1. Introduction

Welcome to ABCmouse.com® Early Learning Academy (ABCmouse), which is owned and operated by Age of Learning, Inc. We are committed to providing children with a learning environment where every activity is just as fun as it is educational and where you can feel confident that your children’s privacy is protected.

This Privacy Policy describes the ways in which Age of Learning, Inc., and its subsidiaries (collectively, we, our, us, or the Company) collect, process, and disclose information about our Users (as defined below) within the European Union and the United Kingdom and the children who use the accounts of our European Users through ABCmouse, and any other websites, applications, and online services (Apps) that link to this Privacy Policy (collectively, the Services). Our Services are directed toward nursery school through second-grade aged children.

This Privacy Policy applies across multiple jurisdictions, such as the European Union where the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Directive on Privacy and Electronic Communications (Directive 2002/58/EC) (ePrivacy Directive) apply and the United Kingdom where the United Kingdom General Data Protection Regulation (UK GDPR) and the UK Data Protection Act 2018 (DPA) apply (collectively the Privacy Acts). References to articles of the GDPR also refer to the corresponding articles of the UK GDPR. References to articles of the ePrivacy Directive include references to the national implementation laws of the individual EU Member States.

For more information about how to contact ABCmouse, please see Section 15.

2. Personal Data

For the purposes of this Privacy Policy, the term “Personal Data” has the meaning as set out in the GDPR.

Personal Data under the GDPR

The term Personal Data is defined in the GDPR as “any information relating to an identified or identifiable natural person (Data Subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.”

Please read this Privacy Policy carefully to understand our views and practices regarding your Personal Data and how we will treat it.  We may provide additional privacy notices to individuals at the time we collect their Personal Data. This type of an “in-time” notice will govern how we may process the Personal Data you provide at that time, for which purposes and on which legal basis. If you do not agree to our use of your Personal Data in line with this Privacy Policy, please do not use the Services.

3. Types of Accounts, Services, and Users

How we collect, process, and disclose Personal Data depends on the type of account held and the type of User (as defined below). We currently offer consumers Family Accounts, which are detailed in our Terms & Conditions.

Users of the Services include Child Users (any child under 16 who uses the learning portion of the Services) and Adult Users (including parents, legal guardians and anyone with parental responsibility for Child Users), purchasers of an Account as a gift (Gift Account), whom are collectively referred to as Users.

4. Personal Data We Collect and How We Collect it

a. Personal Data Users Provide

As more fully set forth below, we collect Personal Data directly from Users that such Users provide when using the Services, including when Adult Users create an Account, sign up for Services, or contact us with a question, comment, request, or complaint. However, we will only use or disclose this information in accordance with this Privacy Policy and applicable data protection and privacy law. Please see Section 7 (When We Disclose Information to Third Parties) for more information and how we limit disclosure of Child User information.

If you created a profile/registered with us, you will have been asked to provide this information to access our Services, purchase our products, and/or view our content.

i.Adult Users

Adult Users are asked to provide certain Personal Data about themselves when registering for any Account, including:

1. first name; 2. last name; 3. email address; and 4. telephone number (optional).

Any other information provided at registration depends on the type of Account or Adult User. For example:

Payment information is collected from Adult Users who purchase a Family Account, including those who purchase a Gift Account for others. For your security, we do not store your complete credit card number in our databases but retain only the first six digits and last four digits so that we can identify your Account and respond to your requests, questions, or complaints.

The email address of a parent, legal guardian, or person with parental responsibility is collected when the Adult User purchasing a Family Account states that he or she is not the legal guardian.

In addition, Adult Users can provide us with information through separate password-protected sections (i.e., the Parent section) of the Services. These sections, accessible via the Menu or Settings link on the Services, allow Adult Users to administer their accounts, including when they add Child Users, provide testimonials, seek customer support, or submit comments or questions.

We do not ask for certain sensitive Personal Data such as information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or information concerning genetic, biometric, or health data or data concerning a natural person’s sex life or sexual orientation. However, as mentioned above, paying subscribers are asked for payment information when they subscribe. Please see Section 12 (Security) for more information about how we safeguard payment information.

ii. Child Users

Adult Users who register for a Family Account are asked to provide certain Personal Data about the relevant Child Users of such Accounts during ABCmouse® registration, including:

1. the first name (or nickname); 2. birth month and year; and 3. gender of Child Users who will be accessing the Services through their Accounts.

When an Adult User submits any Personal Data relating to a Child User in connection with the Services, the Adult User represents that they have the authority to do so and agree to us using the Personal Data in accordance with this Privacy Policy. To the extent legally required, we request Adult Users to consent to the processing of the Personal Data of their Child User. We may also ask Adult Users submitting Personal Data relating to a Child User that they have the capacity and authorization to do so (i.e., holder of the parental responsibility over the child).

Children can create free-form artwork. We encourage you to use the Services with your Child Users and to view and monitor any content created or uploaded (if applicable) by them. If you would like to review all content saved by your Child Users, you can access this content by clicking on the My Files menu item in each Child User’s About Me section of the Services.

Other than in the places and for the purposes explicitly disclosed in this Privacy Policy, we do not knowingly collect any Personal Data directly from Child Users under the age of 16.

b. Personal Data Automatically Collected from Users

Because the security of your Personal Data is important to us, we only ask for Personal Data where it is reasonably necessary to provide the Services, and we only process your Personal Data in accordance with this Privacy Policy and applicable data protection and privacy laws (in particular with the Privacy Acts).

We automatically collect some Personal Data directly from users of the Services in the form of the actions they take and activities they complete when using the Services. For example, from Adult Users, we may collect information about patterns of usage and order history; from Child Users, we may collect information about patterns of usage, which activities a child commences and completes, when a child starts and stops an activity, which areas of the Services the child frequents, the number of questions answered correctly or incorrectly, how many Tickets the child earns, what virtual items the child selects to exchange for Tickets, and the child’s choice of Avatar and customisation.

