Last Updated: May 26, 2022
MIND Research Institute, the creator of ST Math, is a nonprofit social benefit organization with a mission to mathematically equip all students to solve the world’s most challenging problems. As a nonprofit committed to the betterment of children’s education and futures, we take student privacy seriously.
We appreciate the continued efforts of privacy advocates, researchers, regulators, and journalists to hold education technology companies and organizations accountable. MIND is proud that we have taken every step to timely and fully meet evolving responsibilities around student privacy. As we continue to learn, we continue to update our privacy protections.
On December 23, 2021, Human Rights Watch (HRW) reached out to MIND with questions about our education technology practices. We were quick to work with them and provide answers. As a research organization ourselves, we also asked HRW for additional information about their sampling strategy and analysis methodology for their research and whether their research had been solicited by any third party. Unfortunately, HRW did not reply to our answers or request for additional information.
Now, a new report from HRW emphasizes the necessity of protecting the privacy of student personal information. While the report’s topic is undoubtedly important, our research organization’s review of the findings reflect potentially meaningful flaws in HRW’s methodology. Specifically, HRW analyzed ST Math’s customer-facing website (stmath.com) designed for marketing purposes instead of the educational platform (play.stmath.com) used by students and educators. Our ST Math educational platform does not include the trackers and cookies outlined in the report, and we assuredly do not provide student data to any third parties.
The vast majority of student and educator access to the ST Math program is via single sign on (SSO) through Clever or Classlink. This represents approximately 84% of our users. These users are passed from their Clever or Classlink system directly to the program site at play.stmath.com–they do not need to interact at all with the public-facing site, stmath.com. The remaining 16% of our users access the program by logging in directly at play.stmath.com. When we set customers up at the beginning of the year, we encourage them to bookmark that address–play.stmath.com–and we further reinforce access through that point to families in the letters we send home.
MIND/ST Math does not utilize or share any personally identifiable information in student records for the purposes of targeted advertising or other commercial purposes. The organization is compliant with relevant federal and state legal requirements, including, as a non-limiting example, the federal Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g) (“FERPA”), the Children’s Online Privacy Protection Act (15 U.S.C. Secs. 6501 – 6506) (“COPPA”), and the Student Online Personal Protection Act (105 ILCS85) (“SOPPA”). We are also a signatory of the Student Privacy Pledge.
Who are the Users of the Sites? Certain of our Sites host our ST Math® instructional Software, which has been developed for use by students from pre-kindergarten through high school (“Student(s)”), for the improvement of math-related skills and achievement. Students are provided access to our Software and Sites through their schools and school districts (collectively, “Local Educational Agencies” or “LEAs”), who utilize these services to assess their Students’ progress and supplement their mathematics curriculum. Homeschooled Students may also access versions of our Software that are licensed by their parent or legal guardian for homeschool use, per the terms of our end user license agreement for such Software (“Homeschooling EULA”). “Users” of our Sites include these Students; authorized representatives of the LEAs, including the Students’ teachers (“LEA Representative(s)”); parents / legal guardians of the Students (“Parent(s)”); and other visitors to our websites and mobile applications (“Visitor(s)”).
What Student information does MIND Research Institute collect itself from the Sites and Software? We may collect or generate certain information automatically from the Student’s use of the Sites, including login and logout timestamps. We may also collect and generate additional information about students through their use of the Software (“Student Performance Data”), including measurements / assessments of Student’s progress against the ST Math® curriculum (for example, Learning Objectives encountered, passes, fails) as well as applicable educational standards; ST Math® quiz scores; and information derived and reports generated from the foregoing information and the Students’ use of the Software, for utilization by the Students, their parents / legal guardians, teachers, and the LEAs.
How does MIND Research Institute use Student Records? We may use Student Records for the following purposes:
We may also use aggregated or de-identified information about Students, from which we have removed personally identifying information, for educational research, analysis, and similar purposes.
For the avoidance of doubt, we will not utilize any personally identifiable information in Student Records for the purposes of targeted advertising.
What Other Personal Information does MIND Research Institute collect from its Users?Additional information gathered by MIND Research Institute via the Sites falls into the following categories: (1) information voluntarily supplied by Visitors through optional online forms completed by such Visitors of our Sites when requesting additional information about MIND Research Institute or its products or services, or through Communications (as defined below) with MIND Research Institute; (2) information automatically obtained from the use of User names and password to access the restricted portion(s) of the Sites (the "Restricted Pages") to do things such as view online demonstrations or presentations about the MIND Research Institute or its products or services, including, by way of example, pages visited and time stamps; and (3) tracking information gathered as Visitors navigate through our websites or mobile applications.
