# MetaPet Schools ICT/Privacy Review Checklist

Use this checklist with the governance pack. Mark each row before approving a pilot.

| Artifact | Review question | Status | Notes |
| --- | --- | --- | --- |
| Privacy Policy | Does it explain what the school deployment stores, where it is stored, and who controls exports? | Pass / Fail |  |
| Child Privacy Notice | Is the child-facing explanation short and understandable? | Pass / Fail |  |
| Parent/Carer Privacy Notice | Does the family-facing notice explain aliases, local storage, and deletion clearly? | Pass / Fail |  |
| Data Flow Diagram | Does the diagram match observed classroom use? | Pass / Fail |  |
| Data Inventory | Are the stored items limited to what the pilot needs? | Pass / Fail |  |
| Retention and Deletion Schedule | Are retention expectations short and deletion steps clear? | Pass / Fail |  |
| Third-Party Services Register | Does observed traffic match the declared services? | Pass / Fail |  |
| Security Controls Summary | Are route restrictions, local storage, and deletion controls described accurately? | Pass / Fail |  |
| Privacy Impact Assessment | Are major risks and mitigations documented? | Pass / Fail |  |
| Boundaries Statement | Is the school deployment clearly distinct from broader product surfaces? | Pass / Fail |  |

## Boundary Checks

- Confirm `/` resolves into the school surface for the school profile
- Confirm blocked routes redirect back into the school deployment
- Confirm routine use does not expose auth, pricing, or social features
- Confirm exports remain adult-initiated

## Approval Note

Record any condition that must be met before the pilot starts.