Privacy Policy
PRIVACY POLICY EFFECTIVE DATE: June 15, 2024
1. INTRODUCTION. 30 Day Lessons Inc. (“us,” “we,” or “Company”) is committed to respecting the privacy rights of its customers, visitors, and other users of the Company Website (“the Site”) and Mobile Applications (“the Apps”), together referred to herein as “Services.” We created this Privacy Policy (“Privacy Policy”) to give you confidence as you visit and use our Services and to demonstrate our commitment to fair information practices. and to the protection of privacy. This Privacy Policy is only applicable to the Services, and not to any other websites that you may be able to access from the Services, each of which may have data collection, storage, and use practices and policies that differ materially from this Privacy Policy.
2. DEFINITIONS
a. “Personal Data” and “Personal Identifiable Information” are data about an identified or identifiable individual. Personal Data may include your name, address, telephone number, credit card information, and any other information that is connected with you and may identify you personally.
b. “Processing” of Personal Data means any operation or set of operations which is performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.
c. “Controller” means a person or organization which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
d. “Agent” or “Processor” means any person or organization that processes Personal Data on Controller’s behalf.
e. “Customer” means the subscriber of or visitor to the Company’s Site or Apps, or otherwise accesses the Company’s Services.
3. COMPANY’S LAWFUL BASIS FOR PROCESSING YOUR PERSONAL DATA. Any use of your Personal Data must be for a lawful purpose. In Company’s case, the Personal Data requested from you (e.g., your name, address, email, billing information, etc.) is necessary for the entering into and the performance of the lawful contract between Company and you, under which terms, you may use and enjoy the Company’s Services. Company shall also use the information to promote its services within its subscription base and, with your permission, may share it with third party or affiliate companies interested in marketing similar products to you.
4. COMPLIANCE WITH THE EUROPEAN UNION’S GENERAL DATA PROTECTION
REGULATION (GDPR). In keeping with Company’s commitment to comply with the various rules and regulations relating to safeguarding and protecting Personal Data it receives from its customers in the United States, in the European Union, and elsewhere, Company has chosen to undertake a good faith effort to comply the European Union’s GDPR and the obligations it imposes on controllers and processors of EU Personal Data, and to incorporate the privacy terms required for GDPR compliance herein.
5. COMPLIANCE WITH DATA PRIVACY FRAMEWORK. 30 Day Lessons Inc. complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. 30 Day Lessons Inc. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. 30 Day Lessons Inc. has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
6. PRIVACY PRINCIPLES ADHERED TO BY COMPANY PERSONNEL. Company will ensure that its personnel engaged in the processing of Customer Data and Personal Data (i) will process such data only on instructions from Customer, and (ii) will be obligated to maintain the confidentiality and security of such data even after their engagement ends. Furthermore, Company hereby complies with with EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) Data Privacy's Notice Principle which requires Company to inform all participants of the Services about:
a. Its participation in the Data Privacy (see Paragraph 5 above)
b. The types of personal data collected and the entities or subsidiaries of the organization also adhering to the Principles (see Paragraph 7(a) below)
c. Its commitment to subject to the Principles all personal data received from the EU, UK, and/or Switzerland in reliance on the Data Privacy (see Paragraph 5 above)
d. The purposes for which it collects and uses personal information about them (see Paragraphs 3 and 7(b) below)
e. How to contact the Company with any inquiries or complaints (see Paragraph 17 below)
f. The type or identity of third parties to which it discloses personal information, and the purposes for which it does so (see Paragraph 7(d) below)
g. The right of individuals to access their personal data (see Paragraph 12 below)
h. The choices and means Company offers individuals for limiting the use and disclosure of their personal data (see Paragraph 9 below)
i. The independent dispute resolution body designated to address complaints and provide recourse free of charge to the individual, which in this case is an alternative dispute resolution provider based in the U.S. (see Paragraph 17(a) below)
j. The Federal Trade Commission has jurisdiction over 30 Day Lessons’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) (see Paragraph 5 above).
k. The possibility, under certain conditions, for the individual to invoke binding arbitration (see Paragraph 17(b) below)
l. The requirement to disclose personal information in response to lawful requests by public authorities (see Paragraph 7(b) below)
m. Company's liability in cases of onward transfers to third parties (see Paragraph 7(b)(ii) below)
7. TYPES AND USES OF INFORMATION COLLECTED
a. Types.
