PRIVACY POLICY

The Curiosity Cube website and mobile application is a product designed for Children by Merck KGaA, Darmstadt, Germany and our affiliates (“Company”, “we”, “us”, or “our”). We have designed the Curiosity Cube website and mobile application for Children (defined below) to minimize the collection of personal information but maximize user engagement in compliance with applicable privacy laws, including the Children’s Online Privacy Protection Act (“COPPA”), a U.S. law designed to protect the online privacy of children under the age of 13 (“Child” or collectively, “Children”). This Privacy Policy describes how we collect, use, and disclose personal information, as “personal information” is defined under COPPA (“Children’s Personal Information”), through our Curiosity Cube website and mobile application directed at Children (collectively, our “Children’s Sites”).

Our primary Children’s Site is available at https://thecuriositycube.com/. Our mobile application (“App”) for Children is also a Children’s Site and covered by this Privacy Policy (“Privacy Policy”).

If you are a California resident or a data subject in Europe, please see additional disclosures at the end of this Privacy Policy.

INFORMATION PARENTS SUBMIT TO US

In order for a Child to access most of the features on a Children’s Site, their parents or legal guardians (“Parents”) must first set up a parental account. As part of setting up a parental account, Parents will be asked to provide the following categories of information:

  • Their email address.
  • A password.
  • Four-digit PIN to lock away parental settings.

Before finalizing a parental account, Parents will be required to provide verifiable parental consent for the collection, use, or disclosure of their Children’s Personal Information. For information on verifiable parental consent and your rights as a parent, including how to revoke parental consent once given, please see the “Parental Consent” and “Parental Choices and Controls” sections below.

Once a parental account is established, Parents can then set up an account for their Child to access the Children’s Sites. As part of setting up a Child’s account, Parents will be asked to provide the following categories of information about their Child:

  • A username, avatar, and color for the Child’s account.
  • Closed captioning and visually impaired settings for the Child’s account.
  • The Child’s country, province, and language.
  • The Child’s month and year of birth.

Parents may also be asked to provide their Child’s gender and race. This information is not required and completely optional to provide. We will only use this information, if provided, to gauge our users’ learning experience on the Children’s Sites, better design our activities for underrepresented communities, and engage users from different backgrounds.

INFORMATION CHILDREN SUBMIT TO US

Once a Child’s account is established, a Child may access the Children’s Sites through their account and make changes to their account subject to parental controls. Children may change their sound, language, and accessibility settings, and view their scores and country-level map activity. Children may also be able to export their scores to their Parents.

In addition, Children may submit information to us in response to activities available on our Children’s Sites. Activities include virtual opportunities to learn about science and science-related careers through games, videos, questions, polls, and quizzes. For example, we may ask Children to vote on various scientific content/questions and provide aggregate level results to all users on the Children’s Sites. Likewise, we may ask Children about a topic they would like to learn more about and develop content based on that topic.

Children are not required to give us more information than reasonably necessary to use the Children’s Sites.

INFORMATION WE COLLECT AUTOMATICALLY

When users visit our Children’s Sites, we automatically collect certain information through background technologies. We use this information to make our Children’s Sites more interesting and useful to Children and for various purposes related to our business, including maintaining, securing and analyzing our Children’s Sites.

The categories of information we automatically collect through background technologies include:

  • Operating system
  • Type of browser
  • Browser language
  • The pages visited on our Children’s Sites
  • The activities completed within our Children’s Sites
  • Internet Protocol (IP) address or other persistent identifiers

Where users visit our Children’s Sites in Guest Mode or outside of a parental or Children’s account, to the extent applicable, we will collect and process persistent identifiers solely for the purpose of providing support for the internal operations of the Children’s Sites or as otherwise permitted by COPPA and other applicable data protection laws.

