Effective Date and Last Updated: December 8, 2020
2. WHO WE ARE
We are Barnes & Noble Education, Inc. and our family of affiliated companies, including Student Brands, LLC, Barnes & Noble College Booksellers, LLC, MBS Textbook Exchange, LLC (we refer to our family of companies here as “Student Brands,” “we,” “us,” or “our”). Student Brands provides a family of products, services, Websites, and Apps (we refer to all of these together as "Services").
3. INFORMATION WE COLLECT
Information You Provide.
- your name, email address, username, password, physical address, phone number, credit card number and other cardholder data, gender, school attending, graduation year, and other registration information;
- transaction-related information, such as your orders for any Services, downloads or other features, or purchases you make from us;
- information you otherwise provide us, such as when you contact us (to get help for example); and
- other information related to your use of certain offerings on our Services.
Information Collected Automatically.
We, our service providers, and Third-Party Services may automatically receive or collect certain information from you when you use the Services. This information may include:
- your browser or operating system;
- your manner of connecting to the Internet (including the browser and type of device you are using) and the name of your Internet service provider or wireless carrier;
- your Internet protocol (“IP”) address;
- data relating to malfunctions or problems that occur when you use the Services;
- log file information, including your web request, IP address, browser type, referring/exit pages and URLs, number of clicks and how you interact with links on our Services, domain names, landing pages, pages viewed, and other such information; and
- information collected by cookies, which are small pieces of information or text files that a website sends to your computer for record-keeping purposes stored in a file on your computer's hard drive, and other tracking technologies, including but not limited to, web beacons (also known as “tracking pixels”), embedded scripts, location-identifying technologies, fingerprinting, device recognition technologies, in-app tracking methods and other tracking technologies now and later developed (we refer to all of these together as “Tracking Technologies”) may be used to collect information about interactions with the Services or emails, including information about your browsing and purchasing behavior.
We will treat information that does not personally identify you as non-personal information, and we may de-identify, anonymize or otherwise convert your personal information to non-personal information. As permitted by the law applicable to us, we reserve the right to use, process, share and otherwise make use of your non-personal information without limitation.
Information Collected Through the Apps.
Depending on your personal device and App permission settings, when using the Apps, we may collect or have access to:
- stored information and files, which allow the Apps to read, modify, or delete the contents of your storage, including photographs and video clips;
- your camera, which allows the Apps to take photos or videos for you; and
- other information, which includes sending and receiving data to and from the Internet, viewing network connections, having full network access, or preventing your device from sleeping.
4. USE OF YOUR INFORMATION
Our Use of Your Information.
We may use your information to:
- process your registration, manage your account (including your payment information and preferences), and deliver our Services and the features you want (including any available customization features you request);
- improve our Services;
- fulfill other purposes disclosed to you at the time you provide us with your information or otherwise where we are legally allowed to do so;
- personalize content and offers and serve you advertising that may be of interest to you;
- respond to your inquiries;
- fulfill your request for Services;
- provide you with updates and other information regarding the Services;
- understand your general location (but not your specific geolocation) based on your IP address;
- keep our Services safe and secure and to prevent and detect fraud and abuse;
- comply with our legal obligations, policies, and procedures;
- administer and manage our Services including content and layout, site usage, troubleshooting, data analysis, testing, research, statistical and survey purposes; and
- improve our Websites to ensure that consent is presented in the most effective manner for you and your computer, device or other hardware through which you access the Websites.
How We May Share Your Information.
We may share your information:
- with service providers in connection with their work on our behalf;
- with our family of affiliated companies who may have content and offers of interest to you, but note we do not share your personal information with non-affiliated third parties for marketing purposes unless you expressly authorize;
- in the event of a change in our business ownership;
- to comply with law, law enforcement or other legal processes, and, where allowed, in response to governmental requests or legal process (a court order, search warrant or subpoena, for example); and
- in other circumstances when we have a good faith belief that a crime has been or is being committed by a user.
