Code.org—a tech non-profit backed by Mark Zuckerberg, Jack Dorsey, and other top brass—wants to improve computer science education for young women and minorities. And hey, that's great. But it wouldn't be a Zuck joint without something insidious: the group will hold private data about kids for years.

The initiative is trying to sign up entire school districts to test the curriculum: Code.org will provide schools with course materials, teacher stipends, and general support. What a deal! But as Slashdot just pointed out, there's some iffy fine print in the sample contract (read it in full at the bottom):

[It] not only calls for collecting children's data for Code.org ("Code.org's ongoing studies review longitudinal student achievement data for the current year, the preceding four (4) to six (6) academic years, until the end of the student's academic history in the district"), but also locks teachers into a 2+ year commitment on behalf of Code.org ("Each teacher selected to participate in the Code.org Program shall commit to teaching in the Code.org Program for a minimum of two school years through a letter of intent administered by the district"). Among other requirements, the contract calls for "an Entity participating in the Code.org Program" to "offer courses, select teachers to receive professional development, and to market these courses to students and parents."

The relevant bit about student data is here:

Code.org promises it complies with all pertinent privacy laws and will do its darndest to keep it all locked up. But beyond performance reviews, it's unclear what will be done with the test scores of children, and to what end. Code.org reserves the right to figure that out as it goes along:

Use or access to any protected data obtained as a result of these studies will be limited to representatives with a legitimate interest in accessing this data, which will include the Entity Coordinator, school administrators, and other persons who are specifically authorized by the Entity as having a legitimate interest in receiving the data.

You should probably just trust them.