Committed to 

Our Users & Partners

Our Commitment to Privacy & Security

As RedShelf helps the learning community transition to digital learning resources, we focus on respecting and protecting our users’ data by employing a range of strategies, including: 

  • Retaining an in-house privacy and security team dedicated to protecting our users’ privacy and securing our platform.

  • Implementing privacy and security measurements throughout the software development lifecycle.

  • Collecting the minimum amount of personal information required to deliver our services to users and our business partners.

  • Implementing a multi-layered defense to assist with platform protection and security.

  • Conducting third-party testing and vulnerability scans to identify potential security risks.

If you have any questions or concerns regarding how RedShelf collects and protects user privacy or implements platform security, please reach out to us at privacy@redshelf.com.

We are committed to achieving and implementing the following benchmarks and industry standards: 

  • We are committed to compliance with the Family Educational Rights and Privacy Act (FERPA) when institutions provide Personally Identifiable Information (PII) to us for legitimate and necessary educational purposes.

  • We are committed to compliance with applicable privacy laws such as the California Consumer Privacy Act (CCPA)

  • We utilize the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) as a guiding principle.

  • We require our third-party processing partner to adhere to the Payment Card Industry Data Security Standards (PCI-DSS) to ensure we do not receive or store payment information.

  • We regularly update our Higher Education Community Vendor Assessment Tool (HECVAT) to mature cybersecurity standards within the higher education industry. 

  • We partner with third-party organizations such as Qualys Scan, and White Hat Hackers to conduct third-party penetration testing and vulnerability scans of our environment.

  • We reside in Amazon Web Services (AWS) and Google Cloud Platform (GCP), both of which are SOC 2 Type 2 certified, meaning they promise to securely manage our data to protect the interest of RedShelf and the privacy of our users.

RedShelf Privacy Notice

Last revised: November 24, 2020

Note: California residents should also see our California Privacy Notice, to understand their rights under the CCPA and our disclosures related to the CCPA.


  1. What’s this?

  2. What information does RedShelf collect?

  3. How will RedShelf use all this Data?

  4. Will RedShelf share any of your Personal Information?

  5. How long will RedShelf collect / keep your Personal Information

  6. Data Security

  7. RedShelf’s commitment to children’s privacy

  8. International visitors

  9. Changes and updates to this Privacy Notice

  10. RedShelf contact information

1. What's This?

1.1.  RedShelf’s Privacy Notice - RedShelf highly values and respects its End Users’ privacy and places significant importance on maintaining the privacy of all its End users. This Privacy Policy explains what types of data RedShelf collects and how it is collected, used and shared. By agreeing to RedShelf’s EULA and using the RedShelf Platform, End User expressly agrees to the Privacy Notice, and accepts the privacy policies set forth herein.


1.2.  Privacy Notice + Terms of Use = EULA - This Privacy Notice is part of RedShelf’s End User License Agreement (EULA), which also encompasses RedShelf’s Terms of Use. This EULA constitutes a legal agreement between End User and RedShelf regarding the use of the RedShelf Platform, including the RedShelf eReader and the digital content (“Content”) that can be accessed through the RedShelf Platform. This Privacy Notice is subject to RedShelf’s Terms of Use. At all times, End User’s use of RedShelf and any personal information provided to or through RedShelf are subject to this Privacy Notice and said Terms of Use


1.3.  Special provisions for Institutional End Users - Personal information of “Institutional End Users”, including Inclusive Access Students is additionally protected by the Family Education Rights and Privacy Act (“FERPA”). In order to safeguard confidentiality of such personal information, different / additional rules may apply to such Institutional End Users, which will be explicitly addressed where relevant in this Privacy Notice. 


1.4.  Privacy opt-out - At any point in time, End User can decide to revoke his/her consent to this Privacy Notice, by clicking here to complete this form to unsubscribe from the RedShelf Platform. As a result, RedShelf will cease to collect any information on said End User. End Users will be warned that they will not be able to enjoy RedShelf’s services or access Content through the RedShelf Platform until they accept RedShelf’s Privacy Notice (as well as RedShelf’s Terms of Use).

1.5   Follett End Users – End Users that purchased their digital content specifically from Follet or a Follett-affiliated bookstore or institution. Follett Users are not directly covered by this Privacy Notice, but are covered under Follett’s privacy policy. Nevertheless, RedShelf treats and protects all Follett Users’ personal information in the same way as it treats and protects its own End Users’ privacy. RedShelf just cannot directly respond to any privacy requests from Follett Users., as RedShelf is Follett’s service provider and merely processes data on behalf of Follett.