The background technologies used to automatically collect this information include:

  • Cookies, which are small data files stored on a user’s device. Cookies can help us recognize a user and save their preferences for when they return to our Children’s Sites, help you navigate the Children’s Sites, improve user experience, and also help with age-screening tools.
  • Log files, which are files that record events that occur in connection with your use of the Children’s Sites.
  • Pixels (also known as “web beacons”), which are pieces of code embedded in a service that send information about your use to a server. When you access a Children’s Site that contains a pixel, the pixel may permit us or a separate entity to drop or read cookies on your browser. Pixels are used in combination with cookies to track activity by a particular browser on a particular device.

These background technologies may be offered by third parties and allow us to assign a unique number to our Child users, but this number will not be used to track Child users across different, unaffiliated web sites.

Most browsers can be set to detect or reject browser cookies. You may be able to change settings in your device or browser to decline or delete cookies. Some parts of our Children’s Sites may be harder to use or may not work at all if cookies are rejected. Unless and until the law is interpreted to require us to do so, we do not monitor or take action with respect to “Do Not Track” signals.

For more information about cookies, go to https://www.allaboutcookies.org/.

USE OF INFORMATION

We may use information: (1) to provide our services to a Parent or Child (such as the activities a Child would like to engage with); (2) to comply with the law (such as when we use information for record-keeping to satisfy legal and compliance obligations); (3) in accordance with valid consent (where a Parent has provided consent for their Child); and (4) as necessary for business interests (such as when we collect and use a Child’s data in support of internal operations such as making improvements to the user experience or content, taking into account the impact on the Child’s privacy).

We may display country-level maps accessible to all users within the Children’s Sites about how many users are currently interacting with the Children’s Sites. We never display usernames, and all information is displayed in the aggregate.

SERVICE PROVIDERS

We use the services of other companies to help us run our Children’s Sites. This means that some information we collect on Children’s Sites may be collected or accessed by those service providers. Our service providers can only use Children’s Personal Information to do the tasks we hire them to do, in the ways we allow them to, such as enabling registration, maintaining accounts, fulfilling account requests, facilitating activities, and customer service.

BEHAVIORALLY TARGETED ADVERTISING

Our Children’s Sites do not track Children to serve them behaviorally targeted advertisements (also known as retargeting or online behavioral advertising), or to knowingly allow others to do so.

SPECIAL CIRCUMSTANCES FOR INFORMATION DISCLOSURE

We reserve the right to disclose information, including Children’s Personal Information:

  • As permitted or required by applicable law, such as to operate the Children’s Sites; to maintain the safety and integrity of the Children’s Sites; to send technical notices, updates, security alerts, information regarding changes to policies, and administrative messages; to prevent fraud, breaches of our policies, and threats of harm; to conduct research; to improve our Children’s Sites and other Company websites, apps, products and services; to take precautions against other liability; or when we believe release is required to comply with federal, state or local law (such as cooperating with a judicial process or law enforcement investigation).
  • In connection with a corporate change or dissolution, including for example a merger, acquisition, reorganization, consolidation, bankruptcy, liquidation, sale of assets, wind-down of business or related due diligence.
  • To fulfill any other purpose at the user’s direction or with notice to the Parent and with the Parent’s consent.

Notwithstanding the above, we may use and disclose information that does not identify an individual (including information that has been aggregated or deidentified) for any purpose except as prohibited by applicable law. For information on a Parent’s rights and choices regarding how we use information about Children, see the “Parental Choices and Controls” section below.

SECURITY

We implement and maintain reasonable administrative, physical, and technical security safeguards to help protect information on our Children’s Sites from loss, theft, misuse and unauthorized access, disclosure, alteration and destruction. Nevertheless, transmission via the internet is not completely secure and we cannot guarantee the security of information about users.

PARENTAL CONSENT

When we knowingly collect Children’s Personal Information from a Child, we ask the Parent for consent before we collect it, unless the request falls within an exception under COPPA or other applicable data protection laws. We let Parents know about such collection as required or permitted by law.

