Product Privacy Policy - Firefly Learning Skip to Main Content

Last updated: August 2025

Firefly Learning Limited (“Firefly”) takes the privacy of its users, including students, teachers, and parents, seriously. Firefly is committed to protecting users’ privacy while providing a personalised and valuable learning experience through its education technology products and services (the “Product”).

If users have any questions about our Privacy Policy, they may contact Firefly at privacy@fireflylearning.com.

The School Environment

Collectively, the classroom, teachers, parents, guardians, students, and school and district administration and employees/agents are referred to in this Product Privacy and Cookie Policy as the “School Environment.”

As Firefly is designed to be used in the classroom, much of the information collected is intended to be shared within the School Environment; Product-related or class-related activities, information, or communications may therefore be visible to anyone present in the classroom. Furthermore, some information will be available to other students, teachers, parents, guardians, and school or district administrators and/or employees (see “Firefly User Access Privileges” below). The sharing of the above information is subject to this Product Privacy and Cookie Policy and the privacy policies of the relevant educational institutions. If users have any questions about the sharing of this information under those policies, Firefly recommends that users contact the relevant educational institutions.

Firefly has implemented security measures to ensure that this data will not be shared outside the School Environment, except as outlined in this Product Privacy and Cookie Policy.

Collected Information

Personal Information

The specific information collected depends on the user type (i.e. teacher, district/school staff, parent, and student users). A list of the personal information collected for each user type of the Product, including the type of information collected, how the information is collected and used within the School Environment, whether other users can view the information, and whether the information is shared outside of the School Environment, is available here.

Firefly DOES NOT collect the following data:

  • User’s contact lists or friends lists;
  • Social medial information;

Cookies

Cookies are small data files that are commonly stored on your device when you use websites and online services. They are widely used to make websites work, or to work more efficiently, as well as to provide reporting information and assist with services or personalisation. There are also other technologies that are similar to cookies, which may store small amounts of data on your device (“local storage”).

Firefly uses the following types of cookies and local storage (collectively called “Cookies” herein):

  • Performance and functionality Cookies: These Cookies are not essential, but they help us personalise and enhance your user experience. For example, they may help us to remember your preferences and prevent you from needing to re-enter information more than once, or to remember your id and password so that you do not have to enter them each time you use our services.

The Firefly Product does not use cookies for advertising purposes.

If you wish to disable the use of Cookies, you may do so from the browser preferences menu of your browser software by either turning off Cookies or by using your browser’s privacy mode when using our services.

Please see our cookies notice at fireflylearning.com.

What Does Firefly Do with the Collected Information?

Firefly only collects and uses user information that is required to fulfil its duties and provide and improve its services. Specifically, collected information is used for the following purposes:

  • To operate the Product;
  • To monitor & secure the Product;
  • To enable users to login to the Product;
  • To allow teachers, parents, guardians, students, and school and district administration and employees/agents to manage and engage with the Product as directed by the school;
  • To enable class related activities such as classroom content, assignments/tasks, and communications;
  • To provide analytic data to teachers and school administrators;
  • For software and customer support purposes; 
  • For sales, invoicing, and/or billing purposes;
  • To enable student billing & tuition management; and
  • To enable 3rd party integrations selected by and at the direction of the school.

Firefly does not advertise or market to students or their parents. No student personal data will be used for marketing purposes.

Firefly does not share personal data outside the School Environment, except for those purposes stated within this document, without first obtaining the express written consent of the individual.

Parents who login to the Product are not granted access to personal data of any student other than their child.

Collected information in aggregate form, whereby individual users are not identifiable (i.e. “de-identified data”), is used for the following purposes:

  • To improve the Product;
  • For research and statistical purposes;
  • For marketing purposes related to the Firefly Product; and
  • For customer support purposes.

De-identified data will have all direct and indirect personal identifiers removed. This includes, but is not limited to, name, user ID, date of birth, and location information. Furthermore, Firefly will not attempt to re-identify de-identified data or transfer de-identified data to any party unless that party agrees not to attempt reidentification.

Firefly User Data Access

All user access and/or interactions within the Firefly Product occur in the School Environment among district/school administrators, district/school employees or agents, teachers (including paraprofessionals, aides, behaviour specialists, or other school employees), students, and parents (“trusted users”) in the School Environment.

