MagicSchool privacy policy

Effective as of January 30th, 2026

Prior Privacy Policy

Magic School, Inc. ("MagicSchool," "we", "us" or "our") provides teachers and school staff (“Educators”) with online access to generative artificial intelligence tools. This Privacy Policy describes how MagicSchool processes personal information that we collect as a controller through our digital or online properties or services that link to this Privacy Policy including our website and related marketing activities, and other activities described in this Privacy Policy (collectively, the “Service”).

MagicSchool may provide additional or supplemental privacy policies to individuals for specific products or services that we offer at the time we collect personal information.  For example, this Privacy Policy is not intended to cover information we collect from students. Please see our Notice of MagicSchool’s Practices Relating to Children’s Online Privacy for more information regarding how we collect and process students’ personal information.  

This Privacy Policy does not apply to information that we process as a service provider on behalf of schools, school districts, governmental entities, and our business customers (such as learning or tutoring centers) (each, a “Customer”) while providing the MagicSchool platform to them (for example, via our enterprise subscription).  In addition, certain personal information processed on behalf of our Customers may be subject to the Family Educational Rights and Privacy Act (“FERPA”), meaning we will only use personal information that is considered to be “personally identifiable information” maintained as part of “education records” (as both are defined under FERPA) for legitimate educational interests, which include providing the Service to our Customers. 

MagicSchool does not independently disclose Student Data as “directory information” under FERPA. Any designation or disclosure of “directory information” under FERPA is determined and managed by the applicable School or educational agency in accordance with its own policies, notices, and opt-out processes. Where MagicSchool processes Student Data on behalf of a School, we do so solely under the School’s instructions and applicable agreements. Our use of information that we process on behalf of Customers is governed by our agreements with such Customers, and our Customers may also have their own privacy policies that govern their users’ personal information collected in connection with their use of our Service. Those privacy policies will govern how each Customer processes personal information and explain any rights their users may have to such personal information (including any rights under FERPA). If you have questions regarding personal information that MagicSchool processes on behalf of a Customer, or wish to exercise rights relating to that information, please contact the applicable Customer.

Magic School's Commitments Regarding Student Data

To the extent MagicSchool processes Student Data on behalf of a Customer, our Student Data practices are governed by our agreements with the Customer and our applicable student-facing notices and policies; the commitments below reflect MagicSchool’s approach to Student Data where applicable.

We do not:

  • Sell student personal data.
  • Share student personal data for non-educational or commercial purposes.
  • Use student data for targeted advertising, behavioral advertising, or marketing.
  • Engage in profiling of students except where strictly necessary to provide an educational service requested by a school or educator, and never for advertising or commercial decision-making.
  • Use Student Data to train, fine-tune, or improve artificial intelligence or machine learning models, including large language models, or permit any third-party AI provider to do so.
  • Employ manipulative, deceptive, or “dark-pattern” design practices that encourage students to disclose more personal data than is necessary or that undermine their autonomy or well-being.
  • Collect or process precise geolocation data, biometric data, or other sensitive personal data from students unless required for a specific educational purpose and permitted by law.

Magic School designs and operates its services to avoid practices reasonably likely to cause material harm to children, including physical, emotional, developmental, or privacy-related harm.

These commitments apply only to Student Data processed by MagicSchool as a service provider or processor on behalf of Schools or other Customers and do not alter this Privacy Policy’s terms governing personal information processed by MagicSchool as a controller.

NOTICE TO EU/UK USERS: Please see the Notice to European/UK Users section below for additional information for individuals located in the European Economic Area or United Kingdom (which we refer to as “Europe”, and “European” should be understood accordingly).

Personal information we collect

Sources of personal information may include information provided directly by you, information collected automatically through your use of the Service, and information received from third-party integrations or service providers in connection with providing the Service.

Information about you. Depending on the context in which you interact with us, personal information that we may collect from Educators using our “free” and “plus” subscriptions, school representatives, and website visitors through the Service includes:

  • Contact data, such as your first and last name, salutation, email address, billing and mailing addresses, professional title and company name, and phone number.
  • Profile data, such as the username that you may set to establish an online account on the Service, photograph or picture, profession, school name, grade level(s) served, classes taught, interests, preferences, information about your participation in our contests, promotions, or surveys, and any other information that you add to your account profile.  
  • Communications data based on our exchanges with you, including when you contact us through the Service, communicate with us via chat features (e.g., using Raina, our AI chatbot), social media, or otherwise.
  • Transactional data, such as information relating to or needed to complete your subscriptions on or through the Service, including order numbers and transaction history. 
  • Marketing data, such as your preferences for receiving our marketing communications and details about your engagement with them.
  • Inputs, prompts and user-generated content data, such as information that you upload/use as an input or prompt to, presentations that you create and other academic content that you generate, comments, questions, messages, works of authorship, and other content or information that you generate, transmit, or otherwise make available on the Service, as well as associated metadata. 
  • Payment data needed to complete transactions is collected and processed directly by our payment processor, such as Stripe, as further described below in the “How We Share Your Personal Information” section.
  • Job applicants and employees: Please review our “Applicant & Employee Privacy Notice” which details our data collection and secure processing details.
  • Other data not specifically listed here, including data inferred or derived from the categories listed in this section, which we will use as described in this Privacy Policy or as otherwise disclosed at the time of collection.

