PRIVACY POLICY

1. DESCRIPTION OF THE SERVICE

Tartan provides cybersecurity awareness training and phishing-simulation services for staff and students of elementary and high schools.

2. HOW WE OBTAIN PERSONAL DATA

The Service requires the collection and processing of your personal data, which is information about you or that identifies both students and educators. Subject to legal, contractual and technical requirements, users may choose not to provide Tartan with certain data or request the deletion of certain data, which may impact the essential operation of the Service.

The Service is intended for use at the direction of schools by educators and is not intended to operate as a social platform or facilitate any social interaction between users. Users cannot create or upload content. The use of the Service is to be at the express direction of the educator. Schools are responsible for obtaining any consent required for users of the Service ages 13 years and under as well as teens. Parents of children ages 13 years and under have the right to withdraw consent for the collection of their child's personal information at any time. Consent is obtained by the educational institution prior to student account activation. If a parent withdraws consent, we will work with the school to delete the student's information within 30 days

3. PERSONAL DATA WE COLLECT

Tartan only collects the minimum amount of personal data necessary to provide and improve the Service. Tartan collects certain personally identifiable information as defined by applicable law when a user begins using the Service, submits information through submission forms, contacts Tartan, or uploads information to the Service. Tartan acts as a data processor for student and staff information you supply. The school or the district remain the data controller and are responsible for obtaining any required consents under the applicable law. Personal data is collected by Tartan when it is shared by the user's associated organization account administrator, which is determined at the express discretion of the organization. The following is a description of the personal data that we may collect, use and process in connection with the foregoing:

• Account Information: Administrator name, your full name, job title, telephone number, physical address, email address and password.
• Recipient Information: User (student/staff) full name, school email, department and role.
• Usage Information. Usage data including location, browser type, operating system, IP address and activity (access times, page history, links clicked, emails reported, training completed, screens viewed, buttons clicked, time spent on training modules) when using the Website and Application;
• Payment Information. Payment information, which is collected and processed solely by third-parties (such as Stripe) and to which Tartan does not have access (other financial information may be shared with Tartan on occasion, including bank account information and payment terms - only in cases where you decide not to use a payment processor, ex. Stripe, but would still like to use the Service); and
• Other Information. Answers to feedback surveys, newsletters and comments/requests made through the Website, Application or by email, and help-desk messages and outbound email engagement.

As the Services are provided at the request of your educational institution, Tartan does not have control over how your educational institution utilizes your personal data collected through your use of the Services for their purposes.

4. PROCESSING OF YOUR PERSONAL DATA

We process your personal data for our legitimate business purposes including but not limited to:

• providing the Service to you, including tailoring the Service to your needs based on the data that you provide to Tartan;
• understanding your needs and improving the quality of the Service, including providing customer support and feedback, analyzing functionality and technical issues and generating internal reports and data models that we use to improve the Service;
• contacting you for various reasons such as when providing customer support; and
• for contractual, legal, regulatory or audit obligations, including responding to requests from law enforcement or a government agency asserting lawful authority to obtain the data or where Tartan has reasonable grounds to believe the data could be useful in the investigation of unlawful activity, complying with a subpoena or warrant or an order made by a court, person or body with jurisdiction to compel the production of data, complying with court rules regarding the production of records and data, defending Tartan in a legal, regulatory or administrative proceeding or in a contractual dispute or providing information to our legal counsel.

In all cases, all data you share with Tartan will be handled with care, and only authorized employees, agents, contractors who have agreed to keep all personal information secure and confidential have access to such information. We may disclose your personal data to our parent companies, affiliates, subsidiaries, employees and contractors for the same purposes described above.

5. THIRD-PARTY SERVICES

While Tartan does not share personal data with third parties, this Privacy Policy only applies to personal data that Tartan collects, processes and discloses and does not apply to the collection, processing and disclosure of data by third parties through third-party services, including but not limited to: Amazon Web Services, Stripe (USA), Mailgun, Twilio Sendgrid (USA), Microsoft Clarity, Anthropic PBC (USA), Google Analytics 4, HubSpot, Meta Pixel, Linkedin Insight Tag, Bugsnag and SmartLead (USA), which may be broader than set forth in this Privacy Policy, and that may be embedded into the Service:

Tartan has executed appropriate Data Processing Agreements (DPAs) or Standard Contractual Clauses (SCCs) with each Sub-Processor to ensure compliance with applicable privacy laws (e.g., GDPR, FERPA, COPPA and NYS Ed Law 2-D). Tartan monitors these third-party sub-processors for compliance with Tartan's privacy and security standards and regularly review their practices.

