Effective Date and Last Updated: June 8, 2020
In the context of this Policy, VitalSource acts as a data controller for the information we process, with the exception of information processed solely pursuant at the instruction of your institution, business organization, or another controller, in which case VitalSource acts as a data processor.
- “Information” is data that falls into three categories: data that users provide directly to us, data that we receive from third-parties, and data that we passively or automatically collect, such as from your browser or device.
- “Personal Data” is Information that can personally identify an individual, including but not limited to first name, last name, and contact information.
- “De-identified Data” is data that will has Information that is linked or linkable to an identifiable individual, including personal identifiers (such as name, student identification number, and contact information), disassociated, such that it cannot reasonably be used to identify any party with reasonable certainty. VitalSource shall not attempt to re-identify Deidentified Data.
- “Content Owners” are licensors that have rights related to the content that you access.
- “Distributor” is the academic institution, K-12 school or school district (“K-12 School”), employer, business organization, training firm, or other entity that directly licenses or provides users with access to Product(s).
2. Information We Collect
The Information that we collect depends on the Products and features within those Products that a user of the Product or Distributor uses. We collect Information from website visitors, potential customers, Product users, Distributors, K-12 School personnel (collectively, “Users”) and from K-12 students (“Students”)
VitalSource collects information from Users and Students when they purchase, redeem, download, access or use any content or the Products; register a Product with VitalSource; create an account; take notes or participate in assessments in a Product; use collaboration features; submit requests; and access Products, including when they visit any of our websites; as described further below.
Information Provided Directly to Us
Depending on the Products, the types of Information we collect include name, address, email address, phone number, other contact information, academic institution, payment information collected and used by our third party payment processors such as credit or debit card numbers, information regarding Product use, and user-generated content such as notes, highlights, and responses to assessments; and any other type of Information or Personal Data submitted to us.
Users can choose not to provide such Information, but, in general, most of the Information we request is required for us to provide the Products and the lack of such Information will prevent us from doing so. We will collect, use, transfer and disclose this Information as described in this Policy.
We collect Information from and about Students in order to provide the Products to Students as directed by K-12 Schools.
K-12 Schools’ that create Student accounts with VitalSource Products authorize us to collect the following Personal Data from and about Students to enable Students to use our Products: name, email address, login credentials, K-12 School name, Information regarding Students’ use of the Products, and user-generated content such as the Student’s notes, highlights, and responses to assessments; and any other type of Information or Personal Data the Student submits through the Products.
VitalSource also offers K-12 Schools the ability utilize certain Products without enabling VitalSource to collect or use Students’ Personal Data, such as name or login credentials. Specifically, VitalSource, through its integration partners, utilizes reference accounts in order to create and manage content through Bookshelf accounts. In such instances, VitalSource only uses and stores the reference account number for the Student account, along with the content made available to the Student and the Student’s notes and highlights, in managing these accounts.
Information We Receive From Third-Parties
We receive Information from third parties, such as Distributors, K-12 Schools, other educational institutions, business organizations or representatives (for corporate customers), third-party authentication services (for Users who interact with us through third-party sites or services) and the parties with whom we exchange Information as described here.
Information That Is Automatically Collected
VitalSource automatically collects certain Information as Users or Students use the Products, make Product purchases or interact with us. We and our service providers (which are third-party companies that work on our behalf), may use a variety of technologies, including cookies and similar tools, to assist in collecting:
- technical data, such as domain name, browser type and language, operating system, Internet Protocol (IP) address, country, and city, device types, mobile device identifier, the date and time of requests, if any, referring and exit pages and URLs, platform type, landing pages, error logs, and other similar information; and
- usage data, such as the date and time of requests, the number of clicks, information downloaded, how and which Products are used; pages viewed and the order of those pages, the amount of time spent on particular pages, the terms used in searches on our sites; information from interactive Products, including scores from assessments, engagement during study sessions and overall performance, and records of any contact we have with you by telephone, email or online.