2. What information does RedShelf collect?

2.1.  Types of Data - In order to provide End Users with the requested services, RedShelf collects different types of data, including personal information, as well as other non-public data (a). RedShelf also collects information regarding End Users’ Access Rights (b), as well as information based on the use of our services, including User Content (c) and Usage Data and other Metadata (d):

a. User Information – When signing up for RedShelf, End User is asked to create a RedShelf profile, and provide RedShelf with certain personal information necessary to identify them as a unique and legitimate RedShelf user. This minimum User Information encompasses End User’s name, email address, date of birth and an (automatically generated) RedShelf ID number. End User can choose to complete their RedShelf profile with a second email address, phone number, mailing address, billing address, profile picture or avatar, etc. This category of information is considered to be “User Information”. 

For Inclusive Access-students, such User Information may include but is not limited to Personally Identifiable Information (PII) as mentioned in FERPA. Under FERPA and the regulations promulgated thereunder, students’ educational records and any Personally Identifiable Information (PII) contained therein, are confidential, and thus protected. 


RedShelf is an educational service provider considered to be a “School Official” with a “legitimate educational interest” as described in FERPA. In this capacity, RedShelf is allowed access to certain PII (which RedShelf will only use to fulfill its contractual obligations and services). 

Based on said ‘school official’-label, the school or institution – upon setting up an IA Course with RedShelf – provides RedShelf with certain personal information about its students, like students’ name, email address, and “Student-Course Information” (which is information as to in which school and which course(s) a student is participating in the Inclusive Access Program). This may also include student ID, secondary email address, phone, and mailing address, billing address, financial aid, etc. to the extent the school chooses to provide that information to RedShelf. 


RedShelf will only collect such information that is necessary to provide its IA Students with the services and access to digital content they are entitled to. Just like any other End User, Institutional End Users can choose to complete their RedShelf profile with a second email address, phone number, mailing address, billing address, profile picture or avatar, etc. 


Inclusive Access Students should note that Opt-in or Opt-out is done on the RedShelf Platform, and thus requires acceptance of RedShelf’s EULA. IA students who ignore or decline the EULA are not automatically opted out and may be charged by their Institution. Students who have concerns about that, may contact RedShelf through this form

b. Access Rights Information – For each End User, RedShelf needs to keep track of which Content such End User has a right to access, as well as the duration of such right to access. This information is referenced to as “Access Rights Information”. 

For Institutional End Users, either the Inclusive Access student or the Institution may provide RedShelf with opt out information, which will determine access rights to certain content.


c. User Content – The result of an End User’s activity on the RedShelf Platform, including all his/her highlights, notes, flashcards, study guides, comments, bookmarks, questions, assignments, assessments etc. added to any digital content, is logged and stored by RedShelf as End User’s personal version of such content. The collectivity of all such personal versions of all of End User’s content, together with any content shared with or by other RedShelf End Users, and any feedback from or to other Users, including assessment and reading scores, is considered to be “User Content”. 


For Institutional End Users, User Content may also include submitted assessments, assessment scores, reading scores, feedback, etc. within a certain IA Course.


d. Metadata - “Metadata” is system information and user analytics, automatically collected using cookies, IP tracking and other or similar sensors and technologies, etc. The Metadata collected by RedShelf include:

  • Device information such as hardware model, operating system version, browser type and version user agent;

  • Log information including details of when and how an End User used our services, Internet Protocol address ("IP Address") including geolocation, time zone, failed login attempts, language;

  • Usage information including the content and pages that End Users access on RedShelf, the dates, times and duration that they visit RedShelf and Content, navigation data (usage of features, opening / closing of menus), user actions (searches, dictionary lookups, creation of notes, flashcards, bookmarks, comments, printing, usage of offline mode, …), etc.


e. Google Analytics – RedShelf uses a third-party tool, Google Analytics, to collect and process general (aggregate) analytics about the use of our website and Platform. This set of analytic data is de-identified (as defined hereafter, in section 2.3), not re-identifiable (only aggregate information on an entire group of users). Please visit policies.google.com/technologies/partner-sites to know more about how Google Analytics collects and processes data, and to learn how to prevent Google Analytics from tracking your browser. Google Analytics also uses cookies (visit developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage for more information on Google’s cookies). RedShelf does not use Google Analytics Advertising Features, or other advertising networks and does not provide website visitors or End Users with interest-based advertising.

