Effective date: January 4, 2018
Thanks for entrusting NaviGate Prepared with your district information.
Holding onto your private information is a serious responsibility, and we want you to know how we’re handling it.
The short version
We collect your information only with your consent; we only collect the minimum amount of district and personal
information that is necessary to fulfill the purpose of your interaction with us; we don’t sell it to third parties; and we
only use it as this Privacy Statement describes.
Of course, the short version doesn’t tell you everything, so please read on for more details!
Terms we use
NaviGate Prepared (“NaviGate Prepared,” “we,” or “us”) understands that privacy is tremendously important to our
online visitors to our website (“Website Visitors”), to schools who use our Service (“Schools”), and to students whose
information we may access on behalf of a School (“Students”). NaviGate Prepared provides a platform that enables
Schools to securely store information related to school safety and pull student, staff, and class information for
accountability and reunification. Schools, as described below, can decide what User Personal Information, Student
Data, and School Data (“Data”) is stored and if Data is integrated with NaviGate Prepared, and Schools can control
the steps we take to protect your Data.
What information NaviGate Prepared collects and why
Information from website browsers:
If you’re just browsing the website, we collect the same basic information that most websites collect. We use common
internet technologies, such as cookies and web server logs. This is stuff we collect from everybody, whether they
have an account or not. The information we collect about all visitors to our website includes the visitor’s browser type,
language preference, referring site, additional websites requested, and the date and time of each visitor request. We
also collect potentially personally-identifying information like Internet Protocol (IP) addresses.
Why do we collect this?
We collect this information to better understand how our website visitors use NaviGate Prepared, and to monitor
and protect the security of the website.
Information from users with accounts:
If you create an account, we require some basic information at the time of account creation. You will create your own
user name and password, and we will ask you for a valid email account. You also have the option to give us more
information if you want to, and this may include “User Personal Information.”
“User Personal Information” is any information about one of our users which could, alone or together with other
information, personally identify him or her. Information such as a user name and password, an email address, a
phone number, a real name, and a photograph are examples of “User Personal Information.”
User Personal Information does not include aggregated, non-personally identifying information. We may use
aggregated, non-personally identifying information to operate, improve, and optimize our website and service.
Why do we collect this?
We need your User Personal Information to create your account, and to provide the services you request.
We use your User Personal Information, specifically your user name, to identify you on NaviGate Prepared.
We use it to fill out your profile, and other users in your district can view your User Personal Information if used by
your district in modules such as, but not limited to, Call Lists.
We will use your email address to communicate with you, if you’ve said that’s okay, and only for the reasons
you’ve said that’s okay. Please see our section on email communication for more information.
We limit our use of your User Personal Information to the purposes listed in this Privacy Statement. If we need to
use your User Personal Information for other purposes, we will ask your permission first.
Information about Schools:
We ask for certain information when a School administrator registers a School with NaviGate Prepared, or if an
administrator corresponds with us online, including their name, school name, school district, school email address
and/or account name and password, phone number, message content, and information relating to the School’s
We may also retain information provided by a School if the School sends us a message, posts content to our website
or through our Service, or responds to emails or surveys. Once a School begins using NaviGate Prepared, we will
collect content and information provided by the School through the School’s use of the Service and we will keep
records of activities related to the Service.
Why do we collect this?
We use this information to operate, maintain, and provide the features and functionality of the Service, to
analyze and improve our Service offerings and functionality, and to communicate with our Schools and website
NaviGate Prepared treats Student Data as confidential, and does not use it for any purpose other than to provide
services on the School’s behalf, in accordance with NaviGate Prepared’s contractual arrangement with the School.
NaviGate Prepared relies on each school to provide appropriate notice to parents of the School’s use of third-party
service providers such as NaviGate Prepared, and, where necessary, to obtain consent and authorization for
NaviGate Prepared to receive Student Data, as permitted by the Children’s Online Privacy Protection Act (COPPA).
Through the course of providing its Service to a School, NaviGate Prepared may have access to personally
identifiable information about students (“Student Data”) that is provided by the School. NaviGate Prepared has
access to Student Data only as requested by the School and only for the purposes of performing Services on the
School’s behalf. The type of Student Data we collect is name, gender, date of birth, grade, school, class list, and
emergency contact information. NaviGate Prepared receives Student Data only from the School and never interacts
with the Student directly.
Why do we collect this?
