GraceNotes considers its users’ privacy a priority.
Information Collected by GraceNotes
You must create an account on our website in order to use Sight Reading Factory®’s online services. You may be part of a school system that is providing access to Sight Reading Factory® as a benefit to its students and has provided a registration code. Or you may wish to use Sight Reading Factory® independently as part of your private music practice. Both scenarios are described below.
If your school system has contracted with GraceNotes to use its services, a teacher or authorized school official must first register on the Sight Reading Factory®’s website so that student accounts can be linked to the school’s account. The school official is asked to enter the following information during registration: first name, last name, and email. In order to process payment for the school system, either credit card or Paypal account information is collected. Payment information is not stored by GraceNotes. Students age 12 and under who are creating a school account are asked to enter the following information during registration: first name, last initial, and username. Users under 12 are prohibited from using an email address as their username (the “@” character is disallowed).
By default, students above the age of 12 must use an email as their username, and are allowed to provide a full last name. Sight Reading Factory allows administrators to opt-in to prohibiting use of email and last name for all students of any age. If the administrator chooses to prohibit this information, then students age 13 and older are asked to enter first name, last initial, and username. If the administrator chooses to allow this information, then students age 13 and older are asked to enter first name, last name, and email. Email address is used by us only for automating Forgot Password functionality, and is not shared with third parties.
Those signing up on behalf of Independent Sight Reading Factory® users age 12 and under are asked to enter the following information during registration: first name, last initial, and a parent’s email address which will be the username. Students age 13 and older who are creating an individual account are asked to enter the following information during registration: first name, last name, and email. Payment information, via credit card or Paypal, is also requested from both groups. Payment information is not stored by GraceNotes.
As users participate in the Sight Reading Factory® online program, GraceNotes collects information about usage, history, session data, and preferences selected on the user’s dashboard. Details associated with each practice composition, including the instrument selected and level of difficulty, are collected. Where user accounts are linked to a school system or private instructor, practice compositions assigned, including audio recordings, and teacher feedback are saved.
Exceptions From Information Collection
If students access Sight Reading Factory® through a learning management system (“LMS,” for example Canvas or Blackboard), or a single sign-on (“SSO,” for example Auth0 or OneLogin), GraceNotes will not collect any personally identifiable information about them.
Information collected directly from users
GraceNotes also collects information directly from users as they interact with the site. This student-generated data includes but is not limited to a user’s choice of instrument, level and time signature, time spent playing a composition, selections made to customize a given assignment, and audio recordings of practice sessions. We may use student-generated and teacher-generated data to analyze student-generated data and provide the student and his or her teacher with periodic progress reports on performance, and to improve GraceNotes’ offerings. If we ever need to collect information that is not generated from usage, GraceNotes will seek authorization of a parent, guardian, or school official prior to collecting such additional information from the user. In addition, we may aggregate your student’s generated data with the generated data of other students for business related purposes. Aggregate information will be anonymous and will not allow individual users to be identified.
How GraceNotes will use the information collected from you
GraceNotes does not collect, maintain, use, or share student personal information beyond that needed for educational purposes, as authorized by parents and students. By ‘educational purposes,’ we mean services or functions that customarily take place at the direction of schools and teachers, that aid directly in instruction and practice of music education
Email Address: For some users over the age of 12 and school administration officials, email address will serve as login username. If email address is collected, it may be used to send a confirmation email upon registration and it may be used as an additional means of communicating about our services, including notifications of updates to the web site or its related policies. However, if a user signs up with a school system voucher, that user will not be added to the mailing list and email address provided will only be used for password reset. For users under the age of 12, an identifier set up at registration will serve as login username in lieu of email, and parental email provided for consent will only be used for password reset.
Student’s Name: Student’s name will be used to customize areas of the website, as well as to personalize the reports and updates to teachers or school administrators concerning student progress. Users 12 and under will only be asked for first name and last initial, whereas students 13 and older will be asked for first and last name.
