Tyto Online is a product created by Immersed Games, Inc. Our mission is to create an empowering, next-generation STEM learning platform. We use data to provide services and to improve Tyto Online constantly as we learn from our users and how they learn and engage with the platform.
Key Term: PII — Personally Identifiable Information. Throughout this policy, we will differentiate when we use PII or when we use de-identified information that is not tied to the individual.
640 Ellicott St #108
Buffalo, NY 14203
Starting with this new updated version, when material changes are made to these policies, we will send an email to all account holder email addresses. We will send notices out a week in advance of effective policy change dates. If users continue to use the service, they are indicating consent to these changes.
Tyto Online collects and receives data in a variety of ways in order to provide its Services.
During the registration process, the person creating accounts provides information.
School Accounts. When teachers register, they provide information that may include a name, school name, district name, school email address, position, password, and phone number.School Accounts must be created with a verifiable educational institution email address to ensure appropriate educational access.
When a teacher uses Tyto Online, they are able to add students in order to keep track of their learning progress and assign activities to them. Students are organized into periods under different subjects by their teacher. For these accounts, we ask teachers to enter the students;’ first and last name, and they can then create a username and password or have them automatically generated for the students.
Teachers may also opt to use a third party Google Classroom integration, in which case student information that includes email addresses will be imported from Google Classroom. Google provides us with the students’ email, name, profile id, and teacher information.
Parent & Child Accounts (non-School). We also support students making their own accounts, separately from a school, under a parent’s supervision. Parents provide information including their name, email, username, and password. When Parents add children, they provide their first name and then set up usernames and passwords.
If a child registers to play on their own, we request the parent’s email so that we can obtain permission for the child to play.
Information During Purchasing. All account types allow for creating a free trial account with the same processes, and that follow the same policies defined here. There are no in-app purchases available or accessible to children.
If someone decides to purchase a Tyto Online subscription, which is done via the website dashboard, users may also provide credit card information and their billing zip code.
During the registration process, the person creating accounts provides information.We also automatically receive information based on our website and game services.
Messages. Tyto Online collects chat messages that are sent and received within the Tyto Online application.
IP Address. We collect your IP address when you login to our services, in order to provide more specific location-based services that we offer now or in the future. For example, connecting you to the closest game server.
Web Search History. We do not collect users’ web search history across third party websites or search engines. However, if a user navigates to our website via a web search, their web browser may automatically provide us with the web search term they used in order to find us. Our website does not honor “do not track” signals transmitted by users’ web browsers, so we encourage you to visit the following link if you would like to opt out of certain tracking: http://www.networkadvertising.org/choices or http://www.aboutads.info/choices/. Note that if you wish to opt out, you will need to do so separately for each of your devices and for each web browser you use (such as Internet Explorer®, Firefox®, Safari®).
Usage Data. We also collect information about what you’re doing with our product, in order to improve the experience and provide accurate assessment data. This includes when you log into the game or website, when you log out of the game, and data on what you accomplish and do within the game via analytics tracking.
The information we collect helps us provide and improve our product.
Opt-in subscriptions targeted towards adults (educators, parents) may ask users to sign up for newsletters, promotional offerings, or participation in other feedback or informational sessions. These communications may include tracking. The information submitted will never be shared or sold to third parties, and an opt-out link will be included at the bottom of these messages. We never knowingly send marketing or advertising to student or child users.
We also require an email for password recovery and sending notifications, emailing about new features or training options, and more. An opt-out link will be available at the bottom of all messages that are not required for functioning of the product.
Most of the information we collect is used primarily for providing Tyto Online and its related services, such as its assessment dashboard. For example, IP addresses allow us to connect users to the correct server in the world for the best performance. We collect students’ names so that teachers can use this information to manage their classes, assign content, and receive assessment information. Similarly, detailed information on what the student does within the game is used to generate assessment data for teachers’ legitimate educational uses.
