Amira Privacy Policy - US, EU, and UK

Last Updated: July 16, 2025

Amira Learning, Inc. complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce. Amira has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in our privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

The privacy policy covering personal data transferred from the European Union and the United Kingdom can be found below in the section titled “Amira Learning EU and UK Privacy Policy.”

For data other than that transferred from the European Union or the United Kingdom, the following privacy policy associated with the US applies:

 

Amira Privacy Policy - US School Experience

This Privacy Policy explains how Amira Learning Inc. (“Amira,” “we,” “our” or “us”) collects, uses and discloses information about users of our Amira app (“Amira App”), website, and other online products and services (collectively, the “Services”). This Policy addresses our information practices applicable to our Services. Our information practices vary depending upon the type of user and the portion of the Amira App used by that user. Users of the Services include child users (any child under the age of 13 enrolled in school districts and schools that make the Amira App or other Services available) (“Child”) and adult users (including teachers, school administrators, district administrators, and other educators who purchase our Services or work in a district or school that purchased our Services) (“Educators”), collectively referred to as Users. A Child may only use the learning portion of the Services. Only Educators can create accounts and subscribe to the Services.

Changes to Amira Privacy Policy

We may change this Privacy Policy from time to time. If we make changes, we will notify you by revising the date at the top of the policy and, in some cases, we may provide you with additional notice (such as adding a statement to our homepage or sending you a notification). We encourage you to review the Privacy Policy regularly to stay informed about our information practices and the choices available to users of our Services.

State-Specific Notes

  • If you are a resident of the states of California, Colorado, Connecticut, Nevada, Utah or Virginia, please see our Additional Privacy Notices for U.S. Residents for additional state-specific information and disclosures.
  • Please also see our Additional Privacy Rights section below for more information about exercising your eligible privacy rights.

Children's Information

Except as explicitly described in this Privacy Policy, we do not knowingly collect personal information from Children under the age of 13 without consent from the school.  We only collect, maintain, use or share personal information from Children as needed for authorized educational or school purposes with consent from the Child’s school. If we learn that we have collected personal information from a Child under 13 without the school’s consent, we will delete that information.

We do not sell personal information of Children. We do not use or disclose information about Children (whether personal information or otherwise) for behavioral targeting of advertisements to Children. We do not build personal profiles of children other than for supporting authorized educational/school purposes.

Collection of Information

Information Provided to Us 

We collect information that Users provide when using the Services, including when Educators sign up for Services.

From Educators

·  Educator Registration Information: We collect registration information, including name, email address, school affiliation and the grade level and names of classes Educators teach.

·  Child Roster Information: We collect information the Educator provides to enable a Child’s use of the Amira App, including the Child’s first name and last name, school email address and password, school name, class name, grade level and local language (e.g. English). We may also collect the Child’s parent’s email address.

From Children

·  Audio Recordings. When a Child interacts with the Amira App, we collect recordings of the Child’s voice. We retain recordings of the Child’s voice when collected from our in-school experience. These recordings enable our AI-driven algorithms to understand their reading strengths and areas where the child would benefit from more practice, evaluate their progress, and customize their experience. We also use these recordings to improve our AI models and the Amira App.

 

Information We Collect Automatically

When Educators access or use the Amira App or our Services, we automatically collect certain information, including:

·  Device and Log Information: We collect information about the device used to access the Amira App or our Services, including the hardware model and device type, unique device identifiers, browser type, network information, operating system and version. We also use analytics software to allow us to better understand the functionality of the Amira App and our Services. This software may record information such as access times and frequency, activity within the Amira App or on our Services, and performance data such as crash reports.

·  Information Collected by Cookies and Other Tracking Technologies: We use various technologies to collect information from our Services, including cookies and web beacons. Cookies are small data files stored on hard drives or in device memory that help us improve our Services and users’ experience, see which areas and features of our Services are popular and count visits. Web beacons are electronic images that may be used in our Services or emails and help deliver cookies, count visits, understand usage and campaign effectiveness and determine whether an email has been opened and acted upon. For more information about cookies, and how to disable them, please see “Your Choices” below.

When Children access or use the learning portion of the Amira App, we automatically collect certain information, including:

·  Amira App Activity Information: We collect information about a Child’s interactions with the Amira App, such as the stories the Child reads, where they tap, and their progress and choices within the Amira App. Our collection of this information through cookies and other tracking technologies (as defined above) is used only to support the internal operations of the Services.

Use of Information

We use information we collect from Educators to: 

·  Permit Educators to register for our Services;

·  Send Educators technical notices, updates, security alerts and support and administrative messages;

·  Respond to Educators’ comments, questions and requests and provide customer support;

·  Send Educators metrics and information about a Child’s reading progress through the in-school application;

·  Provide marketing communications that we believe may be of interest to Educators; and

·  Measure the effectiveness of our advertising to Educators.

We use the information we collect from Children to: 

·  Personalize and improve a Child’s experience on the Amira App and provide content or features that match the Child’s reading level and interests, as well as to monitor trends, usage and activities, so that we can make the Amira App more helpful to all Children; and

· Track a Child’s reading progress and usage of the Amira App.

We use information collected from both Educators and Children to: 

·  Analyze, operate and improve our Services;

·  Detect, protect against, and prevent security incidents and illegal or unauthorized activities, as well as investigate complaints and claims;

·  Comply with applicable laws, legal processes or enforceable governmental requests, and defend against or pursue claims, disputes or litigation – in court or elsewhere; and

·  Enforce our policies, terms and conditions, or other agreements.