Credit Card or PayPal Information: In order to collect payment for services provided, Stripe and PayPal services are offered. No payment data is stored in GraceNotes’ database.
Participation Data: Participation history will be collected by GraceNotes for customer care, business development, and other operational purposes, including improvements to our services; however, such information will not be disclosed to third parties or used for advertising directly to student users.
Secondary Uses: Registration Information and other information may be used for ad-hoc data analysis and internal reporting on site usage. In all cases, the information will only be used to further our educational purposes, either internally by GraceNotes or shown to the user to whose account it pertains. Such information be aggregated as anonymous statistical information. GraceNotes will not sell, trade, or assign any personal information to third parties outside nor directly target any type of communication to a student.
Reviewing and changing your information
You may review and modify your account information at any time by using your password to access the site. An export of your account data can be provided upon request by writing to the address or email below. We provide this access to student personal information to parents and students for review and correction, either by direct request from student users, parents, or through a school or teacher. Please allow 5 business days for completion of your request.
Deleting your account, retention of data
A user who initially opens an account related to a school system can continue to maintain their user account after graduating from or leaving that school system. A user simply needs to pay the fee associated with maintaining the account when it is due in order to keep the account active. The account can persist in an inactive state if the user does not pay the maintenance fee. However, if at any time, a user decides they actively want to remove his or her account from GraceNote’s user database, he or she can initiate a deletion request by writing to the address or email below. Please allow 5 business days for completion of your request. Where we do not receive a specific request for removal of account-related data from our database, GraceNotes’ standard information retention practice and the limits of its obligation to retain data on inactive accounts is limited to two years.
For students who have received a school code from their school system in order to create an account, the school system has contracted with GraceNotes to collect the limited personal information described above from students for the use and benefit of the school and for no other commercial purpose. Based on this, GraceNotes provides the school system with full notice of its collection, use, and disclosure practices and presumes that the school’s authorization for collection of students’ personal information is based upon the school having obtained parental consent.
Users under the age 18 who are creating accounts independently outside of a school system must have parental consent. Parents are not contacted directly.
You will be asked to select a password to access GraceNotes services. Your password should be kept confidential. Your password will allow you to review and change the information we collect about you, or if you’re a teacher or school administrator, it will allow you to review information about your students.
Protecting your information
No data transmissions over the internet can be guaranteed to be 100% secure, and, therefore, GraceNotes cannot completely ensure or warrant the security of any information you transmit to us.
As a third-party contractor to educational institutions, GraceNotes has adopted and will continue to align its practices with the National Institutes of Standards and Technology’s Cybersecurity Framework (“NIST CSF”), as well as federal and state laws including laws referenced in this policy, and New York State Education Law § 2-d and its implementing regulations. Internal access to education records is limited to those GraceNotes employees or subcontractors who require it to provide the contracted services. We will:
- maintain reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of PII,
- use encryption technology to protect data while in motion or in our custody from unauthorized disclosure, using controls as specified by the Secretary of HHS in guidance issued under Public Law 111-5, § 13402(h)(2).
More specifically, we have taken the following measures to protect the data from loss, misuse or alteration of information under our control.
- Data in transit: All browser/server communications utilize HTTPS/TLS 1.1 protocol currently. Browser/server communication protocols are reviewed and updated on a quarterly basis.
- Data at rest: Passwords are stored using a hashing algorithm (bcrpyt) specifically designed for this purpose. Passwords are never stored or transmitted in an unencrypted format such that even Gracenotes does not have the ability to un-encrypt them.
- Production environment access is limited to two site owners and is protected with two-factor authentication.
- Automatic snapshot backups of the production database are retained for 7 days. Redundant full DDL backups are retained for 1 day.
- Industry best practices are leveraged when coding the site and emphasis is placed on preventing attacks such as SQL injection.
