VED
Trust & Verification OS · Procurement
VettED — Round 1 Privacy Triage
Scratch Foundation
Round 1 · Privacy Triage · VettED Privacy Triage (Avenues-derived) — Round 1 · assessed
🔴 Do Not Approve
Privacy score 73.3% · band Good
Hard no: the vendor explicitly does something disqualifying — Q16 (AI & Model-Training). An explicit gate violation beats the privacy score.
Hard-fail gate(s): Q16 — an explicit disqualifying practice. This beats the privacy score.

Dimension scorecard

DimensionScore
Data Collection GATE
100.0%
Data Sharing GATE
50.0%
Data Sold GATE
100.0%
Data Rights GATE
33.3%
Data Safety GATE
100.0%
Ads & Tracking GATE
100.0%
Parental Consent
100.0%
School Purpose
100.0%
AI & Model-Training GATE
10.0%
Jurisdiction & Residency
100.0%

Findings — 18 questions, every answer cited

Data Collection
Q1Does the vendor limit collection/use of information to only data required for the product? GATE
✓ Good T3
Answer: Yes
“Scratch collects only minimal information from its users, and only uses and discloses information to provide the services and for limited other purposes, such as research, as described in this Privacy Policy.”
Policy explicitly states minimal collection for service provision.
Q2Does the vendor collect PII beyond what's necessary for the stated educational purpose?
✓ Good T3
Answer: No
“Scratch collects only minimal information from its users, and only uses and discloses information to provide the services and for limited other purposes, such as research, as described in this Privacy Policy.”
Policy states minimal collection, indicating no collection beyond necessary.
Q3Is any image of the user collected?
✓ Good T3
Answer: No
“When you create an account, we ask you for a username and password, your country, gender, and your email address.”
No mention of image collection in account creation or general data collection sections.
Q4Does the vendor collect precise geolocation data?
✓ Good T3
Answer: No
“When you use the Scratch Website, we infer your general location information, for example, by using your internet protocol (IP) address.”
Only general location via IP address; not precise geolocation.
Data Sharing
Q5Does the vendor limit data sharing with third parties to the purpose for which it was collected? GATE
✓ Good T3
Answer: Yes
“We share Personal Information that we collect through the Scratch Website, if you consent to us doing so, in the following circumstances: Service Providers... To third parties who provide services such as website hosting, data analysis, information technology and related infrastructure provisions, customer service, email delivery, artificial intelligence services that provide backend support, and other services.”
Sharing limited to service provision purposes with consent.
Q6Does the vendor impose contractual limits on how third parties use shared personal information? GATE
? Not addressed T0
Answer: Unclear
Policy does not explicitly state contractual limits on third-party use of shared data.
Data Sold
Q7Does the vendor sell or rent users' personal information to third parties? GATE
✓ Good T3
Answer: No
“Scratch does not disclose personal information of students to any third parties except as described in this Privacy Policy.”
Policy explicitly states no disclosure to third parties except as described; no mention of selling or renting data.
Data Rights
Q8Do the student / educator / parent / school retain ownership of data and IP of uploaded content? GATE
? Not addressed T0
Answer: Unclear
Policy does not explicitly address ownership of uploaded content or IP rights.
Q9Can the user delete all of their PII and personal information from the vendor?
✓ Good T3
Answer: Yes
“If you want to delete your account, login to Scratch, and then click your username in the top right-hand corner. Select "Account Settings," then click the "I want to delete my account" link at the bottom of the page. Deleting your account hides all Personal Information from public view, but does not remove all of your Personal Information from our servers. If you want to have all of your Personal Information removed from our servers, please contact help@scratch.org for assistance.”
Users can request complete deletion via help@scratch.org.
Q10Does the vendor auto-delete data after a defined period of inactivity (data sunset)?
? Not addressed T0
Answer: Unclear
Policy does not mention automatic data deletion after inactivity period.
Data Safety
Q11Can students contact or interact with UNKNOWN users (strangers / the general public) in environments NOT supervised by a teacher or school? (Teacher-managed or within-class interaction, and content-only sharing, do NOT count.) GATE
✓ Good T3
Answer: No
“We moderate content posted to the Scratch Website, including shared and unshared projects, comments, and forum posts to ensure that our Community Guidelines are respected.”
Content moderation and community guidelines suggest supervised/managed interaction; no mention of open contact with strangers.
Ads & Tracking
Q12Does the vendor display behavioral or targeted advertising to students inside the product? (Sending product/marketing emails to account holders does NOT count.) GATE
✓ Good T3
Answer: No
“Scratch does not collect information from a student's education record, as defined by the Family Educational Rights and Privacy Act (FERPA). Scratch does not disclose personal information of students to any third parties except as described in this Privacy Policy.”
No mention of behavioral or targeted advertising to students; policy emphasizes student privacy protection.
Q13Does the vendor share students' personal information with third parties for third-party advertising or ad-targeting? GATE
✓ Good T3
Answer: No
“Scratch does not disclose personal information of students to any third parties except as described in this Privacy Policy.”
Explicit statement that student information is not disclosed to third parties for advertising.
Parental Consent
Q14Does the vendor limit collection for children aged 13 or under, or require parental/school consent?
✓ Good T3
Answer: Yes
“Scratch takes children's privacy seriously. Scratch collects only minimal information from its users, and only uses and discloses information to provide the services and for limited other purposes, such as research, as described in this Privacy Policy.”
Policy emphasizes children's privacy and minimal collection; teacher accounts can create student accounts.
School Purpose
Q15Does the vendor state the product is intended for students in preschool or preK-12?
✓ Good T3
Answer: Yes
“When you create a teacher account, we ask for a username and password, your phone number, birthdate, gender, country of residence, name, and details about your employer. When you create student accounts through your teacher account, we ask for a username, password, birthdate, gender, and country of residence.”
Policy explicitly addresses student accounts and teacher accounts for educational use.
AI & Model-Training
Q16Does the vendor use student/user data — including uploaded content — to train, fine-tune, or improve AI/ML models? GATE
✗ Concern T3
Answer: Yes
“We use Personal Information that we collect on the Scratch Website, such as your location and your activities, to monitor and analyze usage of the Scratch Website and to enhance your learning experience, including by training AI tools to personalize features or recommendations on the Website.”
Policy states data is used to train AI tools for personalization.
Q17Does the vendor disclose which AI sub-processors/models power its features and any automated decisions affecting students?
? Not addressed T0
Answer: Unclear
Policy mentions AI tools and automated technologies but does not disclose specific AI sub-processors, models, or automated decision-making details.
Jurisdiction & Residency
Q18Does the vendor disclose where data is stored and which privacy regimes it complies with?
✓ Good T3
Answer: Yes
“We may transfer your Personal Information to countries other than the country where you are located, including to the U.S. (where Scratch servers are located) or any other country in which we or our service providers maintain facilities. If you are located in the European Economic Area, the United Kingdom or Switzerland, or other regions with laws governing data collection and use that may differ from U.S. law, please note that we may transfer your Personal Information to a country and jurisdiction that does not have the same data protection laws as your jurisdiction. Where we do so, we will comply with applicable data protection laws. In particular we will rely on (i) an EU Commission, UK or Swiss government adequacy decision, (ii) contractual protections for the transfer of your Personal Data, or (iii) another valid data transfer mechanism.”
Storage location and compliance regimes disclosed.

