Merge EDU takes data privacy very seriously, and our platform is compliant with several data protection and security standards, such as:
- Children's Online Privacy Protection Act (COPPA)
- General Data Protection Regulation (GDPR)
- Student Data Privacy Consortium (SDPC)
- Student Privacy Pledge
Customers also have the option to create accounts without any personally identifiable information (PII) for students, by creating generic/shared usernames and passwords.
Data Collected by Merge EDU
The Merge EDU Platform may require some information from customers.
For Administrator-level accounts, we require a full name and email address, so that we can contact them for setup and updates. When purchasing the subscription, we will also ask for the name and address of the school or organization.
For Teacher-level accounts, we require an email address, but first and last names are optional. Email addresses are required to be verified to prevent spam and to alert teachers of system updates.
For Student-level accounts, we only require a username and password. Usernames do not need to relate to the student individually, and can be created as a shared student account for all users. A username and password is required for the purpose of signing into the apps.
For any users using a single sign on tool (Microsoft, Google, Classlink, Clever, Apple) our platform only collects data authorized by the customer through SSO permissions. This may (but not necessarily) include full name, username, and/or email address, for the purposes of signing in.
The Merge EDU apps also collect some usage data from accounts. This includes:
- A log of when accounts sign into the Merge EDU apps (Merge Explorer & Object Viewer)
- Science Simulations and Topic Cards completed in Merge Explorer
- Objects viewed in Object Viewer
- 3D models uploaded via the Object Uploader
All information gathered can be deleted manually by the user by deleting their account via the Merge Dashboard.
Children's Online Privacy Protection Act (COPPA)
Merge EDU is compliant with the Children's Online Privacy Protection Act (COPPA). COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.
Merge EDU does not require nor collect any Personally Identifiable Information (PII) from children under 13 years of age, except where voluntarily shared by a Local Education Agency that has obtained parental authorization.
For more information, visit https://www.ecfr.gov/current/title-16/part-312.
General Data Protection Regulation (GDPR)
Merge EDU is compliant with the General Data Protection Regulation (GDPR). The GDPR is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area.
For more information, visit https://gdpr.eu/what-is-gdpr/.
Student Privacy Pledge
Merge EDU has signed the Student Privacy Pledge. The Pledge is a set of commitments intended to build transparency and trust by obligating signatories to make baseline commitments about student privacy that can be enforced by the Federal Trade Commission and state attorneys general.
We pledge to carry out responsible stewardship and appropriate use of student personal information gathered in our role as school service providers according to the commitments below and in adherence to all laws applicable to us as school service providers.
We Commit To:
- Not collect, maintain, use or share student personal information beyond that needed for authorized educational/school purposes, or as authorized by the parent/student.
- Not sell student personal information.
- Not use or disclose student information collected through an educational/school service (whether personal information or otherwise) for behavioral targeting of advertisements to students.
- Not build a personal profile of a student other than for supporting authorized educational/school purposes or as authorized by the parent/student.
- Not make material changes to school service provider consumer privacy policies without first providing prominent notice to the account holder(s) (i.e., the educational institution/agency, or the parent/student when the information is collected directly from the student with student/parent consent) and allowing them choices before data is used in any manner inconsistent with terms they were initially provided; and not make material changes to other policies or practices governing the use of student personal information that are inconsistent with contractual requirements.
- Not knowingly retaining student personal information beyond the time period required to support the authorized educational/school purposes, or as authorized by the parent/student.
- Collect, use, share, and retain student personal information only for purposes for which we were authorized by the educational institution/agency, teacher or the parent/student.
- Disclose clearly in contracts or privacy policies, including in a manner easy for parents and teachers to understand, what types of student personal information we collect, if any, and the purposes for which the information we maintain is used or shared with third parties.
- Support access to and correction of student personally identifiable information by the student or their authorized parent, either by assisting the educational institution in meeting its requirements or directly when the information is collected directly from the student with student/parent consent.
- Maintain a comprehensive security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of student personal information against risks – such as unauthorized access or use, or unintended or inappropriate disclosure – through the use of administrative, technological, and physical safeguards appropriate to the sensitivity of the information.
- Require that our vendors with whom student personal information is shared in order to deliver the educational service, if any, are obligated to implement these same commitments for the given student personal information.
- Allow a successor entity to maintain the student personal information, in the case of our merger or acquisition by another entity, provided the successor entity is subject to these same commitments for the previously collected student personal information.
For more information, visit http://studentprivacypledge.org.
Student Data Privacy Consortium
Merge EDU is compliant with the Data Privacy Agreement (DPA) templates of the Student Data Privacy Consortium (SDPC). The SDPC is a unique collaborative of schools, districts, regional, territories and state agencies, policy makers, trade organizations and marketplace providers addressing real-world, adaptable, and implementable solutions to growing data privacy concerns.
For more information, visit https://sdpc.a4l.org/.