Privacy practices built for districts and families.

Introduction

This Privacy Policy describes how K12 ARLO LLC (“Arlo,” “we,” “us,” or “our”) handles personal information. Because we operate both a public-facing website and a platform serving school districts, this document is divided into two parts:

• Website Privacy Policy: how we handle information collected from visitors to k12arlo.com and individuals who interact with us as prospective or current customers.
• Services Privacy Notice: how we handle information about students, teachers, and other school users in connection with providing the Arlo platform (the “Services”) to school districts and other educational agencies (our “Districts” or “LEAs”). We handle that information solely on behalf of our Districts as a service provider, pursuant to our agreement with them. The Website Privacy Policy does not apply to that information.

Information We Collect

We collect the following categories of information from website visitors and business contacts:

• Contact information you provide, such as your name, organization, role, email address, and phone number when you request a demo, contact us, or sign up for communications.
• Communications you send us, including the contents of messages, support tickets, and feedback.
• Marketing preferences, such as your preferences for receiving communications and how you engage with our emails.
• Device and usage data collected automatically, such as IP address, browser type, operating system, pages viewed, referring URL, and approximate location derived from IP. We use cookies and similar technologies to collect this information.

How We Use This Information

We use website information to:

• Operate, maintain, and improve our website.
• Respond to inquiries, demo requests, and support questions.
• Send service-related and, with your permission, marketing communications.
• Analyze website usage to improve our content and offerings.
• Comply with legal obligations and enforce our terms.

How We Share This Information

We share website information with:

• Service providers that help us operate our business, such as hosting, analytics, email delivery, and CRM providers. These providers are bound by confidentiality obligations.
• Authorities and others when reasonably necessary to comply with law, respond to legal process, or protect our rights and the safety of others.
• Business successors in connection with a merger, acquisition, or sale of all or part of our business. We will require any successor to honor the commitments in this Privacy Policy.

We do not sell information collected through our website.

Cookies and Tracking

We use cookies and similar technologies to remember your preferences, understand how visitors use our website, and improve performance. You can disable cookies through your browser settings, though some features may not function as intended. We do not currently respond to “Do Not Track” browser signals.

Your Choices

• Marketing emails: you can unsubscribe at any time using the link at the bottom of any marketing email.
• Access, correction, deletion: you may contact us at the address below to request access to, correction of, or deletion of your personal information, subject to applicable law.

Children

Our website is not directed to children under 13. We do not knowingly collect personal information from children under 13 through our website. Information collected through our Services is addressed in the Services Privacy Notice.

Changes to This Section

We may update this Website Privacy Policy from time to time. The “Last Reviewed” date at the top of this document reflects the most recent revision. We will provide notice of material changes by posting an updated version on our website.

Our Role

When we provide the Services, our District customers are the controllers of student and other educational data, and we act as a service provider or processor on their behalf. With respect to information governed by the Family Educational Rights and Privacy Act (“FERPA”), we operate as a “school official” with a legitimate educational interest, performing functions that the District would otherwise perform itself, under the District’s direct control.

Districts retain ownership of their data. All student data we process remains the property of and under the control of the District. In the event of a conflict between this Notice and a signed DPA, the DPA controls.

Information We Collect

Depending on the configuration selected by each District, the Services may collect or process the following categories of information about students, teachers, and other authorized users:

• Identifiers: name, email address, school and district name, District-assigned student or staff ID, state ID, Arlo-assigned user ID, app username, and password.
• Roster and enrollment data: grade level, school enrollment, homeroom, schedule, teacher names, specific curriculum programs, and year of graduation.
• Demographic data: date of birth, place of birth, gender, ethnicity or race, language information, English language learner status, low-income status, IEP or 504 status, and similar indicators provided by the District.
• Attendance data: daily school attendance and class attendance records.
• Assessment data: standardized test scores, observation data, and other assessment results provided by the District.
• Behavior and conduct data: conduct or behavioral records, behavior incidents, and related notes.
• Intervention and support records: intervention plans, progress notes, support referrals, counseling notes, and associated workflow records.
• Student-generated content: written work, uploads, posts, survey responses, and in-platform communications created by students.
• Parent and guardian contact information: name, address, email, phone, and the connection of a guardian to a student.
• Health data: medical alerts, health flags, and similar information provided by the District for educational support purposes.
• Application metadata and usage data: IP address, device type, browser type, log data, pages or features accessed, and similar technical information generated through use of the Services.

A complete and current list of data elements collected by the Arlo platform is maintained in the Schedule of Data (Exhibit B) attached to each District’s DPA, and is available upon request.

How We Use This Information

We use information processed through the Services solely to:

• Provide, maintain, and support the Services contracted for by the District.
• Communicate with authorized users about the Services, respond to support requests, and notify users of service-related issues.
• Analyze, improve, and develop the Services, including by creating de-identified or aggregated data as described below.
• Comply with applicable law, our contractual obligations to Districts, and lawful instructions from Districts.

