top of page
BP-trial-hero_1.png

Sign up for free access to selected BrainPOP and BrainPOP Jr. animated movies and learning activities.

BPS-sample-investigation.png

Experience BrainPOP Science with a sample investigation (50 minutes).

GDPR Notice

Last Updated: May 12, 2026

​

Scope and Controller

 

This GDPR Privacy Notice (“Notice”) supplements BrainPOP’s Website Privacy Policy and Product Privacy Policy. It applies to individuals located in the European Economic Area (EEA), the United Kingdom (UK), and Switzerland whose Personal Data is processed by BrainPOP and its affiliates (“BrainPOP,” “we,” “our,” or “us”).

​

BrainPOP processes Personal Data in two capacities:
 

  • Data Controller: For our own business operations, including sales, marketing, website analytics, and administration.
     

  • Data Processor: When providing educational services on behalf of our school and district customers who use individual student accounts. In this capacity, the school or district is the Data Controller and BrainPOP processes data under their instructions.

​

The Data Controller for BrainPOP's own processing activities is:

​

BrainPOP, Attn: Legal Department, 71 W 23rd Street, 18th Floor, New York, NY 10010, United States

​

Email: privacy@brainpop.com

​

Personal Data We Process

​

The categories of Personal Data we process, the purposes, and the legal bases are set out below.

​

As Data Controller (Own Operations)

 

Category of Data
Purpose
Legal Basis
Retention Period
Name, email, CV, application materials
Processing job applications
Steps prior to entering a contract; legitimate interest
Per applicable employment law
Name, email, message content
Responding to inquiries and support requests
Legitimate interest; performance of contract
2 years after last communication
Pseudonymous identifiers, browsing data
Personalized product suggestions and content
Legitimate interest (service improvement)
24 months
IP address, browser type, pages visited
Website analytics, performance monitoring
Legitimate interest (website improvement)
24 months (then aggregated)
Email address, interaction data
Tracking interaction with marketing emails
Legitimate interest (marketing effectiveness)
24 months
Name, email address
Marketing communications, newsletters
Consent (B2C email marketing); Legitimate interest (B2B where permitted)
Until consent withdrawn or unsubscribe
Name, email, phone number, school affiliation
Sales inquiries, customer relationship management
Legitimate interest (business operations)
Duration of customer relationship + 2 years

As Data Processor (Educational Services)

 

When BrainPOP processes Student Records on behalf of a school or district (the Data Controller), we do so under the instructions of that institution and in accordance with our Data Processing Agreement. The categories of data processed include:

​

  • Student names, usernames, passwords, class and grade information
     

  • Student responses to assignments, quizzes, and other educational activities
     

  • Voice recordings (when students use recording features)
     

  • Teacher names, email addresses, and class information
     

  • IP addresses and usage data

​

Schools and districts determine the purposes and means of processing. BrainPOP processes this data solely to provide the educational services and as otherwise instructed by the school or district. 

​

Legal Bases for Processing​


We rely on the following legal bases under Article 6 GDPR:​

​

  1. Consent (Article 6(1)(a)): Where you have given consent to the processing, such as for marketing communications. You may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
     

  2. Performance of a Contract (Article 6(1)(b)): Where processing is necessary to perform our contractual obligations to you or to take steps at your request prior to entering into a contract.
     

  3. Legitimate Interests (Article 6(1)(f)): Where processing is necessary for our legitimate interests (such as business operations, marketing effectiveness, website improvement, and security) and those interests are not overridden by your rights. Our legitimate interest assessments are available upon request.
     

  4. Legal Obligation (Article 6(1)(c)): Where processing is necessary to comply with a legal obligation.

​

Children's Data

​

Where BrainPOP processes children’s data in the EU/UK, the legal basis is typically the performance of a contract with the educational institution (the school or district) and/or the consent of a holder of parental responsibility, as applicable under Article 8 GDPR and local implementing legislation. Schools using BrainPOP are responsible for ensuring that appropriate consent or authorization has been obtained.​

​

International Data Transfers

​

BrainPOP is based in the United States. Personal Data from individuals in the EEA, UK, and Switzerland is transferred to the United States for processing. We ensure appropriate safeguards for these transfers as follows:
 

  • Standard Contractual Clauses (SCCs): We rely on the European Commission’s Standard Contractual Clauses (as adopted by Commission Implementing Decision (EU) 2021/914) for transfers of Personal Data from the EEA to the United States. For UK transfers, we rely on the UK International Data Transfer Agreement or the UK Addendum to the EU SCCs, as applicable.
     