i. TRAFFIC DATA COLLECTED (NON-PERSONAL IDENTIFIABLE INFORMATION). We automatically track and collect the following categories of information when you visit our Services: (1) IP addresses; (2) domain servers; (3) types of computers accessing the Services; and (4) types of web browsers used to access the Services (collectively “Traffic Data”). Traffic Data is anonymous information that does not personally identify you but is helpful for marketing purposes or for improving your experience on the Services. We also use “cookies” to customize content specific to your interests, to ensure that you do not see the same advertisement repeatedly, and to store your password so you do not have to re-enter it each time you visit the Services.
ii. PERSONAL IDENTIFIABLE INFORMATION COLLECTED. In order for you to access certain premium, services and to purchase products that we offer via our Services, we require you to provide us with certain information that personally identifies you. Personal Identifiable Information includes the following categories of information: (1) Contact Data (such as your name, mailing address, e-mail address, and, if you call our phone support service, your phone number); (2) Geographical Information (such as time zones, locales) (3) Financial Data (such as your account or credit card number, your Paypal email address, or your billing address); (4) Demographic Data (such as your zip code, age, and income); (5) Facebook Profile and ID (we access the first and last names and email address from customer’s public profile information); and Google Account Information (we access the first and last names and email address from customer’s public profile information) . If you communicate with us by e-mail, post messages to any of our chat groups, bulletin boards, or forums, or otherwise complete online forms, surveys, or contest entries, any information provided in such communication may be collected as Personal Information. If you choose to participate in one of our optional marketing research surveys, contests, or other promotional and marketing events at the site, the demographic information asked for (e.g., name, age, gender, and income level) will be collected and retained by us for marketing purposes as described below.
b. Uses.
i. COMPANY USE OF INFORMATION. We act as a “Controller” of information we receive from you in that we use your Contact Data to send you information about our company or our products or services, or to provide you with promotional material from some of our partners, or to contact you when necessary. We use your Financial Data to verify your qualifications for certain products or services and to bill you for products and services. We use your Demographic Data to customize and tailor your experience on the Services, such as displaying content that we think you might be interested in according to demographic data and your expressed preferences.
ii. SHARING OF PERSONAL INFORMATION. We share certain categories of information we collect from you to the following parties for the following purposes:
• We share Demographic Data with advertisers and other third parties only on an aggregate (i.e., non-personally-identifiable) basis.
• We share Contact Data with other companies who may want to send you information about their products or services, unless you have specifically requested that we not share Contact Data with such companies.
• We also share Contact Data and Financial Data with our business processing partners who assist us by performing core services (such as hosting, billing,
fulfillment, or data storage and security) related to our operation of the Services. Company may hire such third parties to provide certain limited or ancillary
services on its behalf. Customer consents to the engagement of these third parties as Sub-processors.
• Contractual obligation of all entities with whom we share Personal Data to adhere to Privacy Principles. By express written agreement with Company, those entities who act as Controllers with whom we share Personal Data shall warrant and represent that they likewise comply with the same Privacy Principles as those required by GDPR and EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), and shall take reasonable and appropriate measures to protect any shared data from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the Personal Data.
• Obligations of our business processing partners only. Our agreement with our business processing partners, or agents, provide that such
Personal Data shared may only be processed for limited and specific purposes consistent with the consent provided by the customer, that they shall comply with the
same level of privacy protection as provided by the Company, and that they will otherwise notify Company if the processor can no longer meet this obligation.
In such an event, the agreement will stipulate that the processing partner will immediately cease the processing and shall take other reasonable and that
Company shall take appropriate steps to remediate. The agreement shall further provide that, should an unauthorized breach occur involving their data security
systems, our processing partners shall immediately inform Company.
c. Location and Retention of Customer Data. Unless otherwise expressed herein, the Personal Data collected by Company shall be kept in its central server and shall remain only as long as necessary to fulfill the requirements of the service agreement between Company and customer, or, with customer’s approval, in perpetuity, until customer requests its removal.
d. Summary of Data Recipients, Users, Purposes, and Retention Periods.
