Privacy Shield

MYLIO PRIVACY SHIELD

This Privacy Shield Policy (“Policy”) describes how Mylio collects, uses, and discloses certain data about an identified or identifiable individual that we receive in the United States (“U.S.”) from the European Economic Area (“EEA Personal Data”) and Switzerland (“Swiss Personal Data”). In this Policy, countries that are members of the European Economic Area are collectively referred to as the “EU”. This Policy supplements the Mylio Privacy Policy located here, and unless specifically defined in this Policy, the terms in this Policy have the same meaning as in the Mylio Privacy Policy.

Mylio complies with the EU-U.S Privacy Shield Framework and the Swiss-U.S. Privacy Shield as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information received from the European Union and Switzerland. Mylio and its affiliates have certified that they adhere to the Privacy Shield principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse, enforcement and liability (“Principles”). If there is any conflict between the policies in this Statement and the Privacy Shield Principles, the Principles shall govern. To learn more about Privacy Shield, please visit the U.S. Department of Commerce Privacy Shield website: https://www.privacyshield.gov/. To review Mylio’s Privacy Shield certification, see the U.S. Department of Commerce’s list of Privacy Shield certified companies located at https://www.privacyshield.gov/list

PURPOSE

The purpose of this Mylio Privacy Shield Statement (“Statement”) is to outline how we comply with the Principles with respect to the personal information we collect. If you would like to obtain additional information regarding our privacy practices in connection with information collected on this website in general, please refer to our Privacy Policy. If there is any conflict between this Statement and the Privacy Policy, this Statement shall prevail.

SCOPE

This Statement applies to any personal information received by Mylio and its affiliates from the European Union or Switzerland in reliance on Privacy Shield.

MYLIO DATA PROCESSING ACTIVITIES

Mylio at times acts as a data processor or a data controller when processing personal data transferred from the EU or Switzerland, depending on the Mylio product or service. Though the types of data Mylio collects and processes may vary depending on the product and our customers’ preferences, data we collect typically includes personal information relating to students and other end users of our products and services and schools/organizations, billing and payments information, web browsing behavior and other information relating to a user’s device used to access the services, and other information as described in our Privacy Policy. Mylio processes this data for the purpose of providing our business and consumer services; billing and payments; customer service and product support; communications and marketing; analytics to inform and improve our services; other internal purposes.

PRINCIPLES

  1. Notice. We will provide individuals with notice of our data collection and processing practices in our Privacy Policy, describing what personal information we collect, the purpose and use of personal information, the categories of third parties with whom we may share such information (and the purposes for which we do so), the individual’s right to access such information, the choices and means through which the individual may limit the use and disclosure of personal information, and other disclosures consistent with the Notice Principle.
  2. Data Transfer to Third Parties. Third Party Agents or Service Providers. We may transfer EU and/or Swiss Personal Data to our third party agents or service providers that perform functions on our behalf. Where required by the Privacy Shield, we enter into written agreements with those third party agents and service providers requiring them to provide the same level of protection that the Privacy Shield requires and limiting their use of the data to the specified services provided on our behalf. We take reasonable and appropriate steps (i) to ensure that third party agents and service providers process EU and/or Swiss Personal Data in accordance with our Privacy Shield obligations and (ii) to stop and remediate any unauthorized processing. Under certain circumstances, we may remain liable for the acts of our third party agents or service providers that perform services on our behalf for their handling of EU and/or Swiss Personal Data that we transfer to them.
  3. Security. We take reasonable and appropriate measures to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction. We have implemented appropriate physical, electronic and managerial procedures to help safeguard and secure personal information from loss, misuse, unauthorized access or disclosure, alteration or destruction.
  4. Data Integrity and Purpose Limitation. We will process personal information in a manner that is compatible with and relevant to the purpose for which it was collected or authorized by individuals. Where we receive personal information from an Institution, it shall be the Institution that determines those purposes. To the extent necessary for those purposes, we will take reasonable steps to ensure that personal information is accurate, complete, current and reliable for its intended use.
  5. Access. You may have the right to access the EU and/or Swiss Personal Data that we hold about you and to request that we correct, amend, or delete it if it is inaccurate or processed in violation of the Privacy Shield. These access rights may not apply in some cases, including where providing access is unreasonably burdensome or expensive under the circumstances or where it would violate the rights of someone other than the individual requesting access. If you would like to request access to, correction, amendment, or deletion of your EU and/or Swiss Personal Data, you can submit a written request to the contact information provided below. We may request specific information from you to confirm your identity. In some circumstances we may charge a reasonable fee for access to your information.
  6. Jurisdiction and Enforcement. As part of our participation in Privacy Shield, we are subject to the investigatory and enforcement powers of the US Federal Trade Commission.
  7. Lawful Requests. Under certain circumstances, we may be required to disclose your EU and/or Swiss Personal Data in response to valid requests by public authorities, including to meet national security or law enforcement requirements.
  8. Contact Mylio and RecourseIf you have any questions about this Statement or the information that we collect from you in reliance on Privacy Shield, please contact us at privacy@mylio.com or write to:
    Legal Department
    Mylio Inc.
    10500 NE 8th Street, Suite 1050
    Bellevue, WA 98004 USA
    Phone: (425) 453-6704

    In the event that you are concerned about how personal information you have provided to Mylio has been used, please address your inquiry or complaint first to us at the address listed above. Mylio takes all concerns about privacy and use of personal information very seriously, and shall endeavor to reply to you within 45 days of receiving a complaint.

    If we fail to respond within that time, or if our response does not adequately address your concerns, you may submit your complaint free of charge to JAMS, Mylio’s designated Privacy Shield dispute resolution provider, using this link: https://www.jamsadr.com/file-an-eu-us-privacy-shield-or-safe-harbor-claim.

    There may also be circumstances when disputes can be resolved through the Privacy Shield binding arbitration process. Please see the Privacy Shield website for further information: 
https://www.privacyshield.gov/article?id=C-Pre-Arbitration-Requirements.

CHANGES TO THIS POLICY
We reserve the right to amend this Policy from time to time consistent with the Privacy Shield’s requirements.

This statement is effective on May 25, 2018