 

Sharing of Information

We may share the information we collect from Educators as follows: 

·  Between and among Amira and current and future parents, affiliates, subsidiaries and other companies under common control and ownership, provided such entities are subject to the commitments set forth in this Privacy Policy; and

·  With Educator consent or at the Educator’s direction.

·  We may also share aggregated or de-identified information, which cannot reasonably be used to identify any individual.

We may share the information we collect from Educators and Children as follows:

·  With vendors, consultants and other service providers who need access to such information to carry out work on our behalf, provided such third parties are obligated to treat the data we provide in accordance with the commitments set forth in this Privacy Policy;

·  In response to a request for information if we believe disclosure is in accordance with, or required by, any applicable law, regulation or legal process;

·  If we believe Users’ actions are inconsistent with our user agreements or policies, or to protect the rights, property and safety of Amira or others; and

· In connection with, or during negotiations of, any merger, sale of company assets, financing or acquisition of all or a portion of our business by another company, provided the successor entity will protect the data in accordance with the commitments in this Privacy Policy.

We do not disclose the personal information of any Child to third parties for any marketing or promotional purposes.

 

Legal Basis for Processing

We process your personal information as follows: 

·  To perform our contractual obligations in our Terms of Service or other contracts with you (such as to provide you the Service as described in our Terms of Service);

·  With Educators’ prior consent, which may be withdrawn at any time (we use Educators’ quotes and testimonials for promotional purposes, or other purposes we obtain Educators’ consent for from time to time);

·  When necessary to ensure compliance with a legal obligation to which we are subject; and

·  When necessary for the purposes of our legitimate interests, such as in improving, personalizing, and developing the Service, and for security purposes as described above.

If you have any questions about or would like further information concerning the legal basis on which we collect and use your personal information, please contact us as provided under the Contact Us section.

Your Choices

Additional Privacy Rights

In accordance with applicable privacy law, and depending upon the jurisdiction in which you reside, you may have the right to request to access, correct or delete your Personal Information or to request to opt-out of certain types of data practices. Eligible users can submit a request by completing our Privacy Rights Request Form or emailing us at trust@amiralearning.com.

Please note that if you are a student who accesses the Services through a School, or the student’s parent or legal guardian, you must contact your School to submit a request to access, modify or delete your Personal Information. Please also review the Children’s Information and Educator Information sections below to learn more.

Children's Information

Educators are able to access and update their own personal information and the personal information of the Children for whom they are responsible at any time through their Amira user account. Unless otherwise required by law, any parent or guardian request to access, make changes to or delete their Child’s personal information must be directed to Educators who are designated administrators of school accounts. To make such requests, parents and guardians should follow their school’s procedures for managing their Child’s personal information under applicable law. 

Educator Account Information

Please note that we may retain certain Educator information as permitted by law. We may also retain cached or archived copies of the information we collect for a certain period of time.

Cookies

Most web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove or reject browser cookies. Please note that if you choose to remove or reject cookies, this could affect the availability and functionality of our Services.

Communications Preferences

You may opt out of receiving promotional emails from us by following the instructions in those communications. If you opt out, we may still send you non-promotional emails, such as those about a Child’s reading progress, or about your subscription.

Contact Us

If you have any questions about this Privacy Policy, please contact us at: trust@amiralearning.com,

Phone: +1 (510) 858-2452, and

Mailing: 5214F Diamond Heights Blvd #3255 San Francisco, CA 94131.

 

Amira Learning EU and UK Privacy Policy

This Privacy Policy explains how Amira Learning Inc. (“Amira,” “we,” “our” or “us”) collects, uses and discloses information about users of our Amira app (“Amira App”), website, and other online products and services (collectively, the “Services”). This Policy addresses our information practices applicable to our Services. Our information practices vary depending upon the type of user and the portion of the Amira App used by that user. Users of the Services include child users (“Child”) and adult users (including teachers, school administrators, district administrators, and other educators who purchase our Services or work in a district or school that purchased our Services) (“Educators”), collectively referred to as Users. A Child may only use the learning portion of the Services. Only Educators can create accounts and subscribe to the Services.

1. Amira’s Commitment to the Data Privacy Framework (DPF)

Amira complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce. Amira has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

Further Information

Amira’s certification under the DPF is enforceable under U.S. law and subject to oversight and investigation by the Federal Trade Commission (FTC). For more details about the Data Privacy Framework, please visit the official DPF website.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Amira Learning Inc. commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.

EU and UK individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF should first contact Amira at:

  • Email: trust@amiralearning.com
  • Mailing Address: Amira Learning Inc., 5214F Diamond Heights Blvd 3255, San Francisco, CA 94131

2. Scope of Policy

This Privacy Policy applies to all personal data collected, used, shared, and stored by Amira through our services, including but not limited to:

  • The Amira App: This includes both its learning and administrative components.
  • Our website and any associated web-based platforms.
  • Other online products and services provided or supported by Amira.

Users Covered by This Policy

This Privacy Policy applies to all individuals who interact with our Services, including but not limited to:

  • Educators: Teachers, school administrators, district administrators, and other educational staff who either purchase our Services or work in institutions that utilize our Services.
  • Children: Students who use the learning portion of our Services, typically as authorized by their schools or educational institutions.
  • Parents and Guardians: Individuals who may interact with our Services via notifications or account management, as permitted by schools or educators.

Geographical Scope

This Privacy Policy applies to the processing of personal data:

  • Within the United States, where Amira Learning is headquartered, insofar as the users’ data is covered by the DPF.
  • Within the European Union (EU) and the United Kingdom (UK), where the policy adheres to the General Data Protection Regulation (GDPR) and the DPF.
  • In other jurisdictions, where local data protection regulations require compliance with the DPF.

