ThingLink is GDPR, COPPA, and FERPA compliant. We are always happy to answer questions about how your data is handled, your local laws, and any other concerns so that you can feel confident about using ThingLink in the classroom, workplace, or any other environment.
This article contains answers to some of the most frequently asked questions. The documents regulating your use of ThingLink are available at:
Where is the data stored?
ThingLink main data storage is located in Ireland via Microsoft Azure and Amazon Web Services (AWS) cloud servers. Some data we share with our subprocessors is stored outside of the European Union, including the US. You can review our subprocessors at thinglink.com/subprocessors
If you are using ThingLink for an educational institution, please note that ThingLink acts as a data processor and the institution is the data controller.
What kind of personal data is collected?
For registered users, we collect the following kinds of data:
- account information (username, email address, date of birth for students)
- user’s content
- payment information
- communications with ThingLink staff
- data from third-party accounts (Google, Microsoft, X (formerly known as Twitter), Facebook accounts) if you choose to sign up with them
- communications between users (EDU accounts only)
- Technical activity log (IP address, interaction with the system)
For those who simply view ThingLinks on thinglink.com, we proccess:
- IP address, user agent, preferred language. We process IP addresses to serve content and combine this data with other information to differentiate user sessions, but we do not store IP addresses on their own & cannot link them to a person.
- Anonymous data about the user’s flow through the system
Does ThingLink collect data via embedded content?
We collect the viewer’s IP address, user agent (browser information) and anonymous statistics about viewers’ interaction with the content. The first two are required to optimize content delivery.
However, if the ThingLink embed contains any other third-party embeds (e.g. YouTube videos), they may collect additional data and place their own cookies.
Does ThingLink share customer data with third parties?
Yes, some data (including PII) is shared with our subprocessors:
- our hosting and content delivery providers
- web analytic services (do not receive PII)
- payment processor + payment tools (not applicable to schools or invoiced customers)
- helpdesk and sales communication tools (receive some PII when a user contacts us)
You can review our subprocessors at thinglink.com/subprocessors
When we disclose your information to our subprocessors, we do so under the same conditions upon which you share your data with us and limit their use of your data to the sole purpose of assisting us with providing the ThingLink service. Apart from our subprocessors, ThingLink does not disclose your Personal Data to third parties unless,
- you have provided us with your express opt-in consent for doing so;
- the disclosure is reasonably necessary for us to be able to enforce our Terms of Service;
- the disclosure is reasonably necessary for the purposes of detecting and preventing fraud or security breaches, or applicable law requires us to disclose it.
We may share aggregate and anonymized User Data (provided that it does not contain any Personal Data) to select third parties.
How long does ThingLink retain user data?
For individual accounts, the data is stored until the user’s account is deleted. Technical activity logs are stored for 90 days, or 30 days if the user’s account is deleted.
For organizational (i.e. corporate, school, or university) accounts, all data is retained as long as ThingLink is providing the service. If any personal data becomes outdated or should be removed for some other reason while the contract lasts, the organization's admin user can delete or modify it via the user interface.
What technical and other security measures are in place?
All data is encrypted in transit, and sensitive data is encrypted at rest. Backups are configured to run weekly on in-scope systems, and a backup restore test is performed at least annually to validate the backup data and backup process.
Access to customer data is role-based. Only select employees can access customer data for the purposes of providing the service or customer support. All employees undergo regular privacy and security trainings.
ThingLink utilizes automated intrusion detection systems and carries out regular security reviews.
Who can I contact if I have further questions?
If you have any further security or privacy-related questions, please submit a support request or send an email to your ThingLink point of contact.
Information for educational institutions & DPIAs
Is student data publicly accessible?
No, as long as students use student accounts their data is available to:
- ThingLink staff
- Their teachers
- Other students belonging to the same teacher/school (this can be disabled via organization settings).
The only exception is student content - students can choose to make their content available to anyone with a link. See below.
Can students make their content publicly available?
Students can create unlisted content that can be viewed by anyone who has access to the link. However, such content won't appear on Google or other search engines unless the content is posted on a publicly available page.
You can learn more about different content privacy settings here.
Can I modify or delete my or my students' data?
Yes, most data can be modified without contacting ThingLink staff. Furthermore, users can delete their account which will lead to immediate termination of their data, with the exception of logs which will be purged 30 days after the account is deleted.
Most of your data can be accessed or changed via Account settings.
Does ThingLink use student data for commercial/marketing purposes?
No. As long as students use student accounts, they are exempt from any marketing activities conducted by ThingLink.
Can students see each other’s data?
If students belong to the same school or teacher group, they can see their peers’ usernames, profile pictures, and content (this can be disabled via organization settings). They cannot see other data (email address, date of birth, etc).
Is ThingLink FERPA/COPPA compliant?
Note that in the case of organizational use of ThingLink, we act as a data processor - you are the data controller. As such, it is the school's (or teacher's) responsibility to collect parental consent. COPPA allows the child’s school, school districts and other educational institutions to obtain consent for the online collection of personal information from children who are students of the school, district, or institution.