WHAT INFORMATION DO WE COLLECT?
Depending on how you use our App and our website, we might collect the following kinds of information about you:
- As a customer, prospective customer, or user of our Site, we may collect information such as your name, email address, phone number, school name, grades, country and information about the age of the children.
- We may also collect details of other interactions that you have with us, together with any other information that you choose to provide us with, for example, through your interactions with our customer and technical support teams.
- Registrants who do not give this consent (or do not have this consent provided on their behalf) cannot provide us with their personal information and cannot use the Site. You can however withdraw your consent at any time.
- We do not, however, collect any unnecessary personal information from Registrants.
- It is impractical in most circumstances for you to remain anonymous, and we may not be able to interact with you, provide access to the Site, or answer your enquiry if we are not able to identify you or collect your personal information.
- attend live and/or online classes or other educational events during which image/voice is captured by photography and/or video or sound recording on our Platform(s) or Partner Platform(s).
Personal Data means any information that is recorded, electronically or otherwise, that can be used alone or in combination with other information to identify a natural person or reflect the activity of an identifiable natural person including without limitation: contact information, name, image, voice, email address, contact number, technical data; contact details of children, parents, guardians, teachers; identity data (gender, date of birth, age, interests, reasons for participation, preferences, geographical location); communication (messages between users, discussions, comments to posts, notifications); user profile data including course material (assessments, assessment results and grades); user calendar entries and event data; user-generated documents, presentations, images, homework and tasks; Platform(s) usage (including browsing behavior / activities); sensitive data such as physiological data in images or video or sound recordings captured by photography, video and/or sound recordings at our events; and other Personal Data users provide to us.
Partner Platform means schools we have partnered with and Partner user means a Partner(s)’ employees (including teachers, administrators, lecturers, mentors and others), a Partner(s)’ other employees and contractors, and any other user authorised by the Partner who transmits Personal Data via the Partner Platform, including children, parents or guardians.
HOW DO WE USE THIS INFORMATION AND WHAT IS THE LEGAL BASIS FOR ITS USE?
We process Personal Data for the following purposes and under the following legal bases (where applicable under relevant laws):
To operate our business and pursue legitimate interests, in particular:
– To perform our agreements to provide services to users on the COTHM Platform(s) by providing educational materials, templates, and reports, animating and digitizing content, enhancing the user experience of our services, improving educational materials, content and learning outcomes using feedback from users and intelligence we generate from user behaviours, the consequences of those actions and observed learning patterns (Derivative Data) in order to deliver personalized lesson plans and reports on our Platform(s) and to do so in certain instances automated decisions are taken;
– To monitor the use of COTHM Platform, our services (both online and offline) and employ user information to help us monitor, improve and protect our products, content and services on COTHM Platform(s) or Partner Platform(s) (both online and offline);
– To analyze trends, usage, and user behavior and to predict behaviours (whether on an individualized, anonymized or aggregated basis), to help us better understand how individual users and our collective user base access the use of content and services, on the COTHM Platform when necessary for performing our contracts to:
- improve our services;
- respond to user requests, feedback and preferences;
- provide reports on learning outcomes and performance of users;
- measure the effectiveness of our content and/or content provided and the animation of that content;
- measure the effectiveness of our analysis and feedback to users from Derivative Data that we generate from the behaviour patterns, learning outcomes and performance of users and course or content patterns and layout;
- measure the effectiveness of live and virtual classes and other educational events;
- conduct marketing demonstrations targeted at potential partners (on an aggregated and anonymized basis only);
- assess and recruit candidates for open positions with COTHM;
- manage third-party developers that we have engaged; and
- crowdsource data analytics and hackathon activities (on an aggregated and anonymized basis only) and any data captured in AB testing for personalisation of our services to users.
When users give us consent (if required) by opt-in:
– To provide direct marketing communications about products, services, events, offers or promotions under the categories stated below, provided by: (a) us or, (b) Partners, and (c) other third-party providers. Such marketing communications may be in various forms, including advertisements, special events notifications or newsletters, and delivered via various methods (in accordance with the consent for use of Personal Data that you provide to us), such as by email, SMS, WhatsApp, smartphone app push notifications, notifications on your social media pages, completion of Google forms, in-app messaging or postal mail.
