Noteflight Learn Terms and Privacy Policies

Noteflight Learn is acceptable for students of all ages.

Noteflight Learn is appropriate for students of all ages, and is compliant with COPPA, FERPA, GDPR and CCPA. Noteflight Learn allows schools and/or districts to create their own private website for their students (e.g. "schoolname.sites.noteflight.com") which serves as a walled garden, completely separate from the consumer accounts on noteflight.com. 


We take school data privacy and security very seriously and are constantly monitoring and working to ensure that school data is protected and secured to the highest standards. If you have any questions regarding these Noteflight Learn Terms and Privacy Policies, or need us to complete documents for your school or district, please email us at info@noteflight.com.


Included Terms and Policies

1. Noteflight Learn Subscription Terms

These terms represent the contract between Noteflight and the purchasing school or district, and includes details on what data we collect, how it is used, and how it is protected.  


2. Data Processing Addendum

This addendum covers our use of data in compliance with GDPR and CCPA.


3. Student Data Policy

This policy discloses our use of Student Data in compliance with COPPA and FERPA.




Frequently Asked Questions

What personally identifiable data is collected?

We only collect school employee and student data needed to provide the services. For students and teachers, this includes: First and last name, username, and any information entered in musical scores. Each account will have an administrator where we collect necessary school and billing information, including a contact email. 


How is data used?

We only use education data to provide the services needed for Noteflight Learn. We do not use data for marketing or any other means beyond what is necessary for use of the product.

How is data secured?
We use encryption and other industry-standard practices to make sure digital data is protected at all times.


Who has access to data?

We control access so only the employees who need to service accounts can see education data and each account has required multi-factor authentication. All sub processors have signed DPAs and control access in the same manner we do, plus we only send identifiable information to subprocess when necessary; all other use is deidentified.

What rights do parent’s have to data?
Parents always have the right to request to see what data is collected on their child. Noteflight does not accept requests directly from parents, instead, parents can request through the school district and once Noteflight can verify the request with the school district the data will be provided to both the parents and the school. 



Noteflight Learn Subscription Terms

These Noteflight Learn Subscription Terms (including the DPA (as defined below), this “Agreement”) create a legal agreement between Hal Leonard LLC, on behalf of itself and its wholly-owned subsidiary, Noteflight LLC (collectively, “Licensor”) and the subscriber to the Services (as defined below) (“Customer”). This Agreement governs Customer's use of the Services and by using or accessing the Services, Customer agrees to be bound by this Agreement. In the event that the individual accessing the Services is accessing the Services on behalf of a School, private music studio, or other legal entity, such School, private music studio, or other legal entity shall be the Customer hereunder, and, where Customer is not a natural person, the natural person accessing the Services on behalf of Customer hereby represents and warrants in his or her individual capacity that he or she has the authority to bind such legal entity in contract to this Agreement as Customer. "School" means a department of education, board of cooperative educational services, school, or school district. Customer and Licensor are individually hereinafter referred to as a “Party” and collectively as the “Parties”.  


1. SCOPE OF AGREEMENT


1.1 Services. 

Licensor's proprietary software platform (together with the services, features, and information made available on or through such software platform, the “Software”) will be hosted and distributed online by Licensor and made available to Customer as a software as a service, which enables Designated Users (as defined below) to compose, view, create, export, and print musical scores and parts, and assess performance of, record, mix, and play back such scores and parts using multiple instrument options. Licensor will be responsible for hosting of the Software. Customer or Customer’s Designated Users (as defined below) will be responsible for procuring and maintaining network connections and telecommunications links and providing the computer hardware or mobile devices necessary to interface with the Software and for ensuring that Customer has implemented the minimum browser requirements specified by Licensor from time to time. In some instances, Customer may desire Licensor to provide additional customization, training, or other services as mutually determined by the Parties and agreed upon in a written addendum to this Agreement (“Supplemental Services”). This Agreement sets forth the terms and conditions that will govern Licensor’s grant of access to the Software and the performance of the Supplemental Services (such Software and Supplemental Services are collectively, the “Services”). Without limitation of the foregoing, the Services include retention of any and all Customer Data (as defined below) until such time that Customer requests Licensor to return or destroy such Customer Data in accordance with Section 2.4.  


1.2 Rights to Use. 

Subject to the terms and conditions of this Agreement, Licensor hereby grants to Customer a non-exclusive, non-sublicensable, non-transferable, limited, revocable license (solely through Customer’s Designated Users) to access and use the Software identified corresponding to the Software subscription purchased by Customer solely during the Term. 


1.3 Ownership and Reservation of Rights. 

Nothing in this Agreement shall constitute a transfer of any proprietary right by Licensor to Customer. The Services may be protected by patent, copyright, trade secret, and/or other intellectual property laws. As between the Parties, Licensor owns and retains all right, title, and interest in and to the intellectual property rights in and to the Services (including any data made available through the Services) and any enhancements, modifications or derivative works thereof. As between the Parties, (i) each Party retains ownership in and to its Confidential Information (as hereinafter defined) and (ii) Licensor exclusively owns all right, title, and interest in and to the Services and any derivative works and work product conceived, originated, or prepared in connection with the Services. All rights not specifically granted to Customer in this Agreement are retained by Licensor. Customer acknowledges the proprietary rights of Licensor and its licensors in the Services and that Licensor retains all right, title and interest in and to the Services.


1.4 Third-Party Sites. 

The Services may link, interface, and integrate with third party software applications and websites that are not operated or controlled by Licensor (“Third-Party Sites”). All such Third-Party Sites shall remain the property of their third-party providers. Customer hereby acknowledges and agrees that Licensor is not responsible for the content or practices of the Third-Party Sites. Customer is solely responsible for any required third-party account setup or fees levied by any such Third-Party Sites for using their services. It shall be Customer's responsibility to, and Customer shall, ensure that the use of the Services in connection with any such Third-Party Sites complies with any applicable terms of service. Any links to or content from Third-Party Sites in the Services are provided for Customer’s convenience only. Customer's reliance on any Third-Party Site is at Customer's own risk; Licensor does not endorse or warranty any Third-Party Site, including any Third-Party Site linked to, or interfaced or integrated with, the Services. Licensor reserves the right to update or remove any functionality available through the Services at any time for any reason. NOTWITHSTANDING ANY OTHER PROVISION IN THIS AGREEMENT, CUSTOMER SHALL BE SOLELY RESPONSIBLE FOR ITS RELATIONSHIP WITH ANY THIRD-PARTY SITE, INCLUDING WITHOUT LIMITATION CUSTOMER'S OR CUSTOMER'S DESIGNATED USERS' INTERACTION WITH ANY SUCH THIRD-PARTY SITE, INCLUDING THROUGH THE SERVICES. LICENSOR SHALL HAVE NO RESPONSIBILITY OR LIABILITY FOR ANY INTERACTION WITH ANY THIRD-PARTY SITE, WHETHER THROUGH THE SERVICES OR OTHERWISE, BY OR ON BEHALF OF CUSTOMER OR ANY OF CUSTOMER'S DESIGNATED USERS. LICENSOR SHALL HAVE NO RESPONSIBILITY OR LIABILITY FOR ANY PAYMENT OBLIGATIONS THAT ARISE AS A RESULT OF ANY SUCH INTERACTION, ANY LIABILITY THAT ARISES AS A RESULT OF ANY SUCH INTERACTION (INCLUDING WITHOUT LIMITATION UNDER ANY APPLICABLE TERMS OF SERVICE), OR ANY RELATIONSHIP THAT EXISTS OR COMES TO EXIST BETWEEN CUSTOMER OR ANY OF CUSTOMER'S DESIGNATED USERS AND ANY THIRD-PARTY SITE PROVIDER.


1.5 Feedback. 

Notwithstanding any provision in this Agreement to the contrary, Licensor may use, develop and implement any information, suggestions, comments, or other feedback (collectively, “Feedback”) provided to Licensor by Customer or any of its Representatives (as defined below) in connection with the Services (including the development and operation thereof), in its discretion, and with no compensation to any person providing such Feedback, irrespective of any intellectual property or proprietary rights claimed by Customer in such Feedback. Customer represents, warrants, and covenants that it has not, and will not, knowingly provide Feedback that is subject to any third party intellectual property rights.


1.6 Changes to Services. 

Licensor reserves the right at any time to alter or discontinue any or all features, functionality, license terms and other characteristics of the Services; provided, however, that in the event that any such alterations materially limit the features or functionality of the Services, Licensor shall use commercially reasonable efforts to provide Customer with advanced notice thereof. Any subsequent upgrade, enhancement or other change to the Services shall be owned by Licensor and subject to the terms of this Agreement.


