Skip to Main Content

Effective Date: October 2025

Introduction  

This privacy policy (“Policy”) describes how Firefly Learning Limited (“Company”, “we”, and “our”) collects, uses and shares personal data when using this public website www.fireflylearning.com and our Firefly Community website accessible at https://community.fireflylearning.com (the “Community Site” and, collectively with our public website, the “Site”) and downloading our applications (the “Applications”), regardless of where you visit it from, and tell you about your privacy rights and how the law protects you. Please read the following information carefully to understand our views and practices regarding your personal data and how we will treat it.

This Policy applies to our role as a controller. It does not apply to any personal data processed in connection with the services that we provide through our Site and our Application (collectively, our “Services”) to our clients, educational or other institutions (our “Customers”).

In our processing of personal data in connection with Services we provide to our Customers, we act as a processor (not a controller) under applicable data privacy laws, and in that context our Customers act as controllers on whose behalf we process the personal data for purposes of the Services. 

When we act as processor our processing of personal data isn’t governed by this Policy but by our Data Processor Addendum or other data processing terms in place between Firefly and each Customer. For more information on our processing as a processor, please contact the educational or other institution that collected your personal data in connection with the Services.

Because we offer our services on a global basis, we have chosen to use the UK and European Union (GDPR) model, often considered the strictest model for user transparency, as the format for this Policy. Consequently, based on the privacy and data protection laws that apply in the location from which you access our Site and Applications, you may not necessarily understand the meaning of some of the terms used in this Policy, we refer you to our Glossary of terms at the end of this Policy to help you make better sense of this document.

  1. WHO WE ARE
  2. TYPES OF PERSONAL DATA WE COLLECT ABOUT YOU
  3. HOW IS YOUR PERSONAL DATA COLLECTED?
  4. HOW WE USE YOUR PERSONAL DATA
  5. DISCLOSURES OF YOUR PERSONAL DATA
  6. INTERNATIONAL TRANSFERS
  7. DATA SECURITY
  8. DATA RETENTION
  9. OUR POLICY ON CHILDREN
  10. YOUR LEGAL RIGHTS
  11. CONTACT DETAILS
  12. COMPLAINTS
  13. CHANGES TO THE PRIVACY POLICY AND YOUR DUTY TO INFORM US OF CHANGES
  14. THIRD PARTY LINKS
  15. GLOSSARY
 

1. Who we are 

For the purpose of applicable data protection legislation, the data controller of your personal data is Firefly Learning Limited of 167-169 Great Portland Street, 5th Floor, London, England, W1W 5PF.

We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this Policy. If you have any questions about this Policy, including any requests to exercise your legal rights (paragraph 10) please contact our DPO using the information set out in the contact details section (paragraph 11).

 

2. The types of personal data we collect about you 

What is personal data? 

We collect information about you in a range of forms, including personal data. As used in this Policy, “personal data” is as defined in the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (“UK GDPR”) and the Data Protection Act 2018 (“DPA 2018”). This includes any information which, either alone or in combination with other information we hold about you, identifies you as an individual.

We may collect, use, store and transfer different kinds of personal data about you and/or your household (as applicable based on the privacy laws that apply to your personal data),which we have grouped together as follows:

  • Identity Data includes your first and last name.
  • Contact Data includes your postal address, email address and telephone numbers.
  • Technical Data includes internet protocol (IP) address, your login data, browser language, type and version, screen resolution, time zone setting and location, browser plug-in types and versions, computer or mobile device operating system name and version, manufacturer and model, device ID and other technology on the devices you use to access our Site and Applications. 
  • Profile Data includes your username and password, purchases or orders made by you.
  • Usage Data includes information about how you interact with and use our Site and Applications, about the website you visited before browsing to our Site, pages you viewed, and how much time you spent on a page. 
  • Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
  • Employment and Education Data includes job and education history, degrees obtained, resumes and/or CVs, and related information.
  • Financial Data includes your credit card and bank account information as a Customer.
  • Social Media Data includes information associated with your use of social networks.

