VED
Trust & Verification OS · Procurement
VettED — Round 1 Privacy Triage
Lumina Learn
Round 1 · Privacy Triage · VettED Privacy Triage (Avenues-derived) — Round 1 · assessed
🟢 Approved
Privacy score 91.1% · band Best
All 9 mandatory gates clean; privacy score 91.1% (Best). Confident to use on the strength of the public privacy policy — Round 2 not required.

Dimension scorecard

DimensionScore
Data Collection GATE
100.0%
Data Sharing GATE
100.0%
Data Sold GATE
100.0%
Data Rights GATE
73.3%
Data Safety GATE
100.0%
Ads & Tracking GATE
100.0%
Parental Consent
20.0%
School Purpose
100.0%
AI & Model-Training GATE
100.0%
Jurisdiction & Residency
100.0%

Findings — 18 questions, every answer cited

Data Collection
Q1Does the vendor limit collection/use of information to only data required for the product? GATE
✓ Good T3
Answer: Yes
“Simulated policy statement (demo vendor) answering Q1.”
Q2Does the vendor collect PII beyond what's necessary for the stated educational purpose?
✓ Good T3
Answer: No
“Simulated policy statement (demo vendor) answering Q2.”
Q3Is any image of the user collected?
✓ Good T3
Answer: No
“Simulated policy statement (demo vendor) answering Q3.”
Q4Does the vendor collect precise geolocation data?
✓ Good T3
Answer: No
“Simulated policy statement (demo vendor) answering Q4.”
Data Sharing
Q5Does the vendor limit data sharing with third parties to the purpose for which it was collected? GATE
✓ Good T3
Answer: Yes
“Simulated policy statement (demo vendor) answering Q5.”
Q6Does the vendor impose contractual limits on how third parties use shared personal information? GATE
✓ Good T3
Answer: Yes
“Simulated policy statement (demo vendor) answering Q6.”
Data Sold
Q7Does the vendor sell or rent users' personal information to third parties? GATE
✓ Good T3
Answer: No
“Simulated policy statement (demo vendor) answering Q7.”
Data Rights
Q8Do the student / educator / parent / school retain ownership of data and IP of uploaded content? GATE
✓ Good T3
Answer: Yes
“Simulated policy statement (demo vendor) answering Q8.”
Q9Can the user delete all of their PII and personal information from the vendor?
✗ Concern T3
Answer: No
“Simulated policy statement (demo vendor) answering Q9.”
Q10Does the vendor auto-delete data after a defined period of inactivity (data sunset)?
✓ Good T3
Answer: Yes
“Simulated policy statement (demo vendor) answering Q10.”
Data Safety
Q11Can students contact or interact with UNKNOWN users (strangers / the general public) in environments NOT supervised by a teacher or school? (Teacher-managed or within-class interaction, and content-only sharing, do NOT count.) GATE
✓ Good T3
Answer: No
“Simulated policy statement (demo vendor) answering Q11.”
Ads & Tracking
Q12Does the vendor display behavioral or targeted advertising to students inside the product? (Sending product/marketing emails to account holders does NOT count.) GATE
✓ Good T3
Answer: No
“Simulated policy statement (demo vendor) answering Q12.”
Q13Does the vendor share students' personal information with third parties for third-party advertising or ad-targeting? GATE
✓ Good T3
Answer: No
“Simulated policy statement (demo vendor) answering Q13.”
Parental Consent
Q14Does the vendor limit collection for children aged 13 or under, or require parental/school consent?
✗ Concern T3
Answer: No
“Simulated policy statement (demo vendor) answering Q14.”
School Purpose
Q15Does the vendor state the product is intended for students in preschool or preK-12?
✓ Good T3
Answer: Yes
“Simulated policy statement (demo vendor) answering Q15.”
AI & Model-Training
Q16Does the vendor use student/user data — including uploaded content — to train, fine-tune, or improve AI/ML models? GATE
✓ Good T3
Answer: No
“Lumina Learn does not use customer or student content to train AI or machine-learning models.”
Q17Does the vendor disclose which AI sub-processors/models power its features and any automated decisions affecting students?
✓ Good T3
Answer: Yes
“Simulated policy statement (demo vendor) answering Q17.”
Jurisdiction & Residency
Q18Does the vendor disclose where data is stored and which privacy regimes it complies with?
✓ Good T3
Answer: Yes
“Simulated policy statement (demo vendor) answering Q18.”

Jurisdiction & residency — Nord Anglia footprint

Vendor named 1 of 11 Nord Anglia countries. Shown alongside the verdict, not folded into the score — a vendor can be strong on privacy yet leave residency gaps for specific countries.
“Data is stored in the United States; Lumina Learn complies with FERPA, COPPA and GDPR.”
CountryPrivacy lawCoverage
MexicoLatAmLFPDPPP⚠ Gap
Costa RicaLatAmLaw 8968⚠ Gap
PanamaLatAmLaw 81/2019⚠ Gap
Dominican RepublicLatAmLaw 172-13⚠ Gap
BrazilLatAmLGPD⚠ Gap
ColombiaLatAmLey 1581/2012⚠ Gap
EcuadorLatAmLOPDP (2021)⚠ Gap
PeruLatAmLaw 29733⚠ Gap
ChileLatAmLaw 21.719⚠ Gap
UruguayLatAmLaw 18.331⚠ Gap
United StatesFERPA / COPPA✓ Named
GDPR (overlay)Nord Anglia is UK-headquartered, global✓ Named
Advisory only. Round 1 reads the vendor's public privacy policy — a T3 (self-asserted, unverified) source. This is a triage signal, not a final verdict or legal advice. An explicit gate violation is a hard no; silence routes to Round 2, it never fakes a pass. A human reviews and signs off.
Reviewed by: __________________________ Date: ____________