VED
Trust & Verification OS · Procurement
VettED — Round 1 Privacy Triage
Nearpod (Renaissance Learning)
Round 1 · Privacy Triage · VettED Privacy Triage (Avenues-derived) — Round 1 · assessed
🟠 Insufficient — Request Data-Processing Agreement
Privacy score 27.8% · band Poor
This reads as a general website privacy policy, not a data-processing agreement: 13 of 18 questions are simply not addressed. That's a wrong-document signal, not a vendor judgment — the 27.8% reflects silence, not bad practice. Enterprise vendors' real assurance lives in their DPA, a security cert (e.g. ISO 27001), or a completed questionnaire. Request those and assess in Round 2.
Unaddressed gate(s): Q1, Q5, Q8, Q11, Q12, Q13, Q16 — not covered by the public policy. Confirm before relying on this.

Dimension scorecard

DimensionScore
Data Collection GATE
0.0%
Data Sharing GATE
50.0%
Data Sold GATE
100.0%
Data Rights GATE
33.3%
Data Safety GATE
0.0%
Ads & Tracking GATE
0.0%
Parental Consent
100.0%
School Purpose
0.0%
AI & Model-Training GATE
0.0%
Jurisdiction & Residency
100.0%

Findings — 18 questions, every answer cited

Data Collection
Q1Does the vendor limit collection/use of information to only data required for the product? GATE
? Not addressed T0
Answer: Unclear
Policy does not explicitly state whether collection is limited to data required for the product.
Q2Does the vendor collect PII beyond what's necessary for the stated educational purpose?
? Not addressed T0
Answer: Unclear
Policy does not address whether PII beyond educational purpose is collected.
Q3Is any image of the user collected?
? Not addressed T0
Answer: Unclear
Policy does not mention collection of user images.
Q4Does the vendor collect precise geolocation data?
? Not addressed T0
Answer: Unclear
Policy does not address precise geolocation data collection.
Data Sharing
Q5Does the vendor limit data sharing with third parties to the purpose for which it was collected? GATE
? Not addressed T0
Answer: Unclear
Policy does not explicitly state whether data sharing with third parties is limited to original purpose.
Q6Does the vendor impose contractual limits on how third parties use shared personal information? GATE
✓ Good T3
Answer: Yes
“For personal data transferred from the EU, if Renaissance transfers your personal data to a third party, Renaissance will ensure that the third party is contractually obligated to process your data only for limited, specific purposes consistent with this Website Privacy Notice.”
Contractual limits on third-party use stated for EU data under Privacy Shield.
Data Sold
Q7Does the vendor sell or rent users' personal information to third parties? GATE
✓ Good T3
Answer: No
“Renaissance does not rent or sell personally identifiable information and non-personally identifiable information to other companies.”
Data Rights
Q8Do the student / educator / parent / school retain ownership of data and IP of uploaded content? GATE
? Not addressed T0
Answer: Unclear
Policy does not address data ownership or IP ownership of uploaded content.
Q9Can the user delete all of their PII and personal information from the vendor?
✓ Good T3
Answer: Yes
“If you desire to delete your account, please go to your account and follow the instructions to delete that account.”
Users can delete their account; policy also states Renaissance will take reasonable steps to permit deletion of inaccurate/incomplete information upon request.
Q10Does the vendor auto-delete data after a defined period of inactivity (data sunset)?
? Not addressed T0
Answer: Unclear
Policy does not mention automatic data deletion after inactivity period.
Data Safety
Q11Can students contact or interact with UNKNOWN users (strangers / the general public) in environments NOT supervised by a teacher or school? (Teacher-managed or within-class interaction, and content-only sharing, do NOT count.) GATE
? Not addressed T0
Answer: Unclear
This is a website privacy notice, not a product privacy policy. No mention of student interaction features, stranger contact, or supervised/unsupervised communication environments.
Ads & Tracking
Q12Does the vendor display behavioral or targeted advertising to students inside the product? (Sending product/marketing emails to account holders does NOT count.) GATE
? Not addressed T0
Answer: Unclear
Policy mentions 'customized content and advertising' but does not specify whether behavioral/targeted advertising is displayed to students inside the product.
Q13Does the vendor share students' personal information with third parties for third-party advertising or ad-targeting? GATE
? Not addressed T0
Answer: Unclear
Policy does not address sharing of student PII with third parties for ad-targeting.
Parental Consent
Q14Does the vendor limit collection for children aged 13 or under, or require parental/school consent?
✓ Good T3
Answer: Yes
“We do not direct the Website to, nor do we knowingly collect any personally identifiable information from children under 13 ("children's personally identifiable information"). Children under the age of 13 are specifically requested to NOT provide any personally identifiable information through this Website.”
Policy states it does not knowingly collect PII from children under 13 and requests they not provide such information.
School Purpose
Q15Does the vendor state the product is intended for students in preschool or preK-12?
? Not addressed T0
Answer: Unclear
This is a website privacy notice. Policy does not state the product is intended for preschool or preK-12 students. (Note: Nearpod is an educational product, but this particular document is the website privacy notice, not the product privacy policy.)
AI & Model-Training
Q16Does the vendor use student/user data — including uploaded content — to train, fine-tune, or improve AI/ML models? GATE
? Not addressed T0
Answer: Unclear
Policy does not address use of student/user data to train, fine-tune, or improve AI/ML models.
Q17Does the vendor disclose which AI sub-processors/models power its features and any automated decisions affecting students?
? Not addressed T0
Answer: Unclear
Policy does not disclose AI sub-processors, models, or automated decisions affecting students.
Jurisdiction & Residency
Q18Does the vendor disclose where data is stored and which privacy regimes it complies with?
✓ Good T3
Answer: Yes
“Your personally identifiable information will generally be stored in databases maintained by Renaissance or our service providers. Most of these databases are stored on servers located in the United States. Renaissance may use third-party storage or service-provider companies to store your personally identifiable information, some of which may be outside of the United States.”

Jurisdiction & residency — Nord Anglia footprint

Vendor named 1 of 11 Nord Anglia countries. Shown alongside the verdict, not folded into the score — a vendor can be strong on privacy yet leave residency gaps for specific countries.
“Renaissance participates in and complies with the EU-U.S. Privacy Shield Framework (the "Framework"). Renaissance has certified that it adheres to the Privacy Shield Principles of Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement and Liability.”
CountryPrivacy lawCoverage
MexicoLatAmLFPDPPP⚠ Gap
Costa RicaLatAmLaw 8968⚠ Gap
PanamaLatAmLaw 81/2019⚠ Gap
Dominican RepublicLatAmLaw 172-13⚠ Gap
BrazilLatAmLGPD⚠ Gap
ColombiaLatAmLey 1581/2012⚠ Gap
EcuadorLatAmLOPDP (2021)⚠ Gap
PeruLatAmLaw 29733⚠ Gap
ChileLatAmLaw 21.719⚠ Gap
UruguayLatAmLaw 18.331⚠ Gap
United StatesFERPA / COPPA✓ Named
GDPR (overlay)Nord Anglia is UK-headquartered, global✓ Named
Advisory only. Round 1 reads the vendor's public privacy policy — a T3 (self-asserted, unverified) source. This is a triage signal, not a final verdict or legal advice. An explicit gate violation is a hard no; silence routes to Round 2, it never fakes a pass. A human reviews and signs off.
Reviewed by: __________________________ Date: ____________