PRIVACY POLICY - TARTAN APP
Effective Date: April 24, 2026
1. INTRODUCTION
This privacy policy governs the collection and use of information by Tartan App Inc. ("Tartan"), including, without limitation, information collected through the Tartan website located at https://tartan.app (the "Website"), the related web-based application located at https://my.tartan.app ("Application"), and any other products or services to which this Privacy Policy applies (collectively, the "Service"). This Privacy Policy explains Tartan's practices for collecting, using, sharing, and otherwise processing personal information in connection with the Service. Tartan primarily offers its Service to academic institutions, such as school districts, school boards, and independent schools, their students and employees. When Tartan provides the Service to an academic institution, Tartan is a processor of information and "School Official" (as such term is defined under applicable student data privacy laws) acting on behalf of, and under the direction and control of, such academic institution. In such cases, the academic institution is the controller of information and retains all rights in the Student Data. When processing Student Data on behalf of an academic institution, Tartan will process such Student Data only for providing the Service as requested by the academic institution and in compliance with all applicable laws and regulations including, but not limited to, the Family Educational Rights and Privacy Act ("FERPA"), the Children's Online Privacy Protection Act ("COPPA"), and U.S. state student data privacy laws. If the terms of this Privacy Policy conflict with the terms of any Student Data Privacy Agreement between Tartan and an academic institution, the terms of the Student Data Privacy Agreement will control.
By clicking "I agree" or similar confirmation, by creating an account on the Service or by using the Service you are agreeing to be bound by the Privacy Policy. If you are using the Service on behalf of an organization, you represent that you have the authority to bind the organization to this Privacy Policy and are agreeing to this Privacy Policy for that organization. Where you are using the Service on behalf of an organization, "you" and "your" refer to the organization.
2. DESCRIPTION OF THE SERVICE
Tartan offers cybersecurity awareness training and phishing simulation services for use by educational entities, schools (including elementary and high school) employees and students. The Service is provided at the direction of the school and is intended to be used for security education, training, and awareness efforts within the school.
3. COLLECTION OF PERSONAL DATA
As part of the Service, personal data about students and educators will be collected and processed by Tartan as provided by or on behalf of the educational institution. Students are not required to set up their own accounts or otherwise independently provide personal data to Tartan. All Student Data is provided to Tartan by the educational institution or by administrators acting on behalf of the educational institution in order to grant access to and use of the Service.
The Service is provided for use by students at the direction of the educational institution. The Service is not designed to be a social network or to enable social interaction between users of the Service. Students and other users will not be able to independently create content or upload content. The educational institution directs all use of the Service.
The educational institution will obtain any consent required by applicable law prior to the collection, use and disclosure of Personal Data, including the consent of a parent or guardian, as necessary. Parents and/or guardians can withdraw such consent through the educational institution at any time. If consent is withdrawn, Tartan will assist the educational institution with deleting the applicable Student Data within a reasonable period of time and in accordance with contractual and legal requirements.
4. PERSONAL DATA WE COLLECT
Tartan only collects and processes personal data that is necessary for the purposes of providing and supporting the Service. When the Service is provided to an educational institution, personal data, including Student Data, is submitted to Tartan by or on behalf of the educational institution or its authorized administrators. In such cases, Tartan acts as a processor with respect to the information and the educational institution is the controller and is responsible for ensuring that it has obtained any required consents under applicable law.
Student and Staff Data
When accessing the Service through an educational institution, Tartan collects and processes Student and Staff Data, which may include:
- Name and school-assigned email address
- Role (student/staff), department, and other organizational details
- Training module completion and scoring data
- Interaction and usage data within the Service
Threat Manager and Phish Report Button (Google Workspace & Gmail Add-On)
When a school enables the Threat Manager and Phish Report Button (Google Workspace & Gmail Add-On), Tartan requests access to Google user data, and processes reported email content and related technical data for phishing analysis, threat detection, administrator review, and remediation.
Depending on the report and the analysis required, this may include the email subject line, message body, sender and recipient email addresses, message identifiers, headers, links, attachment metadata, and, where necessary, attachment content, as well as related authentication results such as SPF, DKIM, and DMARC.
Tartan may also generate derived security information such as threat classifications, spoofing indicators, reputation results, QR code analysis, risk scores, and summaries. Tartan processes reporter and recipient identity data and limited organizational details only as needed to support administrator review and remediation within the school environment. Reported email content and related message data are retained for 7 days.
We do not use Google Data for advertising, marketing, or any other purposes not directly related to providing our Gmail Add-on.
Other Personal Data
- Account Information: Administrator name, full name (first and last), job title, phone number, physical address, email address, account login, and password.
- Usage Information: Technical information about browsers, operating systems, IP addresses, timestamps of when and how often our pages are accessed, page visit history, links clicked, emails reported to Tartan, including associated metadata (such as timestamps and sender/recipient information), training modules completed, buttons clicked in training modules, and amount of time spent on training modules.
