Privacy policy

This Learning Commons Privacy Policy (“Privacy Policy”) provides information on how Learning Commons collects, uses, maintains, accesses, and discloses information about you (“Personal Data”) in connection with your use of Learning Commons’ digital platforms including www.learningcommons.org (collectively the “Services”). 

This Privacy Policy applies only to our own websites and services. It does not apply to your use of third-party services, such as Anthropic’s Claude, which are governed by those parties’ own privacy policies. For example, our integration with Anthropic’s MCP Directory provides only publicly available data through our Knowledge Graph tool. We do not intentionally collect or disclose end-user personal data to Anthropic through this integration. In the unlikely event that personal data is transmitted inadvertently (e.g., if included in a user request handled by Anthropic’s systems), we apply strict minimization, retention, and encryption practices to protect that data. See the integration sections below for more detail.

California residents can find specific disclosures, including “Notice at Collection” details, in the California Privacy Rights section below.

Personal Data We Collect

The Personal Data we collect depends on how you interact with us, the Services you use, and the choices you make. We collect information about you from different sources and in various ways when you use our Services, including information you provide directly, information collected automatically, information from third-party data sources, and data we infer or generate from other data. 

Information you provide directly. We collect Personal Data you provide to us. For example:

• Name and contact information, including names, usernames, and contact details such as email addresses.
• Account access information. If you create an account, we will collect information such as a username in combination with a password, security or access code, or other credential that allows access to your account.
• Professional and employment related information, such as details about your employer and your job title. If you apply for employment, we will collect your resume and other relevant background information.

Information we collect automatically. When you use our Services, we collect some information automatically. For example:

• Identifiers and device information. When you visit our websites, our web servers automatically log your Internet Protocol (IP) address and information about your device, including device identifiers (such as MAC address); device type; and your device’s operating system, browser, and other software including type, version, language, settings, and configuration. As further described in the “Cookies, Mobile IDs, and Similar Technologies” section below, our websites and online services store and retrieve cookie identifiers, mobile IDs, and other data.
• Usage data. We automatically log your activity on our Services, including the URL of the website from which you came to our sites, pages you viewed, how long you spent on a page, access times, and other details about your use of and actions on our websites.

Information we obtain from other sources/integrations. We may also receive Personal Data about you from other sources, including third parties, partners, our affiliates, or publicly available sources. For example, if you submit a job application, or become an employee, we may conduct a background check where permitted by law. Another example is our model context protocol (MCP) server integrations, such as with Anthropic’s Claude, or other large language model/API services that use the same MCP standard protocol.

Cookies, Mobile IDs, and Similar Technologies

We use cookies, web beacons, mobile analytics and advertising IDs, and similar technologies to operate our websites and online services and to help collect data, including usage data, identifiers, and device information.

What are cookies and similar technologies? 

Cookies are small text files placed by a website and stored by your browser on your device. A cookie can later be read when your browser connects to a web server in the same domain that placed the cookie. The text in a cookie contains a string of numbers and letters that may uniquely identify your device and can contain other information as well. This allows the web server to recognize your browser over time, each time it connects to that web server.

Web beacons are electronic images (also called single-pixel or clear GIFs) that are contained within a website or email. When your browser opens a webpage or email that contains a web beacon, it automatically connects to the web server that hosts the image (typically operated by a third party). This allows that web server to log information about your device and to set and read its own cookies. In the same way, third-party content on our websites (such as embedded videos, or plug-ins) results in your browser connecting to the third-party web server that hosts that content. We may also include web beacons in our email messages or newsletters to tell us if you open and act on them.

Mobile analytics and advertising IDs are generated by operating systems for mobile devices (iOS and Android) and can be accessed and used by apps in much the same way that websites access and use cookies. Our apps contain software that enables us and our third-party analytics partners to access these mobile IDs.

How do we and our partners use cookies and similar technologies?

We, and our analytics and advertising partners, use these technologies in our websites, apps, and online services to collect Personal Data (such as the pages you visit, the links you click on, and similar usage information, identifiers, and device information) when you use our Services, including Personal Data about your online activities over time and across different websites or online services. This data is used to store your preferences and settings, analyze how our websites and apps perform, track your interaction with the site or app, develop inferences, protect security, and fulfill other legitimate purposes. We and/or our partners also share the data we collect or infer with third parties for these purposes, including to display advertising for Learning Commons on third-party platforms. We do not display third-party advertisements on our Site. For more information about the third-party analytics and advertising partners that collect Personal Data on our Services, please see the “Disclosure of Personal Data” section of this Privacy Policy.