Please note that our Community Site is not designed for the collection and processing of Sensitive Information. We do not intend to collect or process Sensitive Information through the Community Site services. Please do not submit Sensitive Information in any part of the services accessible through the Community Site, including free-text fields, uploads, attachments, custom properties, tags, tickets, logs, screenshots, or screen recordings. 

For this Policy, “Sensitive Information” means information that law treats as requiring extra protection, including:

  • EU/UK Users: “special categories” under Art. 9 GDPR (e.g., racial or ethnic origin; political opinions; religious or philosophical beliefs; trade-union membership; genetic data; biometric data for identification; health; sex life/sexual orientation) and data about criminal convictions and offences under Art. 10/DPA 2018.
  • U.S. Users: “Sensitive Information” under the CPRA and “Sensitive Data” under other state privacy laws (e.g., government IDs such as SSN, driver’s license/passport; financial account numbers with passwords/access codesprecise geolocation as defined by law; health information/genetic/biometric identifiersrace/ethnicityreligionunion membershipsexual orientation/sex lifecitizenship/immigration statuscontents of communications where we’re not the intended recipient; and children’s data).
  • Australian Users:sensitive information” under the Privacy Act 1988 (Cth)/APPs (e.g., racial/ethnic origin, political opinions/associations, religious/philosophical beliefs, trade-union membership, sexual orientation/practices, criminal recordhealth/genetic information, and certain biometrics).
  • New Zealand Users: information regarded as sensitive under the Privacy Act 2020 and OPC guidance (sensitivity is recognised contextually, and is a key factor in notifiable privacy breach assessment). Biometric information is expressly treated by the OPC as particularly sensitive and under active regulatory focus.
  • Canadian Users: information treated as sensitive under federal and provincial law—PIPEDA (sensitivity is context-dependent, with categories like Medical/income deemed typically sensitive) and Québec’s Law 25 (personal information is “sensitive” where, due to its nature — e.g., medical/biometric — or the context, it entails a high expectation of privacy). It also includes government identifiers such as SIN and provincial health numbers and comparable identifiers.
  • All Users: this also includes government-issued identifiers; full financial account numbers with access credentials, and any other information that applicable law classifies as sensitive, or that a reasonable person would consider highly confidential.

Please avoid including Sensitive Information in emails to us, support tickets or chat. If you need help that might involve Sensitive Information, contact us at privacy@fireflylearning.com so we can suggest alternatives.

If we learn that Sensitive Information was submitted in violation of this section, we may take reasonable steps to delete, redact, or restrict that data and contact the submitter to help remediate. Where deletion is not technically feasible, we will minimise further processing and apply appropriate safeguards. These actions are without prejudice to any rights you may have under applicable law (e.g., access, deletion, or restriction requests).

We also collect, use and share aggregated data such as statistical or demographic data which is not personal data as it does not directly (or indirectly) reveal your identity. For example, we may aggregate individuals' Usage Data to calculate the percentage of users accessing a specific Site or Application feature in order to analyse general trends in how users are interacting with our Site and Applications to help improve the Site, Applications, and our Service offering.

 

3. How is your personal data collected? 

We collect information about you in the following ways:

Information You Give Us. This includes:

  • the personal data you provide when you register to receive a free trial of our Applications, or when you complete our online enquiry form, including your‎ first name, last name, school, position, and email address;
  • the personal data you upload to our Applications;
  • the personal data you provide when we provide you with customer support;
  • the personal data you provide when you correspond with us by phone, email or otherwise;
  • apply for a job with Firefly;
  • Access our Community Site.

Information Automatically Collected. We automatically collect Technical, Device and Usage Data about your computer or mobile device when you visit our Site or download and install our Applications. We collect this information by using cookies. We may also receive Usage Data about you if you visit other websites employing our cookies. Please refer to the sections on Cookies below.

Cookies

What are cookies?

We may collect information using “cookies”. Cookies are small data files stored on the hard drive of your computer or mobile device by a website. We may use both session cookies (which expire once you close your web browser) and persistent cookies (which stay on your computer or mobile device until you delete them) to provide you with a more personal and interactive experience on our Site.