We also use a variety of technologies, such as pixel tags and cookies (small text files that the Services save on your computer or mobile device), to automatically collect certain technical information from your computer or mobile device—see Section 13 (Cookie Policy) for further details about how we use pixel tags and cookies.

c. App Store Data

When you download our app from your App Store (e.g. Google Play or Apple App Store), certain required information is transmitted to the App Store you have selected. This information includes in particular your user name, your email address and your customer number of the App Store user account, the time of the download of our app, provided that the app requires payment, your payment information (e.g. credit card data) as well as the individual device identification number (Device ID) of the device on which you download and install our app. We have no influence on these data processing operations. It is conducted exclusively by the respective provider of the App Store and we are not responsible for this processing in the meaning of the data protection laws.

d. Automated Decision Making and Profiling:

We do not use your Personal Data for the purposes of automated decision-making. However, we may do so in order to fulfil obligations imposed by law, in which case we will inform you of any such processing and provide you with an opportunity to object.

e. Requirement to Provide Personal Data

The provision of Personal Data is not a statutory or contractual requirement, but a prerequisite to enter into a contract with us. You are not obliged to provide us with your Personal Data, but without the provision of Personal Data as stated in this Section 4, we are not able to provide you with our Services.

5. Advertising and Marketing

a. Advertising

We use third parties such as network advertisers and others to assist us in advertising, including displaying our advertisements on other websites and through social media platforms; we also may use third parties that display advertisements based on your visits to our Services, as well as other websites, and other third parties to assist us in identifying relevant advertising on our Services. These third parties may collect and use click stream information, browser type, time and date, and subject of advertisements clicked or scrolled over during your visits to the Services and other websites in order to provide advertisements about goods and services likely to be of interest to you. Third-party ad network providers, advertisers, sponsors, and/or traffic measurement services may use cookies, JavaScript, web beacons (including clear GIFs), Flash LSOs, and other technologies to measure the effectiveness of their ads and to personalise advertising content to you.  These third-party cookies and other technologies are governed by each third party’s specific privacy policy, not this one. We may provide these third-party advertisers with Personal Data about your usage of our Services, as well as anonymous data about visitors to and users of our Services.

Advertising to you is based on your visits to the non-child-directed portions of the Services (such as www.abcmouse.com) when you visit third-party websites and applications. We will never use information collected in the child-directed portions of the Services for targeted advertising purposes.

We use the following third-party service providers for advertising purposes:

(1) Google Analytics:

(a) Scope of the processing of Personal Data

We use Google Analytics, a web analytics service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The controller for users in the European Union/European Economic Area and Switzerland is Google Ireland Ltd, Gordon House, 4 Barrow Street, D04 E5W5, Dublin, Ireland (hereinafter Google). Google examines, among other things, the origin of visitors, their length of stay on individual websites, the use of our websites as well as the use of search engines and thus allows a better control of the success of advertising campaigns. Google stores cookies on your terminal device. This allows personal data to be stored and analyzed, in particular the user’s activity (especially which websites have been visited, which elements have been clicked on, your click paths, clicks on external links and interactions with videos), device and browser information (especially operating system as well as screen resolution and language settings), data about the advertisements displayed (especially which advertisements were displayed and whether the user clicked on them) and also data from advertising partners (especially pseudonymized user IDs). With the help of the user ID, we can assign a unique, permanent identification number to one or more sessions as well as to the activities and interactions with our website that took place during a session and analyze your user behavior across devices. In addition, your approximate location (region), date and time of the website visit, your Internet service provider and the referrer URL, i.e. the website or advertising medium through which you arrived at our website, are recorded. The information collected by the cookies about your use of this online presence is usually transferred to a Google server in the USA and stored there. IP addresses are not stored on the servers of Google for analytics purposes. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. According to Google’s own statement, the IP addresses transmitted in the context of the use of Google Analytics are not merged with other Google data. Please note that there may not be an adequate level of data protection outside the European Union and the European Economic Area. If the data is transferred to the USA, there is a risk that your data may be processed by US authorities for control and monitoring purposes.

You may refuse the use of cookies by selecting the appropriate settings on your browser, however, please note that if you do so, you may not be able to use the full functionality of our Services. You can also prevent the collection of data generated by the cookie and related to your use of our Services (including your IP address) to Google and the processing of this data by Google by

1. not giving your consent to the setting of the cookie or
2. downloading and installing the browser add-on to disable Google Analytics HERE.

For more information on the terms of use of Google Analytics, please visit https://www.google.com/analytics/terms/. For more information on the collection and storage of data by Google, please click here: https://policies.google.com/privacy?gl=DE&hl=en.

(b).       Purpose of data processing

The purpose of processing personal data is to specifically address a target group that has already expressed an initial interest by visiting our website and using our Services. On our behalf, Google will use the information mentioned above under lit. (a) to evaluate your use of our website and Services, to compile reports on the activities of the online presence and to provide further services related to the use of the online presence and internet usage to the operator of the online presence. Furthermore, the reports provided by Google Analytics are used to analyze the performance of our website and our Services and to measure the success of our advertising campaigns.

(c).       Legal basis for the processing of personal data

The legal basis for the processing is Art.6 (1) lit. a) GDPR or Art. 5 (3) ePrivacy Directive for the storage and access to information in your terminal device.

This service may transfer the collected data to another country. Please note that this service may transfer data outside the European Union and the European Economic Area and to a country that does not provide an adequate level of data protection. If the data is transferred to the US, there is a risk that your data may be processed by US authorities for control and monitoring purposes. Google relies for the lawfulness of the transfer of your personal data to third countries on relevant adequacy decisions of the European Commission pursuant to Art. 45 GDPR, by which the European Commission has decided and determined that the third country in question has an adequate level of protection with regard to the processing of your personal data. These are the adequacy decisions, which can be found on the following website of the European Commission:

https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.