When prior parental consent is required, we ask for it in ways allowed by COPPA and other applicable data protection laws. We currently use a third party service provider, Kids Web Services, to obtain verifiable parental consent. Depending on your country, the methods available for verifiable parental consent may include verification through e-mail plus, use of a government-issued ID, or a credit card transaction.

PARENTAL CHOICES AND CONTROLS

Parents can visit their parental account settings for certain options around their Child’s account, including modifying certain settings in their Child’s account, such as the following settings:

  • A username, avatar, and color for the Child’s account.
  • Closed captioning and visually impaired settings for the Child’s account.
  • The Child’s country, province, and language.
  • The Child’s month and year of birth.

In addition, at any time, a Parent may review their Child’s Personal Information maintained by us, require us to correct or delete such Child’s Personal Information, request that we delete their Child’s account, and/or refuse to permit us to further collect or use their Child’s Personal Information by contacting us as set out in the “Contact Us” section below. To protect Parent privacy and security and the privacy and security of Children, we may require a Parent to take certain steps or provide additional information, which we will keep strictly confidential, to verify their identity before we provide any information about the Child or make any corrections.

Please keep in mind that a request to delete Children’s Personal Information may lead to a termination of the Child’s account and ability for the Child to further access the Children’s Sites.

RETENTION AND DELETION

We keep the information we collect for a reasonable amount of time to perform the task for which we collected it. We reserve the right to keep certain information to the extent permitted and/or required by law, including any statutory retention requirements. When deleted, Children’s Personal Information is deleted securely. In some cases we may deidentify or aggregate Children’s Personal Information instead of deleting it.

THIRD PARTY SERVICES

Our Children’s Sites may contain links to websites, apps or other online services that we consider appropriate. We do not own or operate those other sites, and the privacy policies found on those sites (not this Privacy Policy) govern the collection and use of information there.

We recommend reading the privacy policy of each website or app visited after leaving our Children’s Sites, to learn about how information is collected, used, stored and shared by those other websites, apps, and online services.

We encourage Parents to talk with their Children about how to be safe online.

INTERNATIONAL TRANSFERS

Please be aware that information collected through our Children’s Sites may be transferred to, processed, stored, and used in the U.S. and other jurisdictions. Data protection laws in the U.S. and other jurisdictions may be different from those of your country of residence. For personal data transferred from the European Union, United Kingdom, or Switzerland, we will provide appropriate safeguards, such as through use of standard contractual clauses.

CHANGES TO THIS PRIVACY POLICY

This Privacy Policy may be changed. Any changes will be effective immediately upon posting of the revised Privacy Policy. For material changes, we will try to notify Parents in any way the law allows. We may also post a notice on our Children’s Sites that post a link to this Privacy Policy when material changes are made, unless otherwise required by applicable law.

CONTACT US

If you have any questions about this Privacy Policy, our data practices, or our compliance with applicable law, or experience any difficulty accessing the information in this Privacy Policy, please contact us.

ADDITIONAL DISCLOSURES FOR CALIFORNIA RESIDENTS

The California Consumer Privacy Act of 2018 (“CCPA”) provides additional rights to know, delete and opt-out, and requires businesses collecting or disclosing personal information to provide notices and means to exercise such rights when applicable.

  A. Notice of Collection.

In the past 12 months, we have collected the following categories of personal information enumerated in the CCPA:

  • Identifiers, including email address, month and year of birth, and online identifiers (such as IP address).
  • Characteristics of protected classifications under California or federal law, including country, race, age, and gender.
  • Commercial or transactions information, including records of activities viewed, obtained, considered, and completed.
  • Internet activity, including browsing history, search history, and interactions with our websites, emails, and applications.
  • Geolocation data.

