MDM Academy School Privacy Policy

Mama, Dada and Me Adventures, LLC (“MDM Academy,” “we,” “us,” or “our”) provides an AI-powered literacy platform designed for Pre-K through Grade 3 students. This School Privacy Policy applies specifically to the use of MDM Academy within educational institutions (“Schools”) and governs the collection, use, and protection of student education records and personally identifiable information (“PII”).

This policy is separate from our Consumer Privacy Policy, which governs use of our platform by individual families. When MDM Academy is used in a school setting, this School Privacy Policy takes precedence.

MDM Academy is designed to comply with the following federal and state laws:

• Family Educational Rights and Privacy Act (FERPA) — 20 U.S.C. § 1232g: We act as a “school official” with a legitimate educational interest under the school official exception. We do not use education records for any purpose other than providing the contracted educational service.
• Children’s Online Privacy Protection Act (COPPA) — 15 U.S.C. §§ 6501–6506: Schools may consent to the collection of student information on behalf of parents/guardians for educational purposes, as permitted by the FTC’s COPPA Rule (16 CFR Part 312).
• New Jersey Student Data Privacy Act — P.L. 2014, c.151 (N.J.S.A. 18A:36-35 et seq.): We do not use student data for targeted advertising, create student profiles for non-educational purposes, or sell student data.
• Protection of Pupil Rights Amendment (PPRA) — 20 U.S.C. § 1232h

3.1 Student Data (Minimal Collection)

3.2 Data We Do NOT Collect from Students

• Email addresses, phone numbers, or home addresses
• Social Security numbers or government IDs
• Photographs, biometric data, or facial recognition data
• GPS location or precise geolocation
• Financial information or payment data
• Social media accounts or contacts
• Health or disability information
• Behavioral or disciplinary records

3.3 Teacher Data

Teachers provide their name, email address, school name, district, and grade level to create an account. Teacher voice recordings (for classroom voice features) are collected only with explicit consent and are used solely for reading aloud to students in their class.

Student data is used exclusively for the following educational purposes:

• Personalized reading experiences — Stories use the student’s first name and are adapted to their reading level
• Learning analytics — Teachers can view reading progress, quiz scores, and writing development
• Adaptive content — The platform adjusts difficulty based on demonstrated proficiency
• Standards alignment — Content is aligned to NJ Student Learning Standards (NJSLS) and Common Core State Standards (CCSS)

Student data is never used for:

• Advertising or marketing of any kind
• Creating profiles for non-educational commercial purposes
• Sale to third parties
• Training AI models on identifiable student data

MDM Academy uses artificial intelligence to generate personalized stories, reading comprehension questions, writing prompts, and feedback. All AI-generated content is:

• Age-filtered — Content is constrained to age-appropriate themes and vocabulary
• Standards-aligned — Writing prompts follow NJSLA Prose Constructed Response (PCR) formats for Grade 3
• Non-persistent for training — Student interactions with AI are not used to train or improve AI models
• Reviewed by educators — Our content framework was developed with input from certified teachers

• Encryption in transit: All data is transmitted over TLS 1.2+ (HTTPS)
• Encryption at rest: Database storage uses AES-256 encryption
• Access controls: Student data is accessible only to their assigned teacher and school administrators
• Session security: Student sessions expire after 12 hours; teacher sessions after 30 days
• Authentication: Teacher passwords are hashed with bcrypt (12 rounds); student access requires a class code
• Rate limiting: All endpoints are rate-limited to prevent abuse
• Security headers: Helmet.js provides CSP, HSTS, X-Frame-Options, and other security headers
• No student passwords: Students authenticate via class code and name selection — no passwords to compromise

• Default retention: Student data is retained for the duration of the school’s subscription or until the end of the academic year, whichever comes first
• Deletion on request: Schools may request deletion of all student data at any time by contacting [email protected]
• Automatic cleanup: When a teacher removes a student from a class, all associated data (reading sessions, quiz results, writing responses, word bank, rewards) is permanently deleted
• End-of-year purge: At the end of each academic year, schools will be prompted to confirm whether data should be retained or deleted
• Teacher data: Teacher accounts and associated voice recordings are deleted upon request or when the school’s subscription ends

MDM Academy uses the following third-party services in the school portal:

No third-party service receives student email addresses, last names, home addresses, or any data beyond what is strictly necessary for the educational service.

9. Parental Rights

Parents/guardians retain the following rights regarding their child’s data:

• Right to inspect: Parents may request to review their child’s data through the school
• Right to correct: Parents may request corrections to inaccurate data
• Right to delete: Parents may request deletion of their child’s data through the school
• Right to opt out: Parents may opt their child out of using MDM Academy by notifying the school

In the school context, the school acts as the agent for parental consent under COPPA. Parents should direct data requests to their child’s school, which will coordinate with MDM Academy.

10. Data Processing Agreement

MDM Academy will enter into a Data Processing Agreement (DPA) with any school district upon request. Our DPA template is aligned with the Student Data Privacy Consortium (SDPC) National DPA and includes:

• Description of data elements collected
• Purpose limitations on data use
• Data security obligations
• Breach notification procedures (within 72 hours)
• Data return/deletion upon contract termination
• Prohibition on secondary use of student data
• Compliance with applicable state and federal laws

To request a DPA, contact [email protected].

11. Breach Notification

In the event of a data breach affecting student records, MDM Academy will:

• Notify the affected school district within 72 hours of discovery
• Provide details of the nature and scope of the breach
• Describe the steps taken to contain and remediate the breach
• Cooperate fully with the school district’s incident response procedures
• Comply with all applicable state breach notification laws, including the New Jersey Identity Theft Prevention Act (N.J.S.A. 56:11-44 et seq.)

12. Changes to This Policy

We will notify schools of material changes to this policy at least 30 days before they take effect. Continued use of MDM Academy after the effective date constitutes acceptance of the updated policy. Schools may terminate their use of the service if they do not agree with the changes.

13. Contact Information