Is your learning service already with Storypark?
Ask them for an invite.
We know how important security and privacy is to you. They are at the heart of Storypark and as such we strive to make things as safe and clear as possible for everyone involved.
This privacy policy sets out how Storypark (“Storypark”, “we”) treats the privacy of those who use our website and associated services and others with whom we interact.
Please take a moment to read this Privacy Policy so you understand how we process Personal Data.
By accessing our Service, or by providing Personal Data directly to us, you consent to our processing your Personal Data in the manner and for the purposes set out in this Privacy Policy. If relevant to the Purposes set out in this Privacy Policy, Personal Data may at times include Sensitive Data.
Capitalised terms defined in Storypark’s End User Terms have the same meaning in this Privacy Policy. In addition, the following capitalised terms have the following meanings:
a) “Service Users” means Customers, Customer Organisations, Primary Account Holders and Authorised Users.
b) “Data Protection Laws” means the data protection and privacy laws applicable to our processing of your Personal Data that we are committed to comply with, including as applicable:
the Privacy Act 2020 (New Zealand);
the Privacy Act 1988 (Cth, Australia);
the Personal Information Protection and Electronic Documents Act, SC 2000, c5 (federal, Canada);
the Personal Information Protection Act (Alberta, Canada);
the Personal Information Protection Act (British Columbia, Canada);
all applicable United States federal and state privacy laws, including, but not limited to, the California Consumer Privacy Act of 2018 (CCPA), Early Learning Personal Information Protection Act (ELPIPA);
the United Kingdom Data Protection Regulation (UK GDPR); and/or
any other applicable privacy legislation.
c) "End User Terms” means the Storypark end user terms available at Terms and Conditions (available at end user terms) and, if you are accessing the Service for or on behalf of a Customer, the Customer agreement between Storypark and the relevant Customer.
d) “process” or “processing” means any operation or set of operations which is performed on Personal Data, such as collection, recording, organisation, structuring, storage, adaptation, use, disclosure, combination, restriction, or erasure.
e) “Security Incident” means any unauthorised or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Personal Data.
f) “Sensitive Data” means Personal Information relating to a person’s physical or mental health, race or religion.
g) “Service” means the Storypark Service.
h) “Storypark” means the Storypark entity that you contract with (and, if you are a Customer, that you pay your fees to). This will be: Storypark Limited (a New Zealand limited liability company, registered in Wellington, New Zealand
This Privacy Policy applies to all Personal Data processed by Storypark, including, but not limited to Personal Data submitted by Service Users through the Service.
From time to time we will review our Privacy Policy to keep pace with changes in our Service and any Data Protection Laws. This document is our most recently updated Privacy Policy. We encourage you to read it carefully.
If you have any questions or comments, or want to access, update, or delete the Personal Data we hold about you, or have a privacy concern please contact us using the contact details in section 15 of this Privacy Policy.
Please provide sufficient detail about the information in question to help us locate it. We will respond to any privacy request in compliance with the applicable Data Protection Laws.
We may collect the following categories of Personal Data in in the following situations:
a) Personal Data you voluntarily provide to us: When you give us your Personal Data directly (whether face-to-face, by telephone, email, post, through social media or by communicating with us in any way), when we meet with an organisation wishing to do business with us and an individual from that organisation provides Personal Data about themselves, when you apply for a job with us, or when you sign up or register to become a Service User, or when you enter into a transaction with us you are voluntarily giving us the Personal Data that we collect.
Categories of Personal Data: The Personal Data we may collect includes your name, physical address, email address, login for the Services, feedback and suggestions for the Services, IP address, phone number, billing information in accordance with our End User Terms, occupation, employer, job title, area of responsibilities, employment history, and educational qualifications.
b) Our email marketing list: When you become a Service User, or where you elect to sign up to our email marketing list, we may collect your name, email address, and email marketing preferences.
c) Personal Data we collect automatically: When you use our Service or browse our Website, we may collect information about your usage and web browsing. We may collect the Personal Data as log files, or through cookies or other tracking technologies (see the “Cookies and tracking” below for more information), store it against the associated Account, and link it to the other Personal Data we hold about an Account.
