Compliance Addendum
Lummio Platform
This Compliance Addendum (“Addendum”) is incorporated by reference into Lummio’s Terms & Conditions. Defined terms in the Terms shall apply unless otherwise specified herein.
For purposes of this Compliance Addendum:
“Terms” means the Lummio Terms & Conditions for Licensed Use of the Lummio Platform, as amended or replaced from time to time.
“DPA” means the Lummio Data Privacy Addendum that supplements, and is incorporated by reference into, the Terms, including any updated or successor version.
1. FERPA (Family Educational Rights & Privacy Act)
Lummio acts as a “School Official with legitimate educational interests” as defined in FERPA (34 CFR § 99.31(a)(1)), and will use or re-disclose education records solely to provide the Services.
Lummio will use or re-disclose education records only as authorized by a written agreement with the Client or as otherwise permitted by FERPA and other applicable privacy laws.
Lummio maintains administrative, technical, and physical safeguards to protect education records from unauthorized access or disclosure.
2. COPPA (Children’s Online Privacy Protection Act)
Lummio does not collect or use personal information from children under 13 outside the scope of its Services, and only as authorized by the Client.
Where the Client is authorized under COPPA to provide consent on behalf of parents (such as in a school setting), Lummio relies on that consent and does not obtain it directly from parents or guardians.
Lummio does not permit third parties to collect data about minors using the Services for marketing purposes.
3. SOPPA (Illinois School Student Records Act)
Lummio processes student data only pursuant to a written agreement with the Client (including acceptance of the Terms) and never for the purpose of selling or commercializing such data.
Lummio affords the Client full control over student data access, correction, deletion, and retention, and complies with Client instructions on retention and destruction.
Data protections meet or exceed SOPPA’s security requirements and confidentiality expectations.
4. GDPR (General Data Protection Regulation)
If Processing occurs in the EU or for EU individuals, Lummio acts as a Processor and the Client acts as the Controller under GDPR.
Lummio processes data only under documented instructions, and offers the rights defined under GDPR (e.g., data access, correction, erasure) per the described DPA procedures.
Transfers of personal data from the EU are safeguarded via Standard Contractual Clauses or other lawful mechanisms, as described in the DPA.
5. Usage & Monitoring Practices
Lummio does not use student or guardian data for profiling, advertising, or cross‑site tracking outside what is strictly necessary to provide the Services.
Lummio may generate aggregated, de-identified usage data for product improvement or benchmarking, but never in a manner that identifies individual students, guardians, or the Client.
6. Security & Incident Management
Lummio maintains appropriate administrative, technical, and organizational safeguards to protect Client Data, consistent with industry-standard frameworks such as ISO 27001 or comparable standards.
Lummio will notify the Client of a confirmed breach in accordance with its obligations under the DPA.
7. Data Retention & Deletion
Lummio’s data retention and deletion practices are governed by its Terms and DPA, and are designed to meet applicable legal obligations under laws such as FERPA, SOPPA, and GDPR.