5. SWEEPSTAKES, CONTESTS AND PROMOTIONS
6. INFORMATION YOU DISCLOSE PUBLICLY OR TO OTHERS
California minors should read Section 11, “Minors,” about potential removal of certain UGC they have posted on the Services.
7. THIRD-PARTY CONTENT, THIRD-PARTY SERVICES, SOCIAL FEATURES, ADVERTISING AND ANALYTICS
Third-Party Services may use their own Tracking Technologies to independently collect information about you and may solicit personal information from you. For example, Student Brands maintains its own branded pages on various social networks. When you visit these branded social media pages, the provider of the social network and other Third-Party Services may set Tracking Technologies on your browser or device.
Certain functionalities on the Services may permit interactions that you initiate between the Services and certain Third-Party Services, such as third-party social networks (“Social Features”). Examples of Social Features include: enabling you to send content such as contacts and photos between the Services and a Third-Party Services; “liking” or “sharing” Student Brands content; logging in to the Services using your Third-Party Services account (using Facebook Connect to sign-in to the Services, for example); and to otherwise connect the Services to a Third-Party Services (to pull or push information to or from the Services, for example). If you use Social Features, and potentially other Third-Party Services, information you post or provide access to may be publicly displayed on the Services (you can read more about this in Section 6, “Information You Disclose Publicly or to Others”) or by the Third-Party Services that you use. If you post information on a third-party service that references the Services (by using a hashtag associated with our family of affiliated companies in a tweet or status update, for example), your post may be used on or in connection with the Services or otherwise by our family of affiliated companies. Student Brands and third parties may have access to certain information about you and your use of the Services and any Third-Party Services.
We may engage and work with service providers and other third parties to serve advertisements on the Services and Third-Party Services. Some of these ads may be tailored to your interest based on your browsing, across time, of the Services and elsewhere on the Internet, which may include use of data from cross-device usage, sometimes referred to as “interest-based advertising” and “online behavioral advertising” (“Interest-based Advertising”), which may include sending you an ad on a third-party service after you have left the Services (that is called “retargeting”). Please remember that our advertisers' and ad networks' use of Tracking Technologies is subject to their own privacy policies.
Your Tracking Technologies Choices.
Regular cookies may generally be disabled or removed by tools available as part of most commercial browsers, and in some instances blocked in the future by selecting certain settings. Browsers offer different functionalities and options so you may need to set them separately. Also, tools from commercial browsers may not be effective with Flash cookies (also known as locally shared objects), HTML5 cookies, or other Tracking Technologies. For information on disabling Flash cookies, go to Adobe's website here.
Please be aware that if you disable or remove these technologies, some parts of the Services may not work and that when you revisit the Services your ability to limit browser-based Tracking Technologies is subject to your browser settings and limitations.
Some App-related Tracking Technologies in connection with non-browser usage (e.g., most functionality of a mobile app) can only be disabled by uninstalling the app. To uninstall an app, follow the instructions from your operating system or handset manufacturer. Apple and Google mobile devices have settings to limit ad tracking, and other tracking, but these may not be completely effective.
Your browser settings may allow you to automatically transmit a “Do Not Track” signal to online services you visit. Note, however, there is no consensus among industry participants as to what “Do Not Track” means in this context. Like many online services, we currently do not alter our practices when we receive a “Do Not Track” signal from a visitor's browser. To find out more about “Do Not Track,” you can visit here, but please know we cannot take responsibility for the completeness or accuracy of this or any third-party information. You have the right to request information from us about the Services that currently do not respond to "do not track" mechanisms featured in any Internet browser by contacting us (you can read Section 16, “How to Contact Us” to learn your options).
