Kahoot!
Round 1 · Privacy Triage · VettED Privacy Triage (Avenues-derived) — Round 1 · assessed
🟠 Insufficient Evidence — Round 2 required
Privacy score 66.7% · band Average
2 mandatory gates are unaddressed in the privacy policy (Q8 (Data Rights); Q16 (AI & Model-Training)) — more than we tolerate at triage. No violation found, but silence can't earn a pass; escalate these specific items to Round 2.
Unaddressed gate(s): Q8, Q16 — not covered by the public policy. Confirm before relying on this.
Dimension scorecard
| Dimension | Score | |
|---|
| Data Collection GATE |
| 50.0% |
| Data Sharing GATE |
| 100.0% |
| Data Sold GATE |
| 100.0% |
| Data Rights GATE ⚠ |
| 33.3% |
| Data Safety GATE |
| 100.0% |
| Ads & Tracking GATE |
| 100.0% |
| Parental Consent |
| 100.0% |
| School Purpose |
| 100.0% |
| AI & Model-Training GATE ⚠ |
| 0.0% |
| Jurisdiction & Residency |
| 100.0% |
Findings — 18 questions, every answer cited
Data Collection
Q1Does the vendor limit collection/use of information to only data required for the product? GATE
✓ Good
T3
Answer: Yes
“We only request the Personal Information of students that we need to provide the School Services to our customer”
Applies to school/student context; general users may have broader collection
Q2Does the vendor collect PII beyond what's necessary for the stated educational purpose?
? Not addressed
T0
Answer: Unclear
Policy does not explicitly state whether PII beyond educational purpose is collected for general users
Q3Is any image of the user collected?
? Not addressed
T0
Answer: Unclear
Policy mentions 'picture' in account holder information but does not clarify if images are collected from students
Q4Does the vendor collect precise geolocation data?
✓ Good
T3
Answer: No
“Geolocation data at a city-level only, derived from your IP address”
Only city-level geolocation is collected, not precise location
Data Sharing
Q5Does the vendor limit data sharing with third parties to the purpose for which it was collected? GATE
✓ Good
T3
Answer: Yes
“Kahoot! does not collect, retain, use or share students' Personal Information, except as necessary for authorized school purposes, at the direction of our school and school district customers and pursuant to our agreements with them.”
Explicit statement for student data; general users not explicitly addressed
Q6Does the vendor impose contractual limits on how third parties use shared personal information? GATE
✓ Good
T3
Answer: Yes
“We enter into written agreements with all of our service providers restricting the use of Personal Information and imposing the same level of privacy, confidentiality and information security that apply to Kahoot!.”
Contractual limits on third-party use are stated
Data Sold
Q7Does the vendor sell or rent users' personal information to third parties? GATE
✓ Good
T3
Answer: No
“We do not sell Personal Information and we do not share Personal Information with third-parties for marketing purposes. Kahoot! does not sell students' Personal Information.”
Explicit statement that vendor does not sell personal information
Data Rights
Q8Do the student / educator / parent / school retain ownership of data and IP of uploaded content? GATE
? Not addressed
T0
Answer: Unclear
Policy does not explicitly address ownership of uploaded content or IP rights
Q9Can the user delete all of their PII and personal information from the vendor?
✓ Good
T3
Answer: Yes
“the right to request erasure of your Personal Information; or restriction of processing of your Personal Information”
Users can request deletion; policy also states 'you can manage your individual account, including requesting account deletion, through your Kahoot! user settings'
Q10Does the vendor auto-delete data after a defined period of inactivity (data sunset)?
? Not addressed
T0
Answer: Unclear
Policy does not mention automatic data deletion after inactivity period
Data Safety
Q11Can students contact or interact with UNKNOWN users (strangers / the general public) in environments NOT supervised by a teacher or school? (Teacher-managed or within-class interaction, and content-only sharing, do NOT count.) GATE
✓ Good
T3
Answer: No
“Kahoot! group participation is only available on certain plans (it is not available on Children plans) and all group members must be part of the same plan”
Group interaction is limited to same-plan members; no open public stranger contact described for students
Ads & Tracking
Q12Does the vendor display behavioral or targeted advertising to students inside the product? (Sending product/marketing emails to account holders does NOT count.) GATE
✓ Good
T3
Answer: No
“The Services, App and Website do not include any third party advertising, including any targeted advertising. We do not serve third party ads (including targeted ads) on our platforms and do not use information we collect from students or others to serve targeted ads on other services.”