  • Device information such as hardware model, operating system version, browser type and version user agent;

  • Log information including details of when and how an End User used our services, Internet Protocol address ("IP Address") including geolocation, time zone, failed login attempts, language;

  • Usage information including the content and pages that End Users access on RedShelf, the dates, times and duration that they visit RedShelf and Content, navigation data (usage of features, opening / closing of menus), user actions (e.g. searches, dictionary lookups, creation of notes, flashcards, bookmarks, comments, printing, usage of offline mode), etc.


2.2.  No payment information - RedShelf does not store information used to complete and process payment transactions on RedShelf. RedShelf utilizes third-party payment gateway service providers to complete transactions and, therefore, does not store any payment information.


2.3.  De-identified Data - Some of the above data will be de-identified before processing or sharing. De-identified Data has all direct and indirect personal identifiers removed, including name, ID, date of birth, demographic information, location information, and school. RedShelf will not attempt to re-identify any de-identified Data.

3. How will RedShelf use all this data?

3.1.  Authorized purposes - RedShelf will only use the collected Data to fulfill the services it has been contracted for, which is to serve its End Users and provide them with access to all the digital content and services they are entitled to. These authorized purposes include: 

a. Identification / Authentication – RedShelf verifies End Users’ identity upon every login, and to verify each End User’s License to access certain Content. 

b. Security – RedShelf may use the collected Data in order to detect, prevent, or otherwise address fraud, security or technical issues, as well as to enforce this Privacy Notice and/or the RedShelf Terms of Use, including investigation of potential violations thereof. 

c. Copyright protection – RedShelf may use the End Users’ User Information, Access Rights Information and User Content to the extent necessary to comply with the Digital Millennium Copyright Act (DMCA) as a service provider. 

d. Communication – RedShelf may use End User’s contact information for administrative and communication purposes such as notifying End Users of account activity, updates, customer service, addressing possible copyright infringement, or to contact End Users regarding any content that they may have posted to or purchased from RedShelf.  

e. Improving RedShelf products & services – RedShelf uses (aggregate) Metadata and Google Analytics Data in the analytics section in order to improve its products and services in general:  to assess usage of products and features and build new ones, to improve its User Experience, etc. 


RedShelf may use End User’s User Information, Access Rights Information and User Content (identifiable) Metadata for malware/spam detection, for personalization purposes, as well as to provide End User with help and support faced with any kind of problem they encounter and contact our customer service for. 

f. Learn and Report on study behavior – RedShelf additionally uses Usage Data about IA-students, to research and allow Institutions to analyze student reading and study habits, student performance, etc.


3.2.  What about Marketing and Advertising? - RedShelf will not use any personal information to serve End Users with third-party advertisements or marketing. Individual End Users may receive emails from RedShelf informing them about new products or services, discounts, contests, events, etc. RedShelf only uses online behavioral / targeted advertising to deliver interest-based ads to redshelf.com visitors when they visit other websites. 


RedShelf does not direct any advertisement or marketing towards Inclusive Access-Students. Advertising or marketing may be directed to End User’s Institution only if student information is properly de-identified. RedShelf does not apply data mining or data scanning for the purpose of advertising or marketing to IA-Students. 

4. Will RedShelf share any of your personal information?

4.1.  No Disclosure of personal information - RedShelf shall not disclose nor share any personal information with any third-party unless permitted by the terms of this Privacy Notice or its Terms of Use. 


4.2.  Exceptional Disclosures

a. Required by law – RedShelf may disclose personal information if required to do so by law or in the good-faith belief that such action is necessary to comply with state and federal laws (such as U.S. Copyright law) or respond to a court order, judicial or other government subpoena, or warrant in the manner required by the requesting entity;

b. Court order or subpoena – In case RedShelf receives a court order or lawfully issued subpoena, RedShelf may re-disclose personal information from education records on behalf of End User’s institution in response to that order or subpoena. Unless said court order or subpoena explicitly precludes it, RedShelf will – prior to any re-disclosure in response to the court order or subpoena – make a reasonable effort to notify impacted End Users so they may seek protective action; 

c. Protection – RedShelf reserves the right to disclose personal information that RedShelf believes, in good faith, is appropriate or necessary: to take precautions against liability; to protect RedShelf from fraudulent, abusive, or unlawful uses; to investigate and defend ourselves against third-party claims or allegations; to assist government enforcement agencies; to protect the security or integrity of RedShelf’s Platform and systems; or to protect the rights, property, or personal safety of RedShelf, our employees, other Users, or others. 

d. In the event of a Merger or Sale – In the event that RedShelf is acquired by or merged with a third-party entity, RedShelf reserves the right, in any of these circumstances, to transfer or assign the information that RedShelf has collected from End Users as part of that merger, acquisition, sale, or other change of control. Any such assignment would, along with the data, transfer any and all of RedShelf’s obligations as well as rights regarding data security and privacy protection to the assignee, not affecting and thus safeguarding End Users’ personal information. 