In visiting or using our Site and in transmitting Communications with us, we may request and collect the following types of personally identifiable information from Visitors including: legal name; business name (if applicable); e-mail address; or user name and password). MIND Research Institute may also ask for additional personal information from Visitors at various times such as when we run a promotion or contest or conduct a survey, as described in such promotion or contest or elsewhere on the Site. The personally identifying information we collect from Visitors helps us offer Visitors more personalized features, respond to Visitor requests, provide you with information that is of most interest to you, improve our products and services, and, to the extent that you consent to such communications, send you promotions and events offered by MIND Research Institute.
Does MIND Research Institute track my IP address? When you visit the Site, our servers automatically collect information about your Internet address (which is a number that lets computers attached to the Internet know where to send you data). Your Internet address does not identify you personally. We log your Internet address to deliver our web pages to you upon request, help diagnose problems with our servers, administer our Site in order to constantly improve its quality and the services we offer you, and identify and authenticate you and your licensed content and preferences as you navigate the Site. We may also use your Internet address to gather broad demographic information. We may also track and analyze non-identifying and aggregate usage and volume statistical information from our Visitors and other Users and provide such information to third parties.
How does MIND Research Institute use information collected from me? MIND Research Institute researches our customers' and Visitors' demographics based upon information provided by them or, their LEAs (if applicable), gathered from their Communications or password, or contained in our server log files or surveys. We do this to better understand and serve our customers and other Visitors. This research is compiled and analyzed on an aggregated basis.
How does MIND Research Institute share information? MIND Research Institute does not provide, sell, trade, or rent personally identifiable information. We may disclose or share personally identifying information as follows:
To our service providers.We may share personally identifying information collected through the Site or otherwise in our possession with companies and organizations that perform services on our behalf, for example, companies that provide data management or other support services to us (such as data storage and Web hosting services), subject to confidentiality and security obligations.
To parents / legal guardians. We may provide Student Records or Student Performance Data to the Students’ Parents / legal guardians.
To teachers / LEAs. We may provide Student Records and corresponding Student Performance Data to the teachers or other authorized LEA representatives for the applicable Students.
In a business transfer. We may transfer personal information and other data in our possession in connection with an acquisition by or merger with another company, if substantially all of our assets are transferred to another company, or as part of a bankruptcy proceeding.
How do I review, correct, update and / or remove my personal information or my child’s personal information?
Reviewing and updating Student Records. Parents, legal guardians, and Students aged 13 and above may review the personally identifying information contained in Student Records and may have us correct any erroneous Student Records. We will terminate use and storage of any personal information contained in Student Records received from the LEA following written notice of termination, unless we have received consent directly from such Student, if aged 13 or above, or the Student’s parent or legal guardian otherwise, to store such Student Records. We will terminate use and storage of any personal information contained in Student Records that we have collected for children under 13 following written request from their parent or legal guardian. To exercise these rights, you may contact us at email@example.com. To review Student Records for Students under the age of 13, you will be required to authenticate yourself as the Student's parent / legal guardian, teacher, or other authorized LEA representative to receive information about that Student. You agree and acknowledge that the Sites or Software, or features of the Sites or Software, may be inaccessible or inoperable upon removal of Student Records..
Review and updating other User information. Visitors may review, update and/or correct your contact or other personal information at any time by sending an e-mail to us at firstname.lastname@example.org and/or notifying MIND Research Institute of the changes, as applicable. If you have been prompted to provide information to register an account, you will be provided limited access to your account information to update and/or correct the personal information you have supplied.
How does MIND Research Institute protect personal information?Our Site has security measures in place to minimize the risk of loss, misuse, and alteration of the information under our control. Your access to the Restricted Pages or other accounts (if you have any) established through MIND Research Institute or the Site is password-protected so that only you have access to that personal information, so keep your password private and secure.
We provide and require training of all of our personnel involved in the handling, usage, or storage of Student Records or other personally identifying information, which training is renewed periodically. This training includes compliance with relevant federal and state legal requirements, including, as a non-limiting example, the federal Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g) (“FERPA”), the Children’s Online Privacy Protection Act (15 U.S.C. Secs. 6501 – 6506) (“COPPA”), and the Student Online Personal Protection Act (105 ILCS85) (“SOPPA”). To protect our information technology environment and the data that we store, we take commercially reasonable security measures, implemented with a multi-tier software architecture, that are consistent with standards generally recognized in the industry. Please be aware, however, that despite our efforts, no security measures are perfect or impenetrable. Due to the open nature of the Internet, we cannot guarantee that any of your information stored on our servers, or transmitted to or from a us or a user, will be 100% free from unauthorized access, and we disclaim any liability for any theft or loss of, unauthorized access or damage to, or interception of any data or communications. By using the Site, you acknowledge that you understand and agree to assume these risks.
