Trust, data protection & privacy for schools

Built for district-level trust
MagicSchool is independently verified across every standard your IT team needs to sign off — from FERPA and COPPA to SOC 2 Type II and the EU Data Privacy Framework.



Independently audited under the AICPA’s Trust Services Criteria (TSC for Security). Our controls and operational practices are evaluated through third-party audits, reflecting industry-recognized standards that support enterprise-grade security expectations and district IT review processes.

Certified under the EU-US + UK Extension Data Privacy Framework, providing a recognized and reliable mechanism for transferring personal data from the EU and the UK to the US in accordance with applicable EU and UK data protection laws.



MagicSchool is a member of the Student Data Privacy Consortium (SDPC), which supports a structured, widely adopted approach to student data privacy through shared best practices and standardized agreements that help districts meet applicable compliance expectations.

MagicSchool received a 95% privacy rating, placing us at the top of AI tools for schools in Common Sense Media's independent privacy evaluations. We share in Common Sense's mission to create coordinated efforts to protect child and student privacy, and build in safety and security from the start.



MagicSchool participates in the iKeepSafe COPPA Safe Harbor Certification program, which provides independent oversight to help ensure that the collection, use, maintenance, and disclosure of personal information from children under 13 align with the requirements of the Children’s Online Privacy Protection Act (COPPA). Through this certification, MagicSchool’s privacy practices have been reviewed against established COPPA standards, offering schools and families added confidence that children’s data is handled responsibly and in accordance with federal law.

MagicSchool is a proud supporter of the 1EdTech TrustEd Apps Pledge and holds the 1EdTech TrustEd Apps Certification. These commitments reflect our dedication to trust-centered, standards-based integrations and fair, open business practices. The certification is awarded through a rigorous, community-driven review process and validates compliance with data privacy, security, and interoperability standards. This helps assure schools and districts that MagicSchool protects student data, meets recognized industry expectations, and supports secure integration within district technology environments.


