This translation is provided for convenience only. The US English version of this Privacy & Cookies Policy shall govern in the event of any dispute between or inconsistency with any other translation.
Effective Date: May 16, 2018
In the context of this Policy, VitalSource acts as a data controller for the information we process, with the exception of information processed solely pursuant at the instruction of your institution or another controller, in which case VitalSource acts as a data processor. If you are an institution with users under the age of 18 read about VitalSource’s commitment to the Privacy of Minors, including students, here.
- “Information” is Data that falls into three categories: data that you provide directly to us, data that we receive from third-parties, and data that we passively or automatically collect, such as from your browser or device.
- “Personal Data” is Information that can personally identify you, including but not limited to first name, last name, and contact information.
- “De-identified Data” is data that will have all information that is linked or linkable to you, including personal identifiers (such as name, student identification number, and contact information), irrevocably disassociated, in a manner that would prevent a reasonable person from identifying any party with reasonable certainty. VitalSource shall not attempt to re-identify data.
- “Content Owners” are licensors that have rights related to the content that you access.
- “Distributor” is the academic institution, employer, or other entity that directly licensed or provided you with access to Product(s).
2. Information We Collect About You
VitalSource collects information from you when you purchase, redeem, download, access or use any content or the Products; register a Product with VitalSource; create an account; take notes or participate in assessments in a Product; use collaboration features; submit requests; and access Products, including when you visit any of our websites; as described further below.
a. Information You Provide Directly to Us
The types of Information we collect include your name, address, email address, phone number, other contact information, academic institution, payment information collected and used by our third party payment processors such as credit or debit card numbers, information regarding your use of the Products, and user-generated content such as notes, highlights, and responses to assessments; and any other type of Information or Personal Data you submit to us at your discretion, such as by contacting us.
You can choose not to provide such Information, but, in general, most of the Information we request from you is required in order for us to provide the Products and the lack of such Information will prevent us from doing so. We will collect, use, transfer and disclose this Information as described in this Policy.
b. Information We Receive From Third-Parties
We receive Information from third parties, such as educational institutions, your business organization or representatives (if you are a corporate customer), third-party authentication services (if you interact with us through third-party sites or services) and the parties with whom we exchange Information as described here.
c. Information That Is Automatically Collected
VitalSource automatically collects certain Information as you use the Products, make Product purchases and interact with us. We and our service providers (which are third party companies that work on our behalf), may use a variety of technologies, including cookies and similar tools, to assist in collecting:
- technical data, such as your domain name, and what browser type and langauge, and operating system you are using, your Internet Protocol (IP) address, country, and city, your device types, mobile device identifier, the date and time of your request, if any, and the device you are using, referring and exit pages and URLs, platform type, landing pages, error logs, and other similar information; and
- usage data, such as the date and time of your requests, the number of clicks, information you download, how and which Products you use; pages viewed and the order of those pages, the amount of time spent on particular pages, the terms you use in searches on our sites; information from interactive Products, including scores from assessments, engagement during study sessions and overall performance, and records of any contact we have with you by telephone, email or online.
- We may use third-party web analytics services (such as those of Google Analytics, New Relic, and Hotjar) on our Services to collect and analyze usage information through cookies and similar tools; engage in auditing, research, or reporting; assist with fraud prevention; and provide certain features to you. To prevent Google Analytics from using your information for analytics, you may install the Google Analytics Opt-out Browser Add-on by clicking here.
- If you receive email from us, we may use certain analytics tools, such as clear GIFs to capture data such as when you open our message or click on any links or banners our email contains. This data allows us to gauge the effectiveness of our communications.
We keep your Personal Data for no longer than necessary for the purposes for which it is processed. The length of time for which we retain Personal Data depends on the purposes for which we collected and use it, the instructions of a controller when we act as a processor, and/or our requirements to comply with applicable laws.
