Privacy

Music and the Brain All Access Privacy Policy

LEARN.MUSICANDTHEBRAIN.ORG

Music and the Brain All Access, located at learn.musicandthebrain.org, is a web-based learning platform of the Music and the Brain program. Music and the Brain brings a sequential music literacy curriculum and whole-class piano/keyboard instruction to schools to be implemented by music teachers during the school day. Music and the Brain is a program of the nonprofit Building for the Arts NY, Inc.

Any information stored on the Music and the Brain All Access platform is treated as confidential. All information is stored securely and is only accessed by authorized personnel. Music and the Brain has a robust data security program in place to ensure the protection of the data we handle and to comply with all legal regulations, including FERPA and COPPA. We implement comprehensive data security procedures for data collection, use, storage, transfer, destruction, and security incident response.
 
As an educational program, Music and the Brain (“MATB”, “we” or “us”) is committed to protecting the privacy of children and other visitors who access our website. By accessing this website, you are consenting to this Online Privacy Policy (the “Policy”). This Policy describes what information MATB collects from users, including children under 13, when they visit this site; how such information is used; how users, parents, and guardians can control the use and disclosure of information concerning children; and how information is protected.
 
The Children's Online Privacy Protection Act of 1998 and its rules (collectively, "COPPA") require us to inform parents and legal guardians (as used in this policy, "parents") about our practices for collecting, using, and disclosing personal information from children under the age of 13 ("children"). It also requires us to obtain verifiable consent from a child's parent for certain collection, use, and disclosure of the child's personal information.
This policy describes how Music and the Brain collects, utilizes, stores, transfers, and destroys sensitive data securely:

  • The types of information we may collect from children.
  • How we use the information we collect.
  • Our practices for disclosing that information.
  • Our practices for notifying and obtaining parents' consent when we collect personal information from children, including how a parent may revoke consent.
  • All operators that collect or maintain information from children through MATB.

Children should always check with their parents or guardians before entering information on any website or application, and MATB encourages families to discuss their household guidelines regarding the online sharing of personal information. We also recommend that parents/guardians carefully supervise their children when their children participate in any online activities. 

In compliance with COPPA, MATB observes the following policies:

 

a. Verifiable Consent. MATB does not knowingly collect any information from children under the age of 13 unless the school or teacher working with the student has obtained appropriate, verifiable consent directly from the parent or legal guardian for the student to use the MATB service.

b. Notification. MATB does not allow students to create an account on our sites - this can only be done by a teacher or administrator. If a student under the age of 13 creates an account in this manner and MATB becomes aware of the violation, we will lock the student’s account and send a notification to the parent, legal guardian, or educator.

c. Providing or Withdrawing Consent. MATB allows parents and legal guardians to review information submitted by their children, and to request the removal of any information. Details on these procedures can be found in our Privacy Policy at https://learn.musicandthebrain.org/privacy

 

d. Schools that Act as the Parent’s Agent. Schools that partner with MATB to provide our services for legitimate educational purposes only may consent to the collection of student information on the parent’s behalf (see “Verifiable Consent” above) and may also request to review and/or delete a student’s personal information. Schools should consider making these same notices available to parents.

Information Collection & Use
 
MATB offers this website to a range of users, including teachers, parents, and students, including some children. This Policy summarizes potential instances of data collection and outlines how and when we will seek parental consent when collecting information from children. In any instance that we collect personal information from a child, we will retain that information only so long as reasonably necessary, or as required by law. In the event we discover we have collected information from a child in a manner inconsistent with COPPA’s requirements, we will either delete the information or immediately seek the parent’s consent for that collection.
 
Types of Data Collected and Purpose

MATB collects User Data only for educational purposes to fulfill our contractual obligations and provide services to our partner schools, acting as a School Official with a legitimate educational interest as defined in FERPA. MATB does not collect, use, maintain, or share any personal information beyond that needed for authorized educational purposes.

All User Data is collected, used, and maintained securely and in compliance with all state and federal statutes, as will be described in further detail below. A complete, up-to-date listing of the data elements that MATB collects and how each element is used can be found at the end of this document.