We use two broad categories of cookies: (1) first party cookies, served directly by us to your computer or mobile device, which are used only by us to recognise your computer or mobile device when it revisits our Site or Applications; and (2) third party cookies, which are served by service providers on our Site or Applications, and can be used by such service providers to recognise your computer or mobile device when it visits other websites.

For more information on the cookies we use, please reference our cookie policy which was presented to you upon accessing the Site.

Third parties. We will receive personal data about you from various third parties as set out below:

  • Technical and Device Data from analytics providers, such as Google based outside the UK.
  • Identity and Contact Data from our affiliated companies within the Veracross Group based in the UK, Australia, and the U.S.
  • Identity, Contact, and Marketing and Communications Data from our interactions with you when we communicate with you via third party communications tools such as Zoom.
  • Identity and Contact Data from our Customers that engage our Services.
  • Identity and Contact Data from our Community Site users.

When we provide our Services, we collect individuals’ information under the direction of our Customers. We process that information as a service provider for our Customers through our Services. We have no direct relationship with the individuals whose Personal Information we process through our Services. Any Personal Information about individuals that we collect on behalf of our Customers is used solely for the business purpose for which our Customers provide the information, and we will promptly comply with Customers’ requests to provide, correct, or remove information, in compliance with applicable law.

When you use our Site or Applications, whether you are an employee of a Customer, an individual with whom we interact on behalf of our Customer, or any other individual, we may collect the categories of information listed above from you directly through your interaction with the Site or Applications.

If you fail to provide personal data 

Where we need to collect personal data by law, or under the terms of a contract we have with you or the Customer on behalf of which we process your data for purposes of our Services, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you or the Customer (for example, to provide them and you with our services). In this case, we may have to cancel a service you have with us but we will notify the Customer if this is the case at the time.

 

4. How we use your personal data 

Legal basis

The law in the EU and the UK requires us to have a legal basis for collecting and using your personal data. We rely on one or more of the following legal bases:

  • Performance of a contract with you: Where we need to perform the contract we are about to enter into or have entered into with you.
  • Legitimate interests: We may use your personal data where it is necessary to conduct our business and pursue our legitimate interests, for example to prevent fraud and enable us to give you the best and most secure customer experience. We make sure we consider and balance any potential impact on you and your rights (both positive and negative) before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
  • Legal obligation: We may use your personal data where it is necessary for compliance with a legal obligation that we are subject to. We will identify the relevant legal obligation when we rely on this legal basis.
  • Consent: We rely on consent only where we have obtained your active agreement to use your personal data for a specified purpose, for example if you subscribe to an email newsletter.

For EU/UK Users of our Community Site: please note that we do not seek a legal basis to process special-category data through the Services. If such data is submitted contrary to this Privacy Policy, we will handle it as above and will not use it for additional purposes without a valid legal basis (for example, where required to establish, exercise, or defend legal claims).

When we obtain your personal data through one of our Customers we will only use that information for purposes of our Services to that Customer, on the Customer’s behalf, and in accordance with our contract with such Customer.

Purposes for which we will use your personal data 

We have set out below, in a table format, a description of all the ways we plan to use the various categories of your personal data, and which of the legal bases we rely on to do so. We have also identified, for our Site and Application users in the UK and the EU, what our legitimate interests are where appropriate.