We ask that you not provide us with any sensitive personal information (e.g., social security numbers, financial account numbers, government ID numbers, information related to racial or ethnic origin, political opinions, religious or other beliefs, health, biological, biometric or genetic information, criminal background information, or similar data) on or through the Service or otherwise.

Automatic data collection. We and our service providers may automatically log information about you, your computer or mobile device, and your interaction over time with the Service and our communications (such as emails), and our websites: 

  • Device data, such as your computer or mobile device’s operating system type and version, manufacturer and model, browser type, screen resolution, RAM and disk size, CPU usage, device type (e.g., phone, tablet), IP address, unique identifiers used for security, fraud prevention, and service operation, language settings, mobile device carrier, radio/network information (e.g., Wi-Fi, LTE, 3G), and general location information such as city, state or geographic area.
  • Online activity data, such as pages or screens you viewed, how long you spent on a page or screen, the website you visited before browsing to the Service, navigation paths between pages or screens, information about your activity on a page or screen, access times and duration of access, and whether you have opened our emails or clicked links within them.
  • Communication interaction data such as your interactions with our email, text or other communications (e.g., whether you open and/or forward emails) – we may do this through use of pixel tags (which are also known as clear GIFs), which may be embedded invisibly in our emails. 

Tracking and other technologies

Cookies, web beacons and other tracking technologies.
We may also use various technical mechanisms such as cookies, web beacons and similar tracking technologies to monitor how users use our Services. "Cookies" are small pieces of information that a website sends to your computer's hard drive while you are viewing a website. "Web beacons" refer to various tracking technologies used to check whether you have accessed some content on our Services. We use cookies for the following purposes, specifically:

  • Performance Cookies: These cookies allow us to count visits and traffic sources, so we can measure and improve the performance of our site. They help us know which pages are the most and least popular and see how visitors move around the site. The information collected through these cookies is generally aggregated or pseudonymous and used to understand usage patterns and improve site performance. If you do not allow these cookies, we will not know when you have visited our site.
  • Functional Cookies: These cookies allow the provision of enhanced functionality and personalization, such as videos. They may be set by us or by third-party providers whose services we have added to our pages. If you do not allow these cookies, then some or all of these features may not function properly.
  • Strictly Necessary Cookies: These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site may not work then.

Where required by law, we provide choices for optional cookies through our cookie consent tools, and you may update your preferences at any time.

We may link the information we store in cookies or through other mechanisms to the personal information you submit while using our Services. We may use both session cookies (which expire once you close your web browser) and persistent cookies (which stay on your computer until you delete them) to provide you with a more personal and interactive experience on our Services. You can remove persistent cookies at any time by following the directions in the "Help" section of your Internet browser. You can also disable all cookies on your Internet browser. If you choose to disable cookies, be advised that you can still visit our Websites, but some components of our Services may not be available or work properly.

We do not allow third parties to use a user’s data to create an automated profile or engage in data enhancement for the purposes of personalized advertisement.

We use third-party analytics and tracking tools solely to help deliver and improve our Services. These third-party service providers are prohibited from using your personal information for their own purposes, including creating profiles or engaging in targeted advertising.

How we use your personal information

We may use your personal information for the following purposes or as otherwise described at the time of collection:

Service delivery and operations. We may use your personal information to:

  • provide the Service;
  • enable security features of the Service;
  • transmit your inputs to our Third-Party AI Providers for processing and to receive outputs, as necessary to fulfill your requests;
  • establish and maintain your user profile on the Service;
  • communicate with you about the Service, including by sending Service-related announcements, updates, security alerts, and support and administrative messages;
  • communicate with you about events or contests in which you participate; and
  • provide support for the Service, and respond to your requests, questions and feedback.

Service personalization, which may include using your personal information to:

  • understand your needs and interests;
  • personalize your experience with the Service and our Service-related communications; and
  • remember your selections and preferences as you navigate webpages.

Service improvement and analytics. We may use your personal information to analyze your usage of the Service, improve the Service, improve the rest of our business, help us understand user activity on the Service, including which pages are most and least visited and how visitors move around the Service, as well as user interactions with our emails, and to develop new products and services. For more information on analytics, see our “Cookie Notice”. 

Marketing and advertising. We may use personal information to send marketing communications to educators, administrators, or other adult users and to measure engagement with those communications at an aggregate level. You may opt out of marketing communications as described in the “Opt-out of communications” section below. MagicSchool does not allow third parties to use personal information for targeted advertising or behavioral profiling. Marketing service providers act solely on MagicSchool’s behalf and are contractually restricted from using personal information for their own purposes. Marketing communications do not involve Student Data.

Compliance and protection. We may use your personal information to:

  • comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas, investigations or requests from government authorities;
  • protect our, your or others’ rights, privacy, safety or property (including by making and defending legal claims); 
  • audit our internal processes for compliance with legal and contractual requirements or our internal policies; 
  • enforce the terms and conditions that govern the Service; and 
  • prevent, identify, investigate and deter fraudulent, harmful, unauthorized, unethical or illegal activity, including cyberattacks and identity theft.  

Data sharing in the context of corporate changes of control. We may share certain personal information in the context of actual or prospective corporate changes of control – for more information, see “How we share your personal information” below.

To create aggregated, de-identified and/or anonymized data. We may create aggregated, de-identified and/or anonymized data from your personal information and that of other individuals whose personal information we collect. We make personal information into de-identified and/or anonymized data by removing information that makes the data identifiable to you. We may use this aggregated, de-identified and/or anonymized data and share it with third parties for our lawful business purposes, including to analyze and improve the Service and promote our business. We do not attempt to re-identify it and do not share de-identified children’s data for advertising or unrelated commercial purposes. 

Third-Party AI Services

We use application programming interfaces ("APIs") from multiple AI vendors to power the AI functionality of our Services. A current list of these vendors can be found in our subprocessors list.

We prioritize data security and compliance with applicable data protection laws. However, we recommend reviewing the privacy policies of our AI providers to understand their specific data handling practices.

Fairness, Bias, and Disparate Impact Considerations. MagicSchool recognizes that AI-enabled features may perform differently across individuals and groups and may produce unintended or disparate impacts. We take reasonable steps, consistent with the educational context of our Services, to evaluate and reduce the risk of unfair outcomes. These steps may include testing, monitoring, and selecting models or configurations designed to promote educational suitability, safety, and reliability.

MagicSchool does not engage in automated decision-making or profiling that produces legal or similarly significant effects, as described in the “No Automated Decision-Making and Profiling” section below. Educators and Schools remain responsible for reviewing outputs and exercising professional judgment when applying outputs in educational settings.

Key items of note:

  • MagicSchool does not use personal information to train artificial intelligence or machine learning models.
  • Artificial intelligence service providers engaged by MagicSchool act solely as service providers and are contractually prohibited from using any data processed on MagicSchool’s behalf to train, develop, or improve their own models.
  • Data transmitted through artificial intelligence APIs is retained only for a limited period, solely for purposes such as abuse and misuse monitoring, security, and compliance, and is deleted within thirty (30) days, unless a longer retention period is required by applicable law.

Retention

We retain personal information to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements, to establish or defend legal claims, or for fraud prevention purposes. To determine the appropriate retention period for personal information, we may consider factors such as the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements. 

How we share your personal information

We may share your personal information with the following parties and as otherwise described in this Privacy Policy, in other applicable notices, or at the time of collection.  

  • Service providers. Third parties that provide services on our behalf or help us operate the Service or our business (such as hosting, information technology, customer support, online chat functionality providers, email delivery, marketing, consumer research and website analytics). 
  • Payment processors. Any payment card information you use to make a purchase on the Service is collected and processed directly by our payment processors, such as Stripe. Stripe may use your payment data in accordance with its privacy policy (see Stripe’s Privacy Policy at https://stripe.com/privacy).
  • Third parties designated by you. We may share your personal information with third parties where you have instructed us or provided your consent to do so. 
  • Linked third-party services. If you log into the Service with, or otherwise link your Service account to, a social media or other third-party service, we may share your personal information with that third-party service. The third party’s use of the shared information will be governed by its privacy policy and the settings associated with your account with the third-party service.
  • Professional advisors. Professional advisors, such as lawyers, auditors, bankers and insurers, where necessary in the course of the professional services that they render to us.
  • Authorities and others. Law enforcement, government authorities, and private parties, as we believe in good faith to be necessary or appropriate for the “Compliance and protection purposes” described above. 
  • Business transferees. We may disclose personal information in the context of actual or prospective business transactions (e.g., investments in MagicSchool, financing of MagicSchool, public stock offerings, or the sale, transfer or merger of all or part of our business, assets or shares). For example, we may need to share certain personal information with prospective counterparties and their advisers. We may also disclose your personal information to an acquirer, successor, or assignee of MagicSchool as part of any merger, acquisition, sale of assets, or similar transaction, and/or in the event of an insolvency, bankruptcy, or receivership in which personal information is transferred to one or more third parties as one of our business assets.

Your rights and choices 

In this section, we describe the rights and choices available to all users. Users who are located in Europe can find additional information about their rights below.

Access or update your information. If you have registered for an account with us through the Service, you may review and update certain account information by logging into the account. 

Opt-out of communications. You may opt-out of marketing-related emails by following the opt-out or unsubscribe instructions at the bottom of the email, or by contacting us. Please note that if you choose to opt-out of marketing-related emails, you may continue to receive service-related and other non-marketing emails.  

Cookies. For information about cookies employed by the Service and how to control them, see our “Cookie Notice.” 

Blocking images/clear gifs: Most browsers and devices allow you to configure your device to prevent images from loading. To do this, follow the instructions in your particular browser or device settings.

Do Not Track. Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to “Do Not Track” signals. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com.

Declining to provide information. We need to collect personal information to provide certain services. If you do not provide the information we identify as required or mandatory, we may not be able to provide those services.

