Last updated: Sept 2023
To summarize our data privacy commitment in plain English:
- We do not display advertising on our App or on our Website.
- We do not sell or share your data with third parties to advertise or market their services or products to you.
- We do not host third-party cookies or trackers that would allow those third parties to track you on our site to advertise or market their products or services to you.
- We use the data you share with Kami solely to provide you the Kami service, to improve it, and to keep you updated about new developments. And we only use third party services that have made the same commitment to us.
- If you ever want to be forgotten, simply email us at email@example.com and all your data will be completely removed from our system.
- Security and Data Protection Measures document can be found here.
COPPA, FERPA, SOPPA & SOPIPA in the USA
This policy is in accordance with the U.S. Children’s Online Privacy Protection Act (“COPPA”) and Family Educational Rights and Privacy Act (FERPA), and outlines our practices world-wide regarding the personal information of all students under 13. For more information about COPPA and general tips about protecting children’s online privacy, please visit OnGuard Online.
Kami fully complies with the Student Online Personal Protection Act (SOPPA) and the Student Online Personal Information Protection Act (SOPIPA) regulations. We are committed to protecting the privacy and security of K-12 students’ personal information while using our platform, Kami collects only the necessary personal information, SOPPA went in to effect in 2021 and can be found under Public Act 101-0515 on Illinois general assembly site and you can contact Kami on Support@kamiapp.com with questions, we secure the information as highlighted in this policy as well as and restrict access to it as its the right thing to do and complies to these acts.
Teacher or schools consent in lieu of a parent
If you are accessing Kami on behalf of a Class, School or District, anywhere in the world, the following provisions also apply:
- You represent and warrant that you are solely responsible for complying with the Child Online Privacy Protection Act (COPPA) or similar requirement to secure parental consent for accessing applications which require personal information from children under 13.
- With regard to school-based activities, COPPA allows teachers and school administrators to act in the stead of parents to provide consent for the collection of personal information from children.
- For more information on COPPA, please see www.ftc.gov/privacy.
- Information on SOPIPA can be found here
Personal information stored
In order to create a unique account, Kami does require that all users enter their email address and create a password, which is stored on the site, or use their own Google or Microsoft Account to sign on (Single-Sign-On), and may collect additional information such as name of school or class, and whether they are a teacher or student, in order to assign the user to the correct user group. Documents may be uploaded to Kami by users in order to share them with other users for collaborative processing. Kami does not store these files once the sharing process is completed. Annotations made by users are stored on the site in order to display them to other users viewing a shared document, and to display them to the user if the same file is later re-opened.
We collect and use the following information to provide, improve and protect our Services:
- Account – We collect, and associate with your account, information you give us like your name, email address, phone number, payment info, and physical address. Some of our services let you access your accounts and your information with other service providers.
- Services – When you use our Services, we store, process and transmit your files and information related to them (for example, the annotations you make). If you give us access to your contacts, we’ll store those contacts on our servers only for you to use. This will make it easy for you to do things like sharing your stuff, and inviting others to use the Services.
- Usage – We collect information from and about the devices you use to access the Services, to aid trouble-shooting and optimisation of the Services. This includes things like IP addresses, the type of browser and device you use, the web page you visited before coming to our sites, and identifiers associated with your devices. Your devices (depending on their settings) may also transmit location information to the Services.
Please note that users, including children, can choose whether to share this information with us, but certain features may not function without it. As a result, users may not be able to access certain features if required information has not been provided. We will not require a user to provide more information than is reasonably necessary in order to participate in the online activity, and we use this personal data for no other purpose than providing the service to the user.
Kami collects limited personal information from students only where that student’s school, district, or teacher has engaged with Kami to collect personal information for the use and benefit of the learning environment. This information is not shared outside of the school or with any third parties except those needed for the provision of the service as outlined in this policy. Students of any age cannot share their profiles publicly outside of their classroom or school.
Teachers can annotate documents and provide comments to students. Students can annotate documents, submit assignments through your learning management system, add comments and take online tests; Teachers or students can record audio or video and attach these recordings to content in our system. None of this information is shared with any third parties without the teacher or school’s consent.
