1. Scope & Compliance Framework
This Privacy Policy governs data processing activities for Thinking In Educating (“we”, “us”) operating through https://www.thinkingineducating.com. We comply with:
- General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA)
- Children’s Online Privacy Protection Act (COPPA)
- Utah Consumer Privacy Act (UCPA)
2. Data Controller Information
Legal Entity: Thinking In Educating LLC
Address: 548 Market St PMB 98732, San Francisco, CA 94104
Data Protection Officer: research@thinkingineducating.com
3. Data Collection Matrix
| Data Category | Purpose | Legal Basis | Retention Period |
|---|---|---|---|
| Identity Data (Name, Email) | Account Creation, Newsletter | Performance of Contract | 3 years post-account closure |
| Technical Data (IP, Device ID) | Security Monitoring, Analytics | Legitimate Interest | 26 months |
| Cookie Data | Ad Personalization, Functional Cookies | Consent | 13 months |
| Children’s Data | COPPA-compliant Services | Parental Consent | Until age 13+30 days |
4. Third-Party Data Sharing Disclosure
We engage with these verified partners:
Advertising Services
- Google AdSense (Privacy Policy)
- Mediavine (for sites with 50k+ monthly sessions)
Analytics Providers
- Google Analytics 4 (Data Retention: 14 months)
- Microsoft Clarity (Session Recordings)
Payment Processors
- Stripe (PCI-DSS Level 1 Certified)
- PayPal (PII Encryption Standard)
5. Cookie Policy Compliance
We implement IAB TCF 2.0 framework with these cookie categories:
| Category | Example | Control Method |
|---|---|---|
| Essential | CSRF tokens | Cannot opt-out |
| Analytics | GA4 client_id | Cookie Banner Toggle |
| Advertising | Google _gcl_au | Consent Manager |
| Social Media | Facebook Pixel | Explicit Permission |
6. International Data Transfers
Personal data may be transferred to:
- Google LLC (USA) under EU-US Data Privacy Framework
- AWS CloudFront (Global) using SCCs Module 1
- Cloudflare CDN with Schrems II compliance
7. Your Legal Rights (GDPR/CCPA)
Access
Request full data export in machine-readable format (JSON/CSV)
Rectification
Update profile via account portal or email request
Erasure
Submit “Right to Forget” request through Automated Tool
Opt-Out
Global Privacy Control (GPC) signal honored within 72 hours
Appeal
Challenge decisions via research@thinkingineducating.com
8. Security Protocols
- AES-256 encryption for data at rest
- SOC 2 Type II certified hosting (AWS)
- Annual penetration testing by Cure53
- Bug Bounty Program via HackerOne
9. Children’s Privacy (COPPA)
- Strict 13+ age verification gate
- Parental consent required via Verified Parents Portal
- Zero behavioral advertising for under-16 users
10. Policy Updates Notification
- Material changes: 30-day advance email notice
- Version tracking with Git repository public log
- Archive access to previous 5 versions
11. Dispute Resolution
- EU/UK: Data subject complaint to EDPB
- US: JAMS Arbitration Case No. TIE2024
- 24/7 Breach Reporting: main@thinkingineducating.com
Attestations
✅ TRUSTe Certified Privacy Seal
✅ California Do Not Track Disclosure
✅ AdChoices Program Participant