Common SensePrivacy Program
D

Privacy Evaluation for Desmos

Overview

This review is of the Desmos experience, as described by the privacy and related policies below which are in effect as of the date of this evaluation, March 18th 2025. This evaluation only considers policies that have been made publicly available prior to an individual using the application or service.

Rating

The overall privacy score is 72%. This product received a Warning rating based on the following details:
  • Personal information is not sold or rented to third parties.
  • Personal information is not shared for third-party marketing.
  • Personalised advertising is not displayed.
  • Data are not collected by third-parties for their own purposes.
  • User's information is not used to track and target advertisements on other third-party websites or services.
  • This product does not create or use data profiles for personalised advertisements.
Transparency
  • Do the policies clearly indicate the version or effective date of the policies?
  • Do the policies clearly indicate a changelog or past policy versions are publicly available for review?
  • Do the policies clearly indicate whether or not a user is notified if there are any material changes to the policies?
  • Do the policies clearly indicate the method used to notify a user when policies are updated or materially changed?
  • Do the policies clearly indicate whether or not any updates or material changes to the policies will be accessible for review by a user prior to the new changes being effective?
  • Do the policies clearly indicate whether or not any changes to the policies are effective immediately and continued use of the product indicates consent?
  • Do the policies clearly indicate which products are covered by the policies?
  • Do the policies clearly indicate whether or not a user can contact the company about any privacy policy questions, complaints, and changes to the policies?
  • Do the policies clearly indicate the company's privacy principles by short explanations, layered notices, bullet points, a table of contents, or outlined privacy principles of the company?
  • Do the policies clearly indicate they are available in any language(s) other than English?
  • Do the policies clearly indicate whether or not the product is intended to be used by children under the age of 13?
  • Do the policies clearly indicate whether or not the product is intended to be used by teens 13 to 18 years of age?
  • Do the policies clearly indicate whether or not the product is intended to be used by adults over the age of 18?
  • Do the policies clearly indicate whether or not the product is intended to be used by parents or guardians?
  • Do the policies clearly indicate whether or not the product is intended to be used by students in preschool or preK-12?
  • Do the policies clearly indicate whether or not the product is intended to be used by teachers?
Data Collection
  • Do the policies clearly indicate whether or not the company collects personally identifiable information (PII)?
  • Do the policies clearly indicate what type of categories of personally identifiable information are collected?
  • Do the policies clearly indicate whether or not geolocation data are collected?
  • Do the policies clearly indicate whether or not any health or biometric data are collected?
  • Do the policies clearly indicate whether or not any behavioral or activity related data are collected?
  • Do the policies clearly indicate whether or not sensitive personal information is collected?
  • Do the policies clearly indicate whether or not any data is collected automatically?
  • Do the policies clearly indicate whether or not the company collects personal information or education records from preK-12 students?
  • Do the policies clearly indicate whether or not the company collects personal information from children under 13 years of age?
  • Do the policies clearly indicate whether or not the company excludes specific types of data from collection?
  • Do the policies clearly indicate whether or not the company excludes specific types of collected data from coverage under its privacy policy?
  • Do the policies clearly indicate whether or not the company limits the collection of information to only data that are specifically required for the product?
Data Sharing
  • Do the policies clearly indicate if collected information (this includes data collected via automated tracking or usage analytics) is shared with third parties?
  • Do the policies clearly indicate what type of categories of information are shared with third parties?
  • Do the policies clearly indicate whether or not third-party services are used to support the company's product?
  • Do the policies clearly indicate the role or purpose of third-party service providers?
  • Do the policies clearly indicate the categories of related third parties, such as subsidiaries or affiliates with whom the company shares data?
  • Do the policies clearly indicate whether or not privacy policy links are provided to any third-party service provider, data processor, partner, or affiliate?
  • Do the policies clearly indicate whether or not data collected or maintained by the first-party company can be augmented, extended, or combined with data from third-party sources?
  • Do the policies clearly indicate whether or not data shared with third-party companies can be augmented, extended, or combined with data from any source?
  • Do the policies clearly indicate whether or not any third-party, social, or federated login is supported to use the product?
  • Do the policies clearly indicate whether or not the company collects any information from any third-party login providers?
  • Do the policies clearly indicate whether or not the company shares any information with third-party login providers?