1.7 Software Evaluation. 

As specified at https://www.noteflight.com/request_learn_demo, Licensor may elect (in Licensor's sole discretion) to make the Software (or a restricted version thereof) available to Customer on a limited trial basis free of charge or at a fee for the sole purpose of facilitating Customer’s internal evaluation and testing of the Software, until the earlier of (i) the end of the designated trial period for which Licensor has permitted Customer to evaluate the applicable Software, or (ii) the commencement date of any purchased Software subscriptions ordered by Customer. Licensor reserves the right to modify, cancel and/or limit the limited trial of the Software without notice at any time. Additional trial terms and conditions may appear on the trial registration web page. Any such additional terms and conditions are incorporated into this Agreement by reference and are legally binding. NOTWITHSTANDING ANYTHING SET FORTH IN THIS AGREEMENT TO THE CONTRARY, DURING THE DESIGNATED TRIAL PERIOD, THE SOFTWARE AND ANY SERVICES MADE AVAILABLE TO CUSTOMER ARE PROVIDED ON AN “AS-IS”, “AS AVAILABLE” AND “WITH ALL FAULTS” BASIS, WITHOUT ANY WARRANTY.  


2. CONFIDENTIAL INFORMATION


2.1 Definition of Confidential Information. 

Confidential Information” means all information, in whatever form, that is disclosed or otherwise made available by or on behalf of one Party to the other Party, which, given the totality of the circumstances, a reasonable recipient should have reason to believe is proprietary, confidential, or competitively sensitive, regardless of whether such information is labeled as confidential or not, including without limitation, creative works, business activities, trade secrets, analysis, software, algorithms, know-how, techniques, research, developments, inventions, discoveries, processes, designs, Personal Data (as defined below), technical data and information, financial information, pricing, vendors, customers, prospects, marketing plans and any other information of a similar nature. For the avoidance of doubt, Licensor’s Confidential Information includes the Services (including the design, features, functions, and architecture thereof and any information or data made available thereon).


2.2 Access and Use. 

Each Party receiving Confidential Information from the other Party shall: (i) use and reproduce the Confidential Information only for the purposes specified in this Agreement, (ii) restrict disclosure of Confidential Information to its Representatives with a need to know the Confidential Information to enable the receiving Party to perform its obligations and exercise its rights under this Agreement, provided that such Representatives are bound by confidentiality obligations broad enough to encompass Confidential Information that are at least as protective as those contained in this Agreement, and (iii) use reasonable care to protect the other Party’s Confidential Information and to prevent unauthorized disclosure of such Confidential Information. Additionally, to the extent that any Party’s Confidential Information includes any information relating to any identified or identifiable natural person, household, or device ("Personal Data"), the other Party agrees to use such Personal Data solely in accordance with applicable Law.


2.3 Exclusions. 

Except as expressly provided herein, and except with respect to Personal Data, nothing in this Agreement will be construed to restrict or impair in any way the right of a receiving Party to use or disclose any information which: (i) is at the time of its disclosure hereunder generally available to the public; (ii) becomes generally available to the public through no fault of the receiving Party; (iii) can be reasonably demonstrated to be in the possession of a receiving Party prior to its initial disclosure hereunder; or (iv) is acquired from a third party having a right to disclose the same to a receiving Party without breach of any confidentiality obligation. A receiving Party may disclose Confidential Information in accordance with a legally binding judicial or other governmental order, provided that, to the extent permitted by applicable Law, such Party provides the disclosing Party with prompt notice of the same and cooperates with the disclosing Party in connection with any actions taken by the disclosing Party to protect such Confidential Information, including without limitation the seeking of an appropriate protective order or other remedy. Notwithstanding any other provision in this Agreement to the contrary, Licensor may collect, analyze, and anonymize data, statistics or other de-identified information obtained through the provision, use and performance of various aspects of the Services (collectively, “Analytics”) and aggregate such Analytics with data, statistics or other information obtained from other sources, and (provided that such Analytics are not identifiable of any natural person) may use such Analytics for lawful business purposes, including improvement of the Services and the Software, as long as in doing so Licensor does not re-identify, or attempt to re-identify, any of the Analytics or otherwise link or associate Analytics with any information relating to (i) Customer, or (ii) an identified or identifiable natural person. Licensor owns all right, title, and interest in and to all Analytics and no compensation will be paid by Licensor to any person with respect to its use of Analytics.


2.4 Customer Data. 

During the Term, Licensor may Process certain data (whether through the Software, Services, or otherwise) solely on behalf of Customer including without limitation original musical scores, audio performances of musical scores, digital musical instrument definitions, and textual comments in musical scores made available through the Services by Customer and/or its Designated Users (including, without limitation, Student Records, "Customer Data"). For the avoidance of doubt, and without limitation of the foregoing, Customer Data does not include any data that is acquired by Licensor outside the scope of the provision of Services to Customer, including without limitation any information associated with a Noteflight.com account independently held by a student, teacher, or Noteflight Learn administrator. Customer hereby grants to Licensor a non-exclusive, royalty-free, worldwide license during the Term to use, adapt, modify, reproduce, display, sublicense, and store Customer Data only to the extent necessary to provide the Services. Without limitation of the foregoing, Customer hereby consents to Licensor's Processing of Customer Data only to the extent necessary to provide the Services. Customer shall be responsible for all changes to and/or deletions of Customer Data and the security of all passwords and other access protocols required in order to access the Software or Services. Customer will be solely responsible for the accuracy and completeness of the Customer Data. Licensor may retain any Customer Data obtained in the course of providing the Services until such time that Customer requests Licensor in writing to return or destroy such Customer Data, in which case, Licensor shall return to Customer or destroy such Customer Data within 60 days of such written notice, unless Licensor is required or permitted to retain such Customer Data by applicable Law. Customer represents, warrants, and covenants that: (i) it has (and will have) Processed, collected, and disclosed all Customer Data in compliance with applicable Law and provided any notice and obtained all consents and rights required by applicable Law to enable Licensor to lawfully Process Customer Data as permitted by this Agreement; (ii) it has (and will continue to have) full right and authority to make the Customer Data available to Licensor under this Agreement; and (iii) Licensor's Processing of the Customer Data in accordance with this Agreement does and will not infringe upon or violate any applicable Law or any rights of any third party. The terms of the Data Processing Addendum, attached hereto as Annex I (the “DPA”), shall apply to: (i) the Processing of personal data (as defined in the GDPR) to the extent regulated by the General Data Protection Regulation (EU) 2016/679 (the “GDPR”) by Licensor solely on behalf of Customer, if any; and/or (ii) the Processing of personal information (as defined in the CCPA) to the extent regulated by the California Consumer Privacy Act of 2018 (together with any rules or regulations promulgated thereunder, the “CCPA”) by Licensor solely on behalf of Customer, if any. “Process” (including any grammatically inflected forms thereof) means any operation or set of operations which is performed on data or on sets of data, whether or not by automated means, including without limitation collection, recording, organization, structuring, storage, adaptation or alteration, access, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.


2.5 Student Records. 

As used herein, "Student Records" means both of the following: (a) information directly related to a student of Customer that is maintained by or on behalf Customer; and (b) information that Licensor acquires directly from a student of Customer through the student’s use of the Services; provided that “Student Records” does not include (i) deidentified information, including aggregated deidentified information, used by Licensor to improve educational products, for adaptive learning purposes, and for customizing student learning; (ii) deidentified information, including aggregated deidentified information, used to demonstrate the effectiveness of Licensor's products in the marketing of those products; or (iii) deidentified information, including aggregated deidentified information, used for the development and improvement of educational sites, services, or applications; or (iv) data relating to a student, parent, legal guardian, or family member that is not acquired by Licensor as a result of providing Services to Customer, including without limitation any information associated with a Noteflight.com account independently held by a student. As between the Parties, Student Records will continue to be Customer's property and under the control of Customer.  Upon termination of provision of Services under this Agreement, no Student Records will be retained by or available to Licensor.  Following such termination, within sixty (60) days of Customer's written request, Licensor will provide written notice to Customer that no Student Records have been retained or are available to Licensor.  Customer acknowledges and agrees that the provisions of this section shall not apply to student-generated content if the student chooses to establish or maintain an account with Licensor for the purpose of storing such student-generated content (provided that such student must have reached the age of 13).

  

2.5.1 Control of Student-Generated Content. 

Control of student-generated content, if any, may be retained by the respective student. Customer will be able, upon written request and on behalf of a particular student, to access, modify, and delete student-generated content, if applicable, by written request to Licensor.

  

2.5.2 Student Records Usage. 

Licensor shall not use information in a Student Record other than to provide the Services or to the extent permitted by applicable Law or as specifically permitted by Licensor's Student Data Privacy Policy, attached hereto as Annex II. For the avoidance of doubt, Licensor shall not use any Personal Data contained in Student Records (if any) to engage in targeted advertising or to create a personal profile of a student of Customer other than to the extent necessary to provide the Services. Except in connection with a Change of Control (as defined below) with respect to Licensor, Licensor shall not sell Personal Data contained in Student Records (if any).