Such marketing communications may market or offer products or services (including special events and promotions) in the following categories: educational services, social networking services, payment services, online advertising services, other e-commerce, information and communications and services and other products and services related to any of the foregoing, which we think may be relevant to users and/or Partners based on information provided to us (for instance, via user participation in our user surveys); and
– To allow users to register for our services and participate in our trials, tests, demonstrations, events, courses and promotions, including verifying their identity at those events and promotions.
For purposes which are required by law:
– In response to requests by government or law enforcement authorities investigating.
RELYING ON LEGITIMATE INTERESTS
We have assessed all the data processing activities described above in order to weigh up any privacy implications against our legitimate business interests. Users can obtain information on any of our assessments by contacting us using the details set out in the section Security Measures.
INFORMATION COLLECTED FROM CHILDREN/YOUNG PERSON
We will only collect personal data from users under the age of 20 with the consent of the parent/guardian of that user.
The Platforms, websites and mobile applications can be accessed by minors below the age of 20 only with the consent of parents/guardians, and by further usage users are acknowledging that they have guardian/parental consent.
Please note that if we are made aware that we have collected Personal Data from anyone under the age of 20 without verification of guardian/parental consent, we will take steps to remove that information from our servers within 24 hours.
WITHDRAWING CONSENT OR OTHERWISE OBJECTING TO DIRECT MARKETING
Wherever we require the user or Partner’s consent under applicable law, the user or Partner will always be able to withdraw any consent provided to us. We shall cease to use or process Personal Data for the purpose in respect of which the user or Partner has withdrawn their consent, but we may still use, process, store and transfer such data for other purposes, such as those set out above, to the extent allowed under applicable laws. Irrespective of the legal basis on which we rely to send direct marketing, users and Partners have an absolute right to opt-out of direct marketing or profiling we carry out for direct marketing, at any time. They can do this by contacting us using the details on the contact us page on the website.
WHO WILL WE SHARE USER DATA WITH, WHERE AND WHEN?
We may share user data with the related Partner Platforms of COTHM located within or outside the jurisdiction of operation of the Platform(s) for the purposes set out in the How do we use this information, and what is the legal basis for this use? section above. However, where required under applicable law, we will not provide such Personal Data to any related Partners of COTHM in order for them to send you direct marketing communications regarding their products and services unless we obtain your prior consent.
Personal Data may be shared with government authorities and/or law enforcement officials if required for the purposes set out in the How do we use this information, and what is the legal basis for this use? section above, if mandated by law or if required for the legal protection of our legitimate interests in compliance with applicable laws.
- E-mail/SMS/MMS/WeChat/WhatsApp blasting service providers;
- Data storage and cloud service providers (for storage of Personal Data and hosting of applications that process Personal Data for the purposes identified in this policy);
- Google, Facebook, Instagram, LinkedIn and other networks (for matching Personal Data with their database in order to send users our direct marketing materials through their Google, Facebook and/or LinkedIn account(s));
- Data analytics, AB testing, hackathon service providers and agencies (for the purposes stated in the section above How do we use this information, and what is the legal basis for this use?).
Derivative Data collected on the Platform(s) or Partner Platform(s) and stored separately from Personal Data will be used to generate intelligence delivered as part of our services.
WHAT RIGHTS DO USERS HAVE?
Where permitted by law, users of the Platform(s) have the right to ask us for a copy of their Personal Data; to correct, delete or restrict (stop any active) processing of their Personal Data; and to obtain their Personal Data in a structured, machine-readable format, and to ask us to share (port) this data to another controller.
HOW TO GET IN TOUCH WITH US
We hope that we can satisfy queries users of the Platform(s) may have about the way we process data. If users have any concerns about how we process data or would like to opt-out of direct marketing or request access to or correct their Personal Data, they can get in touch by (a) contacting our Data Privacy Officer (DPO) at support@COTHM.pk
WHO IS THE DATA CONTROLLER / DATA USER
The data controller/data user in respect of the Personal Data of users of the COTHM Platform(s) is COTHM. The contact details for the respective privacy officers can be found in the section above How to get in touch with us. The data controller/data user of any Personal Data collected on a Partner Platform(s) is the Partner and we may also act as a joint controller with our Partner(s) and/or process user data as a data processor on behalf of the Partner to provide services on Partner Platform(s) subject to our User Policy.
