Privacy Notice

This is the privacy notice which discloses some or all of the ways a OpenStax gathers, uses, discloses, and manages user's data.

Privacy Notice

This Privacy Notice describes how OpenStax (a part of Rice University) collects and processes personal information in connection with the access or use of any of our individual services, products, and websites that link to this Privacy Notice, including the main OpenStax.org website and digital textbooks, OpenStax Tutor, OpenStax Accounts, OpenStax Assignable, RAISE, Staxly, and OpenStax Kinetic (collectively, the “Services”). The Services are provided by William Marsh Rice University (hereafter referred to as “OpenStax,” “we,” “our,” or “us”). Please read this Privacy Notice and the Terms of Use for each service (linked above) carefully before using our Services. If you do not agree to this Privacy Notice, then you must not access or otherwise use the Services.

Children's Data

We understand that a portion of our Services may include content that children may interact with. As such, we are committed to maintaining information collected about children private and secure.

When children use our Services, we collect their name and the email address associated with the account that is created on their behalf. We also collect the IP address associated with the account that a child may use to access our Services, and we use cookies, and similar technology, to collect information about how children use our Services.

Our main use of the information that children provide is to deliver the Services that we make available. However, we may, at times, use non-personally identifiable data that we collect, including from children, in order to improve our Services.

We retain information in a form which permits identification of a child for as long as necessary to provide the Services in which the child is participating, or for other business purposes such as complying with our legal obligations, resolving disputes, and enforcing our agreements.

We may disclose aggregated information about many of our users, and data that does not identify any individual or device. In addition, we may disclose children’s information (i) to third parties we use to provide or support our Services; (ii) if we are required to do so by law or legal process, such as to comply with any court order or subpoena or to respond to any government or regulatory request; (iii) if we believe disclosure is necessary or appropriate to protect the rights, property, or safety of our company, our customers or others, including to protect the safety of a child, protect the safety and security of the Services; or enable us to take precautions against liability; or (iv) to law enforcement agencies or for an investigation related to public safety.

At any time and upon providing proper identification, parents may access and review their child’s information maintained by us, request that we update or delete such information, and/or refuse to allow us from further collecting or using a child’s information. To protect a child’s privacy and security, we may require you to take certain steps to provide additional information to verify your identity before we provide any information or make corrections.

FERPA Rights

OpenStax acknowledges that it may be provided with personally identifiable information from education records (“FERPA Records”) that are subject to the Family Educational Rights Privacy Act (“FERPA”). If such FERPA Records are provided to OpenStax, then OpenStax will be considered a “School Official” as that term is used in FERPA and its implementing regulations.

Where this applies, schools retain the right to ask OpenStax to access, correct, or delete personal information collected through the Services, and OpenStax will support access to and correction of personal information by parents consistent with legal requirements. For additional information regarding FERPA, please see our FERPA informational page at: https://registrar.rice.edu/ferpa.

Because OpenStax remains under the direct control of the school in this context, parents who may have concerns about the collection or use of students’ personal information through OpenStax should contact their school/institution. If you are not sure who at your student’s school will be able to help, please contact:

Marc Scarborough
CISO, Office of Information Technology
Rice University - MS 119, P.O. Box 1892
Houston, TX 77251-1892 USA

Information We Collect

We collect personal information about you from a variety of sources, including directly from you (e.g., when you contact us by email or request information through our website), as well as automatically through your use of the Services (e.g., information collected from cookies and similar technologies), and from other sources (e.g., third-party authentication services).

We collect the following categories of personal information from you when you use the Services:

Information we collect directly from you includes:

  • Sign-in information, including email address, name, authentication information, telephone/mobile numbers, your educational institution, and/or any passwords you create
  • Profile information, including your interests and preferences, demographics (e.g., gender, age, or other demographic information you provide, such as in the context of optional activities including surveys or learning research studies, including in the context of OpenStax Kinetic).
  • Identification and other verification information, should you win a gift card giveaway based on your participation. This may include any other information we may need to verify your identity and/or comply with applicable laws and regulations.
  • Content posted on or through our discussion boards, Staxly, or any of our Services.
  • Correspondence you send to us, including information provided therein; information provided in response to questions, webinars, or surveys we provide through our Services; and any other content you provide to us in sending or responding to messages and communications through the Services.

Information we automatically collect about your use of the Services includes:

  • Information from the devices and browsers that you use, including technical data collected from your computer or mobile device (e.g., your IP address, operating system, browser and/or plugin information, referring and exiting URLs);
  • Information about your usage of the Services (e.g., which webpages you visit; how often you use the Services; and how you interact with the Services including the order in which pages are visited, dates and times of interactions, and how long you spend on certain tasks);
  • Location information (e.g., geolocation data based on your IP address and point of connectivity); and
  • Information we generate about you (e.g., our understanding of your interests and relevant demographics as a result of your use of the Services; whether you are a regular or occasional user of the Services).

In addition to the above, we may collect any other information you provide to us directly or indirectly through using or otherwise accessing the Services.