2.5.3 Information Review. 

A parent, legal guardian, or student who has reached 18 years of age may review Personal Data contained in the respective Student Record and correct erroneous information by the contacting Customer and requesting such information and corrections. Licensor shall reasonably cooperate with Customer in addressing any such requests.

  

2.5.4 Security. 

Licensor shall employ commercially reasonable administrative, physical, and electronic measures designed to protect the security and confidentiality of Student Records, which measures will include the designation and training of responsible individuals.  Within a reasonable period of time following Licensor's knowledge of an unauthorized disclosure of Student Records, Licensor will provide written notice thereof to Customer, and Customer shall be responsible for notifying (with Licensor's reasonable assistance, if requested in writing) the affected parents, legal guardians, and students who have reached 18 years of age.


2.5.5 Family Educational Rights and Privacy Act. 

Licensor and Customer shall reasonably cooperate to ensure compliance with the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g) ("FERPA") as applicable to this Agreement. To the extent Licensor receives access to Student Records that are regulated by FERPA in connection with the Agreement, Customer acknowledges and agrees that Licensor shall be deemed a "school official" for purposes of FERPA.

 

2.6 Remedies. 

The Parties expressly acknowledge and agree that any breach or threatened breach of this Section 2 by the receiving Party may cause immediate and irreparable harm to the disclosing Party that may not be adequately compensated by damages. Each Party therefore agrees that in the event of such breach or threatened breach of this Section 2 by the receiving Party, and in addition to any remedies available at law, the disclosing Party shall have the right to seek equitable and injunctive relief, without the need to post bond, in any court of competent jurisdiction, with respect to such a breach or threatened breach.


3. TERM AND TERMINATION


3.1 Term. 

The term of the Agreement will commence when Customer first accesses the Services and will continue until such time Licensor no longer has access to Customer Data (the “Term”).


3.2 Termination. 

Customer may terminate this Agreement at any time by requesting that Licensor return and/or destroy Customer Data in accordance with Section 2.4. Licensor may, for any reason or no reason, terminate this Agreement upon 30 days' written notice to Customer, in which event, Licensor shall return to Customer or destroy (at Customer's written direction) any Customer Data in Licensor's possession within 60 days of such written notice, unless Licensor is required or permitted to retain such Customer Data by applicable Law. To the extent permitted by applicable Law, with respect to any prepaid Services, Customer agrees and acknowledges that Customer shall not be entitled to any refund for any amounts which were pre-paid on behalf of Customer's account prior to any termination of this Agreement or any Software subscription. By accessing the Services, Customer acknowledges that, although under certain circumstances, users located in the European Economic Area may have a right to cancel prepaid account subscriptions within 14 days of signing up for, upgrading to, or renewing an account, PERFORMANCE OF THIS AGREEMENT HAS BEGUN UPON ACCESSING THE SERVICES AND CUSTOMER THEREBY LOSES ANY RIGHT OF WITHDRAWAL CUSTOMER MAY HAVE UNDER APPLICABLE LAW, INCLUDING APPLICABLE EUROPEAN UNION LAW, IN RESPECT OF THE PURCHASE OF ANY DIGITAL CONTENT HEREUNDER, AND CUSTOMER THEREBY WAIVES ANY RIGHT CUSTOMER MAY HAVE TO A REFUND OF ANY AMOUNTS WHICH WERE PRE-PAID ON BEHALF OF CUSTOMER'S ACCOUNT PRIOR TO ANY TERMINATION OF CUSTOMER'S ACCOUNT. 


3.3 Effect of Termination. 

Immediately upon termination or expiration of this Agreement, Licensor’s obligation to provide the Services will immediately cease, any and all licenses granted by Licensor hereunder will immediately terminate, and all unpaid fees and other amounts due from Customer for Services previously provided by Licensor will immediately become due and payable. From and after the termination or expiration of this Agreement, upon 60 days' written notice from the other Party, each Party shall return or destroy, at the option of such other Party, all copies of such other Party’s Confidential Information that are in its possession or control. 


3.4 Suspension of Services. 

Notwithstanding any provision herein to the contrary, Licensor may suspend the Services (or any portion thereof) in the event (i) of any activity by Customer or any of Customer’s Designated Users, if such activity has, or in Licensor’s reasonable assessment is likely to have, an adverse effect on the Services, or (ii) Customer fails to pay an undisputed amount due under this Agreement.


4. FEES


4.1 Payments. 

Customer understands that use of the Services will result in payments by Customer for the access to the Software and receipt of the Services (“Charges”). The current Charges applicable to the Software subscriptions, as well as the Services, offered by Licensor are viewable at www.noteflight.com/plans, as supplemented by written documentation made available upon request from time to time. After Customer has purchased such Software subscription or Services, Customer shall timely pay all Charges attributable thereto, and Licensor will process payment of the applicable Charges, using the preferred payment method designated in Customer's account, and will send Customer a receipt by email. The Charges do not include, and Customer shall be responsible for paying all, local, state, federal or foreign sales, use, excise, VAT or other taxes, levies, duties or tariffs of any nature that may be due relating to this Agreement and the Services provided hereunder, except for taxes based on the income of Licensor. To the extent permitted by applicable Law, subject to Section 3.2, Charges paid by Customer are final and non-refundable, unless otherwise determined by Licensor. Any questions relating to Charges or disagreement with the Charges should be addressed to Licensor by contacting [support@noteflight.com]. Licensor may from time to time provide certain clients or prospective clients of Licensor with promotional offers and/or discounts that may result in different Charges for the same or similar Services, and Customer agrees that such promotional offers and/or discounts, unless also made available to Customer, shall have no bearing on Customer's use of the Services or the Charges applied to Customer. When Customer purchases any time-based Software subscription, auto-renewal will automatically be selected in Customer's account with respect to such Software subscription, provided that Customer may elect at any time to turn off auto-renewal. At the end of each selected subscription period, an order will automatically be placed for Customer for the applicable subscription renewal and Licensor will process payment of the applicable Charges, using the preferred payment method designated in Customer's account, and Licensor will send Customer a receipt by email for such subscription. If Customer does not wish Customer's Software subscription to auto-renew, Customer may cancel its Software subscription at any time on Customer's account prior to the end of the then-current subscription period or email Licensor at [support@noteflight.com]. If Customer elects not to renew any Software subscription once the applicable subscription period has elapsed, then Licensor shall have no further obligations with respect to the Software under this Agreement, Licensor’s obligation to provide access to the Software will immediately cease, and Customer will no longer have an active Software subscription, provided that this Agreement (apart from any obligation of Licensor with respect to the Software), including any terms and conditions under this Agreement applicable to any ongoing Services (excluding Software), shall continue following such non-renewal for the duration of the Term. The various Software subscriptions are described at www.noteflight.com/plans, as supplemented by written documentation made available upon request from time to time.


5. CUSTOMER’S DUTIES AND RESTRICTIONS


5.1 Login and Password. 

Customer will assign Customer’s designated end users and administrators (who may be teachers or students, collectively, the “Designated Users”), and, as between the Parties, Customer will be responsible for assigning unique initial login credentials for each such Designated User in order to access the Services. The logins for the Designated Users may not be shared and shall only be used by the Designated User to whom the login is initially assigned. Customer is solely responsible for maintaining the confidentiality of the accounts and related passwords of Customer’s Designated Users and for all use of such accounts. Each Designated User must be Customer’s employee or student (as applicable) and, in each case, under Customer’s control. Customer shall be solely responsible for all use of the Services under Customer’s account, including by Customer’s Designated Users. Customer hereby agrees that the act or omission of a current or former Representative shall be deemed the same as if performed by Customer. 


5.2 Copyrighted Content Libraries. 

The use of the Noteflight Learn Content Libraries ("Content Libraries") is restricted to only the Customers, Teachers, and Students for educational purposes. Content Libraries, and all score copies, are restricted from printing and exporting and any attempt to screenshot or otherwise replicate Content Libraries in physical form is a violation of this Agreement. Audio export of Content Libraries is intended only for educational purposes and can be used as the accompaniment to school performances. However, use of Content Libraries in live streaming or on-demand recorded performances outside of an instructional classroom setting or otherwise publicly accessible is not permitted. To request licensing for non-instructional live or on-demand audio and/or video use, please contact Hal Leonard at www.halleonard.com/licensing.


