NUTRI-LINK TECHNOLOGIES, INC.
Product and Services Privacy Policy
Effective Date: October 12, 2023

Nutri-Link Technologies, Inc. (“Nutri-Link,” “we,” or “us”) understands that privacy is tremendously important to school districts and schools that purchase or subscribe to our Services (defined below) (“Clients”) and to educators and students whose information we may access on behalf of a Client (“Educators” and “Students”). Nutri-Link provides hosted solutions for public and private school districts, Camps, school nutrition and food service operations, including online Free and Reduced Price School Meals Application submission and eligibility verification services, meal planning/Fees and payment portals, and before/afterschool student dismissal.

This privacy policy applies to all of our products and services (collectively, the “Services”) and will help you understand how we collect, use and safeguard the personal information provided to us through the Services. This Privacy Policy (the “Policy” or “Privacy Policy”) is incorporated into the services agreement (or related terms of use) between Nutri-Link and its Clients (the “Services Agreement”), as well as the end user terms governing use of websites from which the Services may be accessible, including, without limitation, nlappscloud.com, curbsmart.net, mymealorder.com, onlineschoolfees.com and nutri-cafe.com. By using the Services, you acknowledge that you have read and agree to this Policy. If you do not agree with this Policy, you may not use or access the Services.

This privacy policy does not apply to our marketing website, nutrilinktechnologies.com. Please visit nutrilinktechnologies.com/privacy to view the privacy policy applicable to that website.

A Special Note for International Users of the Services:  Our systems are currently based primarily in the United States, so your personally identifiable information will generally be processed by us in the United States, where data protection and privacy regulations may be different than other parts of the world, such as the European Union. If you use the Services as a visitor from outside the United States, you are agreeing to the terms of this Policy and, if applicable, the end user terms of use posted in association with the Services, and you will have consented to the transfer and processing of all such information in the United States, which may not offer an equivalent level of protection of that in the European Union or certain other countries. 

This Policy provides the following information:

  1. How We Collect and Use Information
  2. How We Share Information
  3. How We Protect Your Information
  4. Choices About Your Information
  5. Compliance with Student Data Privacy Laws
  6. Student Data Privacy Policies, Practices and Procedures
  7. Children’s Privacy
  8. Links to Other Websites and Services
  9. How to Contact Us
  10. Changes to This Policy

Transparency. We will always be transparent with the methods we use to collect data and describe exactly how we will use it to the benefit and strict direction of our Clients and their users.

1. HOW WE COLLECT AND USE INFORMATION

We collect the following types of information:

Information about Clients and Their Users: We ask for certain information when a Client administrator, Educator or other user registers with Nutri-Link, or if the user corresponds with us online, which may include a name, school name, school district name, email address and/or account name and password, phone number, and/or message content. We may also retain information provided by a Client if the Client sends us a message, posts content to one of our websites or through our Services, or responds to emails or surveys. Once a Client begins using the Services, we will keep records of activities related to the Services. We use this information to operate, maintain, and provide the features and functionality of the Services, to monitor our service offerings and functionality, and to communicate with our Clients and their users.

We may also use general information we collect from Clients and their employee users (but not parent users) to periodically send information that we think our Clients might find of interest from Nutri-Link or its affiliates such as new services, special offers, or other important service changes. You may choose not to receive these communications by contacting us at [email protected] or by following the opt-out procedure outlined in such communications. Please note that opting out of receiving these communications will not remove your personal information from our files, and we will still contact you as necessary to provide the Services at your request. We do not rent or sell Client or employee user contact information to third parties for marketing purposes. We do not use Student Data for marketing purposes, and we do not send marketing communications to students or parents.

Student Data: Nutri-Link may have access to personally identifiable information about Students (“Student Data”) in the course of providing the Services to a Client. We consider Student Data to be confidential and do not use such data for any purpose other than to provide the Services on the Client’s behalf as agreed in the Services Agreement. For many of our Services, Nutri-Link receives Student Data only from the Client and never interacts with the Student directly. In some instances, depending on the type and level of Services selected by the Client, the Services may require that parents or guardians access and use the Services to provide data as authorized and directed by the Client. Nutri-Link has access to Student Data only as requested by the Client and only for the purposes of performing Services on the Client’s behalf.

Student privacy is very important to us. Student Data is used only for educational purposes at the discretion of the applicable Client.