3. Using your Information
We use your Information to:
- meet our contractual commitments to you,
- administer your account and respond to your requests,
- provide the Products you request,
- maintain and improve the Products and to develop new Products,
- provide you with information related to the Products, including changes to the Products, or other information we think you may find useful about our products and services or those of carefully selected third parties, provided you have indicated that you do not object to being contacted for these purposes,
- customize content supplied to you based on your use of the Products (e.g., study recommendations, supplemental content),
- to track, evaluate, and analyze individual and aggregate use of the Products and to share, publish, or otherwise publicize information, but not Personal Data, describing such use,
- provide recommendations or advertising for products and services that may be of interest to you,
- prevent, investigate and deal with fraud, violation of intellectual property rights and other laws and unauthorized use of Products or your account,
- as otherwise reasonable and appropriate to the legitimate business needs of VitalSource related to the Products, and
4. Sharing Your Information
If we share Information, including Personal Data, with third parties we require the recipient to maintain appropriate levels of confidentiality, integrity, availability and data protection for such Personal Data, and we will never sell Information to any third party. We share information as follows:
- With the Distributor, VitalSource shares information related to your use, results from your interaction with, results from assessments taken, and overall engagement with relevant Products, including interactive elements. Examples include:
- An academic institution, or their affiliated store, licensing our ecommerce platform to provide you access to Products
- An academic institution, or their affiliated store, licensing our Products to provide you access to content in your Learning Management System
- A company licensing our Product(s) to provide you access to a course or training materials on our Product(s), either through a code you are given, or a direct integration with our Product(s)
- With Content Owners in certain cases:
- For instructors that get desk copies, samples, or free access to Content Owner’s Products we share your name, activity, and institution, in addition to the contact information that you specifically provide for purposes of sharing with Content Owners.
- When we report sales to Content Owners, we include data identifying the instituion or school associated with such sales.
- When you ask us to convey to Content Owners course and enrollment metrics so that they can provide you with pricing or other special terms.
- For content identified as courseware, Content Owners, and not VitalSource, host the content that you are trying to access, we provide Content Owners the information required to provide you access to the Product(s) you have licensed, such as your name, email, and course id.
- We share De-Identified Data of usage associated with Content Owner’s content.
- With trusted third parties performing certain tasks on our behalf. For example, this includes but is not limited to service providers providing customer support, operation and administration of the Products, processing information that you provide to us, and other tasks related to the Products. We allow these third parties to access only the information needed to perform those services.
- With other visitors to the Product or users of the Product. To the extent that you submit content to publicly accessible portions of the Product, visitors and users may be able to view your content and Personal Data that identifies you as the author.
- As otherwise described to you at the point of collection, pursuant to your consent, or as otherwise permitted by law.
5. Your Rights and Choices
- Data Subject Rights: You have certain rights with respect to your Information as further described in this section. If you would like further information regarding your legal rights under applicable law or would like to exercise any of them, please contact us as described in the Contacting Us section of this Policy.
- You can tell us not to contact you with promotional information regarding our Products and services and those of third parties either at the point information is requested on our website (by checking or un-ticking (as directed) the relevant box) or, by following the unsubscribe instructions on promotional communications sent to you. You can also exercise the right at any time by contacting us using the Contacting Us details at the end of this Policy.
- You may request that we:
- provide access to and/or a copy of certain information we hold about you;
- prevent the processing of your information for direct-marketing purposes (including any direct marketing processing based on profiling);
- update information which is out of date or incorrect;
- restrict the way that we process and disclose certain of your information;
- transfer your information to a third party provider of services; and
- revoke your consent for the processing of your information.
- delete certain information which we are holding about you (request that you be forgotten).
Please note, however, that certain information may be exempt from such requests in some circumstances, which may include if we need to keep processing your information for our legitimate interests or to comply with a legal obligation. An exercise of the right to be forgotten will result in your inability to use the Product(s), and will break any linkage between your prior account and your historical engagement data.
Request Content & Responses:
- We may request you provide us with information necessary to confirm your identity before responding to your request. In the case of access and correction requests, please provide as much detail as you can about the particular personal data you seek, in order to help us locate it.
