Privacy & Data Governance for Schools
A plain-language overview of how Music Producer Lab handles student data, what we collect, how we protect it, and what documentation is available to your institution.
What data we collect
Music Producer Lab is designed to work with minimal personal data. For school accounts, we collect only what is operationally necessary:
- Student display name or username (set by the school — no real name required)
- School-managed email address or login token
- Lesson progress and completion data (used for class-linked learner activity reporting)
- Time-on-task per lesson (aggregated, not keystroke-level)
We do not collect date of birth, home address, device identifiers, or any biometric data. No student profile is ever used for advertising or sold to third parties.
UK GDPR & Data Protection context
For institutional use, Music Producer Lab is designed to fit a controller-processor relationship where the school acts as the data controller and MPL acts as a data processor. Contract wording and legal basis are confirmed during procurement.
- The school determines the purpose and legal basis for processing
- We act strictly on the school's documented instructions
- Student data is not processed for any purpose beyond delivering the platform
- Data subjects (students and parents) can exercise rights through the school's own process
Students under 13
MPL does not position direct public sign-up as the route for under-13 learners. In a school context, access is intended to be created and managed by the school administrator or teacher.
- The school remains the responsible party for the lawful basis and local consent requirements
- Student accounts can be pseudonymous (username only, no real name)
- No marketing communications are sent to student accounts
- Account deletion can be requested through the school or support channel
Security & hosting
- Platform hosted on managed cloud infrastructure
- All data in transit encrypted with TLS 1.2+
- Database hosted on managed PostgreSQL infrastructure with encryption at rest
- Limited student data (class enrollment state, lesson progress) stored in browser localStorage to support platform features
- Admin access restricted by role-based authentication
Data retention & deletion
School and student data retention expectations are agreed during the institutional relationship. Typical process at contract end:
- Activity data can be exported by the school during the agreed handover window
- Live student data is scheduled for deletion after the contract end process is completed
- Backup retention follows the hosting provider's operational schedule
- Deletion confirmation can be requested in writing
Documentation available on request
For institutional procurement and compliance teams, the following documents are available:
- Data Processing Agreement (DPA)
- Record of Processing Activities (RoPA) summary
- Sub-processor list
- Privacy Notice (student-facing)
- Acceptable Use Policy template for schools
Email [email protected] with your institution name and we will respond within two working days.
Ready to start a pilot?
30-day pilots are scoped manually, no credit card required. Get in touch to discuss documentation, access setup, and the right rollout shape for your class or department.
Last reviewed: April 2026