Software-Privacy Policy

Privacy Policy

Effective date: February, 10, 2022

Last updated date: September 4, 2022

To see previous versions of our privacy policy please contact us at [email protected]

MARIOforMe is owned and operated by Mario Framework LLC, a Delaware limited liability company. Our mission is to leverage robust research to develop cutting-edge, technology-rich, learning solutions that release students’ inner purpose and strengths, positioning them for success. We are constantly innovating and measuring our impact in order to improve the lives of children, and we recognize our moral and legal responsibility to protect student privacy and ensure data security.

This policy outlines the MARIOforMe platform’s privacy practices. If you would like information the privacy practices of marioframework.com please visit the site’s privacy policy here https://marioframework.com/privacy-policy/

___________________________

Kids Privacy Assured by PRIVO: Student Digital Privacy

MARIO Framework, LLC is a member of the PRIVO Kids Privacy Assured Program(“the Program”) for Student Digital Privacy. PRIVO is an independent, third-party organization committed to safeguarding children’s personal information collected online.

Student Digital Privacy Assured

The Program applies to the digital properties listed on the validation page that is viewable by clicking on the PRIVO Student Digital PrivacyVerified Shield. The PRIVO Student Digital Privacy Assured Program supports EdTech providers to comply with key student digital privacy regulations, including Family Educational Rights and Privacy Act (“FERPA”), Protection of Pupil Rights Amendment (“PPRA”)  Student Online Personal Information Protection Act (“SOPIPA”), California AB 1584 Education Code section 49073.1 – Privacy of Pupil Records: 3rd-Party Digital, California Education Code 49073.6 – Collection of Student Information from Social Media and Student Privacy Pledge. The Program includes regular monitoring of its members.

___________________________

Table of Contents

COPPA compliance…………………………………………………………………………………………………………….. 3

FERPA compliance……………………………………………………………………………………………………………… 3

GDPR compliance………………………………………………………………………………………………………………. 3

PDPA compliance………………………………………………………………………………………………………………. 3

Information we collect from students……………………………………………………………………………………. 3

Data collection………………………………………………………………………………………………………………. 3

Service Providers………………………………………………………………………………………………………….. 4

Data use………………………………………………………………………………………………………………………. 4

Data disclosure and access……………………………………………………………………………………………….. 4

Data retention and management………………………………………………………………………………………. 5

Data destruction……………………………………………………………………………………………………………. 6

Links……………………………………………………………………………………………………………………………. 6

Security overview……………………………………………………………………………………………………………… 6

Software security…………………………………………………………………………………………………………… 6

Data encryption………………………………………………………………………………………………………….. 6

File Transfer Protocol…………………………………………………………………………………………………… 6

Firewalls……………………………………………………………………………………………………………………. 6

Security audits……………………………………………………………………………………………………………. 7

Secure programming practices………………………………………………………………………………………. 7

Account protection……………………………………………………………………………………………………… 7

Changes to our privacy policies…………………………………………………………………………………………….. 7

COPPA compliance

The primary users of MARIOforMe are young children. The Children’s Online Privacy Protection Act (COPPA) protects children under the age of 13. School officials and teachers are authorized under COPPA to provide consent on behalf of parents; therefore, MARIOforMe does not obtain parental consent directly. A teacher or school district official provides consent for a child under the age of 13 to use MARIOforMe when they create a MARIOforMe account for that child. MARIOforMe enters into contractual agreements with every school and district it works with.

 

FERPA compliance

The Family Educational Rights and Privacy Act (FERPA) provides parameters for what is permissible when sharing student information. MARIOforMe is authorized by schools and districts under the FERPA “school official” exception to receive and use educational data to provide educational services. This data has significant educational value; apart from enabling the creation of accounts with which students access the MARIOforMe individualized learning path, the data allows teachers to track student growth and identify students who need intervention. This information is used only for academic purposes. We do not collect data for collection’s sake, and access is limited and appropriate.

GDPR compliance

MARIOforMe is committed to the principles inherent in the General Data Protection Regulation (GDPR) and particularly to the concepts of privacy by design, the right to be forgotten, consent and a risk-based approach. In addition, we aim to ensure:

  • transparency with regard to the use of data
  • that any processing is lawful, fair, transparent and necessary for a specific purpose
  • that data is accurate, kept up to date and removed when no longer necessary
  • that data is kept safely and securely.

PDPA compliance

MARIOforMe is committed to the principles inherent in the Personal Data Protection Act (PDPA). In addition to complying with COPPA, FERPA, and GDPR regulations, we ensure compliance with additional regulations set out by the PDPA.

We require parental consent for all data owners under the age of 10. MARIOforMe does not obtain parental consent directly and requires that schools bear the responsibility of ensuring parental consent for all students, under the age of 18, using MARIO for Me.

Information we collect from students

This section provides information about MARIOforMe data practices and explains how we collect, use, and maintain student personal information.

Data collection

When a school or district creates a student account, MARIOforMe begins to collect information about students. Some of the data stored are personally identifiable information (PII).

The following is a list of data fields that a school populates to create a student account.

  • First name
  • Last name
  • Email

As students use MARIOforMe, additional data is collected, including assessment scores, curriculum progress, student images, audio, video, goals, strengths, challenges, learning strategies, friendships, activities, support structures, habits and approaches towards learning, social and emotional learning factors, and reflections on learning.

Students cannot share with other student users on the platform, there are no community features available for students such as chat, comments, forums or social media links.

MARIOforMe also collects some personal information about teachers and administrators when a school or district creates accounts. This data includes first and last name, e-mail address, school or district name, pedagogical goals, pedagogical practices, and reflections on learning.