In particular, for the transfer of your personal data to the United States, Google relies on its certification under the EU-US Data Privacy Framework, available at https://commission.europa.eu/system/files/2023-07/Adequacy%20decision%20EU-US%20Data%20Privacy%20Framework_en.pdf. Google states in its privacy policy that, through the certification, it has declared that it complies with the principles of the EU-US Data Privacy Framework and is subject to the investigative and enforcement powers of the US Federal Trade Commission.

The certification specifically applies to Google LLC and its wholly-owned subsidiaries in the U.S. (unless specifically excluded) and can be viewed at the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active0000001L5AAI&status=Active&hl=de.

To the extent that the recipient state to which your personal data is transferred is not subject to an adequacy decision by the European Commission, Google bases the lawfulness of the transfer to companies located in such a state on the standard contractual clauses approved by the European Commission and agreed with the receiving companies, which can be viewed here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?hl=de.

If neither an adequacy decision of the European Commission nor other appropriate safeguards for the transfer exist for the transfer and processing of your personal data in states outside the European Economic Area, your explicit prior consent pursuant to Article 49 (1) lit. a GDPR constitutes the legal basis for our processing in this regard.

Please note that in cases of data transfer to countries outside the European Union and the European Economic Area for which no adequacy decision exists, there may not be a level of data protection comparable to the GDPR, you may not be entitled to the same rights and remedies, and despite careful selection and commitment of the partners, the high level of data protection in the European Union cannot necessarily be guaranteed.

(d).       Duration of storage

Your Personal Data and corresponding data linked to the cookies will be automatically deleted after 12 months. The maximum lifetime of Google Analytics cookies is 2 years. The deletion of data whose retention period has been reached occurs automatically once a month.

(e).       Possibility of objection and removal

You can prevent the collection as well as the processing of your personal data by Google by preventing the storage of third-party cookies on your computer. For more information on objection and removal options vis-à-vis Google, please visit: https://policies.google.com/privacy?gl=DE&hl=de.

(2) Facebook Pixel

(a) Scope of the processing of Personal Data

We use the Facebook pixel of Meta Platforms Ireland Limited (formerly Facebook Ireland Ltd.), 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (hereinafter Facebook). With its help, we can track the actions of users after they have seen or clicked on a Facebook ad. This allows Personal Data to be stored and evaluated, in particular the user’s activity (in particular which websites have been visited and which elements have been clicked on), device and browser information (in particular the IP address and operating system), data about the advertisements displayed (in particular which advertisements have been displayed and whether the user has clicked on them), and also data from advertising partners (in particular pseudonymized user IDs). This allows us to record the effectiveness of Facebook ads for statistical and market research purposes. The data collected in this way is anonymous to us, i.e. we do not see the Personal Data of individual users. However, this data is stored and processed by Facebook. Facebook can link this data to your Facebook user account and also use it for its own advertising purposes in accordance with Facebook’s Privacy Policy. Further information on the collection and storage of data by Facebook can be found here: https://www.facebook.com/privacy/policy/?entry_point=facebook_page_footer

(b) Purpose of the data processing

The Facebook pixel is used to analyze and optimize advertising measures.

(c) Legal basis for the processing of personal data

The legal basis for the processing is Art. 6 (1) lit. a) GDPR or Art. 5 (3) ePrivacy Directive for the storage and access to information in your terminal device.

This service may transfer the collected data to another country. Please note that this service may transfer Personal Data outside the European Union and the European Economic Area and to a country that does not offer an adequate level of data protection. If the Personal Data is transferred to the USA, there is a risk that your Personal Data may be processed by US authorities for monitoring and surveillance purposes. For the lawfulness of the transfer of your personal data to third countries, Facebook relies on corresponding adequacy decisions of the European Commission pursuant to Art. 45 GDPR, with which the European Commission has decided and determined that the third country in question has an adequate level of protection with regard to the processing of your Personal Data. The adequacy decisions can be found on the following website of the European Commission:

https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.

In particular, the EU-US Data Privacy Framework (available at https://commission.europa.eu/system/files/2023-07/Adequacy%20decision%20EU-US%20Data%20Privacy%20Framework_en.pdf) applies to the transfer of your Personal Data to the USA. Meta Platforms, Inc, located at 1 Meta Way, Menlo Park, California 94025-1453, is certified under the EU-US Data Privacy Framework as the parent company of Facebook. The certification can be viewed at the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000GnywAAC&status=Active.

If there is no adequacy decision by the European Commission for the recipient country to which your Personal Data is transferred, Facebook bases the lawfulness of the transfer to companies based in such a country on the standard contractual clauses approved by the European Commission and agreed with the receiving companies, which can be viewed here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?hl=de.

If there is neither an adequacy decision by the European Commission nor other suitable guarantees for the transfer and processing of your Personal Data in countries outside the European Economic Area, your express prior consent pursuant to Art. 49 (1) lit. a GDPR constitutes the legal basis for the processing in this regard.