- Payment Information: When you provide payment information to access paid features of the Service, that information is collected and processed by third-party payment providers (such as Stripe). Tartan does not have access to complete payment card numbers. In rare cases where we do not use a payment processor, we may ask you to provide us with billing or financial information directly. This would not include sensitive financial data, such as your complete credit card number, but would include information such as bank account numbers and payment terms.
- Other Information: Any information you provide when submitting support requests, surveys, communications, and through helpdesk interactions.
TARTAN DOES NOT COLLECT UNNECESSARY PERSONAL INFORMATION FROM STUDENTS AND DOES NOT EXPECT STUDENTS TO INDEPENDENTLY SUBMIT THEIR PERSONAL DATA.
5. THIRD-PARTY SERVICES
Tartan engages certain third-party service providers ("Subprocessors") to support the delivery, operation, and maintenance of the Service. These Subprocessors may process personal data, including Student and Staff Data, solely on behalf of and under the instructions of Tartan and the applicable educational institution, or as necessary to support authorised use of the Service in accordance with applicable agreements. Tartan ensures that all Subprocessors are subject to written agreements requiring them to protect personal data in a manner consistent with this Privacy Policy and applicable laws. Subprocessors are only permitted to process personal data to the extent necessary to provide their services and are not permitted to use such data for their own independent purposes.
The following Subprocessors are used in connection with the Service:
| Subprocessor Name | Country | Purpose / Service Provided | Personal Data Processed |
|---|---|---|---|
| Amazon Web Services (AWS) | USA | Cloud infrastructure and hosting | Data stored or processed via the application |
| Stripe, Inc. | USA | Payment processing | Limited payment and billing information (processed via Stripe; Tartan does not access full payment card details) |
| Mailgun Technologies, Inc. | USA | Transactional email delivery | Email addresses and message metadata (e.g., timestamps, delivery data) |
| ActiveCampaign, LLC (Postmark) | USA | Email notifications and messaging | Email addresses and message metadata (e.g., timestamps, delivery data) |
| Google LLC (Google Cloud / Google Workspace APIs) | USA | Google Workspace integration for directory synchronization, DMI integration, and school-enabled Gmail add-on features. | Limited Google Workspace user, directory, and administrative data needed to support directory sync, DMI integration, and when enabled by a school, reported email content and related metadata may also be processed for phishing analysis, administrator review, and remediation. |
| Bugsnag (SmartBear Software) | USA | Application performance monitoring and error tracking | Device data, error logs, and system identifiers (no Student Data content) |
| Anthropic PBC (Claude AI) | USA | AI-assisted phishing simulation content generation and, when enabled by a school, AI-assisted threat analysis, classification, and summary generation for email security features. | For phishing simulation content generation, pseudonymized scenario parameters, prompts, and related contextual inputs. When the Threat Manager and the Phish Report Button AI functionality is enabled by a school, reported email content and related metadata may also be processed for threat analysis, classification, and summaries, including subject lines, message bodies, sender and recipient email addresses, message identifiers, headers, links, attachment metadata, authentication results (such as SPF, DKIM, and DMARC), and related technical or contextual information. This may include non-pseudonymized personal data contained in reported messages. Student and Staff data is not used for training AI models. |
| Cloudflare, Inc. | USA | Website and application delivery, DNS, and security services. | IP addresses, browser and device data, request metadata, and limited traffic and security log information associated with use of the Website and Service. |
Other Third-Party Services
Certain third-party services (including Google Analytics, Meta Pixel, LinkedIn Insight Tag, Reddit Pixel, Google Ads Tag, Microsoft Clarity, HubSpot, and SmartLead.ai) are used in connection with Tartan's public-facing website, analytics, or marketing activities. These tools are not integrated into, and are not used to process Student Data within, the core Service provided to educational institutions.
| Service Provider Name | Country | Purpose / Service Provided | Personal Data Processed |
|---|---|---|---|
| HubSpot, Inc. | USA | CRM, support, and communication tools | Names, email addresses, and support interaction history (primarily administrative users) |
| Chargebee | USA | Subscription billing system | Business data of school only; no Student Data processed |
| Google Analytics | USA | Website analytics and performance monitoring | No personal data or Student Data is intentionally transmitted; limited to aggregated or non-identifiable usage data |
| Microsoft Clarity | USA | Website session analytics and heatmapping | No personal data or Student Data is intentionally transmitted; limited to aggregated or non-identifiable interaction data |
| Meta Pixel / LinkedIn Insight Tag / Reddit Pixel / Google Ads Tag | USA | Marketing and advertising analytics | No personal data or Student Data is intentionally transmitted; limited to cookie-based or aggregated data |
| SmartLead.ai | USA | Outbound communication and sales automation | Business contact data of school administrators only; no Student Data processed |
Where such tools are used, Tartan applies appropriate contractual, technical, and organisational safeguards. Tartan seeks to limit any Personal Data processed to what is necessary for legitimate service-related purposes and applies data minimisation measures. Where feasible and appropriate, aggregated, pseudonymized, or non-identifiable data will be used.
Tartan implements appropriate contractual and organizational measures, including Data Processing Agreements or similar safeguards, with its Subprocessors and monitors their compliance with applicable privacy and security standards.
