Effective Date: 5 August 2025
Imagine Ltd. ("Imagine", "we", "our", or "us") respects your privacy and is committed to protecting the personal data you share with us. This Privacy Policy ("Policy") explains how we collect, use, disclose, and safeguard information when you access or use Imagine LMS, including our websites, mobile and desktop applications, AI‑powered features, API endpoints, and related services (collectively, the "Service").
Highlights • We collect only the data needed to deliver and improve the Service. • We never sell or rent personal data. • Google API data is used solely to power user‑visible features under Google’s Limited‑Use requirements. • Student data is handled in compliance with FERPA and other applicable laws. • We encrypt data in transit and at rest and retain it only as long as necessary to meet the purposes described below.
If you do not agree with the terms of this Policy, please do not access or use the Service.
We collect three broad categories of information:
1.1 Information You Provide Directly • Account Details – name, institutional email, password (hashed), institution, role (student, teacher, admin). • Profile Information – profile photo, preferred language, biography (optional). • Content & Submissions – files, lecture recordings, assignments, discussion posts, quiz responses, AI prompts, and any other data you upload or create. • Payment Details – billing contact information and payment tokens (card data is processed directly by our PCI‑DSS–compliant provider; we store only tokenized references). • Support Communications – help‑desk tickets, feedback, bug reports, and survey responses.
1.2 Information We Collect Automatically • Usage Data – pages viewed, features used, workflow actions, and timestamps. • Device & Log Data – IP address, browser type, operating system, device identifiers, crash logs. • Analytics – event data collected via first‑party analytics and privacy‑mode third‑party tools (e.g., self‑hosted Plausible and privacy‑enhanced Google Analytics 4).
1.3 Information from Third‑Party Integrations If you connect external services (e.g., Google Drive, Google Classroom, Zoom, Slack): • OAuth tokens, file metadata, or meeting recordings required to enable the integration. • Google User Data (as defined by the Google API Services User Data Policy) – see Section 5 for details.
We process information to: • Provide, operate, and maintain the Service and its AI‑powered features (e.g., transcription, quiz generation, summarisation, content recommendations). • Customise user experience, language localisation, and accessibility options. • Provide customer support and respond to inquiries. • Monitor, debug, and improve the Service and our AI models. • Enforce our Terms of Service and Acceptable Use Policy. • Process payments and manage subscriptions. • Detect and prevent fraud, security incidents, and abuse. • Comply with legal obligations and protect the rights, property, or safety of Imagine, our users, or the public.
We do not use personal data for targeted advertising or marketing unrelated to the core Service.
Where the EU General Data Protection Regulation (GDPR) or UK GDPR applies, our lawful bases include: • Contract – processing is necessary to perform our contract with you (provide the Service). • Legitimate Interests – to understand usage, secure and improve the Service, and communicate important updates (balanced against your rights). • Consent – for optional features, marketing emails, and cookies that require consent. • Legal Obligation – to comply with tax, accounting, and regulatory requirements.
We share information only as necessary: • Service Providers – cloud hosting (AWS EU‑West & Israel regions), content delivery (CloudFront), email delivery (Postmark), payment processing (Stripe), and AI infrastructure (OpenAI, AssemblyAI). All providers are bound by contractual confidentiality and data‑processing agreements. • Integrations You Enable – when you explicitly connect a third‑party platform, we share data strictly to deliver the requested functionality (e.g., posting grades back to Google Classroom or creating Zoom meetings). • Institution Administrators – course analytics and user data visible to authorised staff pursuant to institutional agreements. • Legal & Safety – to comply with lawful requests, enforce agreements, or respond to security threats or user misconduct. • Business Transfers – in connection with a merger, acquisition, or sale of assets, provided the successor honors this Policy.
We do not sell personal data or share it with ad networks.
Our use of Google API Services data complies with Google’s User Data Policy and Limited‑Use Requirements: • We access Google Drive, Classroom, Calendar, or Gmail scopes only to provide user‑visible LMS features (e.g., import course materials, sync rosters, schedule classes). • We do not transfer Google User Data to third parties except as necessary to provide or improve these features. • We do not use Google User Data for advertising, profiling, or analytics unrelated to the requested functionality. • OAuth tokens are stored encrypted at rest and revoked when the integration is disconnected.
Imagine LMS is developed and offered by Imagine Ltd. and is not affiliated with or endorsed by Google LLC.
We use first‑party cookies for authentication, session management, and security. Optional analytics or preference cookies are set only with user consent. Users can manage cookie preferences via our cookie banner or their browser settings.
When Imagine LMS is used with children under 13 (U.S.) or under 16 (EEA & UK), the Institution represents that it has obtained the required parental or guardian consent. We do not knowingly collect personal data from children absent such consent.
When an educational Institution subject to FERPA provides Student Data, Imagine acts as a "school official" with "legitimate educational interest" and: • Uses Student Data only to provide and improve the Service. • Does not disclose Student Data except as directed by the Institution or permitted by law. • Upon termination of the institutional agreement, returns or securely deletes Student Data within 60 days, except where retention is required by law or for lawful archiving purposes.
We are headquartered in Israel. Personal data may be processed in Israel, the European Economic Area, the United States, or other countries where our service providers operate. We rely on adequacy decisions (Israel‑EU), Standard Contractual Clauses, or other legally recognised mechanisms to safeguard cross‑border transfers.
We employ industry‑standard measures including: • TLS 1.2+ encryption in transit and AES‑256 encryption at rest. • Role‑based access controls (RBAC) with mandatory multi‑factor authentication for internal staff. • Network segmentation and least‑privilege principles. • Continuous vulnerability scanning, annual penetration testing, and independent SOC 2 Type II audits. • 24×7 security monitoring and incident‑response procedures aligned with ISO 27001.
We retain personal data only as long as necessary to fulfil the purposes described in this Policy or to comply with legal, contractual, or audit obligations. Upon account deletion: • Most user‑generated content is deleted or anonymised within 30 days. • Database backups are purged within 90 days. • Billing records are retained for up to 7 years as required by tax law.
Depending on your jurisdiction, you may have rights to access, correct, delete, or port your personal data, restrict or object to certain processing, or withdraw consent. Requests can be submitted via privacy@imaginelms.ai or through in‑app settings. We will respond within 30 days (or the timeframe required by law).
You can opt out of non‑transactional emails at any time by clicking the unsubscribe link or updating notification preferences.
For California residents, we disclose that: • We collect the categories of personal information described in Section 1. • We use and retain this information for the purposes described in Sections 2 and 11. • We do not "sell" or "share" personal information as those terms are defined under the CCPA/CPRA. • You may exercise your California privacy rights by emailing privacy@imaginelms.ai.
We may update this Policy to reflect changes in our practices, technology, or legal requirements. If we make material changes, we will provide notice via the Service or email at least 30 days before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.
Imagine Ltd. Attn: Privacy Officer HaArba'a 6, Tel Aviv 6743832, Israel Email: privacy@imaginelms.ai
For data protection queries in the EEA, you may also contact our EU representative at eu‑rep@imaginelms.ai.
© 2025 Imagine Ltd. All rights reserved.