Information Collected through Technology: We automatically collect certain types of usage information when visitors use the Services. We may send one or more cookies — a small text file containing a string of alphanumeric characters — to your computer that uniquely identifies your browser and lets Nutri-Link help you log in faster and enhance your navigation through the Services. A cookie may also convey information to us about how you use the Services (e.g., the pages you view, the links you click and other actions you take on the Services), and allow us to track your usage of the Services over time. We may collect log file information from your browser or mobile device each time you access the Services. Log file information may include anonymous information such as your web request, Internet Protocol (“IP”) address, browser type, information about your mobile device, number of clicks and how you interact with links on the Service, pages viewed, and other such information. We may employ clear gifs (also known as web beacons), which are used to anonymously track the online usage patterns of our Users. The information allows for more accurate reporting and improvement of the Services. We may also collect analytics data, or use third-party analytics tools, to help us measure traffic and usage trends for the Services. We do not allow third party advertising networks to collect information about the users of our Services.

We use or may use the data collected through cookies, log files, device identifiers, and clear gifs information to: (a) remember information so that a user will not have to re-enter it during subsequent visits; (b) provide custom, personalized content and information; (c) to provide and monitor the effectiveness of our Services; (d) monitor aggregate metrics such as total number of visitors, traffic, and usage on our website and our Services; (e) diagnose or fix technology problems; and (f) help users efficiently access information after signing in.

Other non-public information or data received from Clients that constitutes “confidential information” under the terms of the applicable Services Agreement will be subject to the confidentiality terms outlined in that Services Agreement.

2.  HOW WE SHARE INFORMATION
Nutri-Link only shares personal information in a few limited circumstances, described below. We do not rent or sell information for marketing purposes.

  • We may share information (including Student Data) with certain third-party providers whose software or services interface with or otherwise may receive information from, or provide information to, the Services, but only as directed or approved by our Clients. We do not release Student Data to any third party without the prior written consent of the Client or the affected Student (if he or she 18 years of age or older) or his or her parent or legal guardian, as applicable.
  • We may share information with those that provide us with technology or support services (e.g. web hosting, technical support and analytics services), but strictly for the purpose of carrying out their work for us. Client and its end users acknowledge that the Services, and the Student Data, will be made available in a hosted environment that may be provided by a third party, and Client consents to storage of Student Data in such environment solely for the purposes of providing the Services to Client and its users under the Services Agreement.
  • We may be required to share information with law enforcement or other third parties when compelled to do so by court order or other legal process, to comply with statutes or regulations, to enforce our Services Agreements, or if we believe in good faith that the disclosure is necessary to protect the rights, property or personal safety of our users.
  • If we sell, divest or transfer the business or a portion of our business, we may transfer information, provided that the new provider has agreed to data privacy standards no less stringent than our own. We may also transfer personal information – under the same conditions – in the course of mergers, acquisitions, bankruptcies, dissolutions, reorganizations, liquidations, similar transactions or proceedings involving all or a portion of our business.

3.  HOW WE PROTECT YOUR INFORMATION

We store our data in the United States and take strong measures to keep data safe and secure.

Storage and Processing: Any information collected through the Service is stored and processed in the United States. If you use our Service outside of the United States, you consent to have your data transferred to the United States.

Keeping Your Information Safe: Nutri-Link maintains administrative, technical and physical procedures to protect information stored in our servers, which are located in the United States. While no service provider can guarantee absolute security when communicating over the internet or wireless networks, we are committed to taking steps to help secure any personal information that may be in our possession. Access to information is limited (through user/password credentials and two factor authentication) to those employees who require it to perform their job functions. We use industry-standard Secure Socket Layer (SSL) encryption technology to safeguard the account registration process and sign-up information. We secure our system against external hacking and attacks with firewalls and restricted access protocols.

You are solely responsible for maintaining the secrecy of any password used to log in to the Services, if any, and you should always be mindful and responsible whenever disclosing information online that the information is potentially accessible to the public, and consequently, could be collected and used by others without your consent.

4.  CHOICES ABOUT YOUR INFORMATION

Account Information and Settings: Clients may update account information and modify Services by signing into the administrator account. Clients can opt-out of receiving promotional email from us by contacting us at [email protected] or by following the opt-out procedure outlined in such communications. You cannot unsubscribe from Service-related messaging.

If you have any questions about reviewing or modifying account information, contact us directly at [email protected].

Access to Student Data: Student Data is controlled by our Clients. Clients have access to their Student Data via the Services. If you have any questions about reviewing, modifying, or deleting personal information of a Student, please contact your school district directly.

Deleting or Disabling Cookies: You may be able to disallow cookies to be set on your browser. Please look for instructions on how to delete or disable cookies and other tracking/recording tools on your browser’s technical settings. You may not be able to delete or disable cookies on certain mobile devices and/or certain browsers. For more information on cookies, visit www.allaboutcookies.org. Remember, disabling cookies may disable some of the features available on the Service, so we recommend you leave cookies enabled.

If you have any questions about data retention or deletion, please contact [email protected].

5. COMPLIANCE WITH STUDENT DATA PRIVACY LAWS

Nutri-Link provides the secure and private platform that enables Clients to integrate data from various sources and securely store that data in one place.