  • Do the policies clearly indicate whether or not a user's information that is shared or sold to a third-party is only done so in an anonymous or de-identified format?
  • Do the policies clearly indicate whether or not the de-identification process is done with a reasonable level of justified confidence, or whether the company provides links to any information that describes their de-identification process?
  • Do the policies clearly indicate whether or not the company imposes contractual limits on how third parties can use personal information that the company shares or sells to them?
  • Do the policies clearly indicate whether or not the company imposes contractual limits that prohibit third parties from reidentifying or combining data with other data sources that the company shares or sells to them?
  • Do the policies clearly indicate the company's intention or purpose for sharing a user's personal information with third parties?
  • Do the policies clearly indicate whether or not any information is shared with third parties for analytics purposes?
  • Do the policies clearly indicate whether or not any information is shared with third parties for research or product improvement purposes?
  • Do the policies clearly indicate whether or not personal information is shared with third parties for marketing purposes?
  • Do the policies specify any types of categories of collected information that will not be shared with third parties?
  • Do the policies clearly indicate whether or not a user's personal information is sold, or exchanged for anything of value to third parties?
  • Do the policies clearly indicate whether or not the company may obtain a user's information from a third party?
  • Do the policies clearly indicate whether or not outbound links on the product to third-party external resources are age-appropriate?
  • Do the policies clearly indicate whether or not any third party is authorized to access a user's information?
  • Do the policies clearly indicate whether or not a user's personal information is collected by a third party?
  • Do the policies clearly indicate whether or not a user's information can be deleted from a third party?
Respect for Context
  • Do the policies clearly indicate whether or not the company limits the use of data collected by the product to the purpose of providing the service?
  • Do the policies clearly indicate the context or purpose for which data are collected?
  • Do the policies clearly indicate whether or not the company treats personal information combined with non-personally identifiable information as personal information?
  • Do the policies clearly indicate whether or not notice is provided to a user if the company changes the purpose or context in which data are collected?
  • Do the policies clearly indicate whether or not the company obtains consent if the practices in which a user's data are collected change or are inconsistent for the purpose in which it was collected?
  • Do the policies clearly indicate whether or not the company may terminate a user's account if they engage in any prohibited activities?
Individual Control
  • Do the policies clearly indicate whether or not a user can create or upload content to the product?
  • Do the policies clearly indicate whether or not the company obtains opt-in consent from a user at the time any information is collected?
  • Do the policies clearly indicate whether or not the company has a grievance or remedy mechanism for users to file a complaint after the company restricts or removes a user's content or account?
  • Do the policies clearly indicate whether or not a user can control the use of their information through privacy settings?
  • Do the policies clearly indicate whether or not a user can opt out from the disclosure or sale of their data to a third party?
  • Do the policies clearly indicate whether or not a user can request the company to provide all the personal information the company has shared with third parties?
  • Do the policies clearly indicate whether or not the company will provide the affected user with notice in the event the company receives a government or legal request for their information?
  • Do the policies clearly indicate whether or not a user retains ownership to the Intellectual Property rights of the data collected or uploaded to the product?
  • Do the policies clearly indicate whether or not the company may claim a copyright license to the data or content collected from a user?
  • Do the policies clearly indicate whether or not the company limits its copyright license of a user's data?
Access & Accuracy
  • Do the policies clearly indicate whether or not the company provides authorized individuals a method to access or review a user's personal information?
  • Do the policies clearly indicate whether or not there are methods to restrict what data are accessible to specific users?
  • Do the policies clearly indicate whether or not the company provides a process available for the school, parents, or eligible students to review student information?
  • Do the policies clearly indicate whether or not the company takes steps to maintain the accuracy of data they collect and store?
  • Do the policies clearly indicate whether or not the company provides authorized individuals with the ability to modify data?
  • Do the policies clearly indicate whether or not the company provides a process for the schools, parents, or eligible students to modify inaccurate student information?
  • Do the policies clearly indicate how long the company has to modify a user's inaccurate data after the company is given notice?
  • Do the policies clearly indicate the company has a data retention policy, including any data sunsets or any time-period after which a user's data will be automatically deleted if they are inactive on the product?
