Privacy Policy
This privacy policy for Lumio™ by SMART™ (“Privacy Policy”) forms part of the Terms agreed upon between you and SMART. This policy explains how SMART works with you to protect your information and privacy when using Lumio.
By using Lumio you are consenting to SMART's collection, retention, use, and disclosure of certain information as necessary to provide Lumio to you. If you do not agree, you must not use Lumio.
Automatic error reporting: If an SLS application encounters an issue, the application automatically sends the following anonymous information to SMART’s sub-processor Sentry.io (located in the United States):
- Lesson ID (no PII)
- User ID and session IDs (hashed and salted to maintain anonymity)
- Request header (application and version, platform, operating system, browser, language, date and time)
- Breadcrumbs (last pages visited and links clicked)
Optional user error reporting: After automatic error reporting is complete, users are given the option to provide their name, email address, and additional information about the error. Users are also asked if they wish SMART to follow up with them. This optional personal information is stored in Salesforce (located in the United States) and shared with our customer support team.
It is important to remember that customers and users are two distinct groups:
Typically, a customer is an organisation (e.g. local authority, school, company) and not a personally identifiable individual. The identifiable information we require is from the organisational purchaser for transactional purposes. The customer should not be providing SMART with personally identifiable information unless permissible by law and the customer’s policies.
Our users (e.g. teachers, students) are generally not the ones who purchased or set up the account (i.e. IT administrators) and users are only accessing Lumio because the customer’s administrator has granted them access. As such, SMART’s exposure to personally identifiable information only comes from how the customer operates when providing email addresses and names of users to SMART and from user-created Content. If you have a concern as a user about your PII, you must demand the customer provide only non-identifiable information to SMART and you as a user must only create Content with no PII in it.
Still concerned?
A student may join a live session as an anonymous guest with a self-chosen display name and in doing so is not required to share any personally identifiable information.
You own your data and SMART does not sell it or use it for advertisement purposes. We use your data to provide Lumio to you. Data portability and deletion is managed by the customer, who can request its deletion at any time.
Sign-in, and therefore account security, are handled by the world-class providers Google and Microsoft. Both providers support two-step (dual) authentication and enforce strong password creation. Both providers state that you can use their services in compliance with GDPR.
User data is encrypted at rest and in transit.
What about GDPR, CCPA, and FERPA?
User-created Content is not a student or educational record, transcript, marking record, health, or directory information. Lumio is not a learning management system (LMS).
SMART supports the European Union General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and numerous other laws including the Family Educational Rights and Privacy Act (FERPA). SMART is committed to helping our customers work under these and other stringent regulations and we continue to add in-region solutions. We currently offer American and European data storage for user-created Content and we are satisfied our out-of-region user data processors provide appropriate safeguards for the data they handle.
At this time, our e-commerce SLS store is only available for North American purchasers, but you can always make purchases from your regional SMART authorised reseller. For European customers, please note that Canada benefits from a European Commission adequacy decision, the effect of which is that data can flow from the EU (and Norway, Liechtenstein, and Iceland) to Canada without any further safeguards being necessary. In other words, transfers to Canada are treated as intra-EU transmissions of data.
Remember, SMART only receives information because you provide it; you are the data controller. In this way, customers and users are obligated to comply with their local laws and are responsible for any obligations they owe to their users with respect to their personally identifiable information.
PRODUCT USER DATA COLLECTED AND PROCESSED
This section outlines what data is collected, used, and disclosed from the three types of Lumio users:
- guest users
- student users (signed in)
- teacher users (signed in)
Deletion requests for users’ data are controlled by the customer. If you are accessing Lumio through your school, you should make your deletion request to them. If you are a minor, SMART reserves the right to provide access to your account to your parents, guardian, or other authorised adult (teacher, school administrator) if required by law.
GUESTS
Self-chosen display name for guests
Country where data is processed/stored | Sub-processor | Data & purpose | Data |
---|---|---|---|
USA Germany |
Amazon Web Services, Inc. | Required for storage. We offer both an American and European data storage option. | Anonymous |
USA Germany Belgium |
Firebase, Google LLC | Required for basic functionality (Firebase is a backend-as-a-service (BaaS) cloud computing solution we use for real-time (temporary) automated computer processing). | Anonymous |
Guest-created Content
Country where data is processed/stored | Sub-processor | Data & purpose | Data |
---|---|---|---|
USA Germany |
Amazon Web Services, Inc. | Required for storage. We offer both an American and European data storage option. | Anonymous |
USA Germany Belgium |
Firebase, Google LLC | Required for basic functionality (Firebase is a backend-as-a-service (BaaS) cloud computing solution we use for real-time (temporary) automated computer processing). | Anonymous |
Guest analytics
Country where data is processed/stored | Sub-processor | Data & purpose | Data |
---|---|---|---|
USA |
Mixpanel, Inc | Required for product improvement and service monitoring. Mixpanel allows us to analyse how our de-identified users interact with Lumio. It is designed to identify trends, understand common aggregated usage behaviour, and help us make better decisions on how to improve the usability and features of our product. This data is also used to track how long it takes our servers to complete actions like opening files, which helps us measure service health and up/downtime. | Anonymous |
Global | Third-party content providers | Optional content or activity a teacher may add to a lesson such as a YouTube video (uses YouTube API Services) or other embedded content a user voluntarily adds. We cannot control what data a third party directly collects when a teacher or student decides to include it in a lesson. For premium content that SMART provides, however, we only report anonymous usage to the third-party publisher.
