Runestone Logo
Legal & Compliance
← Legal & Compliance

Privacy Policy

Last updated: July 2026

Plain English

Runestone Academy has an educational mission. In this paragraph we provide our plain English view of your privacy and how we use your data when you visit our website (https://runestone.academy, the “Website”) to register your school or class as a user, when you register as a student of a school or class or access or use our educational services. The books and course materials we provide (the “Service”) are free-of-charge and in an open source format. They are for educational purposes only. As part of the Service or the Website we do collect usage data to help us better understand how you learn and how you use the Service and the Website. Because the Services may be used as a part of your formal education we need to collect some identifying information so that you can save and retrieve your work, and so that your instructor can register for the Service and assess your progress, grade, and give you feedback.

We may use the data we collect to make decisions about revisions to the Service, for academic research and to publish academic papers. We would never publish anything that knowingly revealed your identity. We may share this data with fellow educational researchers, or other partners that help further the mission of computer science education for everyone, but rest assured that any and all personally identifying information will be anonymized before we do. Other than that, we will take reasonable efforts to keep your data private and safe.

All of the code used for the Service is available for you to inspect on GitHub. The rest of this document is the detailed legal description of our policy. If you see something below that you think is not in the educational spirit of Runestone Interactive, please point it out so we can clarify it or change it.

Legal

This privacy policy has been compiled to better serve those who are concerned with how their 'Personally Identifiable Information' (PII) is being used. PII is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. Please read our privacy policy carefully to get a clear understanding of how we collect, use, protect or otherwise handle your PII in accordance with our Website or our Service.

What personal information do we collect from the people that visit our blog, website or app?

When registering on our Website you may be asked to enter your name, email address, user name or other details to help you with your experience.

When do we collect information?

We collect information from you when you register on our site, enter information on our Website or use the Service.

How do we use your information?

We may use the information we collect from you when you register to use the Service, sign up for our newsletter, respond to a survey or marketing communication, surf the Website, use the Service or use certain other site features in the following ways:

  • To personalize your experience and to allow us to deliver the type of content and product offerings in which you are most interested.
  • To improve our website in order to better serve you.
  • To allow us to better service you in responding to your customer service requests.
  • For educational research.

How do we protect your information?

Although total security does not exist on the Internet or through mobile networks, we will take the following steps to protect your PII.

Your personal information is contained behind secured networks and is only accessible by a limited number of persons who have special access rights to such systems, and are required to keep the information confidential. In addition, all sensitive/credit information you supply is encrypted via Secure Socket Layer (SSL) technology.

An external PCI compliant payment gateway handles all payment transactions.

We do use periodic Malware Scanning.

We implement a variety of security measures when a user enters, submits, or accesses their information to maintain the safety of your personal information.

Do we use 'cookies'?

Yes. Cookies are small files that a site or its service provider transfers to your computer's hard drive through your Web browser (if you allow) that enables the Website's or service provider's systems to recognize your browser and capture and remember certain information. They are also used to help us understand your preferences based on previous or current Website activity, which enables us to provide you with improved services. We also use cookies to help us compile aggregate data about Website traffic and Website interaction so that we can offer better site experiences and tools in the future.

You can choose to have your computer warn you each time a cookie is being sent, or you can choose to turn off all cookies. You do this through your browser settings. Since each browser is a little different, look at your browser's Help Menu to learn the correct way to modify your cookies.

If you turn cookies off, some of the features that make your site experience more efficient may not function properly.

Third-party disclosure

We do not sell, trade, or otherwise transfer to outside parties your PII unless we provide users with advance notice. This does not include website hosting partners and other parties who assist us in operating our website, conducting our business, or serving our users, so long as those parties agree to keep this information confidential. We may also release information when its release is appropriate to comply with the law, enforce our site policies, or protect ours or others' rights, property or safety. It is also possible that we would sell our business (through merger, sale, reorganization or otherwise), or sell all or substantially all of our assets. In any transaction of this kind, customer information, including your PII, may be among the assets that are transferred. If we decide to so transfer your personally identifiable information, you will be notified by email or by a post to the Website.

The advent of Large Language Models (LLMs) brings some unique opportunities for improving learning, and providing personalized tutoring to our readers. To do this we reserve the right to enter into an agreement with any company with the resources to train such an LLM, whereby we would provide them a random sample of anonymized answers to the questions contained in the text books on Runestone Academy. Any data privacy agreement that we have in place with a school, that stipulates the school owns the data will be honored and students from such schools would be excluded from the random sample.

Blogs and Message Areas

The Website may include access to and use of blogs or other message areas that allow users to post information to the Website. When you post messages, other site visitors can also view them. We urge you to exercise caution when providing personally identifiable information in the blogs or other message areas. Remember that any information you disclose in these areas becomes public information.

YouTube Videos — We use YouTube to host the videos contained in our textbooks because it is economical and the most reliable way to ensure that we can serve videos on as many browsers on as many platforms as possible. When we use YouTube for videos then you should understand that YouTube's Terms of Service apply.

