Thanks for using GraphoLearn! Here we describe how we collect, use and handle your and children’s personal data when using our websites, software and services. The European General Data Protection Regulation (EU) 2016/679 (GDPR) requires us to do so.
- You also give us an explicit consent to process the data at the United States or outside EU/EEA area when the Data Controller is from the United States/or outside the EU/EEA area. Such processing may have possible risks due to the absence of an adequate level of data protection. The General Data Protection Regulation is a regulation in EU and it does not apply to data processing at the United States/outside the EU/EEA area.
- If you are not the guardian of the child, you must have explicit permission from the legal guardians of any minors that use GraphoLearn under your supervision.
What is GraphoLearn?
GraphoLearn (Service) is an evidence-based learning game for supporting reading development. In other words, GraphoLearn is digital assessment and training environment for those who are learning to read. With our international partners, we develop and validate new GraphoLearn language versions in several countries. For more information: info.grapholearn.com.
Data controller and data processors
The University of Jyväskylä is the data controller for GraphoLearn. If the University of Jyväskylä processes personal data on behalf of its contracting party, usually its research partner then university is a data processor. As a data processor, we only process indirect identifiers from which the child cannot be identified without additional information from the data controller (which is usually the university’s research partner).
Contact details: University of Jyväskylä, Centre for Applied Language Studies whose registered office is located at P.O. Box 35, 40014 University of Jyväskylä, Finland. Data Protection Officer: tietosuoja(at)jyu.fi, tel. +358408053297.
In order to use GraphoLearn, the user (an adult, usually a researcher, teacher or guardian) needs to register in the game and accept the user terms before starting to use the game. For registration, the user needs to provide his/her email address. This means that when an adult who wants to be a GraphoLearn user registers in the game by giving his/her email address, the server will send back to this email address an activation link which must be clicked in order to activate the user account. After the activation is completed, the account can be used to log into the game. The email address is not used for anything else.
GraphoLearn collects also game log data that do not include direct identifiers. For the person to be identified from the log data additional information is needed. However, these data are considered personal data as long as the data controller is able to identify the players.
How collected information is used
The game log information GraphoLearn collects is used for improving the service and for scientific research purposes. Typically, this means that we researchers look at the data to see for example how long it takes to learn specific reading skills, what things seem to be easy and more challenging, and any other questions to help us understand better how to support reading skill development and improve GraphoLearn (Service).
Legal grounds for the processing of personal data
The EU General Data Protection Regulations (which is known as GDPR) apply to us when we process personal data. The regulations say that information should only be processed in one or more specified circumstances, which are known as ‘lawful bases’. The lawful bases on which we may process your personal information include:
- The legal guardian has given consent to the processing of child’s personal data for one or more specific purposes (Article 6.1(a).
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6.1(b). [E.g., where an order has been placed for our services].
- Processing is necessary for scientific or historical research purposes or statistical purposes (section 4.1(3) of the Finnish data protection act).
- Fulfilment of the legitimate interests of the controller or a third party (Article 6.1(f), GDPR) [E.g. improving the GraphoLearn service, to communicate with you, and to investigate and respond to your queries].
- Processing that is necessary for compliance with a legal obligation to which the controller is subject (Article 6.1(c), GDPR).
Who can use the collected information
The data gathered by using GraphoLearn can be disclosed to researchers within a specified research team for purely scientific purposes. The team is specified in GraphoLearn Research or in GraphoLearn Research and Development Licenses. Typically, researchers are from established universities and research institutes.
Transferring personal data outside the EU/EEA
The University of Jyväskylä shall be entitled to transfer Personal Data freely within the European Union or the European Economic Area in order to provide the Service. The Processor is also entitled to transfer Personal Data outside the European Union or the European Economic Area in compliance with the Data Protection Laws.
GraphoLearn uses GraphoLearn servers on Google Cloud Platform. These are located both within and outside the European Union or the European Economic Area. The servers are used for GraphoLearn registration (registration requires an email address from a user), for creating player names, and for game log data which can be used by the GraphoLearn game and researchers. Google Cloud Platform terms of service (a copy of which is at https://cloud.google.com/terms/) and which the Controller has read and accepts with respect to the hosting of the personal data collected and processed by the Controller within the use of Service.
The user data (email address) can be removed from the GraphoLearn servers upon user’s written removal request. The way to contact us is either to send an email to the following address: firstname.lastname@example.org or by using the feedback function in GraphoLearn. Also, once three years has passed since the last time the user has used the game and has not replied to an email request whether s/he wants to continue to use the game, the user information (email address used for the registration) will be removed.
The players log data are anonymized when the data controller stops processing direct identifiers.
All of these rights may not apply when the data are processed by the data controller at the United States/outside EU/EEA area.
Withdrawal of consent (Article 7, GDPR)
You have the right to withdraw your consent if the processing of personal data is based on consent. Withdrawing consent does not have any impact on the lawfulness of processing based on consent carried out before the withdrawal.
Right to access data (Article 15, GDPR)
You have the right to obtain information about whether your personal data are processed, and which personal data are processed. If required, you can request a copy of the personal data processed.
Right to have data rectified (Article 16, GDPR)
If there are any inaccuracies or errors in the processing of your personal data, you have the right to request your personal data to be rectified or supplemented.
Right to have data erased (Article 17, GDPR)
You have the right to request your personal data to be erased in certain situations
Right to the restriction of processing (Article 18, GDPR)
You have the right to restrict the processing of your personal data in certain situations, such as if you deny the accuracy of your personal data.
Right to have personal data transferred from one system to another (Article 20, GDPR)
ou have the right to obtain the personal data you have given in a structured, commonly used and machine-readable format, and the right to transmit that data to another controller if possible, and if processing is automated.
Right to object (Article 21, GDPR)
You have the right to object to the processing of your personal data if processing is based on public or legitimate interest. As a result, the controller cannot process your personal data unless it can prove that processing is based on a significantly important and justified reason which supersedes your rights.
Derogation from the rights of data subjects
Derogation from the aforementioned rights is possible in certain individual situations on the basis of the GDPR and the Finnish data protection act, insofar as the rights prevent scientific or historical research purposes or statistical purposes being fulfilled or make it much more difficult. The need for derogation must always be assessed separately in each situation.
Profiling and automated decision making
Your personal data will not be used in automated decision making. In this study, the purpose of the processing of personal data is not to assess your personal characteristics, i.e., profiling. Instead, your personal data and characteristics will be assessed from the perspective of broader scientific research.
Executing the rights of data subjects
All requests related to the execution of rights must be sent to the registry office of the University of Jyväskylä. Registry office and archive, P.O. Box 35 (C), 40014 University of Jyväskylä, tel.: +358 (0)40 805 3472, email: email@example.com. Visiting address: Seminaarinkatu 15, Building C (Main Building, 1st floor), Room C 140.
Any data breaches or suspicions of data breaches must be reported to the University of Jyväskylä:
You have the right to file a complaint with the supervisory authority of your permanent place of residence or employment if you consider that the processing of personal data is in breach of the GDPR. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman. Office of the Data Protection Ombudsman
Contact information: https://tietosuoja.fi/en/contact-information
We may update this policy from time to time by updating this page.