|
Anonymous |
STUDENTS/MINORS, SIGNED IN
Student account
Country where data is processed/stored | Sub-processor | Data & purpose | Data |
---|---|---|---|
Global |
Microsoft, Inc. | Required if you use Microsoft as your single sign-on (SSO) provider to access Lumio. Microsoft provides SMART with required account details. | Identifiable |
Global | Google LLC | Required if you use Google as your single sign-on (SSO) provider to access Lumio. Google provides SMART with required account details. | Identifiable |
USA Germany |
Amazon Web Services, Inc. | Required for storage. We offer both an American and European data storage option. | Identifiable |
Using Lumio as a signed-in student (student-created Content)
Country where data is processed/stored | Sub-processor | Data & purpose | Data |
---|---|---|---|
USA Germany |
Amazon Web Services, Inc. | Required for storage. We offer both an American and European data storage option. | Pseudonymised |
USA Germany Belgium |
Firebase, Google LLC | Required for basic functionality (Firebase is a backend-as-a-service (BaaS) cloud computing solution we use for real-time (temporary) automated computer processing). | Pseudonymised |
Signed-in student analytics
Country where data is processed/stored | Sub-processor | Data & purpose | Data |
---|---|---|---|
USA |
Mixpanel, Inc. | Required for product improvement and service monitoring. Mixpanel allows us to analyse how our de-identified users interact with Lumio. It is designed to identify trends, understand common aggregated usage behaviour, and help us make better decisions on how to improve the usability and features of our product. This data is also used to track how long it takes our servers to complete actions like opening files, which helps us measure service health and up/downtime. | Pseudonymised |
Global | Third-party content providers | Optional content or activity a teacher may add to a lesson such as a YouTube video (uses YouTube API Services) or other embedded content a user voluntarily adds. We cannot control what data a third party directly collects via the content when a teacher or student decides to include it in a lesson. For premium content that SMART provides, however, we only report anonymous usage to the third-party publisher. | Pseudonymised |
TEACHERS/ADULTS, SIGNED IN
Teacher account
Country where data is processed/stored | Sub-processor | Data & purpose | Data |
---|---|---|---|
Global |
Microsoft, Inc. | Required if you use Microsoft as your single sign-on (SSO) provider to access Lumio. Microsoft provides SMART with required account details. | Identifiable |
Global | Google LLC | Required if you use Google as your single sign-on (SSO) provider to access Lumio. Microsoft provides SMART with required account details. | Identifiable |
USA Germany |
Amazon Web Services, Inc. |
Required for storage. We offer both an American and European data storage option. | Identifiable |
Using Lumio as a signed-in teacher (teacher-created content)
Country where data is processed/stored | Sub-processor | Data & purpose | Data |
---|---|---|---|
USA Germany |
Amazon Web Services, Inc. | Required for storage. We offer both an American and European data storage option. | Identifiable |
USA Germany Belgium |
Firebase, Google LLC | Required for basic functionality (Firebase is a backend-as-a-service (BaaS) cloud computing solution we use for real-time (temporary) automated computer processing). | Identifiable |
Signed-in teacher analytics
Country where data is processed/stored | Sub-processor | Data & purpose | Data |
---|---|---|---|
USA |
Mixpanel, Inc. | Required for product improvement and service monitoring. Mixpanel allows us to analyse how our de-identified users interact with Lumio. It is designed to identify trends, understand common aggregated usage behaviour, and help us make better decisions on how to improve the usability and features of our product. This data is also used to track how long it takes our servers to complete actions like opening files, which helps us measure service health and up/downtime. | Pseudonymised |
Global | Third-party content providers | Optional content or activity a teacher may add to a lesson such as a YouTube video (uses YouTube API Services) or other embedded content a user voluntarily adds. We cannot control what data a third party directly collects via the content when a teacher or student decides to include it in a lesson. For premium content that SMART provides, however, we only report anonymous usage to the third-party publisher. | Pseudonymised |
CUSTOMER DATA COLLECTED AND PROCESSED
This section outlines what data is collected, processed, and disclosed from customers (purchasers, prospects, and SMART’s authorised channel partners). You can request, through our Customer Support, data and account deletion at any time, but we must retain all data relevant to purchases and financial transactions until it is no longer required by applicable law. The term “identifiable” used in the below chart does not necessarily mean personally identifiable information.