We also collect PII to collect and process payment information, when needed to continue services.
Information is also used and retained in order to guide the internal team in improving the product. For example, de-identified information is used by the developers to see the common educational patterns made by students in the game, so that the game can be improved for better educational outcomes.
We may provide limited personally identifiable information to third party service providers in order to help us provide and improve our own services.
In short, our commitment to you regarding third parties is that:
1. They are used for the purposes of providing and improving our services.
2. We will not share any personally identifiable information for marketing or advertising purposes.
3. We will never sell any personal information to third parties.
We use a variety of third party service providers, such as analytics companies, to understand usage of our services. We may allow those providers to place and read their own cookies to help us measure how users interact with our services. This technical information is collected directly and automatically by these third parties.
These third parties are bound contractually to practice adequate security measures and to use your information solely as it pertains to the provision of their services. They do not have the independent right to share your personally identifiable information.
The following type of third parties have access to limited PII for specified uses (generally email addresses).
Rostering & Single Sign-in. We use Google Classroom and Google Single Sign-in services in order to allow easy account access and set up. We do not support any other social login services.
Google provides us with the following information:students’ email, name, profile id, classroom and/or course name, and teacher information.We currently do not share information with Google Classroom, but may add this feature in the future to support Educator Account workflows.
Hosting and Log Storage. We use Amazon Web Services for hosting our game servers, databases, and logs. This means that PII is stored here in the form of emails, usernames, character names, and user IDs. However, Amazon does not have permission to use this information personally.
Customer Support & Outreach. We use some third party services for customer support and outreach, such as our live chat, Knowledgebase, or email services. These services have access to emails, some to names, and sometimes behavioral information, such as triggers we set up to prompt customer support emails and delivery analytics. These services include Mailchimp (including the Mandrill service), Drift (which also collects IP, location, and device information to help us provide fast and accurate support), Hubspot, and Zendesk. Some basic contact information may also go through Google as we use their email and docs internally. We do not collect student email addresses, so this only applies to adults or optionally provided child emails from parents.
Contract & Payment. We use Stripe to collect payment information, when necessary, which includes customer name, credit card information, billing zip code, and contact information. We also use Quickbooks for internal tracking of revenues and expenses, which may include school billing contact information. We use Echosign to sign electronic documents. None of this includes student PII
The following third parties have access to user data, but only in de-identified form without PII.
Research Purposes. We may use or share anonymous or aggregate and de-identified information for educational research purposes, to evaluate, inform, or show the efficacy of our services.
Required by Law. We reserve the right to disclose personally identifiable information if we are required to do so by law, or if we believe that disclosure is necessary to protect our rights, protect your safety or others’ safety, investigate fraud, and/or comply with a judicial proceeding, court order, subpoena, or legal process.
We take a variety of technical and common-sense measures to protect your data.
Tyto Online takes protecting your security and privacy seriously and has put measures in place to protect your information. These include the use of secure, access-controlled data centers operated by industry leading partners, data encryption in transit and storage of personal information, SSL security, and hashed and salted passwords.
We also take common-sense, non-technical approaches. We limit the amount of personal data we collect to begin with, focusing on what we need to provide services and contact our customers. Our employees who have access to any PII are provided training on privacy laws.
In the event of a security breach, we will notify affected account holders within the amount of time required by law so that you can take steps to keep your data safe.
We are set up for use by both schools and parents directly, following applicable laws.
The school or district assumes responsibility to verifying parental consent to use Tyto Online. There are multiple ways teachers or schools can obtain parental consent:
1. Obtain consent as part of a school-wise technology consent process you already have in place;
2. Obtain individual consent from parents to use Tyto Online;
3. Teachers in the United States may agree to act as the parent’s agent and provide consent on their behalf for students to use Tyto Online solely in the educational context as provided by the FTC.
Teachers, schools, or districts using Tyto Online maintain ownership of their Student Records (as defined in the Family Educational Rights and Privacy Act (FERPA)).