Data Categories Covered

The scope of this policy includes all categories of personal data processed by Amira, such as:

  • User registration and account details, including names, email addresses, and roles.
  • Educational data, including student reading progress and voice recordings.
  • Device and log information, such as IP addresses and device identifiers.
  • Cookies and tracking data, collected automatically to improve user experience.

3. Compliance with DPF and UK GDPR

Declaration of Compliance with EU-U.S. DPF and UK Extension to DPF

Amira is committed to complying with the EU-U.S. Data Privacy Framework (DPF) and the UK Extension to the EU-U.S. DPF. This commitment ensures that the processing of personal data originating from the European Union (EU), European Economic Area (EEA), and the United Kingdom (UK) adheres to the highest standards of data protection, as required by applicable regulations, including the GDPR and UK GDPR.

Link to DPF Program Website

Further details about the Data Privacy Framework (DPF) can be found on the U.S. Department of Commerce’s official DPF program website:
https://www.dataprivacyframework.gov

Supervisory Authorities and Dispute Resolution Mechanisms

  1. Supervisory Authority
    • Amira Learning acknowledges the authority of the U.S. Federal Trade Commission (FTC) regarding compliance with DPF principles, including enforcement and investigation.
  2. Independent Recourse Mechanism
    • Amira has partnered with an independent recourse mechanism to investigate and resolve complaints related to personal data processing under the DPF Principles. This service is provided at no cost to individuals and ensures a fair, timely resolution of disputes.
      1. For EU data, Amira recognizes relevant Data Protection Authorities (DPAs) as an Independent Recourse Mechanism.
      2. For UK-specific data, Amira recognizes the Information Commissioner’s Office (ICO) as an Independent Recourse Mechanism.
    • For complaints that cannot be resolved through these mechanisms, Amira commits to participating in binding arbitration under the DPF program’s guidelines.
  3. Complaints and Dispute Resolution Process
    • Individuals can submit a privacy-related complaint directly to Amira by contacting us at:
      Email: trust@amiralearning.com
      Phone: +1 (510) 858-2452 Website
    • If an individual is unsatisfied with Amira's response, they may escalate the complaint to the independent recourse mechanism.
  4. UK GDPR-Specific Dispute Process
    • For data originating from the UK, complaints may be submitted to the ICO.
      Contact Information for the ICO:
      Website: https://ico.org.uk
      Phone: +44 303 123 1113

Commitment to Transparency

Amira Learning is committed to making public any relevant compliance documents, including assessment reports, if required under DPF or UK GDPR requirements.

4. Types of Personal Data Collected by Amira

Data Collected about Educators

Amira collects information from educators to facilitate the use of its Services and to support students' learning experiences. The following types of data are collected:

  • Registration Data:
    • Name
    • Email address
    • School affiliation
    • Job title and grade level(s) taught
  • Classroom Data:
    • Class names
    • Student rosters
    • Relevant educational information necessary for account setup and monitoring
  • Contact Data:
    • Communication details provided by educators during the registration process or through ongoing use of the Services.

Data Collected about Children

Amira collects limited personal data from children, strictly for educational purposes, as outlined in applicable privacy laws, including the DPF, GDPR, and UK GDPR. This includes:

  • Voice Recordings:
    • Collected during interactions with the Amira App to assess reading progress and tailor the learning experience.
  • Learning Progress Data:
    • Information on the child’s reading performance, such as:
      • Stories read
      • Progress within assigned tasks
      • Areas needing improvement
  • Account Data – collected from schools during rostering:
    • First and last name
    • School-provided email address (where applicable)
    • Class and grade level

Data Collected Automatically

Amira also collects certain data automatically to ensure the functionality and improvement of its Services, as well as to preserve the Services’ security and integrity:

  • Device and Log Information:
    • Device type and model
    • Browser type and version
    • Operating system and version
    • Network information (e.g., IP address)
    • Unique device identifiers
  • Usage Data:
    • Activity logs, including times and frequency of usage, as well as crash reports.
  • Cookies and Tracking Technologies:
    • Information collected through cookies and similar technologies, including:
      • User preferences and settings
      • Navigation within the Amira App or website
      • Interaction data for optimizing user experience

Purpose of Data Collection:
The personal data collected by Amira is used solely to:

  • Enhance the educational experience for children.
  • Provide support and resources for educators.
  • Ensure the security, functionality, and continuous improvement of the Services.

5. Purpose of Data Processing

Amira Learning processes personal data exclusively for legitimate, defined purposes, ensuring transparency and compliance with data protection regulations. This section details the core purposes for which Amira collects and processes personal data.

Personalization of User Experiences

Amira uses personal data to provide meaningful and individualized educational experiences for its users, focusing particularly on the following aspects:

  1. Adaptive Learning Pathways:
    • Amira leverages AI-driven algorithms to assess children’s reading abilities and progress.
    • Based on these assessments, the platform customizes content and exercises to address specific areas for improvement, providing a tailored learning experience that maximizes educational outcomes.
  2. Individualized Feedback:
    • Teachers receive detailed reports on the progress of their students, including specific reading metrics and areas requiring further practice.
    • These insights enable educators to design targeted interventions for individual students, fostering more effective teaching strategies.
  3. Enhanced User Engagement:
    • Personalization increases user satisfaction and motivation by delivering content that aligns with individual needs and preferences.
    • Amira’s data-driven personalization ensures that the user experience remains engaging and relevant for both children and educators.