Information we collect about you from other sources includes:

Information provided to us if you connect to the Services using third-party authentication services (such as those provided by social media including Meta, Google, X, or Learning Management Systems (LMSs)).

Information from third-party authentication services may include:

  • personal details (e.g., name);
  • contact details (e.g., email address);
  • third-party identifiers (e.g. school ID numbers); and
  • social media information (e.g., if you log in using social sign-on features, we may collect other information associated with your social media profile such as your profile picture).

OpenStax may obtain personal information about you from other sources, including from commercially available sources such as data aggregators and public databases. This information may include your name, email, school, subject area, class size, and textbook adoptions. OpenStax may combine this information with the information we collect from and about you to help us tailor our communications to you and improve our Services.

Cookies and Similar Technologies

Cookies are small files that are stored on your computer that help OpenStax understand your preferences and basic information about your visit to the website. You may disable cookies for the website by consulting the help section of your browser. 

When you use our Services, information such as your IP address, browser type, geolocation, and pages you visit may be tracked via cookies. This information is used to analyze trends or viewing habits, monitor for abuse or malicious activity, and for website administration.

We use various service providers to help analyze how people use our Services. These service providers use cookies and similar technologies to collect information pertaining to how people use our website and mobile application and elsewhere based on your on-line activities over time and across different sites, services, and devices, as well as for other lawful purposes. We use the information we get from these service providers to improve and optimize our website, mobile application, and Services.

One of the service providers we use is Google Analytics, which helps us understand how you use our Services. Google Analytics collects data about your traffic via Google advertising cookies and anonymous identifiers, as well as data collected through standard Google Analytics implementation. You can learn more about how Google uses data at www.google.com/policies/privacy/partners. To opt-out of Google Analytics, please access this link: https://tools.google.com/dlpage/gaoptout/.

How We Use Your Information

We use your personal information for the following purposes:

  • To verify your identity and protect the security of your personal information when you access and use our Services, and to identify you across other OpenStax services, products, and websites that you use or access.
  • To communicate with you about the Services. For example, we may send you notifications about your account and/or new features, your transactions, updates to the Terms of Use for OpenStax sites, products and services that you use, and we may provide responses to your requests for support or comments relating to the Services.
  • To send you communications about products or services of OpenStax or our affiliates that may be of interest to you, based on our understanding of your interests and preferences. Where required by law, we will obtain your consent before sending you marketing communications. You may unsubscribe from marketing communications, but we will still send you communications regarding transactions, your account, or other administrative messages, as described above.
  • To enable us to provide, oversee, and administer the Services.
  • To monitor, maintain, and improve the functioning and security of the Services, software, systems, and network. We may use your personal information to create algorithms and programs that help us improve existing features, personalize student experiences for each individual learner, to evaluate the effectiveness of materials and the learning experience, to assess a student’s level of ability, and to improve our understanding of the learning process.
  • To provide customer support services you request from us. For example, when you submit a request for support, we may use the information provided to respond to such communications and to provide the requested service.
  • To track, evaluate, and analyze individual and aggregate use of the Services for learning research purposes. This involves tracking progress and completion of learning tasks, competencies and performance, and learning behavior.
  • To investigate, take action, or prevent illegal activities, suspected fraud, suspected violations of the Terms, potential misuses of the Services, security issues, or technical issues; to respond to subpoenas, court orders, or other legal process; to prosecute and defend a court arbitration or similar proceeding; to protect our rights, property, or safety or those of others.
  • To process payments. Where applicable, OpenStax provides schools and/or individuals with the ability to pay for the Services using a credit card through a third-party payment processing provider. Our service provider collects and processes credit card information provided to us.
  • As otherwise described to you at the point of collection.
  • If the personal information is de-identified, so that you may not reasonably be re-identified by us or any other party, and we may use or share such de-identified information for any lawful purpose, including for additional research purposes.
  • For any other lawful purpose not otherwise included herein.

How We Share Information

We share personal information with third parties as follows:

  • With third parties that perform certain tasks on our behalf. For example, this includes but is not limited to service providers providing customer support, customer newsletters, webinars, operation and administration of the Services, processing information that you provide to us, and other tasks related to the Services.
  • To the extent that you submit content or other personal information to publicly accessible portions of the Services, others may be able to view your information, which may in some cases identify you as author.
  • OpenStax shares personal information with other researchers at Rice, as well as third-party researchers engaging in learning research for or on behalf of educational agencies or institutions. In most cases, OpenStax de-identifies personal information before providing it to researchers, so that researchers cannot identify individual students with reasonable certainty when conducting their research. For the majority of our studies, researchers will only receive de-identified student data. In some limited circumstances, and only when authorized by the school or student, OpenStax may disclose personal information of students to researchers. Researchers will not have access to personal information without additional training, agreements, and vetting, only in support of the study and consistent with our policies.
  • With affiliates of OpenStax, or with successors in the event of a merger, acquisition or reorganization, for their use consistent with this Privacy Notice.
  • With law enforcement agencies, courts, regulators, government authorities, or other third parties. To investigate, take action, or prevent illegal activities, suspected fraud, suspected violations of Terms of Use for any of OpenStax services, products, and websites, security issues, or technical issues; to respond to subpoenas, court orders, or other legal process; to prosecute and defend a court arbitration or similar proceeding; to protect our rights, property, or safety or those of others; or as otherwise required by law.
  • For integration with third party services. For example, videos and other content may be hosted on YouTube and other websites not controlled by us, and your access of such material may involve disclosure of your personal information.
  • When directed or consented to by the learner (or the learner’s parent or guardian) or teacher who input the information, or by the administrator of an institution or school’s account.
  • As otherwise described to you at the point of collection. For example, in connection with certain targeted learning research studies.
  • We may also share de-identified information, as described above, with third parties for any lawful purpose, including for additional research purposes.