Certain modules in NaviGate Prepared allow staff to account for students during a drill or emergency as conducted
by the School. To better account for students by name, NaviGate Prepared filters students by class, teacher,
grade, and age.
Student Data is never stored on a user’s mobile device. It is displayed, used, and destroyed as soon as the user
changes screens or the alarm is ended. Each user only receives Student Data as it is needed and applies to them,
and is necessary for them to fully account for students in their role.
NaviGate Prepared only collects information through the School from a child under the age of 13 where the Student’s
School, school district, and/or teacher has agreed through a Services Agreement and/or Terms and Conditions, to
obtain parental consent. If you have questions, please contact the School about the School’s use of technology
service providers such as NaviGate Prepared.
What information NaviGate Prepared does not collect
We do not intentionally collect sensitive personal information, such as social security numbers, genetic data, health
information, or religious information. Although NaviGate Prepared does not request or intentionally collect any
sensitive personal information, we realize that you might store this kind of information in your account, such as in a
note or document. If you store any sensitive personal information on our servers, you are consenting to our storage of
that information on our servers, which are in the United States.
No child under the age of 13 may have an account in NaviGate Prepared. NaviGate Prepared does not knowingly
collect information from or direct any of our content specifically to children under 13. If we learn or have reason to
suspect that you have users who are under the age of 13, we will unfortunately have to disable those users or close
your account. Please contact us at firstname.lastname@example.org if you believe that NaviGate Prepared has inadvertently
collected information of a child under the age of 13 without proper consent, so that we may delete such data as
promptly as possible.
How we share the information we collect
We do not share, sell, rent, or trade Data with third parties for their commercial purposes.
We do not disclose Data outside NaviGate Prepared, except in the situations listed in this section or in the section
below on Compelled Disclosure.
We do compile certain aggregated and/or anonymous information that does not reasonably allow for the identification
of any individual or School about how our users, collectively, use NaviGate Prepared, or how our users respond to
our other offerings, such as our conferences or events. For example, we may compile statistics on how many
flipcharts have been created in a given region. From such information, all direct and indirect identifiers will be
removed, and these include, but are not limited to, ID numbers, demographic information, location information, and
School ID. Moreover, we do not sell this information to advertisers or marketers.
We do not host advertising on NaviGate Prepared. We may occasionally embed content from third party sites, such
as YouTube, and that content may include ads. While we try to minimize the amount of ads our embedded content
contains, we can’t always control what third parties show.
We may share Data with your permission, so we can perform services you have requested.
We may share User Personal Information (not Student data) with a limited number of third-party vendors who process
it on our behalf to provide or improve our service, and who have agreed to privacy restrictions similar to our own
Privacy Statement. Our vendors perform services such as training, payment processing, customer support ticketing,
network data transmission, and other similar services. When we transfer your data to our vendors, we remain
responsible for it.
We may share Data if we are involved in a merger, sale, or acquisition. If any such change of ownership happens, we
will ensure that it is under terms that preserve the confidentiality of your Data, and we will notify you on our website or
by email before any transfer of your Data. The organization receiving any Data will have to honor any promises we
have made in our Privacy Statement or in our Terms of Service.
similar technologies, like HTML5 local Storage) to keep you logged in, remember your preferences, and provide
information for future development of NaviGate Prepared.
A cookie is a small piece of text that our web server stores on your computer or mobile device, which your browser
sends to us when you return to our site. Cookies do not necessarily identify you if you are merely visiting NaviGate
Prepared; however, a cookie may store a unique identifier for each logged in user. The cookies NaviGate Prepared
sets are essential for the operation of the website, or are used for performance or functionality. By using our website,
you agree that we can place these types of cookies on your computer or device. If you disable your browser or
device’s ability to accept cookies, you will not be able to log in or use NaviGate Prepared’s services.
NaviGate Prepared does not allow third-party advertising networks to collect information about your use of the website and service for purposes of serving targeted advertising, and we will never use Student Data for targeted
advertising. Certain pages on our site may set other third party cookies. For example, we may embed content, such
as videos, from another site that sets a cookie. While we try to minimize these third party cookies, we can’t always
control what cookies this third party content sets.
How NaviGate Prepared secures your information
NaviGate Prepared takes all measures reasonably necessary to protect Data from unauthorized access, alteration, or
destruction; maintain data accuracy; and help ensure the appropriate use of Data. We follow generally accepted
industry standards to protect the Data submitted to us, both during transmission and once we receive it.