Service providers

1. Amazon Web Services – Cloud computing provider

2. Amplitude – Product analytics

3. MongoDB Atlas – Database platform

4. Pusher – Realtime data and functionality

5. Zendesk – Cloud-based help management

6. SendGrid, Inc – Email notification service

For more information on these service providers, please contact us at [email protected]

Data use

Data we collect is used to provide educational services. MARIOforMe tracks and assesses a student’s development as they progress through the curriculum. This data is used to generate reports that allow teachers to evaluate student progress and identify students who need intervention. MARIOforMe does not rent or sell student personal information, nor do we share the student information we collect for behavioral advertisements to students. We do not build a profile of students to track them across the internet and we do not share user data with third parties. No student data is used for commercial purposes.

We retain some de-identified data (data we have made anonymous by removing all personally identifiable information) to conduct statistical research. This research helps us evaluate the effectiveness of MARIOforMe and improve our product.

Data disclosure and access

MARIOforMe acknowledges the right parents and legal guardians have under COPPA and FERPA to review, amend or request deletion of any educational data we collect pertaining to their children. Upon request, and after verifying identity, we will provide parents and legal guardians access to this data within 45 days. However, we recommend that parents first contact their child’s school.

Personal data collected by MARIOforMe is accessible only to a limited number of MARIOforMe employees who need the data to perform their job. Access is controlled using a number of technical measures.

A Note to UK, EU, & Thai Citizens:

MARIOforMe complies with the rights given to EU/UK Citizens under the General Data Protection  

Regulation (GDPR) and Thai Citizens under the PDPA.

These rights under the GDPR are as follows:

  • to correct the personal data we have about you;
  • to withdraw your consent to the processing of your personal data;
  • to obtain a copy of the personal data we hold about you;
  • to have your personal data deleted;
  • to transfer your personal data to another controller to provide you with services;
  • to restrict the personal data we have;
  • to request we stop processing your personal data.

These rights under the PDPA are as follows:

  • to be informed;
  • to rectification;
  • to data portability;
  • to access/obtain records;
  • to objection;
  • to erasure;
  • to restriction;
  • to consent withdrawl;
  • to complaint.

If you are an EU/UK/Thai citizen and would like to make a complaint about the way we process your personal data, you can contact the relevant Data Protection Authority (DPA). Please contact us at [email protected] to find out more.

You can action any of these rights by contacting us at: [email protected] Requests will be

actioned within 30 days. In the event that a request cannot be actioned in that time, we will respond to explain

why and confirm when it is complete.

Data retention and management

Data maintained by MARIOforMe is protected in a secure environment. See Security Overview for more information about MARIOforMe security practices.

All Personal data provided to MARIOforMe will be destroyed upon termination of our relationship with the school or district, or when it is no longer needed for the purpose for which it was provided. A school, student, or parent can request their data if their account is closed (if their data is not yet deleted) or they no longer wish to use the service.

If a parent, student or school requests the deletion of their data this will be actioned within 30 days.

As outlined in the Individuals with Disabilities Education Act (IDEA), the MARIO Framework will support the Licensee in informing parents when the data of a special education student is no longer needed to provide services to that student.

 

Data destruction

MARIOforMe employs United States Office of Education best practice recommendations for data destruction.

MARIOforMe uses these processes for data destruction:

  • Data is destroyed within 30 days of termination of a relationship with a school or district, preserving the opportunity of a school or LEA to honor any remaining parent requests for student education records created by the use of MARIOforMe before they are no longer available.
  • Data is destroyed using National Institute of Standards and Technology (NIST) clear method sanitization that protects against non-invasive data recovery techniques.
  • Sensitive data is completely removed using Eraser rather than methods such as file deletion, disk formatting, and one-way encryption that leave the majority of data intact and vulnerable to being retrieved.
  • Occasionally, non-electronic media used within MARIOforMe may contain personal data. When these documents are no longer required, the non-electronic media is destroyed in a secure manner (most typically using a shredder) that renders it safe for disposal or recycling.

MARIOforMe does not include links out to other sites and online services.

Security overview

At MARIOforMe, we are serious about our responsibilities. We have implemented several security measures to protect personal data from unauthorized disclosure.

Software security

MARIOforMe has implemented privacy and security practices that are compliant with relevant regulations; however, to achieve comprehensive protection of student personal data it is necessary for each school or district to use secure practices as well.

Data encryption

Data is encrypted when in rest and in transit.

File Transfer Protocol

Data is securely transferred to MARIOforMe using File Transfer Protocol (FTP) over secure (SSL/TLS)  cryptographic protocol.

Firewalls

Anti-virus software and firewalls are installed and configured to scan our system. The firewall is periodically updated and configured so users cannot disable the scans.

Security audits

MARIOforMe conducts security audits and code reviews.

Secure programming practices

MARIOforMe software developers are aware of secure programming practices and strive to avoid introducing errors in our application (like those identified by OWASP and SANS) that could lead to security breaches.

Account protection

Each user of MARIOforMe is required to create an account with a unique account name and password. Single Sign-On (SSO) users are authenticated with secure tokens.

Changes to our privacy policies

MARIOforMe periodically reviews the processes and procedures described in this document to verify that we act in compliance with this policy. If we determine that a change is necessary to improve our privacy practices, we may amend this policy. Changes will be posted 30 days prior to their implementation. If we make a material change to this policy we will notify you by email before making the change.

Contact[email protected] | 651 North Broad Street, Suite 206 Middletown, Delaware 19709 USA | +14043147708