Data Analysis and Service Improvement

The analysis of collected data is fundamental to maintaining and improving the quality of Amira’s Services. This encompasses:

  1. Performance Optimization:
    • Amira tracks interactions within its platform to understand how users engage with various features. This data is analyzed to identify any bottlenecks or areas where user experience could be improved.
    • Insights from user behavior guide the development of new features and functionalities, ensuring the service evolves to meet user needs.
  2. AI Enhancement:
    • Data collected from children’s voice recordings and interactions is used to refine the platform’s AI models. These improvements ensure greater accuracy in assessing reading abilities and providing tailored support. Amira maintains controls that prevent a particular local educational authority’s data from being used for training and will apply these controls upon provisioning and maintain them until/unless we have specific written authorization.
    • Continuous improvement of the AI system enhances the reliability and educational value of the platform.
  3. Quality Assurance and Testing:
    • Amira conducts rigorous testing using anonymized data to evaluate the performance and scalability of its platform under different conditions.
    • User feedback is incorporated into updates and enhancements, ensuring that the service remains responsive to the evolving needs of educators and students.

Compliance with Legal Requirements

Amira’s data processing practices are designed to align with the legal frameworks governing its operations. This includes:

  1. Adherence to Data Protection Regulations:
    • Amira complies with the EU-U.S. DPF, UK GDPR, and applicable state-specific regulations to ensure lawful processing of personal data.
    • Policies are regularly updated to reflect changes in legal requirements, minimizing risks of non-compliance.
  2. Transparent and Lawful Disclosure:
    • Amira may disclose personal data in response to lawful requests by public authorities, such as government agencies, national security agencies, law enforcement bodies or courts, in compliance with applicable laws.
    • Any such disclosure is handled with the utmost care to protect user rights and privacy.
  3. Safeguarding User Rights:
    • Amira ensures that all data processing activities are rooted in legal bases such as contractual obligations, user consent, and legitimate interests.
    • Processing activities are documented and justified to demonstrate compliance with regulatory requirements.

Core Principles Supporting Data Processing

Amira ensures that all data processing activities adhere to the following core principles:

  1. Purpose Limitation:
    • Data is processed only for predefined and legitimate purposes, ensuring that users’ personal information is not used for secondary purposes unrelated to the educational scope of Amira’s services.
  2. Data Minimization:
    • Only the data strictly necessary for achieving the stated purposes is collected and processed, reducing risks associated with excessive data handling.
  3. Security and Confidentiality:
    • Personal data is protected using robust technical and organizational measures, including encryption and access controls, ensuring that data remains secure throughout its lifecycle.
  4. Accountability:
    • Amira maintains detailed records of its data processing activities, enabling it to demonstrate compliance with applicable legal and ethical standards.

6. Data Flows and Categories

Amira Learning ensures transparency and compliance by carefully mapping the flow of personal data throughout its systems. This section outlines the stages of data collection, processing, storage, and eventual deletion, as well as the categories of data processed and the conditions for transferring data to third parties.

Detailed Mapping of Data Flows

The data flow at Amira follows a structured pathway from initial collection to eventual deletion, ensuring accountability and regulatory compliance at each stage:

  1. Data Collection:
    • Educators: Data is collected during account registration, including names, email addresses, school affiliation, and classroom details (e.g., class names and grade levels).
    • Children: Data includes voice recordings, reading progress, interaction details within the Amira app, and in some cases, parent email addresses.
    • Automated Collection: Device and log information, such as device type, browser type, and cookies, is collected when users interact with Amira services.
  2. Data Processing:
    • Collected data is processed to personalize learning experiences, generate insights for educators, and improve the platform's performance and AI algorithms.
    • Voice recordings are analyzed using AI-driven algorithms to assess reading skills and identify areas for improvement.
  3. Data Storage:
    • All data is securely stored in compliance with DPF, GDPR and UK GDPR, using encrypted storage mechanisms to protect sensitive information.
    • Data is retained only as long as necessary for its intended purpose (e.g., educational progress tracking), after which it is securely deleted.
  4. Data Sharing:
    • Data may be shared with third-party service providers who assist in hosting, analytics, or technical support. All third parties are required to adhere to equivalent levels of data protection as outlined in Amira's policies and agreements. Amira is responsible for enforcing compliance of third-party transfers with the DPF.
  5. Data Deletion:
    • Personal data is securely deleted upon user request or after the data retention period ends. Amira employs certified deletion protocols to ensure complete removal of data from its systems.

7. Data Transfers to Third Parties

Amira ensures that all third-party data transfers comply with applicable data protection regulations. Key practices include:

  1. Contractual Safeguards:
    • Third-party vendors are bound by contractual obligations to provide the same level of data protection as Amira.
    • Data sharing agreements specify the purposes for which data may be used and include terms for remediation in case of non-compliance.
  2. Vendor Screening:
    • All third parties are vetted to ensure compliance with DPF, GDPR and UK GDPR. Vendors must demonstrate adherence to equivalent standards of data security and privacy.
  3. Purpose Limitation:
    • Data is shared only for purposes aligned with Amira's educational goals (e.g., hosting, analytics, technical support). It is never shared for marketing or behavioral advertising purposes.
  4. Transparency and Accountability:
    • Amira maintains a detailed record of all third-party data transfers, which can be provided to regulators upon request.
    • Users are informed of third-party processing activities through the Privacy Policy.

Amira Learning Inc. remains responsible and liable under the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF if third-party agents that it engages to process personal data on its behalf do so in a manner inconsistent with the principles unless Amira Learning Inc. proves that it is not responsible for the event giving rise to the damage.

8. Sharing of Personal Data

Amira Learning ensures that the sharing of personal data is conducted in compliance with legal requirements, remains transparent, and is limited to circumstances strictly necessary for the intended purposes of processing. Data sharing involves both internal entities, such as subsidiaries, and external parties, including service providers and business partners. In every instance, Amira guarantees that entities receiving data are obligated to adhere to the highest privacy standards.