- If a data breach occurs that results in an unauthorized release of user data, Gracenotes is responsible for notifying the school district or, if not associated with a school district, the independent user within 72 hours from the time the data breach occurred. If the account is connected to a school district, the notification must be written and include what happened, when the breach occurred, when the breach was identified, a complete accounting of the data that was breached, the number of students or employees impacted, which students or employees were impacted, and steps taken to mitigate continued breach of data. If the account is not connected to a school district, Gracenotes will use the parent’s email address of users under 12 and the student’s email address for users over 12 to send notification of the data breach.
Your information and third parties
GraceNotes will not sell, trade, or assign any personal information that it collects to third parties. GraceNotes uses Google Analytics to track usage data. Geolocation is used at signup to estimate the user’s timezone for end user reporting and formatting only. All data is aggregated and reported in the form of anonymous group statistics and in a manner that makes individual student users unidentifiable. GraceNotes’ use of Google AdWords is completely separate from the website and no re-marketing to site visitors is done.
GraceNotes uses third party vendors and hosting partners to provide the necessary hardware and other technical contributions required to run SRF. Although we own the code, databases, and all rights to SRF and the Service, you retain all rights to your own data.
Unsolicited third-party promotional emails
GraceNotes will not send unsolicited third-party promotional emails.
Sight Reading Factory® Mobile App
GraceNotes offers users the option of practicing via the mobile app in addition to the website. The mobile app is simply a front-end interface that connects to the same service behind the website and collects less user information than the website. All privacy policies explained here apply to the mobile app as well.
Children’s Online Privacy Protection Act
The Children’s Internet Protection Act
The Children’s Internet Protection Act (CIPA) is a federal law enacted by Congress in December 2000 to address concerns about access to offensive content over the Internet on school and library computers. CIPA imposes certain types of requirements on any school or library that receives funding support for Internet access or internal connections from the “E-rate” program — a program that makes certain technology more affordable for eligible schools and libraries. GraceNotes does not provide links to external resources or chat rooms and our site does not contain any offensive or inappropriate material. If you would like more information about CIPA, please go to http://www.fcc.gov/cgb/consumerfacts/cipa.html.
The Family Educational Rights and Privacy Act
Relevant for our users associated with a school system, the Family Educational Rights and Privacy Act (FERPA) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
FERPA gives parents certain rights with respect to their children’s education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. GraceNotes helps our school district administrators be compliant with FERPA. Specifically:
- Any sensitive online information is transmitted over secure channels
- All student data is stored in ways such that it is not publicly accessible
- Security audits are performed to ensure data integrity
GraceNotes does not share information with any third parties that could be used to personally identify students. If a school requests that student data be sent to a third party, with parental consent, GraceNotes will send the data to the school and never directly to the third party.
If you would like more information about FERPA, please go to https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html.
The Student Online Personal Information Protection Act
The Student Online Personal Information Protection Act (SOPIPA) imposes rigorous rules on operators of websites or providers of internet services or mobile applications where the services are used primarily for “K-12 school purposes” and were designed and marketed for K–12 school purposes. Among other things, it prohibits the use of student data for targeted advertising on the website, service or app and the sale of student data. Operators of educational online services must also implement and maintain reasonable security procedures and practices, as well as protect that student data from unauthorized access, destruction, use, modification, or disclosure.
GraceNotes will not sell, trade, or assign any customer information to third parties. Targeted advertising is not done currently and is not planned for the future. GraceNotes has taken several precautions as described above in section 8 to protect user data from loss, misuse or alteration of information under our control.
If you would like more information about SOPIPA, please go to https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201320140SB1177
A Word About the CCPA
We sometimes get questions about the California Consumer Privacy Act (effective starting in 2020). That law does not apply to SRF. We do not sell anyone's personal information. We do not therefore derive any revenue from selling consumers' personal information. We do not buy or sell personal information related to more than 50,000 consumers, households, or devices. We do not have gross annual revenues in excess of $25 million. As always, if you have any questions or concerns about how we collect and handle information, please contact us at email@example.com”
If you have any questions about your privacy or the security measures we have implemented, please contact our Privacy Officer at: