Student data policy

Notice of Magic School’s Practices Relating to Children’s Online Privacy

Effective as of January 28th, 2026

This Notice of MagicSchool’s Practices Relating to Children’s Online Privacy (“Notice”) describes how Magic School, Inc. (“MagicSchool,” “We,” “Us,” “Our”) collects and protects Personal Information of users in the United States who are under the age of 13 and access Our Service through their Schools.

Certain State student data privacy laws, including Maryland’s HB 603, may define a “child” more broadly as an individual under the age of 18. In addition, international jurisdictions—including but not limited to the European Union, the United Kingdom, Canada, and Australia—may impose additional or different requirements relating to the collection and protection of children’s or minors’ personal data. In those jurisdictions, MagicSchool applies the protections described in this Notice to student users under 18, as required by applicable law or contract.

When Children use a School’s implementation of Our Service, We may collect certain Personal Information. We act as a service provider and data processor for such Personal Information on behalf of Our customers, the Schools (who act as the controllers of such information) and provide consent on behalf of Parents pursuant to COPPA’s school-consent exception and other applicable regulations. Please note Our use and processing of this Personal Information as a processor is governed by Our agreements with the Schools. The Schools may have their own privacy policies that govern the Personal Information collected in connection with their use of Our Service, and the policies of the applicable School govern how they process and share Personal Information relating to the Service, including with respect to any rights users may have to such Personal Information. If We receive any requests to exercise such rights with respect to Personal Information for which We act as a processor, We are not able to directly accommodate such requests but will forward such requests to the applicable School (or otherwise follow the procedure We have agreed upon with the applicable School).  

Our Commitment

Magic School does not:

  • Sell or share student personal data for non-educational or commercial purposes.
  • Use student data for targeted advertising, behavioral advertising, or marketing.
  • Engage in profiling of students except where strictly necessary to provide an educational service requested by a school or educator, and never for advertising or commercial decision-making.
  • Allow large language model (LLM) providers to retain student personal data or train their models on any data associated with use of our platform.
  • Employ manipulative, deceptive, or “dark-pattern” design practices that encourage students to disclose more personal data than is necessary or that undermine their autonomy or well-being.
  • Collect or process precise geolocation data, biometric data, or other sensitive personal data from students unless required for a specific educational purpose and permitted by law.

MagicSchool designs and operates its services to avoid practices reasonably likely to cause material harm to children, including physical, emotional, developmental, or privacy-related harm.

Table of Contents:

Definitions

Capitalized words have special meaning in this Notice and are defined below.

“Child,” “Children” means a user or users of the Service in the United States who are under the age of 13 for purposes of the Children’s Online Privacy Protection Act (“COPPA”); and where required by applicable law or contract, including certain US State and international student privacy laws, MagicSchool will treat “Child” to include users under the age of 18 and will apply the protections described in this Notice accordingly.

Child Account” means the user account, made available through an Educator, through which a Child has access to and uses the Service.

Educator,” “Educators” means an individual, or individuals, authorized to act on behalf of the School contracting with MagicSchool for use of the Service.

Parent” means a legal guardian of a Child.

Personal Information” means information about a Child that can reasonably be used alone or in combination with other reasonably available information, to identify, locate, or contact a specific Child.

Service” means the educational software Service, websites, mobile applications, and any other online interactive features or services that collect Personal Information from Children provided to Schools under MagicSchool’s Master Services Agreement or Terms of Service.

School” means a school, district, or other educational institution that has contracted with MagicSchool for use of the Service.

Child Access and Use of the Service

A Child may only use the Service with the prior consent of a Parent or School acting on behalf of the Child’s Parent in connection with legitimate educational purposes. A Parent’s or School’s consent is required for the collection, use, or disclosure of Personal Information from Children, and MagicSchool will not collect, use or disclose any such Personal Information without such consent. The School may consent to the collection, use or disclosure of Personal Information from Children by entering into an agreement to use the Service

Child Users cannot access or use the Service without first being added by their School or an Educator. Child Users access the Service either through a school-approved single sign-on provider or by entering a room code shared by their School.

If We learn that a Child’s Personal Information has been collected through the Service without the appropriate consent of the Child’s School or Parent, We will take appropriate steps to delete this information. If you are a Parent and discover that your Child has a registered account with the Service without a School or Parent’s consent, please contact the Child’s School to request that We delete that Child’s Personal Information from Our systems. 

Personal Information We Collect

Information provided through use of the Service

MagicSchool only collects information from a Child that is reasonably necessary for the Child to use the Service for educational purposes authorized by a School.  

MagicSchool collects personal information in connection with visits to and use of the Service. The personal information we collect includes the information listed below:

When a Child joins a room created by their teacher, MagicSchool will only collect the user’s first and last name to create an account. If the school opts to use their school-approved SSO provider, the student will be prompted to login using their SSO credentials and the SSO provider will then share with MagicSchool the following information: 

  • Child’s first & last name
  • Student email address
  • School enrollment information such as grade level and School ID.

Information collected automatically

  • Usage information. We and/or Our service providers may automatically collect certain "Usage Information" whenever users, including Children, access and use the Service.  For example, We may collect information regarding how often a user accesses certain features.  Usage Information may include the browser and operating system a user is using, all of the areas within Our Service that users visit, and the time of day they used the Service, among other information. We may use Usage Information for a variety of purposes, including to select appropriate content to display to users and to enhance or otherwise improve the Service.
  • Device information. We and/or Our service providers may collect IP addresses or other unique identifiers ("Device Identifiers") for any computer, mobile phone or any other device (each, a "Device") used to access the Service, including by Children. A Device Identifier is a number that is automatically assigned to the Device used to access the Service, and Our servers identify each individual’s Device by its Device Identifier. Some mobile service providers may also provide Us or Our third-party service providers with information regarding the physical location of the Device used to access the Service, internet service provider (ISP), date and time of a user’s visit, browser language, browser type, referring and exit pages and URLs, amount of time spent on particular pages, which parts of the Service they use, which links users click, search terms, operating system, traffic and related statistics, keywords, and/or other general browsing or Usage Information. The Service may also access files, including metadata, stored on a Device if a user chooses to send or provide access to Us.
  • Information collected via cookies and other tracking technologies. We and/or Our service providers may use “cookies” (a small file sent to your computer by a website or device to allow the website or app to store information which uniquely identifies you) or other similar technology to collect data in order to assist Our users, including Children, and provide them with a more personal experience, to allow for the technical operation of the Service, to enhance the performance and functionality of the Service, and for analytics purposes. Users can disable cookies at their browser or device’s settings, but in that case some (or all) of the features and functionality of the Service may not be available. We do not use cookies or any other tracking technologies to deliver targeted advertising to Children.

Artificial Intelligence and Machine Learning

  • MagicSchool offers artificial intelligence–enabled features to support educational use of the Service, as authorized by the School.
  • MagicSchool does not use Children’s Personal Information to train, retrain, or improve artificial intelligence or machine learning models for general, commercial, or non-educational purposes.
  • We have implemented ‘zero data retention’ with our AI providers such that any materials, prompts, submissions, or student work provided by a Child may be processed transiently by artificial intelligence features, only to generate outputs requested at that time, and are not retained or reused for AI training or improvement.
  • All third-party AI providers act solely as service providers and are contractually prohibited from using Children’s Personal Information for their own purposes.
  • MagicSchool does not use AI for behavioral profiling, targeted advertising, or commercial decision-making about Children.
  • Please review our AI & Data Privacy page for more detailed information on our responsible use of AI.

How We Use Personal Information

MagicSchool uses Children’s Personal Information solely for purposes authorized by the applicable School and consistent with legitimate educational interests, as described below.

Service Delivery and Support. MagicSchool may use a Child’s Personal Information to:

  • Provide and operate the Service for the Child as authorized by the School.
  • Enable features and functionality necessary for the Child’s use of the Service.

Compliance, Safety, and Protection. MagicSchool may use a Child’s Personal Information to:

  • Comply with applicable laws, lawful requests, and legal process, including responding to subpoenas or requests from government authorities.
  • Protect the rights, privacy, safety, and property of MagicSchool, Schools, Children, and others, including by establishing, exercising, or defending legal claims and auditing internal processes for compliance with legal, contractual, and policy requirements.
  • Enforce the terms and conditions that govern the Service.
  • Prevent, identify, investigate, and deter fraudulent, harmful, unauthorized, unethical, or illegal activity, including cybersecurity incidents and misuse of the Service.

Service Operation, Maintenance, and Troubleshooting. MagicSchool may use a Child’s Personal Information only as reasonably necessary to operate, secure, support, and maintain the Service, including to troubleshoot issues, respond to errors, ensure system reliability, and protect the safety and integrity of the Service.

  • MagicSchool does not use Children’s Personal Information for research and development purposes. To the extent MagicSchool conducts product improvement, analytics, or development activities beyond immediate operational support, such activities are performed using aggregated, anonymized, or de-identified data that cannot reasonably be used to identify a Child.
  • MagicSchool does not use Children’s Personal Information for unrelated commercial activities and does not attempt to re-identify aggregated or de-identified data.

Aggregated and De-Identified Data. MagicSchool may create aggregated, anonymized, or de-identified data from Children’s Personal Information by removing information that reasonably identifies a Child.

  • MagicSchool may use and share such aggregated or de-identified data for lawful business purposes, including to analyze, maintain, and improve the Service, provided that such data cannot reasonably be used to identify a Child and is not used for advertising, profiling, or unrelated commercial purposes.

With Consent. MagicSchool may collect, use, or share a Child’s Personal Information for purposes not described above only with the consent of the School or Parent, as required by applicable law.

MagicSchool does not sell Children’s Personal Information and does not engage in targeted advertising, behavioral profiling, or cross-context tracking of Children.

How We Share Personal Information

We may share a Child’s Personal Information with the following parties or as otherwise agreed to by the School:

  • With Schools and Educators. We may share Personal Information of a Child with the Child’s School and Educators of the Child’s School, subject to the agreement between MagicSchool and the relevant School. We do not control, and are not responsible for, Educators’ handling of the Personal Information of Children. As noted above, if you are a Parent and have questions with respect to Personal Information that We process, please direct these questions to your Child’s School.
  • With service providers. We may share Personal Information with Third parties that provide services on Our behalf or help Us operate the Service or Our business (such as hosting, information technology, customer support, and email delivery providers). See more details in the Sub-processor section included in this Notice.
  • Professional advisors. We may share Personal Information with professional advisors, such as lawyers, auditors, bankers and insurers, where necessary in the course of the professional services that they render to us.
  • Authorities and others. We may share Personal Information with law enforcement, government authorities, and private parties, as We believe in good faith to be necessary or appropriate for the compliance and protection purposes described above.
  • Business transferees. We may share Personal Information with acquirers and other relevant participants in business transactions (or negotiations of or due diligence for such transactions) involving a corporate divestiture, merger, consolidation, acquisition, reorganization, sale or other disposition of all or any portion of the business or assets of, or equity interests in, MagicSchool (including, in connection with a bankruptcy or similar proceedings).
    • If a transaction results in a change of control of MagicSchool, we will provide notice to applicable Schools within a reasonable period following the consummation of the transaction (and, where practicable, in advance), and in any event no later than thirty (30) days after the transaction becomes effective. Any acquiring entity will be required to honor MagicSchool’s existing privacy commitments with respect to Personal Information, including Student Data, unless and until the School is notified of any material changes and provided an opportunity to exercise its rights under applicable law or contract.

Note regarding third-party content, links to other sites, and MagicSchool content found outside of the Service. Certain content provided through the Service may be hosted and served by third parties. In addition, the Service may link to third-party websites or content over which MagicSchool has no control and which are governed by the privacy policies and business practices of those third parties. Please note that MagicSchool content may be included on web pages and websites that are not associated with Us and over which we have no control. These third parties may independently collect data. MagicSchool is not responsible or liable for the privacy practices or business practices of any third party.

What Personal Information is visible to others using the Service?

No Child’s Personal Information is made available or visible generally to the public through use of the Service. Depending on the features a School activates, Educators and other Children at the Child’s School may view a Child’s information through their connected accounts. 

How Schools and Parents Can Access and Manage Personal Information of Children?

The collection, maintenance and use of any Personal Information in Our Service is controlled by the School that contracts with MagicSchool for use of the Service. Schools can review, manage, or delete a Child’s information by contacting us at [email protected]  

If you are a Parent and have questions regarding your Child’s Personal Information in connection with the use of our Service, please contact your Child’s School for support, including any questions regarding your rights to review, delete, and refuse to allow further collection of your Child’s Personal Information. Because Child Accounts are authorized and provided by your Child’s School, you must contact their School to opt-out of sharing such Personal Information. MagicSchool cannot delete, change, or divulge any Child’s Personal Information from the Service unless authorized by your Child’s School. 