5.3 Affirmative Covenants. 

Customer shall: (i) ensure Customer’s Designated Users, officers, directors employees, contractors, representatives, agents and affiliates (collectively, “Representatives”) comply with this Agreement; (ii) take all necessary steps to prevent unauthorized access to or use of the Services, (iii) notify Licensor immediately of any such unauthorized access or use; (iv) comply with all applicable federal, state, local, municipal, domestic, foreign, and international laws, rules and regulations (“Law”); (v) use the Services in compliance with all applicable industry standards; (vi) use the Services only for Customer’s own internal educational purposes and solely in accordance with the terms of this Agreement; and (vii) use the Services solely in accordance with Licensor’s instructions.   


5.4 Restrictive Covenants. 

 Customer shall not, and Customer will ensure that Customer’s Representatives do not: (i) alter, change, modify, adapt, translate, or make derivative works of the Services; (ii) use the Services in a manner that, or provide any direction to Licensor that, violates any applicable Law; (iii) transmit any virus or programming routine intended to damage, surreptitiously intercept, or expropriate any system, data, or Personal Data; (iv) transfer, sell, resell, license, sublicense, or otherwise make the Services (or any data or information accessible through the Services) available to any third party, except as expressly described in this Agreement; (v) use the Services for timesharing, rental, outsourcing, or a service bureau operation; (vi) attempt to gain, or assist others with attempting to gain, unauthorized access to Licensor’s network, systems, or the Services; (vii) decipher, decompile, disassemble, or reverse engineer the Services or assist or encourage any third party to do so; (viii) engage in any activity that violates the rights of others, that interferes with or disrupts the Services, or that could damage the reputation of Licensor; (ix) upload any file containing any back door, time bomb, Trojan horse, worm, virus, or similar malicious code (“Malware”); (x) harvest or otherwise collect information about others; (xi) infringe or violate the rights of any other party, including without limitation any intellectual property rights or rights of privacy or publicity; or (xii) engage in conduct that is obscene, offensive, pornographic, fraudulent, deceptive, defamatory, threatening, harassing, abusive, slanderous, hateful, or causes embarrassment to any other person.    


6. WARRANTIES, DISCLAIMERS AND LIMITATIONS


6.1 Warranties. 

Each Party represents and warrants to the other that: (i) it is duly organized and existing under the laws of the state of its formation; (ii) it has all requisite power and authority to enter into this Agreement; (iii) there is no outstanding contract, commitment, or agreement to which it is a party that would prevent such Party from performing this Agreement, and (iv) its activities relating to this Agreement will not violate any applicable Law. Licensor will use reasonable efforts not to transmit Malware to Customer, provided that it shall not be a breach of Licensor’s covenant to Customer if Customer or a Designated User uploads a file containing Malware in contravention of Customer’s obligations under Section 5.3(ix).


6.2 Warranty Disclaimer. 

EXCEPT AS EXPRESSLY STATED IN THIS AGREEMENT, LICENSOR MAKES NO WARRANTY, (EXPRESS, IMPLIED, OR STATUTORY) AND HEREBY DISCLAIMS ANY AND ALL WARRANTIES, REPRESENTATIONS, OR CONDITIONS, INCLUDING THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND ANY WARRANTY ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. THE SERVICES ARE PROVIDED ON AN “AS-IS”, “AS AVAILABLE”, AND “WITH ALL FAULTS” BASIS. LICENSOR DOES NOT WARRANT THAT THE SERVICES OR ANY WORK PRODUCT THEREOF WILL MEET CUSTOMER’S REQUIREMENTS OR THAT THE SERVICES WILL BE UNINTERRUPTED, ERROR-FREE, OR WITHOUT DELAY. CUSTOMER ACKNOWLEDGES THAT, AS A SAAS-BASED SERVICE, THE FUNCTIONALITY AND INTERFACES OF THE SERVICES MAY CHANGE OVER TIME.


6.3 Limitation of Liability. 

(a) EXCEPT FOR EITHER PARTY’S INDEMNIFICATION OBLIGATIONS, ANY BREACH OF EITHER PARTY’S CONFIDENTIALITY OBLIGATIONS UNDER THIS AGREEMENT, VIOLATION OF LICENSOR’S INTELLECTUAL PROPERTY RIGHTS, OR CUSTOMER’S BREACH OF SECTIONS 2.4, 5.2, OR 5.3, IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, PUNITIVE OR INCIDENTAL DAMAGES OF ANY KIND OR NATURE WHATSOEVER (INCLUDING LOST PROFITS, DAMAGES FOR LOSS OF GOODWILL, LOST SALES OR BUSINESS, WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION, LOST DATA, EVEN IF SUCH PARTY HAS BEEN ADVISED, KNEW, OR SHOULD HAVE KNOWN OF THE POSSIBILITY OF SUCH DAMAGES) ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT, EVEN IF THE APPLICABLE PARTY HAD BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR EVEN IF SUCH DAMAGES WERE REASONABLY FORESEEABLE. EXCEPT FOR CUSTOMER’S PAYMENT OBLIGATIONS UNDER THIS AGREEMENT, EITHER PARTY’S INDEMNIFICATION OBLIGATIONS, ANY BREACH OF EITHER PARTY'S CONFIDENTIALITY OBLIGATIONS UNDER THIS AGREEMENT, VIOLATION OF LICENSOR’S INTELLECTUAL PROPERTY RIGHTS, OR CUSTOMER’S BREACH OF SECTIONS 2.4, 5.2, OR 5.3, NEITHER PARTY’S TOTAL AGGREGATE AND CUMULATIVE LIABILITY TO THE OTHER SHALL EXCEED THE AMOUNT PAID OR PAYABLE TO LICENSOR IN THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE DATE OF THE CLAIM THAT GAVE RISE TO SUCH LIABILITY.

(b) NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THIS AGREEMENT, LICENSOR’S AGGREGATE LIABILITY TO CUSTOMER FOR DAMAGES RESULTING FROM THE UNAUTHORIZED ACCESS TO, OR IMPERMISSIBLE DISCLOSURE OF, CONFIDENTIAL INFORMATION SHALL NOT EXCEED US $10,000.00. IF SUCH DAMAGES INCLUDE THE COST OF NOTIFICATION TO INDIVIDUALS OR ANY REGULATORY AUTHORITY OR CREDIT MONITORING, LICENSOR SHALL BE LIABLE FOR SUCH DAMAGES (SUBJECT TO THE FOREGOING LIMITATION) ONLY IF SUCH NOTICE OR CREDIT MONITORING IS REQUIRED BY LAW OR REGULATION.


6.4 Prohibition of Claim. 

CUSTOMER SPECIFICALLY ACKNOWLEDGES AND AGREES THAT ANY CAUSE OF ACTION ARISING OUT OF THIS AGREEMENT OR RELATING TO THE SERVICES MUST BE COMMENCED WITHIN ONE (1) YEAR AFTER THE CAUSE OF ACTION ACCRUES, OTHERWISE SUCH CAUSE OF ACTION SHALL BE PERMANENTLY BARRED.


6.5 Application. 

SECTIONS 6.2, 6.3, AND 6.4 SHALL APPLY TO THE FULLEST EXTENT PERMISSIBLE UNDER LAW AND SHALL SURVIVE THE TERMINATION OR EXPIRATION OF THIS AGREEMENT AND THE PROVISION OF SERVICES HEREUNDER.


7. INDEMNIFICATION


7.1 By Licensor.  

7.1.1 Licensor will defend, indemnify, and hold Customer harmless from and against any claim, demand, suit, investigation, or proceeding made or brought by any third party (each, a “Claim”) against Customer alleging that the use of the Software as permitted hereunder infringes or misappropriates a third-party copyright, trade secret, trademark, or United States patent. Licensor will pay all costs, reasonable outside attorneys’ fees, and any settlement amounts agreed to by Licensor or damages awarded in connection with the Claim. 


7.1.2 If Customer’s use of the Software has become, or in Licensor’s opinion is likely to become, the subject of any Claim, Licensor may at its option and expense: (i) procure for Customer the right to continue using the Software as set forth herein; (ii) modify the Software to make it non-infringing; or (iii) if the foregoing options are not reasonably practicable, terminate this Agreement and refund Customer any unused pre-paid fees attributable to Software that will not be provided due to such termination.


7.1.3 Licensor will have no liability or obligation with respect to any Claim to the extent caused by: (i) Customer’s use of the Software that is not in accordance with this Agreement or that is not reasonably foreseeable by Licensor; or (ii) the combination, operation or use of the Software with other applications, portions of applications, products or services where the Software would not by itself be infringing.


7.1.4 This Section 7.1 states Licensor’s entire and exclusive obligation, and Customer’s exclusive remedy, for any claim of any nature related to infringement or misappropriation of third-party intellectual property rights.


7.2 By Customer. 

 Customer will defend, indemnify, and hold harmless Licensor, and its officers, directors employees, contractors, representatives, agents and affiliates, from and against any Claim made or brought against Licensor, arising from Customer’s breach, or alleged breach, of this Agreement. 


7.3 Conditions. 

As a condition of the obligations set forth in this Section 7, a Party entitled to indemnification (the “Indemnified Party”) will: (a) provide prompt written notice of the applicable Claim to the other Party (the “Indemnifying Party”); (b) provide the Indemnifying Party with sole control of the applicable defense and settlement; and (c) cooperate as requested by the Indemnifying Party, at the Indemnifying Party’s expense. The Indemnifying Party will not agree to any settlement that admits fault or obligates the Indemnified Party to pay damages without the consent of the Indemnified Party, which consent shall not be unreasonably withheld.


8. GOVERNING LAW AND DISPUTE RESOLUTION


8.1 Governing Law. 

This Agreement will be governed by and construed under the laws of the Commonwealth of Massachusetts, without reference to principles of conflict of laws. Any dispute arising between the Parties will be settled in an action commenced and maintained in any court sitting in Middlesex County, Massachusetts. The Parties irrevocably consent and submit to the exclusive personal jurisdiction of such courts if there is any dispute between them and agree not to challenge or assert any defense to the jurisdiction of such courts.

 

8.3 Equitable Remedies. 

Customer acknowledges that the rights granted and obligations made hereunder to Licensor are of a unique and irreplaceable nature, the loss of which will irreparably harm Licensor and which cannot be replaced by monetary damages alone so that Licensor will be entitled to injunctive or other equitable relief (without the obligations of posting any bond or surety) in the event of any breach or anticipatory breach by Customer. Except as expressly provided in this Agreement, Customer irrevocably waives all rights to seek injunctive or other equitable relief and agrees to limit such Customer’s claims to claims for monetary damages (if any).


8.4 Disputes.

8.4.1 To expedite resolution and control the cost of any dispute, controversy or claim related to this Agreement (each, a “Dispute”), Customer and Licensor agree to first attempt to negotiate any Dispute (except those Disputes expressly provided below) informally for at least thirty (30) days before initiating any arbitration or court proceeding. Such informal negotiations commence upon written notice from one person to the other. Customer will send its notice in accordance with Section 9.


8.4.2 If Customer and Licensor are unable to resolve a Dispute through informal negotiations within thirty (30) days, either Customer or Licensor may elect to have the Dispute (except those Disputes expressly excluded below) finally and exclusively resolved by binding arbitration. Any election to arbitrate by one Party will be final and binding on the other. CUSTOMER UNDERSTANDS THAT ABSENT THIS PROVISION, SUCH CUSTOMER WOULD HAVE THE RIGHT TO SUE IN COURT AND HAVE A JURY TRIAL. The arbitration will be commenced and conducted under the Streamlined Arbitration Rules and Procedures (the “Rules”) of JAMS, which is available at the JAMS website www.jamsadr.com. The determination of whether a Dispute is subject to arbitration will be governed by the Federal Arbitration Act and determined by a court rather than an arbitrator. Customer’s arbitration fees and its share of arbitrator compensation will be governed by the Rules. The arbitration may be conducted in person, through the submission of documents, by phone or online. The arbitrator will make a decision in writing, but need not provide a statement of reasons unless requested by a Party. The arbitrator must follow applicable Law, and any award may be challenged if the arbitrator fails to do so.


8.4.3 Notwithstanding the above, Customer and Licensor each agree that arbitration will be limited to the Dispute between Licensor and the Customer individually. To the full extent permitted by Law: (a) no arbitration will be joined with any other; (b) there is no right or authority for any Dispute to be arbitrated on a class-action basis or to utilize class action procedures; and (c) there is no right or authority for any Dispute to be brought in a purported representative capacity on behalf of the general public or any other persons.


8.4.4 Customer and Licensor agree that the following Disputes are not subject to the above provisions concerning informal negotiations and binding arbitration: (a) any Disputes seeking to enforce or protect, or concerning the validity of, any of Customer’s or of Licensor’s intellectual property rights; (b) any Dispute related to, or arising from, allegations of theft, piracy, invasion of privacy or unauthorized use; and (c) any claim for injunctive relief or to compel arbitration, stay proceedings pending arbitration, or to confirm, modify, vacate or enter judgment on the award entered by the arbitrator.


9. GENERAL TERMS 


Except as expressly specified in this Agreement, this Agreement does not create any agency, partnership, franchise, joint venture, or any other such relationship between the Parties. Neither Party is granted any express or implied right or authority to assume or create any obligation on behalf of or in the name of the other Party or to bind the other Party in any matter whatsoever. If any provision of this Agreement is determined by any court of competent jurisdiction to be invalid, illegal, or unenforceable, such provision will be automatically reformed and construed so as to be valid, legal, operative, and enforceable to the maximum extent permitted by applicable Law while preserving its original intent. The invalidity, illegality, or unenforceability of any part of this Agreement will not render invalid the remainder of this Agreement. Sections 1.3, 1.5, 2, 3, 4, 5.2, 5.3, 6.2, 6.3, 6.4, 6.5, 7, 8, and 9 and the DPA shall survive and continue to bind the Parties after execution and delivery of this Agreement and its expiration or early termination to the extent and for as long as may be necessary to give effect to the rights, duties and obligations of the Parties pursuant to this Agreement. Failure by a Party to insist upon strict performance of any provision herein by the other Party will not be deemed a waiver by the first Party of its rights or remedies or a waiver by it of any subsequent default by the other Party, and no waiver will be effective unless it is in writing and duly executed by the Party entitled to enforce the provision being waived. Except for Section 8.4, which can only be amended by mutual written consent of both Parties, Licensor reserves the right, at Licensor's discretion, to change, modify, add, or remove portions of this Agreement at any time. Please check this Agreement periodically for changes. Customer's continued use of the Services after the posting of changes to this Agreement constitutes Customer's binding acceptance of such changes. Licensor will make commercially reasonable efforts to notify Customer if Licensor materially changes this Agreement. Licensor may provide Customer with notices hereunder, including those regarding changes to this Agreement, by email, regular mail or postings through the Services. Notice will be deemed given twenty-four hours after email is sent, unless Licensor is notified that the email address is invalid. Notice posted through the Services is deemed given 24 hours following the initial posting. Alternatively, Licensor may give Customer legal notice by mail to the postal address provided by Customer in connection with Customer's registration to use the Services. Notice to Licensor under this Agreement shall be provided by Customer in writing by mail to the following address: Hal Leonard LLC, c/o Noteflight LLC, Attention: Managing Director, 1167 Massachusetts Ave, Arlington, MA 02476. In the case of notice posted by mail, notice will be deemed given three days after the date of mailing. Except with regard to payments due to Licensor, neither Party will be liable for any delays or failures in performance due to circumstances beyond its reasonable control, including for example (but not limitation) natural disasters, such as floods, earthquakes, or severe weather events, epidemics, pandemics, quarantines, and/or other health emergencies, war, hostilities, terrorist acts, civil unrest, acts of government or the public enemy, organized labor activities, such as strikes or work slow-downs, or shortages of power, supplies, infrastructure, or transportation. Licensor may assign this Agreement to any person at any time without any notice to Customer. Customer may not assign this Agreement without Licensor’s prior written consent. Any sale of all or substantially all of a Party’s assets, business, or a majority of such Party’s voting securities or any merger or other change of control (each, a "Change of Control") with respect to such Party shall be deemed an assignment for purposes of this Agreement. In this Agreement, unless a clear contrary intention appears: (i) where not inconsistent with the context, words used in the present tense include the future tense and vice versa and words in the plural number include the singular number and vice versa; (ii) reference to any person includes such person’s successors and assigns but, if applicable, only if such successors and assigns are not prohibited by this Agreement; (iii) reference to any gender includes each other gender; (iv) reference to any agreement, document or instrument means such agreement, document or instrument as amended or modified and in effect from time to time in accordance with the terms thereof and includes all addenda, exhibits and schedules thereto; (v) the titles and subtitles used in this Agreement are used for convenience only and are not to be considered in construing or interpreting this Agreement; (vi) “hereunder,” “hereof,” “hereto,”  and words of similar import shall be deemed references to this Agreement as a whole and not to any particular Section or Subsection of this Agreement; (vii) “including” (and with correlative meaning, “include”) means including without limiting the generality of any description preceding such term and (viii) any reference to “dollars” means United States Dollars. Except as amended after the date hereof pursuant to this Section 9, this Agreement (including any documents or webpages linked to in this Agreement and any Exhibits referenced herein) constitutes the entire Agreement between the Parties and supersedes all prior and contemporaneous undertakings and agreements between the Parties, whether written or oral, with respect to the Services. 


Updated 10/28/2020 

Data Processing Addendum

Annex I

1. Preamble.  

This Data Processing Addendum (“DPA”), forms part of the Noteflight Learn Subscription Terms (together with this DPA, the "Agreement") between Hal Leonard LLC, on behalf of itself and its wholly-owned subsidiary, Noteflight LLC (collectively, “Licensor”) and Customer (as defined in the Agreement). Terms used and not otherwise defined herein shall have the meanings ascribed to them in the Agreement. Each of Licensor and Customer is referred to in this DPA individually as a "party", collectively the "parties".

 

2. Subject Matter, Nature, Purpose and Duration. 

Sections 2 through 6 of this DPA apply to the processing of personal data relating to data subjects located in the European Economic Area or the United Kingdom, or to the extent such personal data is otherwise regulated by the GDPR, by Licensor solely on behalf of Customer for the purpose of providing the Services (“EU Personal Data”). For the avoidance of doubt, and without limitation of the foregoing, EU Personal Data does not include any data that is acquired by Licensor outside the scope of the provision of Services to Customer, including without limitation any information associated with a Noteflight.com account independently held by a student, teacher, or Noteflight Learn administrator. As between the parties, (i) Customer is a controller and Licensor is a processor on behalf of Customer with regard to EU Personal Data or (ii) Customer is a processor on behalf of a third party with respect to EU Personal Data and Licensor is a processor on behalf of Customer with regard to EU Personal Data. The subject matter and purposes of EU Personal Data processing, the types of EU Personal Data, the categories of data subjects, the nature of the EU Personal Data processing operations carried out by Licensor on behalf of Customer, and Customer’s EU Personal Data processing instructions for Licensor, are set forth on Exhibit A to this DPA and as otherwise as provided in reasonable written instructions by Customer to Licensor from time to time. This DPA shall remain in effect, and the duration of the processing under this DPA shall continue, as long as Licensor carries out EU Personal Data processing operations on behalf of Customer or until the termination of the Agreement (and in each case until all EU Personal Data has been returned or deleted in accordance with Section 3(g)). In Sections 2 through 6 of this DPA, the following terms have the meanings given in the General Data Protection Regulation (EU) 2016/679 (“GDPR”): “controller”, “personal data”, “processor”, “data subject” and “processing”.


3. Processing Covenants. 

In processing EU Personal Data hereunder, Licensor shall: 


 a) process EU Personal Data only on documented instructions from Customer, unless otherwise required to do so by applicable law, in which case Licensor will inform Customer of that legal requirement before undertaking such processing, unless applicable law prohibits Licensor from so informing Customer. For the avoidance of doubt, this DPA shall constitute Customer’s documented instructions to Licensor to process EU Personal Data in connection with Licensor’s provision of the Services to Customer; 

 b) use commercially reasonable efforts intended to ensure that persons authorized to process EU Personal Data hereunder have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality or are subject to ethical rules of responsibility that include confidentiality; 

 c) taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement commercially reasonable technical and organizational measures intended to meet the security requirements described in Article 32 of the GDPR; 

 d) taking into account the nature of the processing, use commercially reasonable efforts to assist Customer, at Customer’s expense, by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the data subjects’ rights with respect to their EU Personal Data under the GDPR and any applicable national implementing legislation, regulations and secondary legislation relating to the processing of EU Personal Data (the “Data Protection Laws”). 

 e) taking into account the nature of processing and the information available to Licensor, use commercially reasonable efforts to assist Customer, at Customer’s expense, in ensuring compliance with Customer’s obligations described in Articles 32 through 36 of the GDPR; 

 f) notify Customer promptly if Licensor becomes actually aware of a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, EU Personal Data (an “Incident”), provided that the provision of such notice by Licensor shall not be construed as an acknowledgement of fault or liability with respect to any such Incident; 

 g) at the choice of Customer, delete or return all EU Personal Data to Customer within sixty (60) days of the receipt of written notice from Customer by Licensor, after end of the provision of the Services to Customer, and delete existing copies unless applicable law requires retention of EU Personal Data; for the avoidance of doubt, unless Customer requests deletion or return of the EU Personal Data, Licensor will retain such EU Personal Data following the end of the applicable Software subscription for the purposes of resuming provision of such Software (including making such EU Personal Data and associated scores available to Customer) in the event of renewal of such Software subscription. 

 h) make available upon Customer’s reasonable request information reasonably necessary to demonstrate material compliance with the obligations laid down in this DPA and allow for and contribute to audits (each, an “Audit”), at Customer’s expense, including inspections of processing facilities under Licensor’s control, conducted by Customer or another auditor chosen by Customer (an “Auditor”), during normal business hours, no more frequently than once during any twelve (12) month period, and upon reasonable prior notice, provided that no Auditor shall be a competitor of Licensor, and provided further that in no event shall Customer have access to the information of any other client of Licensor and the disclosures made pursuant to this Section 3(h) (“Audit Information”) shall be held in confidence as Licensor’s confidential information and subject to any confidentiality obligations in the Agreement (including Section 2 of the Agreement), and provided further that no Audit shall be undertaken unless or until Customer has requested, and Licensor has provided, documentation pursuant to this Section 3(h) and Customer reasonably determines that an Audit remains necessary to demonstrate material compliance with the obligations laid down in this DPA. Without limiting the generality of any provision in the Agreement, Customer shall employ the same degree of care to safeguard Audit Information that it uses to protect its own confidential and proprietary information and in any event, not less than a reasonable degree of care under the circumstances, and Customer shall be liable for any improper disclosure or use of Audit Information by Customer or its agents. 


4. Subprocessors. 

Customer hereby grants Licensor general authorization to engage another processor to process EU Personal Data on behalf of Licensor (each a “subprocessor”) to assist Licensor in processing EU Personal Data as set out in this DPA. Licensor shall enter into contractual arrangements with such subprocessors requiring the same level of data protection compliance and information security as that provided for herein. Customer hereby consents to the processing of EU Personal Data by, and the disclosure and transfer of EU Personal Data to, the subprocessors listed on Exhibit B to this DPA. Licensor shall inform Customer of any intended changes concerning the addition or replacement of subprocessors at least ten (10) calendar days before the new subprocessor processes EU Personal Data. Customer may object to such changes in writing within five (5) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection (an “Objection”). In the event of an Objection, the parties will discuss such concerns in good faith with the intention of achieving a resolution. If the parties are not able to achieve a resolution as described in the previous sentence, Customer, as its sole and exclusive remedy, may terminate the Agreement in accordance with Section 3.2 of the Agreement. Customer shall not be entitled to any refund of fees paid prior to the date of any termination pursuant to this Section 4. 


5. Customer Obligations. 

Customer represents, warrants, and covenants that (i) it shall comply with its obligations as a controller under the GDPR in respect of its processing of EU Personal Data and any processing instructions it issues to Licensor as referred to in Section 3(a); (ii) it has provided notice and obtained all consents and rights required by the Data Protection Laws to transfer the EU Personal Data outside the European Economic Area or United Kingdom and for Licensor to process EU Personal Data pursuant to the Agreement; and (iii) the processing of EU Personal Data by Licensor upon the documented instructions of Customer under Section 3(a) shall have a lawful basis of processing pursuant to Article 6 of the GDPR. If Customer is a processor, Customer represents and warrants to Licensor that Customer’s instructions and actions with respect to EU Personal Data, including its appointment of Licensor as another processor, have been duly authorized by the relevant controller. Customer shall indemnify, defend and hold Licensor harmless against any claims, actions, proceedings, expenses, damages and liabilities (including without limitation any governmental investigations, complaints and actions) and reasonable attorneys’ fees arising out of Customer’s violation of this Section 5. Notwithstanding anything to the contrary in the Agreement, Customer’s indemnification obligations under this Section 5 shall not be subject to any limitations of liability set forth in the Agreement. 


6. Data Transfer. 

Customer hereby consents to the transfer of EU Personal Data to, and the processing of EU Personal Data in, the United States of America and/or in any other jurisdiction in which Licensor or its subprocessors have operations. The parties hereby enter into the Standard Contractual Clauses for Processors, as approved by the European Commission under Decision 2010/87/EU, attached hereto as Exhibit C (the “SCCs”) to this DPA and made a part of this DPA in their entirety. 


7. CCPA Provisions. 

As between the parties, Licensor is a service provider to Customer with respect to Service Provider Information (as defined below).


a. In this Section 7:

 

i. “CCPA” means the California Consumer Privacy Act of 2018, together with any regulations promulgated thereunder.

 

ii. “Medical Information” means any Service Provider Information, in electronic or physical form, regarding a California resident’s medical history or medical treatment or diagnosis by a health care professional.