Adult PII (Teachers, Administrators)

MATB collects a limited amount of PII from our adult educational users, including but not limited to teachers, principals, and district administrators. For these users, we require name and email address. This identifying information is critical for the creation, protection, and maintenance of an MATB user account.

Student PII

MATB does not require that any student PII be entered into our platform. MATB offers the option of creating student accounts, but student accounts are not required. If an educational entity wants to utilize MATB’s student account functionality, the educational entity may choose what student PII to share with the MATB platform in order to do so. Student accounts may be created utilizing anonymous credentials. Student names, emails, and other PII are not required. 
To make student account management more effective and intuitive, student PII may be shared with MATB. Student names, emails, IDs, and more can be shared with MATB to make it easier for students to log in and for teachers to identify students within the program.

Digital User Metadata - Automatic Data Collection

MATB also collects Digital User Metadata such as IP, device, and browser information. This information is only used internally to allow us to better serve our users. For instance, we monitor the devices and browser versions used to access MATB so that we can ensure that our platform continues to run smoothly on those devices and browser versions. 
 
When users, including children, interact with us, certain information may automatically be collected, both to make our sites and applications more interesting and useful to users and for various purposes related to our organization. Examples include the type of computer operating system, the user’s IP address or mobile device identifier, the web browser, the frequency with which the user visits various parts of our sites or applications, and information regarding the online or mobile service provider. This information may be collected using technologies such as cookies, flash cookies, web beacons, and other unique identifiers. This information may be collected by MATB or by a third party (such as Google Analytics). This data is principally used for internal purposes only, in order to: 
 

  • customize content and improve the site 
  • conduct research and analysis to address the performance of our site 
  • generate anonymous reporting for use by MATB.

We do not share, sell, rent, or transfer children's personal information other than as described in this section.

We may disclose aggregated information about many of our users, and information that does not identify any individual or device. In addition, we may disclose children's personal information:

  • To third parties we use to support the internal operations and who are bound by contractual or other obligations to use the information only for such purpose and to keep the information confidential.
  • If we are required to do so by law or legal process, such as to comply with any court order or subpoena or to respond to any government or regulatory request.
  • If we believe disclosure is necessary or appropriate to protect the rights, property, or safety of MATB, our customers or others, including to:
      • protect the safety of a child;
      • protect the safety and security of MATB;
      • enable us to take precautions against liability, and
  • to law enforcement agencies or for an investigation related to public safety.

In the event we collect (or allow others to collect) such information from children on our sites and applications for other purposes beyond the scope of purposes outlined above, we will seek parental consent in the manner specific to the interaction as described in this Policy, or otherwise as described under the heading “Verifiable Parental Consent.” 

Derivative Data

MATB collects Derivative Data, such as usage data, access data, assessment data, and more. This data is used for various educational purposes. Usage and access data are sometimes reported to educational organization leadership (school supervisors and district administrators) to provide insight into how their users are utilizing Music and the Brain All Access. MATB also monitors usage and access data to determine how our program is being used and what new features might need to be developed to better support the educational purposes of educational organizations. Assessment data allows teachers to measure, track, and report student progress from within the Music and the Brain All Access platform. The four instances of derivative data collection through this website are (i) student response forms, (ii) student contests (known as “Challenges”), (iii) parent feedback forms, and (iv) student audio recordings on the MATB virtual keyboard. Each of these is addressed at the end of this document.
 

Data Collection Protocols

MATB has various methods for collecting User Data. Data may be collected directly from users or shared by administrative entities such as school or district IT departments.


Collecting Data From Users

In compliance with COPPA, MATB never collects PII directly from any user under the age of 13 without the explicit consent of an authorizing adult such as the teacher, district representative, or guardian. Any data entry forms on MATB, including but not limited to account sign up forms, contact forms, and more, require that users certify that they are over the age of 13 before entering any PII, or they require explicit authorization from an authorizing adult to collect such information from the student user. MATB does not request PII directly from users under the age of 13 without the authorization of an authorizing adult through any methods, including but not limited to email, phone, or in-site forms.