Linked third-party platforms. If you choose to connect to the Service through your social media account or other third-party platform, you may be able to use your settings in your account with that platform to limit the information we receive from it. If you revoke our ability to access information from a third-party platform, that choice will not apply to information that we have already received from that third party.

Delete your content or close your account. You can choose to delete certain content through your account. If you wish to request to close your account, please contact us.

Other sites and services

The Service may contain links to websites, mobile applications, and other online services operated by third parties. In addition, our content may be integrated into web pages or other online services that are not associated with us. These links and integrations are not an endorsement of, or representation that we are affiliated with, any third party. We do not control websites, mobile applications or online services operated by third parties, and we are not responsible for their actions. We encourage you to read the privacy policies of the other websites, mobile applications and online services you use.

Account Visibility and Display Controls. MagicSchool’s Services are designed so that personal information is not displayed publicly. Depending on the Service feature and the account type, certain account information (such as name, school, role, and profile photo if provided) may be visible to other authorized users within the same School or organization (for example, administrators or other Educators) as necessary to operate the Service. Where display controls are available in your account settings, you may update your profile information and certain visibility settings by logging into your account. If your account is provisioned or managed by a School or other Customer, the School or Customer may control which information is shared within its environment.

Security 

We employ technical, organizational and physical safeguards designed to protect the personal information we collect such as, but not limited to: 

  • Use of encryption technologies to protect customer data both at rest and in transit
  • System features and configuration settings designed to authorize user access while restricting unauthorized users from accessing information not needed for their role.
  • Use of intrusion detection systems to prevent and identify potential security attacks from users outside the boundaries of the system.
  • Regular vulnerability scans over the system and network, and penetration tests over the production environment
  • Operational procedures for managing security incidents and breaches, including notification procedures.
  • Use of data retention and data disposal

Additionally, Magic School undergoes an annual SOC 2 Type II audit based on Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy. A copy of our Report is posted here on our website under the ‘Our Policies’ section.

However, no method of transmission over the Internet or method of electronic storage is completely secure, and we cannot guarantee absolute security.

Additional Information for California Residents

If you are a California resident, California law requires us to provide you with some additional information regarding how we collect, use, and share your "personal information" as defined in the California Consumer Privacy Act ("CCPA").

How We Source, Use, and Disclose Information for Business Purposes.
The chart below details the categories of personal information we collect, the sources of such personal information, and how we use and share such information for business purposes.

Chart columns: Categories of Personal Information Collected | Sources of Personal Information | Purposes for Use of Personal Information (see "How We Use the Data We Collect" for more information) | Disclosures of Personal Information for Business Purposes (see "Information Sharing and Disclosure" for more information)

Category: Contact information (e.g., name, email address, organization, role, phone number, mailing address including state/province, country)

Sources:
  • You, through your use of the Service

Purposes for use:
  • Provide the services requested and customer service
  • Communicate with you
  • Analyze use of and personalize the services
  • Improve the services
  • Provide security, prevent fraud, and for de-bugging
  • Comply with legal requirements

Disclosures for business purposes:
  • Service providers
  • Law enforcement in the event of a lawful request
  • With entities in the event of a business transaction
  • With your consent

Category: Financial and transactional information (e.g., payment account information and donation history)

Sources:
  • You
  • Payment processors

Purposes for use:
  • Process service fees
  • Communicate with you
  • Comply with legal requirements

Disclosures for business purposes:
  • Payment processors
  • Law enforcement in the event of a lawful request
  • With entities in the event of a business transaction
  • With your consent

Category: Login information (e.g., account name/username)

Sources:
  • You, through your device

Purposes for use:
  • Provide the services and customer service
  • Analyze use of and personalize the services
  • Improve the services
  • Provide security, prevent fraud, and for de-bugging
  • Comply with legal requirements

Disclosures for business purposes:
  • Service providers
  • Law enforcement in the event of a lawful request
  • With entities in the event of a business transaction
  • With your consent

Category: Device and online identifier information (e.g., IP address, browser type, operating system, general location inferred from IP address, and similar information)

Sources:
  • You, through your use of the Service

Purposes for use:
  • Provide the services requested and customer service
  • Communicate with you
  • Analyze use of and personalize the services
  • Improve the services
  • Provide security, prevent fraud, and for de-bugging
  • Comply with legal requirements

Disclosures for business purposes:
  • Service providers
  • Law enforcement in the event of a lawful request
  • With entities in the event of a business transaction
  • With your consent

Category: Service usage information (e.g., the dates and times you use the services, how you use the services, and the content you interact with on the services)

Sources:
  • You, through your use of the Service

Purposes for use:
  • Provide the services and customer service
  • Analyze use of and personalize the services
  • Improve the services
  • Provide security, prevent fraud, and for de-bugging
  • Comply with legal requirements

Disclosures for business purposes:
  • Service providers
  • Law enforcement in the event of a lawful request
  • With entities in the event of a business transaction
  • With your consent

Please note that the above chart does not describe the Student Data that we process. For more information about our privacy practices with regard to Student Data, please refer to our Student Data Policy. In short – Student Data are processed solely on behalf of specific Educational Institutions under a student data privacy agreement. If you have questions about an Educational Institution’s privacy practices, you should contact the Educational Institution directly.

