# Data Privacy Agreement

**Vendor:** I Can Tell Time ("Provider"), operator of the mobile application "I Can Tell Time" (bundle identifier `com.modernprogramming.time`)
**Version:** v1.0
**Effective date:** April 22, 2026

This Data Privacy Agreement (this "Agreement") is entered into as of the date it is executed by the last signing party (the "Effective Date") by and between the school district, charter school, non-public school, or other educational agency identified on the signature page (the "LEA") and Provider. The LEA and Provider are each a "Party" and together the "Parties."

---

## Recitals

WHEREAS, the LEA and Provider entered or will enter into a service arrangement under which the LEA deploys the I Can Tell Time application to students within the LEA via mobile device management ("MDM") or Apple School Manager (the "Services");

WHEREAS, in connection with the Services, the Provider may receive or have the opportunity to receive Protected Information (defined below) concerning students, and the Parties wish to ensure that any such information is handled in a manner that complies with the Family Educational Rights and Privacy Act ("FERPA"), 20 U.S.C. §1232g, the Children's Online Privacy Protection Act ("COPPA"), 15 U.S.C. §§6501–6506, and all applicable state student data privacy laws;

NOW, THEREFORE, in consideration of the mutual promises set forth herein, the Parties agree as follows.

---

## Article I — Purpose & Scope

**1.1 Purpose.** This Agreement establishes the obligations of Provider with respect to any Protected Information that it may collect, receive, maintain, or transmit in connection with the Services.

**1.2 Nature of the Services.** The I Can Tell Time application is a standalone, on-device educational application for teaching analog clock reading to students approximately ages 4–8. Under normal operation, after the LEA provisions the application via MDM or Apple School Manager, the application runs entirely on the student's device, does not require student account creation, does not transmit student activity to Provider, and does not require ongoing network connectivity. The Parties acknowledge that, under these operating conditions, Provider collects no student Protected Information.

**1.3 Conservative Construction.** Notwithstanding Section 1.2, this Agreement is drafted to apply comprehensively to any Protected Information Provider does receive, so that LEAs receive full statutory protections regardless of configuration.

---

## Article II — Definitions

**"Education Record"** means an education record as defined under FERPA and its implementing regulations at 34 C.F.R. Part 99.

**"Personally Identifiable Information"** or **"PII"** means information that, alone or in combination, personally identifies a student, parent, or LEA employee, including but not limited to direct identifiers (name, address, email, student ID), indirect identifiers (date of birth, place of birth, mother's maiden name), and other information that, linked with available data, would make a student's identity traceable.

**"Protected Information"** means, collectively, Education Records, Student PII, pupil records (as defined under California Education Code §49073.1), covered information (as defined under Illinois SOPPA and similar statutes), and any other student information protected by applicable federal or state law.

**"School Official"** has the meaning given under 34 C.F.R. §99.31(a)(1)(i)(B) and the LEA's FERPA directory policy.

**"Subprocessor"** means any third party engaged by Provider to process Protected Information on Provider's behalf in connection with the Services.

---

## Article III — Data Ownership & Authorized Access

**3.1 Ownership.** All Protected Information remains the exclusive property of the LEA and the affected student or parent. Provider acquires no ownership interest in any Protected Information.

**3.2 School Official Designation.** To the extent Provider receives any Education Record, Provider is designated a "School Official" with a legitimate educational interest under FERPA, and agrees to comply with the use and redisclosure limitations of 34 C.F.R. §99.33.

**3.3 Permitted Use.** Provider shall use Protected Information solely to (i) provide the Services to the LEA, (ii) maintain and improve the Services in a manner that does not create or enable targeted advertising or profiling, and (iii) comply with applicable law.

**3.4 Prohibited Uses.** Provider shall not (i) sell or rent Protected Information; (ii) use Protected Information for targeted advertising or to amass a profile about a student except in furtherance of K–12 school purposes; (iii) disclose Protected Information except as permitted by this Agreement and applicable law; or (iv) use Protected Information for any commercial purpose other than those explicitly authorized by the LEA.

**3.5 Parental Access.** Provider shall reasonably cooperate with the LEA's efforts to allow parents or eligible students to inspect, review, and correct Protected Information under FERPA, NY Ed Law §2-d, and similar state laws.

---

## Article IV — Data Provided to Provider

**4.1 Schedule of Data.** The categories of Protected Information received by Provider under the Services are set forth in the document titled "Schedule of Data & Supplemental Information for New York Ed Law §2-d" published at https://icantelltime.com/schools/data-privacy (the "Schedule of Data"), which is incorporated by reference. As of the Effective Date, the Schedule of Data reflects that no categories of student Protected Information are collected in the default configuration.

**4.2 Updates.** If Provider's data practices materially change, Provider shall update the Schedule of Data and notify LEAs at least thirty (30) days before the change takes effect. Continued use of the Services after such notice constitutes acceptance of the updated Schedule of Data.

---

## Article V — Duty of Confidentiality & Data Security

**5.1 Confidentiality.** Provider shall treat all Protected Information as confidential, limit access to personnel with a need to know in support of the Services, and require all such personnel to be bound by written confidentiality obligations.