Privacy by Design & Data Minimization 

Magic School designs its services so that the highest level of privacy protection is enabled by default for student users, and we build student-facing features with privacy-by-design principles from the outset.

We collect, use, disclose, and retain only the minimum amount of Personal Information reasonably necessary for a Child to access and participate in the Service for legitimate educational purposes authorized by the applicable School. Children are not required or encouraged to provide Personal Information beyond what is needed to use the Service, and optional data elements (if any) are disabled by default unless enabled by the School or Educator, as applicable.

We provide age-appropriate explanations of our data practices and design user experiences that are understandable for the intended age range.

In practice, we:

  • Limit collection of Personal Information to what is directly relevant to providing educational functionality and maintaining safety and security;
  • Avoid designing prompts or interfaces (including free-text fields and interactive features) that encourage Children to disclose unnecessary Personal Information, and implement reasonable safeguards to reduce inadvertent collection;
  • Restrict access to Children’s Personal Information to authorized School personnel, authorized users, and vetted service providers/subprocessors that need access to support the Service, subject to confidentiality and data protection obligations.

Age-Appropriate Design and Best Interests of Children

Magic School designs, develops, and operates its Services in accordance with age-appropriate design principles and with a duty to act in the best interests of children whose Personal Information is processed through the Services.

‍Consideration of Age Ranges and Developmental Needs

Magic School considers the age ranges and developmental characteristics of the children likely to access the Services when designing student-facing features, interfaces, and data practices. Such consideration includes differences in children’s ability to understand data practices, exercise judgment, and navigate digital environments safely.

Protective Defaults and Age Estimation

Magic School configures student-facing features with protective defaults that provide a high level of privacy and safety for children by default. These defaults are intended to limit data collection, processing, and feature exposure to what is reasonably necessary for educational purposes.

Where appropriate, Magic School may rely on school-provided age or grade-level information, contextual indicators, or other reasonable means to apply age-appropriate protections and does not require children to provide additional personal information for the purpose of age verification unless otherwise required by law.

In-Product Safety Features Aligned with Child Development

Magic School incorporates reasonable in-product safety features aligned with children’s developmental stages and educational use, which may include:

  • Age-appropriate interfaces, instructions, and disclosures;
  • Design measures intended to reduce the risk of inadvertent or unnecessary disclosure of Personal Information by children;
  • Controls and guardrails intended to discourage harmful, abusive, or inappropriate use of the Services;
  • Features that support educator or school oversight, where applicable.

Best Interests of Children Standard

Magic School acts in the best interests of children when designing and operating the Services. In furtherance of this duty, Magic School:

  • Prioritizes children’s privacy, safety, dignity, and well-being over commercial or engagement-driven considerations;
  • Avoids manipulative, deceptive, or coercive design practices that may exploit children’s vulnerabilities or encourage excessive data disclosure;
  • Limits data practices to those reasonably necessary to provide educational functionality and maintain safety and security.

Risk Assessment and Ongoing Review

Magic School assesses and documents foreseeable risks of material harm to children arising from its student-facing data practices and product design and implements reasonable safeguards to mitigate such risks. These assessments are reviewed and updated as appropriate, including when there are material changes to the Services, data flows, or functionality affecting children.

Parent and Guardian Monitoring

MagicSchool does not currently offer functionality that allows a parent or legal guardian to monitor or observe a student’s use of the Service.

If MagicSchool introduces parent or guardian monitoring functionality in the future, such functionality shall be designed and implemented in compliance with applicable student data privacy laws. In particular, MagicSchool would ensure that any permitted monitoring by a parent or legal guardian may occur without an obvious or persistent signal to the child, where allowed by law, and would be subject to appropriate access controls and safeguards.

Any future parent or guardian monitoring features would be:

  • Be limited to educational, safety, or welfare purposes;
  • Be enabled only where authorized by the School acting as the educational authority under FERPA;
  • Be subject to appropriate access controls, authentication measures, and audit safeguards;
  • Be implemented in a manner that does not expand the collection, use, or disclosure of Student Data beyond what is reasonably necessary to provide the monitoring functionality.