Many advertisers and service providers that perform advertising-related services for us and third parties participate in voluntary programs that provide tools to opt-out of such interest-based advertising such as the Digital Advertising Alliance's (“DAA”) Self-Regulatory Program for Online Behavioral Advertising. To learn more about how you can exercise certain choices regarding Interest-based Advertising for DAA members, visit here and here for information on the DAA's opt-out program for mobile apps. Some of these companies also are members of the Network Advertising Initiative (“NAI”). To learn more about the NAI and your opt-out options for their members, see here. You can also go here to adjust your advertising preferences with our service provider, NextRoll, Inc. (which used to be called AdRoll).
Please be aware that, even if you can opt out of certain kinds of Interest-based Advertising, you may continue to receive other types of ads. Opting out only means that those selected, participating members should no longer deliver certain Interest-based Advertising to you but does not mean you will no longer receive any targeted content and/or ads (from other ad networks, for example). Also, if your browsers are configured to reject cookies when you visit these opt-out webpages, or you subsequently erase your cookies, use a different device or web browser or use a non-browser-based method of access (mobile app, for example), your browser-based opt-out may not, or may no longer, be effective.
We support the ad industry's 2009 Self-regulatory Principles for Online Behavioral Advertising you can read here and expect ad networks we directly engage that serve you Interest-based Advertising to do so as well, although we cannot guaranty their compliance. We are not responsible for the effectiveness of, or compliance with, any third-parties' opt-out options or programs or the accuracy of their statements regarding their programs.
In addition, we may serve ads on Third-party Services that are targeted to reach people on those services that are also identified on one or more of our databases (“Matched List Ads”). This is done by using Tracking Technologies, or by matching common factors between our databases and the databases of the Third-Party Services. We are not responsible for these Third-Party Services, including without limitation their security of the data. We are not responsible for such third parties' failure to comply with your or our opt-out instructions as they may not give us notice of opt-outs to our ads that you give to them, and they may change their options without notice to us or you.
We may use Third-Party Services such as Google Analytics and Sailthru to help us analyze our performance and our delivery of Services and advertising to you. For example, we may use Remarketing with Google Analytics, Google Display Network Impression Reporting, the DoubleClick Campaign Manager and Google Analytics Demographics and Interest Reporting.
We and third-party vendors, including Google, may use first-party cookies (such as the Google Analytics cookies) and third-party cookies (such as the DoubleClick cookie) together to report how your ad impressions, other uses of ad services, and interactions with these ad impressions and ad services are related to visits to our Websites.
8. OPTING OUT OF PROMOTIONAL COMMUNICATIONS
You can make choices about how your information may be used by us to provide information and offers to you. You may opt out of commercial messages by clicking on the "opt out" or "unsubscribe" link provided with each message. These preferences do not apply to transactional communications, such as those that are related to your registration with us, required or important notices related to your use of our Services, or the fulfillment of a specific transaction.
9. OPTING OUT OF PROVIDING PERSONAL INFORMATION THROUGH THE APPS
You may be able to enable or disable certain permissions features (allowing the App to read, modify, or delete the contents of your USB storage; take pictures and videos; or view Wi-Fi connections, for example) by adjusting the permissions in your device. If you no longer want to provide any information to us through the Apps, you may uninstall them from your device.
10. ACCESSING AND CHANGING INFORMATION
We may provide web pages, other mechanisms or processes allowing you to delete, correct, or update some of the personal information that we collect from you, and potentially certain other information about you (profile and account information, for example). We will make good faith efforts to make requested changes in our then-active databases as soon as practicable, but it is not always possible to completely change, remove or delete all your information or public postings from our databases and residual and/or cached data may remain archived thereafter. We reserve the right to retain data: (a) as required by laws that apply to us; and (b) except when the laws that apply to us do not allow, for so long as we need it to reasonably achieve the purposes for which your data is maintained.
California minors should read Section 11.B., “Minor CA Residents” about potentially removing certain UGC they have posted on the Services.
No use if under 16.
Children under 16 should not use the Services and children under 16 must not give us any personal information.
Minor CA Residents.