Further information on the security measures taken by Facebook to protect your personal data in the context of third country transfers can be found on the following Facebook information page: https://about.fb.com/news/2021/03/steps-we-take-to-transfer-data-securely/.

d. Duration of storage

Your Personal Data will be stored for as long as necessary to fulfill the purposes described in this Privacy Policy or as required by law.

e. Possibility of objection and removal

You can prevent the collection and processing of your Personal Data by Facebook by preventing the storage of third-party cookies on your computer. You can find further information on objection and removal options in relation to Facebook at: https://www.facebook.com/privacy/policy/?entry_point=facebook_page_footer

(3) ironSource

(a) Scope of the processing of Personal Data

We use the online marketing tools of the Israeli company ironSource Mobile Ltd., 121 Menachem Begin Rd., Tel Aviv, Israel (“ironSource”) for our Services. ironSource has appointed Prighter as their privacy representatives in the EU. In case of any questions regarding the processing of Personal Data by ironSource, residents in the EU may contact ironSource’s representative at: Prighter GDPR-Rep by Maetzler Rechtsanwalts GmbH & Co KG, c/o ironSource Ltd., 9 Clare Street, Dublin 2 D02 HH30, Ireland (https://prighter.com/q/13822340265).

ironSource is an Israeli company specializing in the development of technologies for mobile app monetization and distribution. ironSource offers software developers and publishers various services to serve advertisements in their mobile apps, to manage their business relationships with advertisement providers, and to monitor and analyze their mobile apps and the advertisements served therein, including the success of advertising campaigns. If consumers download and use a mobile application that uses the services and tools provided by ironSource or otherwise interacts with the advertisements served by ironSource in a mobile application. ironSource collects data in two ways: either directly through a software development kit, a software component integrated by the developer of a mobile application that enables ironSource to serve advertisements in a mobile application and collect information directly from such mobile applications, or indirectly through other third parties with whom ironSource partners to serve advertisements in mobile applications or by receiving information from its advertisers or affiliates. Among other things, ironSource may collect the following data which may include Personal Data: advertising ID, IP-address, a self-created ID unique to a specific app, IDs unique only to apps of the same developer, device’s time zone, free memory on the device, name and version of the mobile app to which the advertisement is served, battery status, operating system and version, language preferences, name of the mobile carrier, internet connection type, indication whether an advertisement was viewed or clicked and whether there was an installation of an advertised mobile application, information on actions performed within an advertiser’s mobile app following such an installation (e.g. in-app purchases), level in the game, the advertisements displayed within a mobile application and interactions with such advertisements.

Subject to the mobile app publisher’s preferences, ironSource may receive additional Personal Data from such publishers, including the age, gender, in-app purchases, advance in the game, and other information provided by the developer. We have decided to share the following data with ironSource when you use our Services and app: information about how many User events occur with respect to mobile application installations, non-member home page visits, subscription page visits, first-time User sign-ins and new subscriptions, in each case, by disclosing advertising IDs assigned to Users.

Further information on how ironSource process your Personal Data can be found in ironSource’s privacy policy for their services, which may be accessed at: https://developers.is.com/ironsource-mobile/air/ironsource-mobile-privacy-policy/.

(b) Purpose of the data processing

We use ironSource to analyze our marketing measures as well as to optimize such measures.

(c) Legal basis for the processing of personal data

The legal basis for the processing is Art. 6 (1) lit. a) GDPR or Art. 5 (3) ePrivacy Directive for the storage and access to information in your terminal device.

This service may transfer the collected data to another country. Please note that this service may transfer Personal Data outside the European Union and the European Economic Area and to a country that does not offer an adequate level of data protection. ironSource processes your Personal Data in Israel. However, ironSource may also transfer and process your Personal Data in the USA due to the use of service providers that are based in the US (e.g. Amazon Web Services). If the Personal Data is transferred to the USA, there is a risk that your Personal Data may be processed by US authorities for monitoring and surveillance purposes. For the lawfulness of the transfer of your personal data to third countries, ironSource relies on standard contractual clauses adopted by the European Commission (Art. 46 (2) lit. c) GDPR). The current adopted version of the standard contractual clauses adopted by the European Commission may be reviewed at: https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en.

With regards to the security of the processing and transfer of Personal Data to Israel, the European Commission has decided and determined that Israel has an adequate level of protection with regard to the processing of your Personal Data (Art. 45 GDPR). The adequacy decisions can be found on the following website of the European Commission:

https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.

If there is neither an adequacy decision by the European Commission nor other suitable guarantees for the transfer and processing of your Personal Data in countries outside the European Economic Area, your express prior consent pursuant to Art. 49 (1) lit. a GDPR constitutes the legal basis for the processing in this regard.

Further information on how ironSource processes your Personal Data and the security measures taken by ironSource to protect your Personal Data in the context of third country transfers can be found in ironSource’s privacy policy, which can be accessed here: https://developers.is.com/ironsource-mobile/air/ironsource-mobile-privacy-policy/.

d. Duration of storage

Your Personal Data will be stored for as long as necessary to fulfill the purposes described in this Privacy Policy or as required by law. For more information about the data retention periods implemented by ironSource, please see the “Maximum Information Retention Period” section of their privacy policy.

e. Control of the Processing of your Personal Data

Further information on how to control your Personal Data processed by ironSource can be found in the “How to Control Information” section of ironSource’s privacy policy, which may be accessed at: https://developers.is.com/ironsource-mobile/air/ironsource-mobile-privacy-policy/.

b. Marketing

We would like to send you information about our products and Services and those of our associated companies which may be of interest to you. If you have opted in to receive marketing information, you may opt out later. You may not opt out of receiving administrative messages from us regarding your Account, such as password reset emails, customer support messages, and emails about changes to our Privacy Policy in accordance with Section 14 (Changes to Our Privacy Policy).

You have a right at any time to stop us or any associated companies from contacting you for marketing purposes—if you no longer wish to be contacted for marketing purposes please contact us via the contact details in Section 15 (Complaints, Reporting Violations, and Contacting Us) or click on the Unsubscribe button at the bottom of any email received from us.

While it is never our intention to send any marketing messages to children, if you believe a Child User has received such a marketing communication, please contact us as described in Section 15 (Complaints, Reporting Violations, and Contacting Us).