In many cases, third parties may collect personal data about your online activities over time and across different websites and services. The Services may contain links to websites, mobile applications and other online services operated by third parties. These links are not endorsement of, or representation that Tartan is affiliated with, any third party. We strongly recommend that you read each third-party privacy policy carefully before using the Service. Please contact us directly using the information found below if you would like to learn more about third-party data practices.

6. COOKIES AND TRACKING TECHNOLOGIES

The Service uses tracking technologies, such as cookies (session based and support) and web beacons, to collect data about you, such as your IP address and device information. Based on this data, third parties may be able to resolve your identity across multiple devices. This data is collected, used and disclosed in accordance with the terms of this Privacy Policy and the applicable third-party privacy policies. Certain Service features may rely on tracking technologies and by declining to accept cookies or by changing certain settings on your device, you may not have access to these features.

7. OBTAINING, RECTIFYING AND CONTROLLING YOUR PERSONAL DATA

Except as otherwise provided, this Privacy Policy applies to residents and data subjects of states and jurisdictions where there are privacy laws applicable to us that grant their residents statutory rights. You may contact Tartan to obtain a copy of any personal data we collect about you, the production of which may be subject to a fee as permitted by applicable law. In addition, you may contact Tartan to correct inaccurate personal data or to complete incomplete personal data.

You may be able to opt-out of some or all of the ways in which your personal data is processed, or request the deletion of certain personal data, except where the personal data is necessary or vital for:

• the performance of contractual obligations, such as the Tartan Terms of Service or certain legal obligations agreed upon between your educational institution and Tartan;
• protecting your interests or those of another person; and
• our legitimate interests or the legitimate interests of a third-party,

and may do so by requesting deletion by contacting us using the contact information found below.

8. Data Storage and Retention

While Tartan is a Canadian company, the data you provide through the Service may be stored and processed by third parties in countries around the world and you hereby authorize Tartan and third parties acting on our behalf to process your data in any country of their choosing, which may cause your data, including personal data, to be subject to privacy protections and laws applicable in other jurisdictions.

Your personal data is retained until you request its deletion or until Tartan no longer requires such data for the purpose for which it was collected or until required to be deleted by laws applicable in your jurisdiction. Please email us at [email protected] to delete any personal data of yours that we hold.

9. Change of Ownership or Business Transition

In the event of, or in preparation for, a change of ownership or control of Tartan or a business transition such as the sale of some or all Tartan's assets, we may disclose and/or transfer your personal data to third parties who will have the right to continue to collect and use such data in the manner set forth in this Privacy Policy.

10. Security

We are committed to ensuring that your data is secure. To prevent unauthorized access, disclosure, or breach, we have put in place suitable physical, electronic, and administrative procedures to safeguard and secure the data we collect and process, including appropriate protections for any sensitive personal data we collect. These safeguards include encryption of sensitive data in transit and at rest, and role-based access controls.

11. Contact Preferences

We will communicate with you through your email address, phone or other digital methods in order to conduct the Service and to respond to support requests or comments.

If you have provided us with your email address and would like to change the email preferences we associate with you (for example, unsubscribing from receiving certain types of email) you may do so by clicking a link within certain types of emails that we send to you or, if no link is available, by replying with "unsubscribe" in the email title or body. On rare occasions, some types of email are necessary for the Service and cannot be unsubscribed from if you continue to use the Service.

12. Updates

Tartan reserves the right, in its sole discretion, to modify this Privacy Policy at any time (each an "Update") and shall make each Update available on the Website. You are deemed to accept an Update by continuing to use the Service. Unless Tartan states otherwise, an Update is automatically effective 30 days after posting on the Website, except in such case where an Update is immaterial to any of your legal rights or legal obligations of Tartan and such Update is made only to correct a typographical, formatting or grammar inaccuracy, and in such case, an Update is effective immediately after posting on the Website.

13. Contact Us

If you have requests, questions or comments about the Privacy Policy or our data collection in general, please contact our Data Privacy Officer or our Privacy Team at [email protected] or at