What controls are available? 

There are a range of cookie and related controls available through browsers, mobile operating systems, and elsewhere. See the “Choice and Control of Personal Data” section below for details.

For additional information and/or specific questions related to Learning Commons’ cookies policy please contact us as described in the “Contact Us” section below.

Use of Personal Data

We use the Personal Data we collect for purposes described in this Privacy Policy or as otherwise disclosed to you. For example, we use Personal Data for the following purposes:

• Product and service delivery. To provide and deliver our Services, including troubleshooting, improving, and personalizing those Services.
• Organizational operations. To operate our organization, such as accounting, improving our internal operations, securing our systems, detecting fraudulent or illegal activity, and meeting our legal obligations.
• Product improvement, development, and research. To develop new services or features and to conduct research.
• Personalization. To understand you and your preferences to enhance your experience and enjoyment using our Services.
• Communications. To send you information, including confirmations, invoices, technical notices, updates, security alerts, and support and administrative messages.
• Marketing/Advertising. To communicate with you about new services, offers, promotions, upcoming events, and other information about our Services. We may also display targeted advertising about our Services to you on third-party platforms (e.g., social media)  (see the “Cookies” and “Choice and Control” section of this Privacy Policy for information about how to change your preferences for promotional communications).

Integrations. For our MCP services and integrations, we may collect minimal user data (which does not constitute personal data) necessary only to provide access to and receive information from our MCP server (i.e., learning standards or learning components). Such data are parts (or parameters) from a user’s user prompts, inputs, or queries (but not the entire prompt, input, or query itself). We do not have access or store LLM-generated outputs (e.g., chatbot responses). We use the limited information provided to retrieve the specified information (i.e., learning standards and learning components from our Knowledge Graph tool). We do not communicate with end-user clients (or their personal data). In the unlikely event that personal data is transmitted inadvertently (e.g., if included in a user request handled by Anthropic’s systems), we apply minimization, retention, and encryption practices to protect that data. We may also log certain events and activities for debugging and system maintenance.

Disclosure of Personal Data

We disclose Personal Data with your consent or as we determine necessary to complete your transactions or provide the services you have requested or authorized. In addition, we disclose each of the categories of Personal Data described above, to the types of third parties described below, for the purposes described in this Privacy Policy: 

• Service providers. We provide Personal Data to vendors or agents working on our behalf for the purposes described in this Privacy Policy. For example, companies we’ve hired to assist in protecting and securing our systems and Services may need access to Personal Data to provide those functions.
• Affiliates. We enable access to Personal Data across our affiliates and related entities, for example, where we share common data systems or where access helps us to operate our organization and provide our Services. Our affiliates include CZI, LLC; but do not include Meta or any Meta affiliates.
• Corporate transactions. We may share your personal data in connection with a merger, reorganization, or sale of all or a portion of our organization or assets.
• Legal and law enforcement. We will access, disclose, and preserve Personal Data when we believe doing so is necessary to comply with applicable law or respond to valid legal process, including from law enforcement, national security, or other government agencies.
• Security, safety, and protecting rights. We will disclose Personal Data if we believe it is necessary to:
  • protect our customers and others, for example to prevent spam or attempts to commit fraud, or to help prevent the loss of life or serious injury of anyone;
  • operate and maintain the security of our Services, including to prevent or stop an attack on our computer systems or networks; or
  • protect the rights or property of ourselves or others, including enforcing our agreements, terms, and policies.

Third party analytics and targeted advertising providers may collect Personal Data through our website and apps including identifiers and device information (such as cookie IDs, device IDs, and IP address), geolocation data, usage data, and inferences based on and associated with that data, as described in the “Cookies” section of this Privacy Policy. These third-party vendors may combine this data across multiple sites to improve analytics for their own purpose and others.  For example, we utilize Google Analytics, a web analysis service provided by Google, to collect certain Personal Data, such as how often users visit the Services or what pages they visit. To learn more about how Google collects and processes Personal Data, please visit here.  For more information about how to opt out of having your Personal Data used by Google Analytics, visit here.

Some of the data disclosures to these third parties may be considered a “sale” or “sharing” of personal information as defined under the laws of California and other U.S. states.  These third parties use the data we provide for analytics or to help us advertise our own Services — not for their own direct marketing or advertising purposes. Please see the “Choice and Control” and “California Privacy Rights” sections below for more details.