Country where data is processed/stored | Sub-processor | Role | Data & purpose | Data |
---|---|---|---|---|
Global | Reseller & SMART’s regional office | Seller | Required contact information: organisation name, email, title, phone, address. Required order information: product, quantity, price and tax, delivery. Ask your local regional reseller about their privacy policies. | Identifiable |
Canada | Blue Ocean Contact Centers, Inc. | Support | Optional. Blue Ocean is a subcontractor providing live (telephone, email, and web) support. Information collected includes organisation name, caller name (can use company title only if preferred for GDPR reasons), email (can provide non-PII version to comply with GDPR), title, phone, address, a description of the issue, and any shared details to help solve the problem. Calls are recorded. | Identifiable |
Canada | Call Miner | Support |
Optional for telephone interactions (option to opt out of call recordings), required for email. Call Miner is a subprocessor providing omnichannel interaction analytics powered by AI and machine learning. Call Miner analyses customer support interactions, including recorded calls and emails, which are temporarily stored in CallMiner. The metadata is retained in CallMiner for analysis of the customer experience and trending information regarding the interactions between agent and customer. |
Identifiable |
USA | Amazon Web Services, Inc. | Processing, back office | Required for product infrastructure including the hosting of support call recordings. | Identifiable |
Global | Google, LLC. | Processing, back office. | Optional. Only used for processing support forms. Google Forms are used when a purchaser is engaged with our field services (i.e. on-site support). | Identifiable |
Global | Microsoft, Inc. | Processing, back office | Required for our enterprise resource planning (ERP) system, which is software to manage day-to-day business activities such as accounting, procurement, project management, and supply chain operations, our e-mail, PowerBI® (data visitation), and SharePoint® (document management), as well as all the other standard Microsoft Office software titles, like Word, Excel, etc. | Identifiable |
USA | BigCommerce, Inc. | Ordering | Optional. Only used when a customer makes a purchase through our e-commerce store: customer name, email, title, phone, address, product or service purchased, and whether payment has been received. | Identifiable |
USA Ireland |
Stripe, Inc. and Stripe Payments Europe, Ltd. | Ordering | Optional. Only used when a customer makes a purchase through our e-commerce store using a credit card: customer name, email, title, phone, address, product or service purchased, credit card details. Residents of the European Economic Area (EEA), the UK, and Switzerland. The entity responsible for the collection and processing of credit card personal data for residents of the EEA, the UK, and Switzerland is Stripe Payments Europe, Ltd., a company incorporated in Ireland and with offices at 1 Grand Canal Street Lower, Grand Canal Dock, Dublin. To exercise your rights, the Data Protection Officer may be contacted via dpo@stripe.com. | Identifiable |
USA | Salesforce.com, Inc | Ordering, marketing, channel support | Required order information (product, quantity, price and tax, delivery). Required for our customer relationship management (CRM). Required to allow our authorised distributors and resellers to work together with SMART. Basic customer and purchase information is shared between SMART and its authorised distributors and resellers. | Identifiable |
Germany | Hubspot, Inc. | Marketing/Customer communications | We use HubSpot, which is a customer relationship management (CRM) system, for certain communications, such as marketing, training, news, and offers from us. | Identifiable |
USA | Mixpanel, Inc. | Monitoring | Required for product improvement and service monitoring. Mixpanel allows us to analyse how our de-identified users interact with Notebook. It is designed to identify trends, understand common aggregated usage behaviour, and help us make better decisions on how to improve the usability and features of our product. This data is also used to track how long it takes our servers to complete actions like opening files, which helps us measure service health and up/downtime. | Pseudonymised |
USA | Gainsight, Inc. | Customer communications | Applicable only to North American Customers. We use Gainsight, which is a customer relationship management (CRM) tool, for email (name, email address, company information) marketing to individuals and organisations. | Identifiable |
THIRD PARTIES
To the extent functionality is not directly provided or managed by SMART, such as single sign-on (SSO) via Google and Microsoft, YouTube®, etc., you agree it is your responsibility to review and accept these third-party service providers’ terms and privacy policies. Links to their policies have been provided.
Portions of Lumio use third-party open-source code. To find out more about third-party code in Lumio and its licences, visit our Lumio third-party code attribution page.
