VED
Trust & Verification OS · Procurement
VettED — Round 1 Privacy Triage
Padlet
Round 1 · Privacy Triage · VettED Privacy Triage (Avenues-derived) — Round 1 · assessed
🟢 Approved
Privacy score 84.4% · band Best
All 9 mandatory gates clean; privacy score 84.4% (Best). Confident to use on the strength of the public privacy policy — Round 2 not required.

Dimension scorecard

DimensionScore
Data Collection GATE
80.0%
Data Sharing GATE
100.0%
Data Sold GATE
100.0%
Data Rights GATE
66.7%
Data Safety GATE
100.0%
Ads & Tracking GATE
100.0%
Parental Consent
0.0%
School Purpose
100.0%
AI & Model-Training GATE
100.0%
Jurisdiction & Residency
100.0%

Findings — 18 questions, every answer cited

Data Collection
Q1Does the vendor limit collection/use of information to only data required for the product? GATE
✓ Good T3
Answer: Yes
“This information is necessary for the adequate performance of the contract between you and us, for our legitimate interest in being able to provide the Service, and to allow us to comply with our legal obligations. Without it, we may not be able to provide the Service as intended. We do not collect any other categories of personal data aside from those listed below.”
Policy explicitly states collection is limited to what is necessary and lists only specified categories.
Q2Does the vendor collect PII beyond what's necessary for the stated educational purpose?
✓ Good T3
Answer: No
“We do not collect any other categories of personal data aside from those listed below. We only use the information for the purposes stated in this Policy.”
Policy explicitly limits collection to necessary categories and stated purposes.
Q3Is any image of the user collected?
✗ Concern T3
Answer: Yes
“You can also provide us your photo, your name, and a short bio, so other users can better identify you when you collaborate with them.”
Policy confirms collection of user photos/images for profile.
Q4Does the vendor collect precise geolocation data?
✓ Good T3
Answer: No
“Should a user choose to do so, we may request a one-time access to the user's precise location (correct to 10 meters). The location is used only to generate the map that one time. We do not store or track your device location on an ongoing basis.”
Policy explicitly states no ongoing tracking or storage of precise location.
Data Sharing
Q5Does the vendor limit data sharing with third parties to the purpose for which it was collected? GATE
✓ Good T3
Answer: Yes
“These providers have limited access to your personal information to perform these tasks, and are contractually bound to protect and use it only for the purpose for which it was disclosed and consistent with this Policy.”
Policy states third parties are limited to purpose for which data was disclosed.
Q6Does the vendor impose contractual limits on how third parties use shared personal information? GATE
✓ Good T3
Answer: Yes
“These providers have limited access to your personal information to perform these tasks, and are contractually bound to protect and use it only for the purpose for which it was disclosed and consistent with this Policy. Padlet has also entered into Data Processing Agreements with parties who process personal data on our behalf or in connection with the use of the Padlet Service.”
Policy confirms contractual binding and Data Processing Agreements with third parties.
Data Sold
Q7Does the vendor sell or rent users' personal information to third parties? GATE
✓ Good T3
Answer: No
“First and foremost, you should know that Padlet does not sell or rent your personal information to any third party for any purpose, including marketing, advertising or profiling.”
Explicit statement that Padlet does not sell or rent personal information.
Data Rights
Q8Do the student / educator / parent / school retain ownership of data and IP of uploaded content? GATE
✓ Good T3
Answer: Yes
“Padlets are shared documents and the creator of the padlet is ultimately the owner of the content on it.”
Policy confirms creator/owner retains ownership of padlet content.
Q9Can the user delete all of their PII and personal information from the vendor?
✓ Good T3
Answer: Yes
“You may delete your Account at any time. You can do so from your Account Settings page on the Site or the App or by sending us a request using our support page. When you delete your account, we delete: your profile information and any other content you provide in your profile (such as your name, username, password, email address, and profile photos) all the padlets you have created and all the content posted on them, whether or not that content was created by you.”
Policy allows account deletion and removal of profile and created padlets.
Q10Does the vendor auto-delete data after a defined period of inactivity (data sunset)?
? Not addressed T0
Answer: Unclear
Policy does not mention automatic data deletion after inactivity period; only mentions retention for service provision and legal obligations.
Data Safety
Q11Can students contact or interact with UNKNOWN users (strangers / the general public) in environments NOT supervised by a teacher or school? (Teacher-managed or within-class interaction, and content-only sharing, do NOT count.) GATE
✓ Good T3
Answer: No
“When you collaborate with other people, they can see your profile photo, name, and username. All registered users on padlet.com have a public profile. These profiles are accessible to and searchable by all Padlet users.”
Public profiles are searchable but policy does not describe direct messaging or stranger contact features; collaboration is within padlets controlled by creators.
Ads & Tracking
Q12Does the vendor display behavioral or targeted advertising to students inside the product? (Sending product/marketing emails to account holders does NOT count.) GATE
✓ Good T3
Answer: No
“Padlet also does not display any traditional, contextual or personalized advertisements.”
Explicit statement that no advertisements are displayed to users.
Q13Does the vendor share students' personal information with third parties for third-party advertising or ad-targeting? GATE
✓ Good T3
Answer: No
“First and foremost, you should know that Padlet does not sell or rent your personal information to any third party for any purpose, including marketing, advertising or profiling.”
Policy explicitly states no sharing of personal information with third parties for advertising or profiling.
Parental Consent
Q14Does the vendor limit collection for children aged 13 or under, or require parental/school consent?
? Not addressed T0
Answer: Unclear
Policy does not explicitly address age-specific collection limits for children under 13 or parental/school consent requirements.
School Purpose
Q15Does the vendor state the product is intended for students in preschool or preK-12?
✓ Good T3
Answer: Yes
“If you have bought a school or business account, the above does not apply as those accounts are not public.”
Policy references 'Schools and Business products' indicating product is offered for school use.
AI & Model-Training
Q16Does the vendor use student/user data — including uploaded content — to train, fine-tune, or improve AI/ML models? GATE
✓ Good T3
Answer: No
“We share only necessary information with our AI service providers and do not use your personal data to train the AI.”
Policy explicitly states personal data is not used to train AI models.
Q17Does the vendor disclose which AI sub-processors/models power its features and any automated decisions affecting students?
✓ Good T3
Answer: Yes
“AI service providers are used to provide content generation services on Padlet like the 'AI image', 'AI Recipe' and Padlet TA features; as well as content moderation services to ensure that Padlet remains a safe place for all users to collaborate on.”
Policy discloses specific AI features and services but does not name specific models or sub-processors.
Jurisdiction & Residency
Q18Does the vendor disclose where data is stored and which privacy regimes it complies with?
✓ Good T3
Answer: Yes
“Padlet has certified to the U.S. Department of Commerce that Padlet adheres to (1) the EU-U.S. Data Privacy Framework with regard to the processing of personal information received from the European Union, (2) the UK Extension to the EU-U.S. Data Privacy Framework, with regard to the processing of personal information received from the United Kingdom (and Gibraltar), and to (3) the Swiss-U.S. Data Privacy Framework with regard to the processing of personal information received from Switzerland.”
Policy discloses compliance with DPF but does not explicitly name storage locations; lists regimes.