- We will consider all requests and provide our response within the time period stated by applicable law.
- Where we decide not to make a requested correction to your personal data and you disagree, you may ask us to make a note of your requested correction with the data.
- In situations in which we process your personal data only on behalf of a customer such as an educational institution, we may refer your request to the relevant party and cooperate with their handling of the request.
- California Online Privacy Protection Act Notice Concerning Do Not Track Signals. We do not recognize or respond to browser-initiated Do Not Track (“DNT”) DNT signals, as the Internet industry is currently still working toward defining exactly what DNT means, what it means to comply with DNT, and a common approach to responding to DNT. To learn more about Do Not Track, you can do so here.
- YOUR CALIFORNIA PRIVACY RIGHTS: California Law permits visitors who are California residents to request once per year certain information regarding our disclosure of personal information to third parties for such third parties’ direct marketing purposes. To make such a request, please send an email to firstname.lastname@example.org or write to us at VitalSource Technologies LLC, Attn: Privacy, 227 Fayetteville Street, Suite 400 Raleigh NC, 27601.
VitalSource takes information security seriously and has taken various measures to keep your Information secure from unauthorized access or disclosure, whether that Information is stored physically or electronically. VitalSource has established administrative, technical, physical, electronic and managerial procedures to help prevent unauthorized access, maintain data security and use the Information collected from you in accordance with this Policy. VitalSource has security measures in place to protect against loss, misuse, or alteration of your Information. Despite these efforts, VitalSource cannot guarantee that unauthorized access or disclosure of Information will never happen. If you have concerns, do not use the Products.
7. European Union Users
EU-US, Swiss-US Privacy Shield Framework
VitalSource Technologies LLC complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework (the "Privacy Shield"), as adopted and set forth by the U.S. Department of Commerce regarding the processing of “personal data” (as defined under the Privacy Shield), within the scope of this Policy, from applicable European countries. VitalSource Technologies LLC commits to adhere to and has certified to the Department of Commerce that it adheres to the Privacy Shield Principles of notice, choice, accountability for onward transfer, security, data integrity, access, and recourse, enforcement, and liability for such personal data. To learn more about the Privacy Shield, and to view VitalSource Technologies LLC’s certification, please visit https://www.privacyshield.gov and https://www.privacyshield.gov/list, respectively.
As required under the principles, when VitalSource receives Personal Data under the Privacy Shield and then transfers it to a third-party service provider acting as an agent on VitalSource’s behalf, we have certain liability under the Privacy Shield if both (i) the agent processes the information in a manner inconsistent with the Privacy Shield and (ii) VitalSource is responsible for the event giving rise to the damage.
VitalSource remains liable for the protection of Personal Data that we transfer to these third parties within the scope of our Privacy Shield certification, except to the extent that we are not responsible for the event giving rise to any unauthorized or improper processing.
Some users (including those whose information we collect under the Privacy Shield) have certain legal rights to access certain information we hold about them and to request its deletion:
For Personal Data about European residents, when the purposes of processing are satisfied and we are not required to retain Personal Data to comply with applicable law, we will delete or anonymize your Personal Data within a maximum of twelve months.
Given that the Internet is a global environment, using the Internet to collect and process Information necessarily involves the transmission of data on an international basis. Therefore, by using any of the Product(s), you acknowledge the transfer, storage or use of your Information outside your country of residence to any country (including the United States, Canada, the United Kingdom and Australia) where we have facilities or engage trusted third parties (such as payment processors, cloud service or other IT providers and other companies that provide services to us). You understand that the countries to which we may transfer Information may not have as comprehensive a level of data protection as in your country. In relation to Australia’s Privacy Act, you agree that in the case of a breach by the third party in relation to handling your personal data, we will not be accountable for the third party under the Privacy Act and you may not be able to seek redress under the Privacy Act.