HOW LONG WILL WE KEEP USER DATA?
Where we process registration data, we will retain your data for a minimum of 7 years or for as long as needed for the purpose of collection or as long as users are active on COTHM Platform(s) or Partner Platform(s) and provided it is required for business and legitimate interests or legal requirement.
Where we process data in connection with a Partnership Agreement and Data Processor Agreement, we do not keep users’ Personal Data if they are no longer registered users on the Partner’s Platform(s) or if we are no longer in partnership with that Partner. An identifier via controlled encryption key to user Personal Data in Derivative Data (which we will retain) will be broken to protect the privacy of users’ Personal Data if they are no longer a user on the Partner Platform(s) or we are no longer in partnership with that Partner.
Where we process Personal Data for marketing purposes or with user consent, we process the data for as long as we have the user’s valid consent, or until the user asks us to stop and for a short period after this (to allow us to implement their requests). We also keep a record of the fact that the user has asked us not to send them direct marketing or to process their data so that we can respect their request in the future.
Can Users Deactivate their accounts at any point?
Yes, if any user wants to deactivate their account they can inform their school administration or they can simply fill in the form on this link: https://COTHM.pk/account-deletion/
Derivative Data is aggregated data collected by COTHM from operational data collected on its Platform(s) or Partner Platform(s) from user behaviours in respect of the Platform(s) and/or content held on the Platform(s). It is used in an anonymized form to deliver and improve services on the Platform(s) and may be sold or licensed to other third parties. COTHM owns and will retain all right title and interests in or to any Derivative Data in anonymized form.
We will keep the images captured by our analytics cameras or cameras operated by our Partners only for as long as the retention of such images is necessary for the authorized purposes detailed in How do we use this information, and what is the legal basis for this use? Section above.
APPLICABLE LOCAL LAWS FROM PAKISTAN:
THE PREVENTION OF ELECTRONIC CRIMES ACT, 2016 (PECA)
WHAT RIGHTS DO USERS HAVE?
Right to privacy of Identity Information
User’s Identity Information i.e., information which may authenticate or identify an individual or an information system and enable access to any data or information system, cannot be obtained, sold, transmitted, or used without the user’s authorization.
Users have the right to apply to the local regulatory body for securing, destroying, blocking access, or preventing transmission of their Identity Information.
The relevant local regulatory body is the Pakistan Telecommunication Authority established under the Pakistan Telecommunication (Re-organization) Act 1996.
WHAT RIGHTS DO USERS HAVE?
Users have the right to access personal data we hold about them, to rectify any personal data held about them that is inaccurate, to request the deletion of personal data held about them, and the right to request the suspension of the processing of their personal data. Users can exercise such rights by contacting us at support@COTHM.pk
HOW LONG WILL WE KEEP USER DATA?
We immediately destroy relevant personal data after the purpose of collection and use is achieved. However, if applicable laws and regulations require us to retain the data, we will store it for a certain period prescribed in the applicable laws and regulations. In this case, we will transfer the relevant data to a separate database or other storage place.
- Records on contract or subscription withdrawal: 5 years (Act on the Consumer Protection in Electronic Commerce, Etc.)
- Records on price settlement and supply of goods: 5 years (Act on the Consumer Protection in Electronic Commerce, Etc.)
- Records on consumer complaint or dispute settlement: 3 years (Act on the Consumer Protection in Electronic Commerce, Etc.)
- Records on collection/processing and use of credit information: 3 years (Use and Protection of Credit Information Act)
- Records on labelling/advertising: 6 months (Act on the Consumer Protection in Electronic Commerce, Etc.)
- User’s internet log records/user’s access point tracking data: 3 months (Protection of Communications Secrets Act)
- Other data verifying communication facts: 12 months (Protection of Communications Secrets Act)
We destroy user Personal Data in a manner that renders it unrestorable by the relevant department after the purpose of collection and use of the personal data is achieved.
We or our Partners may take photographs and/or video recordings of users in live classes and make recordings of virtual classes or other school events for authorized purposes detailed in HOW DO WE USE THIS INFORMATION, AND WHAT IS THE LEGAL BASIS FOR THIS USE? Section above. In such case, we will obtain your consent before collecting and/or processing this data. We do not permit unauthorised photography, sound and/or video recording for any other commercial use, private gain, use in press or media, or for promotional purposes in live classes or recording of virtual classes or other school events.