Push Notifications and SMS. Additionally, if you downloaded the App on your mobile device to access the Services, as part of your use of the Services we may ask if you would like to receive push notifications, which may include alerts and notifications, badges, banners, and sounds on your mobile device. You may choose to stop receiving push notifications at any time by changing the settings on your mobile device. We may also ask if you would like to receive SMS text messages. Please note that your network provider may charge you for the text messages you receive. To permanently stop receiving SMS text messages from us text STOP, CANCEL, or UNSUBSCRIBE in reply to any SMS text message sent by us.

6. How We Use Your Personal Data

We may use the information collected from Users for the following purposes:

a. Adult User Personal Data.Personal Data about Adult Users may be used:

i. to generate a transaction identification number and member identification number, which is used by us to identify certain actions and Users, such as completing activities or canceling an account. The processing of aforesaid data is necessary to provide you with our Services and to establish and fulfill the contract concluded with you for the use of our Services (Art. 6 (1) lit. b) GDPR);

ii. to permit you to register for and use the Services, including, for example, to send you communications about Child User progress or your Account, or to allow you to provide Feedback through the Parent section. For security purposes, the Parent section is password protected. The legal basis for the processing is the establishment and fulfillment of the contract concluded with you for the use of our Services (Art. 6 (1) lit. b) GDPR);

iii. for paid Accounts, to complete and fulfill your purchase, such as to process your payments, communicate with you regarding your purchase, and provide you with related customer service. The legal basis for the processing is the fulfillment of the contract concluded with you for the use of our Services and to provide you with the purchased orders (Art. 6 (1) lit. b) GDPR);

iv. to respond to your enquiries or complaints and fulfill your requests, retrieve your password or provide technical support. The legal basis for the processing regarding the provision of technical support and the receipt of your password is the fulfillment of the contract concluded with you for the use of our Services (Art. 6 (1) lit. b) GDPR) and regarding the personal data you may provide with your enquiries or complaints our legitimate interest in processing these enquiries and complaints (Art. 6 (1) lit. f) GDPR);

v. to deliver ABCmouse® advertising and to measure the effectiveness of our advertising to adults (see Section 5 (Advertising and Marketing) for more information). The legal basis for the processing is your consent (Art. 6 (1) lit. a) GDPR); and

vi. to send you marketing communications that we believe may be of interest to you (see Section 5 (Advertising and Marketing) for more information). The legal basis for the processing is your consent (Art. 6 (1) lit. a) GDPR).

b. Child User Personal Data.Personal Data collected about Child Users may be used:

i. to measure a Child User’s performance in activities and to adapt a Child User’s learning experience to the Child User’s learning needs; and

ii. to analyse, provide progress reports on, or provide an assessment of a Child User’s performance to the Adult User on the Account.

The processing of Child User Personal Data is necessary to perform and fulfill the contract for the use of our Services concluded with the Adult User (Art. 6 (1) lit. b) GDPR).

c. Both Adult and Child User Personal Data.Personal Data collected about both Adult and Child Users may be used:

i. to allow us to assess and improve the Services, its educational content, and other services we provide, for example, to improve our content and user experience; to research, evaluate, and improve the Services’ educational efficacy; and to inform our understanding of the Services’ user base. For this purposes, the processing of Adult and Child User Personal Data is based on our legitimate interest pursuant to Art. 6 (1) lit f) GDPR. Our legitimate interest is to provide Child Users using our Services with the consent of the Adult User with Services tailored to their needs, to increase the potential educational benefits for Child Users. At the same time, we seek to provide an excellent service that is adapted to Adult and Child Users’ needs;

ii. to customise, adapt, and personalise Users’ viewing and content-consumption experience, for example, by measuring a Child User’s performance in activities and adapting the Child User’s learning path to his or her learning needs. The processing is necessary to perform and fulfill the contract for the use of our Services concluded with the Adult User (Art. 6 lit. b) GDPR);

iii. to detect fraud (Art. 6 (1) lit. f) GDPR);

iv. to maintain and analyse the functioning of the Services, to detect violations of and enforce our Terms & Conditions, and to protect our rights, privacy, safety, or property, or that of our associates, you, or others. The processing is based on our legitimate interest to protect our Services and technical infrastructure from disruptions, outages and (cyber) attacks (Art. 6 (1) lit. f) GDPR); and

v. to comply with legal process and obligations to which we are subject, and to respond to requests from public and government authorities, including public and government authorities outside your country of residence, and court orders ((Art. 6 (1) lit. c) and lit f) GDPR).

We will never monetize the Personal Data of any User of the Services by providing it to a third party in exchange for money, except as described in this Privacy Policy in the context of a sale of the Company.

Where we intend to process your Personal Data for a purpose other than that for which it was originally collected, we will provide you with information on that other purpose and any relevant further information prior to such processing.

7. When We Disclose Information to Third Parties

Personal Data collected about both Adult and Child Users will not be disclosed except as follows:

a. to third parties who perform certain services for us, such as to conduct or evaluate research (such as on the educational impact of the Services); and to provide us with our technical infrastructure (i.e. our host provider).

In this case, any transfer or disclosure of your Personal Data will take place for the fulfillment of the contract concluded with you (Art. 6 (1) lit b) GDPR or, in terms of the conduct and evaluation of research, in our legitimate interest (Art. 6 (1) lit f) GDPR.