The Service may contain links to third-party websites or services that are not operated or controlled by Tartan. This Privacy Policy does not apply to such third-party services, and Tartan is not responsible for their data practices. Users are encouraged to review the privacy policies of any third-party services they access.
6. COOKIES AND OTHER TRACKING TECHNOLOGIES
Tartan collects information through the use of cookies and similar tracking technologies (including session cookies and web beacons). Tartan may use cookies and tracking technologies to facilitate and improve the Service, for Service administration and maintenance, to understand how the Service is used, and to monitor the Service's performance. Cookies and tracking technologies can help us gather information such as your IP address, device type, browser type, and usage activity. The Tartan Service only uses those tracking technologies that are necessary to facilitate normal operations. These include tracking technologies necessary to administer user sessions and for system maintenance and to improve Tartan services. Tartan may also use tracking and analytics technologies on Tartan's public website and for Tartan marketing purposes. These tracking and analytics technologies are subject to their own privacy policies and may collect information about your online activity over time. Cookies and similar technologies can often be managed through your web browser. Please note that if you choose to disable certain cookies you may experience reduced functionality from certain parts of the Service.
7. ACCESSING, CORRECTING AND MANAGING YOUR PERSONAL DATA
Tartan allows individuals to access and correct or update their personal data in accordance with applicable law.
When you access the Service through an educational institution, if you wish to access your Student Data (or request correction or deletion of your Student Data), you should direct your request to the applicable educational institution. Tartan will assist the educational institution with your request in accordance with applicable law.
As for administrators and other individuals who are not students, you can contact Tartan using the information below to request access to or correction or deletion of your personal data in accordance with applicable law.
Tartan may not delete your personal data where required to comply with legal obligations, to enforce existing contracts, to investigate potential wrongdoing, or to protect the rights, safety and security of Tartan and its users.
8. DATA STORAGE AND RETENTION
Tartan may store and process personal data in jurisdictions where it or its service providers operate, subject to applicable legal and contractual requirements. Tartan implements appropriate safeguards to ensure that personal data is protected in accordance with applicable data protection laws.
Where the Service is provided to an educational institution, Student Data is stored and retained in accordance with the instructions of the educational institution and applicable contractual obligations. Tartan retains Student Data only for as long as necessary to provide the Service and will delete or return such data upon request from the educational institution or upon termination of the relevant services, in accordance with applicable agreements and legal requirements.
For administrators and other non-student users, personal data is retained only for as long as necessary to fulfill the purposes for which it was collected, including to provide the Service, comply with legal obligations, and resolve disputes. Individuals may request deletion of their personal data by contacting Tartan using the contact details provided below, subject to applicable legal limitations.
9. CHANGE OF OWNERSHIP OR BUSINESS TRANSITION
In the event of, or in preparation for, a change of ownership, control, or business transition of Tartan (including a merger, acquisition, reorganization, or sale of assets), personal data may be disclosed to or transferred to a successor entity, subject to appropriate confidentiality and data protection safeguards.
Where personal data includes Student Data provided by an educational institution, such data will remain subject to the same restrictions and protections set out in this Privacy Policy and any applicable agreements with the educational institution. Any successor entity will be required to continue to process such data in accordance with those obligations.
Tartan will take reasonable steps to ensure that any such transfer is carried out in a manner that protects the confidentiality and security of personal data.
10. SECURITY
Tartan implements appropriate technical, administrative, and organizational measures designed to protect personal data against unauthorized access, disclosure, alteration, or destruction. These safeguards include, but are not limited to, encryption of data in transit and at rest, role-based access controls, secure authentication mechanisms, and monitoring of systems for potential vulnerabilities and threats.
Access to personal data is limited to authorized personnel who require such access to perform their duties and who are subject to confidentiality obligations.
Tartan regularly reviews and updates its security practices to maintain the integrity, confidentiality, and availability of personal data, taking into account the nature of the data processed and applicable legal and contractual requirements.
11. COMMUNICATION PREFERENCES
In order to provide and administer the Service and for service-related announcements or to respond to your inquiries, Tartan may communicate with you through email, telephone, or other electronic communication methods.
You can change your communication preferences, or opt out of receiving certain non-service communications, by clicking on the unsubscribe link provided in such communications or by contacting Tartan. Communications that are required for the operation of the Service (including service updates, security alerts, and account notices) cannot be opted out of unless you cease use of the Service.
12. UPDATES
Tartan may revise this Privacy Policy as necessary to keep it up to date with changes in our practices or services, or to comply with applicable laws. When we do, we will post the updated Privacy Policy on our Website. If required by applicable law or under an agreement we have with you, we will notify you of material changes to this Privacy Policy by contacting the educational institution to which you belong. Your continued use of the Service after the effective date of a posted revision indicates your agreement to be bound by the revised Privacy Policy.
13. CONTACT US
If you have requests, questions or comments about the Privacy Policy or our data collection in general, please contact our Data Privacy Officer or our Privacy Team at [email protected] or at
Tartan App Inc.
150 King Street West
Suite 200
Toronto, ON
M5H 1J9