Third-party links

Occasionally, at our discretion, we may include or offer third-party products or services on our website. These third-party sites have separate and independent privacy policies. We therefore have no responsibility or liability for the content and activities of these linked sites. Nonetheless, we seek to protect the integrity of our site and welcome any feedback about these sites.

How does our site handle Do Not Track signals?

We honor Do Not Track signals and Do Not Track, plant cookies, or use advertising when a Do Not Track (DNT) browser mechanism is in place.

Does our site allow third-party behavioral tracking?

It's also important to note that we do not allow third-party behavioral tracking.

COPPA (Children Online Privacy Protection Act)

The Service shall not be made available to anyone under the age of 13 without our prior written consent.

FERPA (Family Educational Rights and Privacy Act)

The Family Educational Rights and Privacy Act (FERPA, 20 U.S.C. § 1232g; 34 CFR Part 99) protects the privacy of student education records. When Runestone Academy provides the Service to a school, school district, college, or university (an “Educational Institution”), we act as a “school official” with a “legitimate educational interest” in the education records disclosed to us, as those terms are defined under FERPA and its implementing regulations (34 CFR § 99.31(a)(1)(i)(B)). In that role:

  • Direct control. We use and maintain student education records under the direct control of the Educational Institution with respect to the use and maintenance of those records.
  • Limited use. We use education records only to provide and improve the Service for the Educational Institution and for the authorized educational purposes described in this Privacy Policy. We do not use education records for advertising or any commercial purpose, and we do not sell them.
  • No redisclosure. We do not disclose student education records to third parties except as directed or authorized by the Educational Institution, as needed by our service providers to operate the Service (subject to confidentiality obligations at least as protective as those in this policy), or as required by law.
  • Access and correction. Because the Educational Institution controls its students' education records, requests to inspect, review, correct, or delete education records should be directed to the Institution (typically the student's instructor), and we will cooperate to fulfill them. Students may also access, correct, or delete much of their own information directly from their User Profile page.
  • Ownership. As between Runestone Academy and the Educational Institution, education records provided to us or generated by students through the Service remain the property of, and under the control of, the Educational Institution.
  • Retention and deletion. We retain and delete education records in accordance with the Data Retention section below and any Data Privacy Agreement we have entered into with the Educational Institution.

Nothing in this section is intended to transfer to Runestone Academy any obligation of an Educational Institution to obtain any consent required under FERPA prior to disclosing education records to us.

The General Data Protection Regulation (GDPR)

The GDPR is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. To the best of our knowledge we are in compliance with the GDPR. We collect minimal personally identifiable information (email, first name, last name) and we do not share that information with any third parties. All users have the ability to delete their account and all associated data. We do not use any personal information for marketing purposes. We do not use any personal information for any purpose other than making it easier for instructors to run a course on Runestone Academy.

How to Access, Correct or Delete Your Information

You can access, correct or delete your personally identifiable information on your “User Profile” page. To protect your privacy and security, we require a user ID and password to verify your identity before granting access or making corrections. Please be advised that certain personal information may not be corrected or deleted if we must by law retain such information as submitted.

If at any time you would like to unsubscribe from receiving future emails, you can email us at [email protected] and we will promptly remove you from ALL correspondence.

Parental options to Access, Correct or Delete a Student's Information

Parents may request corrections, access or deletion of student information by submitting a request through the verified instructor for the course in which their child is enrolled. Runestone has no way to independently verify the identity of a parent without working through the instructor for the course so if you are a parent please do not email us directly.

Data Retention

In general we keep all data for two years. This is largely so that students can access their work as they continue their studies. After two years data is deleted from our production system. There are several exceptions to this policy.

  • Any student can fully delete their account and all associated data from the profile page. This deletion is permanent and non-reversible.
  • If we have a Data Privacy Agreement in place with a school that calls for data to be deleted earlier than two years we are happy to comply.

Advertising

Runestone derives revenue from the use of Ethical Ads. Registered users, enrolled in a course through their institution, will not be shown ads. EthicalAds does not use cookies or any other form of tracking. See About Advertising for more.

Information Security Policy

We maintain a written information security policy that we update from time to time. Keeping in mind that as a small organization we do not need a lot of written policies. You are welcome to read our Data Security & Privacy Plan. We welcome your feedback and suggestions for how to improve.

Breach Response

In the event of a data breach, we will notify the instructor(s) of all affected courses by email as soon as we are able, within at least 48 hours of us becoming aware of said breach. We will rely on the instructors to relay that information to their school administration. In the event that we have a Data Privacy Agreement in place with a school where we have other contact information we will use that as well.

Contacting Us

If there are any questions regarding this privacy policy, you may contact us using the information below.

https://blog.runestone.academy
2161 Maier Court
Luck, WI 54853
USA
[email protected]

© Copyright Runestone Academy Ltd  •  Privacy Policy  •  Terms of Service  •  Legal & Compliance