 

iii. “Health Insurance Information” means a California resident's insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the California resident, or any information in a California resident's application and claims history, including any appeals records.

 

iv. “Sensitive Service Provider Information” means any Service Provider Information that constitutes either of the following: (A) California resident’s first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted: (I) social security number; (II) driver’s license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific California resident; (III) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an California resident’s financial account; (IV) Medical Information; (V) Health Insurance Information; or (VI) unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific California resident (except that unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes); or (B) a username or email address in combination with a password or security question and answer that would permit access to an online account. Sensitive Service Provider Information does not include publicly available Service Provider Information that is lawfully made available to the general public from federal, state, or local government records.

 

v. “Service Provider Information” means any personal information, to the extent regulated by the CCPA, that is processed by Licensor solely on behalf of Customer. For the avoidance of doubt, and without limitation of the foregoing, Service Provider Information does not include any data that is acquired by Licensor outside the scope of the provision of Services to Customer.

 

vi. The following terms have the meanings given in the CCPA: “personal information”, “processing”, “service provider”, “sell”, “selling”, “sale” and “sold”.

 

b. Except as otherwise required by applicable law, Licensor shall:

 

i. process the Service Provider Information for the business purpose of providing the Services or as otherwise permitted by the CCPA;

 

ii. implement and maintain commercially reasonable security procedures and practices appropriate to the nature of the Sensitive Service Provider Information (if any) intended to protect such Sensitive Service Provider Information from unauthorized access, destruction, use, modification, or disclosure;

 

iii. not retain, use or disclose Service Provider Information for any purpose outside the scope of the business relationship of the parties and other than for the specific purpose of providing the Services, nor retain, use, or disclose the Service Provider Information for a commercial purpose other than providing the Services, or as otherwise permitted by the CCPA as applicable to service providers;

 

iv. not collect or use Service Provider Information except as reasonably necessary to provide the Services;

 

v. not sell Service Provider Information;

 

vi. to the extent necessary, use commercially reasonable efforts to assist Customer, at Customer’s expense, in Customer’s fulfilment of Customer’s obligation to respond to California residents’ requests to exercise rights with respect to their Service Provider Information under the CCPA; and

 

vii. use commercially reasonable efforts to assist Customer, at Customer’s expense, to the extent necessary to support Customer’s compliance with Customer’s obligations under the CCPA.

 

c. Licensor understands the restrictions provided in Sections 7(b)(iii) and 7(b)(v) and will comply with them.

 

d. Customer represents, warrants and covenants that (i) it shall comply with its obligations under the CCPA in respect of its processing of Service Provider Information and any processing instructions it issues to Licensor; and (ii) it has provided notice (including pursuant to Section 1798.135 of the CCPA) and obtained all consents and rights required by the CCPA for Licensor to process Service Provider Information pursuant to the Agreement. Customer shall indemnify, defend and hold Licensor harmless from and against any claims, actions, proceedings, expenses, damages and liabilities (including without limitation any governmental investigations, complaints and actions) and reasonable attorneys’ fees arising out of Customer’s violation of this Section 7(d). Notwithstanding anything to the contrary in the Agreement, Customer’s indemnification obligations under this Section 7(d) shall not be subject to any limitations of liability set forth in the Agreement.

 

e. Nothing in the Agreement shall prevent Licensor from engaging its own service providers in the processing of Service Provider Information, provided that Licensor shall enter into contractual arrangements with such service providers requiring a substantially similar level of data protection compliance and information security as that provided in this Section 7 with respect to Service Provider Information.


Exhibit A 

Subject Matter, Nature, Purpose and Duration of the Processing 


1. Type of EU Personal Data: 


Noteflight Learn Administrator: Email address, username and password, school name and address, phone, first and last name, and any information uploaded onto the Services by such Noteflight Learn administrator. 


Noteflight Learn Student and Teacher accounts: First and last name, username and password, musical score, student/teacher role, assessment data (such as a grade on a recorded assignment), content within comments and other in-Services messages, voice/instrument recordings, and any other information uploaded onto, or made available within, the Services by such Noteflight Learn students and teachers. 


2. Categories of Data Subject: 


Students, teachers and other employees of Customer. One employee of Customer will be designated the “Noteflight Learn Administrator”. 


3. Purposes for which EU Personal Data is Processed: 


The provision of the Services by Licensor to Customer. 


4. Nature of the Processing: 


The EU Personal Data will be subject to basic processing, including but not limited to collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Services by Licensor to Customer. 


Exhibit B 

Subprocessors 


1. Amazon Web Services 

2. Recurly 

3. Zoho CRM 

4. MailChimp 

5. Zapier 

6. Facebook 

7. Google, LLC

8. Rich Relevance

9. AppCues

10. Accelerando, LLC 


Exhibit C 

STANDARD CONTRACTUAL CLAUSES (PROCESSORS) 


For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection Licensor (the ‘data exporter’) And Customer (the ‘data importer’) each a ‘party’; together ‘the parties’, HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1. 


Clause 1 

Definitions 


For the purposes of the Clauses: 


 (a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data ;   (b) ‘the data exporter’ means the controller who transfers the personal data; 

 (c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC; 

 (d) ‘the sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract; 

 (e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established; 

 (f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. 


Clause 2 

Details of the transfer 


 The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses. 


Clause 3 

Third-party beneficiary clause 


1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.


2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. 


3. The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses. 


4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law. 

 

Clause 4 

Obligations of the data exporter 


The data exporter agrees and warrants: 

 (a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State; 

 (b) that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses; 

 (c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract; 

 (d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation; 

 (e) that it will ensure compliance with the security measures; 

 (f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC; 

 (g) to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension; 

 (h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information; 

 (i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and 

 (j) that it will ensure compliance with Clause 4(a) to (i). 


Clause 5 

Obligations of the data importer* 


The data importer agrees and warrants: 


 (a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract; 

 (b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract; 

 (c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred; 

 (d) that it will promptly notify the data exporter about: any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation; any accidental or unauthorised access; and any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so; 

 (e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred; 

 (f) at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority; 

 (g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter; 

 (h) that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent; 

 (i) that the processing services by the sub-processor will be carried out in accordance with Clause 11; 

 (j) to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter. 

--------------------

*Mandatory requirements of the national legislation applicable to the data importer which do not go beyond what is necessary in a democratic society on the basis of one of the interests listed in Article 13(1) of Directive 95/46/EC, that is, if they constitute a necessary measure to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for the regulated professions, an important economic or financial interest of the State or the protection of the data subject or the rights and freedoms of others, are not in contradiction with the standard contractual clauses. Some examples of such mandatory requirements which do not go beyond what is necessary in a democratic society are, inter alia, internationally recognised sanctions, tax-reporting requirements or anti-money-laundering reporting requirements.


Clause 6 

Liability 


1. The parties agree that any data subject who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered. 


2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities. 


3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses. 


Clause 7 

Mediation and jurisdiction


1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject: (a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority; (b) to refer the dispute to the courts in the Member State in which the data exporter is established. 


2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law. 


Clause 8 

Cooperation with supervisory authorities 


1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law. 

2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b). 


Clause 9 

Governing law  


The Clauses shall be governed by the law of the Member State in which the data exporter is established. 


Clause 10 

Variation of the contract 


The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause. 


Clause 11 

Sub-processing 


1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement. 


2. The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses. 


3. The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established. 


4. The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority. 


Clause 12 

Obligation after the termination of personal data-processing services 


1. The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore. 


The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1. 


Appendix 1 

to the Standard Contractual Clauses 


This Appendix forms part of the Clauses and must be completed and signed by the parties. The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.


Data exporter 

The data exporter is (please specify briefly your activities relevant to the transfer): Recipient of the Services provided by data importer 


Data importer 

The data importer is (please specify briefly activities relevant to the transfer): Provider of the Services to data exporter 


Data subjects 

The personal data transferred concern the following categories of data subjects (please specify): Section 2 of Exhibit A to this DPA is incorporated herein by reference.


Categories of data 

The personal data transferred concern the following categories of data (please specify): 

Section 1 of Exhibit A to this DPA is incorporated herein by reference.


Special categories of data (if appropriate) 

The personal data transferred concern the following special categories of data (please specify): None presently contemplated by this arrangement. 


Processing operations
The personal data transferred will be subject to the following basic processing activities (please specify): 

Section 4 of Exhibit A to this DPA is incorporated herein by reference.

 

Appendix 2 

to the Standard Contractual Clauses 


This Appendix forms part of the Clauses and must be completed and signed by the parties. 


Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached): Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the data importer has implemented appropriate technical and organizational measures intended to ensure a level of security appropriate to the risk.


