Effective Date: February 7, 2025
This Privacy Policy describes how Circlio ("Company," "we," "us," or "our") collects, uses, discloses, and protects your information when you use our school network platform ("Service"). We are committed to protecting your privacy and handling your personal information responsibly.
We do not knowingly collect: Social Security numbers, financial account numbers, government-issued identification numbers, health or medical information, biometric data, or precise geolocation data.
We use your information for the following purposes:
We do not use your personal information for automated decision-making or profiling that produces legal effects or similarly significant effects on you.
If you are located in the European Economic Area (EEA) or United Kingdom (UK), we process your personal data under the following lawful bases:
We do not sell your personal information. We may share your information in the following limited circumstances:
We share information when you explicitly consent or direct us to do so.
Content you post publicly (posts, comments, profile information you choose to make public) may be visible to other users of the Service. You control your profile visibility through your privacy settings.
We share information with third-party service providers who process data on our behalf and are contractually obligated to protect your information:
We may disclose information if we believe in good faith that disclosure is necessary to:
In the event of a merger, acquisition, bankruptcy, or asset sale, your information may be transferred as part of the business assets. We will notify you via email or prominent notice on the Service before your information becomes subject to a different privacy policy.
We may share aggregated, de-identified information that cannot reasonably be used to identify you for research, analysis, or other purposes.
We implement technical and organizational measures designed to protect your information, including:
While we strive to protect your information, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security, but we are committed to promptly addressing any security incidents.
Our Service integrates with third-party services that have their own privacy policies. We encourage you to review their policies:
We are not responsible for the privacy practices of third-party services. Our Service may also contain links to external websites that we do not control.
We retain your information only for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required by law:
| Data Type | Retention Period |
|---|---|
| Account data | Until account deletion, then retained for 90 days before permanent deletion |
| User content (posts, comments) | Until deleted by you or account deletion; removed from public view immediately, permanently deleted after the 90-day retention period |
| Direct messages | Upon account deletion, message content is immediately replaced with a deletion notice; sender attribution is permanently removed after the 90-day retention period |
| Server logs | 90 days |
| Analytics data | 24 months (aggregated and de-identified) |
| Security logs | 12 months |
| Backup copies | Up to 30 days after source data deletion |
When you delete your account, we immediately remove your profile, content, and data from public view. However, we retain your data in our systems for a period of 90 days before permanent deletion. During this retention period:
After the 90-day retention period, your data is permanently and irreversibly deleted from our systems, including all associated records across our database. Backup copies may persist for up to an additional 30 days.
We may retain information longer if required by law (e.g., for tax, legal, or regulatory purposes) or to resolve disputes and enforce our agreements.
Regardless of your location, we provide all users with the following rights:
If you are in the EEA or UK, you may also have the right to: restrict or object to processing, withdraw consent, lodge a complaint with a supervisory authority, and request erasure under applicable law. Contact us at zhangj1@wharton.upenn.edu to exercise these rights.
We will respond to verified requests within 30 days (or within the time frame required by applicable law). We will not discriminate against you for exercising any of these rights.
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
In the preceding 12 months, we have collected the following categories of personal information: identifiers (name, email, username, IP address); internet activity (usage data, browsing history within our Service); geolocation data (approximate location from IP address); and inferences drawn from the above categories.
To exercise your rights, email zhangj1@wharton.upenn.edu with the subject line "CCPA Request." We will verify your identity before processing your request.
Residents of certain states (including Virginia, Colorado, Connecticut, Utah, Oregon, Texas, and others with comprehensive privacy laws) may have additional rights, including the right to access, correct, delete, and port their personal data, as well as the right to opt out of targeted advertising and profiling.
To exercise rights under your state's privacy law, contact us at zhangj1@wharton.upenn.edu. If your request is denied, you may have the right to appeal. We will provide instructions for appeal in our response.
Your information may be transferred to and processed in the United States and other countries where our service providers operate. These countries may have different data protection laws than your country of residence.
When we transfer personal data internationally, we implement appropriate safeguards, including standard contractual clauses approved by relevant authorities, to ensure your information receives an adequate level of protection.
Our Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. Users between 13 and 18 must have parental or guardian consent to use the Service.
If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us immediately at zhangj1@wharton.upenn.edu. If we discover we have collected personal information from a child under 13 without verified parental consent, we will promptly delete such information and terminate the associated account.
We do not knowingly sell or share the personal information of users under 16 years of age.
Circlio does not sell your personal information to third parties. We do not share your personal information with third parties for cross-context behavioral advertising purposes.
We honor Global Privacy Control (GPC) signals and Do Not Track (DNT) browser signals as valid opt-out requests where required by applicable law.
If you believe your information has been sold or shared in violation of this policy, contact us at zhangj1@wharton.upenn.edu.
In the event of a data breach that affects your personal information, we will:
We may update this Privacy Policy from time to time. When we make changes, we will:
Your continued use of the Service after the effective date of any changes constitutes acceptance of the revised policy. If you do not agree with the changes, you should stop using the Service.
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
Privacy inquiries: zhangj1@wharton.upenn.edu
General support: zhangj1@wharton.upenn.edu
CCPA / state privacy requests: zhangj1@wharton.upenn.edu (subject line: "Privacy Rights Request")
We will respond to your inquiry within thirty (30) days or within the time frame required by applicable law. We may need to verify your identity before processing certain requests.