Data Security and Privacy Plan

Thimble.io restricts access to confidential and sensitive data to protect it from being lost or compromised in order to avoid adversely impacting our customers, incurring penalties for non-compliance and suffering damage to our reputation. While we must ensure users can access data as required for them to work effectively, we prioritize the security and privacy of our users’ data above all else.

Data Security

Thimble.io Inc. strives to meet the following legal data regulations and requirements and aligns with their standards:

Family Educational Rights and Privacy Act (FERPA) - United States: FERPA is a US federal law that protects the privacy of student education records. It applies to all educational institutions that receive funds under an applicable program of the US Department of Education. Under FERPA, schools must have written permission from the parent or eligible student to release any information from a student's education record.
Children's Online Privacy Protection Act (COPPA) - United States: COPPA is a US federal law that applies to the online collection of personal information from children under 13 years of age. COPPA requires that website operators and online services obtain parental consent before collecting, using, or disclosing personal information from children under 13. It also mandates that website operators provide a privacy policy outlining their practices regarding the collection and use of personal information.
California Consumer Privacy Act (CCPA) - California, United States: The CCPA applies to businesses operating in California and grants consumers the right to access, delete, and opt-out of the sale of their personal information. While the CCPA does not specifically target educational institutions, it does apply to organizations that collect and process personal information of California residents, including students.
General Data Protection Regulation (GDPR) - European Union: The GDPR is a comprehensive data protection regulation that applies to organizations operating within the European Union (EU) or processing personal data of EU residents. The GDPR grants individuals the right to access, correct, delete, and restrict the processing of their personal data. It also requires organizations to implement appropriate security measures and obtain explicit consent before processing personal data.
Local and Regional Regulations: In addition to the regulations mentioned above, there may be other local or regional data protection laws that pertain to student data. It's essential to familiarize yourself with the specific requirements of the jurisdictions where Thimble.io operates.

To ensure that data generated by the Thimble.io SAAS platform meets the regulatory requirements mentioned above, we take the following steps:

Enable encryption: Ensure that your data is encrypted both at rest and in transit. GCP offers automatic encryption at rest and supports various encryption options for data in transit, such as SSL/TLS.
Access control: Implement proper access control mechanisms to limit access to personal information. Use GCP's Identity and Access Management (IAM) service to define roles and permissions for users and service accounts.
Regular audits: Perform regular security audits and vulnerability assessments to identify and mitigate potential risks. GCP provides tools like Security Command Center and Cloud Security Scanner to help you monitor your security posture.

User Privacy

At Thimble.io, we value the privacy of our users and are committed to protecting their personal information. This Privacy Policy outlines the types of information we collect, how we use and protect it, and the rights and choices our users have concerning their data. By accessing and using our platform, you agree to the terms of this Privacy Policy.

Information We Collect

When users access Thimble.io’s websites, we collect the following types of information:

Personal information: Including first name, last name, and email address.
Usage data: Including log in, log out, session duration, projects accessed, projects completed, projects in progress, quiz scores, and testing scores.
Test data: Including test questions, answers, and the time taken to answer questions.

We do not collect any additional demographic information about our users. We do not sell or distribute any user information to third parties. We do not allow or permit direct communication between student users and Thimble.io employees.

How We Use the Information

We use the collected information for the following purposes:

To provide and improve our services.
To personalize and enhance the user experience.
To track and analyze usage data for internal research and development.
To maintain the security and integrity of our platform.
To comply with legal and regulatory requirements.

Sharing and Disclosure of Information

We may share user information with third parties in the following situations:

With the user's school or educational institution, as authorized by the school or applicable regulations.
In response to legal requests, such as court orders or subpoenas, or to comply with applicable laws and regulations.

Data Protection and Security

We implement industry-standard security measures to protect user information, including:

Data encryption at rest and in transit.
Access control and authentication mechanisms.
Regular security audits and vulnerability assessments.

User Rights and Choices

Users have the following rights concerning their personal information:

Users can request access to their data at any time.
Users can request to delete their data at any time.

Changes to the Privacy Policy

We may update this Privacy Policy from time to time. We encourage users to review the Privacy Policy regularly to stay informed about our data practices.

Contact Information

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at:

Thimble.io
2495 Main St Ste 443
Buffalo, NY 14214
Email: support@thimble.io