For Institutional End Users, any such assignment will safeguard the Institution’s control over the use and maintenance of the education records and any PII contained therein. 


4.3.  Sharing of de-identified Data – RedShelf will only transfer de-identified Data to third parties who agree not to attempt any re-identification. 


4.4.  Necessary disclosure of select information – As a rule, RedShelf only shares de-identified information with third parties. In some instances however, in order to render our services and to provide End User with access to the Content, RedShelf needs to share User Information (name, email address and RedShelf ID number) with other parties.  

a. Disclosures to other School Officials – For Institutional End Users, RedShelf will share certain User Information, Course Information, Usage Data and User Content with relevant administrative and academic staff and faculty within the Institution, which RedShelf may assume to be school officials under FERPA as well.


b. Disclosures to Content holders – RedShelf needs to share certain User Information, Access Rights Information and Usage Data with Content holders and other educational service providers that are instrumental in the delivery of and reporting on the Content and services provided to such End Users.


For Institutional End Users, RedShelf may assume these Content holders and other educational service providers to be school officials as well, pursuant to FERPA.

c. Disclosures to Third-Party Content Providers and Bookstores – RedShelf may have to share certain User Information and Usage Data on End Users and on Follett Users (as described in Section 3.2 e of RedShelf’s Terms of Use) with third-party content provider or bookstore, as such End Users are such third-party’s customers, not RedShelf’s customers.


d. Authorized purposes only – RedShelf will not disclose any personal information for any other purposes (such as commercial, advertising marketing purposes) than to fulfil our obligations towards End User and, if applicable, towards End Users’ Institution) and to the extent authorized by this Privacy Notice, the RedShelf Terms of Use and, if applicable, the Customer or Institution’s contract with RedShelf.

5. How long will RedShelf collect/keep your personal information?

5.1.  Request to anonymize – Under certain circumstances, End User can request that RedShelf anonymizes his/her user account,  by submitting this form. As a result of such (confirmed) request, RedShelf will de-identify as much personal information as possible, given the restrictions mentioned in section 5.3. After a RedShelf account has been anonymized, RedShelf will have no means whatsoever to retrieve/re-identify any User Information, any Access Rights Information or any Usage Data or any other information linked to such anonymized End User. It also means End User's information may be pulled back in in the future (for example through an Inclusive Access program at User’s Institution). End User will be warned thereof and asked to confirm his request through email (see section 5.2).


5.2.  Final notice – Prior to proceeding with the anonymization of an End User’s account, RedShelf will notify such End User: (i) to inform End User that the anonymization of his/her account will be permanent and not-reversible; (ii) if applicable, to inform End User that he/she will lose access to any and all Content; (iii) to ask End User to confirm his/her request to de-identify his/her personal information; (iv) to ask the End User for feedback on our services and the reason for anonymizing. RedShelf will notify End User based on the email address RedShelf has on record.  


5.3.  Exceptions/ limitations:

a. Active access rights - End Users who still have active access rights to certain Digital Content, will irreversibly lose access to such Content upon anonymization, and RedShelf will only proceed with such anonymization (i) after such End User explicitly confirms the Digital Content can be de-activated; and (ii) to the extent that no other limitations preclude anonymization (see this Section 5.3); 


b. Accessed content less than 2 years ago – In case End User has accessed any Digital Content in the 2 years prior to the anonymization request, User cannot be de-identified;


c. Transaction data – Certain User Information contained in transaction data cannot be removed from RedShelf’s records for tax, audit and liability purposes, and will therefore survive any un-subscription or request for anonymization;


d. Inclusive Access – For Institutional End Users, the Institution through which an End User was provided access to Content on the RedShelf Platform, has authority over their students’ personal data. Therefore, RedShelf cannot independently anonymize information of Institutional End Users linked to an Institution’s Inclusive Access Program and the following restrictions apply:

i.   Individual request from End User – Institutional End Users cannot request to have their account anonymized directly by RedShelf, but are advised to contact their Institution’s administration, who will then coordinate with RedShelf over any such request. In any case, RedShelf can only anonymize user accounts to the extent described in section 5.3. a. through c.


ii.  Students with Continued access – In the event the Institutional End User graduates, or for any other reason is no longer enrolled in or linked to the Institution, but still has active access rights to certain content, such Institutional End User will have Continued Access. RedShelf will keep the personal information unless and until such End User requests and confirms that RedShelf anonymize his/her account, pursuant to sections 5.1 through 5.3.


iii.   Institution’s request to anonymize – In the event an Institution directs RedShelf to de-identify certain or all Personally Identifiable Information relating to its students, RedShelf will only do so to the extent described in section 5.3. a. through c.

iv. Once anonymized, RedShelf no longer recognizes such End User, and cannot prevent End User's information from being pulled back in through the Inclusive Access program of the End User’s institution in a following term or semester.

