Tynker
Round 1 · Privacy Triage · VettED Privacy Triage (Avenues-derived) — Round 1 · assessed
🔴 Do Not Approve
Privacy score 74.4% · band Good
Hard no: the vendor explicitly does something disqualifying — Q11 (Data Safety). An explicit gate violation beats the privacy score.
Hard-fail gate(s): Q11 — an explicit disqualifying practice. This beats the privacy score.
Dimension scorecard
| Dimension | Score | |
|---|
| Data Collection GATE |
| 55.0% |
| Data Sharing GATE |
| 100.0% |
| Data Sold GATE |
| 100.0% |
| Data Rights GATE |
| 66.7% |
| Data Safety GATE ⚠ |
| 20.0% |
| Ads & Tracking GATE |
| 100.0% |
| Parental Consent |
| 100.0% |
| School Purpose |
| 100.0% |
| AI & Model-Training GATE |
| 50.0% |
| Jurisdiction & Residency |
| 100.0% |
Findings — 18 questions, every answer cited
Data Collection
Q1Does the vendor limit collection/use of information to only data required for the product? GATE
✓ Good
T3
Answer: Yes
“For clarity, we do not collect, maintain, use or share any Personal Data of a Student User beyond that needed for authorized educational/school purposes, or as authorized by the Student User or his/her parent or legal guardian, or teacher or school administrator under this Student User Privacy Policy and the Additional Terms for Student Data from Educational Institution.”
Policy explicitly limits collection to data needed for educational purposes.
Q2Does the vendor collect PII beyond what's necessary for the stated educational purpose?
✓ Good
T3
Answer: No
“For clarity, we do not collect, maintain, use or share any Personal Data of a Student User beyond that needed for authorized educational/school purposes, or as authorized by the Student User or his/her parent or legal guardian, or teacher or school administrator under this Student User Privacy Policy and the Additional Terms for Student Data from Educational Institution.”
Policy explicitly states they do not collect PII beyond what is needed for educational purposes.
Q3Is any image of the user collected?
✗ Concern
T3
Answer: Yes
“Voice Recording and Photos: The Services provide the functionality that allow Student Users to create voice recordings or upload photos in connection with their projects. We do not require Student Users to submit any voice recordings or photos, but Student Users can voluntarily opt to use such functionality to create voice recordings or upload photos.”
Policy explicitly states that voice recordings and photos can be collected from student users.
Q4Does the vendor collect precise geolocation data?
? Not addressed
T0
Answer: Unclear
Policy does not address collection of precise geolocation data. Location-enabled browser is mentioned but not precise geolocation.
Data Sharing
Q5Does the vendor limit data sharing with third parties to the purpose for which it was collected? GATE
✓ Good
T3
Answer: Yes
“We only share the Personal Data of our Student Users with service providers or other parties that are subject to restrictions to collect, use, or share your Personal Data in ways that are consistent with commitments in this Student User Privacy Policy.”
Policy states sharing is limited to purposes consistent with the privacy policy.
Q6Does the vendor impose contractual limits on how third parties use shared personal information? GATE
✓ Good
T3
Answer: Yes
“We only share the Personal Data of our Student Users with service providers or other parties that are subject to restrictions to collect, use, or share your Personal Data in ways that are consistent with commitments in this Student User Privacy Policy.”
Policy indicates contractual restrictions on third-party use of shared data.
Data Sold
Q7Does the vendor sell or rent users' personal information to third parties? GATE
✓ Good
T3
Answer: No
“In no instance do we sell any Personal Information of Student Users to anyone.”
Policy explicitly states they do not sell student personal information.
Data Rights
Q8Do the student / educator / parent / school retain ownership of data and IP of uploaded content? GATE
✓ Good
T3
Answer: Yes
“For example, if a Student User chooses to publish his/her projects to the public community of the Services, the data of such projects, including any voice recordings and/or photos, will be shared with other users of the community, if the project is approved by Tynker. Any published voice recording and/or photos can be accessed, used, downloaded or modified by other users of our Services.”
Policy indicates students retain ability to control publication of their content; parents/guardians and teachers can manage account access and disable community function.
Q9Can the user delete all of their PII and personal information from the vendor?
✓ Good
T3
Answer: Yes
“If you are a parent or guardian of a Student User of our Services who is under 13 years of age, you may contact us at any time to ask that (a) we stop collecting Personal Data from such Student User, (b) we delete any Personal Data already collected from such Student User (although note that we may further retain information in an anonymous or aggregated form where that information would not identify such Student User personally), or (c) we stop disclosing Personal Data collected from such Student User to third parties, but continue to allow for collection and use of Personal Data collected from such Student User in connection with the Services.”
Policy allows deletion of PII upon request by parent/guardian.
Q10Does the vendor auto-delete data after a defined period of inactivity (data sunset)?
? Not addressed
T0
Answer: Unclear
Policy does not address automatic deletion of data after a defined period of inactivity.
Data Safety
Q11Can students contact or interact with UNKNOWN users (strangers / the general public) in environments NOT supervised by a teacher or school? (Teacher-managed or within-class interaction, and content-only sharing, do NOT count.) GATE
✗ Concern
T3
Answer: Yes
“For example, if a Student User chooses to publish his/her projects to the public community of the Services, the data of such projects, including any voice recordings and/or photos, will be shared with other users of the community, if the project is approved by Tynker. Any published voice recording and/or photos can be accessed, used, downloaded or modified by other users of our Services.”
Policy describes a public community where students can publish projects accessible to other users, which allows interaction with unknown users.
Ads & Tracking
Q12Does the vendor display behavioral or targeted advertising to students inside the product? (Sending product/marketing emails to account holders does NOT count.) GATE
✓ Good
T3
Answer: No
“We do not use or disclose Personal Data of a Student User or any other information of Student User collected through such Student User's Educational Institution (whether personal information or otherwise) for behavioral targeting of advertisements to students.”
Policy explicitly prohibits behavioral advertising to students.
Q13Does the vendor share students' personal information with third parties for third-party advertising or ad-targeting? GATE
✓ Good
T3
Answer: No
“We do not use or disclose Personal Data of a Student User or any other information of Student User collected through such Student User's Educational Institution (whether personal information or otherwise) for behavioral targeting of advertisements to students.”
Policy explicitly states student data is not shared with third parties for ad-targeting.
Parental Consent
Q14Does the vendor limit collection for children aged 13 or under, or require parental/school consent?
✓ Good
T3
Answer: Yes
“The Children's Online Privacy Protection Act ('COPPA') requires that online service providers obtain parental consent before they knowingly collect personally identifiable information online from children who are under 13 years of age. We do not knowingly or intentionally collect or solicit personally identifiable information from a child under 13 without obtaining verifiable consent from that child's parent or guardian ('Parental Consent').”
Policy requires parental consent for children under 13 and limits collection for this age group.
School Purpose
Q15Does the vendor state the product is intended for students in preschool or preK-12?
✓ Good
T3
Answer: Yes
“Please read this Privacy Policy to learn how we treat your personal data if you are a student user of Tynker Services under the age of 18 ('Student User').”
Policy is specifically for student users under 18, indicating the product is intended for K-12 students.
AI & Model-Training
Q16Does the vendor use student/user data — including uploaded content — to train, fine-tune, or improve AI/ML models? GATE
✓ Good
T3
Answer: No
“We use these recordings to provide and improve the quality of our Services and to provide customer support to Users.”
Policy states recordings are used to improve services but does not explicitly state they are used to train AI/ML models. The statement about 'improve' refers to service quality and customer support, not model training.
Q17Does the vendor disclose which AI sub-processors/models power its features and any automated decisions affecting students?
? Not addressed
T0
Answer: Unclear
Policy does not disclose specific AI sub-processors, models, or automated decision-making systems affecting students.
Jurisdiction & Residency
Q18Does the vendor disclose where data is stored and which privacy regimes it complies with?
✓ Good
T3
Answer: Yes
“Tynker's Student Privacy Policy and our services are designed to meet our responsibilities under FERPA to protect personal information from students' educational records.”
Policy mentions FERPA compliance but does not explicitly state storage locations. Additional information about data storage locations is not provided in the student policy.
Jurisdiction & residency — Nord Anglia footprint
Vendor named 1 of 11 Nord Anglia countries. Shown alongside the verdict, not folded into the score —
a vendor can be strong on privacy yet leave residency gaps for specific countries.
“Tynker's Student Privacy Policy and our services are designed to meet our responsibilities under FERPA to protect personal information from students' educational records. The Children's Online Privacy Protection Act ('COPPA') requires that online service providers obtain parental consent before they knowingly collect personally identifiable information online from children who are under 13 years of age.”
| Country | Privacy law | Coverage |
|---|
| MexicoLatAm | LFPDPPP | ⚠ Gap |
| Costa RicaLatAm | Law 8968 | ⚠ Gap |
| PanamaLatAm | Law 81/2019 | ⚠ Gap |
| Dominican RepublicLatAm | Law 172-13 | ⚠ Gap |
| BrazilLatAm | LGPD | ⚠ Gap |
| ColombiaLatAm | Ley 1581/2012 | ⚠ Gap |
| EcuadorLatAm | LOPDP (2021) | ⚠ Gap |
| PeruLatAm | Law 29733 | ⚠ Gap |
| ChileLatAm | Law 21.719 | ⚠ Gap |
| UruguayLatAm | Law 18.331 | ⚠ Gap |
| United States | FERPA / COPPA | ✓ Named |
| GDPR (overlay) | Nord Anglia is UK-headquartered, global | ⚠ Gap |