- We may use third-party web analytics services (such as those of Google Analytics, New Relic, and Hotjar) on our Services to collect and analyze usage information through cookies and similar tools; engage in auditing, research, or reporting; assist with fraud prevention, and provide certain features to you. To prevent Google Analytics from using your information for analytics, you may install the Google Analytics Opt-out Browser Add-on.
- If Users receive an email from us, we may use certain analytics tools, such as clear GIFs to capture data such as when you open our message or click on any links or banners our email contains. This data allows us to gauge the effectiveness of our communications.
We keep Personal Data for no longer than necessary for the purposes for which it is processed. The length of time for which we retain Personal Data depends on the purposes for which we collected and use it, the instructions of a controller when we act as a processor, the instructions of K-12 Schools for Student Personal Data, and/or our requirements to comply with applicable laws.
3. Using Information
Depending on the Product used, we use Information to:
- meet our contractual commitments to Users,
- administer accounts and respond to requests,
- provide the Products requested to Users or requested by K-12 Schools to Students,
- maintain and improve the Products and to develop new Products,
- provide information related to the Products, including changes to the Products,
- provide information we think Users may find useful about our products and services or those of carefully selected third parties, provided you have indicated that you do not object to being contacted for these purposes,
- customize content supplied based on use of the Products (e.g., study recommendations, supplemental content),
- track, evaluate, and analyze individual and aggregate use of the Products and to share, publish, or otherwise publicize information, but not Personal Data, describing such use,
- provide recommendations or advertising for products and services that may be of interest to Users,
- prevent, investigate and deal with fraud, violation of intellectual property rights and other laws and unauthorized use of Products or accounts,
- as otherwise reasonable and appropriate to the legitimate business needs of VitalSource related to the Products,
We will not use Student Personal Data for any purposes other than K-12 Schools’ educational purposes unless we the Data is De-identified Data. We will not use Student Personal Data for behaviorally-targeted advertising purposes, and we do not sell or rent such Student Personal Data to any third party for any purpose.
4. Sharing Your Information
If we share Information, including Personal Data, with third parties, we require the recipient to maintain appropriate levels of confidentiality, integrity, availability and data protection for such Personal Data, and we will never sell Information to any third party. We share information as follows:
- With the Distributor, VitalSource shares User information related to use results from Users’ interaction with, results from assessments taken, user-generated content, and overall engagement with relevant Products, including interactive elements. Examples include:
- An academic institution, or their affiliated store, licensing our e-commerce platform to provide you access to Products
- An academic institution, or their affiliated store, licensing our Products to provide you access to content in your Learning Management System
- A company licensing our Product(s) to provide you access to a course or training materials on our Product(s), either through a code you are given, or a direct integration with our Product(s)
VitalSource does not share Students Personal Data with publishers or Distributors, other than the Student’s own K-12 School.
- With Content Owners in certain cases:
- For instructors that get desk copies, samples, or free access to Content Owner’s Products we share your name, activity, and institution, in addition to the contact information that you specifically provide for purposes of sharing with Content Owners.
- When we report sales to Content Owners, we include data identifying the institution or school associated with such sales.
- When Users ask us to convey to Content Owners course and enrollment metrics so that they can provide you with pricing or other special terms.
- For content identified as courseware, Content Owners, and not VitalSource, host the content that you are trying to access, we provide Content Owners the information required to provide you access to the Product(s) you have licensed, such as your name, email, and course id.
- We share De-Identified Data of usage and user-generated data associated with Content Owner’s content.
- With trusted third parties performing certain tasks on our behalf. For example, this may include but is not limited to service providers providing customer support, operation and administration of the Products, processing information that you provide to us, and other tasks related to the Products. We allow these third parties to access only the information needed to perform those services.
- With other visitors to the Product or users of the Product, to the extent that Users submit content to publicly accessible portions of the Product, visitors and users may be able to view your content and Personal Data that identifies you as the author.
- As otherwise described to Users at the point of collection, pursuant to User consent, or as otherwise permitted by law.