We rely on public cloud providers to offer services on our Platform(s), including AWS. This list will be updated on our website as new service providers are engaged to deliver our services.
COTHM has implemented the security measures set out below in accordance with industry standards to protect personal information. COTHM may update or modify such security measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the services.
The COTHM management team has been actively involved in developing an information security culture within and has a management structure in place to manage the implementation of information security in its services with clear roles and responsibilities within the organization.
Multiple industry best-practice processes and policies exist to ensure the best possible confidentiality, availability and integrity of the platform. These policies are built around strict requirements in a number of areas, such as:
- Information security
- Hosting environment security
- Third party access
- Capacity control
- Change management
- Backup and recovery
- Access control
- Logging and monitoring
- Incident response
- Release management
Information Security team
COTHM has a team of Information security experts who are responsible for the overall information security of the organization. Their role includes responsibility for:
- Coordinating security-related tasks
- Securing corporate environment, network and devices
- Security of the application (in-house penetration testing and application audits)
- Monitoring and logging
- Process and policy management (disaster recovery, patch management etc.)
- Training and education of employees, in the field of information security
- Coordinating third-party security audits, and following up on any findings
- Reviewing code for potential security vulnerabilities.
Roles and responsibilities
All employees have clear roles within the company and are only given access to data required for their specific roles. A number of employees have administrative access to our production environment and their rights are strongly regulated and reviewed at set intervals. Any major change to the application, environment or hardware of the production environment is always verified by a minimum of two individuals.
All COTHM employees are required to enter into a strict confidentiality agreement. All staff are required to follow corporate policies regarding confidentiality, business ethics and professional standards. Staff involved in securing, handling and processing customer data are required to complete training appropriate for their role.
Strict requirements are in place for any employee, hired consultants or third party requesting access to COTHM information systems. Access control is controlled by an authentication system. The user is required to:
- Have management approval for the requested access
- Have strong passwords that are in accordance with the corporate password policy
- Change their password at regular intervals
- Document that the access requested is required for their specific role/task
- Ensure that the device (PC, tablet, cellphone) used is adequately secured, and locked when the user is absent.
Internal data access processes and policies are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process Personal Data. Any changes to data are logged to create an audit trail for accountability.
COTHM operates all its customer services from data centres separated from the corporate office workspace. Access to data centres is strictly controlled and protected to reduce the likelihood of unauthorized access, fire, flooding or other damage to the physical environment. Physical access to data centres in Pakistan is limited to a small number of employees within COTHM and/or its hosting centre providers. Strict security clearances are required and must be approved by security management prior to entering a data centre.
Technical measures – System availability
COTHM has implemented industry-standard measures to ensure that Personal Data is protected from accidental destruction or loss, including:
- infrastructure redundancy (including full network, power, cooling, database, server and storage redundancy)
- backup is stored at an alternative site and available for restoration in case of failure of the primary system.
- appropriate denial-of-service protection
- 365/24/7 personnel on duty to monitor and troubleshoot
COTHM has implemented a series of industry-standard measures to prevent Personal Data from being read, copied, altered or deleted by unauthorized parties during transport or at rest. This is accomplished by various industry-standard measures including:
- Use of layered firewalls, VPNs and encryption technologies to protect gateways and pipelines
- HTTPS encryption (also referred to as SSL or TLS connection) with secure cryptographic keys
- Remote access to data centres is protected with a number of layers of network security
- Particular sensitive customer data at rest is protected by encryption and/or hashing (pseudonymisation)
- Every decommissioned disk is subject to a disk erasure process according to our “Disk erase policy”, and decommissioning is logged by disk serial number
- Regular third-party security audits (minimum annually), including penetration testing, that is made available to partners
COTHM uses only state-of-the-art data centres, with 365/24/7 on-site security and monitoring operations. The data centres are housed in modern fire-resistant facilities that require electronic keycard access, with alarms that are linked to the on-site security operation. Only authorized employees and contractors are permitted to request electronic keycard access to these facilities.