  • Do the policies clearly indicate whether or not there are any exceptions to the standard data retention policy (including valid requests to inspect the data)?
  • Do the policies clearly indicate whether or not the company will delete a user's personal information when the data are no longer necessary to fulfill its intended purpose?
  • Do the policies clearly indicate whether or not a user's data are deleted upon account cancellation or termination?
  • Do the policies clearly indicate whether or not a user can delete any of their information from the company?
  • Do the policies clearly indicate whether or not the company provides a process for an authorized user to delete a user's personal information?
  • Do the policies clearly indicate how long the company may take to delete a user's data after the company is given notice?
  • Do the policies clearly indicate whether or not a user can export or download their data, including any user created content on the product?
  • Do the policies clearly indicate whether or not a user may assign an authorized user or legacy contact to access and download their data?
Data Transfer
  • Do the policies clearly indicate whether or not the company can transfer a user's data in the event of the company's merger, acquisition, or bankruptcy?
  • Do the policies clearly indicate whether or not the company can assign its rights or delegate its duties under the policies to a successor company without notice or consent to the user?
  • Do the policies clearly indicate whether or not the company will notify users of a data transfer to a third-party successor, in the event of a company's bankruptcy, merger, or acquisition?
  • Do the policies clearly indicate whether or not a user can request to delete their data prior to its transfer to a third-party successor in the event of a company bankruptcy, merger, or acquisition?
  • Do the policies clearly indicate whether or not the third-party successor of a data transfer is contractually required to provide the same privacy compliance required of the company?
Security
  • Do the policies clearly indicate whether or not the company or an authorized third party verifies a user's identity with additional personal information?
  • Do the policies indicate whether or not the company requires a user to create an account with a username and password in order to use the product?
  • Do the policies clearly indicate whether or not the company provides user managed accounts for other authorized users (eg. a parent, teacher, school or district)?
  • Do the policies clearly indicate whether or not the security of a user's account is protected by multi-factor authentication?
  • Do the policies clearly indicate whether or not a third party with access to a user's information is contractually required to provide the same level of security protections as the company?
  • Do the policies clearly indicate whether or not reasonable security standards are used to protect the confidentiality of a user's personal information?
  • Do the policies clearly indicate whether or not the company implements physical access controls or limits employee access to user information?
  • Do the policies clearly indicate whether or not all data in transit is encrypted?
  • Do the policies clearly indicate whether or not all data in storage is encrypted?
  • Do the policies clearly indicate what jurisdiction a user's personal information may be subject to?
  • Do the policies clearly indicate whether or not the company provides notice in the event of a data breach?
  • Do the policies clearly indicate whether or not the data privacy or security practices of the company are internally or externally audited?
Responsible Use
  • Do the policies clearly indicate whether or not a user can interact with trusted users?
  • Do the policies clearly indicate whether or not a user can interact with untrusted users?
  • Do the policies clearly indicate whether or not information must be shared or revealed by a user in order to participate in social interactions?
  • Do the policies clearly indicate whether or not a user's personal information can be displayed publicly in any way?
  • Do the policies clearly indicate whether or not a user has control over how their personal information is displayed to others?
  • Do the policies clearly indicate whether or not the company reviews, screens, or monitors user-created content?
  • Do the policies clearly indicate whether or not the company takes reasonable measures to delete all personal information from a user's postings before they are made publicly visible?
  • Do the policies clearly indicate whether or not social interactions between users of the product may be moderated?
  • Do the policies clearly indicate whether or not social interactions, including private and direct messages, are logged by the company and are available for review or audit?
  • Do the policies clearly indicate whether or not an authorized user has the ability to filter or block inappropriate content?
  • Do the policies clearly indicate whether or not inappropriate content, harassment, or cyberbullying can be reported?
  • Do the policies clearly indicate the company provides notice, resources, or processes that support safe and appropriate social interactions on the product?
Advertising
  • Do the policies clearly indicate whether or not a user may receive service- or administrative-related email or text message communications from the company or a third party?
  • Do the policies clearly indicate whether or not traditional or contextual advertisements are displayed to a user based on a webpage's content, and not that user's data?
  • Do the policies clearly indicate whether or not advertising based on a user's personal information are displayed on the first-party product?
  • Do the policies clearly indicate whether or not third-party tracking technologies collect any information from a user of the product for the third-party's own purposes including advertising?