Your California Privacy Rights.
If you are a California resident, the CCPA allows you to make certain requests about your personal information. Specifically, the CCPA allows you to request us to:

  • Inform you about the categories of personal information we collect or disclose about you; the categories of sources of such information; the business or commercial purpose for collecting your personal information; and the categories of third parties with whom we share/disclose personal information.
  • Provide access to and/or a copy of certain personal information we hold about you.
  • Delete certain personal information we have about you.
  • Provide you with information about the financial incentives that we offer to you, if any.

The CCPA further provides you with the right not to be discriminated against (as provided for in applicable law) for exercising your rights. Please note that certain information may be exempt from such requests under California law. For example, we need certain information in order to provide our services to you. We also will take reasonable steps to verify your identity before responding to a request. In doing so, we may ask you for verification information so that we can match at least two verification points with information we maintain in our files about you. If we are unable to verify you through this method, we shall have the right, but not the obligation, to request additional information from you.

Please also note that if your personal information has been collected by MagicSchool as a result of a Customer's (as defined above) use of our services, MagicSchool collects and maintains your personal information under the directions of the relevant Customer. If these circumstances apply to you and you wish to access or delete any personal information that we have collected about you, please direct your query to the relevant Customer as this may expedite the completion of your request. We nevertheless provide reasonable assistance to our Customers to give effect to consumer choices as appropriate and required by applicable laws.

If you would like further information regarding your legal rights under California law or would like to exercise any of them, or if you are an authorized agent making a request on a California consumer's behalf, please contact us at [email protected]

The CCPA provides certain rights if a company "sells" personal information, as such term is defined under the CCPA. MagicSchool does not engage in activities that would be considered "sales" of personal information under the CCPA.

Shine the Light Disclosure: The California "Shine the Light" law gives residents of California the right under certain circumstances to request information from us regarding the manner in which we share certain categories of personal information (as defined in the Shine the Light law) with third parties for their direct marketing purposes. We do not share your personal information with third parties for their own direct marketing purposes.

Do Not Track Signals:
MagicSchool does not track users over time and across third-party websites and therefore does not respond to Do Not Track ("DNT") signals from web browsers. Further, because there currently is no industry standard concerning what, if anything, a service should do when it receives such signals, we currently do not take action in response to these signals.

Other US State Laws

Data protection laws in the United States continue to evolve, and multiple states have enacted comprehensive privacy statutes and education-specific student data privacy laws that may apply to MagicSchool’s processing of personal information, depending on the circumstances.

In addition to California, MagicSchool monitors and complies with applicable requirements under other U.S. state privacy and student data protection laws, including, but not limited to:

  • Colorado (Colorado Privacy Act)
  • Connecticut (Connecticut Data Privacy Act)
  • Delaware (Delaware Personal Data Privacy Act)
  • Florida (Florida Digital Bill of Rights)
  • Iowa (Iowa Consumer Data Protection Act)
  • Indiana (Indiana Consumer Data Protection Act)
  • Montana (Montana Consumer Data Privacy Act)
  • Oregon (Oregon Consumer Privacy Act)
  • Texas (Texas Data Privacy and Security Act)
  • Utah (Utah Consumer Privacy Act)
  • Virginia (Virginia Consumer Data Protection Act)
  • New York (Education Law §2-d, where MagicSchool processes Student Data on behalf of New York educational institutions)

Depending on the applicable law and your state of residence, you may have certain rights with respect to your personal information, which may include the right to:

  • request access to personal information;
  • request correction of inaccurate personal information;
  • request deletion of personal information;
  • obtain a copy of certain personal information, where required by law; and
  • opt out of certain processing activities, such as targeted advertising or profiling, where applicable.

The availability and scope of these rights vary by state and may depend on MagicSchool’s role as a controller or as a service provider/processor acting on behalf of a School or other Customer. Where MagicSchool processes personal information, including Student Data, on behalf of a School or other Customer, privacy rights requests relating to such data may need to be directed to the applicable School or Customer in accordance with applicable law.

MagicSchool responds to verifiable privacy rights requests in accordance with applicable state privacy and student data protection laws. To submit a request or to obtain additional information, please contact us at [email protected]. We may take reasonable steps to verify your identity and the authenticity of the request, as required or permitted by law.

Children  

Our Service is designed for Educators and schools. If you are a parent or guardian of a child from whom you believe we have collected personal information in a manner prohibited by law, please contact us. If we learn that we have collected personal information through the Service from a child without consent as required by law, we will comply with applicable legal requirements to delete the information.

Students under the age of 18 may only access the Service through MagicSchool’s agreement with a Customer. If you are a parent or guardian of a child from whom you believe we have collected personal information through an agreement with a Customer, and you would like to review, manage or delete that child’s personal information, please contact the Customer directly. Where MagicSchool has entered into an agreement with a Customer, we cannot change or delete that data without the Customer’s consent. 

