Privacy Policy

III. How do we use the information collected?

We use this information to:

• To fulfil our contractual commitment and to enhance the performance of our contract with you.
• Allow you use of our products and applications and respond to your requests
• Provide you with the services, support or information requested and monitor effectiveness
• Operate, maintain and add to the features and functionality of our products and services
• Improve our website’s user experience and communicate better to engage users
• Enhance the effectiveness of our marketing campaigns. To send marketing emails or messages related to our products and services
• Monitor aggregate metrics to conduct our market research and understand our customers better
• Analyze, diagnose and fix issues in our product and service offerings.
• To process your job application for an open position.

In all cases this information is not shared with any third party. It is used by Magic Box as above or to prevent/respond to protection of our websites or applications. In some cases like with hosted services, we may share information with those that provide us with technology services (e.g. web hosting and analytics services), but strictly for the purpose of carrying out our work. All such vendors used by us are EU GDPR compliant and have siged a Data protection agreement with Magic to secure your data. We may be required to share information with law enforcement or other third parties when compelled to do so by court order or other legal process, to comply with statutes or regulations.

If we merge with or are acquired by another company, and if all of our assets are acquired by another company, this information will most likely be one of the assets to be transferred. However, we will not transfer any personal information of our customers until absolutely necessary to provide you with a continuity of service and only when the new owner maintains and provides the same level of data privacy standards as we do. In such cases, we will provide you with notice and an opportunity to opt-out of the transfer of identifiable data.

IV. How do we secure information collected?

We understand that the security of your information is vital and have in place strong administrative, technical, and physical security controls and measures to keep data safe and secure. Our privacy practices are designed to provide protection for your personal information, all over the world.

To protect information stored in our servers, through Amazon Web Service infrastructure at various locations like the US, Australia and India, access is limited (through user/password credentials and two factor authentication) to those employees who require it to perform their job functions. We use industry-standard Secure Socket Layer (SSL) encryption technology to safeguard the account registration process and sign-up information. Other security safeguards include but are not limited to multifactor authentication, data encryption, firewalls, and physical access controls to building and files.

We would like to caution our visitors about phishing attacks, wherein unscrupulous third parties seek to extract sensitive and confidential information from you by posing as a genuine website or by sending an email misrepresenting it to be from a genuine source. Please be aware that we never seek sensitive or confidential information such as regarding your financial or health record through emails or through our websites. If you receive such a message claiming to be from Magic Box, then please do not reply to it and immediately bring it to our attention by contacting the Webmaster.

Magic Box also recognizes the receipt, transmission or distribution of spam emails (unsolicited bulk emails) as a major concern and has taken reasonable measures, to minimize the transmission and effect of spam emails in its computing environment.

V. Can this information be reviewed?

In some cases and at our discretion this information may be accessed by respective organizations to correct any mistake in that information, and to delete any information we no longer have business reasons for retaining. You can do this by sending us an email.

Magic Box strives to comply with all applicable laws around the globe that are designed to protect your privacy and information, no matter where that information is collected, transferred, or retained. Although legal requirements may vary from country to country, we intend to adhere to the principles set forth in this Privacy Policy even if information is transferred from your country to other countries that may not require an adequate level of protection for your information.

VI. Who owns the data?

Ownership and Handling of Data: MagicBox Guiding Principles and Policy on Personally Identifiable Information (PII)

Ownership of Data

MagicBox is a white-labeled software platform licensed to third-party publishers, who in turn make the platform available to educational institutions such as schools and districts (“End Users”). MagicBox acknowledges and affirms that all personally identifiable information (PII) related to students, teachers, administrators, and parents is the sole property of the respective educational institutions (End Users) or agencies utilising the platform via authorised publishers.

Role as Data Processor

MagicBox acts solely as a data processor and service provider on behalf of these institutions/publishers and does not claim ownership of any user data. All access to, use of, or processing of such data is conducted solely on behalf of, and as instructed by, the customer (i.e., the educational institution or its authorized publisher), in accordance with the terms of the applicable license or services agreement, and in compliance with all relevant data privacy laws and regulations, including but not limited to the Family Educational Rights and Privacy Act (FERPA), the Children’s Online Privacy Protection Act (COPPA), and applicable state laws.

Categories of Data Collected

MagicBox uses minimum Personally Identifiable Information (PII), restricted only to what is necessary for the provision of services. Details regarding PII that is collected include:

• Username – This is added by the district/school.
• First Name and Last Name of the Student.
• Parent email addresses – optional, except where required under COPPA (i.e., for users under the age of 13, parent email collection is mandatory).
• No Biometric or Sensitive Personal Information: MagicBox does not collect or store any biometric data and no sensitive personal information is collected as defined under applicable laws.

Prohibition on Commercial use of PII

MagicBox, operated by Magic, does not sell, rent, use, or disclose covered PII for marketing, advertising, or other commercial purposes. Data received from its customers is to be used solely for the purposes of providing educational services in accordance to applicable agreements.

Access and Authorisation

Magic, acting through MagicBox is liable to process PII only as authorised by the customer or in accordance to executed contractual agreements.No access to PII shall be granted to third parties unless authorised by the customer or as required by law.

