Padlet
Round 1 · Privacy Triage · VettED Privacy Triage (Avenues-derived) — Round 1 · assessed
🟢 Approved
Privacy score 84.4% · band Best
All 9 mandatory gates clean; privacy score 84.4% (Best). Confident to use on the strength of the public privacy policy — Round 2 not required.
Dimension scorecard
| Dimension | Score | |
|---|
| Data Collection GATE |
| 80.0% |
| Data Sharing GATE |
| 100.0% |
| Data Sold GATE |
| 100.0% |
| Data Rights GATE |
| 66.7% |
| Data Safety GATE |
| 100.0% |
| Ads & Tracking GATE |
| 100.0% |
| Parental Consent |
| 0.0% |
| School Purpose |
| 100.0% |
| AI & Model-Training GATE |
| 100.0% |
| Jurisdiction & Residency |
| 100.0% |
Findings — 18 questions, every answer cited
Data Collection
Q1Does the vendor limit collection/use of information to only data required for the product? GATE
✓ Good
T3
Answer: Yes
“This information is necessary for the adequate performance of the contract between you and us, for our legitimate interest in being able to provide the Service, and to allow us to comply with our legal obligations. Without it, we may not be able to provide the Service as intended. We do not collect any other categories of personal data aside from those listed below.”
Policy explicitly states collection is limited to what is necessary and lists only specified categories.
Q2Does the vendor collect PII beyond what's necessary for the stated educational purpose?
✓ Good
T3
Answer: No
“We do not collect any other categories of personal data aside from those listed below. We only use the information for the purposes stated in this Policy.”
Policy explicitly limits collection to necessary categories and stated purposes.
Q3Is any image of the user collected?
✗ Concern
T3
Answer: Yes
“You can also provide us your photo, your name, and a short bio, so other users can better identify you when you collaborate with them.”
Policy confirms collection of user photos/images for profile.
Q4Does the vendor collect precise geolocation data?
✓ Good
T3
Answer: No
“Should a user choose to do so, we may request a one-time access to the user's precise location (correct to 10 meters). The location is used only to generate the map that one time. We do not store or track your device location on an ongoing basis.”
Policy explicitly states no ongoing tracking or storage of precise location.
Data Sharing
Q5Does the vendor limit data sharing with third parties to the purpose for which it was collected? GATE
✓ Good
T3
Answer: Yes
“These providers have limited access to your personal information to perform these tasks, and are contractually bound to protect and use it only for the purpose for which it was disclosed and consistent with this Policy.”
Policy states third parties are limited to purpose for which data was disclosed.
Q6Does the vendor impose contractual limits on how third parties use shared personal information? GATE
✓ Good
T3
Answer: Yes
“These providers have limited access to your personal information to perform these tasks, and are contractually bound to protect and use it only for the purpose for which it was disclosed and consistent with this Policy. Padlet has also entered into Data Processing Agreements with parties who process personal data on our behalf or in connection with the use of the Padlet Service.”
Policy confirms contractual binding and Data Processing Agreements with third parties.
Data Sold
Q7Does the vendor sell or rent users' personal information to third parties? GATE
✓ Good
T3
Answer: No
“First and foremost, you should know that Padlet does not sell or rent your personal information to any third party for any purpose, including marketing, advertising or profiling.”
Explicit statement that Padlet does not sell or rent personal information.
Data Rights
Q8Do the student / educator / parent / school retain ownership of data and IP of uploaded content? GATE
✓ Good
T3
Answer: Yes
“Padlets are shared documents and the creator of the padlet is ultimately the owner of the content on it.”
Policy confirms creator/owner retains ownership of padlet content.
Q9Can the user delete all of their PII and personal information from the vendor?
✓ Good
T3
Answer: Yes
“You may delete your Account at any time. You can do so from your Account Settings page on the Site or the App or by sending us a request using our support page. When you delete your account, we delete: your profile information and any other content you provide in your profile (such as your name, username, password, email address, and profile photos) all the padlets you have created and all the content posted on them, whether or not that content was created by you.”
Policy allows account deletion and removal of profile and created padlets.
Q10Does the vendor auto-delete data after a defined period of inactivity (data sunset)?
? Not addressed
T0
Answer: Unclear
Policy does not mention automatic data deletion after inactivity period; only mentions retention for service provision and legal obligations.