Your Rights and How to Contact Us

You may have specific rights regarding your personal information granted to you by law, where applicable. OpenStax is a non-profit entity and not subject to various data privacy laws within the United States. If you believe you have rights according to a data privacy law that is not covered in this Privacy Notice, you may contact us in accordance with the following procedures and we will review any requests submitted as required by law.

If you are accessing OpenStax from the European Economic Area ("EEA"), please refer to our European Economic Area Privacy Notice which supplements this Privacy Notice: https://www.rice.edu/gdpr.

Who is our Data Protection Officer, and how do I contact that person?

Rice has designated the Chief Information Security Officer as the Data Protection Officer for the purposes of GDPR. He can be contacted with questions or concerns at GDPR@rice.edu or at 1-713-348-5735, or by mail at:

Marc Scarborough
CISO, Office of Information Technology
Rice University - MS 119, P.O. Box 1892
Houston, TX 77251-1892 USA

Legal Basis Under GDPR

OpenStax will only process your information for lawful purposes under the GDPR. In most cases users will provide their explicit consent to the collection and processing of their personal information as part of a research study, or their use of the Services.

Rights Under the GDPR

As stated in the Rice European Economic Area (EEA) Privacy Notice, if you are accessing OpenStax from the EEA, you have the right to request access to, a copy of, rectification of, restriction in the use of, erasure of personal information and withdraw consent to process of your personal information by notifying us at gdpr@rice.edu. You will be required to verify your identity prior to us responding to your request. We are committed to responding to your request within 30 days of receipt. If you feel that we have not complied with the applicable provisions of the GDPR regulating your information, you have the right to file a complaint with the appropriate supervisory authority in the EEA.

Data Deletion Requests

To request deletion of your OpenStax personal data, please fill out the form at https://openstax.org/general/data-deletion-request or email support@openstax.org. Our customer service team will reach out to you before your request is processed to verify your identity and details of your request. In general, your personal information will be deleted upon your request unless applicable law requires destruction after the expiration of an applicable retention period, or unless there is a legitimate reason to retain the information based upon the circumstances upon which it was received by OpenStax.

International Transfers

By using our Services and providing us with information, you understand that your information is being collected and stored on, and may be transferred to, servers located outside your resident jurisdiction. We and many of our third-party vendors are based in the United States, and your information is being processed by us both here and in other jurisdictions where laws may not be equivalent to those where you reside. To the extent we disclose your information to third-party vendors, we use contractual safeguards to help ensure that such third-party vendors are bound to duties of confidentiality. Where local law permits, you are deemed to have consented to these data transfer practices through your use of the Services. If you do not consent to these data transfers practices, please do not use the Services. You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO) with respect to data protection issues. If you would like further information please contact us. Except as set forth herein or if we have obtained your explicit consent, we will not transfer your personal information outside of the EEA.

Links to Other Websites

The Services may include links to other websites, and we are not responsible for the collection and use of your information by such websites. We encourage you to familiarize yourself with the privacy policies and cookie practices of each website you visit and use.

Security and Retention

Your personal information will be retained only for so long as reasonably necessary, for the purposes set out herein, and in accordance with applicable law. OpenStax takes the security of your information seriously and has dedicated resources to the protection of your data. This includes technological controls and a staff that is trained in information confidentiality, integrity, and availability of electronic data, resources, and communications, however no transmission of data over the internet or any other public network can be guaranteed to be completely accurate or secure. More information regarding how Rice and OpenStax protect your personal information is available at https://iso.rice.edu/. However, information collected by third-parties may not have the same security protections as the personal information you submit to us, and we are not responsible for protecting the security of such personal information handled by third parties.

How to Contact Us

Please feel free to contact us at the details below with any question or concern about privacy or personal information.

OpenStax
Rice University
6100 Main Street, MS-375
Houston, TX 77005
Email: support@openstax.org

Modifications to our Privacy Notice

If we update or modify our Privacy Notice, we will post the revised notice here, with an updated revision date. If we make significant changes to our Privacy Notice that materially alter our privacy practices, we may also notify you directly by other means prior to the changes taking effect.

Date Posted: October 24, 2023

Back
Back to top