No method of transmission, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its
Our server environment is currently hosted by Amazon Web Services (“AWS”). We do not own or maintain the
physical implementation of our environment.
AWS provides detailed security information on the physical access of their facilities
System installation using hardened, patched OS with automatic security patches applied
VPCs in place to isolate our environment from any outside access
Amazon Virtual Private Cloud (Amazon VPC) allows us to configure subnet routes, public IP addresses,
security groups, and network access control lists in order to minimize application attack surfaces. Elastic Load
Balancing (ELB) load balancers and Amazon Elastic Compute Cloud (EC2) instance security groups are
configured to allow only traffic that originates from specific IP addresses, protecting backend application
components from a direct attack.
Security groups — Act as a firewall for associated EC2 instances, controlling both inbound and outbound traffic
at the instance level
Network access control lists (ACLs) — Act as a firewall for associated subnets, controlling both inbound and
outbound traffic at the subnet level
Flow logs — Capture information about the IP traffic going to and from network interfaces in our VPC
Elastic Load Balancing
Elastic Load Balancing (ELB) enables the automatic distribution of application traffic to several EC2 instances
across multiple Availability Zones, which minimizes the risk of overloading a single EC2 instance, helping to
mitigate DDoS attacks. ELB only supports valid TCP requests, so DDoS attacks such as UDP and SYN floods
are not able to reach EC2 instances. It also offers a single point of management and can serve as a line of
defense between the Internet and our backend, private EC2 instances.
All of our key servers have at least 2 identical copies running and are currently load balanced across two
different physical Availability Zones to combat any network or physical data center issues in one specific
physical location or one specific hardware or software failure
We have separate application, database, reporting, and event servers, as well as separate media and static
content. Decoupled applications prevent Internet access to critical system components, protecting them from
an attack and enabling our team to focus DDoS mitigation efforts on resources that are publicly accessible.
AWS handles the virtual host, storage, network, and database security inherent in their global infrastructure as
well as database server updates and security patching
System access logged and tracked for auditing purposes
The NaviGate Prepared login credentials cannot be used to access a shell or the filesystem. All users are virtual
and have no user account in our AWS structure or any specific EC2 instance
All private data exchanged with NaviGate Prepared is always transmitted over SSL (which is why your dashboard is
served over HTTPS, for instance).
All server maintenance is done over SSH authenticated with keys.
Login information is always sent over SSL. All passwords are filtered from all our logs and are one-way encrypted in
File system and backups:
Every line of code we store is saved on a minimum of three different servers, including an off-site backup.
All uploaded files are stored in S3 which keeps a minimum of 3 copies of every file for redundancy and carries a
99.999999999% durability. All files are stored with versioning allowing us to restore any files accidentally or
maliciously changed or deleted.
All information stored in the database is replicated between two servers in multiple availability zones. If the primary
database server has any hardware or software failure, the secondary instance immediately becomes available
with an identical copy of all data.
All database information has point-in-time recovery. We back up the database and transaction logs and store both
for 35 days. This allows us to restore data to any second during those 35 days, up to the last five minutes.
We do not encrypt storage on disk because it would not be any more secure: the website and NaviGate Prepared
back-end would need to decrypt the information on demand, slowing down response times. Any user with shell
access to the file system would have access to the decryption routine, thus negating any security it provides.
Therefore, we focus on making our machines and network as secure as possible.
No NaviGate Prepared employees ever access your Data unless required to for support or development reasons.
Support staff may sign into your account to access settings related to your support issue. In rare cases staff may
need to pull a clone of your Data to our secure test server if we are making updates that may impact your site.
Support staff does not have direct access to servers or file storage; they will need to log in and access your site
through the NaviGate Prepared interface, which is logged. When working a support issue we do our best to respect
your privacy as much as possible; we only access the files and settings needed to resolve your issue. All cloned Data
is deleted as soon as the support issue has been resolved.
Installing the NaviGate Prepared app \ required permissions
When downloading the NaviGate Prepared app from the Apple App Store or the Google Play Store, you may note
that certain permissions are required to install the app.
We need this permission to be able to store things onto the device.
We store a file with a special token onto the phone that allows you to stay logged in. Without that token, you would
have to log in to the app each time you opened it.
