termination of your account.
When we have no ongoing legitimate business need to process your Personal Information, we will either delete or de-identify such information; or, if this is not possible (for example, because your Personal Information has been stored in backup archives), we will securely store your Personal Information and isolate it from any further processing until deletion is possible.
How Do We Keep Your Information Safe?
We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any Personal Information we process, including but not limited to the following:
-
Encryption of all Personal Information that we process both while at rest and in transit;
-
Security and access controls which protect CGN’s infrastructure from external attack and unauthorized access;
-
Regular review of our information collection, storage, and processing practices;
-
Review of the privacy and security practices and policies of third parties that may receive your Personal Information; and
-
Training for employees to prevent unauthorized access to our systems.
However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Although we will do our best to protect your Personal Information, transmission of Personal Information to and from our Services is at your own risk. You should only access the Services within a secure environment.
What Are Your Privacy Rights?
Withdrawing your consent: If we are relying on your consent to process your Personal Information, which may be express and/or implied consent depending on the applicable law, you have the right to withdraw your consent at any time. You can withdraw your consent at any time by contacting us by using the contact details provided in the section "How Can You Contact Us About This Policy?" below.
However, please note that this will not affect the lawfulness of the processing before its withdrawal, nor when applicable law allows, will it affect the processing of your Personal Information conducted in reliance on lawful processing grounds other than consent.
Opting out of marketing and promotional communications: We require and ask for your consent to opt into certain email and text/SMS communications we may send to the email address and phone number you choose to provide to us, including reminders and alerts related to our Services. You can opt-out of or unsubscribe from our marketing and promotional communications at any time by clicking on the unsubscribe link in the emails that we send, following any instructions we send you via text, or by contacting us using the details provided in the section "How Can You Contact Us About This Policy?" below. You will then be removed from the marketing lists. However, we may still communicate with you — for example, to send you service-related messages that are necessary for the administration and use of your account, to respond to service requests, or for other non-marketing purposes.
Reviewing or terminating account information: If you would at any time like to review or change the information in your account or terminate your account, you can log in to your account settings and update your user account.
If you would at any time like to terminate your account, please email us at admin@collegeguidancenetwork.com. Upon your request to terminate your account, we will deactivate or delete your account and information from our active databases. However, we may retain some information in our files to prevent fraud, troubleshoot problems, assist with any investigations, enforce our legal terms and/or comply with applicable legal requirements.
Cookies and similar technologies: Most Web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove cookies and to reject cookies. If you choose to remove cookies or reject cookies, this could affect certain features or services of our Services. If you have questions or comments about your privacy rights, you may email us at privacy@collegeguidancenetwork.com.
Controls For Do-Not-Track Features
Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track ("DNT") feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. We do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online.
Children and Personal Information Collected from Students of Educational Institutions
The Children’s Online Privacy Protection Act imposes certain requirements on website operators that have actual knowledge that they collect personal information from children under 13 years of age. CGN does not knowingly collect or maintain Personal Information from persons under 13 years of age, and no part of our Services are directed at persons under 13. If you are under 13 years of age, please do not use our Services. If CGN learns that Personal Information of persons less than 13 years of age has been collected without verifiable parental consent, CGN will delete the Personal Information.
In the event that an educational institution partnering with CGN chooses to use our Services with students under the age of 13 or otherwise under the age of consent for privacy purposes in their jurisdiction, we rely on that educational institution to obtain any necessary parental consents or act in lieu of the parents in providing consent for our collection and use of the Personal Information. We otherwise comply with our direct obligations for protecting that Personal Information. If we learn that we have inadvertently collected such Personal Information without the necessary consent, we will take steps to promptly delete it.
When educational institutions who are subject to the Family Educational Rights and Privacy Act (“FERPA”) contract with CGN, they agree to designate us as a “school official” with a “legitimate educational interest” in providing the Services as the terms are used in FERPA §§ 99.31(a)(1). CGN remains under the direct control of the educational institution with respect to the use and maintenance of FERPA-protected “education records” and uses student Personal Information only as set forth in our agreement with the educational institution and in compliance with applicable law.
Do California Residents Have Specific Privacy Rights?
California Civil Code Section 1798.83, also known as the "Shine The Light" law, permits our users who are California residents to request and obtain from us, once a year and free of charge, information about categories of Personal Information (if any) we disclosed to third parties for direct marketing purposes and the names and addresses of all third parties with which we shared Personal Information in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please submit your request in writing to us using the contact information provided below.
If you are under 18 years of age, reside in California, and have a registered account with our Services, you have the right to request removal of unwanted data that you publicly post on the Services. To request removal of such data, please contact us using the contact information provided below and include the email address associated with your account and a statement that you reside in California. We will make sure the data is not publicly displayed on the Services, but please be aware that the data may not be completely or comprehensively removed from all our systems (e.g., backups, etc.).
Do We Make Updates to This Policy?
We may update this Policy from time to time. The updated version will be indicated by an updated "Revised" date and the updated version will be effective as soon as it is accessible. If we make material changes to this Policy, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this Policy frequently to be informed of how we are protecting your information.
How Can You Contact Us About This Policy?
If you have questions or comments about this Policy, you may contact us via email at privacy@collegeguidancenetwork.com or by mail to:
College Guidance Network, Inc.
37 Saddle Club Road
Lexington, MA 02420
United States