Each educator has access to a dashboard that allows control over the Student Records. They can create, update, review, modify, and delete accounts.
Educators are encouraged to safeguard access to Tyto Online Student Records, and notify us if there is any unauthorized use of a password or account registered to them. Students using Tyto Online under an educator account will only be able to create or access their accounts with a class code provided by the teachers. Students will be able to communicate with other students within their classroom within Tyto Online. Tyto Online does not allow students to communicate with other students outside of their schools right now (although this may be added as a feature, requiring parent permission to enable, in the future).
We encourage educators to notify parents if they use Tyto Online. Parents can log into their children’s’ accounts to see their records. If you are the parent or guardian of a student using Tyto Online with their teacher, you can request login information from your child or their teacher. You are encouraged to use this information to view your student’s progress at any time. Parents have the right to request that we delete personal information or make changes to records at any time.
Under the terms of our agreement with schools, we agree to act as a “School Official” as defined by FERPA, meaning that we:
1. Perform an institutional service or function for which the school or district would otherwise use its own employees;
2. Have been determined to meet the criteria for being a School Official with a legitimate educational interest in the education records;
3. Are under the direct control of the school or district with regard to the use and maintenance of education records; and
4. Use education records only for authorized purposes and will not re-disclose Personally Identifiable Information from education records to other parties (unless we have specific authorization from the school or district to do so and it is otherwise permitted by FERPA).
COPPA through Schools. These practices are COPPA compliant. Tyto Online limits use of the child’s information to educational uses authorized by the school.
In addition, School account administrators can review childrens’ personal information and request to have it deleted. Tyto Online may still retain information for up to 30 days to provide customer support and prevent accidental deletion. Please keep in mind that after deletion, recovery of account progress will be impossible.
School account administrators can also request that there is no further use of the child’s information; however, Tyto Online will need to inactivate or delete the account for this, as we cannot provide Services without some data processing.
Parent and Child Registration without Schools. We also allow children and parents to use the service outside of schools. We provide a way for parents to sign up and add their children, providing their consent in the process.
When it becomes necessary to collect personal information from children under 13, we will only do so after obtaining verifiable parental consent, as defined under COPPA, or as otherwise permitted under COPPA. We confirm that the parent is the one giving consent with credit card confirmation.
This information is only retained where the minor’s parent or legal guardian, has provided and/or approved that information to Immersed Games during the registration process. Children before parental consent will not be able to use in-game chat, meaning there is no way for individuals to contact them in the game.
Such information is not shared with third parties and is only used internally. A child’s usage information, such as analytics collected through gameplay, is only shared in an aggregated anonymous manner and never in a way that could personally identify the minor.
In the event that we learn that we have collected personal information from a minor without parental consent, they will delete that information as quickly as possible. If the User believes that their child or a minor may have provided us with personal information beyond what is requested when signing up for the Site or game, please contact the company at firstname.lastname@example.org.
Parental Review of Personally Identifiable Information. Parents will have the ability to use their parental account to administer their children’s accounts and review the personally identifiable information maintained by Immersed from such accounts. Parents or guardians may establish a parental account during the initial registration process for the child’s account or, subsequently, through the account management features applicable to the child’s account.
We ensure students have a safe online environment for gameplay and learning.
We use an industry-leading provider, CleanSpeak, to safely filter all chat in the game.
Users of the Tyto Online game have access to social features, such as creating a character and then chatting with other students in the game. The Tyto Online game has a chat filter which does not allow the sharing of personally identifiable information like students’ name and location, curse words, bullying language, etc. Attempts by users to message with any of those banned topics will be blocked before posting, to the best of our ability.
Students when in the game are only represented by their character name, which is a name they choose to represent themselves in the Tyto Online application that is not the same as their real-life name. They therefore do not need, and are encouraged not to, share any personal information to participate in social settings. Students do not have publicly available profiles with their information.