Teachers (including teachers, paraprofessionals, aides, substitute teachers, behaviour specialists, or other school employees working with students in the classroom) are granted access to student data for the students in their classes and to parent data for the students in their classes. School/district administration officials may access teacher and student data to monitor in-app activities and student behaviour/attendance. Other school employees or agents within the School Environment have appropriate privileges based on their role and need-to-know. These privileges are configured and maintained by the school, not Firefly. Students are granted access to their personal data and all content posted by their teachers or other school officials necessary for them to fulfil their roles within the school. This access is configured and maintained by the school, not Firefly.  Note that some data may be displayed by the teacher in front of the whole class or other groups who may not normally have access to this data. This is at the discretion of school officials and not within the control of Firefly. Parents are granted access to data related to their child and their child’s teacher, and to aggregate data for their child’s class.

Detailed information on user data access can be viewed here.

Student Records

Student records are the property of and under the control of the school and/or school district. Students can access their student records by logging in to their student account. Parents and guardians of students under the age of 18 can access their child’s information via their parent account or by contacting the school. Corrections of any erroneous information should be brought to the attention of the school administration. In the event that the teacher or school are unable to make the correction, the school will contact Firefly via normal support channels. Firefly will work with the teacher or school to facilitate correction of any erroneous information.

Third parties are not granted access to personal data or educational records or other student records except as provided in this Privacy Policy, or after first obtaining the express written consent of the parent or student over 18 years of age.

Should there be any unauthorised disclosure of a student’s records, Firefly will notify the school within 3 days following discovery of the unauthorised disclosure.

No Marketing to Students and Parents

Firefly does not share user data with third parties for marketing purposes. Furthermore, Firefly does not use student data for marketing of any kind, including marketing to students or parents. For information on our privacy practices with respect to the operation of the corporate website, please see Firefly’s Website Privacy Policy here.

Deletion of Records

As our customers require access to records on a continuous basis, Firefly maintains records at the direction of our customers as long as we have an engagement with our customers. Upon termination of an engagement with our customers, records will be deleted within 30 days of the date of termination. Customers have complete control over records lifecycles, including the ability to delete records as they see fit or as directed by a student, parent, faculty, staff, or any other data subject at any time. If you have any concerns about records retention, please contact your school or email privacy@fireflylearning.com.

Your rights in respect of your personal data

UK and EU

You have a number of rights under data protection laws in relation to your personal data.

You have the right to:

  • Request access to your personal data (commonly known as a "subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
  • Request erasure of your personal data in certain circumstances. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) as the legal basis for that particular use of your data (including carrying out profiling based on our legitimate interests). In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your right to object.
  • You also have the absolute right to object any time to the processing of your personal data for direct marketing purposes (see OPTING OUT OF MARKETING in Paragraph 4 for details of how to object to receiving direct marketing communications).
  • Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
  • Withdraw consent at any time where we are relying on consent to process your personal data (see the table in section 4 for details of when we rely on your consent as the legal basis for using your data). However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
  • Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in one of the following scenarios:
    • If you want us to establish the data's accuracy;
    • Where our use of the data is unlawful but you do not want us to erase it;
    • Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
    • You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

United States of America

California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia provide (now or in the future) their state residents with rights to: 

  • Confirm whether we process their personal information. 
  • Access and delete certain personal information. 
  • Correct inaccuracies in their personal information, taking into account the information's nature processing purpose (excluding Iowa and Utah). 
  • Data portability. 
  • Opt-out of personal data processing for: 
    • targeted advertising (excluding Iowa); 
    • sales; or  
    • profiling in furtherance of decisions that produce legal or 
    • similarly significant effects (excluding Iowa and Utah). 
  • Either limit (opt-out of) or require consent to process sensitive personal information.  

The exact scope of these rights may vary by state.  

Canada

Rights of users located in Canada are governed by the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, the Personal Information Protection Act, R.S.A. 2003, c. P-6.5, the Personal Information Protection Act, R.S.B.C. 2003, c. 63 and an Act respecting the protection of personal information in the private sector, CQLR, c. P-39.1, as amended by Law 25, An Act to modernise legislative provisions as regards the protection of personal information (as applicable based on the location of the user in Canada). 