Any California residents under the age of 18 who have registered to use the Services, and who posted content or information on the Services, can request removal by contacting us (as described in Section 16, “How to Contact Us”) and including where the content or information is posted and affirming that you posted it. We will then make reasonable, good faith efforts to remove the post from prospective public view or anonymize it so the minor cannot be individually identified to the extent required by the law that applies to us. This removal process cannot ensure complete or comprehensive removal. For example, third parties may have republished or archived content by search engines and others that we do not control.
12. LINKS AND OTHER SITES
13. CHANGE OF OWNERSHIP
If our ownership were to change because of a business merger, acquisition, or any transaction involving the transfer of some or all our assets by another company, your information may be transferred. We will provide you notice prior to any such transfer of your personal information.
16. HOW TO CONTACT US
- Toll-free by phone: 833-720-0427
- By email: firstname.lastname@example.org
Student Brands, LLC
523 W 6th St. Suite 1234
Los Angeles, CA 90014
17. JURISDICTION-SPECIFIC TERMS
For Users Located in the European Economic Area (“EEA”)
Controller of your Personal Data.
Purposes and Legal Bases for Using Personal Data.
We process your personal data only if we have a legal basis to do so, including:
- to comply with our legal and regulatory obligations;
- for the performance of our contract with you or to take steps at your request before executing a contract;
- for our legitimate interests or those of a third party; and
- where you have given consent to our specific use.
The purpose for which we use and process your information and the legal basis on which we carry out each type of processing is further explained here:

| Purposes for processing the information | Legal basis for processing the information |
| --- | --- |
| To deliver Services and features you desire. | It is necessary for us to process your personal data to deliver the Services and process transactions according to the applicable contract between us. |
| To improve our Services to you. | It is necessary for us to process your personal data to improve our Services to you according to the applicable contract between us. |
| To personalize content and offers and serve you advertising that may be of interest to you. | We will personalize content and offers to you and serve you advertising based on your interests and online activities if you have consented to this processing. |
| To respond to your inquiries. | It is necessary for us to process your personal data in this manner to respond to your inquiries according to the applicable contract between us. |
| To fulfill your request for products or Services. | It is necessary for us to process your personal data to fulfill your request for products or Services according to the applicable contract between us. |
| To use your login user ID and password to register you on your behalf and to give you access to Websites and Services as part of a “single sign-on” feature by our family of affiliated companies. | It is necessary for us to process your personal data to carry out these activities according to the applicable contract between us. |
| To provide you with updates and other information regarding the Services. | It is necessary for us to process your personal data to provide you with updates and other information regarding the Services according to the applicable contract between us. |
| To share your information with the third party that employed you, engaged you, or authorized you to access and use the Services. | It is in the legitimate interests of the third party that employed you, engaged you, or authorized you to access and use the Services. We consider this use to be proportionate and will not be prejudicial or detrimental to you. |
| To analyze statistically Website usage and to customize our Website's content, layout and services. | It is in our legitimate interests to process your personal data to analyze our Website usage and to customize our Website's content, layout and services. We consider this use to be proportionate and will not be prejudicial or detrimental to you. |
| To enable our family of affiliated companies, and trusted third-party businesses that we do business with, who may have content and offers of interest to you. | It is in our legitimate interests to process your personal data to enable our family of affiliated companies who may have content and offers of interest to you. We process your personal data to enable our family of affiliated companies and trusted third-party businesses to send you offers and market to you only if you have consented to these activities. |
| To enable our service providers to perform certain activities on our behalf. | It is necessary for us to process your personal data in this manner to deliver the Services and process transactions according to the applicable contract between us. It is also in our legitimate interest to enable our service providers to perform certain activities on our behalf. We consider this use to be proportionate and will not be prejudicial or detrimental to you. |
| To offer you the opportunity to use our invitation service and application so that you can tell your friends about the Services. | We process your data for these activities only if you have given your consent to do so. |
