
Canvas

Canvas is an online platform that powers digital learning environments for schools and colleges.


Handling

Does the policy allow personally-targeted or behavioral marketing? No

10/10

Decided April 2, 2020 (revision history). This question accounts for 12% of the final score.

Possible Options

Yes: 0/10
Yes, but you can opt-out: 3.5/10
Yes, but you must opt-in: 7/10
No: 10/10

Citation

"We may also use de-identified and/or aggregated data for our own use. We do not use information collected through the Products for advertising or marketing purposes."

Note

The policy does not explicitly or indirectly allow personally-targeted or behavioral marketing.



Does the service allow third-party access to private personal data? Yes, not all parties specified (but only to critical service providers)

7/10

Decided April 2, 2020 (revision history). This question accounts for 12% of the final score.

This may come in the form of outright data sharing or by using local third-party analytics software (such as Google Analytics, which collects a plethora of user information).

Note that whether the policy allows sharing aggregated user data does not affect this question.

If the personal data is encrypted when it passes through the third party, it does not count as third-party access (as the data is inaccessible to that party).

If personal data has been made public by, for example, posting it to a blog, it does not count as private personal information (and is therefore not considered by this question).

Possible Options

Yes, not all parties specified: 0/10
Yes, all parties specified (including non-critical service providers such as advertisers): 3/10
Yes, not all parties specified (but only to critical service providers): 7/10
Yes, all parties specified (only to critical service providers): 8/10
No: 10/10

Citation

"We may share your personal information with third party service providers for the sole purpose of providing you with the Services that we offer you through our Site. For example, we may share data with service providers who host our websites or provide email services on our behalf."

"We may also share information about you in connection with or during negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company. In the event that information is shared in this manner, notice will be posted on our Site."



Does the service allow you to permanently delete your personal data? Yes, by contacting someone

3/5

Decided April 2, 2020 (revision history). This question accounts for 6% of the final score.

Even if there is a reasonable delay before the data is fully deleted (as is common), the data still counts as "permanently deleted" and satisfies the parameters for this question.

Possible Options

No: 0/5
Yes, by contacting someone: 3/5
Yes, using an automated mechanism: 5/5
N/A (no personal information collected): 5/5

Citation

"You may change some of your personal information in your account by editing your profile within the Service. You may also request changes or deletions by e-mailing us at the e-mail address set forth below. We will respond to your request, when permitted by law, within 30 days. We may be unable to delete information that resides in our archives."



Collection

Does the service collect personal data from third parties? No

10/10

Decided April 2, 2020 (revision history). This question accounts for 12% of the final score.

This includes the use of data brokers and independent verification authorities (such as background check providers).

Possible Options

Yes: 0/10
Only for critical data: 7/10
No: 10/10

Note

The service only mentions collecting third-party analytics information, but that information is stored in aggregate and is not tied to any user.



Does the policy list the personal data it collects? Yes, exhaustively

10/10

Decided April 2, 2020 (revision history). This question accounts for 12% of the final score.

All types of collected personal data are listed specifically.

Possible Options

No: 0/10
Only summarily: 3/10
Yes, generally: 7/10
Yes, exhaustively: 10/10
N/A (no personal information is collected): 10/10

Note

The data that Instructure collects is listed in the "DATA YOU PROVIDE TO US" section. Refer to the original policy for the full list.



Is it clear why the service collects the personal data that it does? Mostly

7/10

Decided April 2, 2020 (revision history). This question accounts for 12% of the final score.

This question deals with transparency. Even if the service uses data for reasons that aren't ideal for privacy, provided they list all of those uses, the service can still receive full credit for this question. However, if they are not explicit about their uses (by employing language like "such as"), a lower score is assigned.

Possible Options

No: 0/10
Somewhat: 4/10
Mostly: 7/10
Yes: 10/10
No personal data is collected: 10/10

Citation

"In general, personal information you submit to us is used either to respond to requests that you make, or to aid us in serving you better. Instructure uses your personal information in the following ways: to create and maintain your account; to identify you as a user in our system; to operate, maintain, and improve our Site, Apps, and Services; to personalize and improve your experience; to send you administrative e-mail; to respond to your comments or inquiries; to protect, investigate, and deter against fraudulent, unauthorized, or illegal activity; and to make telephone calls to you, from time to time, as a part of secondary fraud protection or to solicit your feedback with your permission."