What We Will Not Do

Consistent with our DPA obligations, FERPA, COPPA, and applicable state student privacy laws, we will not:

• Sell student data or any other information processed through the Services.
• Use student data for targeted advertising or to build a profile of a student for any purpose other than supporting authorized educational purposes.
• Disclose student data to any third party except as described in this Notice or as directed or permitted by the District.
• Use student data for any commercial purpose other than providing the Services to the District.

How We Share Information

We share information processed through the Services only as follows:

• With the District: authorized users at the District have access to data pertaining to their students, staff, and schools.
• With subprocessors: we engage vendors to support the Services, such as cloud hosting and infrastructure providers. Each subprocessor is bound by a written agreement that requires data protections at least as stringent as those in our DPA with the District, and prohibits any sale of student data. A current list of subprocessors is available to Districts upon request.
• In response to legal process: we may disclose information if required by a judicial order, lawfully issued subpoena, or warrant. Where permitted, we will notify the District before disclosure.
• In a change of control: if we are involved in a merger, acquisition, or sale of assets, we will provide written notice to Districts within sixty (60) days of closing and will require any successor to assume our obligations under each DPA. We will not sell student data as part of such a transaction.
• To protect health or safety: only when an authorized District employee has invoked the FERPA health-or-safety emergency provisions, or as otherwise permitted by law.

De-Identified and Aggregated Data

We may create de-identified or aggregated data by removing direct and indirect identifiers in accordance with NIST de-identification standards or guidance issued by the U.S. Department of Education. We may use de-identified data to analyze, improve, and demonstrate the effectiveness of the Services. We will not attempt to re-identify de-identified data, and we will not transfer de-identified data to a third party other than a subprocessor bound by equivalent terms or as expressly authorized by the District.

Children’s Information (COPPA)

The Services may be used by students under 13. We do not collect personal information directly from children under 13 except where the District has authorized our collection on behalf of parents or guardians, consistent with the school-consent provisions of the Children’s Online Privacy Protection Act (COPPA). Districts are responsible for providing any required notices and obtaining any required parental consent under COPPA and applicable state law.

FERPA

Districts authorize us to receive and use educational data under the FERPA “school official” exception. We use educational data only for the purposes set forth in our agreement with the District and this Notice, and we do not re-disclose educational records except as permitted by FERPA or as directed by the District.

Security

Our information security program is aligned with the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) 2.0, which organizes cybersecurity outcomes around six functions: Govern, Identify, Protect, Detect, Respond, and Recover. Our program includes:

• Governance: written information security policies, defined roles and responsibilities, and management oversight of our security program.
• Risk identification: an inventory of systems and data assets, periodic risk assessments, and subprocessor risk review.
• Protective controls: encryption of data in transit and at rest, role-based access controls, multi-factor authentication for administrative access, least-privilege principles, employee confidentiality agreements, and security awareness training for personnel with access to student data.
• Detection: logging, monitoring, and vulnerability scanning to identify suspicious activity and potential weaknesses.
• Response: a written incident response plan, with defined roles, communication procedures, and breach notification workflows.
• Recovery: regular backups and procedures for restoring service and data following an incident.

We conduct a security audit or assessment at least annually and following any data breach. Audit reports are available to Districts upon reasonable request, subject to confidentiality and reasonable redaction, in accordance with the terms of our DPA.

All Services data is hosted in the United States. We do not store or transfer Services data internationally.

Data Breach Notification

In the event of a confirmed data breach involving information processed through the Services, we will notify the affected District within seventy-two (72) hours of confirmation, or within a shorter period if required by our DPA or applicable law. Our notification will include the information required under our DPA and applicable law, including the date of the breach, a description of the data involved, and the steps we are taking in response. We maintain a written data breach response plan, a summary of which is available to Districts upon reasonable written request.

Data Retention and Disposition

We retain information processed through the Services for as long as the District maintains an active agreement with us, or as otherwise instructed by the District. Upon written request from the District, or at the termination of our agreement, we will dispose of or return all student data within sixty (60) days, in accordance with our DPA. The District may provide special instructions for disposition (for example, to delete data for graduating students) at any time during the term of the agreement. Our standard retention and destruction schedule is available to Districts upon request.

Parent and Student Rights

Districts are responsible for responding to requests from parents, legal guardians, and eligible students to access, correct, or delete educational records. If a parent, guardian, or student contacts us directly with such a request, we will refer them to the District. We will support the District in responding to verified requests in accordance with FERPA and applicable state law, typically within thirty (30) days of receipt or the timeframe required by state law, whichever is sooner.

Changes to This Notice

We may update this Services Privacy Notice from time to time. Where a change materially affects how we handle student data, we will provide Districts with at least thirty (30) days’ prior written notice by email to the address designated in their DPA. The “Last Reviewed” date at the top of this document reflects the most recent revision.

Governing Law

This Privacy Policy is governed by the laws of the Commonwealth of Massachusetts, without regard to conflict of laws principles. With respect to information processed through the Services, the governing law and venue provisions of each District’s DPA control.

How to Contact Us

If you have questions about this Privacy Policy or our handling of personal information, please contact us:

K12 ARLO LLC
Attention: Privacy Officer

• General privacy inquiries: nathan@k12arlo.com
• Security contact (per Section 5.3 of the NDPA): nathan@k12arlo.com
• Website: k12arlo.com