Access to user information is given only as discussed below, but we won’t give or sell it to advertisers or other third-parties.
- Other users you share it with – Our Services display information like your name and email address to other users in places like your user profile and sharing notifications. Certain features let you make additional information available to other users.
- You can also give third parties access to your information and account – for example, via Kami APIs. Just remember that their use of your information will be governed by their privacy policies and terms.
- Law & Order – We may disclose your information to third parties if we determine that such disclosure is reasonably necessary to (a) comply with the law; (b) protect any person from death or serious bodily injury; (c) prevent fraud or abuse of Kami or our users; or (d) protect Kami’s property rights.
Stewardship of your data is critical to us and a responsibility that we embrace. We believe that our users’ data should receive the same legal protections regardless of whether it’s stored on our services or on their home computer’s hard drive. We’ll abide by our principles when receiving, scrutinizing and responding to government requests for our users’ data:
- Be transparent,
- Fight blanket requests,
- Protect all users, and
- Provide trusted services.
Review and Deletion of Personal Information
General Rules for Deletion of Personal Information
If you wish to review your personally identifiable information stored by Kami, you may email us your request at firstname.lastname@example.org . We will respond to your request within 30 days.
If your personally identifiable information changes, or if you no longer desire our service, you may correct, update, or delete it by making the change directly in the user profile in the Kami App, or email us at email@example.com . We will respond to your request within 30 days.
We will retain your information only for as long as your account is active or as needed to provide you services. If you wish to cancel your account or request that we no longer use your information to provide you services, contact us at firstname.lastname@example.org. We will only retain and use your information as necessary to comply with our legal obligations.
Rules for Deletion of Personal Information for children
Under FERPA regulations, Parents have the right to refuse the site further contact with their child and to have access to their child’s school record information and to have it deleted by contacting the school administrator.
If you are a parent and would like more information on parental rights with respect to a child’s educational record under the U.S. Family Educational Rights and Privacy Act (FERPA), please visit the FERPA site. If you believe that a student’s school, district, or teacher has not required parental consent prior to our collection of any personal information, contact us at email@example.com
If you wish to review your or your student’s or your child’s personally identifiable information stored by Kami, you may email us your request at firstname.lastname@example.org . We will respond to your request within 30 days.
If your or your student’s or your child’s personally identifiable information changes, or if you no longer desire our service, you may correct, update, or delete it by making the change directly in the user profile in the Kami App, or email us at email@example.com . We will respond to your request within 30 days.
In any correspondence such as e-mail or mail, please include the child’s username, the school or organization, and the teacher or parent’s email address and telephone number. To protect children’s privacy and security, we will take reasonable steps to help verify a teacher or parent’s identity before granting access to any personal information.
Is the Personal Information Secure?
Your account is protected by a password for your privacy and security. You must prevent unauthorized access to your account and Personal Information by selecting and protecting your password appropriately and limiting access to your computer or device and browser by signing off after you have finished accessing your account.
We endeavor to protect the privacy of your account and other Personal Information we hold in our records, but we cannot guarantee complete security. The transmission of information via the Internet is not completely secure. Unauthorized entry or use, hardware or software failure, and other factors, may compromise the security of user information at any time.
When you enter your information on our site we encrypt the transmission of that information using transport layer security (TLS). Firewalls are used to segregate application tiers and provide strict controls on access to resources within our networks. Your data is also encrypted at rest on the servers hosted by our cloud services partners AWS and Google Cloud Platform, which we selected because of their compliance with COPPA, and their stringent security measures, including compliance with the following certifications and third-party attestations:
- SAS70 Type II audits
Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS)
- ISO 27001 certification
U.S. General Services Administration FISMA-Moderate level operation authorization
Outages, attacks, unauthorized use, or other factors may compromise the security of user information at any time. In the event of a security breach, we will notify you by posting on the Kami Website and notifying you by email using the email address on your account within 72 hours of Kami becoming aware of such breach. For EU residents, notification to the Kami Supervisory Authority shall be made within the same time period.
