Privacy Policy

Privacy Policy

Effective date: January 4, 2018

Thanks for entrusting NaviGate Prepared with your district information. Holding onto your private information is a serious responsibility, and we want you to know how we’re handling it.

The short version

We collect your information only with your consent; we only collect the minimum amount of district and personal information that is necessary to fulfill the purpose of your interaction with us; we don’t sell it to third parties; and we only use it as this Privacy Statement describes.

Of course, the short version doesn’t tell you everything, so please read on for more details!

Terms we use

NaviGate Prepared (“NaviGate Prepared,” “we,” or “us”) understands that privacy is tremendously important to our online visitors to our website (“Website Visitors”), to schools who use our Service (“Schools”), and to students whose information we may access on behalf of a School (“Students”). NaviGate Prepared provides a platform that enables Schools to securely store information related to school safety and pull student, staff, and class information for accountability and reunification. Schools, as described below, can decide what User Personal Information, Student Data, and School Data (“Data”) is stored and if Data is integrated with NaviGate Prepared, and Schools can control user access to that Data. This privacy policy applies to our NaviGate Prepared platform (our “Service”) and describes the steps we take to protect your Data.

What information NaviGate Prepared collects and why

Information from website browsers:

If you’re just browsing the website, we collect the same basic information that most websites collect. We use common internet technologies, such as cookies and web server logs. This is stuff we collect from everybody, whether they have an account or not. The information we collect about all visitors to our website includes the visitor’s browser type, language preference, referring site, additional websites requested, and the date and time of each visitor request. We also collect potentially personally-identifying information like Internet Protocol (IP) addresses.

Why do we collect this?

We collect this information to better understand how our website visitors use NaviGate Prepared, and to monitor and protect the security of the website.

Information from users with accounts:

If you create an account, we require some basic information at the time of account creation. You will create your own user name and password, and we will ask you for a valid email account. You also have the option to give us more information if you want to, and this may include “User Personal Information.”

“User Personal Information” is any information about one of our users which could, alone or together with other information, personally identify him or her. Information such as a user name and password, an email address, a phone number, a real name, and a photograph are examples of “User Personal Information.”

User Personal Information does not include aggregated, non-personally identifying information. We may use aggregated, non-personally identifying information to operate, improve, and optimize our website and service.

Why do we collect this?

We need your User Personal Information to create your account, and to provide the services you request.

We use your User Personal Information, specifically your user name, to identify you on NaviGate Prepared.

We use it to fill out your profile and other users in your district can view your User Personal Information if used by your district in modules such as but not limited to Call Lists.

We will use your email address to communicate with you, if you’ve said that’s okay, and only for the reasons you’ve said that’s okay. Please see our section on email communication for more information.

We limit our use of your User Personal Information to the purposes listed in this Privacy Statement. If we need to use your User Personal Information for other purposes, we will ask your permission first.

Information about Schools:

We ask for certain information when a School administrator registers a School with NaviGate Prepared, or if an administrator corresponds with us online, including their name, school name, school district, school email address and/or account name and password, phone number, message content, and information relating to the School’s information systems.

We may also retain information provided by a School if the School sends us a message, posts content to our website or through our Service, or responds to emails or surveys. Once a School begins using NaviGate Prepared, we will collect content and information provided by the School through the School’s use of the Service and we will keep records of activities related to the Service.

Why do we collect this?

We use this information to operate, maintain, and provide to the features and functionality of the Service, to analyze and improve our Service offerings and functionality, and to communicate with our Schools and website visitors.

Student Data:

NaviGate Prepared treats Student Data as confidential, and does not use it for any purpose other than to provide services on the School’s behalf, in accordance with NaviGate Prepared’s contractual arrangement with the School.

NaviGate Prepared relies on each school to provide appropriate notice to parents of the School’s use of third-party service providers such as NaviGate Prepared, and, where necessary, to obtain consent and authorization for NaviGate Prepared to receive Student Data, as permitted by the Children’s Online Privacy Protection Act (COPPA).

Through the course of providing its Service to a School, NaviGate Prepared may have access to personally identifiable information about students (“Student Data”) that is provided by the School. NaviGate Prepared has access to Student Data only as requested by the School and only for the purposes of performing Services on the School’s behalf. The type of Student Data we collect is name, gender, date of birth, grade, school, class list, and emergency contact information. NaviGate Prepared receives Student Data only from the School and never interacts with the Student directly.