Sharing Data with Parties

  1. Internal Entities
    Personal data may be shared with Amira Learning's affiliated companies, such as sister companies or subsidiaries, to support the operational functionality of services, software development, or data management. Such sharing is strictly limited to clearly defined purposes in alignment with the Privacy Policy and compliant with DPF and UK GDPR requirements. These entities are required to adhere to the same data protection principles upheld by Amira Learning.
  2. External Entities
    Collaboration with external service providers is critical to the functionality and growth of Amira Learning's products. Data may be shared with:
    • Technology and cloud service providers, responsible for data hosting and technical infrastructure management. The purpose of sharing data is to enable the technical functioning of the system.
    • Analytics providers, whose tools help monitor application performance and identify areas for optimization. The purpose of sharing data is to perform analysis of the system’s performance and improve our functionalities.
    • Technology partners, facilitating integration of services within the infrastructure of schools and educational institutions. The purpose of sharing data is to enable system integration with school infrastructure.
    • Consultants and auditors, supporting compliance efforts with legal regulations and security standards. The purpose of sharing data is to ensure legal compliance.

Each external entity operates under a Data Processing Agreement (DPA), ensuring that the data is processed solely for purposes defined by Amira and in compliance with applicable laws.

Restrictions and Accountability for Onward Data Transfers

To ensure full compliance with regulations, Amira enforces stringent restrictions on onward sharing of data by third parties. Any transfer of data must meet the following conditions:

  1. Purpose Limitation
    Data shared with third parties may only be used for the purposes outlined in the Data Processing Agreement. Third parties are prohibited from using the data for marketing, advertising, or any other purposes outside the scope defined by Amira.
  2. Verification of Third-Party Compliance
    Amira conducts thorough audits and due diligence processes before engaging with service providers to ensure their adherence to data protection standards required by DPF and UK GDPR. Additionally, these entities must commit to immediate notification of any security breaches or compliance challenges.
  3. Mandatory Notification of Breaches
    Third-party entities are required to notify Amira immediately of any data breaches or if they determine they can no longer meet the data protection requirements. In such cases, Amira has the right to demand the cessation of data processing and implement remedial actions.
  4. Responsibility for Processing Activities
    Amira assumes full responsibility for the actions of third parties involved in processing personal data. This includes documenting compliance processes and being prepared to present evidence of such compliance upon request by supervisory authorities.

Transparency to Users

Through the Privacy Policy, users are informed about all categories of third parties that may receive their data, as well as the purposes for which the data is processed. Amira also commits to disclosing information about data protection mechanisms and accountability measures in the event of any breaches.

This approach ensures that data sharing processes align with regulatory requirements while maintaining a high level of privacy protection for users.

9. Technical and Organizational Measures

Amira Learning employs a comprehensive framework of technical and organizational measures to ensure the confidentiality, integrity, and availability of personal data processed within its systems. These measures are designed to align with industry best practices, as well as the requirements set forth by the DPF and UK GDPR. The implementation of these controls underscores Amira’s commitment to robust data protection and cybersecurity.

Data Encryption

  1. Encryption in Transit
    All personal data transmitted across networks is encrypted using industry-standard protocols, such as TLS (Transport Layer Security). This ensures that data exchanged between users and Amira’s services, or between internal systems, remains secure and inaccessible to unauthorized parties during transmission.
  2. Encryption at Rest
    Personal data stored within Amira’s systems is safeguarded using advanced encryption algorithms (e.g., AES-256). This applies to data hosted on servers, databases, and backup systems. By encrypting data at rest, Amira ensures that sensitive information remains protected even if storage devices are physically compromised.

Regular Security Audits and Penetration Testing

  1. Security Audits
    Amira conducts regular internal and external audits to evaluate the effectiveness of its security controls and ensure compliance with legal and regulatory standards. These audits review system configurations, access controls, and adherence to data protection policies.
  2. Penetration Testing
    Third-party security experts perform penetration tests on Amira’s systems to identify potential vulnerabilities. These simulated attacks are designed to uncover weaknesses that could be exploited by malicious actors. Results are used to improve security infrastructure and mitigate risks proactively.

Detection and Prevention of Data Breaches

  1. Intrusion Detection and Prevention Systems (IDPS)
    Amira employs advanced systems to monitor network traffic and application activity in real-time. These tools are configured to detect unusual patterns or unauthorized access attempts and automatically block potential intrusions.
  2. Incident Response Plan
    A formal incident response plan is in place to address any potential data breaches. This includes predefined roles and responsibilities, procedures for containment and investigation, and communication protocols for notifying affected users and relevant authorities.
  3. Vulnerability Management
    Amira’s systems undergo continuous vulnerability scanning to identify outdated software, misconfigurations, or other weaknesses. Patches and updates are applied promptly to eliminate vulnerabilities and reduce exposure to threats.

Access Control Mechanisms

  1. Role-Based Access Control (RBAC)
    Access to personal data is restricted based on job responsibilities. Only authorized personnel with a legitimate need are granted access to sensitive data, ensuring minimal exposure.
  2. Multi-Factor Authentication (MFA)
    Amira enforces MFA for all users accessing its internal systems, adding an extra layer of protection by requiring multiple forms of verification.

Training and Awareness

  1. Staff Training
    All employees undergo regular training on data protection regulations, cybersecurity practices, and incident reporting procedures. This ensures that personnel are aware of their roles in maintaining a secure environment.
  2. Awareness Campaigns
    Periodic awareness campaigns emphasize the importance of data security, phishing prevention, and adherence to company policies.

