This document outlines how MindMup complies with the US Family Educational Rights and Privacy Act (FERPA) and Children’s Online Privacy Protection Act (COPPA), and how you can exercise your rights under FERPA or COPPA if your students or child are using MindMup.
Important note: The information below relates to MindMup Gold Organisational subscriptions, which are intended for schools. Personal and team subscriptions, which are intended for individuals or small commercial organisations, are not covered by this page.
A quick summary
At MindMup, we care about your privacy and data. Users are our most important stakeholders, not a product to be sold to shady information brokers. We store the minimum information required to provide you with the service, share it only with compliant processors when required for operational purposes, and do not let any other third-party link, track or access information about our users.
MindMup is operated by a company registered in the United Kingdom (for our company details, see the contact page). We work under the jurisdiction of the UK Information Commissioner’s Office, and apply European Union GDPR privacy protection rules, which are in general stronger than equivalent US regulations. We are glad to offer the same level of privacy protection to all our users, not just those resident in the EU.
What kind of education records does MindMup store?
Users can create and store mind maps with MindMup. These are documents typically used by school children as part of their school assignments, to capture ideas, provide structure to writing assignments, collect research data or outline plans for school projects.
Schools do not automatically transfer any internal education records or information to MindMup.
MindMup does not automatically collect education records from any third party.
Does MindMup have access to medical and psychological treatment records?
We do not automatically retrieve any such information from school systems. Unless a user (such as a staff member) accidentally copies such information into a MindMup document, we do not hold any medical and psychological treatment records.
How does MindMup limit access to student information?
Each document starts as private, available only to the person who created it. Authors can optionally share the document with collaborators (such as a teacher sharing their template document with students in a class), or opt to publish it so the document can be viewed on a public web site (for example, to embed in the school portal).
MindMup limits access to documents as directed by users. We do not automatically publish or make the information available to other users or third parties. MindMup does not use these records for any purpose other than those explicitly authorized in our terms of service.
Can schools prevent students from accidentally publishing information?
Yes, school administrators can block students from sharing or publishing maps outside the school. See Configuring Organisational Access for more information.
What data processors does MindMup use?
To process user information covered by FERPA and COPPA, MindMup is using Amazon Web Services (AWS). You can read more about AWS and FERPA compliance on their FERPA Compliance in the AWS Cloud page.
Optionally, schools may choose to let students and staff save documents to Google Drive. In such case, the user generated data is not stored by MindMup at all. Even in case when a school uses Google Drive storage, MindMup keeps a copy basic user profile information (covered by the “directory” information type in FERPA for auditing and security purposes).
For signing into the application, we integrate with Google GSuite for Education and Microsoft Office 365.
The MindMup web site does not include any widgets or analytics that would allow third parties to track users without their knowledge.
What personally identifiable information does MindMup store and process?
Organisational subscriptions require users to sign in with their school account, using an authentication provider such as Google or Microsoft. We only store basic profile information (such as the user account identifier, email and domain), along with the time of the authentication operation, for security and auditing purposes. This information is covered by the “directory” category of FERPA.
In case of attempted payment fraud or security violations, we store the e-mail associated with the operation and the meta-data about the incident for security purposes and to prevent fraud.
All other personal information, including directory information and passwords is not stored by MindMup, but by the chosen authentication provider (Google or Microsoft).
Does MindMup disclose personally identifiable information to third parties?
Apart from storing information as described above, for the purpose of authentication, authorisation and fraud prevention, MindMup does not disclose personally identifiable information information to any third party.
Which countries is the data stored in?
We use the us-east-1 AWS data centre, located in the US (North Virginia).
How long does MindMup store data for?
Any information related to security or auditing, including information on attempted payment fraud, may be stored indefinitely.
If you use MindMup Cloud storage for user data, user data is stored for the duration of the subscription, and for a period of up to six months after the subscription is stopped or expires.
If you use Google Drive for storing user data, then the storage is controlled by your school contract with Google, not by MindMup.
Is the data stored securely?
MindMup maintains reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of personally identifiable student information in our custody.
If you use MindMup Cloud storage for user data, the information is stored encrypted at rest, and it is encrypted in transit. You can find more information on the technical means of encryption and storage on our Data Security page.
If you use Google Drive to store maps, all changes to map content are directly sent from user’s browser to Google Drive, using HTTPS (encrypted at transit). MindMup does not send the map data anywhere else or keep additional copies or backups. The storage is controlled by your school contract with Google, not by MindMup.
Does MindMup keep data backups?
If you use MindMup Cloud storage for user data, we use automated backup and redundant storage capabilities provided by AWS for user documents.
If you use Google Drive to store maps, we do not provide automated backup or redundant storage. School IT administrators can configure this directly on Google Drive.
How to request access to your child’s records maintained by MindMup?
If you are a parent, you should first contact your school IT administrator, and ask that they provide you with access. In turn, they should contact us and we will provide copies of the records we hold for the student.
If you are a school IT administrator, and your school uses Google Drive to store documents, you can directly provide the access to the relevant Google Drive files as you would for any other Drive-integrated tool. There is no special procedure to access MindMup files.
If you are a school IT administrator, and your school uses MindMup cloud storage to store documents, please send an e-mail to contact@mindmup.com with the following information:
- student email identifier
- the type of documents you request access to
- the date range for the documents
How to request correcting the information maintained by MindMup?
Generally, the information stored by MindMup is user generated, not provided through an automated process. MindMup users can correct the information themselves, as long as they are the author of the appropriate document, or have been shared the document with write-access privileges.
If the document you want to correct is not possible to correct that way, and you are a parent, you should first contact your school IT administrator, and ask that they contact us to correct the information for you.
If you are a school IT administrator, and your school uses Google Drive to store documents, you can directly correct the information by modifying the Google Drive files.
If you are a school IT administrator, and your school uses MindMup cloud storage to store documents, please send an e-mail to contact@mindmup.com with the following information:
- document identifier (URL)
- the information you want us to update
- the new version of the information
How to request more information from MindMup?
Please send an e-mail to contact@mindmup.com.
Has any personal data been disclosed inadvertently in the past, or as a result of a security or privacy breach?
We are not aware of any security or privacy breaches related to data stored by MindMup.
What is the MindMup privacy policy
We have published our Privacy Policy online.