COOKIES
SMART and some of its processors use cookies to provide Lumio to you. Cookies are small files that are placed on your computer or device. Most web browsers allow some control over cookies through the browser settings. Blocking all cookies will, however, have a negative impact upon the usability of Lumio. Thus, you may prefer to accept cookies and then delete them later or upon exiting your session.
Who | Cookie | Purpose |
---|---|---|
SMART |
id.smarttech-prod.com
_ga
_gid _ids _ids_legacy _ssos _ssos_legacy |
Required for providing navigation, login status, and user identification for the purpose of providing Lumio to the user, including the proper linking of user-created Content. |
Microsoft |
login.microsoftonline.com
AADSSO
login.live.com
CCState ESTSAUTH ESTSAUTHLIGHT ESTSAUTHPERSISTENT ESTSSC SignInStateCookie brcap buid ch clrc esctx fpc stsservicecookie x-ms-gateway-slice MSPRequ
uaid |
Required for providing single sign-on functionality and identification of the user for the purpose of providing Lumio to the user. These cookies are installed by Microsoft and SMART has no control over what Microsoft does with the information. Click here for additional information on Microsoft’s cookies. |
Google LLC |
accounts.google.com
ACCOUNT_CHOOSER
google.ca
LSID __Host-3PLSID __Host-GAPS user_id APISID
google.com
HSID NID SAPISID SID SSID __Secure-3PAPISID __Secure-3PSID APISID
youtube.com
HSID NID SAPISID SID SIDCC SSID __Secure-3PAPISID __Secure-3PSID __Secure-3PSIDCC APISID
HSID SAPISID SID SSID __Secure-3PAPISID __Secure-3PSID |
Required for providing single sign-on functionality and identification of the user for the purpose of providing Lumio to the user. YouTube cookies are installed during sign-on and support additional functionality (adding videos) within Lumio. These cookies are installed by Google and SMART has no control over what Google does with the information. Click here for additional information on Google’s cookies. |
Google LLC | _utma | This cookie is typically written to your browser upon the first visit to www.smarttech.com and our admin portal site. If the cookie has been deleted by the browser operator, and the browser subsequently visits our site, a new __utma cookie is written with a different unique ID. This cookie is used to determine unique visitors to our site and it is updated with each page view. Additionally, this cookie is provided with a unique ID that Google Analytics uses to ensure both the validity and accessibility of the cookie as an extra security measure. This cookie is a persistent cookie with a lifespan of 2 years from set/update. |
Google LLC | _utmb | This cookie is used to establish and continue a visitor session with our admin portal site. When a visitor views a page on our site, the Google Analytics code attempts to update this cookie. If it does not find the cookie, a new one is written and a new session is established. Each time a visitor visits a different page on our site this cookie is updated and will expire in 30 minutes, thus, continuing a single session for as long as visitor activity continues within 30-minute intervals. This cookie is a session cookie with a lifespan of 30 minutes from set/update. |
Google LLC | _utmc | Historically, this cookie operated in conjunction with the __utmb cookie to determine whether to establish a new session for the visitor. For backwards compatibility purposes with sites still using the urchin.js tracking code, this cookie will continue to be written and will expire when the user exits the browser. This cookie may or may not be set and is a session cookie with a lifespan of the browser session. |
Google LLC | _utmz | This cookie stores the type of referral used by the visitor to reach our site, whether via a direct method, a referring link, a website search, or a campaign such as an ad or an email link. It is used to calculate search engine traffic, ad campaigns, and page navigation within our site. The cookie is updated with each page view to our site. This cookie is a persistent cookie with a lifespan of 6 months from set/update. |
Identity Client library | software_portal | When an administrator signs in from SMART’s admin portal, this cookie is set to remember the authorisation information for the current signed-in session. The cookie will be refreshed automatically to keep the session alive. This cookie is set by SMART and is a persistent cookie with a lifespan of 365 days. The content of the cookie is the encrypted id access token and id refresh token |
Language cookie | website#lang, support#lang, training#lang | This cookie saves your language selection for our website. |
Sitecore | SC_ANALYTICS_GLOBAL_COOKIE | This cookie is associated with our Sitecore content management system and is used for web analytics to identify repeat visits by unique users. |
SMART ID | SMARTId, SMARTIdState, SMARTIdReturnUrl | These cookies are written to your browser when you sign in to SMART ID. Signing out of your SMART ID deletes this cookie. These cookies store encrypted authentication information that only our servers can decrypt. This cookie is persistent and lasts for several hours. |
HAVE A QUESTION FOR US? We would love to hear from you:
SMART Technologies ULC
Attention: Legal Department
Suite 600, 214-11 Ave SW
Calgary, AB T2R 0K1
CANADA
+1.403.245.0333
SMART’s Privacy Office
privacy@smarttech.com
Last updated: 23 October 2023