Compliance Monitoring

Amira utilizes automated tools to monitor compliance with internal security policies and external regulatory requirements. Any deviations are flagged for immediate corrective action, ensuring ongoing alignment with data protection standards.

Through these measures, Amira demonstrates its commitment to safeguarding personal data and maintaining the trust of its users. This proactive and layered approach ensures that data remains protected from unauthorized access, breaches, and other threats throughout its lifecycle.

10. Data Retention Policy

Amira Learning implements a structured Data Retention Policy to ensure that personal data is retained only for as long as necessary to fulfill the purposes for which it was collected or to comply with applicable legal and regulatory requirements. This policy reflects Amira's commitment to data minimization and accountability under the DPF and UK GDPR frameworks.

Unless required by law to maintain certain information for a longer period of time, Amira retains Personally Identifiable Information only for as long as a student’s school and/or school district maintains a subscription with Amira to one or more of the Resources. Once a subscription to a particular Resource is cancelled or otherwise terminated, Amira will retain any Personally Identifiable Information related to that Resource for sixty days after cancellation/termination to allow for temporary lapses in subscription services, at which point that information is destroyed. Personally Identifiable Information may also be destroyed at any time at the request of the school and/or school district.

Retention Periods for User Data

  1. Educator Data
    Personal data collected from educators, such as registration information, contact details, and class rosters, is retained for the duration of their use of the Amira platform and services. Once an educator account is deactivated or terminated:
    • Data required for legal or compliance purposes is retained for a set period, in line with applicable record-keeping obligations.
    • Non-essential data is deleted or anonymized promptly after account deactivation.
  2. Child Data
    Amira ensures that data collected from children, such as voice recordings, progress reports, and account details, is managed with utmost care. Retention policies for child data include:
    • Active Use: Data is retained while the child remains enrolled in a school or district using Amira services.
    • Account Deactivation: Once a child’s use of the platform concludes, personal data is securely immediately, unless a specific legal requirement necessitates longer retention.

Secure Data Deletion Procedures

  1. Automated Deletion Processes
    Amira employs automated processes to identify and securely delete data that is no longer required. These processes ensure compliance with retention timelines and minimize the risk of unauthorized data retention.
  2. Data Anonymization
    Where appropriate, data that is no longer actively required but holds analytical value is anonymized. This ensures that no individual can be identified while allowing Amira to leverage insights for improving services.
  3. Physical and Digital Data Destruction
    For physical records (if any), certified shredding methods are used to ensure complete destruction. For digital data:
    • Secure deletion protocols, such as overwriting or cryptographic wiping, are employed to render data unrecoverable.
    • Backup systems are also monitored and purged of outdated data during routine maintenance cycles.

Regular Policy Review

Amira’s Data Retention Policy is reviewed on an annual basis to ensure alignment with evolving regulatory requirements and industry best practices. This review process also involves audits of data retention timelines and deletion practices to guarantee compliance.

By adhering to these robust retention and deletion protocols, Amira safeguards user privacy while maintaining compliance with legal and contractual obligations, further reinforcing the trust of educators, children, and their families.

11. User Rights

Amira Learning recognizes and upholds the fundamental rights of all users concerning their personal data, in compliance with the Data Privacy Framework (DPF) and UK GDPR. These rights empower users to have greater control over how their data is processed and ensure transparency in Amira’s data management practices. Below is a detailed explanation of the rights available to users and how Amira facilitates their exercise.

User Rights Overview

  1. Right to Access
    Users have the right to request a copy of the personal data Amira holds about them. This includes information about:
    • The categories of personal data collected.
    • The purposes of data processing.
    • Any third parties with whom their data has been shared.
    • The retention period for their data or the criteria used to determine it.
  2. Right to Rectification
    Users can request corrections to any inaccurate or incomplete personal data held by Amira. For example:
    • Educators may update contact details or class information.
    • Parents or guardians may request corrections to their child’s personal data. If the data were provided by the school upon rostering, such requests should be made through the administrative portal of the school or local educational authority that holds the student roster.
  3. Right to Erasure ("Right to be Forgotten")
    Users may request the deletion of their personal data under the following circumstances:
    • The data is no longer necessary for the purposes for which it was collected.
    • Consent for processing has been withdrawn (where applicable).
    • The data has been unlawfully processed.
    • There is a legal obligation to erase the data.
  4. Right to Restrict Processing
    Users can request that Amira limit the processing of their personal data in specific situations, such as:
    • When the accuracy of the data is contested.
    • When the processing is unlawful, but the user opts for restriction instead of erasure.
    • When the user needs the data for legal claims, but Amira no longer requires it.
  5. Right to Object
    Users can object to the processing of their personal data for specific purposes, such as:
    • Direct marketing communications (although Amira does not use data for marketing to children).
    • Automated decision-making or profiling (if applicable).

Procedures for Submitting Requests

Amira has established a clear and efficient process to ensure users can exercise their rights without unnecessary burden:

  • Submitting a Request:
    Users can submit requests regarding their data rights through the following channels:
    • School Liaison: Parents or guardians may also contact their child’s school administrator, who will relay the request to Amira.
    • Email: By contacting Amira’s Privacy Team at trust@amiralearning.com.
  • Required Information:
    To process requests, users may be asked to provide:
    • Proof of identity (e.g., a government-issued ID or verification through an educator account).
    • Details about the request (e.g., specific data categories or corrections required).

Response Timelines

Amira is committed to responding to user requests promptly and in line with regulatory requirements. In particularly complex cases, the response may take up to 45 days.