Why do we collect this?

Certain modules in NaviGate Prepared allow staff to account for students during a drill or emergency as conducted by the School. To better account for students by name, NaviGate Prepared filters students by class, teacher, grade, and age.

Student Data is never stored on a users’ mobile device. It is displayed, used, and destroyed as soon as the user changes screens or the alarm is ended. Each user only receives Student Data as it is needed and applies to them, and is necessary for them to fully account for students in their role.

NaviGate Prepared only collects information through the School from a child under the age of 13 where the Student’s School, school district, and/or teacher has agreed through a Services Agreement and/or Terms and Conditions, to obtain parental consent. If you have questions, please contact the School about the School’s use of technology service providers such as NaviGate Prepared.

What information NaviGate Prepared does not collect

We do not intentionally collect sensitive personal information, such as social security numbers, genetic data, health information, or religious information. Although NaviGate Prepared does not request or intentionally collect any sensitive personal information, we realize that you might store this kind of information in your account, such as in a note or document. If you store any sensitive personal information on our servers, you are consenting to our storage of that information on our servers, which are in the United States.

No child under the age of 13 may have an account in NaviGate Prepared. NaviGate Prepared does not knowingly collect information from or direct any of our content specifically to children under 13. If we learn or have reason to suspect that you have users who are under the age of 13, we will unfortunately have to disabled those users or close your account. Please contact us at help@navigatemail.com if you believe that NaviGate Prepared has inadvertently collected information of a child under the age of 13 without proper consent, so that we may delete such data as promptly as possible.

How we share the information we collect

We do not share, sell, rent, or trade Data with third parties for their commercial purposes.

We do not disclose Data outside NaviGate Prepared, except in the situations listed in this section or in the section below on Compelled Disclosure.

We do compile certain aggregated and/or anonymous information that does not reasonably allow for the identification of any individual or School about how our users, collectively, use NaviGate Prepared, or how our users respond to our other offerings, such as our conferences or events. For example, we may compile statistics on how many flipcharts have been created in a given region. From such information, all direct and indirect identifiers will be removed, and these include, but are not limited to ID numbers, demographic information, location information, and School ID. Moreover, we do not sell this information to advertisers or marketers.

We do not host advertising on NaviGate Prepared. We may occasionally embed content from third party sites, such as YouTube, and that content may include ads. While we try to minimize the amount of ads our embedded content contains, we can’t always control what third parties show.

We may share Data with your permission, so we can perform services you have requested.

We may share User Personal Information (not Student data) with a limited number of third-party vendors who process it on our behalf to provide or improve our service, and who have agreed to privacy restrictions similar to our own Privacy Statement. Our vendors perform services such as training, payment processing, customer support ticketing, network data transmission, and other similar services. When we transfer your data to our vendors, we remain responsible for it.

We may share Data if we are involved in a merger, sale, or acquisition. If any such change of ownership happens, we will ensure that it is under terms that preserve the confidentiality of your Data, and we will notify you on our website or by email before any transfer of your Data. The organization receiving any Data will have to honor any promises we have made in our Privacy Statement or in our Terms of Service.

Our use of cookies and tracking

NaviGate Prepared uses cookies to make interactions with our service easy and meaningful. We use cookies (and similar technologies, like HTML5 local Storage) to keep you logged in, remember your preferences, and provide information for future development of NaviGate Prepared.

A cookie is a small piece of text that our web server stores on your computer or mobile device, which your browser sends to us when you return to our site. Cookies do not necessarily identify you if you are merely visiting NaviGate Prepared; however, a cookie may store a unique identifier for each logged in user. The cookies NaviGate Prepared sets are essential for the operation of the website, or are used for performance or functionality. By using our website, you agree that we can place these types of cookies on your computer or device. If you disable your browser or device’s ability to accept cookies, you will not be able to log in or use NaviGate Prepared’s services.

NaviGate Prepared does not allow third-party advertising networks to collect information about your use of the website and service for purposes of serving targeting advertising, and we will never use Student Data for targeted advertising. Certain pages on our site may set other third party cookies. For example, we may embed content, such as videos, from another site that sets a cookie. While we try to minimize these third party cookies, we can’t always control what cookies this third party content sets.

How NaviGate Prepared secures your information

NaviGate Prepared takes all measures reasonably necessary to protect Data from unauthorized access, alteration, or destruction; maintain data accuracy; and help ensure the appropriate use of Data. We follow generally accepted industry standards to protect the Data submitted to us, both during transmission and once we receive it.