Where does MIND Research Institute host its services? MIND Research Institute's infrastructure is hosted within the United States. We design and implement our systems to provide resiliency against server, segment, and geographic failure, through the implementation of a clustered redundant architecture that yields highly available service endpoints. which provide resiliency against server, segment, and geographic failure. We utilize service providers whose systems have been certified for compliance with security standards including ISO 27001. We cannot, however, guaranty that systems will never be subject to a security breach, or will be otherwise error-free. Additional information regarding our system availability and security practices is provided below, and for additional questions, please reach us at email@example.com.
How does MIND Research Institute protect data? Unauthorized access of User data is a real risk facing the users of today's electronic information services. MIND Research Institute strives to keep informed of these risks, and we work diligently to combat them. One method of protecting User data is to utilize cryptography to prevent data visibility in the event of its unauthorized access. MIND Research Institute leverages cryptography to protect user data in the following two ways:
Data in Transit. Our services support Transport Layer Security (“TLS”) to encrypt User communications (TLS 1.2 or greater and only the strongest ciphers). Data transferred between our Site and its end Users (including credential submission, data uploads, and data downloads) are sent over TLS connections, which protect such data using strong encryption, so that data in transit is kept in a private channel between the intended User and our systems.
Data at Rest. User data that contains personally identifying information, when “at-rest” (i.e., when in storage) is encrypted using industry standard AES-256. There are two types of "at rest" storage:
How does MIND Research Institute respond to breaches? If you correspond with us by e-mail, or using the “contact us” feature on the Site, you should be aware that your transmission might not be secure. We will have no liability for disclosure of your information due to errors or unauthorized acts of third parties during or after transmission. If we believe that the security of User information may have been compromised, we will comply with applicable laws and regulations regarding notice of such breaches. Without limiting the foregoing, we will notify any LEA whose data is affected by such a breach, and will provide any reasonable cooperation to the LEA to notify affected parents / legal guardians in the event of an unauthorized disclosure of student records. You consent to our use of your e-mail address as a means of such notification. Please notify us of any unauthorized use of your password or account or any other breach of security of which you are aware.
Will MIND Research Institute send me unsolicited communications? How do I opt-out? MIND Research Institute may use the information it collects to respond to requests for information, to notify you about functionality changes to the web site, or to provide industry and company updates. You may update or modify your information or change your privacy preferences (such as whether you wish to receive promotional offers) at any time by emailing us at firstname.lastname@example.org. If you wish to have your name removed from any of our mailing or subscription lists, please write to us at our above address or click the “remove subscription” link set forth in the relevant communication (typically provided at the end of such communication). In the event that you contact us with this request, all reasonable efforts will be taken to ensure that you will not receive any further communications from which you have opted-out in the future.
How does MIND Research Institute respond to Do-Not-Track signals? In some cases, third parties may be able to collect information about a user’s online activities over time and across different websites when he or she uses our Site or services. Some web browsers may transmit “do-not-track” signals to the websites with which the user communicates. Because of differences in how web browsers incorporate and activate this feature, it is not always clear whether users intend for these signals to be transmitted, or whether they even are aware of them. Because there currently is no industry standard concerning what, if anything, websites should do when they receive such signals, we currently do not take action in response to these signals.
For our international customers. Because MIND Research Institute is headquartered within the United States, any personally identifiable information (PII) shared with us by international customers for the purpose of creation and ongoing use of ST Math accounts shall be stored on our servers. Our secure servers, hosted by Amazon Web Services (AWS), are located within North America. By partnering with MIND Research Institute and using ST Math, you acknowledge and accept this nature of our business.
How do I contact MIND Research Institute? What are my information rights? If you have any questions about this privacy statement, the practices of this Site, your dealings with this Site, or any disclosure of personal information to third parties for direct marketing purposes, you can contact us in the following ways:
Mail: MIND Research Institute
5281 California Avenue, Suite 300
Irvine, CA 92617
Tel: 949-345-8700 or 888-751-5443 (Toll Free)