Escalation Mechanisms

If a user is dissatisfied with the response to their request or believes their rights have not been respected, they can escalate the matter:

  • Internal Review: Users may request a secondary review by Amira’s Data Protection Officer (DPO).
  • External Complaint: Users may file a complaint with the relevant supervisory authority:
    • For UK users: Information Commissioner’s Office (ICO).
    • For EU users: The appropriate Data Protection Authority (DPA) in their country of residence.

12. Dispute Resolution and Mechanisms for Reporting Breaches

Amira Learning is committed to addressing user concerns and ensuring compliance with the Data Privacy Framework (DPF) and UK GDPR through robust dispute resolution processes and mechanisms for reporting potential data breaches. These measures are designed to provide users with clear pathways to address grievances and safeguard personal data effectively.

Independent Dispute Resolution Mechanisms

Amira has established partnerships with independent third-party organizations to ensure that any disputes related to personal data handling are resolved impartially and efficiently:

  1. Independent Recourse Mechanism
    • Amira participates in the DPF’s approved independent dispute resolution mechanism to address complaints regarding data processing practices.
    • Users can access this mechanism free of charge to have their complaints investigated and resolved in a timely manner.
    • Contact information and detailed instructions for accessing this mechanism are provided in the Privacy Policy and Amira’s support documentation.
  2. Escalation to Supervisory Authorities
    • If a user feels their issue has not been adequately addressed through internal or independent mechanisms, they may escalate the matter to:
      • The Information Commissioner’s Office (ICO) for UK residents.
      • The appropriate Data Protection Authority (DPA) in their EU member state.
    • Amira is committed to cooperating fully with these authorities to resolve disputes.

If personal data covered by this privacy policy is to be used for a new purpose that is materially different from that for which the personal data was originally collected or subsequently authorized, or is to be disclosed to a non-agent third party in a manner not specified in this policy, Amira Learning Inc. will provide you with an opportunity to choose whether to have your personal data so used or disclosed. Requests to opt out of such uses and disclosures of personal data should be sent to trust@amiralearning.com. Amira Learning Inc. will not use sensitive personal data for a purpose other than the purpose for which it was originally collected or subsequently authorized by an individual unless Amira Learning Inc. has received their affirmative and explicit consent (opt-in).

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Amira Learning Inc. commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.

Complaint Submission Procedure

To ensure transparency and efficiency, Amira has implemented a straightforward process for users to file complaints related to personal data handling:

  1. Submission Channels
    Users can submit complaints through the following channels:
    • Email: Send a detailed complaint to trust@amiralearning.com.
    • Online Form: Complete Amira’s dedicated Privacy Rights Request Form available on its website.
    • School Representative: Parents or guardians may lodge complaints through their child’s school administrator, who will escalate the issue to Amira.
  2. Information Required
    To process complaints efficiently, users are encouraged to provide:
    • A description of the issue or suspected breach.
    • Details about the data or processing activity involved.
    • Contact information for follow-up communication.

Reporting and Addressing Data Breaches

In the unlikely event of a data breach, Amira follows a structured approach to ensure timely reporting and mitigation:

  1. User Notification
    • If a breach involves personal data that poses a risk to users, Amira will notify affected individuals without undue delay and within the timeframe specified by applicable laws.
    • Notifications will include:
      • Details of the breach and its impact.
      • Steps taken to mitigate risks.
      • Guidance on actions users can take to protect themselves.
  2. Reporting to Authorities
    • Amira will report data breaches to the relevant supervisory authority (e.g., ICO for UK users) within 72 hours of becoming aware of the incident, as required by UK GDPR and DPF.

Commitment to Continuous Improvement

Amira is dedicated to continuously improving its dispute resolution and breach reporting mechanisms to provide users with transparent, efficient, and user-friendly processes. By aligning with the highest standards of data protection, Amira fosters trust and accountability in its relationships with users and regulatory bodies.

13. Country-Specific Notes

Amira Learning recognizes that data privacy regulations vary across jurisdictions, particularly between the United Kingdom and the European Union. To ensure full compliance and provide transparency to users in these regions, Amira has tailored its privacy practices to align with the specific requirements of the UK GDPR, EU GDPR, and other applicable laws.

Privacy Practices for the United Kingdom (UK)

  1. Compliance with UK GDPR
    • Amira adheres to the UK General Data Protection Regulation (UK GDPR) as enforced by the Information Commissioner’s Office (ICO).
    • All data collection, processing, and storage practices are designed to meet the standards established under UK data protection law.
  2. Supervisory Authority
    • For UK-based users, the ICO serves as the primary supervisory authority for addressing data privacy concerns. Contact details for the ICO are as follows:
      • Website: www.ico.org.uk
      • Phone: +44 303 123 1113
      • Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
  3. User Rights
    • UK users have rights under the UK GDPR, including:
      • Accessing their personal data.
      • Correcting inaccurate data.
      • Requesting data deletion or restriction.
      • Objecting to data processing.
  4. Mechanisms for Filing Complaints
    • UK users can file complaints directly with Amira or escalate unresolved issues to the ICO.

Privacy Practices for the European Union (EU)

  1. Compliance with EU GDPR
    • Amira complies with the EU General Data Protection Regulation (EU GDPR) to protect the personal data of users in EU member states.
    • The principles of lawfulness, fairness, and transparency, as outlined in the EU GDPR, are integrated into Amira’s data processing activities.
  2. Supervisory Authorities
    • EU users can contact their local Data Protection Authority (DPA) to report concerns or escalate unresolved privacy-related matters.
    • Amira collaborates with DPAs across EU member states to ensure compliance and resolve disputes effectively.
  3. Cross-Border Data Transfers
    • Data transfers from the EU to the United States are conducted in accordance with the EU-U.S. Data Privacy Framework (DPF) to ensure an adequate level of data protection.
    • Amira provides users with transparency regarding data transfer mechanisms and safeguards.