We also store a copy of your flipcharts and drill scenarios (for admins only) onto the device so that they are
accessible without an internet connection.
We do not access any other files, including your personal files and pictures, on the device.
We access the camera on the user account screen. We now allow staff to take their own picture from their phone
so it can be attached to their user card. That picture shows up on call lists inside NaviGate and is optional to use.
Because of the way we integrate sounds (like playing audio when an alarm is initiated) the microphone is included
automatically as part of that. We do not actually use the microphone in any way.
Device ID & Call Info:
We store a device ID with each user account so we know which user matches with each device. It allows us to
connect the correct information to the device and also troubleshoot if something is not working correctly.
We do not access anything about an active call or the remote phone number for any phone calls.
We use internet (network) in the app to pull and update data.
We have been working on a flashlight component, though it hasn’t been fully released as all phones haven’t
supported it. This would just be a toggle to turn on the flashlight if a user needed it quickly during an emergency.
We don’t automatically change your audio settings in any way.
In future updates we will use vibration for new messages and when an alarm is triggered.
If you have concerns about the way NaviGate Prepared is handling your Data, please let us know immediately. We
want to help. You may contact us by filling out the contact form. You may also email us directly
at email@example.com with the subject line “Privacy Concerns.” We will respond within 14 days at the latest.
How we respond to compelled disclosure
NaviGate Prepared may disclose personally-identifying information or other information we collect about you to law
enforcement in response to a valid subpoena, court order, warrant, or similar government order, or when we believe
in good faith that disclosure is reasonably necessary to protect our property or rights, or those of third parties or the
public at large.
In complying with court orders and similar legal processes, NaviGate Prepared strives for transparency. When
permitted, we will make a reasonable effort to notify users of any disclosure of their information, unless we are
prohibited by law or court order from doing so, or in rare, exigent circumstances.
How you can access and control the information we collect
If you’re already a NaviGate Prepared user, you may access, update, alter, or delete your basic user profile
information by editing your user profile or contacting NaviGate Prepared Support at .
Data Retention and Deletion:
NaviGate Prepared will retain Data for as long as your account is active or as needed to provide you services.
Following termination or deactivation of an account, NaviGate Prepared may retain profile information and content for
a commercially reasonable period of time to comply with legal obligations and for backup, archive, or audit purposes,
but all Student Data associated with the School will be promptly deleted.
If you would like to cancel your account or delete your Data, you may do so by contacting NaviGate Prepared Support
How we communicate with you
We will use your email address to communicate with you, if you’ve said that’s okay, and only for the reasons you’ve
said that’s okay. You have a lot of control over how your email address is used and shared on and through NaviGate
Prepared. You may manage your communication preferences on your User Card in NaviGate Prepared.
Depending on your email settings, NaviGate Prepared may occasionally send notification emails about new features,
requests for feedback, important policy changes, or offer customer support. We also send marketing emails, but only
with your consent. You can either unsubscribe from our emails using a link at the bottom of the email or by adjusting
your email settings on your user card.
Our emails might contain a pixel tag, which is a small, clear image that can tell us whether or not you have opened an
email and what your IP address is. We use this pixel tag to make our email more effective for you and to make sure
we’re not sending you unwanted email. If you prefer not to receive pixel tags, please opt out of marketing emails.
By providing your mobile phone number to NaviGate Prepared (or if you are part of a School, permitting the School to
provide your mobile phone number to NaviGate Prepared), you hereby expressly consent to our use of your mobile
phone number to call or send you SMS audio and text messages in connection with the Services, including through
the use of automatic telephone dialing systems or other automated communications technology. NaviGate Prepared
will not assess and charge for any calls or texts, but standard message charges or other charges from your wireless
carrier may apply.
To stop receiving SMS audio and text messages from the Services, you may remove your mobile phone number from
Changes to our Privacy Statement
Although most changes are likely to be minor, NaviGate Prepared may change our Privacy Statement from time to
time. We will provide notification to Users of material changes to this Privacy Statement through our Website at least
30 days prior to the change taking effect by posting a notice on our home page or sending email to the email address
specified in NaviGate Prepared as administrators. For changes to this Privacy Statement that do not affect your
rights, we encourage visitors to check this page frequently.
Contacting NaviGate Prepared
Questions regarding NaviGate Prepared’s Privacy Statement or information practices should be directed to
the contact form on our website or through email at .