Notice to European and UK Users

Where this Notice to European and UK users applies. The information provided in this “Notice to European and UK users” section applies only to individuals in the European Economic Area (i.e., “Europe” as defined at the top of this Privacy Policy) and the United Kingdom (“UK”).

Personal information. References to “personal information” in this Privacy Policy should be understood to include a reference to “personal data” (as defined in the GDPR) – i.e., information about individuals from which they are either directly identified or can be identified.   

Controller. MagicSchool is the controller in respect of the processing of your personal information covered by this Privacy Policy for purposes of European data protection legislation (i.e., the EU GDPR and the ‘UK GDPR’ (as and where applicable, the “GDPR”)). See the ‘How to contact us’ section above for our contact details.

Processor. MagicSchool acts as a data processor when it processes personal data on behalf of its customers, including schools, school districts, and other educational institutions, that are the data controllers. In these circumstances, MagicSchool processes personal data solely on the documented instructions of the applicable educational institution, and such processing is governed by a data processing agreement or similar contractual terms.

Our GDPR Representatives. We have appointed the following representatives in Europe and the UK pursuant to Article 27 of the GDPR – you can also contact them directly should you wish as follows:

Our EU representative appointed under the EU GDPR is Global GmbH. You can contact them:

  • By email to: [email protected].
  • By postal mail to: EU-REP.Global GmbH, Attn: MagicSchool, Inc., 24114 Kiel, Germany 

Our UK representative appointed under the UK GDPR is DP Data Protection Services UK Ltd. You can contact them:

  • By email to: [email protected].
  • By postal mail to: DP Data Protection Services UK Ltd., Attn: MagicSchool, Inc., 16 Great Queen Street, Covent Garden, London, WC2B 5AH, United Kingdom

EU-US + UK Extension Data Privacy Framework

Magic School complies with the EU–U.S. Data Privacy Framework (EU–U.S. DPF) and the UK Extension to the EU–U.S. DPF, as set forth by the U.S. Department of Commerce. Magic School has certified to the U.S. Department of Commerce that it adheres to the EU–U.S. Data Privacy Framework Principles (EU–U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU–U.S. DPF and the UK Extension to the EU–U.S. DPF. If there is any conflict between the terms in this Privacy Policy and the EU–U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/

Under the terms of the Framework, MagicSchool is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).

We adhere to the DPF Principles and Supplemental Principles, including but not limited to:

  • Providing Notice about the collection and use of personal data and the purposes for which it is processed;
  • Offering Choice and means for individuals to opt out of certain data uses where required;
  • Maintaining Accountability for Onward Transfers of personal data to third parties;
  • Implementing Security measures to protect personal data;
  • Ensuring Data Integrity and Purpose Limitation consistent with what was described at the time of transfer;
  • Providing individuals with Access mechanisms to review, correct, or delete their personal data; and
  • Maintaining Recourse, Enforcement and Liability mechanisms to address individual concerns or complaints.

Dispute Resolution

If a privacy complaint or dispute relating to Personal Data received by MagicSchool in reliance on the Data Privacy Framework (or any of its predecessors) cannot be resolved through our internal processes, we have agreed to participate in the VeraSafe Data Privacy Framework Dispute Resolution Procedure. Subject to the terms of the VeraSafe Data Privacy Framework Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe and participate in the VeraSafe Data Privacy Framework Dispute Resolution Procedure, please submit the required information here: https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/. If a complaint or dispute cannot be resolved through our internal process, we have also agreed to cooperate with the EU and UK data protection authorities and to participate in the dispute resolution procedures of the panel established by such data protection authorities.

Binding Arbitration

If your dispute or complaint related to your Personal Data that we received in reliance on the Data Privacy Framework cannot be resolved by us, nor through the dispute resolution mechanism mentioned above, you may have the right to require that we enter into binding arbitration with you under the Data Privacy Framework “Recourse, Enforcement and Liability” Principle and Annex I of the Data Privacy Framework.

Compliance with GDPR Data Protection Principles

MagicSchool processes personal data in accordance with the data protection principles set out in the EU General Data Protection Regulation (“GDPR”), the UK General Data Protection Regulation (“UK GDPR”), and applicable data protection laws. These principles guide how we design, operate, and review our Services and how we handle personal data.

In particular, MagicSchool adheres to the following principles:

  • Lawfulness, fairness, and transparency – We process personal data lawfully, fairly, and in a transparent manner, including by providing clear and accessible information about our data processing practices and relying on appropriate lawful bases.
  • Purpose limitation – We collect and process personal data only for specified, explicit, and legitimate purposes and do not further process personal data in a manner that is incompatible with those purposes.
  • Data minimisation – We seek to ensure that personal data is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
  • Accuracy – We take reasonable steps to ensure that personal data is accurate and, where necessary, kept up to date, and to rectify or delete inaccurate personal data without undue delay.
  • Storage limitation – We retain personal data only for as long as is necessary to fulfil the purposes for which it is processed, to comply with legal obligations, or as otherwise permitted under applicable agreements.
  • Integrity and confidentiality – We implement appropriate technical and organisational measures designed to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage.