No method of transmission, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its absolute security.

Physical Security:

Our server environment is currently hosted by Amazon Web Services (“AWS”). We do not own or maintain the physical implementation of our environment.

AWS provides detailed security information on the physical access of their facilities (https://aws.amazon.com/whitepapers/overview-of-security-processes/)

System Security:

System installation using hardened, patched OS with automatic security patches applied

VPCs in place to isolate our environment from any outside access

Amazon Virtual Private Cloud (Amazon VPC) allows us to configure subnet routes, public IP addresses, security groups, and network access control lists in order to minimize application attack surfaces. Elastic Load Balancing (ELB) load balancers and Amazon Elastic Compute Cloud (EC2) instance security groups are configured to allow only traffic that originates from specific IP addresses protecting backend application components from a direct attack.

Security groups — Act as a firewall for associated EC2 instances, controlling both inbound and outbound traffic at the instance level

Network access control lists (ACLs) — Act as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level

Flow logs — Capture information about the IP traffic going to and from network interfaces in our VPC

Elastic Load Balancing

Elastic Load Balancing (ELB) enables the automatic distribution of application traffic to several EC2 instances across multiple Availability Zones, which minimizes the risk of overloading a single EC2 instance helping to mitigate DDoS attacks. ELB only supports valid TCP requests, so DDoS attacks such as UDP and SYN floods are not able to reach EC2 instances. It also offers a single point of management and can serve as a line of defense between the Internet and our backend, private EC2 instances.

All of our key servers have at least 2 identical copies running and are currently load balanced across two different physical Availability Zones to combat any network or physical data center issues in one specific physical location or one specific hardware or software failure

Decoupled infrastructure

We have separate application, database, reporting, and event servers, as well as separate media and static content. Decoupled applications prevent Internet access to critical system components, protecting them from an attack and enabling our team to focus DDoS mitigation efforts on resources that are publicly accessible.

AWS handles the virtual host, storage, network, and database security inherent in their global infrastructure as well as database server updates and security patching

System access logged and tracked for auditing purposes

The NaviGate Prepared login credentials cannot be used to access a shell or the file system. All users are virtual and have no user account in our AWS structure or any specific EC2 instance

Communications:

All private data exchanged with NaviGate Prepared is always transmitted over SSL (which is why your dashboard is served over HTTPS, for instance).

All server maintenance is done over SSH authenticated with keys.

Login information is always sent over SSL. All passwords are filtered from all our logs and are one-way encrypted in the database.

File system and backups:

Every line of code we store is saved on a minimum of three different servers, including an off-site backup.

All uploaded files are stored in S3 which keeps a minimum of 3 copies of every file for redundancy and carries a 99.999999999% durability. All files are stored with versioning allowing us to restore any files accidentally or maliciously changed or deleted.

All information stored in the database is replicated between two servers in multiple availability zones. If the primary database server has any hardware or software failure, the secondary instance immediately becomes available with an identical copy of all data.

All database information has point-in-time recovery. We backup the database and transaction logs and store both for 35 days. This allows us to restore data to any second during those 35 days, up to the last five minutes.

We do not encrypt storage on disk because it would not be any more secure: the website and NaviGate Prepared back-end would need to decrypt the information on demand, slowing down response times. Any user with shell access to the file system would have access to the decryption routine, thus negating any security it provides. Therefore, we focus on making our machines and network as secure as possible.

Employee access:

No NaviGate Prepared employees ever access your Data unless required to for support or development reasons. Support staff may sign into your account to access settings related to your support issue. In rare cases staff may need to pull a clone of your Data to our secure test server if we are making updates that may impact your site. Support staff does not have direct access to servers or file storage, they will need to login and access your site through the NaviGate Prepared interface which is logged. When working a support issue we do our best to respect your privacy as much as possible, we only access the files and settings needed to resolve your issue. All cloned Data is deleted as soon as the support issue has been resolved.

Installing the NaviGate Prepared app \ required permissions

When downloading the NaviGate Prepared app from the Apple App Store or the Google Play Store, you may note that certain permissions are required to install the app.

Photos/Media/Files:

We need this permission to be able to store things onto the device.

We store a file with a special token onto the phone that allows you to stay logged in. Without that token, you would have to log in to the app each time you opened it.

We also store a copy of your flipcharts and drill scenarios (for admins only) onto the device so that they are accessible without an internet connection.