For further details on information we collect, including the sources from which we receive information, review the “Information Parents Submit to Us,” “Information Children Submit to Us,” and “Information We Collect Automatically” sections above. We collect and use these categories of personal information for the business purposes described in the “Use of Information” section above. Please review the “Service Providers” and “Special Circumstances for Information Disclosure” sections above for further details about the categories of parties to whom we disclose information.

  B. Right to Know and Delete.

You have the right to know certain details about our data practices in the past 12 months. In particular, you may request the following from us:

  • The categories of personal information we have collected about you;
  • The categories of sources from which the personal information was collected;
  • The categories of personal information about you we disclosed for a business purpose or sold;
  • The categories of third parties to whom the personal information was disclosed for a business purpose or sold;
  • The business or commercial purpose for collecting or selling the personal information; and
  • The specific pieces of personal information we have collected about you.

In addition, you have the right to delete the personal information we have collected from you.

To exercise any of these rights, please submit a request through our Online Form. In the request, please specify which right you are seeking to exercise and the scope of the request. We will confirm receipt of your request within 10 days. We may require specific information from you to help us verify your identity and process your request. If we are unable to verify your identity, we may deny your requests to know or delete.

We do not “sell” personal information as that term is defined by the CCPA.

  C. Authorized Agent.

You can designate an authorized agent to submit requests on your behalf. However, we will require written proof of the agent’s permission to do so and verify your identity directly.

  D. Right to Non-Discrimination.

You have the right not to receive discriminatory treatment by us for exercising any of your rights.

  E. Shine the Light.

We do not disclose personal information to third parties for those third parties’ own direct marketing purposes.

ADDITIONAL DISCLOSURES FOR DATA SUBJECTS IN EUROPE

  A. Roles.

Data protection laws in Europe distinguish between organizations that process personal data for their own purposes (known as “controllers”) and organizations that process personal data on behalf of other organizations (known as “processors”). Company acts as a controller with respect to personal data collected as you interact with our Children’s Sites.

  B. Lawful Basis for Processing.

Data protection laws in Europe require a “lawful basis” for processing personal data, including Children’s Personal Information. Our lawful bases include where: (a) a parent or legal guardian has given consent to the processing of personal data for one or more specific purposes, either to us or to our service providers; (b) processing is necessary for the performance of a contract with you; (c) processing is necessary for compliance with a legal obligation; or (d) processing is necessary for the purposes of the legitimate interests pursued by us or a third party, and your interests and fundamental rights and freedoms do not override those interests. Where applicable, we will transfer your personal data to third countries subject to appropriate or suitable safeguards, such as standard contractual clauses.

Where the basis for our processing of personal data from children under 16 in Europe is consent, we will make appropriate efforts to verify that consent is given or authorized by the holder of parental responsibility over those children, and, if we learn or have reason to suspect that we have collected personal data from those children without parental consent, we will promptly delete it. If you are a child under 16 in Europe, please speak with your Parent about this Privacy Policy so you can better understand how we use your personal data.

  C. Your Data Subject Rights.

You have the right to access, rectify, or erase any personal data we have collected about you. You also have the right to data portability and the right to restrict or object to our processing of personal data we have collected about you. In addition, you have the right to ask us not to process your personal data (or provide it to third parties to process) for marketing purposes or purposes materially different than for which it was originally collected or subsequently authorized by you. You may withdraw your consent at any time for any data processing we do based on consent you have provided to us.

To exercise any of these rights, please contact us as set out in the “Contact Us” section above and specify which right you are seeking to exercise. We will respond to your request within 30 days. We may require specific information from you to help us confirm your identity and process your request.

Please note that we retain information as necessary to fulfil the purposes for which it was collected, and may continue to retain and use information even after a data subject request for purposes of our legitimate interests, including as necessary to comply with our legal obligations, resolve disputes, prevent fraud, and enforce our agreements.

If you have any issues with our compliance, you may contact us as set out in the “Contact Us” section above. You also have the right to lodge a complaint with the data protection regulator in your jurisdiction.