COTHM’s Platform(s) is based on industry standard technologies from well-known vendors, including Microsoft, Linux, Dell, Fujitsu, Amazon, Cloudflare, F5 and Cisco. Systems are periodically patched to the latest version to ensure that the latest security enhancements are applied. The platform is in general updated several times per quarter, and bug fixes are released swiftly based on priority, following rigorous quality checks.
COTHM has measures in place to minimize the risk of introducing code in its platform that can degrade the security or integrity of the customer services and Personal Data processed. Measures include:
- Regular training of staff
- Code review by security architects
- QA process for rigorous testing of changes prior to deployment
When onboarding sub-processors, COTHM performs an audit of the security and privacy practices of sub-processors to ensure sub-processors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. COTHM performs regular security audits of the practices and delivery for existing sub-processors.
USER PRIVACY INFORMATION
COTHM is committed to keeping its users’ Personal Data safe.
- We do not own, control or process our users’ data independently. All Personal Data is controlled by the Partner. We do not determine the purpose or lawfulness of how user data is processed by our Partner and we are not responsible for the privacy practices of any Partner Platform(s).
- We and our Partners will only collect Personal Data of users under the age of 20 with the consent of their parent/guardian.
- We never transfer Personal Data to anyone including third parties without written instruction from our Partners. Users are advised to contact the Partner if they have questions about their Personal Data.
- We do not sell or try to make money out of our Partner’s users’ Personal Data. We do not build profiles using our users’ data for our own purposes other than Derivative Data.
- We delete Personal Data promptly when instructed by our Partners.
- We and our Partners are both responsible for keeping users’ Personal Data safe. We employ physical, technical, and organizational measures as part of our security procedures. You can read about the security measures we take to keep our users’ data safe on the COTHM SECURITY MEASURES
- We never let our third-party service providers or sub-processors process Personal Data unless it is approved by the Partner. Sub-processors are legally bound to protect our users’ privacy in the same manner as we are.
- In case of a data breach that could affect our Partners, we will always inform our Partners about this as soon as we become aware of it.
- Our users might have a right to be informed in detail about what their Personal Data is used for and what their legal rights are. Users are advised to contact the Partner Platform(s) that they are registered for to find out more about this.
We use the following categories of cookies on our Platform(s):
Category 1: Strictly Necessary Cookies
These cookies are essential to enable you to move around the Platform(s) and use its features, such as accessing secure areas of the Platform(s) or areas with paid-for content. Without these cookies, certain services cannot be provided. As cookies are essential for using the Platform(s), these cookies cannot be turned off without severely affecting your use of the Platform(s).
Category 2: Performance Cookies
These cookies collect anonymous information on how people use our Platform(s). For example, we use Google Analytics cookies to help us understand how customers arrive at our Platform(s), browse or use our Platform(s) and highlight areas where we can improve our Platform(s) such as navigation, and use of course materials. The data stored by these cookies never shows personal details from which your individual identity can be established.
Category 3: Functional Cookies
These cookies remember choices you make such as the country you visit Platform(s) from, language and search parameters. These can then be used to provide you with an experience more appropriate to your selections and to make the visits more tailored and pleasant. The information these cookies collect may be anonymised and they cannot track your browsing activity on other websites.
Category 4: Targeting cookies or advertising cookies
These cookies collect information about your browsing habits in order to make advertising more relevant to you and your interests. They are also used to limit the number of times you see an advert as well as help measure the effectiveness of an advertising campaign. The cookies are usually placed by third-party advertising networks. They remember the websites you visit and that information is shared with other parties such as advertisers.
Category 5: Social Media Cookies
These cookies allow you to share what you have been doing on the platform(s) on social media such as Facebook and Twitter. These cookies are not within our control. Please refer to the respective privacy policies for how their cookies work.
HOW TO VIEW YOUR COOKIE SETTINGS AND CHANGE THEM?
If you want to delete any cookies that are already on your device, please refer to the help and support area on your internet browser for instructions on how to locate the file or directory that stores cookies.
Please refer to the useful links below for your browser:
Internet Explorer: https://support.microsoft.com/en-gb/help/17442/
Please note that by deleting our cookies or disabling future cookies you may not be able to access certain areas or features of our Platform(s).
OTHER USEFUL LINKS
You can also learn more about cookies in general by visiting www.allaboutcookies.org which includes additional, useful information on cookies and how to block cookies using different types of browsers.