We do not access any other files, including your personal files and pictures, on the device.

Camera:

We access the camera on the user account screen. We now allow staff to take their own picture from their phone so it can be attached to their user card. That picture shows up on call lists inside NaviGate and is optional to use.

Microphone:

Because of the way we integrate sounds (like playing audio when an alarm is initiated) the microphone is included automatically as part of that. We do not actually use the microphone in any way.

Device ID & Call Info:

We store a device ID with each user account so we know which user matches with each device. It allows us to connect the correct information to the device and also troubleshoot if something is not working correctly.

We do not access anything about an active call or the remote phone number for any phone calls.

Other:

We use internet (network) in the app to pull and update data.

We have been working on a flashlight component, though it hasn’t been fully released as all phones haven’t supported it. This would just be a toggle to turn on the flashlight if a user needed it quick during an emergency.

We don’t automatically change your audio settings in any way.

In future updates we will use vibration for new messages and when an alarm is triggered.

Resolving complaints

If you have concerns about the way NaviGate Prepared is handling your Data, please let us know immediately. We want to help. You may contact us by filling out the contact form. You may also email us directly at help@navigatemail.com with the subject line “Privacy Concerns.” We will respond within 14 days at the latest.

How we respond to compelled disclosure

NaviGate Prepared may disclose personally-identifying information or other information we collect about you to law enforcement in response to a valid subpoena, court order, warrant, or similar government order, or when we believe in good faith that disclosure is reasonably necessary to protect our property or rights, or those of third parties or the public at large.

In complying with court orders and similar legal processes, NaviGate Prepared strives for transparency. When permitted, we will make a reasonable effort to notify users of any disclosure of their information, unless we are prohibited by law or court order from doing so, or in rare, exigent circumstances.

How you can access and control the information we collect

If you’re already a NaviGate Prepared user, you may access, update, alter, or delete your basic user profile information by editing your user profile or contacting NaviGate Prepared Support at help@navigatemail.com.

Data Retention and Deletion:

NaviGate Prepared will retain Data for as long as your account is active or as needed to provide you services.

Following termination or deactivation of an account, NaviGate Prepared may retain profile information and content for a commercially reasonable period of time to comply with legal obligations and for backup, archive, or audit purposes, but all Student Data associated with the School will be promptly deleted.

If you would like to cancel our account or delete your Data, you may do so by contacting NaviGate Prepared Support at help@navigatemail.com.

How we communicate with you

Email:

We will use your email address to communicate with you, if you’ve said that’s okay, and only for the reasons you’ve said that’s okay. You have a lot of control over how your email address is used and shared on and through NaviGate Prepared. You may manage your communication preferences on your User Card in NaviGate Prepared.

Depending on your email settings, NaviGate Prepared may occasionally send notification emails about new features, requests for feedback, important policy changes, or offer customer support. We also send marketing emails, but only with your consent. You can either unsubscribe from our emails using a link at the bottom of the email or by adjusting your email settings on your user card.

Our emails might contain a pixel tag, which is a small, clear image that can tell us whether or not you have opened an email and what your IP address is. We use this pixel tag to make our email more effective for you and to make sure we’re not sending you unwanted email. If you prefer not to receive pixel tags, please opt out of marketing emails.

Text Messaging:

By providing your mobile phone number to NaviGate Prepared (or if you are part of a School, permitting the School to provide your mobile phone number to NaviGate Prepared), you hereby expressly consent to our use of your mobile phone number to call or send you SMS audio and text messages in connection with the Services, including through the use of automatic telephone dialing systems or other automated communications technology. NaviGate Prepared will not assess and charge for any calls or texts, but standard message charges or other charges from your wireless carrier may apply.

To stop receiving SMS audio and text messages from the Services, you may remove your mobile phone number from your account.

Changes to our Privacy Statement

Although most changes are likely to be minor, NaviGate Prepared may change our Privacy Statement from time to time. We will provide notification to Users of material changes to this Privacy Statement through our Website at least 30 days prior to the change taking effect by posting a notice on our home page or sending email to the email address specified in NaviGate Prepared as administrators. For changes to this Privacy Statement that do not affect your rights, we encourage visitors to check this page frequently.

Contacting NaviGate Prepared

Questions regarding NaviGate Prepared’s Privacy Statement or information practices should be directed to the contact form on our website or through email at help@navigatemail.com.