Recipient of Data |
Data Solicited/Shared |
Purpose |
Retention Period |
30 Day Lessons Inc. (Originating Controller) |
Data Solicited: Personal Information (name; phone number; email; address); Computer information (IP; Browser type); Demographic Information (zip code, age, income); Financial Information (credit card number, PayPal address, billing address); Geographical information (Locale, Time Zone); Facebook Profile; Google Profile |
Information is necessary to effectuate the service agreement between Company and customer, for customer support, and to allow Company to promote and market the service within its customer base. Facebook and Google public profile information are accessed by Company only to record the “name” and “email” of customer, again for effectuating the agreement and for internal marketing.
|
Information shall be retained and used in its central server only as long as necessary to fulfill the requirements of the service agreement between Company and customer, or, with customer’s approval, in perpetuity, until customer requests its removal. |
Mobile Advertising, Marketing, and Attribution Networks |
Data shared: Personal Information (email); Device information (IP; Device type, in-app events, advertising IDs); Geographical information (Locale, Time Zone); |
Information is necessary to effectuate the service agreement between Company and customer, for customer support, and to allow Company to promote and market the service within its customer base.
|
Information shall be retained and used in its central server only as long as necessary to fulfill the requirements of the service agreement between Company and customer, or, with customer’s approval, in perpetuity, until customer requests its removal. Customer may also limit the sharing of this data.
|
8. DATA BREACH NOTIFICATION. If Company becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data or Personal Data while processed by Company (each a “Security Incident”), Company will promptly and without undue delay (1) notify Customer of the Security Incident; (2) investigate the Security Incident and provide Customer with detailed information about the Security Incident; (3) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident. With respect to breach of Personal Data of citizens of the EU, Company shall comply with GDPR requirements and take immediate steps to notify the supervisory authority “without undue delay” and within 72 hours of discovering the breach, where feasible. Company’s obligation to report or respond to a Security Incident under this section is not an acknowledgement by Company of any fault or liability with respect to the Security Incident.
9. CUSTOMER’S CHOICES REGARDING USE OF INFORMATION; CUSTOMER’S RIGHT TO OPT-OUT. You may choose not to provide us with any Personal Information. In such an event, you may still access and use much of the Services, however, you will not be able to access and use those portions of the Services that require your Personal Information. If you do not want us to share your Contact Data with any third parties, please email us at [email protected], or select the “opt out” box on our online forms. In addition, we maintain a procedure for you to review and request changes to your Personal Information; this procedure is described in Section 11 below.
a. Assignment of Personal Information in the Event of Sale or Change in Business Status. In the event of a sale of the business, or company bankruptcy, we may be required to sell portions of our company or its assets, including the information collected through the Services. If Company or substantially all of its assets are acquired by a third party, customer information may be one of the assets transferred to the acquirer. It shall be a necessary condition of any transfer that these privacy policy principles expressed herein shall continue to remain in force.
10. CONFIDENTIALITY AND SECURITY OF PERSONAL INFORMATION. Customer’s personal payment information (e.g., credit card information) is currently stored with a third-party payment processing company, Stripe or PayPal. We do not store credit card information on our own service, only on the third-party server “vault.” Except as otherwise provided in this Privacy Policy, we will keep your other personal information private on secure servers and will not share it with third parties, unless such disclosure is necessary to: (a) comply with a court order or other legal process; (b) protect our rights or property; or (c) enforce our Terms of Service. We provide you with the capability to transmit your Personal Data Information via secured and encrypted channels if you use a similarly equipped web browser.
11. DATA PROTECTION OFFICER. Company has designated a Data Protection Officer (DPO) to regularly monitor and maintain the systems and processes relating to Company’s proper handling of Personal Data Information, and to make sure that appropriate safeguards be in place to ensure that any processing and retention of Personal Data complies with the GDPR. Moreover, the Company shall be responsible for onward transfer and the record-keeping relating to all processing activities, for the purposes of demonstrating compliance with GDPR, should a compliance audit be requested.
12. PROCESS TO ACCESS, UPDATE, CORRECT, OR ERASE PERSONAL INFORMATION. We maintain a procedure in order to help you confirm that your Personal Information remains correct and up-to-date. At any time, you may visit your personal profile at https://www.30daysinger.com/account. Through your personal profile you may: (a) review and update your Personal Information that we have already collected; (b) choose whether or not you wish us to send you information about our company, or promotional material from some of our partners; and/or (c) choose whether or not you wish for us to share your Personal Information with third parties.
13. DATA PORTABILITY. Upon your request, Company shall provide your Personal Data in a machine-readable format, or electronically transmit your Personal Data, directly to another Controller.