5. Rights and Choices
- K-12 Schools can review and delete Student Personal Data through the Products. K-12 Schools may also request the review or deletion of such information by contacting us. We will also assist the K-12 School in facilitating requests from Students or parents upon K-12 School request.
- Parents and Students may make a request for access, review, correction or deletion of Personal Data in the Products by contacting the appropriate official at the student’s K-12 School. If the K-12 School determines that the request should be implemented, the School may either make the change themselves or submit the request to us.
- Users can tell us not to contact them with promotional information regarding our Products and services and those of third parties either at the point information is requested on our website (by checking or un-ticking (as directed) the relevant box) or, by following the unsubscribe instructions on promotional communications sent to you. Users can also exercise the right at any time by contacting us using the Contacting Us details at the end of this Policy.
Rights for Residents of Certain Jurisdictions
- Depending on the User’s jurisdiction, certain rights with respect to Information may be available as further described in the section applicable to the place of residency. See below for additional information. Further information regarding legal rights under applicable law are available by contacting us as described below or in the Contacting Us section of this Policy.
Request Content & Responses:
Please note, upon receipt of a User request:
- We may request Users to provide us with information necessary to confirm identity before responding. In the case of access and correction requests, Users should provide as much detail as possible about the particular personal data sought, in order to help us locate it.
- We will consider all requests and provide our response within the time period stated by applicable law.
- Where we decide not to make a requested correction to personal data, and the decision is disputed, the User may ask us to make a note of the requested correction with the data.
- In situations in which we process personal data only on behalf of a customer such as an educational institution, we may refer such request to the relevant party and cooperate with their handling of the request.
6. California Residents
California law requires us to provide additional information to California residents regarding how we collect, use, and share “personal information” (as defined in the California Consumer Privacy Act (“CCPA”)).
Categories of personal information we collect, use and disclose.
Throughout this Policy, we discuss in detail the types of Information we collect from and about Users and discuss how we use and share such Information. See “Information We Collect” for more details. The following are the “categories” of personal information under the CCPA that we collect and that we may, as discussed throughout this Policy, use and disclose for our business purposes:
- Identifiers (such as name, address, email address); commercial information (such as transaction data); financial data (such as credit card information); device identifiers (such as IP address and unique device identifiers); internet or other network or device activity (such as browsing history or app usage (such as your notes and highlights in the Services)); general and precise geolocation data; any user-generated content or feedback provided by Users; audio or visual information; physical characteristics or description (e.g., if you voluntarily submit a photo); professional or employment related data; educational data; and other information that identifies or can be reasonably associated with a User.
How we use these categories of personal information.
We use the categories of personal information we collect from and about Users consistent with the various business purposes we discuss throughout this Policy. See “Using Information” for more details
The CCPA sets forth certain obligations for businesses that “sell” personal information. We do not sell personal information based on our understanding of the definition of sale under applicable law. Please note, we do share certain personal information with our service providers and certain other entities as set forth in “Sharing Your Information.”
California Privacy Rights
California residents can make certain requests about their personal information under the CCPA. Specifically, California residents may request that we:
- provide information about: the categories of personal information we collect, disclose or sell; the categories of sources of such information; the business or commercial purpose for collecting or selling personal information; and the categories of third parties with whom we share personal information. Such information is also set forth in this Policy.
- provide access to and/or a copy of certain information we hold about you;
- delete certain information we have about you; and/or
- provide you with information about the financial incentives that we offer to you, if any.
California residents can also designate an authorized agent to make such requests on their behalf. We will take reasonable steps to verify your identity before responding to a request.
The CCPA further provides you with the right to not be discriminated against (as provided for in applicable law) for exercising your rights.
Please note that certain information may be exempt from such requests under California law. For example, we need certain information in order to provide the Products to you.
If you would like further information regarding your legal rights under California law or would like to exercise any of them, please contact us at firstname.lastname@example.org or by visiting https://support.vitalsource.com/hc/en-us/requests/new?ticket_form_id=102087
Shine the Light: We do not share personal information to third parties for direct marketing purposes.