For the provision of the services mentioned above, we use the following service providers, which we have carefully selected beforehand as processors, whose reliability we have verified pursuant to Art. 28 (1) GDPR and, to the extent required by law, which we have contractually obliged within the scope of Art. 28 (3) GDPR to process all Personal Data provided by us exclusively in accordance with our instructions:

Hosting Service Provider: Amazon Web Services, Inc., 410 Terry Avenue North, Seattle WA 98109, USA. Link to privacy notice: https://aws.amazon.com/privacy/?nc1=h_ls. Link to data privacy FAQ on how AWS handles customer content hosted on their servers: https://aws.amazon.com/compliance/data-privacy-faq/.

b. to the following payment service providers, who process your debit and credit card and other payment related information:

Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA (for Android users) link to privacy notice: https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en;

Apple, Inc., One Apple Park Way, Cupertino, California, USA (for iOS users) link to privacy notice: https://www.apple.com/legal/privacy/data/en/apple-pay/

In this case, any transfer or disclosure of your Personal Data will take place for the fulfillment of the contract concluded with you (Art. 6 (1) lit b) GDPR

c. where legally required by law or where requested by public or government authorities, including public and government authorities outside your country of residence, or court order. The legal basis for these processing operations is Art. 6 (1) lit. c) GDPR; and

d. subject to confidentiality agreements, the terms of this Privacy Policy, and applicable data protection and privacy law, information may be disclosed to service providers, advisors, potential transactional partners, or other third parties in connection with the consideration, negotiation, or completion of a corporate transaction in which we are acquired by or merged with another company or we sell, liquidate, transfer, or license all or a portion of our assets in bankruptcy or otherwise. This means that if some or all our assets are acquired or otherwise transferred or licensed, including in bankruptcy, that such acquirer shall be subject to the same commitments stated under this Privacy Policy. The legal basis for the disclosure of your Personal Data is Art. 6 (1) lit. c) and f) GDPR.

We do not disclose the personally identifiable information of any Child User to third parties for any marketing or promotional purposes.

As used in this Privacy Policy, Anonymous Data means data that does not relate to an identified or identifiable natural person or Personal Data rendered anonymous in such a manner that the Data Subject is not, or is no longer, identifiable. Anonymous Data does not, by itself, permit the identification of individual persons and is therefore not regarded as Personal Data.

We also may disclose Anonymous Data and/or aggregated User information for any other purpose as permissible by applicable data protection and privacy law—for example, the distribution of anonymous User records to outside researchers or the distribution of reports containing aggregate user demographic and traffic patterns—provided that no individual Adult User or Child User or any specific end-user device can be readily identified.

8. How to Access, Change, or Delete Account Information; Your Rights

An Adult User can review or change the information they provided when they registered for the Services, including by adding or removing Child Users to or from the Account, or by updating information through the Parent section of the Services. In addition, Adult Users may contact us at any time as described in Section 15 (Complaints, Reporting Violations, and Contacting Us) to request that we provide for their review, or delete from our records, any Personal Data they have provided about Child Users associated with their Accounts, or to cease collecting Personal Data from those Child Users, as applicable. Please keep in mind that a request to delete Personal Data may lead to cancellation of your Account or the inability to use certain Services.

When we change or delete any Personal Data at your request, we will make good faith efforts to make the changes in our then-active databases as soon as reasonably practicable. Changing setting options may not result in immediate changes to the settings, which are subject to our operations and maintenance schedules. Please note that information, including Personal Data, may remain in backup or archive records to comply with statutory or other legal retention obligations which are applicable to us, and we may retain certain data relevant to preventing fraud or future abuse or for legitimate business purposes.

Your Rights:

You have the following statutory rights under GDPR:

a. the right to access the Personal Data we hold about you: you may access the Personal Data we hold about you at any time by contacting us as described in Section 15 (Complaints, Reporting Violations, and Contacting Us) (Art. 15 GDPR);

b. where our processing of your Personal Data is based on your consent, the right to withdraw your consent to such processing at any time with effect for the future, i.e withdrawing your consent does not affect the lawfulness of the processing based on consent before your withdrawal (Art 7 (3) GDPR);

c. the right to rectification of your Personal Data: you can also contact us to update or correct any inaccuracies in your Personal Data (Art. 16 GDPR);

d. the right to restriction of processing or to object to processing of your Personal Data (Art. 18 GDPR);

e. the right to request us to transfer your Personal Data to a third party in a structured, commonly used machine-readable format (Art. 20 GDPR);

f. the right to object, on grounds relating to the data subjects’ particular situation to the processing of Personal Data which is based on Art. 6 (1) lit e) or f) GDPR and to object to direct marketing measures (as referred to in Section 5) (Art. 21 GDPR);

g. the right to request the erasure of your Personal Data (Art. 17 GDPR “right to be forgotten”); and

h. the right to lodge a complaint with a competent supervisory authority (Art. 77 GDPR).

If you wish to exercise any of these rights, please contact us using the details in Section 15 (Complaints, Reporting Violations, and Contacting Us). In your request, we encourage you to make clear: (i) what Personal Data is concerned; and (ii) which of the above rights you would like to enforce. For your protection, we may need to verify your identity before implementing a request.  Please note that we may need to retain certain information for recordkeeping purposes and/or to complete any transactions that you began prior to requesting such change or deletion.

9. Account Cancellation and Reactivation; Data Deletion

We only keep your Personal Data for as long as necessary in relation to the purpose for which we are processing that information. To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.

At any time, Adult Users may cancel their Accounts through the Parent section of the Services.

For Family Accounts that have been cancelled, if the Account remains inactive for 12 months, subject to legal requirements to the contrary, we will delete all Personal Data in our active databases associated with the Account (Account Information). The 12 months is provided so that you have the ability, following cancellation of a Family Account or inactivity, to reactivate your Account and potentially recover previous information and resume where the Child User left off.  If a User requests that Personal Data be deleted prior to the end of the 12-month period of inactivity, we will satisfy that request.

Upon Account cancellation, Adult and Child User Anonymised Data may nonetheless persist internally in our archive files or similar databases and may still be used, on an anonymous basis, for our internal support, administrative, and record-keeping purposes including, but not limited to, allowing us to improve the Services and other services we provide through research, evaluation, and analytics as permissible by applicable data protection and privacy law.