Data Retention and Deletion

• Upon termination of the customer contract, upon request of the customer, or once the data is no longer required to provide services, MagicBox shall permanently delete all personal data in its possession in accordance with the agreed data retention and deletion policy.
• For further information, please refer to the Data Retention and Deletion section.

VII. MagicBox Guiding Principles and Policy on Data Retention and Deletion

This section outlines the principles, process and policy regarding data retention and deletion of customer data upon contract termination. These practices and policies ensure compliance with applicable regulations, including the General Data Protection Regulation (GDPR) and the Children’s Online Privacy Protection Act (COPPA), while providing clients with adequate opportunities to retrieve their data within a clearly defined timeframe.
MagicBox operates as a data processor under GDPR or a service provider under the California Consumer Privacy Act (CCPA), As such all data is processed exclusively on behalf of our clients and in accordance with their instructions.

1. Data Retention Period

• Upon termination of the client’s contract, we retain all client data for a period ofone hundred and eighty days (180 days) from the contract termination date.
• During this retention period, clients may request access to their data or retrieve it for their archival and compliance purposes.

2. Data Retrieval Process

Clients may request their data by submitting a written request to the MagicBox Support Team at support@magicedtech.com within sixty (60) days of the contract termination date.
Data Types to eligible for retrieval

• Content or artefacts uploaded by the client: including SCORM packages, PDF, Videos, ePub content, Assessments and similar.
• User Data (PII): This data is inclusive of Teacher, Student, Administrators or Parents and any other user accounts created in the platform.

Upon receiving a valid request, MagicBox will securely deliver the requested data using one of the following approved methods.

• Secure Google Drive Links
• Any other mutually agreed-upon methods

After the 60-day retrieval window, no further retrieval requests will be honoured.

3. Final Notification and Data Deletion

• In the final week of the 180-day retention period, MagicBox will send a notification to the client, reminding them of the impending data deletion.
• At the conclusion of the 180-day period, all client data will be permanently deleted from MagicBox systems using a secure industry standard erasure technique.
• Important Note: Once the data is deleted, it cannot be recovered under any circumstances.

4. Usage Analytics and Anonymized Data

• MagicBox may retain usage analytics data in an anonymized form for internal reporting, performance monitoring and product improvement purposes,
• In compliance with GDPR and COPPA:
  • No Personally Identifiable Information (PII) will be retained in our systems post data deletion.
  • All usage data will be de-identified to prevent identification of an individual user.

5. Compliance and Security Measures

• All retention, retrieval, and deletion processes are executed in accordance with industry best practices and legal obligations under:
  • General Data Protection Regulation (GDPR)
  • Children’s Online Privacy Protection Act (COPPA)
• MagicBox uses secure Data deletion protocols to ensure no unauthorised access or data recovery is possible post-deletion.

6. Client Responsibilities

• Clients are solely responsible for submitting data retrieval requests within the specified 60-day window.
• Clients are encouraged to maintain independent backups or copies of critical data to mitigate any disruption resulting from contract termination.

7. Contact

For any questions or requests related to data retention or deletion, clients may contact: support@magicedtech.com

Acknowledgement

By continuing to use MagicBox or upon contract termination, clients acknowledge and accept this Data Retention and Deletion Policy.

VIII. What is the Cookie Policy?

Cookies are small data files that a website stores on a user’s browser, memory, or device storage. These files serve various purposes, including personalizing content, enhancing site navigation, improving user experience, and remembering user preferences such as login credentials.
To learn more about the types of cookies we use and how they function, please refer to our Cookie Policy.”

IX. Children’s Online Privacy Protection Act (COPPA) Compliance

MagicBox is fully committed to full compliance with the Children’s Online Privacy Protection Act (COPPA) and implements the following procedures and safeguards to ensure that the personal information of children under the age of 13 is collected, used and retained in a lawful and secure manner, under the direction of the educational institution, which acts as the agent of the parent or guardian for providing consent.
If MagicBox becomes aware that any information has been collected from a child under 13 without the requisite consent, it is promptly deleted in line with our data deletion policies and applicable law

1. Privacy Policy Availability

Our Privacy Policy is prominently accessible across all parts of the MagicBox platform, including, but not limited to, the Content Store, Publisher portal, School Admin portal, and Teacher and Student applications. It provides clear disclosures regarding the categories of data and information collected and our data protection measures implemented in accordance with applicable laws.

2. Verifiable Parental Consent Process

In alignment with COPPA requirements, MagicBox ensures that verifiable parental consent is obtained prior to providing access to the platform for users under 13 years of age. The consent process is as follows:

• A parent or guardian’s email address is collected.
• A consent request is transmitted via a secure, dynamic link to a parent or guardian.
• The parent can choose to approve or deny the request.
• If consent is granted, the child’s account is activated.
• If consent is denied or not provided, the account remains deactivated and inaccessible.

3. Restricted Data Access

Students’ personal data is protected, and access is limited strictly to authorized users within the educational institution. No third-party or external entity is granted access, unless explicitly authorized by the school, district or educational institution or required by law or in a contractual agreement.

