Ducklings Privacy Architecture

A Transparency Document for Educators, Administrators, Parents, and Students

Version 1.0 | December 2025

Our Privacy Philosophy

Ducklings was built on a simple principle: you can't leak what doesn't exist.

Most educational platforms collect personal information and promise to protect it. We took a different approach. We designed Ducklings so that personal information is never collected in the first place. This isn't a policy—it's how the system is built.

Your school knows who your students are. We don't. And we never will.

What Ducklings Stores

When a student participates in Ducklings, we store:

Data                  Example                            Purpose
Student ID            STU-WCH-2025-0847                  Track participation within the simulation
School ID             SCH-AB-0234                        Associate students with their school
Team ID               TEAM-FIN-03                        Group collaboration
Province              AB                                 Geographic aggregation for national simulation
Engagement metrics    Proposals: 12, Votes: 34           Learning outcomes measurement
Simulation activity   Budget decisions, coalition votes  Educational content

What Ducklings Never Stores

We do not collect, store, or have access to:

  • Student names
  • Parent or guardian names
  • Home addresses
  • Phone numbers
  • Email addresses (authentication is handled externally)
  • Birth dates
  • Health information
  • Photographs
  • Any other personally identifiable information (PII)

This is not a policy choice. Our database has no fields for this information. It cannot be entered, stored, or retrieved because it doesn't exist in our system.

How Identity Works

The Mapping Lives at Your School

Your school's Student Information System (SIS) maintains the connection between student IDs and real identities. This mapping never enters our platform.

We receive only the anonymous identifier. We can tell you that STU-0847 submitted 12 proposals. We cannot tell you who STU-0847 is, because we genuinely don't know.

The Circle of Knowledge

A student's identity is known only to those who should know it:

  • The student (knows their own ID)
  • Their teachers (can see their roster in your school's systems)
  • Their parents/guardians (through your school's normal channels)
  • Their teammates (through normal classroom interaction)
  • School administration (through your existing systems)

Ducklings exists outside this circle. We see participation. We never see people.

Who Can See What

We designed Ducklings to mirror the physical security of a real school. Just as a student can't wander into the district office, our digital access follows the same logic.

Students See:

  • Their own participation and progress
  • Their team's collaborative work
  • School engagement ranking on the bulletin board (relative position only)
  • National simulation results (aggregate)

Teachers See:

  • Their classroom roster (by student ID)
  • Individual student participation within their class
  • Team engagement and collaboration metrics
  • School-level comparisons (anonymized)

School Administrators See:

  • All classrooms in their school
  • School-wide engagement metrics
  • Teacher effectiveness (aggregate)
  • District comparison (their school's relative position)

District Administrators See:

  • All schools in their district (aggregate metrics)
  • School-level comparisons
  • District-wide trends
  • Provincial comparison (their district's relative position)

Provincial Administrators See:

  • District-level aggregates only
  • Provincial trends and outcomes
  • No individual student data (not visible at this level)

What About Awards?

At semester end, recognition works through a "bubble-up" process:

  1. System identifies top district by engagement
  2. System identifies top school within that district
  3. School nominates their top student (with consent)
  4. Province announces the nomination they received

The province never browses student records. They receive only what schools choose to share.

The Bulletin Board

Every school lobby displays an engagement ranking board.

This board shows:

  • Relative rankings (1st, 2nd, 3rd)
  • Visual percentage bars
  • Your school's position

This board does NOT show:

  • Raw participation numbers
  • Individual student activity
  • Which students are or aren't participating
  • Any information that could identify individuals

The purpose is motivation, not surveillance.
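The "Who Can See What" roles and the bulletin board above describe a set of views projected from the same anonymous records. The following added example (not Ducklings' own code) shows how such role-scoped views can be derived so that each role receives only its slice: the student sees their own counters and their school's relative position, the teacher sees per-ID counters for their roster only, and the lobby board exposes rank and a relative bar but no raw counts. The storage rows use only the fields listed under "What Ducklings Stores"; the engagement formula (mean proposals + votes per student, scaled so the top school is 100%), the second school and the roster are assumptions constructed for illustration, since the document does not define them.

```python
"""Role-scoped views over anonymous participation records (hypothetical).

Assumed storage shape: one row per student holding only identifiers and
counters, as in "What Ducklings Stores".  The engagement score (mean
proposals + votes per student, scaled so the top school is 100%) is an
assumption for illustration; the document does not define the formula.
"""
from collections import defaultdict
from statistics import mean

# Constructed sample rows: every field is an anonymous ID or a counter.
RECORDS = [
    {"student_id": "STU-WCH-2025-0847", "school_id": "SCH-AB-0234", "team_id": "TEAM-FIN-03", "province": "AB", "proposals": 12, "votes": 34},
    {"student_id": "STU-WCH-2025-0312", "school_id": "SCH-AB-0234", "team_id": "TEAM-HLT-01", "province": "AB", "proposals": 8, "votes": 28},
    {"student_id": "STU-NRS-2025-0101", "school_id": "SCH-AB-0511", "team_id": "TEAM-FIN-01", "province": "AB", "proposals": 3, "votes": 10},
    {"student_id": "STU-NRS-2025-0102", "school_id": "SCH-AB-0511", "team_id": "TEAM-FIN-01", "province": "AB", "proposals": 5, "votes": 12},
    {"student_id": "STU-NRS-2025-0103", "school_id": "SCH-AB-0511", "team_id": "TEAM-HLT-02", "province": "AB", "proposals": 0, "votes": 0},
]


def school_scores(records, province):
    """Internal aggregate: mean (proposals + votes) per student, per school."""
    per_school = defaultdict(list)
    for r in records:
        if r["province"] == province:
            per_school[r["school_id"]].append(r["proposals"] + r["votes"])
    return {sid: mean(v) for sid, v in per_school.items()}


def bulletin_board(records, school_id, width=20):
    """Lobby board view: a rank and a bar per school, never raw counts.

    Bars are scaled to the top school, so a bar reveals only relative
    standing.  Other schools are not named; only the viewer's own row is
    marked, matching "Your school's position".
    """
    province = next(r["province"] for r in records if r["school_id"] == school_id)
    scores = school_scores(records, province)
    top = max(scores.values()) or 1
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    rows = []
    for rank, (sid, score) in enumerate(ranked, start=1):
        pct = round(100 * score / top)
        bar = "#" * round(width * pct / 100)
        rows.append({"rank": rank, "pct": pct, "bar": bar, "you": sid == school_id})
    return rows


def teacher_view(records, school_id, roster):
    """Teacher view: per-ID counters, restricted to the teacher's own roster."""
    roster = set(roster)
    return {
        r["student_id"]: {"proposals": r["proposals"], "votes": r["votes"], "team_id": r["team_id"]}
        for r in records
        if r["school_id"] == school_id and r["student_id"] in roster
    }


def student_view(records, student_id):
    """Student view: own counters plus the school's relative position only."""
    own = next(r for r in records if r["student_id"] == student_id)
    board = bulletin_board(records, own["school_id"])
    my_rank = next(row["rank"] for row in board if row["you"])
    return {
        "proposals": own["proposals"],
        "votes": own["votes"],
        "team_id": own["team_id"],
        "school_rank": my_rank,
        "schools_ranked": len(board),
    }


if __name__ == "__main__":
    for row in bulletin_board(RECORDS, "SCH-AB-0511"):
        marker = "<- you" if row["you"] else ""
        print(f"{row['rank']:>2}. {row['bar']:<20} {marker}")
    print(teacher_view(RECORDS, "SCH-AB-0234", ["STU-WCH-2025-0847"]))
    print(student_view(RECORDS, "STU-NRS-2025-0103"))
```

The design point is that `school_scores` is never returned to a caller directly; every public view re-derives what it needs and drops the rest, so a bug in one view cannot widen another. One caveat worth keeping in mind when building views like this: an aggregate protects individuals only when the group behind it is more than a handful of students, so a production version would suppress or widen any bucket below a minimum size.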

What Happens in a Data Breach?

Educational data breaches make headlines because they expose sensitive information about children. Names, addresses, grades, behavioral notes—all leaked.

If Ducklings were breached, an attacker would find:

  STU-WCH-2025-0847: 12 proposals, 34 votes, Finance team
  STU-WCH-2025-0312: 8 proposals, 28 votes, Healthcare team
  TEAM-FIN-03: 89% engagement rate

This data is meaningless without your school's identity mapping, which we don't have. An attacker cannot:

  • Determine who any student is
  • Contact any student or family
  • Correlate activity with real identities
  • Use the data for identity theft or harassment

The breach is architecturally worthless.

Authentication and Single Sign-On

Students don't create accounts on Ducklings. They authenticate through your school's existing systems via secure single sign-on (SSO).

When a student logs in:

  1. Your school's identity provider confirms "this is a valid student"
  2. It sends us only their anonymous student ID
  3. We never see their password
  4. We never see their real identity
  5. The session is established using only the anonymous ID

Your school remains the authoritative source of identity. We remain intentionally ignorant.
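The login steps above amount to claim minimization at the SSO boundary: the identity provider releases only the anonymous ID, and the platform opens a session from nothing else. The following added example (not Ducklings' or any SSO vendor's code) shows both halves of that boundary: the identity-provider side builds the outbound claim set from the full SIS record and copies out only the pseudonymous fields, and the platform side refuses any login whose claims carry standard personal-data fields or an unexpected claim, so a misconfigured identity provider cannot push PII in through the front door. The identifier formats (modelled on the examples in this document), the claim names and the sample SIS record are assumptions; token signing and signature verification belong to the real OIDC or SAML library and are not shown.

```python
"""Claim minimization at the SSO boundary (hypothetical example).

Assumed: the school's identity provider assembles a small claim set for
Ducklings from its SIS record, and the platform validates the claims it
receives before opening a session.  Token signing/verification is left to
the real SSO library and is not shown here.
"""
import re

# Assumed identifier formats, modelled on the examples in the document.
STUDENT_ID_RE = re.compile(r"^STU-[A-Z]{2,4}-\d{4}-\d{4}$")
SCHOOL_ID_RE = re.compile(r"^SCH-[A-Z]{2}-\d{4}$")

# The only claims the platform will accept; anything else fails the login.
ALLOWED_CLAIMS = frozenset({"sub", "school_id", "team_id", "province"})

# Standard OIDC claims that carry personal data.  Their presence means the
# identity provider is misconfigured, so the login fails closed.
PII_CLAIMS = frozenset({
    "name", "given_name", "family_name", "email", "phone_number",
    "birthdate", "address", "picture",
})


def idp_claims_for_ducklings(sis_record):
    """Identity-provider side: release only the pseudonymous fields.

    `sis_record` is the school's full record (constructed sample below).
    The name and e-mail it contains are deliberately never copied out.
    """
    return {
        "sub": sis_record["student_id"],
        "school_id": sis_record["school_id"],
        "team_id": sis_record.get("team_id"),
        "province": sis_record["province"],
    }


class LoginRejected(ValueError):
    """Raised when a claim set must not be turned into a session."""


def accept_login(claims):
    """Platform side: validate incoming claims and return a session record.

    Fails closed on PII-bearing or unexpected claims so personal data cannot
    enter the system even if the identity provider releases it.
    """
    leaked = PII_CLAIMS & set(claims)
    if leaked:
        raise LoginRejected(f"identity provider released PII claims: {sorted(leaked)}")
    unexpected = set(claims) - ALLOWED_CLAIMS
    if unexpected:
        raise LoginRejected(f"unexpected claims: {sorted(unexpected)}")
    if not STUDENT_ID_RE.match(claims.get("sub", "")):
        raise LoginRejected("malformed student ID")
    if not SCHOOL_ID_RE.match(claims.get("school_id", "")):
        raise LoginRejected("malformed school ID")
    # The session carries only the anonymous identifiers.
    return {
        "student_id": claims["sub"],
        "school_id": claims["school_id"],
        "team_id": claims.get("team_id"),
        "province": claims["province"],
    }


# Constructed sample SIS record; the name and e-mail are fictional.
SAMPLE_SIS_RECORD = {
    "student_id": "STU-WCH-2025-0847",
    "school_id": "SCH-AB-0234",
    "team_id": "TEAM-FIN-03",
    "province": "AB",
    "name": "Example Student",
    "email": "student@example.invalid",
}

if __name__ == "__main__":
    print(accept_login(idp_claims_for_ducklings(SAMPLE_SIS_RECORD)))
    try:
        # Simulate a misconfigured identity provider that also releases e-mail.
        accept_login({**idp_claims_for_ducklings(SAMPLE_SIS_RECORD), "email": "x@example.invalid"})
    except LoginRejected as err:
        print("rejected:", err)
```

Rejecting rather than silently dropping extra claims is the deliberate choice here: a dropped claim hides the misconfiguration, while a failed login surfaces it to the school's identity team immediately.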

Data Retention and Deletion

During the Semester

All participation data is associated with anonymous student IDs. Activity is tracked for educational purposes and learning outcomes measurement.

At Semester End

The semester is archived. Archives contain:

  • Aggregate participation metrics
  • Proposals passed and failed
  • Simulation outcomes
  • No individual student identities (we never had them)

Student Departure

If a student leaves your school, simply remove their access through your SSO provider. Their anonymous ID remains in our historical records, but:

  • It was never connected to their identity in our system
  • Without your school's mapping, it's just a meaningless string
  • No action from us is required

Data Deletion Requests

If you require deletion of a specific student ID's activity, contact us. We can remove it. However, note that this deletes only anonymous participation records—we have no personal information to delete because we never collected any.

Compliance and Legal

FOIP/FIPPA (Alberta/Canada)

Ducklings is designed for compliance with Canadian privacy legislation. By not collecting PII, we eliminate most compliance obligations related to personal information protection. There is no personal information to protect.

FERPA (United States)

For schools operating under FERPA, Ducklings qualifies as a system with no "education records" as defined by the Act, since we maintain no personally identifiable information about students.

GDPR (European Union)

Our architecture implements "privacy by design" as required by GDPR Article 25. We practice data minimization to its logical extreme: we minimize personal data to zero.

Audits Welcome

We welcome privacy audits and security assessments. Auditors consistently find the same thing: there's nothing to find.

Our Commitment

We believe civic education is essential for democracy. We also believe children's privacy is non-negotiable.

These beliefs aren't in conflict. Ducklings proves you can build powerful educational technology that provides deep insights into learning outcomes while maintaining absolute privacy.

We will never:

  • Add fields to collect personal information
  • Purchase or import identity data
  • Attempt to de-anonymize student IDs
  • Share participation data in identifiable form
  • Use student activity for advertising or profiling

We will always:

  • Maintain architectural separation between identity and activity
  • Support your school's role as identity authority
  • Provide transparency about what we store and why
  • Welcome questions, audits, and accountability

Questions?

For Educators and Administrators: Contact your CanuckDUCK account representative or email [email protected]

For Parents: Your first point of contact is your child's school. They control access and can answer questions about how Ducklings is used in the classroom. For questions about our privacy architecture, email [email protected]

For Students: Talk to your teacher! They can explain how your participation is tracked and who can see what.

For Privacy Officers and Legal Teams: We welcome detailed technical discussions. Contact [email protected] to schedule a consultation.

Document History

Version   Date            Changes
1.0       December 2025   Initial release

Ducklings is a product of CanuckDUCK Research Corporation, Calgary, Alberta, Canada.

This document is publicly available and may be freely distributed to stakeholders.