Noteflight Learn Student Data Privacy Policy

 Annex II

The Noteflight Learn online software platform (together with the services, features, and information made available on or through such software platform, the "Software), which enables users to compose, view, create, export, and print musical scores and parts, and assess performance of, record, mix, and play back such scores and parts using multiple instrument options, is owned and operated by Noteflight LLC ("Noteflight"), a wholly-owned subsidiary of Hal Leonard LLC (collectively with Noteflight, “Hal Leonard”, “we” or “us”). This Student Data Privacy Policy does not apply to Noteflight’s or Hal Leonard's general services offered outside of an educational environment. To understand how Noteflight collects, uses, and discloses personally identifiable information other than Student Data, please visit Noteflight's general privacy policy, available at https://www.noteflight.com/legal/privacy.  


"Student Data" means any information relating to an identified or identifiable natural person who is a student of a Customer (each, a "Student") or to such Student's parent, legal guardian, or family, as well as any information that Hal Leonard acquires directly from a Student. Student Data does not include data relating to a Student, parent, legal guardian, or family member that is not acquired by Hal Leonard as a result of providing services to the applicable Customer, including without limitation any information associated with a Noteflight.com account independently held by a Student.


"Teacher" means a teacher at the applicable School or Customer by which teacher a Student has been authorized to use the Software.


"School" means a department of education, board of cooperative educational services, school, or school district.

"Customer" means a subscriber to the Software.


The Student Data collected by or on behalf of Hal Leonard may include the following: first and last name, username, password, assessment data (such as a grade on a recorded assignment), musical scores, Student role, content within comments and other in-Software messages, voice/instrument recordings, any other information uploaded onto, or made available within, the Software by such Student, and the following Software usage data (in each case to the extent identifiable of a natural person): browsing history on the Software, search history on the Software, and information on a Student's interaction with the Software (such as technical information, including the Internet protocol (IP) address used to connect a Student's computer or other device to the Internet, the connection between an IP address and the Teacher providing access to the Software, login information (such as last log in time), and information about such Student's computer or other device being used to connect to our site, including browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, information about such Student's visit, including the full Uniform Resource Locators (URL), clickstream to, through and from our site (including date and time), products or services viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page).


Such Student Data may be used (to the extent not prohibited by applicable law): (i) to administer our Software (which Customers, Schools, and Teachers use to facilitate music learning, and particularly music composition) and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes and/or (ii) to maintain and analyze the functioning of our Software to try to ensure that content from our Software is presented in the most effective manner for users and for users' computers or other devices; and/or (iii) as part of our efforts to keep our Software safe and secure. We may use de-identified (including aggregated de-identified) information about the use of our education Software for any lawful purpose, which may include research, analysis, and similar purposes, for example, to better understand how users access and use our services, to improve our services, or for other research and analytical purposes. If Students use a third-party learning management service (an "LMS"), such as GSuite for Education, in connection with the Software, we may receive Student Data via that LMS.


1. Children's Data under COPPA


The Children’s Online Privacy Protection Act (COPPA) regulates online collection of information from persons under the age of 13 (collectively, “Children”; individually, a “Child”). To the extent the applicable Student is a Child, such Student's Student Data may constitute personal information that is regulated by COPPA. To the extent such Student Data constitutes personal information that is regulated by COPPA, consent to our practices with respect to the collection, use, and disclosure of a Child’s personal information has been provided by the Customer or Teacher (acting as agent for the Customer) that has provided the Child with access to our Software, and this Student Data Privacy Policy outlines our commitment as the operator of the Software to protect the privacy and safety online of Children and this Student Data Privacy Policy serves as our privacy policy under COPPA. The Software may, on a limited basis, enable Children who are Students to make Student Data available to others in their School or Customer community as described in Section 3.


The operator collecting or maintaining Student Data from Children, or on whose behalf such Student Data is collected or maintained, through the Software is Hal Leonard (through its wholly-owned subsidiary Noteflight). Any inquiries regarding the Software's privacy policies should be directed to:


Hal Leonard LLC


c/o Noteflight LLC


Attention: Managing Director


1167 Massachusetts Ave

Arlington, MA 02476


617-466-9531


support@noteflight.com 


We do not condition a Child’s participation in an activity on the Child’s disclosure of more personal information than is reasonably necessary to participate in the activity. In addition, the School, Customer, or Teacher (as agent for such School or Customer) that provides the Child with access to the Software may: (a) consent to the collection and use of the Child’s personal information without consenting to the disclosure of that information to third parties except as necessary to operate the Software; (b) review and have deleted the personal information of the Child; and (c) refuse to permit further collection or use of the Child’s personal information. Any parent of a Student who is a Child who wishes to do any of the above, should please contact such Child’s School, Customer, or Teacher that provided such Child with access to the Software.


Please note, however, that because the collected information is necessary to provide certain functionality, certain aspects of our Software, website, offerings, features, or resources may not work properly, or at all, if consent to further use or collection of Student Data is revoked, or if we are directed to delete the information in accordance with the rights described above.


2. Disclosures

In addition to persons who provide support for the operations of the Software and who do not use the information for any other purpose, we generally disclose Student Data to the following types of third parties or as specifically authorized by the applicable School, Customer, or Teacher:


a)  We may share Student Data with selected third parties including:


i)  entities that assist us in providing customer service and technical support to users in relation to the Software;


ii)  independent contractors, vendors, and suppliers we engage to provide specific services and products related to our website and our services, including cloud service providers, including the entity that hosts the Software, for the purposes of storage and such hosting;


iii)  our website developer in relation to the Software, for the purposes of further developing the Software; 


iv) if Students use a LMS in connection with the Software, with such LMS; 


v)  analytics and search engine providers that assist us in the improvement and optimization of our Software; and/or


vi) the respective School, Customer, or Teacher (as agent for the applicable School or Customer) that provides a Student with access to the Software.


Google Analytics. 

Please note in particular that our Software uses Google Analytics, including its data reporting features. Information collected by Google Analytics includes but is not limited to web metrics. For information on how Google Analytics collects and processes data, please see the site “How Google uses data when you use our partners' sites or apps”, currently located at www.google.com/policies/privacy/partners/. For information on opting out of Google Analytics, please visit Google’s website, including its list of currently available opt-out options presently located at https://tools.google.com/dlpage/gaoptout.


b)  We also will disclose Student Data to third parties:


i) in the event that we buy or sell any business or assets or receive funding, in which case we may disclose Student Data to the prospective buyer or seller of such business or assets or investor providing such funding. Without limiting the generality of the foregoing, if Hal Leonard or all or substantially all its assets or the relevant part of its assets are acquired by a third party, Student Data held by it will be among the transferred assets and we may disclose Student Data in connection with any such transaction; or


ii) if we are under a duty to disclose or share Student Data in order to: comply with any legal obligation, including without limitation lawful requests by public authorities such as to meet national security or law enforcement requirements, and including with regulators and other authorities who require reporting of processing activities in certain circumstances; or to enforce or apply our standard terms and conditions of business and other agreements; or to protect the rights, property, or safety of Hal Leonard, our clients, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction;


iii)  if we discontinue our business or file a petition or have filed against us a petition in bankruptcy, reorganization or similar proceeding; or


iv)  to our Corporate Affiliates; for purposes of this privacy policy: "Corporate Affiliate" means any person or entity which directly or indirectly controls, is controlled by or is under common control with Hal Leonard whether by ownership or otherwise; and “control” means possessing, directly or indirectly, the power to direct or cause the direction of the management, policies or operations of an entity, whether through ownership of fifty percent (50%) or more of the voting securities, by contract or otherwise.


Student Data may also be viewable in the Community Learning Areas to members of the applicable School or Customer community as described in Section 3.


3. Community Learning Areas

If enabled by the applicable School, Customer, and/or Teacher, our Software may feature various community learning areas and other forums within the applicable School or Customer community under the direction of the applicable Teacher (the "Community Learning Areas") where our Students and Teachers can share information (including scores and recordings) or where Students and Teachers can communicate with one another, including regarding scores and recordings. Depending on the settings enabled by the applicable Teacher with respect to the Community Learning Areas, these Community Learning Areas may be open to the School or Customer community (or a portion thereof) and should not be considered private. We cannot prevent such information from being used in a manner that may be inconsistent with this Student Data Privacy Policy, the law, or users' personal privacy. 


4. Changes to this Student Data Privacy Policy

We may need to change this Student Data Privacy Policy from time to time but, if we intend to make a material change in the collection, use, or disclosure practices with respect to a Student's previously-collected Student Data to which a Teacher, Customer, or School previously has consented, we provide notice to the applicable Teacher, Customer, and/or School and we will obtain such Teacher’s, Customer's or School’s consent, as applicable, to such changes. We encourage you to please check this page periodically for changes.


Last revised and effective as of: 10/28/2020