Since the adoption of Law 25, Quebec residents have enhanced rights with respect to their personal information, including:  

  • Access Rights: the right to receive confirmation of the processing of their personal information, of the nature of the information being processed, and to receive a copy of it.   
  • Data Portability Right: the right, subject to certain exceptions, to ask that Firefly communicate to them computerised personal information in a written, intelligible transcript, and any collected personal information in a structured, commonly used, technological format. 
  • Rectification Right: subject to certain requirements and exceptions, the right to ask to correct the information in Firefly’s possession if it is inaccurate, incomplete, or ambiguous, or if collecting, communicating, or keeping it is not authorised by law.  
  • De-indexation Right or "Right to be Forgotten": the right to ask Firefly to stop disseminating their personal information or to de-index any hyperlink attached to their name giving access to information if this dissemination causes them harm or contravenes the law or a court order. 
  • Automated Decision Making: the right to be informed when they are the subject of a decision based exclusively on automated processing of their personal information. Firefly will also, on request, inform them about the personal information used to make the decision, the reasons and main factors leading to the decision, and the right to request correction of the personal information used to make the decision. We will also give them the opportunity to present their observations to a member of our staff for review of this decision. 

To exercise your access rights under applicable law, you shall contact the school on whose behalf Firefly processes your personal information.

International Transfers

European Union

Since May 25, 2018, the European Union General Data Protection Regulation (GDPR) has defined the rules regarding the collection, use, and retention of personal information for residents of the European Union (EU). In the UK, the UK GDPR and the Data Protection Act 2018 define the rules around the processing of personal data from residents of the UK.  Firefly complies with the EU GDPR as well as its corresponding legislation in the UK. In order to operate its services, and in accordance with this Privacy Policy, Firefly may collect, use, and retain personal information from users of the Veracross Product who are based in the EU and the UK.

Furthermore, in order to operate its services, and in accordance with this Privacy Policy, Firefly also conducts business with third-party data processors in the United States, where personal information for users of the Firefly Product is stored. Accordingly, when Firefly transfers personal information outside of the European Economic Area or the UK to the United States, such transfers will be governed by data processing agreements and international data transfer mechanisms that comply with European Union and UK (as applicable) data protection requirements.

Please note that Firefly is part of the Veracross LLC group (https://www.veracross.com/), a US company with an address at 401 Edgewater Place, Suite 360, Wakefield, Massachusetts 01880.  

For operational purposes, we now share your personal data within the Veracross Group. This will involve, if you are based in the UK, transferring your data outside the UK and European Economic Area (EEA) and, if you are based in Australia, transferring your data outside Australia, and in particular to the United States. 

Many of Veracross’ external third-party vendors are also based outside the EU, UK and Australia, so their processing of your personal data will also involve a transfer of data outside the EU, UK or Australia (as applicable). 

Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by using specific contracts approved by the UK Government which give Personal Information the same protection it has in the UK. For further details, see UK International data transfer agreement and guidance.   

EU-U.S. Data Privacy Framework and Swiss-U.S. Data Privacy Framework and the UK Extension thereof.

Veracross LLC complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Veracross LLC has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.  Veracross LLC has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.  To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/

Veracross LLC is responsible for the processing of personal data it receives, under the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, and subsequently transfers such personal data to a third party acting as an agent on its behalf.  Veracross LLC complies with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF Principles for all onward transfers of personal data from the EU, the UK, and Switzerland, respectively, including the onward transfer liability provisions.

The Federal Trade Commission has jurisdiction over Veracross LLC’s compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. In certain situations, Veracross LLC may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Veracross LLC commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals and Swiss individuals with inquiries complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact Veracross, LLC at privacy@veracross.com. 

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Veracross LLC commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.

You may also have the option to select binding arbitration for the resolution of your complaint under certain circumstances, provided you have taken the following steps: (1) raised your complaint directly with Firefly and provided us the opportunity to resolve the issue; (2) made use of the independent dispute resolution mechanism identified above; and (3) raised the issue through the relevant data protection authority and allowed the US Department of Commerce an opportunity to resolve the complaint at no cost to you. For more information on binding arbitration, see https://www.dataprivacyframework.gov/framework-article/D-Binding-Nature-of-Decisions.