MagicSchool participates in the iKeepSafe FERPA Certification program, which provides independent validation that an education technology provider’s privacy practices align with the requirements of the Family Educational Rights and Privacy Act (FERPA). This certification demonstrates that MagicSchool’s data handling policies and safeguards have been reviewed against federal mandates and iKeepSafe’s rigorous guidelines, helping school leaders confidently adopt the platform in support of district privacy obligations, applicable state laws, and local policies.
Protecting educator and student privacy is fundamental to MagicSchool’s mission and to the trust schools and districts place in us. Our platform is designed and operated with a deep commitment to responsible data stewardship, transparency, and respect for the sensitive information entrusted to us.
This section outlines our approach to lawful and appropriate data use, strong privacy governance, regulatory compliance, and the contractual safeguards that enable districts to adopt MagicSchool with confidence as a trusted education service provider.
Trust and privacy at MagicSchool
MagicSchool is designed to collect and process only the data necessary to provide educational services.
We are committed to:
- Using data solely for authorized educational and operational purposes
- Protecting data from unauthorized access, disclosure, alteration, or destruction
- Supporting school and district compliance with applicable privacy laws
- Being transparent about our security practices and sub-processors
We do not:
- Sell student or educator data
- Use or share student data for targeted advertising, behavioral advertising, or marketing
- Build personal profiles of students, except for authorized educational/school purposes
- Permit any third-party AI provider to use student data to train, fine-tune, or improve artificial intelligence or machine learning models
Trust overview
Our role as a service provider/processor:
MagicSchool acts as a service provider and data processor to schools and districts. We process personal data only to deliver contracted educational services and only in accordance with customer instructions and applicable law.
Schools and districts remain in control of their data, including decisions about how it is used, retained, and governed.
Core trust pillars
MagicSchool’s practices are grounded in foundational principles that appear consistently across global data protection and student privacy regulations. These pillars guide how we design our platform, structure our contracts, and govern data use—regardless of jurisdiction.
- Data ownership and control: Schools and districts retain ownership and control of their data. MagicSchool acts only as a service provider or data processor, handling data on behalf of customers and according to documented instructions.
- Purpose limitation: Data is collected and processed only for clearly defined, legitimate educational and operational purposes. MagicSchool does not use data for advertising, profiling, or unrelated secondary purposes.
- Data minimization: MagicSchool is designed to collect and process only the minimum data necessary to provide its services. Student data is not required for many core features, and districts can determine how and when data is shared.
- Storage limitation: We retain data for as long as needed to fulfill the processing activity.
- Lawfulness, fairness, and transparency: We use data in ways we can clearly explain and justify to schools, teachers, and regulators. MagicSchool provides transparency on data processed, why it’s processed, how it’s protected, and who it may be shared with, as detailed in our Privacy Policy and Student Data Policy.
- Accountability: We design systems so we can prove compliance through documentation, controls, and review processes.
- Rights and respect for individuals: MagicSchool supports district obligations related to student, educator, and data subject rights, including access, correction, deletion, and portability where applicable and appropriate.
- Integrity and confidentiality: Data is protected through encryption, strict access controls, and secure system design.
- Continuous review and improvement: Privacy and trust are not static. MagicSchool regularly reviews its practices to reflect evolving legal requirements, regulatory guidance, and district expectations.
Privacy and compliance
MagicSchool’s privacy program is designed to help schools and districts confidently meet their legal and regulatory obligations. Beyond foundational privacy principles, this section explains how MagicSchool aligns with applicable laws, frameworks, and district review processes in practice.
Regulatory coverage and alignment
MagicSchool supports compliance with a broad range of education, consumer, and international privacy regulations. Our platform design, internal policies, and contractual commitments are structured to align with the shared requirements across these frameworks.
Applicable laws and frameworks include, but are not limited to:
U.S. federal privacy laws
- FERPA (Family Educational Rights and Privacy Act): MagicSchool acts as a school official with a legitimate educational interest under FERPA, processing education records only on behalf of schools and districts. Data is used solely to provide educational services and is not redisclosed except as permitted by customer instructions and applicable law.
- COPPA (Children’s Online Privacy Protection Act): MagicSchool supports COPPA compliance by limiting the collection of personal information from children to what is necessary to provide educational services. Where applicable, MagicSchool relies on schools and districts to provide authorization for student use and does not use student data for advertising or marketing purposes.
- PPRA (Protection of Pupil Rights Amendment): MagicSchool does not conduct surveys, assessments, or evaluations that collect sensitive student information governed by PPRA without district authorization. Our platform is designed to support district oversight and control over instructional content and data use.
U.S. state privacy and student data protection laws, such as:
