Capitalized terms used in this Data Retention Policy have the meanings assigned to them in the Privacy Policy, which can be found here Privacy Policy
THIRTEEN takes measures to ensure that its personnel and service providers abide by its security standards, contractual obligations and applicable law with respect to the data we collect, which includes a combination of technical due diligence, data security and privacy trainings, oversight, audits, periodic tests, scans and other assessments. Periodic risk assessments, audit trails and security logs also enable us to assess and remediate vulnerabilities as needed and to protect data from deterioration and degradation. THIRTEEN requires any service provider that processes Personal Information on its behalf to comply with and maintain a data security policy that is consistent with ISO 27001, NIST, SOC 2 Trust Service Principles or other appropriate standards.
We delete all Personal Information obtained from Educational Customers within 365 days of receipt, unless earlier deletion is requested by the Educational Customer or their parents or Educational Institution. If an Educational Institution provides Personal Information, we will request renewed permission to retain that information every 365 days in order to allow continued use of the Services.
We may continue to retain and use anonymous or aggregate data, or any other data that constitutes non-personal information. Please note that we will not be liable for disclosures of your data due to errors or unauthorized acts of third parties.
We may keep back-up and similar copies of Personal Information that it is unable to destroy using commercially reasonable measures, to the extent permitted by law. We may also keep archive copies of Personal Information needed for audit, dispute resolution or legal compliance purposes, again to the extent permitted by law.