Explicit statement that no targeted ads are shown to students
Q13Does the vendor share students' personal information with third parties for third-party advertising or ad-targeting? GATE
✓ Good
T3
Answer: No
“Kahoot! does not use or disclose information collected through the School Services for any targeted advertising purposes.”
Student data is not shared for ad-targeting
Parental Consent
Q14Does the vendor limit collection for children aged 13 or under, or require parental/school consent?
✓ Good
T3
Answer: Yes
“We comply with applicable privacy laws, such as the EU's General Data Protection Regulation ("GDPR"), the UK GDPR, the Family Educational Rights and Privacy Act ("FERPA"), the Children's Online Privacy Protection Act ("COPPA"), the California Student Online Personal Information Protection Act ("SOPIPA") and other US state education privacy laws.”
Vendor states compliance with COPPA and other child privacy laws; also states 'We do not send marketing communications to Child account holders'
School Purpose
Q15Does the vendor state the product is intended for students in preschool or preK-12?
✓ Good
T3
Answer: Yes
“Kahoot! is a global educational technology and software-as-a-service group providing a learning platform for the global educational technology market. We focus on developing a comprehensive offering of engaging learning tools for enterprises, the educational sector as well as for personal users.”
Product is described as for educational sector; also mentions 'School Services' and student data handling
AI & Model-Training
Q16Does the vendor use student/user data — including uploaded content — to train, fine-tune, or improve AI/ML models? GATE
? Not addressed
T0
Answer: Unclear
Policy does not address whether student/user data is used to train or improve AI/ML models
Q17Does the vendor disclose which AI sub-processors/models power its features and any automated decisions affecting students?
? Not addressed
T0
Answer: Unclear
Policy does not disclose specific AI sub-processors, models, or automated decision-making affecting students
Jurisdiction & Residency
Q18Does the vendor disclose where data is stored and which privacy regimes it complies with?
✓ Good
T3
Answer: Yes
“We collect information globally and may transfer, process and store your information outside of your country of residence, to wherever we or our third-party service providers operate... All international transfers to a Third Country are made based on an appropriate legal basis, including to a country who has received a finding of adequacy by the European Commission or the UK for the purposes of Article 45 of the GDPR / UK GDPR (as applicable), including the EU-US Data Privacy Framework, including the UK and Swiss extensions, or on the basis of executed standard contractual clauses approved by the European Commission or the Information Commissioner's Office ("SCCs").”
Vendor discloses international transfers and compliance with GDPR, UK GDPR, FERPA, COPPA, SOPIPA
Jurisdiction & residency — Nord Anglia footprint
Vendor named 1 of 11 Nord Anglia countries. Shown alongside the verdict, not folded into the score —
a vendor can be strong on privacy yet leave residency gaps for specific countries.
“We collect information globally and may transfer, process and store your information outside of your country of residence, to wherever we or our third-party service providers operate... We comply with applicable privacy laws, such as the EU's General Data Protection Regulation ("GDPR"), the UK GDPR, the Family Educational Rights and Privacy Act ("FERPA"), the Children's Online Privacy Protection Act ("COPPA"), the California Student Online Personal Information Protection Act ("SOPIPA") and other US state education privacy laws.”
| Country | Privacy law | Coverage |
|---|
| MexicoLatAm | LFPDPPP | ⚠ Gap |
| Costa RicaLatAm | Law 8968 | ⚠ Gap |
| PanamaLatAm | Law 81/2019 | ⚠ Gap |
| Dominican RepublicLatAm | Law 172-13 | ⚠ Gap |
| BrazilLatAm | LGPD | ⚠ Gap |
| ColombiaLatAm | Ley 1581/2012 | ⚠ Gap |
| EcuadorLatAm | LOPDP (2021) | ⚠ Gap |
| PeruLatAm | Law 29733 | ⚠ Gap |
| ChileLatAm | Law 21.719 | ⚠ Gap |
| UruguayLatAm | Law 18.331 | ⚠ Gap |
| United States | FERPA / COPPA | ✓ Named |
| GDPR (overlay) | Nord Anglia is UK-headquartered, global | ✓ Named |