 
Purpose/Use Type of data Legal basis
To register you as a new user of our Site and allow you to install our Applications and use their respective contents
Identity Contact
Performance of a contract with you
To process and deliver your order including: (a) Process your purchase of our Services, send you updates about your order, deliver and manage your order. (b) Manage payments, fees and charges (c) Collect and recover money owed to us
Identity. Contact Profile Marketing and Communications 
Performance of a contract with you (process your purchase, send you updates about your order, deliver, and manage your order, including to collect payments, fees and charges) Necessary for our legitimate interests (to start legal proceedings to recover debts due to us)
To manage our relationship with you which will include: (a) Notifying you about changes to our terms of use or to our privacy policy (b) Dealing with your requests, complaints and queries (c) If you have an account with us, managing your account, including communicating with you regarding your account
Identity Contact Profile Usage Marketing and Communications
Performance of a contract with you (to notify you about changes to our terms of use) Necessary to comply with a legal obligation (to notify you about changes to our privacy policy) Necessary for our legitimate interests (to keep our records updated and manage our relationship with you)
To administer and protect our business and our Site and Applications (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)
Identity Contact Technical
Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)
To deliver relevant Site and Applications content and online advertisements to you and measure or understand the effectiveness of the advertising we serve to you
Identity Contact Profile Usage Marketing and Communications Technical
Necessary for our legitimate interests (to study how customers use our services, to develop them, to grow our business and to inform our marketing strategy)
To use data analytics to improve our Site and Applications, services, customer relationships and experiences and to measure the effectiveness of our communications and marketing
Technical Usage
Necessary for our legitimate interests (to define types of customers for our services, to keep our Site and Applications updated and relevant, to develop our business and to inform our marketing strategy)
To send you relevant marketing communications and make personalised suggestions and recommendations to you about services that may be of interest to you based on your Profile Data
Identity Contact Technical Usage Profile Marketing and Communications
Necessary for our legitimate interests (to carry out direct marketing, develop our services and grow our business) Consent, having obtained your prior consent to receiving direct marketing communications
To carry out market research through your voluntary participation in surveys
Identity Contact Profile Usage Marketing and Communications
Necessary for our legitimate interests (to study how customers use our services and to help us improve and develop our services)
To process your application for one of our available positions
Employment Education
Necessary for the performance of a contract

Direct marketing  

During the registration process on our Site when your personal data is collected, you will be asked to indicate your preferences for receiving direct marketing communications from us via email. You will receive marketing communications from us if you have requested information from us or purchased services from us and you have not opted out of receiving the marketing.

We may also analyse your Identity, Contact, Technical, Usage and Profile Data to form a view which services and offers may be of interest to you so that we can then send you relevant marketing communications. 

Third-party marketing 

We will get your express consent before we share your personal data with any third party for their own direct marketing purposes. 

Opting out of marketing 

You can ask to stop sending you marketing communications at any time by following the opt-out links within any marketing communication sent to you or by going to our Privacy Centre. If you opt out of receiving marketing communications, you will still receive service-related communications that are essential for administrative or customer service purposes for example relating to updates to our Terms of Use, checking that your contact details are correct.

Change of purpose 

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

 

5. Disclosures of your personal data 

We may share your personal data where necessary with the third parties set out below for the purposes set out in the table Purposes for which we will use your personal data above:

  • Internal Third Parties: other companies in the Veracross Group acting as joint controllers and who are based in the UK, Australia, and in the U.S. and provide IT and system administration services, sales and marketing services, technical services, and undertake leadership reporting.
  • Our External Third Party Service Providers. We or our affiliates of the Veracross Group may share your personal data with the following third party service providers:
    • Amazon Web Services (AWS), based in the EU and acting as processors which provide hosting, infrastructure, and storage services using your personal data; 
    • Apple and Google, based in the United States and acting as processors, which provide apps and analytics services using your personal data;
    • Mailgun, based in the United States with data stored in the EU, and acting as processors, which provides email and analytics services using your personal data;
    • Zendesk, Marketo, Survey Monkey, and Salesforce, based in the United States, and acting as processors, which provide communications and analytics services using your personal data;
    • Professional advisers acting as processors or joint controllers, including lawyers, bankers, auditors and insurers based in the UK and in the United States, who provide consultancy, banking, legal, insurance and accounting services.

These third parties are only permitted to use your personal data to the extent necessary to enable them to provide their services to us. They are required to follow our express instructions and to comply with appropriate security measures to protect your personal data

  • Corporate Restructuring. We may share personal data when we do a business deal, or negotiate a business deal, involving the sale or transfer of all or a part of our business or assets. These deals can include any merger, financing, acquisition, or bankruptcy transaction or proceeding.
  • Other Disclosures. We may share personal data as we believe necessary or appropriate: (a) to comply with applicable laws; (b) to comply with lawful requests and legal process, including to respond to requests from public and government authorities to meet national security or law enforcement requirements; (c) to enforce our Policy; and (d) to protect our rights, privacy, safety or property, and/or that of you or others.
 