Categories of Personal Data: The Personal Data we may collect includes your IP address, your operating system, your browser ID, time, date, your browsing activity, your interaction with the Service (including any Content, comments, and location).
d) Personal Data uploaded and transferred to the Service by Service Users: We collect Personal Data about persons (including Children) indirectly when Service Users use the Service, such as when a Service User:
creates a Family Child Record, Organisation Child Record, or Educator portfolio, or invites another person to become a Service User (including an invitation to become a Primary Account Holder or Authorised User);
uploads and transfers Content that contains Personal Data (including photographs or videos of another person including Children, or uploads and transfers materials created by another person including Children); or
posts a comment or tags Content on the Service that contains Personal Data of another person.
We may use various technologies to collect and store information when you use our Service, and this may include using cookies and similar tracking technologies, such as pixels and web beacons. You may control the use of cookies at the individual browser level, however your use of the Website and Service may be affected.
Personal Data may be collected as log files, or through cookies or other tracking technologies, stored against associated Accounts, and linked to the other Personal Data we hold about associated Accounts.
We process Personal Data for the following purposes:
a) to create and administer Accounts.
b) to enable the features of the Services to be utilised and enjoyed, subject always to our End User Terms. This may, for example, entail incidental posting of photographs/videos of a Child on another Child’s Organisation Child Record. Those posts may remain viewable even once a Child no longer attends a Customer Organisation as long as the relevant Organisation Child Record is retained.
c) to create and update Organisation Child Records;
d) to facilitate a Storypark user inviting other users to view and interact with a child’s profile on Storypark;
e) to analyse user behaviour (in respect of the Website) and Service User behaviour (in respect of the Service) for the purposes of:
determining Service developments;
inviting users or Service Users to explore other features within the Website or Service, and otherwise to generally promote our Service;
ensuring the security of the Website and the Service; and
combating and preventing breaches of our End User Terms, other user agreements, this Privacy Policy and our other policies;
f) to respond to enquiries, feedback or complaints received from you;
g) to perform authorised financial transactions with you and to help us to manage our accounts and administrative services;
h) to verify your identity;
i) for directly marketing to you (including by email, post, other means, or through functionality within the Service) with information about our Service;
j) on an aggregated non-identifiable basis, to:
help Storypark understand its market position;
assist with marketing our Services to others, including in respect of any online advertising; and
deliver a statistical result to help with general Storypark announcements;
k) incidentally, where Educators and their educational mentors, for their further professional development, may view, some content of an Account or Child Records to which the relevant Customer or Customer Organisation has lawful access;
l) to protect our legal interests and fulfil our regulatory obligations, including any notification or reporting obligations and any access directions, imposed on us by any Government agency (if and to the extent necessary);
m) for ensuring the trust and safety of any Child and Authorised Users of the Service; and
n) in other circumstances, provided we comply with applicable Data Protection Laws.
Performance of a contract: You acknowledge and agree that the processing identified below is necessary for the performance of a contract to which the data subject is party (being the Agreement):
to carry out User and Account administration tasks;
to manage and deliver the Service; and
to manage any disputes (including disputes over invoices or delivery of the Service).
Legitimate interests: In respect of all other processing of Personal Data detailed in this Privacy Policy (including direct marketing activities), such processing is necessary for the purposes of a legitimate interest pursued by Storypark, and we have assessed that such interests are not overridden by the interests or fundamental rights and freedoms of the persons to whom the Personal Data relates.
You have the right to object to the way we processes your Personal Data where the processing is based on legitimate interests. For more information see “Your Rights” section below.
Data Processor: In respect of Personal Data uploaded and transferred to the Service by Service Users we are a joint data-controller alongside the relevant Service User. However, the relevant Service User is responsible for determining the legal basis upon which that Personal Data is processed. Please see the End User Terms which outline the Service User’s obligations in this regard.
All those with whom we interact have the option to opt-out of receiving direct marketing communications from us. If you do not wish to continue to receive direct marketing communications from us and/or selected third parties you should opt-out by clicking on the “unsubscribe” link in any email communications that we might send you.
Please note that some features of the Service may involve us providing, through the functionality within the Service, recommendations or suggestions for goods, services or benefits that we offer.
We will retain your Personal Data for as long as the Account associated with you is active, or as long as needed to provide you with our Service or otherwise as required or permitted by law.
We take steps to regularly destroy Personal Data, however we may:
a) in some cases, retain a copy of your Personal Data to comply with our legal obligations, resolve disputes, enforce our agreements and to comply with our trust and safety obligations. Personal Data retained for this purposes will be archived and stored in a secure manner after your Account has been closed, and will not be accessed unless required for any of these reasons; and
b) retain Personal Data in an aggregated, de-identified or otherwise anonymous form, such that there is no reliable way of identifying you from the information.