Data Safety
Q11Can students contact or interact with UNKNOWN users (strangers / the general public) in environments NOT supervised by a teacher or school? (Teacher-managed or within-class interaction, and content-only sharing, do NOT count.) GATE
✓ Good
T3
Answer: No
“When you collaborate with other people, they can see your profile photo, name, and username. All registered users on padlet.com have a public profile. These profiles are accessible to and searchable by all Padlet users.”
Public profiles are searchable but policy does not describe direct messaging or stranger contact features; collaboration is within padlets controlled by creators.
Ads & Tracking
Q12Does the vendor display behavioral or targeted advertising to students inside the product? (Sending product/marketing emails to account holders does NOT count.) GATE
✓ Good
T3
Answer: No
“Padlet also does not display any traditional, contextual or personalized advertisements.”
Explicit statement that no advertisements are displayed to users.
Q13Does the vendor share students' personal information with third parties for third-party advertising or ad-targeting? GATE
✓ Good
T3
Answer: No
“First and foremost, you should know that Padlet does not sell or rent your personal information to any third party for any purpose, including marketing, advertising or profiling.”
Policy explicitly states no sharing of personal information with third parties for advertising or profiling.
Parental Consent
Q14Does the vendor limit collection for children aged 13 or under, or require parental/school consent?
? Not addressed
T0
Answer: Unclear
Policy does not explicitly address age-specific collection limits for children under 13 or parental/school consent requirements.
School Purpose
Q15Does the vendor state the product is intended for students in preschool or preK-12?
✓ Good
T3
Answer: Yes
“If you have bought a school or business account, the above does not apply as those accounts are not public.”
Policy references 'Schools and Business products' indicating product is offered for school use.
AI & Model-Training
Q16Does the vendor use student/user data — including uploaded content — to train, fine-tune, or improve AI/ML models? GATE
✓ Good
T3
Answer: No
“We share only necessary information with our AI service providers and do not use your personal data to train the AI.”
Policy explicitly states personal data is not used to train AI models.
Q17Does the vendor disclose which AI sub-processors/models power its features and any automated decisions affecting students?
✓ Good
T3
Answer: Yes
“AI service providers are used to provide content generation services on Padlet like the 'AI image', 'AI Recipe' and Padlet TA features; as well as content moderation services to ensure that Padlet remains a safe place for all users to collaborate on.”
Policy discloses specific AI features and services but does not name specific models or sub-processors.
Jurisdiction & Residency
Q18Does the vendor disclose where data is stored and which privacy regimes it complies with?
✓ Good
T3
Answer: Yes
“Padlet has certified to the U.S. Department of Commerce that Padlet adheres to (1) the EU-U.S. Data Privacy Framework with regard to the processing of personal information received from the European Union, (2) the UK Extension to the EU-U.S. Data Privacy Framework, with regard to the processing of personal information received from the United Kingdom (and Gibraltar), and to (3) the Swiss-U.S. Data Privacy Framework with regard to the processing of personal information received from Switzerland.”
Policy discloses compliance with DPF but does not explicitly name storage locations; lists regimes.
Jurisdiction & residency — Nord Anglia footprint
Vendor named 0 of 11 Nord Anglia countries. Shown alongside the verdict, not folded into the score —
a vendor can be strong on privacy yet leave residency gaps for specific countries.
“Padlet has certified to the U.S. Department of Commerce that Padlet adheres to (1) the EU-U.S. Data Privacy Framework with regard to the processing of personal information received from the European Union, (2) the UK Extension to the EU-U.S. Data Privacy Framework, with regard to the processing of personal information received from the United Kingdom (and Gibraltar), and to (3) the Swiss-U.S. Data Privacy Framework with regard to the processing of personal information received from Switzerland.”
| Country | Privacy law | Coverage |
|---|
| MexicoLatAm | LFPDPPP | ⚠ Gap |
| Costa RicaLatAm | Law 8968 | ⚠ Gap |
| PanamaLatAm | Law 81/2019 | ⚠ Gap |
| Dominican RepublicLatAm | Law 172-13 | ⚠ Gap |
| BrazilLatAm | LGPD | ⚠ Gap |
| ColombiaLatAm | Ley 1581/2012 | ⚠ Gap |
| EcuadorLatAm | LOPDP (2021) | ⚠ Gap |
| PeruLatAm | Law 29733 | ⚠ Gap |
| ChileLatAm | Law 21.719 | ⚠ Gap |
| UruguayLatAm | Law 18.331 | ⚠ Gap |
| United States | FERPA / COPPA | ⚠ Gap |
| GDPR (overlay) | Nord Anglia is UK-headquartered, global | ✓ Named |