6. International transfers 

Your information, including personal data that we collect from you, may be transferred to, stored at and processed by us and other third parties outside the country in which you reside, including, but not limited to the United States and Australia, where data protection and privacy regulations may not offer the same level of protection as in other parts of the world. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Policy.

Intra-group transfers

We share your personal data internally within the Veracross Group. This will involve transferring your data outside the U.K., Switzerland, and the European Economic Area (EEA).

Whenever we transfer your personal data out of the UK, Switzerland, and the EEA to countries which have laws that do not provide the same level of data protection as the UK law, Swiss law, or the laws of the member states of the EEA, we always ensure that a similar degree of protection is afforded to it by ensuring that we use specific standard contractual terms approved for use in the UK, Switzerland, and the EEA, which give the transferred personal data the same protection as it has in the UK, namely the International Data Transfer Addendum to the European Commission’s standard contractual clauses for international data transfers. To obtain a copy of these contractual safeguards, please contact us at privacy@fireflylearning.com.

Third-party transfers

We may transfer your personal data to service providers that carry out certain functions on our behalf. This may involve transferring personal data outside the UK, Switzerland, or the EEA to countries which have laws that do not provide the same level of data protection as the UK law, the Swiss law, or the laws of the member states of the EEA.

Whenever we transfer your personal data out of the UK, Switzerland, or the EEA to service providers, we ensure a similar degree of protection is afforded to it by using specific standard contractual terms approved for use in the UK, Switzerland, and the EEA, which give the transferred personal data the same protection as it has in the UK, namely the International Data Transfer Addendum to the European Commission’s standard contractual clauses for international data transfers. To obtain a copy of these contractual safeguards, please contact us at privacy@fireflylearning.com

EU-U.S. Data Privacy Framework and Swiss-U.S. Data Privacy Framework

Please also note that our U.S. parent company, Veracross LLC, and its U.S. subsidiaries Magnus Health, LLC and Digistorm, LLC participate in and have certified their compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, as administered by the U.S. Department of Commerce, with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Veracross LLC and its U.S. subsidiaries have also certified to the U.S. Department of Commerce that they adhere to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from SwitzerIand in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view the Veracross certification, please visit https://www.dataprivacyframework.gov/.

Veracross LLC, and its subsidiaries, are responsible for the processing of personal data they receive, under the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, and subsequently transfer such personal data to a third party acting as an agent on their behalf. Veracross LLC, and its U.S. subsidiaries, comply with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF Principles for all onward transfers of personal data from the EU, the UK, and Switzerland, respectively, including the onward transfer liability provisions.

The Federal TradeCommission has jurisdiction over Veracross LLC, and its subsidiaries, compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. In certain situations, Veracross LLC, and its subsidiaries, may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Veracross LLC, and its subsidiaries, commit to resolve DPF Principles-related complaints about their collection and use of your personal data. EU and UK individuals and Swiss individuals with inquiries complaints regarding our U.S. affiliates’ handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact us at privacy@fireflylearning.com

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Veracross LLC, and its subsidiaries, commit to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our U.S. affiliates’ handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.

For complaints regarding EU-U.S. DPF, Swiss-U.S. DPF, and UK Data Bridge compliance not resolved by the EU, Swiss, or UK IRM panel, you have the possibility, under certain conditions, to invoke binding arbitration. Further information can be found here.

Canadian Residents

Please note that we may process, store, and transfer your personal information in and to a foreign country, with different privacy laws that may or may not be as comprehensive as Canadian law. In these circumstances, the governments, courts, law enforcement, or regulatory agencies of that country may be able to obtain access to your personal information through the laws of the foreign country. Whenever we engage a service provider, we require that its privacy and security standards adhere to this policy and applicable Canadian privacy legislation.

 

7. Data security 

We have used reasonable organisational, technical and administrative measures to protect personal data within our organisation. Unfortunately, no transmission or storage system can be guaranteed to be completely secure, and transmission of information via the internet is not completely secure. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of any account you might have with us has been compromised), please immediately notify us of the problem by contacting us using the details in the Contact Information section below.