California Online Privacy Protection Act Notice Concerning Do Not Track Signals. We do not recognize or respond to browser-initiated Do Not Track (“DNT”) DNT signals, as the Internet industry is currently still working toward defining exactly what DNT means, what it means to comply with DNT and a common approach to responding to DNT. Visit All about DNT to learn more about Do Not Track.
7. Nevada Residents
We do not sell your covered information, as defined by Section 1.6 of Chapter 603A of the Nevada Revised Statutes. If you reside in Nevada, you have the right to submit a request regarding the sale of covered information to our designated address: Privacy, 227 Fayetteville Street, Suite 400 Raleigh NC, 27601.
8. European Union Users
- Residents of the European Union may request that we:
- provide access to and/or a copy of certain information we collect;
- prevent the processing of information for direct-marketing purposes (including any direct marketing processing based on profiling);
- update information which is out of date or incorrect;
- restrict the way that we process and disclose certain information;
- transfer information to a third party provider of services; and
- revoke previously provided consent for the processing of information.
- delete certain information which we are holding (request that you be forgotten).
Please note, however, that certain information may be exempt from such requests in some circumstances, which may include if we need to keep processing your information for our legitimate interests or to comply with a legal obligation. An exercise of the right to be forgotten will result in your inability to use the Product(s), and will break any linkage between your prior account and your historical engagement data.
Legal Basis for Use (e.g., processing) of Information:
- Where use of Information is necessary to perform our obligations under a contract (for example, to comply with the terms of service of our Products which you accept by browsing the Products or registering; and/or our contract to provide our Products to you);
- Where use of Information is necessary for our legitimate interests or the legitimate interests of others (for example, to provide security for our Products; operate our Products; make and receive payments; comply with legal requirements and defend our legal rights; prevent fraud); or
- With User consent; or
- Other grounds, as required or permitted by law in the specific respective context.
EU-US, Swiss-US Privacy Shield Framework
As required under the principles, when VitalSource receives Personal Data under the Privacy Shield and then transfers it to a third-party service provider acting as an agent on VitalSource’s behalf, we have certain liability under the Privacy Shield if both (i) the agent processes the information in a manner inconsistent with the Privacy Shield and (ii) VitalSource is responsible for the event giving rise to the damage.
VitalSource remains liable for the protection of Personal Data that we transfer to these third parties within the scope of our Privacy Shield certification, except to the extent that we are not responsible for the event giving rise to any unauthorized or improper processing.
Some users (including those whose information we collect under the Privacy Shield) have certain legal rights to access certain information we hold about them and to request its deletion:
For Personal Data about European residents, when the purposes of processing are satisfied, and we are not required to retain Personal Data to comply with applicable law, we will delete or anonymize your Personal Data within a maximum of twelve months.
Given that the Internet is a global environment, using the Internet to collect and process Information necessarily involves the transmission of data on an international basis. Therefore, by using any of the Product(s), you acknowledge the transfer, storage or use of your Information outside your country of residence to any country (including the United States, Canada, the United Kingdom and Australia) where we have facilities or engage trusted third parties (such as payment processors, cloud service or other IT providers and other companies that provide services to us). You understand that the countries to which we may transfer Information may not have as comprehensive a level of data protection as in your country. In relation to Australia’s Privacy Act, you agree that in the case of a breach by the third party in relation to handling your personal data, we will not be accountable for the third party under the Privacy Act and you may not be able to seek redress under the Privacy Act.
If you have any questions or complaints about VitalSource’s privacy practices, including questions related to the Privacy Shield, you may contact us at the email address or mailing address set forth under “Contact Us.” We will work with you to resolve your issue.
Complaints and Dispute Resolution
In compliance with the Privacy Shield Principles, VitalSource commits to resolve complaints about our collection or use of your Personal Data. European and Swiss residents with inquiries or complaints regarding our Privacy Shield policy should first contact VitalSource at:
VitalSource Technologies LLC
ATTN: Info Data Sec and Privacy Officer
227 Fayetteville Street
Suite 400 Raleigh NC, 27601
If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit https://www.jamsadr.com/eu-us-privacy-shield for more information or to file a complaint. The services of JAMS are provided at no cost to you.