Please note that following a request to delete information or your Account under Sections 8 or 9 of this Privacy Policy, information including Personal Data may remain in backup or archive records if required by law, or relevant to preventing fraud or future abuse. All retained data will continue to be subject to the Privacy Policy in effect at that time and applicable law.

10. Links to Other Services

In certain sections of the Services, we may include links to external websites or applications (including Facebook, X (formerly Twitter), YouTube, Instagram, and Pinterest). However, in order to protect children from accessing these external websites, an Adult User will be required to enter a valid password. These websites and applications are governed by their own privacy policies or information collection practices, which may be substantially different from ours. We encourage you to review the privacy policies and information collection practices of any external websites and applications, as those parties’ practices would not be subject to this Privacy Policy. These service providers are solely responsible for the data processing that they carry out for their own purposes. Below you will find contact details of the controllers in Europe and some links to further useful information regarding their data processing:

• Facebook (https://www.facebook.com): operated by Meta Platforms Ireland Limited (formerly Facebook Ireland Ltd.), 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland;

Privacy Policy: https://www.facebook.com/about/privacy https://www.facebook.com/settings?tab=ads  

Notes on Facebook Pages and Insights: Agreement on joint processing of personal data on Facebook pages: https://www.facebook.com/legal/terms/page_controller_addendum (link only works when copied to browser), https://www.facebook.com/legal/terms/information_about_page_insights_data

• Instagram (https://www.instagram.com): operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland;

Privacy Policy: https://de-de.facebook.com/help/instagram/155833707900388;

• X (formerly Twitter) (https://www.twitter.com): operated by X Corp. 1355 Market Street, Suite 900 San Francisco, CA 94103, USA, data controller in the European Union: Twitter International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland

Privacy Policy: https://twitter.com/en/privacy

• Youtube (https://www.youtube.com): operated by YouTube LLC, 01 Cherry Ave., San Bruno, CA 94066, USA, data controller in the European Union: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Privacy Policy: https://policies.google.com/privacy?hl=en

• Pinterest (https://www.pinterest.com): operated by Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland, data controller in the European Union: Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland jointly with Irland. Pinterest, Inc., 651 Brannan St., San Francisco, CA 94107, USA.

Privacy Policy: https://policy.pinterest.com/en/privacy-policy

11. Location of Information Processing

The Services are controlled and operated by us from the United States of America. Your information may be transferred to, stored, and processed by us in any country where we have facilities or in which we engage service providers, including the United States of America, which may have data protection laws that are different from those of your country. Specifically, we may transfer Personal Data from the European Economic Area (EEA) to:

a. countries that the European Commission has deemed to adequately safeguard Personal Data and for which the European Commission has issued an adequacy decision pursuant to Art. 45 GDPR. Information on which countries the European Commission deems to have an adequate level of data protection can be found here: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en;

b. pursuant to the recipient’s compliance with standard contractual clauses (Art. 46 (2) lit c) GDPR, or Binding Corporate Rules (Art. 46 (2) lit. b), Art. 47 GDPR);

c. pursuant to the consent of the individual to whom the Personal Data pertains (Art. 49 (1) lit. a) GDPR, or

d. as otherwise permitted by applicable EEA requirements pursuant to Art. 44 et. seq. GDPR.

In addition, your information may be subject to access requests from governments, courts, or law enforcement officials in countries where it may be processed, under the laws of those countries.

We will take all steps reasonably necessary to ensure that your Personal Data is treated securely and in accordance with this Privacy Policy.

12. Security

The security of your Personal Data is important to us, and we employ reasonable physical, technical, and administrative security measures designed to safeguard the Personal Data collected by the Services and to guard against unauthorised or unlawful processing of Personal Data and against damage to, accidental loss, or destruction of your Personal Data. We use industry-standard SSL (secure socket layer technology) encryption to transfer Personal Data. Other security safeguards include, but are not limited to, data encryption, firewalls, and physical access controls to buildings and files.

Account holders create a password in the registration process. You can help protect against unauthorised access to your account and Personal Data by selecting a strong password, protecting your password appropriately, and limiting access to your computer and browser by signing off after you have finished accessing your Account. At registration, we assign a Member ID to each Account and use those Member IDs to authenticate logins, allow access to the subscription content, and monitor compliance. The Member ID is also used to authenticate users when requesting technical support. Access to information is limited (through user/password credentials and two-factor authentication) to those employees who require it to perform their job functions.

We also use PCI-DDS compliant service providers for credit card processing as required by applicable law.

13. Cookie Policy

a. What Are Cookies?

Our websites and Apps use cookies. Cookies are small (text) files placed on your device to collect standard internet log information and visitor behaviour information. The cookies may transmit information via your browser with a purpose of authenticating or identifying the computer (via, e.g., the IP address) or the User. Cookies may contain information such as registration data and User preferences.

We use cookies to:

i. automatically collect certain technical information from your computer or mobile device over time and across different websites, including when you use the Services, such as your browser type, operating system, device type, the page served, your IP address and your geolocation. When you download and use our App(s), we and our service providers may track and collect App usage data, such as the date and time the App on your device accesses our servers and what information and files have been downloaded to the App based on your device number. Storing such cookies on and accessing your end devices to obtain these information is technically necessary to provide our Services to you. Legal basis for storing these cookies on your end devices and accessing your information to obtain these information is based on Art. 5 (3) ePrivacy Directive, and the processing of your Personal Data on Art. 6 (1) lit. f) GDPR.;

ii. collect and store information about your location to provide you with educational experiences or email updates that are tailored for your region. The location information we have access to may include (1) your postal code, if you provide one to us; and (2) the approximate geographic region your computer or mobile device is located in, as determined from your IP address. However, we do not collect your street name and the name of your city/town unless provided during registration. You may be able to change the settings on your computer or mobile device to prevent it from providing us with such IP information. We also have access to your school or classroom location if you (as a teacher) provide it to us. The legal basis for storing corresponding cookies and processing the aforementioned geo localization data is your consent pursuant to Art. 5 (3) ePrivacy Directive, Art. 6 (1) lit. a) GDPR.; and