4. Parental Rights and Controls

Parents and legal guardians have the right to exercise full control over their child’s participation, including the ability to:

• Approve or deny access via the emailed consent link.
• Withdraw consent at any time by revisiting the consent link.
• If consent is withdrawn, the child’s account is deactivated, and no further data collection will occur.

5. Data Deletion upon Improper Collection

If MagicBox becomes aware that it has inadvertently collected personal information from a child under 13 without appropriate parental or school consent, such information will be immediately and permanently deleted in accordance to our internal data retention and deletion protocols and consistent with COPPA requirements.

6. Contact for COPPA-related Inquiries

For any inquiries, concerns or requests related to MagicBox’s COPPA compliance or data practices, please contact us at support@magicedtech.com.

X. Family Education Rights and Privacy Act (FERPA) Compliance and Student Data Protection

MagicBox fully complies with the Family Educational Rights and Privacy Act (FERPA) and is committed to supporting the educational mission of its institutional clients while protecting the privacy of students and their schools and education records.. We recognize the sensitive and confidential nature of Personally Identifiable Information (PII) contained in education records and implement policies, processes and safeguards to ensure their confidentiality.

1. Role as School Official:

In this capacity, MagicBox collects, processes, and stores student PII data solely on the behalf of and as authorized by the educational institution and exclusively for the purpose of delivering contracted educational services.

• MagicBox strictly does not sell, lease, disclose or trade student data,
• MagicBox does not use it for targeted advertising or marketing purposes.

2. Security and Confidentiality Measures:

To safeguard student data, MagicBox maintains robust administrative, technical, and physical security controls that protect against unauthorized access, disclosure, or misuse.

3. FERPA Compliance Mechanisms:

• Student Access to Personal Information: Students may access their own personal information (PII) within the platform and may update certain fields as permitted.
• Access to Education Records: Students may view their own educational records, including assessment reports and performance data, through authenticated access to the platform’s reporting features.
• Restrictions on Record Modification: Students are not permitted to amend or modify educational or assessment outcomes. All such updates to official education records must be made only by duly authorized personnel.
• Teacher and School Staff Authority: Only teachers and authorized school staff have the ability to evaluate student performance, assign grades, and update educational records based on academic outcomes in accordance with institutional policy.
• Parent/Guardian Access: Parents or guardians can access their child’s educational records and assessment reports through the platform, where such access is enabled by the educational institution via authenticated access to the platform.
• Secure Data Capture: Educational records, such as assessment scores, assignment records and evaluations are securely captured and stored within the platform, accessible only through authenticated user access to the platform.

4. Compliance and Recourse

These measures are designed to ensure that access, use, management and protection of education records are fully compliant with FERPA and that the confidentiality and integrity of student data are maintained at all times.
If you have inquiries about MagicBox’s FERPA compliance, or if you would like to request access to or deletion of education records, in accordance with institutional policy and applicable law, please contact us at support@magicedtech.com.

XI.Rights over your personal data

Under certain circumstances, by law you have the right to:

• Be informed about the processing of your personal data (i.e. for what purposes, what types, to what recipients it is disclosed, storage periods, any third party sources from which it was obtained, confirmation of whether we undertake automated decision-making, including profiling, and the logic, significance and envisaged consequences).
• Object to your personal data being processed for a particular purpose or to request that we stop using your information.
• Request not to be subject to a decision based on automated processing and to have safeguards put in place if you are being profiled based on your personal data.
• Ask us to transfer a copy of your personal data to you or to another service provider or third party where technically feasible and otherwise required by applicable regulations.
• Withdraw, at any time, any consent that you have previously given to us for our use of your personal data.
• Ask us to stop or start sending you marketing messages at any time.
• Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
• Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected. It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your working relationship with us.
• Request the erasure of your personal data. This enables you to ask us to delete or remove personal data where you think that we do not have the right to process it.

Any request for access to or a copy of your personal data must be in writing and we will endeavour to respond within a reasonable period and in any event within one month in compliance with Data Protection Legislation. We will provide this information free of charge unless the request is manifestly unfounded or excessive. We will comply with our legal obligations as regards any individual’s rights as a data subject.

If you would like to contact us in relation to any of the rights set out above please contact us by email dpo@magicedtech.com.To protect your privacy and security, we may take reasonable steps to verify your identity before providing you with the details.

XII. RIGHT TO COMPLAIN TO THE ICO

You can contact the ICO if you have any concerns about how Magic Box has handled your personal data and you also have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. You can contact the ICO via their helpline on 0303 123 1113. You can find out more information about your rights as a data subjects, their regulatory powers and actions they can take on their website https://ico.org.uk/

XIII. Notification of Changes

If we decide to change our privacy policy, we will post those changes on this page so our users are always aware of the information we collect and how we use it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

Where links are provided to other websites it should be noted that they are not and cannot be governed by our Privacy Statement. We cannot guarantee your privacy when you access other websites through any link provided on thiswebsite.

Magic’s CCPA
Privacy Policy