| To administer our Websites, including troubleshooting, data analysis, testing, research, statistical and survey purposes; and to improve our Websites to ensure that consent options are presented in the most effective manner for you and your computer, device or other item of hardware through which you access the Websites. | For all these categories, it is in our legitimate interest to continually monitor and improve our Services and your experience of the Websites and to ensure network security. We consider this use to be proportionate and will not be prejudicial or detrimental to you. |
| To keep our Websites safe and secure and to prevent and detect fraud and abuse; and to comply with our legal obligations, policies, and procedures. | We may process your personal data to respond to: governmental requests or legal process (a court order, search warrant or subpoena, for example); to other circumstances in which we have a good faith belief that a crime has been or is being committed by a user; an emergency that poses a threat to the safety of you or another person; protect our property; and in connection with a substantial corporate transaction, such as the sale of our business, a divestiture, merger, consolidation, asset sale or in the unlikely event of bankruptcy. We conduct this processing to comply with our legal obligations and to protect the public interest. |
| To process otherwise for internal administrative and analytics purposes. | It is in our legitimate interest to process your personal data for internal administrative or analytics purposes. We consider this use to be proportionate and will not be prejudicial or detrimental to you. |

Some of our processing of your data will involve transferring your data outside the EEA. Some of our service providers are also based outside of the EEA, and their processing of your personal data will involve a transfer of data outside the EEA. This specifically includes to the United States. Where personal data is transferred to and stored in a country not determined by the European Commission as providing adequate levels of protection for personal data, we take steps to provide appropriate safeguards to protect your personal data, including entering into standard contractual clauses approved by the European Commission, obliging recipients to protect your personal data.
Retention of Personal Data.
Data Subject Access Rights.
You have the following rights:
- Right of access to your personal data: You have the right to ask us for confirmation on whether we are processing your personal data, and access to such personal data and related information;
- Right to correction: You have the right to have your personal data corrected, as permitted by law;
- Right to erasure: You have the right to ask us to delete your personal data, as permitted by law;
- Right to withdraw consent: You have the right to withdraw consent that you have previously provided;
- Right to lodge a complaint with a supervisory authority: You have the right to lodge a complaint with a supervisory authority in the member state of your habitual residence;
- Right to restriction of processing: You have the right to request the limiting of our processing under limited circumstances;
- Right to data portability: You have the right to receive the personal data that you have provided to us, in a structured, commonly used and machine-readable format, and you have the right to transmit that information to another controller, including to have it transmitted directly, where technically feasible; and
- Right to object: You have the right to object to our processing of your personal data, as permitted by law, under limited circumstances.
To exercise any of these rights, please contact us according to Section 16, “How to Contact Us,” here. Please note that the above rights are not absolute, and we may be entitled to refuse requests, wholly or partly, where exceptions under the applicable law apply.
California Consumer Privacy Rights
The California Consumer Privacy Act (“CCPA”), which provides California Consumers certain rights regarding their personal information (“PI”) as those terms are defined in the CCPA, became effective on January 1, 2020.
We are providing you with notice of the PI we collect, and our purposes for that collection of data that may be subject to the CCPA (“CCPA Notice”). This CCPA Notice does not cover information that is outside of the scope of the CCPA. This notice also does not apply to data collected from employees, applicants or contractors or to data collected from individuals acting as representatives of another business in connection with business communications or transactions.
We collect PI directly from you, your device or browser, your education institution and/or the third party that employed you, engaged you, or authorized you to access and use the Services, service providers and suppliers, and our family of affiliated companies. We use and share PI for the following business purposes:
- to provide requested products and Services;
- to advertise and offer new products and services;
- to improve our products and services;
- for quality assurance;
- for research development;
- for prevention of fraud and illegal activity; and
- for marketing purposes.
We collect the following categories of PI from California Consumers, which we share with service providers, agents and licensees who perform Services on our behalf, with our family of affiliated companies, and with your education institution or the third party that employed you, engaged you, or authorized you to access and use the Services, as applicable:
- identifiers (e.g., name, phone number, email address, I.P. address);
- personal records (e.g., name, phone number, email address);
- customer account details and commercial information (e.g., your order history);
- internet usage information (e.g., information regarding your interaction with our online services);
- geolocation data (e.g., your general location based on your I.P. address); and
- inferences from PI collected (e.g., your preferences).