Some of our Services also include integrations, references, or links to services provided by third parties whose privacy practices differ from ours. An example is our MCP server integrations (such as with Anthropic’s Claude). For such integrations, we will not share or disclose the limited data shared with us to third parties. Another example is certain tools on the Sites point to related resources hosted on GitHub (https://github.com).  If you provide Personal Data to any of those third parties, or allow us to share Personal Data with them, that data is governed by their privacy policies.

Finally, we may disclose de-identified information in accordance with applicable law.

Choice and Control of Personal Data

We provide a variety of ways for you to control the Personal Data we hold about you, including choices about how we use that data. In some jurisdictions, these controls and choices may be enforceable as rights under applicable law.

Access, portability, correction, and deletion.  If you wish to access, correct, or delete Personal Data about you that we hold, you may submit a request by emailing us at privacy@learningcommons.org.

Communications preferences. You can choose whether to receive promotional communications from us by email. You may unsubscribe from the Marketing and Communications Services emails at any time by clicking the unsubscribe button in the email communication or by contacting us as described in the “Contact Us” section below. These choices do not apply to certain informational communications including surveys and mandatory service communications.

Targeted Advertising. To opt-out from or otherwise control the use of data collected on our Services to display targeted advertising on third-party platforms, you have several options. First, you can opt-out of this practice by clicking the Do Not Sell or Share My Personal Information link or the link provided in the footer of the website and turn off the toggle switch for Marketing and Social Media Cookies. Or you can use the Global Privacy Control setting in a web browser or browser extension as described below. You can use the opt-out controls offered by the organizations our advertising partners may participate in, which you can access at:

• United States: NAI (http://optout.networkadvertising.org) and DAA (http://optout.aboutads.info/)
• Canada: Digital Advertising Alliance of Canada (https://youradchoices.ca/)
• Europe: European Digital Advertising Alliance (http://www.youronlinechoices.com/)

Or, you can use the other cookie or mobile ID controls described below.

These choices are specific to the device or browser you are using. If you access our Services from other devices or browsers, take these actions from those devices or browsers to ensure your choices apply to the data collected when you use them.

Data sales. Some privacy laws define “sale” broadly to include some of the disclosures described in the “Our Disclosure of Personal Data” section above, in particular those related to targeted advertising. To opt-out from such data “sales” you may use the targeted advertising controls described above.

Browser or platform controls.

• Cookie controls. Most web browsers are set to accept cookies by default. If you prefer, you can go to your browser settings to learn how to delete or reject cookies. If you choose to delete or reject cookies, this could affect certain features or services of our website. If you choose to delete cookies, settings and preferences controlled by those cookies, including advertising preferences, may be deleted and may need to be recreated.
• Global Privacy Control. Certain browsers or browser extensions enable you to instruct websites not to share your personal data for cross-contextual behavioral advertising via the Global Privacy Control. If you have activated Global Privacy Control in your browser or extension, we will honor those requests that our Sites can recognize by disabling targeting cookies and similar technologies. Please be aware that we may not always be able to link an opt-out preference signal to other user data, such as your email address.
• Do Not Track. Some browsers include a “Do Not Track” (DNT) setting that can send a signal to the websites you visit indicating you do not wish to be tracked. Unlike the GPC described above, there is not a common understanding of how to interpret the DNT signal; therefore, our websites do not respond to browser DNT signals. Instead, you can use the range of other tools to control data collection and use, including the GPC, cookie controls, and advertising controls described above.
• Mobile advertising ID controls. iOS and Android operating systems provide options to limit tracking and/or reset the advertising IDs.

Email web beacons. Most email clients have settings that allow you to prevent the automatic downloading of images, including web beacons, and the automatic connection to the web servers that host those images.

Before processing your request, we will take reasonable steps to verify your identity, which will include verifying that the email address from which you submit the request matches the email address we maintain on file for you. In some cases, we may ask that you provide additional information or take additional actions to verify your identity.  You may also designate an authorized agent to make a request on your behalf. The authorized agent may submit the request through our Privacy Portal and will be required to provide proof that they have been authorized to act on your behalf. If the authorized agent does not provide such proof, you will be required to confirm your identity and the authenticity of the request.

Except for the automated controls described above, if you send us a request to exercise your rights or these choices, to the extent permitted by applicable law, we may decline requests in certain cases. For example, we may decline requests where granting the request would be prohibited by law, could adversely affect the privacy or other rights of another person, would reveal a trade secret or other confidential information, or would interfere with a legal or contractual obligation that requires retention or use of the data. Further, we may decline a request where we are unable to authenticate you as the person to whom the data relates, the request is unreasonable or excessive, or where otherwise permitted by applicable law. If you receive a response from us informing you that we have declined your request, in whole or in part, you may appeal that decision by submitting your appeal using the contact details provided at the bottom of this Privacy Policy.