Magic School would provide advance notice to Schools and update this Student Data Policy prior to enabling any parent or guardian monitoring functionality.

Data Protection Impact Assessments

Magic School conducts and maintains documented Data Protection Impact Assessments (“DPIAs”) for products and features that process student personal data. Each DPIA evaluates data flows, identifies potential risks to students’ rights and well-being, documents safeguards and mitigation measures, and assesses whether the product is designed and operated in the best interests of children.

DPIAs are reviewed periodically and updated when material changes are made to data practices, product functionality, or risk profiles.

Data Storage, Retention and Deletion

Data is stored in secure data centers located in the United States. MagicSchool retains Personal Information for as long as needed to fulfill the processing activity.  Upon termination or expiration of a school or district contract, Magic School will, at the direction of the customer, delete or return all student personal data within 60 days and provide written certification of deletion upon request. If we receive a verified data deletion request from the School, we will comply.

De-identified or aggregated data may be retained after contract termination solely for lawful purposes such as product improvement or analytics, provided that such data cannot reasonably be used to identify any student and is not used to profile or target students.

Sub-processors

Magic School may engage third-party service providers, sub-processors, and technology partners (including providers of hosting services, analytics, customer support, security, and application programming interfaces (“APIs”)) that may process Student Personal Information on Magic School’s behalf in connection with the Service.

Magic School remains responsible for its sub-processors’ handling of Student Personal Information and requires all sub-processors to process such information solely on Magic School’s instructions and for authorized educational purposes, consistent with this Notice, applicable law, and Magic School’s agreements with Schools.

Magic School:

  • Maintains a current list of sub-processors that may have access to Student Personal Information.
  • Requires all subprocessors, by contract, to implement privacy, confidentiality, and data security protections that are no less protective than those imposed on Magic School, including compliance with COPPA and other applicable student data privacy laws;
  • Conducts reasonable diligence and risk-based assessments of subprocessors prior to engagement and on an ongoing basis to evaluate their data practices, security measures, and alignment with Magic School’s privacy obligations;
  • Notifies subprocessors, where applicable, that the Service may involve the processing of children’s personal information, and requires subprocessors to refrain from using such information for any purpose other than providing services to Magic School;
  • Limits subprocessors’ access to Student Personal Information to what is reasonably necessary to support the functionality of the Service.

Magic School will provide advance notice to Schools of material changes to its subprocessors, where required by law or contract, and will take reasonable steps to ensure continued compliance with applicable student data protection requirements.

Security

We maintain reasonable administrative, technical and physical safeguards that are designed to preserve the confidentiality and availability of Personal Information processed by MagicSchool in accordance with the terms agreed to by the Child’s School, as detailed in our Privacy Policy.

Changes to this Notice

Magic School reserves the right to modify this Notice from time to time. If we make material changes to this Notice that affect how Student Personal Information is collected, used, or shared, we will provide advance notice to the applicable School using reasonable means before such changes take effect, unless a shorter notice period is required to address legal, security, or operational obligations.

We will also update the effective date at the top of this Notice and make the updated version available through our website or other appropriate channels.

Material changes will become effective on the date specified in the notice provided to Schools. Continued use of the Service by a School after the effective date constitutes acceptance of the updated Notice on behalf of its users.

Nothing in this section limits or modifies a School’s rights or remedies under an applicable agreement with Magic School or under applicable law.

Contact Us

If you have any questions or concerns regarding this Notice, please contact Us at [email protected]

MagicSchool logo
THE AI OPERATING SYSTEM FOR SCHOOLS, TEACHERS ARE MAGIC and MAGICSCHOOL are trademarks of Magic School, Inc.
Book a demo
Free for teachers
AI Solutions
AI for Schools
For SuperintendentsFor Chief Academic OfficersFor Chief Technology OfficersFor Principals
AI for Teachers
Lesson Plan GeneratorRubric MakerPresentation GeneratorMultiple Choice Quiz MakerWorksheet Generator
AI for Students
Outcomes
Protect Privacy & SecurityDrive Student OutcomesBuild AI LiteracySave TimeIntegrate quicklyWrite AI Policy
Resources
SupportApp StatusProfessional DevelopmentCertification CoursesWebinarsBlogCase StudiesFAQs
Company
PricingCompareAI PioneersCareersMagicSchool StoreMissionPress
Privacy PolicyTermsAccessibilitySustainability