VitalSource has further committed to refer unresolved Privacy Shield complaints to JAMS, an alternative dispute resolution provider located in the United States.If you are a resident of the European Union or Switzerland and do not receive timely acknowledgment of your complaint from us, or if we have not addressed your privacy complaint to your satisfaction, please visit https://www.jamsadr.com/eu-us-privacy-shield for more information or to file a complaint. The services of JAMS are provided at no cost to you.
European Residents may elect to arbitrate unresolved complaints pursuant to the Privacy Shield’s Recourse, Enforcement and Liability Principle and Annex I of the Privacy Shield, but prior to initiating such arbitration, you must: (1) contact us and afford us the opportunity to resolve the issue; (2) seek assistance from our designated independent recourse mechanism above; and (3) contact the U.S. Department of Commerce (either directly or through a European Data Protection Authority) and afford the Department of Commerce time to attempt to resolve the issue. Each party shall be responsible for its own attorney’s fees. Please be advised that, pursuant to the Privacy Shield, the arbitrator(s) may only impose individual-specific, non-monetary, equitable relief necessary to remedy any violation of the Privacy Shield Principles with respect to the individual.
VitalSource is subject to the investigatory and enforcement powers of the United States Federal Trade Commission.
VitalSource takes information security seriously and has taken various measures to keep your Information secure from unauthorized access or disclosure, whether that Information is stored physically or electronically. VitalSource has established administrative, technical, physical, electronic and managerial procedures to help prevent unauthorized access, maintain data security and use the Information collected from you in accordance with this Policy. VitalSource has security measures in place to protect against loss, misuse, or alteration of your Information. Despite these efforts, VitalSource cannot guarantee that unauthorized access or disclosure of Information will never happen. If you have concerns, do not use the Products.
10. Children’s Privacy
Generally, our Products are for users 13 years of age or older, and users must be 13 or older to create an account for a Product. For Products offered to K-12 Schools, we either provide that Product without collecting, using, or disclosing “personal information” (as defined in the Children’s Online Privacy Act (“COPPA”), except as permitted by COPPA, or we obtain consent from the school or a parent or guardian. If we have reason to believe that any such personal information has been submitted to us by a child under 13 in the United States or a child under 16 in the EU without legally-valid consent, we will take reasonable steps to delete that information as soon as possible. We also comply with other age restrictions and requirements in accordance with applicable local laws.
Prior to a Student accessing the Product, the School must facilitate the Student’s access to Products.
The Products limit access to each Student’s account and the content thereon to the Student, the Student’s parents, and K-12 School personnel (depending on the choices and authorization made by the K-12 School’s administrator). The Products do not permit any Student’s account or the content and grades thereon to be viewed or accessed by the general public.
We keep Student Personal Data for no longer than necessary for the purposes for which it is processed. The length of time for which we retain Student Personal Data depends on the purposes for which we collected and use it, as authorized by the K-12 School.
Please see “Rights and Choices” for parental choices.
11. Links to Other Websites
The Products may contain links or enable Users to link to third-party websites. These websites may have their own privacy, cookies and/or other policies, which you should check. We do not accept any responsibility or liability for their policies because we have no control over them.
12. Changes to this Policy
The information practices described in this Policy are current as of the effective date at the end of this document. VitalSource reserves the right to periodically update this Policy at its discretion. Notice of any revisions will be posted to this page and are effective once posted. If you are concerned about how your Information is used, bookmark this page and check back periodically.
13. Contacting Us
If you have any questions, comments, or requests regarding this Policy, please contact us by post or email using the following contact information:
VitalSource Technologies LLC
ATTN: Info Data Sec and Privacy Officer
227 Fayetteville Street
Suite 400 Raleigh NC, 27601
Please allow up to 5 business days for us to reply.