iii. we may collect information from your mobile device if you have downloaded our App(s). This information is generally used to help us deliver the most relevant information to you. Examples of information that may be collected and used include your IP address, geographic location, how you use the App(s), and information about the type of device you use. In addition, in the event our App(s) crash on your mobile device, we will receive information about your mobile device model software version and device carrier, which allows us to identify and fix bugs and otherwise improve the performance of our App(s). This information is sent to us as aggregated information. In addition, if you choose to turn on your Bluetooth, wi-fi or other geolocation functionality when you use our App(s), we may collect and use your geolocation information. The legal basis for accessing and collecting such information from your device, is your prior consent pursuant to Art. 5 (3) ePrivacy Directive.

b. Pixel Tags and IFrames:

We also use pixel tags (which are also known as web beacons and clear GIFs) on our Services to track the actions of Users on our Services. Unlike cookies, which are stored on the hard drive of your computer or mobile device by a website, pixel tags are embedded invisibly on web pages. Pixel tags measure the success of our marketing campaigns and compile statistics about usage of the Services, so that we can manage our content more effectively. The information we collect using pixel tags is not actively linked to our Users’ Personal Data (e.g. account data).

We additionally use JavaScript snippets and server to server requests that are provided by our affiliate partners and IFrames (or inline frames) on our Services to insert content from another source into a web page, particularly in respect of advertisements to provide advertisements about goods and services likely to be of interest to our Users. An IFrame is an HTML document embedded inside another HTML document on a website.

We and our third-party service providers listed in Section 5 may use the information collected through these technical methods for several purposes, including delivering content, tracking and enhancing our Users’ experience on the Services, and delivering advertising to visitors of www.abcmouse.com when they visit other websites and applications. For example, when you return to the Services after logging in, cookies help the Services recognise who you are without having to log back in. For more information, see Section 6 (How We Use Your Personal Data). The information collected through these technical methods on the child-directed portions of the Services are used only to support the internal operations of the Services. We do not allow third- party advertising networks to collect information about Child Users who are logged into their Accounts.

c. Managing Your Cookies

Cookies help you to get the most out of our Services, and if you disable cookies some Services or website functionality may not be available. If you do not want the Services to collect information through the use of cookies, you can set your web browser to reject cookies from the Services.

How to enable and disable cookies using your browser:

Most browsers allow you to manage cookie settings. These settings can usually be found in the Settings, Options, or Preferences menu of your browser. The links below are provided to help you find the settings for some common browsers:

i. manage cookie settings in Chrome, Chrome Android, and Chrome iOS;

ii. manage cookie settings in Safariand Safari iOS;

iii. manage cookie settings in Firefox;

iv. manage cookie settings in Internet Explorer; and

v. manage cookie settings in Opera.

For all other browsers, please look for a Help function in your browser or contact the browser provider.

However, as mentioned above, if you reject or block cookies from the Services, the Services may not function as intended. For example, you will not be able to remain logged in to your Account, and therefore you would have to log in during each page transition.

Further information about cookies, including how to see what cookies have been set on your computer or mobile device and how to manage and delete them, visit www.allaboutcookies.org and www.youronlinechoices.com/uk .

14. Changes to Our Privacy Policy

We constantly try to provide the best services, and accordingly our Privacy Policy will change from time to time. If we update this Privacy Policy, we will notify you by posting the revised Privacy Policy on the Services, and for certain revisions that materially expand the ways in which we use or share the information previously collected from you through the Services, either display an alert next to the Privacy Policy, display an alert upon login to the Services, or directly communicate with you (e.g. via the email address associated with your Account).

15. Complaints, Reporting Violations, and Contacting Us

We are committed to resolving any complaints about our collection or use of your Personal Data. If you would like to make a complaint regarding this Privacy Policy or our practices  relating to your Personal Data, please contact us as described below. We will reply to your complaint as soon as we can. We hope to resolve any complaint brought to our attention; however, you reserve the right to contact and file a complaint with a competent supervisory authority, as detailed in Section 8 (How to Access, Change, or Delete Account Information; Your Rights).

Age of Learning, Inc. is located in the United States of America and is the operator of all the Services. Any questions, concerns, or complaints regarding this Privacy Policy, our data collection or processing practices, or issues related to your or a Child User’s information for which you are responsible, should be directed to us via any of the following methods. As Age of Learning, Inc. is in the United States of America, we have appointed a representative in the European Union so that our European Users may easily contact us:

For Family Accounts:

Postal Address: Age of Learning, Inc. Attention: Legal Department P.O. Box 230 Glendale, CA 91209 USA. Telephone Number: 1-800-633-3331 Email Address: privacy@aofl.com

European Representative:

Postal Address: Please see list below.

Attention: DataRep

Email Address: datarequest@datarep.com or through the online portal at www.datarep.com/data-request

We have appointed DataRep as our Data Protection Representative in the European Union so that you can contact them directly in your home country. DataRep has locations in each of the 28 EU countries, so that Age of Learning, Inc.’s customers can always raise the questions they want with them.

PLEASE NOTE: when mailing inquiries, it is ESSENTIAL that you mark your letters for ‘DataRep’ and not ‘Age of Learning, Inc.’ or your inquiry may not reach us. Please refer clearly to Age of Learning, Inc. in your correspondence. On receiving your correspondence, the Company will likely request evidence of your identity, to ensure your personal data and information connected with it is not provided to anyone other than you. If you have any concerns over how DataRep will handle the personal data they will require to undertake their services, please refer to their privacy notice at www.datarep.com/data-request.

DataRep Postal Addresses