We will not sell Personal Data to anyone.
We share Personal Data with third parties for limited purposes, such as to help us run our business and provide the Website and Service. Those third parties can be categorised as follows:
a) Service Users: At the direction of a Customer, Customer Organisation or Primary Account Holder (as applicable)Storypark shall disclose Content (which may contain Personal Data) through the Service to other Service Users. For example:
The family version of the Service enables Service Users to tag posts and Content in a way as to identify particular interests of a Child or features of a Child’s development or progress. Storypark may be directed to disclose this Personal Data to an Authorised User (such as an Educator), to facilitate their understanding of the Child’s progress, development, interests etc.
the Service will enable an Authorised User to access (and upload) Sensitive Information relating to a Child, solely for the purpose of their understanding of the Child’s progress, development, interests, etc.
Educators may share stories from an Organisation Child Record with Authorised Users (including any person invited by the Primary Account Holder to have access to that Child’s stories).
Stories from an Organisation Child Record (which may include Sensitive Information of a Child) may also be shared by Authorised Users with other family members of a Child’s Storypark community, However, Authorised User’s cannot disclose notes, routines or plans from an Organisation Child Record with any other family members of a Child’s Storypark community or any other parents or families.
Educators may share group stories (which may include Sensitive information of a Child) relating to two or more Children with family members from the Storypark community for the relevant Children.
Educators may share group plans (which may include Sensitive information of a Child) with the Primary Account Holders for all Children included in the group plan.
Storypark may be directed to allow a Customer Organisation (or, if applicable a Customer that operates the Customer Organisation) to access an Educator portfolio and its associated Personal Data (where that Customer or Customer Organisation maintains the Account to which an Educator portfolio relates).
We have no direct relationship with any person other than you, and for that reason, you are responsible for making sure you have the appropriate permission for us to disclose any Content (which may contain Personal Data) in the manner you direct through the Service. Please see the End User Terms which outline your obligations in this regard.
If you no longer want to be contacted by one of our Service Users, please contact the relevant Customer or Customer Organisation directly.
b) Service providers: We share your Personal Data with our third party service providers, who help us provide and support our Service. For example:
Organisations who carry out credit, fraud and other security checks;
Payment processors;
Hosting services;
Content delivery services;
IT support providers; and
Marketing businesses engaged by us to disseminate materials to which recipients have consented.
We limit the information we provide to third parties to the information they need to help us provide or facilitate the provision of goods and services and associated purposes. We deal with third parties that are required to meet the privacy standards required by law in handling your Personal Data, and use your Personal Data only for the purposes that we give it to them.
c) Sale, merger, consolidation, liquidation, reorganisation, or acquisition: If Storypark or substantially all of its assets were acquired by a third party, Personal Data which we hold may be one of the transferred assets (subject to the same constraints on use and disclosure as under this policy).
d) Legal obligation: If we are under a duty or have a legal right to disclose or share Personal Data in order to comply with any legal obligation or request or investigation issued by any Government agency, or in order to enforce or apply our terms and conditions or to protect our rights, property, or the safety of our personnel or third parties. This includes exchanging information with other companies and organisations for the purposes of fraud protection, trust and safety and credit risk reduction.
CCPA: If you are based in California in the USA, we agree that we will not: (a) sell your Personal Data to any third party; (b) retain, use or disclose your Personal Data for any purpose other than as set out in this Privacy Policy and any other agreement you sign up to with us; (c) retain, use, or disclose your Personal Data for a commercial purpose other than as set out in this Privacy Policy and any other agreement you sign up to with us; or (d) retain, use, or disclose the Personal Data outside of the direct business relationship between them, other than as set out in this Privacy Policy and any other agreement you sign up to with us.
Storypark’s head office is located in New Zealand, so some limited Personal Data is transferred and/or stored there. For the purposes of the EU GDPR and the UK GDPR, New Zealand has been recognized as providing adequate protection
The vast majority of Personal Data we handle is stored and hosted in Australia. All Personal Data relating to Children on Storypark is hosted in Australia.
Some limited Personal Data may be provided to companies located in the USA who offer software as a service products that process content for inclusion on the Service (for example, conversion of images and videos to make them suitable for viewing online/ through a web browser). Those third parties located overseas are not permitted to (and are contractually obligated to not) access or use the Personal Data provided except for those limited purposes. We only choose reputable service providers and have agreements with such third parties that prevent them from using or disclosing to others the Personal Data we share with them, other than as is necessary to assist us.