In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. 

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

For the most up-to-date Firefly data security measures, see our Trust Centre.

 

8. Data retention 

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

By law we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for six years after they cease being customers for tax purposes.

In some circumstances you can ask us to delete your data: see paragraph 9 below for further information.

In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you. 

You can find more information about our data retention policies by emailing privacy@fireflylearning.com.

 

9. Our Policy on children 

Our Site and Applications are not intended for visitors under 18 of age. No one under 18 may provide any personal data to or on Applications or the Site. We do not knowingly collect personal data from children. If you are under 18, do not use or provide any information on this Site or our Applications or through any of their respective features, or provide any information about yourself to us, including your name, address, telephone number, or email address. If we learn we have collected or received personal data from a child, we will delete that information. If you believe we might have any information from or about a child, please contact us at privacy@fireflylearning.com.

U.S. users

No one under age 13 may provide any personal information to or on the Site or the Applications, unless they are an authorised user at one of our Customers and their personal data is collected and used as part of our Services to that Customer, in which case any such collection and use isn’t governed by this Policy but by our Data Processor Addendum or other data processing terms in place between Firefly and the Customer.

To access our notice to our Customers under the U.S. Children's Online Privacy Protection Act of 1998 and its rules, please see our COPPA notice. 

California residents under 16 years of age may have additional rights regarding the collection and sale of their personal information. Please visit our notice to California residents here for more information.

 

10. Your legal rights 

You have a number of rights under data protection laws in relation to your personal data. Please click on the links below to find out more about these rights:

You have the right to:

  • Request access to your personal data.
  • Request correction of the personal data.
  • Request erasure of your personal data.
  • Object to processing of your personal data.
  • Request the transfer of your personal data.
  • Right to withdraw consent at any time where we are relying on consent to process your personal data.
  • Request restriction of processing of your personal data.

U.S. Residents: Your State Privacy Rights

California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia provide (now or in the future) their state residents with rights to:

  • Confirm whether we process their personal information.
  • Access and delete certain personal information.
  • Correct inaccuracies in their personal information, taking into account the information's nature processing purpose (excluding Iowa and Utah).
  • Data portability.
  • Opt-out of personal data processing for:
    • targeted advertising (excluding Iowa);
    • sales; or 
    • profiling in furtherance of decisions that produce legal or similarly significant effects (excluding Iowa and Utah).
  • Either limit (opt-out of) or require consent to process sensitive personal information. 

The exact scope of these rights may vary by state. If you are a California resident, California law may provide you with additional rights regarding our use of your personal information. To learn more about your California privacy rights, visit Privacy Policy for California Residents.

To appeal a decision regarding a request to exercise your rights with respect to your personal data please send an email to privacy@fireflylearning.com, specifying the nature of your rights affected by the decision and your arguments in support of the appeal, and include a copy of the decision, along with any supporting documentation, and the best phone number and email address to reach you back on. We’ll review your appeal and revert to you with our decision as soon as possible.

Canadian residents

Rights of users located in Canada are governed by the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, the Personal Information Protection Act, R.S.A. 2003, c. P-6.5, the Personal Information Protection Act, R.S.B.C. 2003, c. 63 and an Act respecting the protection of personal information in the private sector, CQLR, c. P-39.1, as amended by Law 25, An Act to modernise legislative provisions as regards the protection of personal information (as applicable based on the location of the user in Canada).