**5.2 Administrative Safeguards.** Provider maintains written information security policies, annual privacy training for personnel with access to Protected Information, and documented processes for access provisioning and revocation.

**5.3 Technical Safeguards.** Any Protected Information in transit across a public network is protected by Transport Layer Security (TLS 1.2 or higher). Any Protected Information at rest on Provider-controlled systems is protected by industry-standard encryption (AES-256 or equivalent). Authentication to any Provider system that would permit access to Protected Information requires multi-factor authentication.

**5.4 Physical Safeguards.** Any servers used by Provider to process Protected Information are hosted in SOC 2 Type II–certified facilities within the United States.

**5.5 Subprocessors.** Provider shall not engage a Subprocessor to process Protected Information without ensuring the Subprocessor is contractually bound to data protection obligations no less protective than those in this Agreement. A current list of Subprocessors is published at https://icantelltime.com/schools/data-privacy. As of the Effective Date, no Subprocessor receives student Protected Information.

**5.6 Audit.** Upon reasonable written request and no more than once per year, the LEA may request a written summary of Provider's information security program and compliance with this Article V.

---

## Article VI — Data Retention & Destruction

**6.1 Retention.** Because the application stores student progress locally on each device, Provider does not retain student Protected Information between sessions or across devices. Any diagnostic data voluntarily submitted via email support is retained only for the period necessary to resolve the support request.

**6.2 Deletion on Request.** Upon written request by the LEA, Provider shall, within forty-five (45) days, delete or return any Protected Information in its possession, except to the extent retention is required by law. Provider shall provide written certification of deletion upon request.

**6.3 Deletion on Termination.** Upon termination of the Services, Provider shall delete any Protected Information in its possession within sixty (60) days, except as required to comply with law.

---

## Article VII — Data Breach Notification

**7.1 Definition.** "Breach" means the unauthorized acquisition, access, use, or disclosure of Protected Information that compromises its security or privacy, consistent with the definition under each applicable state data-breach statute.

**7.2 Notice.** Provider shall notify the LEA's designated data privacy contact of any confirmed or reasonably suspected Breach without unreasonable delay, and in any event within the shorter of (i) seventy-two (72) hours of discovery, (ii) the timeframe required by NY Ed Law §2-d and Part 121 (seven calendar days) where the LEA is a New York educational agency, or (iii) the timeframe required by any other applicable state law.

**7.3 Contents of Notice.** The notice shall describe, to the extent known, the nature of the Breach, the categories of Protected Information involved, the students or individuals affected, the measures taken to contain the Breach, and the remedial steps the LEA or affected individuals may take.

**7.4 Cooperation.** Provider shall cooperate with the LEA's investigation, notification to parents and regulators, and any remedial action at Provider's expense where the Breach is attributable to Provider's acts or omissions.

---

## Article VIII — Term & Termination

**8.1 Term.** This Agreement begins on the Effective Date and continues for so long as Provider provides the Services to the LEA, unless terminated earlier as provided herein.

**8.2 Termination for Cause.** The LEA may terminate this Agreement and the Services immediately upon written notice if Provider materially breaches this Agreement and fails to cure within thirty (30) days of written notice of breach.

**8.3 Termination for Convenience.** Either Party may terminate this Agreement for convenience on sixty (60) days' written notice.

---

## Article IX — General Provisions

**9.1 Order of Precedence.** In the event of a conflict between this Agreement and any separate service or subscription agreement between the Parties, this Agreement controls with respect to Protected Information.

**9.2 Governing Law.** This Agreement is governed by the laws of the state in which the LEA is located, without regard to its conflict-of-law principles. This provision is intended to favor the LEA's jurisdiction and may be modified by mutual agreement.

**9.3 Assignment.** Provider may not assign this Agreement without the LEA's prior written consent, except to a successor in connection with a merger, acquisition, or sale of substantially all of Provider's assets, provided that such successor agrees in writing to be bound by this Agreement.

**9.4 Survival.** Articles III, V, VI, VII, and IX survive termination of this Agreement.

**9.5 Entire Agreement.** This Agreement, together with any exhibits, constitutes the entire agreement of the Parties regarding its subject matter and supersedes prior agreements on the same subject.

**9.6 Severability.** If any provision of this Agreement is held unenforceable, the remaining provisions remain in full force and effect.

---

## Notices

Notices under this Agreement to Provider shall be sent to hello@icantelltime.com. Notices to the LEA shall be sent to the data privacy contact identified on the signature page.

---

## Signatures

**For the LEA**

- Name: _______________________________________________
- Title: ______________________________________________
- LEA Name: ___________________________________________
- Signature / Date: ___________________________________

**For Provider (I Can Tell Time)**

- Name: _______________________________________________
- Title: ______________________________________________
- Organization: I Can Tell Time
- Signature / Date: ___________________________________

---

*Provider accepts alternative templates including the SDPC National DPA v1r8 with state Exhibit E, the NY Ed Law §2-d template, the Connecticut Student Data Privacy Agreement, the Illinois SOPPA template, and district-specific templates. Contact hello@icantelltime.com or submit a request at https://icantelltime.com/schools/dpa.*