All interactions with Student Data are handled with attention to accuracy and protecting Student privacy. Once Student Data is provided to us, we treat it as if it were our own children’s information.

Protecting the confidentiality, integrity, and availability of our Clients’ systems and data is of the utmost importance to us, as is maintaining Client trust and confidence. To that end, we ensure that our staff is trained and systems are in place to provide required security and confidentiality of Student Data. We have implemented training on the federal and state laws, regulations and policies governing confidentiality of Student Data and any PII (defined below) included in such Student Data for any Nutri-Link officers and employees who will have access to Student Data and PII under the Client’s Services Agreement. We also conduct background checks and require that our employees and agents sign secure data handling signed prior to receiving such access.

Nutri-Link has implemented practices and procedures designed to meet or exceed applicable requirements in federal and state laws and regulations, school district policies, as well as private industry best practices, regarding the proper handling and security of student information; these practices and procedures are described in further detail below. Our use and maintenance of PII from Student Data is subject to the direct provision and control of our Clients and parent and guardians of Students.

Different levels of access in our hosted Services may require different permissions, and we look to the Client to designate such permissions. System administrators assigned by the Client will have the ability (independently of Nutri-Link) to enable or disable access by any given Client user to various portions of the hosted data Services, and if a Client desires to have us disable access by any previously-authorized Client user, an authorized official of the Client must notify us in writing, and we will take reasonably prompt measures to disable access for that user as requested.

Family Educational Rights and Privacy Act: Nutri-Link understands and is compliant with all applicable aspects of the federal Family Educational Rights and Privacy Act, 20 USC § 1232(g) et seq. (“FERPA”), and associated regulations regarding “personally identifiable information” (“PII”), as such term is defined in FERPA, and Nutri-Link follows federal guidelines in regard to the collection, production, and distribution of PII included in Student Data we receive. For more information regarding FERPA, see http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html. We agree that we will manage and use such PII in accordance with FERPA and applicable state statutes, regulations, and policies. We rely on our Clients’ proper compliance with FERPA provisions regarding the release of PII from education records by (a) Clients’ obtaining parental consent to share PII with appropriately approved or contracted third parties such as Nutri-Link, or (b) Clients’ use of the “School Official” exception under FERPA (See http://ptac.ed.gov/sites/default/files/FERPA%20Exceptions_HANDOUT_horizontal_0.pdf and 34 CFR §§ 99.31(a)(1) and 99.7(a)(3)(iii)).

Compliance with State Student Data Privacy Laws: Our Services comply with specific state statutes, regulations, and policies regarding student data privacy and security. To the extent a state has requirements not otherwise covered by these policies, please contact our Compliance Department at 404-437-7964 or email us at [email protected].

6. STUDENT DATA PRIVACY POLICIES, PRACTICES AND PROCEDURES

Nutri-Link has implemented the following specific policies, practices and procedures with respect to Student Data:

  • Prohibition against using Personally Identifiable Information (PII) in student records to engage in targeted advertising. We do not sell, trade, or rent PII in Student Data to anyone outside the organization. We strictly limit internal access to Student Data and PII to those individuals who have a legitimate need for such access in order for us to perform our obligations under the Services Agreement with our Client. We do not use any PII for our own purposes and do not use any PII for the purposes of selling or marketing any product to any person or third party, whether such person or party is the subject of the applicable PII or otherwise.
  • Prohibition against using any PII in the student record for any purpose other than those required or specifically permitted by the contract. Nutri-Link prohibits using any PII in Student Data for any purpose outside those required or permitted by the Services Agreement with the applicable Client. Any PII in Student Data to which we have possession or access will be used by us solely for the purposes of providing the Services to the Client, and for providing such information through the Services to those persons or parties to whom the Client has provided access to the applicable portion of the Services. We hold Client data in strictest confidence and do not disclose it to any third parties, unless such third parties are required to fulfill the contract, nor make use of such data for our own benefit or for the benefit of another, or for any use other than the purpose(s) agreed upon in the services Agreement. If third parties have access to Student Data as required by the Services Agreement with the Client, such access is only allowed through Nutri-Link systems and process.
  • Collection of data and information from student records. Nutri-Link does not collect any information from student records separately from that which is provided by or through an educational institution that is within the scope of an approved and legally binding contract.
  • Description of the procedures by which a parent, legal guardian, or eligible student may review personally identifiable information in the student’s records and correct erroneous information. In general, the Client has the capability to provide any such person with access to the applicable data by means of the Services without the involvement of Nutri-Link, and if deemed appropriate, the Client has the capability to revise such Student Data to address any inaccuracy without the involvement of Nutri-Link. However, in the event our participation is necessary or useful to enabling access or addressing any inaccuracy that the Client or an adjudicatory body deems to be required, we will provide cooperation to enable such access or to address such inaccuracy. Importantly, only parents or guardians with FERPA rights may review or correct PII; Client must make such determination and communicate the same to us in the event our cooperation is needed.
  • Description of the procedures for notifying the affected parent, legal guardian, or eligible student in the event of an unauthorized disclosure of the student’s records. In the unlikely case of an unauthorized disclosure of Student Data, we will make every effort to assist the Client in notifying the affected parents or legal guardian. We will notify the Client within 24 hours of becoming aware of any breach of our security system that reasonably could compromise any Student Data or PII.
  • Certification that a student’s records shall not be retained upon completion of the terms of the contract and a description of how that certification will be enforced. Nutri-Link certifies that, to the extent any PII is stored or maintained by Nutri-Link in the Services, within a reasonable period of time after termination of the applicable Services Agreement and expiration of any post-termination access period requested by the Client, we will remove all PII from the hosted Services and deactivate the hosted Services account associated with Client’s subscription. Nutri-Link may, however, retain copies of any PII in its offline data archives for backup, archive or legal recordkeeping purposes, and may subsequently destroy or erase such retained archive data, all in accordance with its data retention policies; provided that the terms of this Privacy Policy apply for so long as Nutri-Link maintains any Student Data. We may maintain anonymized or aggregated data, including usage data, for analytics purposes.
  • Student records continue to be the property of and under the control of the school district. Nutri-Link ensures that Student Data is the property of and under the control of our Client. We may be required to disclose PII to comply with a court order, law or legal process (including a government or regulatory request). However, in advance of such agency request, we will provide the Client with notice of the requirement so that the Client may seek a protective order or other remedy if it so chooses. If, after providing such notice, IO must disclose the required PII, IO will only disclose that portion of the PII which, on the advice of our legal counsel, the order, law or process specifically requires us to disclose