Since the adoption of Law 25, Quebec residents have enhanced rights with respect to their personal information, including: 

  • Access Rights: the right to receive confirmation of the processing of their personal information, of the nature of the information being processed, and to receive a copy of it.  
  • Data Portability Right: the right, subject to certain exceptions, to ask that the processing organisation communicate to them computerised personal information in a written, intelligible transcript, and any collected personal information in a structured, commonly used, technological format.
  • Rectification Right: subject to certain requirements and exceptions, the right to ask to correct the information in the processing organisation’s possession t is inaccurate, incomplete, or ambiguous, or if collecting, communicating, or keeping it is not authorised by law. 
  • De-indexation Right or "Right to be Forgotten": the right to ask organisations to stop disseminating their personal information or to de-index any hyperlink attached to their name giving access to information if this dissemination causes them harm or contravenes the law or a court order.
  • Automated Decision Making: the right to be informed when they are the subject of a decision based exclusively on automated processing of their personal information. Organisations must also, on request, inform them about the personal information used to make the decision, the reasons and main factors leading to the decision, and the right to request correction of the personal information used to make the decision. They must also be given the opportunity to present their observations to a member of their staff for review of this decision. 

Exercising Your Data Subject Rights

The following section only applies to you if we collect and process your personal data directly and for our own purposes, not on behalf of our Customers for purposes of the Services we provide to you on their behalf. If we collect and/or otherwise process your information this section does not apply to you and we ask that you please direct any request to exercise your data subject rights to the Customer on behalf of which we process your personal data for purposes of our Service. 

You may exercise your data subject rights by submitting a request to our Privacy Portal.

Individuals who submit requests to exercise data subject rights will be required to verify their identity by answering certain questions. We cannot process data subject rights requests until your identity is verified. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

If you are making a request for access, we may not be able to provide specific pieces of personal data if the disclosure creates a substantial, articulable, and unreasonable risk to the security of your personal data, your account with us, or our systems or networks.

If you are making a request for erasure of personal data, we will ask that you confirm that you would like us to delete the personal data again before your request is processed.

You may designate an authorised agent to submit a request on your behalf by providing that agent with your written permission. If an agent makes a request on your behalf, we may still ask that you verify your identity directly with us before we can honour the request.

Agents who make requests on behalf of individuals will be required to verify the request by submitting written authorisation from the individual. We will not honour any requests from agents until authorisation is verified.

If you are seeking to access, correct, or delete information on our Services, we may refer your request to the Customer on whose behalf we process your personal data for purposes of our Services.

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated. 

 

11. Contact details

We welcome your comments or questions about this Policy. You may contact us in writing at privacy@fireflylearning.com or 167-169 Great Portland Street, 5th Floor, London, United Kingdom, W1W 5PF.

 

12. Complaints

We are committed to resolving any complaints about our collection or use of your personal data. If you would like to make a complaint regarding this Policy or our practices in relation to your personal data, please contact us at: privacy@fireflylearning.com. We will reply to your complaint as soon as we can and in any event, within 45 days. We hope to resolve any complaint brought to our attention, however if you feel that your complaint has not been adequately resolved, you reserve the right to contact your local data protection supervisory authority, which for the UK, is the Information Commissioner’s Office.

If you are based in Australia, you may contact the Office of the Australian Information Commissioner (OAIC) (www.oaic.gov.au).

 

13. Changes to this Policy and your duty to inform us of changes 

We keep our Policy under regular review. We reserve the right to modify the Policy at any time, so we encourage you to review it frequently. We will post any modifications or changes to the Policy on www.fireflylearning.com. If we make any material change(s) to the Policy, we will notify you via email prior to such changes(s) taking effect. The “Last Updated” legend above indicates when this Policy was last changed. Historic versions can be obtained by contacting us.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us, for example a new address or email address.

 

14. Third-party links

Our Site may contain links to third party websites and features. This Policy does not cover the privacy practices of such third parties. These third parties have their own privacy policies, and we do not accept any responsibility or liability for their websites, features or policies.  Please read their privacy policies before you submit any data to them.

 

15. Glossary

YOUR LEGAL RIGHTS 

You have the right to:

  • Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
  • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground, as you feel it impacts on your fundamental rights and freedoms. You also have the right to object, where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information, which override your rights and freedoms.
  • Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
    • If you want us to establish the data’s accuracy.
    • Where our use of the data is unlawful, but you do not want us to erase it.
    • Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
    • You have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it.
  • Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which     you initially provided consent for us to use or where we used the information to perform a contract with you.
  • Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

When your personal data was collected by any of our Customers and processed by us on behalf of such Customers please contact your educational institution to exercise any of the above rights.