- CCPA / CPRA (California Consumer Privacy & Privacy Rights Acts): MagicSchool operates as a service provider under California privacy laws and does not sell or share personal information for cross-context behavioral advertising. We support applicable rights requests in accordance with contractual obligations and legal requirements.
- Colorado Privacy Act (CPA): MagicSchool aligns with the Colorado Privacy Act by acting as a data processor and processing personal data only on documented customer instructions. Our practices support CPA principles such as purpose limitation, data minimization, reasonable security safeguards, and respect for applicable consumer rights where required.
- Illinois Student Online Personal Protection Act (SOPPA): MagicSchool aligns with SOPPA requirements by restricting the use of student data to educational purposes, prohibiting targeted advertising, and maintaining safeguards to protect student information. Data retention and deletion practices are governed by contractual and legal requirements.
- Nebraska Data Privacy Act (NDPA): MagicSchool supports compliance with the Nebraska Data Privacy Act by processing personal data only for specified purposes, implementing reasonable safeguards, and supporting applicable rights and transparency requirements through policy and contract.
- New York Education Law §2-d: MagicSchool supports compliance with New York Education Law §2-d by limiting the use of student and teacher data to authorized educational purposes and prohibiting commercial or marketing use. We maintain administrative, technical, and physical safeguards designed to protect data confidentiality and integrity and support district requirements related to data governance, breach notification, and data lifecycle management.
- Texas Student Privacy Act (HB 2087): MagicSchool supports applicable Texas student data privacy requirements by limiting data use to educational purposes, prohibiting commercialization of student data, and maintaining safeguards to protect confidentiality. We work with Texas districts to align contractual terms with local and state requirements.
- Utah Student Data Protection Act: MagicSchool supports compliance with the Utah Student Data Protection Act (Utah Code Title 53E, Chapter 9) by limiting the collection and use of student data to authorized educational purposes only. Student information is protected through appropriate safeguards, is not used for advertising or commercial profiling, and is handled in accordance with district instructions and contractual requirements. Data retention and deletion practices are designed to align with Utah’s expectations for responsible student data governance.
- Virginia Consumer Data Protection Act (VCDPA): MagicSchool acts as a data processor under the VCDPA and processes personal data solely to provide contracted services. We maintain safeguards to protect personal data and support controller obligations through contractual commitments and operational practices.
International privacy and AI governance frameworks, including:
- EU General Data Protection Regulation (EU GDPR): Where the EU GDPR applies, MagicSchool acts as a data processor and processes personal data only on behalf of schools and districts, in accordance with documented customer instructions and applicable lawful bases. Our privacy practices are designed to support GDPR principles such as transparency, purpose limitation, and data minimization, ensuring personal information is used only for authorized educational and operational purposes. We maintain appropriate safeguards to protect confidentiality and integrity, support customer obligations related to data subject rights (including access, correction, deletion, and portability where applicable), and apply contractual protections to govern processing, retention, and sub-processor oversight.
- UK GDPR and UK Data Protection Act 2018: Where UK data protection law applies, MagicSchool processes personal data in accordance with the UK GDPR and the UK Data Protection Act 2018. Personal information is handled only to deliver contracted services and in line with customer instructions, with safeguards designed to protect against unauthorized access, disclosure, or misuse. Our practices support accountability requirements under UK law, including appropriate contractual terms, transparency around processing, sub-processor governance, and support for applicable individual rights and international transfer mechanisms where required.
- EU Artificial Intelligence Act (EU AI Act): MagicSchool designs AI features to support educator-directed use, human oversight, and transparency. Our AI tools are not used for high-risk or prohibited automated decision-making about students and are designed to align with emerging AI governance principles related to accountability, explainability, and risk management under the EU AI Act.
- Canada Personal Information Protection and Electronic Documents Act (PIPEDA): Our processes are designed to align with the Personal Information Protection and Electronic Documents Act (PIPEDA) and its Fair Information Principles. Personal information is collected, used, and disclosed only for defined educational and operational purposes, with transparency around how data is handled. Safeguards appropriate to the sensitivity of the information are implemented to protect against unauthorized access, disclosure, or misuse. Our practices support core PIPEDA principles such as accountability, purpose limitation, consent where applicable, access and correction rights, and responsible retention and deletion of personal information.
- Dubai Personal Data Protection Law (PDPL): Our privacy practices support compliance with the Dubai Personal Data Protection Law (PDPL) by processing personal data for specified and legitimate purposes and implementing appropriate technical and organizational measures to protect confidentiality, integrity, and availability. Personal information is handled in a lawful, transparent manner, with limited use aligned to educational and operational needs, and safeguards are designed to prevent unauthorized access or disclosure. Where applicable, contractual and governance controls are used to support PDPL requirements related to data processing, data subject rights, and accountability, helping schools and institutions meet local privacy expectations.
