XtraMath Privacy Policy


XtraMath is committed to protecting data privacy. We strictly adhere to this Privacy Policy, which explains what user data we collect and how we use it. This policy and our Terms of Service are known collectively as our “Terms.” We may change these Terms from time to time, but will provide notice as specified in the Terms of Service document

This policy is effective May 25, 2018, and replaces our prior privacy policy.


What Data We Collect

XtraMath collects the minimum amount of data required to operate our program. Below we summarize the data we collect on students, teachers, and parents. For an up-to-date list that shows what user data we collect, and how we use that data, see Appendix B, Record of Data Processing.


Student Data

We collect a student’s first name, grade level, and program settings from the student’s parent or teacher. As the student uses XtraMath, we collect usage and performance data, such as when they signed in, how many questions they answered correctly, and how long it took them to answer questions. If a student signs in via a single sign-on provider, such as Google, we collect an identifier from the provider that allows us to authenticate their sign-in. We do not collect the student email address that may be used for such a sign-in.

Other personal information about the student could be inferred from data that we collect. If a student account belongs to a class, for example, then we could infer that they attend a certain school.

Parent Data

We collect a parent’s name and email address when they sign up for an account. If they sign up using a single sign-on provider, we also collect an identifier that allows us to authenticate their sign-in. We also collect some metadata and account settings, such as their time zone, the language they used to sign up, and their email preferences.

A parent supplies a password when they create an account. The password is hashed (scrambled) on the user’s computer before it is ever sent to XtraMath. We do not have access to a user’s original password, and cannot obtain it from the hashed version that we receive.

Other personal information about the parent could be inferred from data that we collect. For example, we could infer that a parent whose account is linked to a student account is the parent or guardian of that student.

Teacher Data

We collect the same data for teacher accounts as parent accounts, with a few additions. For example, we collect the name by which students address the teacher, such as “Ms. Smith.” We also collect information about each class that the teacher creates, such as its name and its end date.

Other personal information about the teacher could be inferred from data we collect. For example, we could infer that the teacher works at a specific school based on their email address.

How We Use and Share Data

XtraMath processes user data in order to establish and maintain accounts, to provide educational activities to students, to compile and deliver reports about those activities to teachers and parents, and to understand and improve our program’s effectiveness. For an up-to-date list that shows the specific types of user data we collect, and how we use that data, see Appendix B, Record of Data Processing.

Student Data

A student’s Personal Data is used internally to provide the student with appropriate educational activities, and to report their performance to their parents and teachers. We may access student Personal Data when providing customer support or investigating a reported issue with our program.

Parent and Teacher Data

A parent’s or teacher’s Personal Data is used internally for sign-in purposes and, with permission, to send them reports, announcements, and alerts related to XtraMath. We may access a parent’s or teacher’s Personal Data when providing them with requested support.

Sharing Personal Data with Third Parties

We release Personal Data to third parties only in the following circumstances:

XtraMath never releases Personal Data for any kind of third-party advertising.

Use of De-identified Data

We may use de-identified usage data internally to analyze and improve our educational services, and to develop new products or features. We will never attempt to re-identify data that has been de-identified.

We may release de-identified data to educational researchers for the purpose of evaluating the effectiveness of our program. We will not release de-identified data unless we are confident it cannot be re-identified, due to the removal of all direct and indirect personal identifiers, and the educational researchers have agreed in writing that they will not attempt to re-identify any individuals, classes, or Schools.

We may use aggregate de-identified data, such as the number of users of our service, for promotional purposes.

How We Securely Store Data

XtraMath takes security seriously. We implement a variety of industry-standard security measures to prevent any unauthorized access to our users’ data. Such measures include, but are not limited to: data minimization; encrypting data in transit via HTTPS; hashing sensitive data, like passwords; deletion of outdated data; locked physical facilities; employee training; and administrator account security.

Data Storage and International Transfer

XtraMath stores and processes all data on servers in the United States. All servers that store XtraMath data are operated by trusted third party processors with whom we have contractual Data Processing Addendums. Our providers are certified under the EU-US Privacy Shield and Swiss-US Privacy Shield, to better protect the data of our international users. For details, see Appendix A, List of Third Party Providers.

Data Breach Response

While we use industry-standard practices to safeguard data, no service can guarantee absolute data security. We have a Breach Response Plan, which we will follow if we ever discover that Personal Data has been accessed improperly. As part of our response, we will: take action to stop further data loss or unauthorized access; investigate how the breach occurred; promptly contact all affected users via email; and contact law enforcement and government agencies when appropriate.

Data Retention and Deletion

XtraMath retains Personal Data only for as long as necessary to ensure continuity of math skill-building for students, and for the convenience of parents and teachers. We close user accounts, and delete all associated identifiable data, upon request. Most types of data are also deleted automatically after a certain amount of time has passed. For details, see Appendix B, Record of Data Processing.

We may retain de-identified, aggregate data, which cannot identify any individual user, for research and program improvement purposes. Such data is deleted once no longer necessary for these purposes.

We will provide certification of data deletion upon request.

Compliance with Data Privacy Laws

XtraMath intends to comply with the data privacy and data protection laws of all jurisdictions where it operates. See the XtraMath and Student Data Privacy whitepaper for the latest information on compliance. Some specific examples of legislation that we comply with are described below.