Our legal bases for processing 

In respect of each of the purposes for which we use your personal information, the GDPR requires us to ensure that we have a “legal basis” for that use. 

Our legal bases for processing your personal information described in this Privacy Policy are listed below.

  • Where we need to perform a contract we are about to enter into or have entered into with you (“Contractual Necessity”).
  • Where it is necessary for our legitimate interests and your interests and fundamental rights do not override those interests (“Legitimate Interests”). More detail about the specific legitimate interests pursued in respect of each Purpose we use your personal information for is set out in the table below.
  • Where we need to comply with a legal or regulatory obligation (“Compliance with Law”).
  • Where we have your specific consent to carry out the processing for the Purpose in question (“Consent”).  

We have set out below, in a table format, the legal bases we rely on in respect of the relevant Purposes for which we use your personal information – for more information on these Purposes and the data types involved, see ‘How we use your personal information’.

Purpose: Service delivery and operations
Categories of personal information involved:
  • Contact data
  • Profile Data
  • Communications data
  • Transactional Data
  • User-generated content data
  • Relationship data
  • Payment data
  • Data from Third Party Sources
  • Device data
Legal basis:
  • Contractual Necessity.

Purpose: Service personalization
Categories of personal information involved:
  • Contact data
  • Profile Data
  • Communications data
  • Transactional Data
  • User-generated content data
  • Relationship data
  • Payment data
  • Data from Third Party Services
  • Device data
  • Location data
Legal basis:
  • Legitimate Interests. We have a legitimate interest in providing you with a good service, which is personalized to you and that remembers your selections and preferences.
  • Consent, in respect of any optional cookies used for this purpose.

Purpose: Service improvement and analytics
Categories of personal information involved:
  • Contact data
  • Profile data
  • Device data
  • Online activity data
  • Location data
  • Communication interaction data
Legal basis:
  • Legitimate Interests. We have a legitimate interest in providing you with a good service and analysing your use of our Services to improve our Services.
  • Consent, in respect of any optional cookies used for this purpose.

Purpose: Direct marketing
Categories of personal information involved:
  • Contact data
  • Profile data
  • Communications data
  • Transactional data
  • Marketing data
Legal basis:
  • Legitimate Interests. We have a legitimate interest in promoting our operations and goals as an organisation and sending marketing communications for that purpose.
  • Consent, in circumstances or in jurisdictions where consent is required under applicable data protection laws to the sending of any given marketing communications.

Purpose: Compliance and protection
Categories of personal information involved:
  • Any and all data types relevant in the circumstances
Legal basis:
  • Compliance with Law.
  • Legitimate Interests. Where Compliance with Law is not applicable, we and any relevant third parties have a legitimate interest in participating in, supporting, and following legal process and requests, including through co-operation with authorities. We and any relevant third parties may also have a legitimate interest in ensuring the protection, maintenance, and enforcement of our and their rights, property, and/or safety. We also have a legitimate interest in ensuring the ongoing security and proper operation of our Service and associated IT services, systems, and networks.

Purpose: Data sharing in the context of corporate changes of control
Categories of personal information involved:
  • Any and all data types relevant in the circumstances
Legal basis:
  • Legitimate Interests. We have a legitimate interest in developing our organisation to ensure its operations and goals run smoothly.

Purpose: To create aggregated, de-identified and/or anonymized data
Categories of personal information involved:
  • Any and all data types relevant in the circumstances
Legal basis:
  • Legitimate Interests. We have a legitimate interest, and believe it is also in your interests, that we are able to take steps to ensure that our Services and how we use Personal Information are as un-privacy intrusive as possible.

Purpose: Further uses
Categories of personal information involved:
  • Any and all data types relevant in the circumstances
Legal basis:
  • The original legal basis relied upon, if the relevant further use is compatible with the initial purpose for which the Personal Information was collected.
  • Consent, if the relevant further use is not compatible with the initial purpose for which the personal information was collected.

Retention

MagicSchool retains personal data in accordance with the “Retention” section above. For individuals located in Europe or the United Kingdom, personal data is retained only for as long as necessary for the purposes described in this Privacy Policy, to comply with applicable legal obligations, or as otherwise permitted under applicable agreements, consistent with the GDPR and UK GDPR principles of storage limitation.

Other info

No sensitive personal information. We ask that you not provide us with any sensitive personal information (e.g., social security numbers, information related to racial or ethnic origin, political opinions, religion or other beliefs, health, biometrics or genetic characteristics, criminal background or trade union membership) on or through the services, or otherwise to us. If you provide us with any sensitive personal information when you use the services, you must consent to our processing and use of such sensitive personal information in accordance with this Privacy Policy. If you do not consent to our processing and use of such sensitive personal information, you must not submit such sensitive personal information through our services.

No Automated Decision-Making and Profiling. As part of the Service, we do not engage in automated decision-making and/or profiling, which produces legal or similarly significant effects. 