- Qatar Personal Data Privacy Protection Law (PDPPL): Our privacy practices support compliance with Qatar’s Personal Data Privacy Protection Law (Law No. 13 of 2016), which establishes protections for personal data processed electronically in the State of Qatar. In alignment with key principles of the PDPPL, data is processed lawfully and transparently for defined purposes, safeguarded through appropriate administrative and technical measures, and not retained beyond what is necessary for those purposes. Individuals’ rights, including access, correction, and withdrawal of consent, are respected in accordance with the law, and contractual protections are used where required to govern processing, cross-border transfers, and safeguards for personal data.
- Australian Privacy Act: MagicSchool aligns its privacy practices with the Australian Privacy Principles (APPs), which govern the fair and responsible handling of personal information in Australia. We limit the collection of personal data to what is necessary for educational and operational purposes, use it only for the purposes for which it was collected, and implement safeguards to protect personal information against misuse, interference, loss, and unauthorized access. Our practices also support transparency, access, and correction rights, and accountability in how personal information is managed, helping Australian schools and institutions meet local privacy expectations and regulatory requirements.
Additional jurisdictional coverage
MagicSchool also supports additional U.S. state and global privacy requirements beyond those listed above, and works with districts to address jurisdiction-specific obligations as they arise.
Supporting district compliance reviews
MagicSchool supports district procurement, legal, and compliance teams throughout the review process. We provide documentation and clarification to help districts assess alignment with their local, state, and federal privacy obligations.
Support includes:
- Privacy and compliance documentation upon request
- Responses to district privacy questionnaires and RFPs
- Alignment with district governance policies and approval workflows
Ongoing compliance management
Privacy and compliance are continuously reviewed at MagicSchool. We monitor regulatory developments, updated guidance, and evolving district expectations to ensure our practices remain aligned over time.
Material changes to privacy or compliance practices are addressed through policy updates, contractual alignment, and customer communication as appropriate.
Sub-processors
MagicSchool is committed to transparency in how we operate and deliver our services. To provide, maintain, and support the MagicSchool platform and related business functions, we engage a limited number of trusted third-party service providers (“sub-processors”).
- These sub-processors support essential functions such as cloud hosting and data storage, technical infrastructure and IT support, customer support operations, and website analytics.
- MagicSchool maintains contractual agreements with all sub-processors that require appropriate privacy, confidentiality, and security safeguards. Sub-processors are authorized to process data only to deliver MagicSchool services and in accordance with applicable data protection laws and our internal standards.
- For transparency, our sub-processor list identifies each provider, the services they perform, and the locations where data may be hosted or processed.
Data privacy agreements
MagicSchool offers Data Privacy Agreements (DPAs) to support district procurement and compliance needs. We act as a service provider and data processor, processing data only on behalf of schools and districts and solely for authorized educational purposes.
- Our DPAs include commitments around data ownership, security safeguards, retention and deletion, sub-processor oversight, and incident notification. MagicSchool supports commonly used district frameworks, including the following:
- Student Data Privacy Consortium (SDPC) National Data Privacy Agreement (NDPA), where applicable.
- For international data transfers, our agreements incorporate the EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, as required.
- Custom DPAs are available, and we work collaboratively with district legal and procurement teams to align with local policies and applicable laws.
To request a Data Privacy Agreement, reach out to [email protected]
Trust FAQs
Does the platform create student profiles or track behavior?
No. The platform does not build personal profiles of students for advertising or non-educational purposes. Data is used only to support authorized educational workflows.
How is educator-generated or uploaded content handled?
Content uploaded or created by educators is processed only to provide platform functionality and support educator workflows. Districts remain in control of how content is managed, retained, or removed.
How does MagicSchool support parent or data subject requests handled by an institution?
MagicSchool supports verified requests routed through the institution in accordance with contractual terms and applicable law, while ensuring the institution retains control over fulfillment decisions.
How does MagicSchool support institutions operating across multiple jurisdictions?
MagicSchool aligns its practices with shared regulatory principles and supports contractual mechanisms that help institutions manage obligations across states or countries.
How does MagicSchool train employees on data privacy and applicable laws?
MagicSchool provides regular training to employees on data privacy, security best practices, and applicable legal obligations. Training is designed to ensure employees understand their responsibilities when handling personal and student data.
How does MagicSchool evaluate sub-processors before engaging them?
Sub-processors are reviewed prior to engagement to assess their privacy, security, and data protection practices, as well as their ability to meet applicable legal and contractual requirements. Sub-processors are contractually required to implement appropriate safeguards and may process data only to support MagicSchool services.