In respect of the transfer of Personal Data to New Zealand, Canada, Australia, the USA and other countries, we will use reasonable efforts to obtain assurances from any third parties that they will safeguard personal information consistent with this Privacy Policy and all applicable Data Protection Laws.
While the information resides outside of the territory where you reside, it may be accessible to the local courts, law enforcement and national security authorities in a foreign jurisdiction.
We take all reasonable steps to protect Personal Data, including through internal and external security, restricting access to Personal Data to those who have a need to know, maintaining technological products to prevent unauthorised computer access and regularly reviewing our technology to maintain security. We choose technology partners based on their security and privacy policies and practices.
Personal Data stored in our system is protected by electronic and procedural safeguards. We take reasonable precautions to protect Personal Data (and other content) from accidental loss and theft by storing it in secure data centres with off-site backups. Communication between Service Users and our servers is encrypted via industry-standard secure sockets layer (SSL).
The Service is protected by a secure and encrypted password that each Service User must choose themselves. Service Users should never share their passwords. Storypark is not responsible for any loss of data or breach of privacy if a Service User shares their password with someone else. We do not store your password on our servers.
Because internet transmissions cannot be guaranteed to be 100% secure, you acknowledge and agree that you use the Service at your own risk.
In case of a security incident or any other breach of security safeguards, such as the loss of, unauthorised access to or unauthorised disclosure of Personal Data under Storypark’s control, we will respond in accordance with our obligations under applicable Data Protection Laws.
You have the right to access your readily retrievable Personal Data that we hold about you, and to ask for it to be corrected if you think it is wrong.
If you are based in the European Union or the United Kingdom you have the right, under the EU GDPR or the UK GDPR (as applicable), to:
in certain circumstances, have your Personal Data erased;
restrict the processing of your Personal Data;
move, copy or transfer your Personal Data easily for your own purposes across different services in a safe and secure way;
object to processing where we rely on our legitimate interests as the lawful basis for processing;
withdraw your consent at any time, where our processing of your Personal Data is based on consent; and
lodge a complaint with an appropriate supervisory authority, if you consider that our processing of your Personal Data has breached the EU GDPR or the UK GDPR (as applicable).
If you are a resident of California, you have the right under the CCPA:
to request and obtain from us, once a year and free of charge, information about categories of Personal Data (if any) we disclosed to third parties for direct marketing purposes and the names and addresses of all third parties with which we shared Personal Data in the immediately preceding calendar year;
subject to certain exceptions, to request the deletion of your Personal Data that we have collected from you; and
subject to certain exceptions, not to receive discriminatory treatment for the exercise of your CCPA privacy rights.
We will respond to any request made in respect of the above in accordance with the applicable Data Protection Laws.
Please note that in certain circumstances we may refuse to respond to a rights request where we have the right to do so under applicable Data Protection Laws, for example, where a request is manifestly unfounded or excessive.
Requests for such access and correction requirements can be made to the contact details in section 15 of this Privacy Policy.
Please note that where we are not, or are no longer, in a position to identify you within the information we hold (including because of any de-identification techniques we may have employed), then your rights as described above shall not apply.
We will respond to any request made in respect of the above without delay, but in any case within one (1) month of a request, or two (2) months where the requests are complex or numerous (in which case, we will inform you of such delay).
If your Storypark Account terminates (for whatever reason), the Personal Data associated with it may no longer be accessible to you. Any Content you have posted from your Account may still be available to other Service Users that the Content has been associated with. There may continue to be residual copies of such Content due to ongoing data back-up and archiving.
If you wish to exercise your rights under this Privacy Policy or any applicable Data Protection Laws or otherwise raise any privacy issue with us, you can do this by emailing our Privacy Officer at hello@storypark.com. Your email should provide evidence of who you are and set out the details of your request (e.g., the Personal Data, or the correction, that you are requesting).
If you are located in New Zealand and believe we are unlawfully processing your Personal Data, you can lodge a complaint with us directly using the above contact details, or you can lodge a complaint with the New Zealand Privacy Commissioner. Information about how to lodge a complaint is available at Privacy Commissioner’s website.
If you are located outside New Zealand, you may also lodge a complaint regarding our Personal Data processing activities as they relate to your Personal Data with your relevant privacy law supervisory authority.