Adult users, including but not limited to teachers, counselors, administrators, and parents, may be asked to share PII with MATB to support critical account functionality or powerful educational features. For instance, an MATB teacher may be asked to enter their teacher email address as this is critical for the creation, protection, and maintenance of an MATB licensed teacher account. Teachers may also choose to enter student PII into MATB in order to utilize powerful educational tools, such as assessments and gradebook functionality. Teachers must only enter student PII into MATB if they or their parent educational organization have already obtained proper consent from the students’ parents.

All User Data is collected over secure channels. Data collected within MATB’s program is always transferred securely using HTTPS and TLS protocols. If a user needs to deliver sensitive data to MATB outside of the program itself, an sFTP transfer will be utilized. This ensures that all User Data collected is securely transferred and encrypted in motion.

Collecting Data From Administrative Entities (School or District IT)

Following educational industry trends and best practices, much of the User Data that MATB collects is shared by a higher administration entity of an educational organization, rather than by an individual user. MATB receives User Data from schools and districts utilizing secure exchange protocols agreed upon by both parties. These secure exchange methods include but are not limited to sFTP transfers and API exchange using HTTPS and TLS protocols.

All data exchanges of this nature are set up with the administrative entity’s approval and participation in an effort to provide a better service to their users. MATB collects the data needed to support only the educational purposes of our users, acting as a School Official with a legitimate educational interest as defined in FERPA. Administrative entities, including but not limited to school and district IT teams, must obtain proper consent from their students’ parents or guardians before sharing student data with MATB.

Google User Data

To minimize student and teacher information sharing with MATB, wherever applicable, MATB allows teachers, administrators, and students to log in with Google Classroom credentials. We allow teachers to create classes at learn.musicandthebrain.org that will also be accessible on Google Classroom, where students can be added to the class. MATB will only be collecting teacher and administrator emails for initial account setup. No password information will ever be provided to MATB staff for those who sign in with Google credentials. Only teachers and administrators acting on behalf of their students will set up student accounts. MATB will only use Google user data in the ways described in this privacy policy.


Data Storage and Protection

MATB takes significant measures to protect all User Data in our possession. We follow industry best practices and comply with all state and federal statutes and contractual obligations.

All student PII is stored encrypted in place at all times utilizing at least 256-bit encryption protocols. All User Data is stored in access-restricted systems within the United States. Only authorized MATB employees can access sensitive data, and only to serve the needs of our users. All MATB employees with access to any User Data undergo criminal background checks, attend annual data security training, and sign confidentiality agreements. MATB does not disclose User Data to any third parties.

Data Utilization

MATB utilizes the User Data we collect solely for educational purposes to serve our customers’ needs. MATB does not construct marketing profiles from User Data. Any user profiles constructed are used only for educational purposes. For instance, a student profile may be constructed that provides a holistic view of a student including their identifying information, assessment data, attendance records, and more. This student profile would only be created to present powerful insights to the student’s teachers, parents, or other authorized educational parties.
 
MATB does not use user profile data for marketing or advertising purposes. MATB does not disclose any user profile data to third parties.

Specific User Data elements are utilized for differing purposes. For instance, a student’s name might be utilized to populate a teacher’s class roster in MATB and allow the teacher to identify the student within the program. A teacher’s email address might be used for critical account communications. A complete, up-to-date listing of the data elements that MATB collects and how each element is used can be found at the end of this document.

Disclosure

MATB does not disclose User Data to any third parties without the express, written consent of the Data Owner. MATB never sells student data for any reason. MATB only transfers User Data to verified, authorized recipients using secure transfer protocols that encrypt the data in motion. We have internal rules and procedures in place for determining authorized recipients and verifying their identity. We do not share User Data, even de-identified, with any third parties.

MATB sometimes employs subcontractors to fulfill our duties to our customers. Any subcontractors employed by MATB who are given any access to User Data are held to MATB’s strict protocols and standards regarding the handling and protection of that data.
 
Music and the Brain All Access is a digital platform with a sophisticated web architecture. While all systems are designed and managed by MATB, our web hosting infrastructure is provided by Amazon Web Services (AWS). MATB does not explicitly disclose any sensitive data to AWS, but the data in MATB’s possession is stored on AWS systems within the United States. AWS is one of the largest web hosting providers in the world, with robust security procedures in place. AWS meets or exceeds MATB’s strict protocols for data security and complies with all federal and state statutes, including FERPA.