Different levels of access in some of our hosted Services require different permissions, and we look to the Client to designate such permissions. System administrators assigned by the Client will have the ability (independently of Nutri-Link) to enable or disable access by any given Client user to various portions of the hosted data Services, and if a Client desires to have us disable access by any previously-authorized Client user, an authorized official of the Client must notify us in writing, and we will take reasonably prompt measures to disable access for that user as requested.

  • De-identified personally identifiable information. The above outlines Nutri-Link’s treatment of PII, but it is also very important to be clear what type of information is not PII. Once PII has been de-identified, that information is no longer PII. PII may be de-identified through aggregation or other appropriate means. The U.S. Department of Education has issued guidance on de-identifying PII in education records, available at http://ptac.ed.gov/sites/default/files/data_deidentification_terms.pdf. In order to allow Nutri-Link to proactively address client needs, we anticipate using de-identified information to improve Nutri-Link products and services generally. This does not mean we will market to you, necessarily, but that we may use de-identified data for general marketing to our Clients and prospective Clients. IO uses reasonable de-identification methods that avoid compromising the privacy or security of the PII provided to us.

7. CHILDREN’S PRIVACY
The Children’s Online Privacy Protection Act (“COPPA”) gives parents control over certain commercial websites’ and online services’ collection, use and disclosure of information from children under the age of 13. As noted above under “Student Data”, in most instances, Nutri-Link receives Student Data only from the Client or a Student’s parent or guardian and does not interact with children directly. To the extent the exact Services selected by the Client permits a Client to allow Students to log into the Services to provide personal information data as authorized and directed by the Client, Nutri-Link has, collects and uses such information only as requested by the Client for the purposes of performing Services on behalf and for the benefit of the Client; notwithstanding any term to the contrary in this Privacy Policy, such information is not used for any other commercial purpose and is, in all cases, subject to the terms of this Privacy Policy. In such circumstances and for purposes of COPPA, Nutri-Link relies on the Client’s grant of consent on behalf of the Student’s parent, if applicable, to the collection and use of such information from children. If you have any questions about the information we collect from Students or how we use such information, please contact your school district directly.

8.  LINKS TO OTHER WEB SITES AND SERVICES
Please remember that this Privacy Policy applies to the Nutri-Link Services only, and not other websites or third party applications that may be linked via our Services, which may have their own privacy policies. You should carefully read the privacy practices of each third party application before agreeing to engage with the application through the Services. We assume no responsibility or liability for the privacy practices of any vendor or operator of third party sites or applications.

9.  HOW TO CONTACT US
If you have any questions about this Privacy Policy or the Services, please contact us at [email protected].

10.  CHANGES TO THIS POLICY
We reserve the right to change this Privacy Policy at any time by posting revised Policy on this webpage, and we will notify Clients of such posting via the most recent Client email address on file with us. We encourage you to review this webpage periodically. The changes will be effective immediately upon notice or posting, and we will update the effective date of this Privacy Policy upon such posting. Your use or continued use of the Services following the posting or email notification (as applicable) of any changes to the Privacy Policy will be deemed to be your acceptance of the changed Privacy Policy.