Third Party Service Providers used
We work with a number of third-party service providers to help improve the quality of our service. We have contracts with these third parties which guarantee that they do not share your information with any other third parties and protect the data at least the same level as we do ourselves. In case a transfer of data is needed while collaborating with one of those third parties we make sure the transfer is executed to a country which is providing adequate protection according to EU. If this is not the case we sign agreements which includes the EU Standard Contractual Clauses (also called Model Clauses) published by the European Commission to protect EU data.
Kami uses the following third-party services :
- Groove – Groove is a platform our Support Team use internally to coordinate customer support activities in response to requests from our customers. Our contractual agreement with Groove complies with the terms of this policy.
- Google Analytics & Tag Manager – an analytics service used to help analyze your use of our Website and allow us to improve our Service and provide you information on the Service. Our agreement with Google complies with the terms of this policy.
- Stripe – when you upgrade your account online using a credit card, your payment is securely processed using Stripe’s e-payments service. Our contractual agreement with Stripe complies with the terms of this policy.
We will only contract with future service providers that are consistent with this policy or allow users a choice to send information to the future provider.
For more information on any of these third parties please contact us at: firstname.lastname@example.org
European Union – GDPR Data Protection
If you are using Kami in the European Union, The EU General Data Protection Regulation (GDPR) applies to you and our storage and processing of your data.
Legal grounds, Rights of data subjects, Deletion
We process your data only on legal grounds, meaning when we have your explicit consent; when we need this in order to execute our contractual obligations towards you; when we are obliged to do so under a legal act of any kind; or in order to protect our legitimate interest.
As a data subject you have rights to:
You may request access to your personal data to receive information, for example, about the categories of personal data that Kami is currently processing.
You may ask Kami to correct personal data that is inaccurate or incomplete.
You may ask Kami to erase personal data where one of the following grounds applies:
- Where the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- You withdraw consent on which the processing is based and where there is no other legal ground for the processing;
- You object to automated decision-making and there are no overriding legitimate grounds for the processing, or you object to the processing for direct marketing;
- The personal data have been unlawfully processed;
- The personal data have to be erased for compliance with legal obligation in Union or Member State law to which Kami is subject;
- The personal data have been collected in relation to the offer of information society services.
You may ask Kami to restrict how it processes your personal data, requesting only their storage, where one of the following grounds applies:
- You contest the accuracy of your personal data, for a period enabling Kami to verify the accuracy of your personal data;
- The processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
- Kami no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims;
- You have objected to processing pursuant to the right to object and automated decision-making, pending the verification whether the legitimate grounds for Kami override those of you.
You may ask Kami to transfer the personal data you have provided us to another organization and/or ask to receive your personal data in a structured, commonly used and machine readable format.
In case you provided your consent to the processing of personal data, you may withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
If your personal data are transferred outside the European Economic Area, you have the right to obtain copy of such data as well as indication of the Country/Countries where the personal data have been made available.
Your right to object to the processing of your personal data
You have the right to object to the processing of your personal data and request the stop of the processing operations when they are based on the legitimate interest.
Your right to lodge a complaint to the Supervisory Authority
The criterion for the duration of the retention of personal data is the respective legal retention period. Once this period expires, the data in question will be routinely erased, provided it is no longer required for the fulfilment or initiation of the contract.
When we process your data we apply high-standard technical and organizational measures in order to provide maximum security as described above.
The GDPR requires that when any EU user’s personal data is hosted or processed outside of the European Economic Area, it must remain protected to an adequate standard in line with EU law. Here is our Data Transfer Agreement as well below there are a few ways that Kami achieves this:
First, some of our EU customers’ data is processed in New Zealand (where our Headquarters are located). New Zealand is recognized by the EU as a territory that ensures an adequate level of data protection decided by 2013/65/EU: Commission Implementing Decision of 19 December 2012 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by New Zealand (notified under document C(2012) 9557) Text with EEA relevance.