  • Do the policies clearly indicate whether or not a user's information is used to track users and display personalised advertisements on other third-party websites or services?
  • Do the policies clearly indicate whether or not the company allows third parties to use a user's data to create an automated profile or engage in data enhancement for the purposes of personalised advertising?
  • Do the policies clearly indicate whether or not the company or third party filters advertisements for kids (e.g., no alcohol, gambling, violence, or sexual content)?
  • Do the policies clearly indicate whether or not the company may send marketing emails, text messages, or other related communications that may be of interest to a user?
  • Do the policies clearly indicate whether or not the company may ask a user to participate in any third-party sweepstakes, contests, surveys, or other similar promotions?
  • Do the policies clearly indicate whether or not a user can opt out of any advertising?
  • Do the policies clearly indicate whether or not a user can opt out or unsubscribe from a company or third party marketing communication?
  • Do the policies clearly indicate whether or not the company responds to a "Do Not Track" signal or other opt-out mechanisms from a user?
  • Do the policies clearly indicate whether the company provides a link to a description and the effects of any program or protocol the company follows that offers consumers a choice not to be tracked?
Compliance
  • Do the policies clearly indicate whether or not the company has actual knowledge that personal information from children under 13 years of age is collected by the product?
  • Does the company clearly provide a section or heading for children in their policies, or provide a separate kid's privacy policy or COPPA notice for kids?
  • Do the policies clearly indicate whether or not the company restricts or prohibits creating an account for a child under 13 years of age?
  • Do the policies clearly indicate whether or not the product is primarily used, designed, and marketed for preschool or K-12 school purposes?
  • Do the policies clearly indicate the process by which education records are entered into the product? For example, are student data entered by district staff, school employees, parents, teachers, students, or some other person?
  • Do the policies clearly indicate whether or not the company provides a contract to a Local Educational Agency (LEA)?
  • Do the policies clearly indicate whether or not the company is under the direct control of the educational institution and designates themselves a 'School Official' under FERPA?
  • Do the policies clearly indicate whether or not the company or a third party obtains verifiable parental consent before they collect or disclose personal information?
  • Do the policies clearly indicate whether or not a parent can consent to the collection and use of their child's personal information without also consenting to the disclosure of the information to third parties?
  • Do the policies clearly indicate whether or not the company responds to a request from a parent or guardian to prevent further collection of their child's information?
  • Do the policies clearly indicate whether or not the company deletes personal information from a child under 13 years of age if collected without parental consent?
  • Do the policies clearly indicate whether or not the company provides notice to parents or guardians of the methods to provide verifiable parental consent?
  • Do the policies clearly indicate whether or not responsibility or liability for obtaining verified parental consent is transferred to the school or district?
  • Do the policies clearly indicate the companys's legal jurisdiction that applies to the construction, interpretation, and enforcement of the policies?
  • Do the policies clearly indicate whether or not the company requires a user to waive the right to a jury trial, or settle any disputes by Alternative Dispute Resolution (ADR)?
  • Do the policies clearly indicate whether or not the company requires the user to waive their right to join a class action lawsuit?
  • Do the policies clearly indicate whether or not the company can use or disclose a user's data under a requirement of applicable law to comply with a legal process, to respond to governmental requests, to enforce their own policies, for assistance in fraud detection and prevention, or to protect the rights, privacy, safety or property of the company, its users, or others?
  • Do the policies clearly indicate whether or not the company has signed any privacy pledges or received any other privacy certifications?
  • Do the policies clearly indicate whether or not a user's data are subject to International data transfer or jurisdiction laws, such as a privacy shield or a safe harbor framework that protects the cross-border transfer of a user's data?
  • Do the policies clearly indicate whether or not the company is categorized as a Data Controller or a Data Processor, and whether it has identified a Data Protection Officer (DPO) for the purposes of GDPR compliance?

About Privacy Evaluations

The privacy evaluations have been designed with the help and support of a consortium of schools and districts across the United States. These evaluations are designed to help educators make informed decisions about the potential privacy implications of educational technology used to support teaching and learning.

Our core evaluation criteria will always be freely available. People are encouraged to read the questions we use and our information security primer. Vendors are encouraged to use our questions and the information security primer to self-evaluate. You can also learn more about our evaluation process. Please be in touch with any questions or feedback.