Jurisdiction & residency — Nord Anglia footprint

Vendor named 1 of 11 Nord Anglia countries. Shown alongside the verdict, not folded into the score — a vendor can be strong on privacy yet leave residency gaps for specific countries.
“Scratch servers are located in the U.S. (where Scratch servers are located) or any other country in which we or our service providers maintain facilities. If you are located in the European Economic Area, the United Kingdom or Switzerland... we will comply with applicable data protection laws. In particular we will rely on (i) an EU Commission, UK or Swiss government adequacy decision, (ii) contractual protections for the transfer of your Personal Data, or (iii) another valid data transfer mechanism. Scratch does not collect information from a student's education record, as defined by the Family Educational Rights and Privacy Act (FERPA).”
CountryPrivacy lawCoverage
MexicoLatAmLFPDPPP⚠ Gap
Costa RicaLatAmLaw 8968⚠ Gap
PanamaLatAmLaw 81/2019⚠ Gap
Dominican RepublicLatAmLaw 172-13⚠ Gap
BrazilLatAmLGPD⚠ Gap
ColombiaLatAmLey 1581/2012⚠ Gap
EcuadorLatAmLOPDP (2021)⚠ Gap
PeruLatAmLaw 29733⚠ Gap
ChileLatAmLaw 21.719⚠ Gap
UruguayLatAmLaw 18.331⚠ Gap
United StatesFERPA / COPPA✓ Named
GDPR (overlay)Nord Anglia is UK-headquartered, global✓ Named
Advisory only. Round 1 reads the vendor's public privacy policy — a T3 (self-asserted, unverified) source. This is a triage signal, not a final verdict or legal advice. An explicit gate violation is a hard no; silence routes to Round 2, it never fakes a pass. A human reviews and signs off.
Reviewed by: __________________________ Date: ____________