When we hold EU customer data in other territories, like the US, we take other ‘Appropriate Safeguards’ that are prescribed by the GDPR. Specifically, we either transfer your data to countries which are providing adequate protection according to EU or we enter into Data Processing Agreements with Customers in which we rely on EU Standard Contractual Clauses (also called Model Clauses) published by the European Commission to protect EU data. These are standard form data export agreements that have been approved by the European Commission as a lawful basis for transferring personal data to non-EEA countries like the USA. Our standard Data Processing Agreement is available and can be downloaded here to sign upon request.
Secondly, when we hold EU customer data in other territories, like the USA, we take other ‘Appropriate Safeguards’ that are prescribed by the GDPR. Specifically, we enter into Data Processing Agreements with Customers in which we rely on EU Standard Contractual Clauses (also called the SCCs or the EU Model Clauses) published by the European Commission to enforce the protection of EU users’ data. These are standard form data export agreements that have been approved by the European Commission as a lawful basis for transferring personal data to non-EEA countries like the USA. Kami also has signed up to and is compliant with all controls and standards for the EU-US Data Privacy Framework (DPF).
Our standard Data Processing Agreement incorporating the EU Model Clauses can be downloaded here to sign upon request but is already incorporated into our Standard Terms of Service and applies to you.
Kami’s EU-US Data Privacy Framework (DPF) compliance and participation can be found here, This notifies that Notable Inc (dba Kami) is deemed to provide “adequate” data protection (i.e., privacy protection), a requirement (subject to limited derogations) for the transfer of personal data outside of the European Union under the EU General Data Protection Regulation (GDPR), outside of the United Kingdom under the UK Data Protection Act 2018 and UK General Data Protection Regulation (UK GDPR), and outside of Switzerland under the Swiss Federal Act on Data Protection (FADP)
(Kami wants to notify you that as of 10 July 2023 the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework. On the basis of the adequacy decision, personal data can flow freely from the EU to companies in the United States that participate in the Data Privacy Framework. This is a replacement for the EU-U.S. PrivacyShield Framework, which is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. Kami complies with the EU-US Data Privacy Framework set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States.)
Thirdly, we have verified that our US-based cloud hosting providers are working with us according to agreements which include SCC (EU Model clauses) as explained above. Specifically,
- Amazon Web Services – our agreement with AWS incorporates the EU SCCs for GDPR-compliant protection of EU users’ data as confirmed here.
- Google Cloud Platform – our agreement with GCP incorporates the EU SCCs for GDPR-compliant protection of EU users’ data as confirmed here.
- Groove – our agreement with Groove incorporates a DPA using the EU SCCs for GDPR-compliant protection of EU users’ data.
- Stripe – our agreement with Stripe incorporates the EU SCCs for GDPR-compliant protection of EU users’ data here
Kami may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.
GDPR Rights of Arbitration
In case of a dispute or non-resolution related to privacy issues, European users may invoke binding arbitration via your EU data protection authority (DPAs).
Finally, we have a Designated Data Protection Representative established in an EU member state, as required under the requirements of Article 27 of Regulation (EU) 2016/679 (GDPR). You can contact our local EU representative here:
Contact person: Ginka HRISTOVA
United Kingdom Privacy Rights
We comply with the data privacy requirements under the UK legislation, We are aware that UK DPA is an evolving legislative landscape and as such Kami complies with the UK Data Protection Act, KAMI applies the requirements of the UK Data Protection Act and consequently, the UK Data Transfer Agreement (DTA) forms.
The UK ICO has Standard Data Protection Clauses that were issued by the Commissioner under S119A(1) Data Protection Act 2018, if you would like to download the International Data Transfer Agreement, it can be found here, or the international data transfer addendum to the European Commission’s Standard Contractual Clauses (SCC) for international data transfers (Addendum) downloaded here.
Our standard EU Data Processing Agreement incorporating the EU SCCs can be downloaded here to sign upon request but is already incorporated into our Standard Terms of Service.