  • Supplementary Measures: Where required, we implement supplementary technical and organizational measures to ensure an adequate level of protection, including encryption of data in transit and at rest, access controls, and contractual obligations on sub-processors.

​

To request execution of Standard Contractual Clauses or for information about our transfer safeguards, please contact us at privacy@brainpop.com.

 

Student and Teacher Data

 

All Personal Data collected from students and teachers through BrainPOP’s educational products is stored and processed within the United States. We do not transfer student or teacher data to servers outside the United States.

 

Automated Decision-Making and Profiling​

 

BrainPOP uses an AI-assisted grading tool (the “AI Grading Tool”) within BrainPOP Science. This tool analyzes student responses and provides scoring suggestions to teachers. The AI Grading Tool does not make decisions that have legal or similarly significant effects on students. All AI-generated scores are suggestions only; teachers retain full control and must approve or modify scores before they are visible to students.

​

Teachers may hide the  AI Grading Tool at any time through their account settings. To disable the AI Grading Tool feature complete, please email privacy@brainpop.com. For more information, see the AI section of our Product Privacy Policy.

​

Your Rights Under GDPR

 

If you are located in the EEA, UK, or Switzerland, you have the following rights regarding your Personal Data. To exercise these rights where BrainPOP acts as Data Controller, please contact us at accessrequests@brainpop.com.


Where BrainPOP acts as Data Processor (for Student Records), parents and guardians should contact their school or district to exercise their rights. We will work with the school to facilitate requests.

 

Right of Access (Article 15)

 

You have the right to obtain confirmation of whether we process your Personal Data, and if so, to request access to that data, including the purposes of processing, the categories of data involved, and the recipients to whom the data has been or will be disclosed. You may request one copy of the data free of charge; additional copies may be subject to a reasonable fee.
 

Right to Rectification (Article 16)

​

You have the right to request correction of inaccurate Personal Data and, taking into account the purposes of processing, to have incomplete data completed.
 

Right to Erasure (Article 17)

​

Under certain circumstances, you have the right to request erasure of your Personal Data, including where the data is no longer necessary for the purposes for which it was collected, where you withdraw consent, or where the data has been unlawfully processed.
 

Right to Restriction of Processing (Article 18)

​

Under certain circumstances, you have the right to restrict processing of your Personal Data. Where processing is restricted, we may only store the data and process it with your consent or for the establishment, exercise, or defense of legal claims.
 

Right to Data Portability (Article 20)

​

Where processing is based on consent or a contract and is carried out by automated means, you have the right to receive your Personal Data in a structured, commonly used, and machine-readable format and to transmit it to another controller without hindrance.

​

Right to Object (Article 21)

​

You have the right to object to processing of your Personal Data based on legitimate interests. Where you object, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests. Where Personal Data is processed for direct marketing, you have an absolute right to object at any time.
 

Right to Withdraw Consent

​

Where processing is based on your consent, you have the right to withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing that took place before the withdrawal.
 

Right to Lodge a Complaint

​

If you believe that our processing of your Personal Data violates applicable data protection law, you have the right to lodge a complaint with a supervisory authority. You may lodge a complaint with the supervisory authority in the EU/UK Member State of your habitual residence, place of work, or place of the alleged infringement.

 

Sub-Processors​

 

When acting as Data Processor, we may engage sub-processors to assist in providing the Services. Sub-processors are contractually required to process data only as instructed and to maintain appropriate security measures. A current list of sub-processors is available at brainpop.com/discover/third-party-service-providers. We will notify school and district customers before engaging new sub-processors that process Student Records, providing an opportunity to object.
 

Data Security

 

We maintain technical and organizational measures appropriate to the risks presented by our processing activities, including encryption, access controls, regular security assessments, and annual SOC 2 Type II audits. For details, see the Security section of our Product Privacy Policy.

 

Data Retention

 

We retain Personal Data only for as long as necessary for the purposes described in this Notice or as required by applicable law. Specific retention periods are set out in the table in the Personal Data We Process section above and in the Data Retention section of our Product Privacy Policy and Website Privacy Policy. When Personal Data is no longer needed, we securely delete or anonymize it.

​

Changes to This Notice

 

We may update this GDPR Privacy Notice from time to time. Material changes will be communicated by email to affected individuals and by posting the updated Notice on our website. The effective date will be indicated at the top of this Notice.

 

Contact Information

 

For questions about this GDPR Privacy Notice or to exercise your rights:
 

bottom of page