Canada

Rights of users located in Canada are governed by  the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, the Personal Information Protection Act, R.S.A. 2003, c. P-6.5, the Personal Information Protection Act, R.S.B.C. 2003, c. 63 and an Act respecting the protection of personal information in the private sector, CQLR, c. P-39.1, as amended by Law 25, An Act to modernise legislative provisions as regards the protection of personal information (as applicable based on the location of the user in Canada).

Since the adoption of Law 25, Quebec residents have enhanced rights with respect to their personal information, including:

  • Access Rights: the right to receive confirmation of the processing of their personal information, of the nature of the information being processed, and to receive a copy of it. 
  • Data Portability Right: the right, subject to certain exceptions, to ask that the processing organisation communicate to them computerised personal information in a written, intelligible transcript, and any collected personal information in a structured, commonly used, technological format.

Rectification Right: subject to certain requirements and exceptions, the right to ask to correct the information in the processing organisation’s possession t is inaccurate, incomplete, or ambiguous, or if collecting, communicating, or keeping it is not authorised by law.

De-indexation Right or "Right to be Forgotten": the right to ask organisations to stop disseminating their personal information or to de-index any hyperlink attached to their name giving access to information if this dissemination causes them harm or contravenes the law or a court order.

Automated Decision Making: the right to be informed when they are the subject of a decision based exclusively on automated processing of their personal information. Organisations must also, on request, inform them about the personal information used to make the decision, the reasons and main factors leading to the decision, and the right to request correction of the personal information used to make the decision. They must also be given the opportunity to present their observations to a member of their staff for review of this decision.

Canadian users can access and modify their personal information in Firefly’s possession using your user login and password, or by following the instructions in the section of this document titled “Changes to and Access to Personal Information.”

To exercise their other access rights under Canadian law, residents of Canada shall contact the School on whose behalf Firefly process their personal information.

Please note that because Firefly’s and its service providers are located in the United States and other countries outside Canada, we may transfer personal information that we collect or that you provide as described in this policy to contractors, service providers, and other third parties we use to support our business and who are contractually obligated to keep personal information confidential, use it only for the purposes for which we disclose it to them, and to process the personal information with the same standards set out in this policy.

We may process, store, and transfer your personal information in and to foreign countries, with different privacy laws that may or may not be as comprehensive as Canadian law. In these circumstances, the governments, courts, law enforcement, or regulatory agencies of that country may be able to obtain access to your personal information through the laws of the foreign country. Whenever we engage a service provider, we require that its privacy and security standards adhere to this policy and applicable Canadian privacy legislation.

Security Policy

Firefly uses industry standard methods to protect the confidentiality, security, and integrity of its customers’ data, including personal information collected from children, against unauthorised use or access, disclosure, alteration, unlawful or accidental destruction, or loss. We ensure that all such protected data is encrypted both at rest and in transit and is only retained or deleted in accordance with this Privacy Policy or any overriding agreements with educational agencies.

Firefly does not share the data covered by this policy informally among its employees. Only those employees who require the protected data to carry out their duties are granted access. In such cases, access is granted based on the principle of least privilege, which means that each program and employee are granted the fewest privileges necessary to complete their tasks. Employees with access to protected data are given training to apprise them of their responsibilities when handling data and the various laws and agreements covering data security. Such employees are also given a unique user ID for purposes of accountability.

Firefly performs periodic risk/vulnerability assessments and data privacy and security compliance audits. Firefly will remediate any identified security vulnerabilities in a timely manner. We also have a written incident response plan, which includes prompt notification to the school/district in the event of a security or privacy incident, as well as best practices for responding to a breach of personally identifiable information. We will share this incident response plan upon request.

While Firefly is committed to implementing best practices with regard to information and data security, we cannot make a 100% security guarantee due to constant advances in virus and hacking technology, as well as unforeseeable hardware or software failures and other risk factors. Firefly can therefore not be held responsible for data loss or alteration. Firefly will notify any affected customer of a personal data breach in accordance with applicable law.