Jurisdiction & residency — Nord Anglia footprint

Vendor named 0 of 11 Nord Anglia countries. Shown alongside the verdict, not folded into the score — a vendor can be strong on privacy yet leave residency gaps for specific countries.
“Padlet has certified to the U.S. Department of Commerce that Padlet adheres to (1) the EU-U.S. Data Privacy Framework with regard to the processing of personal information received from the European Union, (2) the UK Extension to the EU-U.S. Data Privacy Framework, with regard to the processing of personal information received from the United Kingdom (and Gibraltar), and to (3) the Swiss-U.S. Data Privacy Framework with regard to the processing of personal information received from Switzerland.”
CountryPrivacy lawCoverage
MexicoLatAmLFPDPPP⚠ Gap
Costa RicaLatAmLaw 8968⚠ Gap
PanamaLatAmLaw 81/2019⚠ Gap
Dominican RepublicLatAmLaw 172-13⚠ Gap
BrazilLatAmLGPD⚠ Gap
ColombiaLatAmLey 1581/2012⚠ Gap
EcuadorLatAmLOPDP (2021)⚠ Gap
PeruLatAmLaw 29733⚠ Gap
ChileLatAmLaw 21.719⚠ Gap
UruguayLatAmLaw 18.331⚠ Gap
United StatesFERPA / COPPA⚠ Gap
GDPR (overlay)Nord Anglia is UK-headquartered, global✓ Named
Advisory only. Round 1 reads the vendor's public privacy policy — a T3 (self-asserted, unverified) source. This is a triage signal, not a final verdict or legal advice. An explicit gate violation is a hard no; silence routes to Round 2, it never fakes a pass. A human reviews and signs off.
Reviewed by: __________________________ Date: ____________