6. Data Security

6.1.  RedShelf’s Security measures – RedShelf uses commercially reasonable physical, managerial, and technical safeguards to preserve the integrity and security of RedShelf’s systems and End Users’ personal information. These measures can only be effective to the extent End User applies equally reasonable precautionary measures. RedShelf verifies End User's identity before granting account access to his/her account and Content, or before making corrections to End User's User Information of User Content. However, END USER IS RESPONSIBLE FOR MAINTAINING THE SECRECY OF HIS/HER LOGIN INFORMATION AT ALL TIMES.


6.2.  No warranty – RedShelf cannot, however, ensure or warrant the security of any information End User transmits to RedShelf, and End User does so at his/her own risk. Once RedShelf receives End User’s transmission of information, RedShelf makes commercially reasonable efforts to ensure the security of our systems. However, please note that RedShelf does not guarantee that such information will not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards. No data transmission over the Internet or information storage technology can be guaranteed to be 100% secure. SECURITY MECHANISMS IN THE SERVICES HAVE INHERENT LIMITATIONS.

7. RedShelf's Commitment to Children's Privacy

7.1.  Children’s Privacy Protection – Protecting the privacy of young children is especially important. For that reason, RedShelf does not knowingly collect or maintain personal information from persons under 13 years-of-age.  

a. If RedShelf learns that personally-identifiable information of persons less than 13-years-of-age has been collected on or through RedShelf, then RedShelf will take the appropriate steps to delete this information.

b. RedShelf invites the parent or legal guardian of a child under 13 who has become a RedShelf End User, to click here to complete this form to have that child’s account terminated and information deleted.


7.2.  Between 13 and 18 years old? – End Users between the age of 13 and 18 may only use the RedShelf Platform with the explicit consent of their parent(s) or legal guardian(s). RedShelf will only allow the signing on of such End User upon receipt of a duly filled out and signed parental consent form through which such parent (s) or legal guardian(s) accept(s) both RedShelf’s Terms of Use and Privacy Notice for their child. Please click here to complete this form so we can help you set up your account and connect with your parent(s)/ legal guardian(s). 


For Inclusive Access Students between 13 and 18, parental consent forms are collected by the students’ Institution.


7.3.  Monitoring tools for parents - The following are some resources that may help parents and legal guardians in monitoring and limiting your children’s access to certain types of material on the internet. While RedShelf does not endorse these products, RedShelf provides information about them as a public service to our community.

  • "OnGuard Online," maintained by the Federal Trade Commission.

  • WiredSafety

  • Netsmartz.org

  • The Child Safety Network

  • Control Kids

  • Cyber Sitter

  • Net Nanny

8. International Visitors

For users visiting RedShelf from non-U.S. Territories, please note that any data that passes through RedShelf will be transferred outside such non-U.S. Territory for use by RedShelf and its affiliates for any of the purposes outlined in this Privacy Notice. By providing data to RedShelf, End User hereby expressly consents to such transfers of data to the United States or other countries. 

9. Changes and Updates to This Privacy Notice

This Privacy Notice may be revised periodically, which will be reflected by an updated “last modified” date mentioned at the top of this document. End User will be notified of any updates to this Privacy Notice and will be asked to re-accept them. 


For Institutional End Users, RedShelf will not change what Data is collected, or how Data is used or shared under the terms of this Privacy Notice without notice to End Users’ Institution.


10. RedShelf Contact Information

RedShelf is committed to addressing and resolving any complaints about End User privacy and RedShelf’s collection or use of End Users’ personal information. For all questions, inquiries or complaints regarding this Privacy Notice or RedShelf’s privacy practices, please first contact RedShelf at: RedShelf, Inc., 500 N Dearborn St. Suite 1200, Chicago, IL 60654, or click here to complete this form. RedShelf will respond to your inquiry within 30 days of its receipt.



  • RedShelf LinkedIn Link
  • RedShelf Facebook Link
  • YouTube - White Circle
  • RedShelf Twitter Link

​© 2021 by RedShelf