For additional information about our security measures please visit our Trust Centre.

Third Parties

Third Party Links

Any member of the school community may make postings that contain links to third party services in various sections of Firefly. Common examples of this would be links to videos hosted by YouTube or Vimeo, links to Wikipedia or other reference material, and so on. It is the responsibility of the customer to ensure that this content is appropriate and free from links to sites which may compromise the privacy of their students.  Firefly does not actively monitor content and has no responsibility for this content.

Third Party Integrations

Third Party software may be integrated with Firefly. Firefly has no responsibility for the content, policies, or actions of these websites and they are entirely separate from Firefly and are not covered by this Privacy Policy.

Firefly also provides users with the option of registering/logging into the Product with single sign-on authentication through Third-Party software. If you choose to access our Product through single sign-on authentication, Firefly may exchange personal information such as the user’s email address with the authentication service, depending on your privacy settings with that service. Firefly will only collect and store such information in accordance with this policy. We recommend familiarising yourself with any authentication service’s terms of use and privacy settings and policies before using such services to connect to Firefly.

A list of these Third-Party Integrations, including the services they provide to Firefly, the information we share with them or that they share with us, their privacy policies, and their contact information, can be found here.

Third Party Service Providers

Firefly may use trusted Third-Party Service Providers to support our Product by assisting us with providing, maintaining, and improving our services. To this end, Firefly may share information with these providers, but only to the extent necessary to provide our services, and only in accordance with our needs, this Privacy Policy, and all other applicable privacy agreements, laws, and/or requirements.

A list of these Providers, including the services they provide to Firefly, the information we share with them or that they share with us, their privacy policies, and their contact information, can be found here.

Changes to and Access to Personal Information

Users have access to their personal information via their Firefly user account, or by contacting the teacher or school administration. Users may also request a copy of their personal information, make modifications to any incorrect information, or exercise any other rights available to them under applicable law by sending a written request to the school.

Users can also correct and update their personal information by contacting the school.

Change of Control

In the event that all or a portion of Firefly or its assets are acquired by or merged with a third party, personal information that we have collected from users would be one of the assets transferred to or acquired by that third party. This Privacy Policy will continue to apply to your information, and any acquirer would only be able to handle your personal information as per this policy (unless you give consent to a new policy). We will provide you with notice of an acquisition within thirty (30) days following the completion of such a transaction, by posting on our homepage, or by email to your email address that you provided to us. If you do not consent to the use of your personal information by such a successor company, you may request its deletion from the company.

Disclosure of Information to Satisfy Legal Obligations

Firefly may disclose personal information if we have a good faith belief that doing so is necessary to comply with the law, such as complying with a subpoena or other legal process. We may need to disclose personal information where, in good faith, we think it is necessary to protect the rights, property, or safety of Veracross, our employees, our community, or others, or to prevent violations of our Terms of Use or Terms of Service or other agreements. This includes, without limitation, exchanging information with other companies and organisations for fraud protection or responding to government requests.

Changes and Updates to the Privacy Policy

Firefly may, at its sole discretion, update, revise, modify, and/or supplement from time to time this Privacy Policy. Should we make modifications to this policy or the related Terms of Service, we’ll post a notice that you will receive when you login to the Product and/or we will send an email directly to the school. Firefly’s updated Privacy Policy and Terms of Service will also be posted on Firefly’s Trust Centre. Firefly asks users to review the updated Privacy Policy and/or Terms of Service before continuing to use our services. The user’s continued use of the services provided by Firefly after the updated Privacy Policy takes effect will constitute the user's acceptance of the updated Privacy Policy.

Consent to the Gathering and Processing of Information

By accepting the Terms of Service, users are expressly giving Firefly a special declaration that users have agreed to the terms of this Privacy Policy governing the collection and processing of their personal information for purposes of services provided by Firefly. Users are further declaring that users are aware of the purpose for Firefly collecting, processing, and using such information, how the processing will be conducted, and how users’ privacy will be protected.

Contact

Firefly’s service to its users and users’ trust is of utmost importance to Firefly. If users have any questions about this Privacy Policy, users should contact Firefly at: privacy@fireflylearning.com.