If you are a California Consumer and would like to register a request under your “right to know about personal information collected, disclosed or sold” (including the right to obtain copies of specific pieces of information about categories of PI practices), “right to request deletion of personal information,” or “right to opt-out of the sale of personal information,” you can contact us at CaliforniaPrivacy@BNED.com or toll-free at 833-720-0427. You have the right to not receive discriminatory treatment in a manner prohibited by the CCPA because of you exercising your rights under the CCPA.
To fulfill your CCPA request, we may require you to provide sufficient information to reasonably verify you are the California Consumer about whom we collected PI. This verification process includes providing us at least two unique data points, depending on the type of request.
California Consumers have the right to exercise CCPA privacy rights via an authorized agent who meets the agency requirements of the CCPA. Authorized agent requests must include a copy of the agency agreement between the authorized agent and the California Consumer. We will ask you to independently confirm the agency relationship if this section applies to you.
The Right to Know.
Categories. You have the right, subject to statutory exceptions, to send us a request, no more than twice in a twelve-month period, for any of the following, for the period that is twelve months prior to the request date:
- to provide requested products and Services;
- to advertise and offer new products and services;
- to improve our products and services;
- for quality assurance;
- for research development;
- for prevention of fraud and illegal activity; and
- for marketing purposes.
Specific Pieces. You have the right, subject to statutory exceptions, to make or obtain a transportable copy, no more than twice in a twelve-month period, of your PI that we have collected in the period that is 12 months prior to the request date and are maintaining.
The Right to Deletion.
You have the right, subject to statutory exceptions, to request that we delete your PI that we have collected directly from you and are maintaining. Note also that we are not required to delete your PI that we did not collect directly from you.
You may alternatively exercise more limited control of your PI by instead canceling or modifying our email marketing communications you receive from us. You can do so by following the instructions contained within our promotional emails.
The Right to Opt-Out of the Sale of Personal Information.
We do not “sell” PI that we collect from California Consumers, including PI of minors under the age of 16, in accordance with the definition of “sell” in the CCPA. We treat all PI that we collect from you as subject to a “do not sell” request.
We work with service providers and partner with advertising companies that use Tracking Technologies to collect information about your visits to Websites and Third-Party Services, and then use that information to deliver advertisements relevant to your interests. There is not yet a consensus as to whether third party cookies and/or other Tracking Technologies associated with our Websites and Apps constitute a “sale” of your PI as defined by the CCPA. You may opt out of Interest-based Advertising using ad industry opt out tools by visiting here or here. To effectively manage cookies via this cookie settings tool, you must set cookie preferences on all browsers and all devices that you use. If you clear the cookies on your device, you may need to set your cookie preferences again.
We are not responsible for the completeness, accuracy or effectiveness of any third-party programs, tools or frameworks, or the information they provide.
California's “Shine the Light” law.
If you are a California resident, in addition to the rights set forth above, California's “Shine the Light” law permits customers in California to request certain details about how their personal information is shared with third parties and, in some cases, their affiliates if that personal information is shared for those third parties' and their affiliates' own direct marketing purposes. We do not share personal information with third parties or their affiliates for those third parties' or their affiliates' own direct marketing purposes. Californians may request information about our compliance with this law by contacting us at CaliforniaPrivacy@BNED.com or Barnes & Noble Education, Inc., 120 Mountain View Blvd., Basking Ridge, NJ 07920, Attention: Chief Privacy Officer.
To make a request, please provide sufficient information for us to determine if this applies to you, attest to the fact that you are a California resident, and provide your current California address to which we will send our response. Your inquiry must specify “California Privacy Rights Request” in the subject line of the email or the first line of the letter and include your name, street address, city, state, and ZIP code. Please note that we are only required to respond to one request per customer each year.
Your Nevada Privacy Rights.