Data Retention

MATB retains User Data as long as it is useful to provide services to the Data Owner. As long as the Data Owner’s data is being utilized to support features being used by that Data Owner, MATB will continue to collect and store the data. When the data is no longer in use, MATB will de-identify any User Data so that it can no longer be associated to any real individual. MATB will retain the de-identified User Data solely for internal research and product development purposes.

The Data Owner may request that MATB de-identify or securely destroy their User Data in our possession at any time. If a Data Owner requests that MATB de-identify or securely destroy their data, MATB will obtain verified authorization from the Data Owner before completing the requested action. Once authorization is obtained, MATB will de-identify or securely destroy the data specified and will provide certification to the Data Owner that the action has been completed.
 
Data authorized for destruction will be securely destroyed following industry best practices, such as NIST SP 800-88. Depending on the data storage format, the destruction method will vary. The data destroyed will not be recoverable within the normal course of business.

Security Incident Response

MATB has a robust Security Incident Response Plan in place to respond to any data security incidents quickly and effectively. The plan is divided into five key phases:

  1. Prevent or Mitigate Breach – As soon as MATB becomes aware of any potential issue that could result in the unauthorized disclosure of sensitive data, our response team will immediately take any actions possible to prevent or mitigate the disclosure.
  2. Assess Impact – MATB will then assess the Security Incident and determine if there was a confirmed Security Breach, defined as a confirmed unauthorized disclosure of sensitive data. If there was a Security Breach, we will assess what data was disclosed and to whom.
  3. Notify – In the case of a Security Breach, affected users and Data Owners will be notified of the details of the disclosure.
  4. Remediate – MATB will work to address any security vulnerabilities illuminated by the incident in order to prevent future incidents. We will also assess our own response execution and make improvements to our Security Incident Response Plan where possible.
  5. Report – MATB will write a retrospective report including the full details of the incident and our response. This report may be made available to customers upon request, with the understanding that certain security details may need to be redacted to protect MATB’s security infrastructure and the data still in MATB’s possession.

Access and Correction

Data Owners can contact MATB with inquiries regarding their User Data. MATB will provide data requested to verified authorized recipients. If any User Data is found to be inaccurate or requires corrections, MATB will update the data as needed to ensure it is accurate. All data inquiries can be directed to info@musicandthebrain.org. In accordance with certain statutes and contractual requirements, MATB may direct students and parents of students to request data access or adjustments through their educational organization.

Successor Entities

If MATB is ever sold or merged with another business entity, the new parent business entity will agree to adhere to the same data security standards as MATB before any user data in MATB’s possession is shared with the new business entity. If the new business entity does not agree to uphold the same or stricter data security standards as MATB, then all existing MATB users will be notified of the impending business change and be allowed to choose whether they want their User Data shared with the new business entity or destroyed.

User Responsibility

MATB agrees to follow industry best practices and comply with all legislation regarding the handling and protection of User Data. We have significant security protocols in place to ensure User Data is protected during collection, storage, and transit. MATB does not accept responsibility for unauthorized disclosure of User Data that occurs as a direct result of customer or user negligence. Users should utilize strong passwords and access MATB utilizing secure networks. Users should never share their access credentials or personal data with any unauthorized parties or over any insecure channels.

Policy Consent

Any individual over the age of 18 years old who establishes an MATB account authorizes MATB to collect and utilize their User Data. MATB is authorized to collect and utilize User Data for users under the age of 18 (students) when a parent, guardian, or educator of such student (a) establishes an MATB account for the student user; (b) instructs the student user to establish an MATB account; or (c) directs the student user to complete educational tasks (assignments, activities, and the like) utilizing the MATB platform. MATB is also authorized to collect and utilize User Data for any users created as a result of bulk User Data exchange from an educational organization administrative entity.