14. Additional Notes

  1. Legal Basis for Processing
    • Amira processes personal data under legal bases consistent with UK GDPR and EU GDPR, including:
      • Contractual necessity (e.g., to provide educational services).
      • Consent (e.g., for marketing communications where applicable).
      • Legal compliance (e.g., responding to regulatory requests).
  2. Transparency and Accountability
    • Amira’s privacy policy includes references to applicable laws and frameworks to help users understand their rights and the company’s obligations.
    • Information about independent dispute resolution mechanisms and supervisory authority contacts is clearly provided.

15. Cookies and Tracking Technologies

Amira Learning uses cookies and other tracking technologies to enhance user experience, improve the functionality of its services, and gather insights to optimize operations. Below, we provide details on the types of cookies we use and how users can manage their preferences.

Types of Cookies Used

  1. Essential Cookies
    • These cookies are necessary for the operation of the Amira App and related services.
    • They enable core functionalities, such as authentication, session management, and maintaining user preferences.
    • Disabling these cookies may impact the availability or functionality of certain features.
  2. Performance and Analytics Cookies
    • These cookies collect data on how users interact with the Amira App and services.
    • Examples of collected data include session duration, pages visited, and errors encountered.
    • This information helps us identify trends and improve the user experience.
  3. Functional Cookies
    • These cookies enhance the functionality of the services by remembering user preferences, such as language settings and layout configurations.
    • Functional cookies make the user experience more personalized and efficient.
  4. Third-Party Cookies
    • Amira may collaborate with third-party service providers who use cookies to support analytics or service integration (e.g., video playback or data visualization).
    • These providers are required to adhere to the same privacy standards as Amira.

Managing Cookies

  1. User Controls
    • Users can manage their cookie preferences through browser settings. Most browsers allow users to:
      • Accept or reject cookies entirely.
      • Block specific types of cookies.
      • Receive notifications when a website wants to store cookies.
  2. Cookie Management Tools
    • Amira provides an easy-to-use cookie management interface on its website and app, enabling users to customize their cookie settings.
    • Users can opt in or out of non-essential cookies (e.g., analytics or functional cookies) based on their preferences.
  3. Opt-Out Options for Analytics
    • Users who prefer not to have their data collected for analytics purposes can opt out by:
      • Disabling performance cookies in their settings.
      • Using browser-based tools or plugins to block tracking scripts.

Transparency and User Rights

  • Amira ensures compliance with applicable privacy laws (e.g., UK GDPR, EU GDPR) by obtaining user consent before setting cookies, except for essential cookies.
  • Users can revoke or modify their consent at any time by accessing the cookie management interface.
  • The Privacy Policy includes clear and detailed information about the cookies used, their purpose, and how users can exercise control.

16. Privacy Policy Updates

Amira Learning is committed to maintaining transparency and keeping its users informed about how their data is processed. To ensure compliance with evolving legal and operational requirements, we periodically update our Privacy Policy. This section outlines the procedure for updating the policy and the measures taken to inform users of any changes.

Procedure for Policy Updates

  1. Periodic Review
    • Amira conducts regular reviews of its Privacy Policy to ensure compliance with applicable legal frameworks, including the UK GDPR, EU GDPR, and the Data Privacy Framework (DPF).
    • Updates may also be made to reflect changes in Amira's services, data practices, or business relationships.
  2. Approval Process
    • Proposed changes to the Privacy Policy undergo internal review by Amira's data protection team and legal advisors to ensure adherence to applicable regulations and standards.
    • Final approval is provided by senior management before implementation.
  3. Policy Revision Date
    • Every version of the Privacy Policy includes a "Last Updated" date at the top of the document to reflect when the most recent changes were made.

Notifying Users of Updates

  1. Transparent Communication
    • Amira ensures that any material changes to the Privacy Policy are communicated clearly to users through appropriate channels, such as:
      • Email updates sent to registered users, including Educators and administrators.
      • Announcements on the Amira website.
  2. Advance Notice
    • For significant changes, users are provided with advance notice before the new policy takes effect. This allows users sufficient time to review and understand the updates.
  3. Accessibility of Changes
    • A summary of key changes is provided alongside the updated Privacy Policy to highlight the most important modifications.
    • The full updated Privacy Policy is always accessible on the Amira website (https://amiralearning.com/amira-privacy).

User Consent for Substantive Changes

  • If changes affect how data is collected, processed, or shared, Amira will obtain user consent where required by law. For example:
    • Updated consent may be required for new categories of data processing.
    • Educators and administrators may need to confirm acceptance of the new policy before continuing to use the services.

17. Contact Information

Amira Learning is committed to maintaining open communication with its users and providing clear channels for addressing any inquiries, concerns, or complaints related to data privacy and this Privacy Policy. Below are the contact details for users seeking assistance or wishing to exercise their data protection rights.

For inquiries regarding the Privacy Policy or to report concerns, users may contact Amira through the following means:

  • Email Address: trust@amiralearning.com
    This email is monitored by Amira’s data protection team to handle user requests, including exercising rights under applicable privacy laws.
  • Phone Number: +1 (510) 858-2452
    Users can call this number for immediate assistance related to data privacy or other inquiries.
  • Mailing Address:
    Amira Learning, Inc.
    5214F Diamond Heights Blvd 3255
    San Francisco, CA 94131
    This address can be used to submit written requests or concerns.