14. NOTICE CONCERNING CHILDREN. Our Services are intended for a general audience, and we do not direct any of our content specifically at children under 13 years of age. We understand and are committed to respecting the sensitive nature of children’s privacy online. If we learn or have reason to suspect that a user of our Services is under age 13, we will promptly delete any personal information in that user’s account. Special notice regarding Citizens and residents of the European Union: Citizens of the EU who are younger than 16-years-old may provide personal information provided consent is actually given or authorized by the holder of parental responsibility over the child.
15. LOST OR STOLEN INFORMATION. You must promptly notify us if your credit card, user name, or password is lost, stolen, or used without permission. In such an event, we will remove that credit card number, user name, or password from your account and update our records accordingly.
16. PUBLICLY-RELEASED INFORMATION. The Services contain links to other third-party websites. We are not responsible for the privacy practices or the content of such websites. We also make chat rooms, forums, message boards, and news groups available to you. Please understand that any information you voluntarily disclose in these areas becomes public information and is not our responsibility. Thereafter, you should exercise caution when deciding to disclose your Personal Information in such venues.
17. DISPUTES REGARDING PERSONAL DATA COMPLAINTS
a. Complaint Process. Any individual may bring complaints relating to Company’s use of Personal Data, or any other matter arising under this Privacy Policy, directly to the company by sending notice of the complaint to the Company’s Consumer Relations Officer at [email protected]. Company shall respond in a reasonable time not to extend beyond 45 days. Within the scope of this privacy notice, if a privacy complaint cannot be resolved through 30 Day Lesson Inc.’s internal processes. 30 Day Lessons Inc. has agreed to participate in the VeraSafe Data Privacy Dispute Resolution Procedure. Subject to the terms of the VeraSafe Data Privacy Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe
under the Data Privacy Dispute Resolution Procedure, please submit the required information to VeraSafe here: https://verasafe.com/privacy-solutions/data-privacy-framework-dispute-resolution-program/
b. Good Faith Negotiation; Arbitration. Should the dispute not be resolved satisfactorily in good faith negotiations between you and the Company, Company shall act in good faith to provide, free of charge, accessible and independent dispute resolution though an independent dispute resolution service provider located in San Francisco, California. Should that not be successful, either party may then elect to resolve any remaining dispute through a neutral, binding, non-appearance-based arbitration under the Commercial Rules of Arbitration of the American Arbitration Association conducted in San Francisco, California. The Arbitrator and the parties must comply with the following rules: (a) the arbitration will be conducted, at the option of the party seeking relief, by telephone, online or based solely on written submissions; (b) the arbitration will not involve any personal appearance by the parties or witnesses unless otherwise mutually agreed by the parties; and (c) any judgment on the award rendered by the arbitrator may be entered in any court of competent jurisdiction.
THE PARTIES ACKNOWLEDGE AND AGREE THAT THE FOREGOING DISPUTE RESOLUTION AGREEMENTS RESULT IN EACH PARTY GIVING UP HIS, HER OR ITS RIGHT TO A JURY TRIAL OF ALL ISSUES. EACH PARTY HEREBY EXPRESSLY WAIVES HIS, HER, OR ITS RIGHT TO A JURY TRIAL WITH RESPECT TO ANY AND ALL DISPUTED ISSUES IN ANY MANNER RELATING TO OR ARISING OUT OF THE TERMS AND CONDITIONS OR PERFORMANCE OR NON PERFORMANCE OF TERMS AND CONDITIONS OF THIS AGREEMENT.
c. No Class Actions. You and Company agree that you may bring claims against the other only in your individual capacity and not as a plaintiff or class member in any purported class or representative proceeding. Further, you agree that the arbitrator may not consolidate proceedings of more than one person’s claims and may not otherwise preside over any form of a representative or class proceeding.
d. Cause of Action. You agree that regardless of any statute or law to the contrary, any claim or cause of action arising out of or related to use of this Agreement must be filed within one (1) year after such claim or cause of action arose or be forever barred.
18. UPDATES AND CHANGES TO PRIVACY POLICY. We reserve the right, at any time and without notice, to add to, change, update, or modify this Privacy Policy, simply by posting such change, update, or modification on the Services and without any other notice to you. Any such change, update, or modification will be effective immediately upon posting on the Services.