California Privacy Rights
In addition to the rights as explained in this Policy, California residents who provide Personal Information (as defined in the statute) to obtain educational services are entitled to request and obtain from us, once a calendar year, information about the Personal Information we shared, if any, with others third parties. If applicable, this information would include the categories of Personal Information and the names and addresses of those third parties with which we shared such personal information for the immediately prior calendar year (e.g., requests made in the current year will receive information about the prior year). For more information please contact us at: email@example.com
DO NOT TRACK
Some browsers incorporate a Do Not Track feature that signals to websites you visit that you do not want to have your online activity tracked. Tracking is not the same as using or collecting information in connection with a website. For these purposes, tracking refers to collecting personally identifiable information from consumers who use or visit a website or online service as they move across different websites over time. Our Website does not track its visitors across third party websites. If your browser indicates Do Not Track, our Website will not record your visit.
Australia privacy rights
If you reside in Australia, you have a legal right under the Privacy Act 1988 (Cth) to request access to your personal data which is held by Kami. You also have a right to seek correction (including correction of any errors) of your personal data. If you would like to request access to, or correction of, your personal data, please contact us. If you request access to, or the correction of, your personal data, we will respond to your request within a reasonable period after the request is made. Access to your personal data will be provided in accordance with any applicable laws and is subject to any exemptions which might apply under those laws.
For more information please contact us at: firstname.lastname@example.org
Canada privacy rights
If you reside in Canada, you have a right to request access to your personal data which is held by Kami and the right to request its modification (including the correction of any errors). If you would like to request access to, or correction of, your personal data, please contact us. We will respond to your request within a reasonable period after the request is made. To protect against fraudulent requests for access to your personal data, we may ask you for additional information to confirm that the person making the request is you or is authorized to access your personal data. For example, we may require you to verify your identity before you access your personal data. Access to your personal data will be provided in accordance with applicable laws and is subject to any exemptions which might apply under those laws.
For more information please contact us at: email@example.com
Notable Inc is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC)
Disclosure and Permissions
We do not disclose personal information collected from users to third parties other than to persons who provide support for the operations of the service and who do not use the information for any other purpose, as detailed above.
We do not disclose personal information collected from Children to third parties other than to persons who provide support for the operations of the service and who do not use the information for any other purpose, except as follows:
- Teachers & school administrators
We reserve the right to disclose your personally identifiable information as required by law and when we believe that disclosure is necessary to protect our rights and/or to comply with a judicial proceeding, court order, or legal process served on our Website.
Cookies and similar technologies used
Technologies such as cookies, beacons, tags and scripts are used by Kami. These technologies are used to make it easier for you to navigate our site, to store your passwords so you don’t have to enter it more than once, analyzing trends, administering the site, tracking users’ movements throughout the site and to gather usage information about our user base as a whole. We may receive reports based on the use of these technologies by these companies on an individual as well as aggregated basis.
As true of most Web Sites, we gather certain information automatically and store it in log files. This information may include internet protocol (IP) addresses, browser type, internet service provider (ISP), referring/exit pages, operating system, date/time stamp, and/or clickstream data. We do not link this automatically-collected data to other information we collect about you.
Kami collects and analyzes data on how the service is used in the aggregate for the purpose of improving and enhancing its service. Kami does not analyze information on how particular individuals use the service as part of general reporting procedures or in the usual course of business. However, information on individual usage of the system, including but not limited to individual IP addresses, may be analyzed on a case-specific basis to resolve a technical difficulty or to assist in resolving or investigating any misuse of the service.
Changes to this Policy
We also reserve the right to amend the EU Model Contract Clauses in case when the European Commission adopts new ones.
Links to Other Sites
If you click on a link to a third-party site, you will leave the kamiapp.com Website and be redirected to the site you selected. Because we cannot control the activities of third parties, we cannot accept responsibility for any use of your personally identifiable information by such third parties, and we cannot guarantee that they will adhere to the same privacy practices as Kami. We encourage you to review the privacy statements of any other service provider from whom you request services. If you visit a third-party website that is linked to the Kami Website, you should read that site’s privacy statement before providing any personally identifiable information with them.
Have questions or concerns about Kami, our Services and privacy? Contact us at firstname.lastname@example.org
Notable Inc in USA
8605 Santa Monica Blvd PMB 57387
West Hollywood, California 90069-4109 US
And Kami Limited in New Zealand
125 St Georges Bay Road, Parnell, Auckland 1052