United States

Children’s Online Privacy Protection Act (COPPA): As a non-profit organization, XtraMath is not subject to COPPA. Nevertheless, we fully comply with the law as if we were subject to it. Children under the age of 13 may not create accounts. We only collect usage and performance data from students as a result of their performing educational activities, and we only use that data for educational purposes. If we gain actual knowledge that a child is using XtraMath without the appropriate consent, we terminate the account.

Family Education Rights Protection Act (FERPA): Schools in the United States may provide student data to XtraMath while complying with FERPA. When a School provides us with a student’s Personal Data (or PII — Personally Identifiable Information) under the FERPA school official exemption, they remain in control of that data. XtraMath will only use and disclose that data as specified in our Terms and as allowed by law.


General Data Protection Regulation (GDPR): XtraMath affirms and respects all data subject's rights under GDPR. We minimize the data we collect and process, and use data only as described in this policy. For detailed information about what data we process, for what purpose, for how long, and our basis for doing so under the GDPR, see Appendix B, Record of Data Processing. To object to processing, or to request data deletion or access, contact our Data Protection Officer at privacy@xtramath.org.

Cookies and Local Storage

XtraMath intends to discontinue the use of cookies by August 1, 2018.

XtraMath uses two types of cookies. These cookies can be cleared via browser settings - aboutcookies.org provides cookie management instructions for many specific browsers.

The XtraMath website uses “LocalStorage” files to remember a user’s sign-in information (if they choose to do so). We also use “SessionStorage” to improve performance during student activities by temporarily storing activity data on the device. Use of LocalStorage and SessionStorage is not required to use XtraMath. Users can remove remembered sign-in information at any time via the appropriate sign-in page. Users can also clear all LocalStorage by using the “Clear now” button on our support page, or via browser settings.

The XtraMath mobile apps use application data for the same purposes as browser LocalStorage and SessionStorage. Users can still remove remembered sign-in information via the app’s sign-in pages. Uninstalling the app will remove all locally stored data. Some devices also allow users to clear locally stored app data without uninstalling the app.

Contact Us

For data privacy questions or concerns, to object to processing, or to request access to or deletion of your or your child’s Personal Data, email us at privacy@xtramath.org. You may also write to us at: XtraMath, 4700 42nd Ave SW #580, Seattle, WA 98116

Appendix A: List of Third Party Providers

This list will be kept up-to-date to include all third-party providers with which XtraMath shares user data.

Provider Name Data shared with Provider Purpose Relevant Policies
AWS User account data, including name, email address, and program usage. Database hosting via remote servers Privacy Policy
Google Anonymous ID created by cookie Website Analytics Privacy Policy
Opt-out Browser Add-on
Maxmind IP adddress Geolocation Service Privacy Policy
Vimeo Anonymous ID created by cookie, video player settings Enable playback of embedded videos (remember volume, if video is paused, etc) Privacy Policy

Appendix B: Record of Data Processing

We have compiled this record in order to provide users with as much transparency as possible into how we use their data. This record also helps us to comply with European law. Unless otherwise noted in the record below, we process user data based on our legitimate interests.

Account Type Type of Data Processing Purpose Deletion
Student First name, PIN, parent or teacher email, class Account access and identification Upon account closure1. Some information is deleted upon removal from the class or linked account.
Single-sign-on provider and hashed ID Account access using optional 3rd party credential Upon request or account closure1
Grade level Determine initial activity level. When de-identified and aggregated, used to analyze program usage. Upon account closure1
Program settings: current program, UI options, preferred language, etc. Activity customization. When de-identified and aggregated, used to analyze program usage. Upon account closure1
Activity Data Activity customization and creation of progress reports. When de-identified and aggregated, used to analyze program usage. Upon account closure1. Some data is deleted when user restarts a program. Detailed activity data is deleted after one year.
Parent or Teacher Name, “addressed as” name, email address, hashed password Account access and identification Upon account closure2, 3
Email address Send announcements, alerts, reports, and/or reminders via email Processing ceases upon request. Data deletion upon account closure2, 3
Email address Share with linked accounts that have access to same student or class (for increased transparency and security of student data) Data deletion upon account closure2, 3
Account settings: account type, email preferences, time zone, etc. Create progress reports and maintain data preferences Upon account closure2, 3
Electronic identifiers: account change timestamps, version number, etc. Technical support and account security Upon account closure2, 3
Single-sign-on provider and hashed ID Account access using optional 3rd party credential Upon request or account closure2, 3
IP address Determine time zone upon sign-up Not stored
Hashed IP address Account security After 1 year or upon account closure2, 3
Teacher Hashed IP address Expedite classroom setup on multiple devices After 24 hours
Class name, class end date, student names Create progress reports and facilitate program usage Upon request, account closure3, or one year after class end date.
All Users Hashed IP address, change logs Network security After 90 days
De-identified and aggregated usage data Product improvement and development, promotional activities, and educational research Until no longer useful
  1. Student accounts: account closure occurs upon request, automatically after two years of account inactivity, or one month after being unlinked from all parent and teacher accounts.
  2. Parent accounts: account closure occurs upon request, or automatically after two years of account inactivity.
  3. Teacher accounts: account closure occurs upon request.