California Privacy Rights

If you are a California resident and the processing of personal information about you is subject to the California Consumer Privacy Act (CCPA), you have certain rights with respect to that information.

Notice at Collection. At or before the time of collection, you have a right to receive notice of our practices, including the categories of personal information and sensitive personal information to be collected, the purposes for which such information is collected or used, whether such information is sold or shared, and how long such information is retained. You can find those details in this Privacy Policy by clicking on the above links.

Right to Know. You have a right to request that we disclose to you the personal information we have collected about you. You also have a right to request additional information about our collection, use, disclosure, or sale of such personal information. Note that we have provided much of this information in this Privacy Policy. You may make such a “request to know” using the email address in the Contact Us section at the end of this Privacy Policy.

Rights to Request Correction or Deletion. You also have rights to request that we correct inaccurate personal information and that we delete personal information under certain circumstances, subject to a number of exceptions. To make a request to correct or delete, please use the contact details provided in the Contact Us section at the end of this Privacy Policy.

Right to Opt-Out / “Do Not Sell or Share My Personal Information”. You have a right to opt-out from future “sales” or “sharing” of personal information as those terms are defined by the CCPA.

Note that the CCPA defines “sell,” “share” and “personal information” very broadly, and some of our data disclosures described in this Privacy Policy may be considered a “sale” or “sharing” under those definitions. In the past 12 months, we have sold or “shared” the following categories of personal information: (1) identifiers; (2) internet or other electronic network activity; (3) geolocation data; and (4) inferences drawn from internet or other electronic network activity. To opt-out from “sales” or “sharing” of personal information, you can visit our “Do Not Sell or Share My Personal Information” page or use the Global Privacy Control described in the “Choice and Control” section of this Privacy Policy.

We do not knowingly sell or share the personal information of minors under 16 years of age.

Right to Limit Use and Disclosure of Sensitive Personal Information. You have a right to limit our use of sensitive personal information for any purposes other than to provide the services or goods you request or as otherwise permitted by law. Note that we do not use sensitive personal information for any such additional purposes.

Finally, you have a right to not be discriminated against for exercising these rights set out in the CCPA.

Additionally, under California Civil Code section 1798.83, also known as the “Shine the Light” law, California residents who have provided personal information to a business with which the individual has established a business relationship for personal, family, or household purposes (“California Customers”) may request information about whether the business has disclosed personal information to any third parties for the third parties’ direct marketing purposes. Please be aware that we do not disclose personal information to any third parties for their direct marketing purposes as defined by this law.

Location of Personal Data

The Personal Data we collect may be stored and processed in your country or region, or in any other country where we or our affiliates, subsidiaries, or service providers process data, some of which may have laws that offer different levels of data protection than the country in which you reside. Currently, we primarily use data centers in the United States. The storage location(s) are chosen to operate efficiently and improve performance. We take steps to process and protect Personal Data as described in this Privacy Policy wherever the data is located.

Retention of Personal Data

We retain Personal Data for as long as necessary to provide the Services and fulfill the transactions you have requested, comply with our legal obligations, resolve disputes, enforce our agreements, and for other legitimate and lawful purposes.  Because these needs can vary for different data types in the context of different services, actual retention periods can vary significantly based on criteria such as user expectations or consent, the sensitivity of the data, the availability of controls that enable users to delete data, and our legal or contractual obligations.

Security of Personal Data

Learning Commons holds the confidentiality, integrity, and availability of your Personal Data in the highest regard and takes reasonable and appropriate steps as part of its program to protect Personal Data it controls.

Changes To This Privacy Policy

This Privacy Policy may be revised at any time by Learning Commons updating this Privacy Policy and posting it on the Sites with an updated date. We encourage you to periodically visit this page to review the most recent Privacy Policy. 

Learning Commons may notify you of changes or updates to the Privacy Policy, or to request your consent for such changes, by additional means where required by law, such as posting a notice on the front of Learning Commons’ Site, and/or by sending you an e-mail.

Contact Us

If you have questions regarding Learning Commons Privacy Policy, you may contact Learning Commons via email at: privacy@learningcommons.org.

Our address is: 

Learning Commons c/o Chan Zuckerberg Initiative
2682 Middlefield Road, Suite i
Redwood City, CA 94063