Types of PII Music and the Brain Collects
 

Music and the Brain collects limited personally-identifiable information to best accommodate teacher and student use of our resources. Depending on the product configuration required, the information gathered may vary.
 

| Types of PII Collected | Required? | Furnished By | Purpose |
| --- | --- | --- | --- |
| Teacher username and password | Yes | Teacher | For access to Music and the Brain teacher content |
| Teacher name (first, last) | Yes | Teacher or District | For display in application |
| Teacher email | Yes | Teacher or District | For Music and the Brain to communicate when necessary |
| Student username and password | Optional | Student or District | For access to Music and the Brain student content |
| Student name (first, last) | Optional | District | For display in application. Particularly to help teachers identify students in Music and the Brain Grade Book. |
| Student email | Optional | District | Can be used as unique value to identify inbound Single Sign On user. Can be listed with student account for password reset purposes. |
| Student ID | Optional | District | Can be used as unique value to identify inbound Single Sign On user. Can be entered to help teachers identify students. |
| Student response forms, lesson quizzes, Challenges and audio performances on a virtual piano/keyboard | Optional | Student use | For educational purposes, students are asked to provide answers to quizzes pertaining to lesson content and exit tickets summarizing their rating of the lesson content. Students can submit audio recordings of their performances on the MATB virtual keyboard to their teacher. |

 

*These data types are required only if students are to have individual user accounts. This is not a requirement to use the program.

Response forms include three instances of active data collection through this website: (i) student response/exit ticket forms, (ii) student contests (known as “Challenges”), and (iii) parent feedback forms. Each of these is addressed in detail below:

Student Response Forms

Through student response forms (under the heading "Exit Ticket" on each student lesson page), MATB may collect certain voluntary information from users, particularly students, some of whom may be children under the age of thirteen (13), including (i) school; (ii) grade; and (iii) feedback about songs and lessons (anonymous User Generated Content). The information collected will be transmitted to related teacher accounts for teacher assessment of student progress and for internal organizational purposes in order to:

  • customize content and improve the site
  • conduct research and analysis to address the performance of our site
  • generate reporting for use by MATB.

Challenges

 

MATB may host online contests or “Challenges” to encourage users, including children, to engage with the site’s content. For these contests, we require only the information necessary for a user to participate, such as the user’s name (to distinguish among users), school, music teacher’s name, and parent email address (to notify the parent where required by law), if applicable. As Challenges involve the submission of students' own created educational content (“User Generated Content”), we require parental consent along with the submission, and will seek parental consent in the manner described under the subsequent heading “Verifiable Parental Consent.” 

 

By submitting Challenges User Generated Content, users, or parents/guardians on behalf of their children, acknowledge and agree that they have proper rights to the User Generated Content, and grant to MATB a nonexclusive, perpetual, irrevocable, gratis (i.e. free) license to utilize the User Generated Content in all ways provided for under Section 106 of the U.S. Copyright Act, including, but not limited to, the right to reproduce, perform, and create works derivative of, that User Generated Content. Submitting User Generated Content does not surrender the users’ copyright.

Verifiable Parental Consent

Consistent with the requirements of COPPA, in some instances of Challenges, where we ask for certain types of educational User Generated Content of a child under the age of 13, we will ask for verifiable parental consent. These specific types of content include substantial User Generated Content beyond simple responses, such as compositions and video recorded performances of MATB repertoire. In order for children under the age of 13 to submit this type of work, all submissions must be accompanied with an official signed permission form from a parent/guardian, consistent with the guidelines of COPPA.

With regard to school-based activities, COPPA allows teachers and school administrators to act in the stead of parents to provide consent for the collection of personal information from children. Schools should always notify parents about these activities. For more information on parental rights with respect to a child’s educational record under the Family Educational Rights and Privacy Act (FERPA), please visit the FERPA site.

Changes To This Policy and Notice
 
MATB reserves the right to revise this Policy at any time for any reason in our sole discretion by posting an updated Policy without advance notice to you. Such revisions shall be effective immediately upon posting, and if you use MATB’s sites or applications after they become effective, it will signify your agreement to be bound by the changes. We shall post or display notices of material changes on this site; the form of such notice is at our discretion. However, we encourage you to check this Policy often for updates. Please contact us at the mailing address, email, or phone number below with questions about our Policy and collection and use practices: 
 
Music and the Brain-Building for the Arts
412 West 42nd Street, 5th Floor
New York, NY 10036
Phone: (646) 448-9059
Email: lisala@musicandthebrain.org