Your rights

European data protection laws give you certain rights regarding your personal information. If you are located in Europe, you may ask us to take the following actions in relation to your personal information that we hold:

  • Access. Provide you with information about our processing of your personal information and give you access to your personal information.
  • Correct. Update or correct inaccuracies in your personal information.
  • Delete. Delete your personal information where there is no good reason for us continuing to process it - you also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below). 
  • Transfer. Transfer a machine-readable copy of your personal information to you or a third party of your choice.
  • Restrict. Restrict the processing of your personal information, for example if you want us to establish its accuracy or the reason for processing it.
  • Object. Object to our processing of your personal information where we are relying on Legitimate Interests – you also have the right to object where we are processing your personal information for direct marketing purposes.
  • Withdraw Consent. When we use your personal information based on your consent, you have the right to withdraw that consent at any time.  

Exercising These Rights. You may submit these requests by email to [email protected] or our postal address provided above. We may request specific information from you to help us confirm your identity and process your request. Whether or not we are required to fulfill any request you make will depend on a number of factors (e.g., why and how we are processing your personal information). If we reject any request you may make (whether in whole or in part), we will let you know our grounds for doing so at the time, subject to any legal restrictions.

Your Right to Lodge a Complaint with your Supervisory Authority. In addition to your rights outlined above, if you are not satisfied with our response to a request you make, or how we process your personal information, you can make a complaint to the data protection regulator in your habitual place of residence. 

  • For users in the European Economic Area – the contact information for the data protection regulator in your place of residence can be found here: https://edpb.europa.eu/about-edpb/board/members_en
  • For users in the UK – the contact information for the UK data protection regulator is below:

The Information Commissioner’s Office

Water Lane, Wycliffe House

Wilmslow - Cheshire SK9 5AF

Tel. +44 303 123 1113

Website: https://ico.org.uk/make-a-complaint/

Other International Transfers

We are a U.S.-based company and many of our service providers, advisers, partners or other recipients of data are also based in the U.S. This means that, if you use the Service, your personal information will necessarily be accessed and processed in the U.S. It may also be provided to recipients in other countries outside Europe.  

This section applies to international transfers that are not covered by an applicable adequacy decision, including transfers not relying on the EU-U.S. Data Privacy Framework or the UK Extension, where applicable.

Where we transfer personal information to recipients located in countries that are not subject to an adequacy decision by the European Commission or the UK Government, we implement appropriate safeguards designed to ensure a level of protection essentially equivalent to that guaranteed under applicable European data protection laws. These safeguards may include:

  • Standard contractual clauses approved by the European Commission or UK authorities; or

  • Other lawful transfer mechanisms permitted under applicable data protection laws.

In limited circumstances, we may rely on a derogation under applicable data protection laws, such as where a transfer is necessary for the performance of a contract or where we have obtained explicit consent.

You may contact us for further information about the specific transfer mechanism relied upon for a particular data transfer.

Supplemental Incident Response Plan Overview

The information below provides a high-level overview of MagicSchool’s incident response practices. For additional details regarding our incident response procedures, please contact [email protected]. MagicSchool maintains a documented incident response program designed to identify, assess, respond to, and remediate suspected or confirmed security incidents. Upon detection of a potential incident, MagicSchool promptly investigates the matter, evaluates whether Personal Information or Student Data may have been affected, and takes appropriate steps to contain, mitigate, and remediate the incident.

Breach Notification: Where required by applicable law or contract, MagicSchool will notify affected individuals, Customers (including Schools), and relevant regulatory or governmental authorities without undue delay and within legally required timeframes. MagicSchool will also implement reasonable remediation measures designed to reduce the likelihood of similar incidents occurring in the future.

Mergers, Acquisitions, and Business Transfers

Over time, Magic School may grow and reorganize. We may share your information, including personal information, with affiliates such as a parent company, subsidiaries, joint venture partners or other companies that we control or that are under common control with us, in which case we will require those companies to agree to use your personal information in a way that is consistent with MagicSchool’s data protection practices and this Privacy Policy.

In the event of a change to our organization such that all or a portion of Magic School or its assets are acquired by or merged with a third party, or in any other situation where personal information that we have collected from users would be one of the assets transferred to or acquired by that third party, this Privacy Policy will continue to apply to your information, and any acquirer would only be able to handle your personal information as per this policy (unless you give consent to a new policy). We will provide you with notice of an acquisition within thirty (30) days following the completion of such a transaction, by posting on our homepage and by email to your email address that you provided to us. If you do not consent to the use of your personal information by such a successor company, subject to applicable law, you may request its deletion from the company.

In the unlikely event that Magic School goes out of business, or files for bankruptcy, we will protect your personal information, and will not sell it to any third party.

Changes to this Privacy Policy 

We may update this Privacy Policy from time to time. If we make material changes that affect how personal information is collected, used, or shared, we will provide notice using reasonable and appropriate means, which may include updating the “Effective” date above, posting the revised Privacy Policy on the Service, or providing additional notice where appropriate.

Where practicable, we will provide advance notice of material changes before they take effect. However, changes may take effect immediately where necessary to comply with legal requirements, address security or fraud risks, or respond to operational needs. Unless otherwise stated, the updated Privacy Policy will be effective as of the date it is posted.

How to contact us

Attn: Compliance Department

4845 Pearl East Cir Ste 118 PMB 83961

Boulder, CO 80301-6112