Legal Basis for Use (e.g., processing) of Your Information:
- Where use of your Information is necessary to perform our obligations under a contract with you (for example, to comply with the terms of service of our Products which you accept by browsing the Products or registering; and/or our contract to provide our Products to you);
- Where use of your Information is necessary for our legitimate interests or the legitimate interests of others (for example, to provide security for our Products; operate our Products; make and receive payments; comply with legal requirements and defend our legal rights; prevent fraud); or
- With your consent; or
- Other grounds, as required or permitted by law in the specific respective context.
If you have any questions or complaints about VitalSource’s privacy practices, including questions related to the Privacy Shield, you may contact us at the email address or mailing address set forth under “Contact Us.” We will work with you to resolve your issue.
VeraSafe Privacy Program
VitalSource is a member of the VeraSafe Privacy Program, meaning that with respect to Personal Data processed within the scope of this Policy, VeraSafe has assessed VitalSource’s data governance and data security for compliance with the VeraSafe Privacy Program Certification Criteria. The certification criteria require that participants maintain a high standard for data privacy and implement specific best practices pertaining to notice, onward transfer, choice, access, data security, data quality, recourse, and enforcement.
If you are a resident of the European Union and your privacy complaint or dispute cannot be resolved through VitalSource’s internal processes, VitalSource has agreed to participate in the VeraSafe Privacy Shield Dispute Resolution Procedure. Subject to the terms of the VeraSafe Privacy Shield Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe and participate in the VeraSafe Privacy Shield Dispute Resolution Procedure, please submit the required information here: https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/
If, as a European Resident, your dispute or complaint can’t be resolved by VitalSource, nor through the dispute resolution program established by VeraSafe, you may have the right to require that VitalSource enter into binding arbitration with you pursuant to the Privacy Shield’s Recourse, Enforcement and Liability Principle and Annex I of the Privacy Shield. Prior to initiating such arbitration, you must: (1) contact us and afford us the opportunity to resolve the issue; (2) seek assistance from our designated independent recourse mechanism above; and (3) contact the U.S. Department of Commerce (either directly or through a European Data Protection Authority) and afford the Department of Commerce time to attempt to resolve the issue. Each party shall be responsible for its own attorney’s fees. Please be advised that, pursuant to the Privacy Shield, the arbitrator(s) may only impose individual-specific, non-monetary, equitable relief necessary to remedy any violation of the Privacy Shield Principles with respect to the individual.
VitalSource is subject to the investigatory and enforcement powers of the United States Federal Trade Commission.
8. Childrens' privacy
Generally, our Products are for users 13 years of age or older, and users must be 13 or older to create an account for a Product. For Products offered to K-12 schools, we either provide that Product without collecting, using, or disclosing “personal information” (as defined in the Children’s Online Privacy Act (“COPPA”), except as permitted by COPPA, or we obtain consent from the school or a parent or guardian. If we have reason to believe that any personal information has been submitted to us by a child under 13 in the United States or a child under 16 in the EU without legally-valid consent, we will take reasonable steps to delete that information as soon as possible. We also comply with other age restrictions and requirements in accordance with applicable local laws. Read more about VitalSource’s commitment to the Privacy of Minors, including students here.
9. Links to Other Websites
You may find links to third-party websites from any of the Products. These websites may have their own privacy, cookies and/or other policies, which you should check. We do not accept any responsibility or liability for their policies because we have no control over them.
10. Changes to this Policy
The information practices described in this Policy are current as of the effective date at the end of this document. VitalSource reserves the right to periodically update this Policy at its discretion. Notice of any revisions will be posted to this page and are effective once posted. If you are concerned about how your Information is used, bookmark this page and check back periodically.
11. Contacting us
If you have any questions, comments, or requests regarding this Policy, please contact us by post or email using the following contact information:
VitalSource Technologies LLC
ATTN: Info Data Sec and Privacy Officer
227 Fayetteville Street
Suite 400 Raleigh NC, 27601
Please allow up to 5 business days for us to reply.
Effective and last updated May 16, 2018.