Note

"Mostly" is selected because of the following citation: "We may also use de-identified and/or aggregated data for our own use." The policy does not describe what such "own use" might constitute.



Does the service allow the user to control whether personal data is used or collected for non-critical purposes? On an opt-in basis

5/5

Decided April 2, 2020 (revision history). This question accounts for 6% of the final score.

Non-critical use of personal data is not enabled by default.

Some services allow users to opt out of or opt in to non-critical collection or use of personal data, such as collecting data for personalized advertisements.

Possible Options

No: 0/5
On an opt-out basis, but only for some non-critical data/uses: 1.5/5
On an opt-out basis, for all non-critical data/uses: 3/5
N/A (no data used for non-critical purposes): 5/5
On an opt-in basis: 5/5

Note

There is no mention of data that could be treated as non-critical, except optional social networking features that are not enabled by default.



Transparency

Does the policy require users to be notified in case of a data breach? No

0/7

Decided April 2, 2020 (revision history). This question accounts for 8% of the final score.

Note that all companies operating in the EU are subject to Art. 33 of the GDPR, which requires companies to notify their data protection authority of a data breach within 72 hours of discovering it.

Possible Options

No: 0/7
Yes, eventually: 5/7
Yes, within 72 hours: 7/7
N/A (the service collects so little personal data that notification would not be possible): 7/7

Note

There is no mention of what happens in case of a data breach. Security practices, however, are listed in the "SECURITY OF YOUR PERSONAL INFORMATION" section.



Is the policy's history made available? Only the date it was last modified

3/5

Decided April 2, 2020 (revision history). This question accounts for 6% of the final score.

Possible Options

No: 0/5
Only the date it was last modified: 3/5
Yes, with revisions or a change-log: 5/5

Citation

"Instructure may change this Privacy Policy from time to time. If we make any changes to this Policy, we will change the “Last Updated” date above. If such changes are material, a notice of the changes will be posted along with the revised Privacy Policy. We encourage you to visit this page from time to time for the latest on our privacy practices."



Will affected users be notified when the policy is meaningfully changed? No

0/5

Decided April 2, 2020 (revision history). This question accounts for 6% of the final score.

Possible Options

No: 0/5
Yes: 5/5
N/A (no personal data—or contact information—collected): 5/5

Citation

"Instructure may change this Privacy Policy from time to time. If we make any changes to this Policy, we will change the “Last Updated” date above. If such changes are material, a notice of the changes will be posted along with the revised Privacy Policy. We encourage you to visit this page from time to time for the latest on our privacy practices."



Does the policy outline the service's general security practices? Yes

2/3

Decided May 16, 2020 (revision history). This question accounts for 4% of the final score.

Possible Options

No: 0/3
Somewhat: 1/3
Yes: 2/3
Yes, including audits: 2.5/3
N/A (no personal data collected): 3/3
Yes, including independent audits: 3/3

Citation

"Instructure takes reasonable steps to help protect your personal information in an effort to prevent unauthorized access, use, or disclosure. Despite these measures, you should know that Instructure cannot fully eliminate security risks associated with personal information. No method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its absolute security. Any content you post while using the Services is at your own risk. If you have any questions about security on our Site or Apps, you can contact us at the contact information set forth below."

Note

See https://www.instructure.com/canvas/security




Warnings

Canvas has no warnings published on PrivacySpy. PrivacySpy publishes warnings when it learns a service has announced a data breach or is found misusing user data. If you believe a warning should be published for Canvas, submit one here.


Highlighted Policy Snapshot ALPHA

No highlighted policy snapshot has been created for this privacy policy. To view the policy at its original location, click here.

7.1/10



Version Added

April 2, 2020

Ratings Updated

May 16, 2020

Warnings

0

Maintained by

Igor