Chat logs are retained for at least 90 days in order for us to provide appropriate services and resolve any concerns that users have. In addition to the filtering system, we also have moderation that flags common offenders to human reviewers within the team.
The CleanSpeak software is hosted by us, with our game’s chat functionality, so that this data is not going through CleanSpeak as a third party.
We also provide controls on who children/ students can talk with by default, and let parents or schools limited it further.
School Accounts. Our online interactions and chat for students within Classrooms (created with School Accounts) functions so that:
1. When students log into the application, they will be given a list of Classrooms they are a part of and can choose which one to log into;
2. That then loads a special world that is only available to students within that Classroom;
3. Students are therefore only be able to talk with and see other students within those Classrooms when they log in;
4. Educators may turn off chat for their students if they wish.
Parent and Individual accounts. Our online interactions and chat for students who are playing from Parent Accounts or Individual Accounts function so that:
1. They are on the Tyto Online Public Server, so they will have access to other students and strangers, which could include adults playing;
2. Chatting is only with parental permission for students under 13, and parents may opt to turn off or on general chat, private messages, or private messages only with friends;
3. Players whose parents have not enabled talking in the game may see strangers, but will not be able to interact with them besides emotes like waving or nodding.
What are the default chat settings for my child (parent account)?
Once you have confirmed your parental status with a credit card, they will have access to game and private message chat unless you disable it.
Can someone report abuse or cyber-bullying or other inappropriate behavior?
Of course! While our filtering would make this very difficult to engage in, if someone suspects or has observed this happening, please use our live chat on tytoonline.com to let us know, or email us at email@example.com
Can I see what my child has said in the game, or what others have said to them?
If a parent or teacher is concerned about a potential discussion their student(s) engaged in, they can email firstname.lastname@example.org with the user(s) involved and approximate date. The Immersed Games team will respond within 72 hours with the requested information, or if the data has already been deleted and is out of scope (previous 90 days).
What are the default chat settings for a student (teacher account)?
Students can only talk with students within their classroom (not even across other classrooms in the school).
Can I turn chat off?
Yes. A parent can use their parental settings to turn off chat for their children. Teachers can request chat be turned off directly with our team right now: email, live chat, or via phone with their Immersed Games contact.
Can I delete all my child/student’s chat data?
Yes, a parent or teacher may request that all chat that their student has engaged in is deleted by contacting us at email@example.com with the students’ username. You must email us from the same email address that owns the account, so that we can confirm ownership. The requested will be processed within 72 hours.
How do you view, correct, edit, or update personal information?
Users can access and change their own personal information (name, email, username, password) from the website account dashboard unless they are a child account, or imported from Google Classroom. Child accounts can only be edited by their parents, and Google Classroom account information must be edited with Google.
How does Tyto Online handle abandoned accounts?
Tyto Online will delete an account and all content associated with the account if the account has not been accessed for more than 7 years. An inactive account will not be automatically deleted, so that students can return to the game during their K12 learning experience and retain their customized character and learning progress.Prior to deleting an abandoned account, Tyto Online will notify the account owner associated with the account by email and provide an opportunity for them to log in and prevent deletion.
How do you delete your Tyto Online account and information?
If you would like to delete your Tyto Online account (or that of your students or children) and all related account information, please send an email to firstname.lastname@example.org. Tyto Online may still retain information for up to 30 days to provide customer support and prevent accidental deletion. Please keep in mind that after deletion, recovery of account progress will be impossible.
If you are a teacher or school administrator within the US, please be aware that FERPA requires us to retain student education records once a valid request to inspect those records has been made.
Can I export my Tyto Online data?
Unfortunately, data created by Tyto Online gameplay is unique to the proprietary design of Tyto Online and not usable by other applications. Therefore, this data is not currently exportable or portable to other services or applications.
If you have any questions, please email us at email@example.com