Privacy Policy

1. Introduction

Inlay's mission is to create an environment where early-grade students can thrive through predictable classroom routines and strong teacher relationships. Protecting your privacy is fundamental to our mission and business. This Privacy Policy applies to the Inlay Service provided to educational institutions and their users (including teachers, school administrators, and families) that is available through our websites at inlay.sh, the Inlay applications, and any other online or offline offerings (collectively "the Inlay Service", "the Service", "Inlay", "we", "us", or "our"). The primary users of the Inlay Service are teachers and school administrators, who create accounts and use the platform to manage classrooms and student information. Students (children) have a passive role: they do not hold accounts or use the Service directly; their information is managed by the teacher, and only when a parent or guardian has allowed data collection for that student. This policy explains how we collect, use and protect personal information that we collect through the Inlay Service, including when you create an account ("Account Information"), add student information to classrooms ("Student Data"), and track student progress ("Classroom Records"). Inlay also offers a Parent Portalwhere parents and guardians can manage data collection preferences and view their child's information when linked by the school.

In order to use the Inlay Service, you must create an account and agree to our Terms of Service.

1.1 Identity of Data Controller

Inlay Applications
Yakushintsi, Sadova 65
Vinnytsia, Ukraine

Privacy Contact: privacy@inlay.sh
Support: team@inlay.sh

EU Representative (GDPR Art 27): Inlay is established outside the European Union. If you are in the EU/EEA and need to contact our EU representative, please request their details at privacy@inlay.sh.
Data Protection Officer: Inlay is not required to appoint a Data Protection Officer under GDPR. For all privacy inquiries, including requests to exercise your rights, please contact us at privacy@inlay.sh.

2. Inlay and FERPA

When the Inlay Service is used by a teacher, school, school district or other K-12 educational institution (collectively referred to as "School") for an educational purpose, we may access, collect or receive personal information directly related to students ("Student Data") that is provided by the School or by the teacher. Student Data collected by Inlay includes personal information from students' education records that are subject to the Family Educational Rights and Privacy Act ("FERPA"), including student names, dates of birth, academic performance data, mood tracking information, teacher observations and notes, and family member contact information. Inlay receives and processes such Student Data as a "School Official" (as that term is used in FERPA and its implementing regulations) under the direct control of the school with regard to the use and maintenance of such information. Inlay agrees to work with our School partners to jointly ensure compliance with FERPA.

3. Inlay and COPPA

Inlay complies with the Children's Online Privacy Protection Act ("COPPA"). COPPA protects personal information collected from a child younger than 13. We do not knowingly collect information from a child under 13 unless a School has authorized us to collect such information through the provision of the Service on the School's behalf.

When a School uses Inlay for an educational purpose, we rely on the School to provide appropriate consent for Inlay to collect personal information about students under 13 for the use and benefit of the School and for no other commercial purpose, as permitted by COPPA. When authorized by the School, we use and process the child's personal information only for the purpose of providing the Service to the School and maintain such information no longer than necessary to provide the Service. Upon written request, we will provide the School the opportunity to review and delete the personal information collected about their students. If you are a parent and you have questions about your child's use of Inlay and any information collected, please discuss your questions with your child's School.

3.1 Parent Portal and verifiable parental consent

We also obtain verifiable parental consentthrough the Inlay Parent Portal. Parents and guardians can give or refuse consent for the teacher to collect, use, and disclose their child's personal information for educational purposes, per student. They can change this at any time in the Parent Portal under Settings > Data consent. When a parent refuses consent, we do not use that child's data for purposes that require parental consent under COPPA, and we restrict collection and use of that data in the platform accordingly. Where we obtain Student Data indirectly from a school (rather than directly from the parent or child), we provide this privacy information to parents within one month of obtaining the data or at the time of first communication with the parent, as required by GDPR Article 14 (e.g. via the school or the Parent Portal).

4. Who does Inlay collect information from?

We collect information from individuals who create accounts on Inlay, which includes teachers and school administratorsas the primary account holders ("you"). Students do not create accounts or directly use the Inlay Service;they have a passive role as data subjects. All Student Data is inputted and managed by teachers and school administrators through observation and classroom management activities, and only for students for whom a parent or guardian has allowed data collection. Parents and guardians may use the Parent Portal to manage consent and, where permitted, view their child's information.

5. How does Inlay obtain my information?

We receive information from the information that you provide, from your device(s), and from third-party services. The categories of sources from which we've collected or received information include:

• You: We collect the content, communications, and other information you provide when you create an account, add Student Data to classrooms, record observations, or otherwise use Inlay.
• Other users:We collect information that other people provide when they use Inlay, such as when a teacher adds a family member's contact information for communication about a student.
• Your device(s): We collect information from and about the computers, phones, and other web-connected devices you use to access Inlay.
• Third-Parties: When you create an Inlay account using a third-party single sign-on service (e.g. Google OAuth), we access the name, profile picture, and email address provided by these services, subject to the data sharing preferences you have set with respect to that third-party service.

6. What information does Inlay collect?

We intentionally limit our data collection to only what we need to provide the Inlay service for you. Through our provision of the Inlay Service, we may collect the following information:

Account Information

When you create an account on Inlay we collect your name, email address, password, and optional profile picture. Inlay may also collect your phone number if you enter it in your Account Settings. Teachers using Inlay may add a family member's email or phone number to facilitate communication about a student.

Students do not create accounts.Teachers and school administrators create student records which include information such as the student's name, optional date of birth, optional contact information, optional profile picture, and connections to their teacher and classroom.

Users can make changes to their profile and other account details in Account Settings.

Student Data

Inlay collects information about students that is inputted by teachers and school administrators. This Student Data may include:

• Student name (required)
• Date of birth (optional)
• Gender (optional)
• Contact information (optional: email, phone, address)
• Profile picture (optional)
• Academic performance tracking (advanced, proficient, basic, developing, unknown)
• Daily mood tracking (calm, happy, angry, sad)
• Teacher observations and notes (up to 8,000 characters per note)
• Teacher comments (up to 2,000 characters per comment)
• Task and assignment information
• Family member or guardian contact information (names, relationships, emails, phone numbers)
• Classroom membership and attendance data

Student Data that is inputted by teachers may be considered a student education record as defined by FERPA.

Classroom Information

Teachers may use Inlay to create and manage classrooms, including classroom name, grade level, schedule information, and lesson planning data. Teachers control which students are assigned to which classrooms and who has access to view or manage classroom data.

Communications

Inlay collects any information you send to us directly, such as email, support tickets, or chat communications, or through your responses to our optional surveys.

Information from your Google Account or other Third-Party Sign-in Service

Inlay allows school administrators and teachers to sign up for and log into our service using a Google Account. When you create an Inlay account using one of these Third-Party Services, we receive the name, profile picture, email address and other information (if available) provided by these services, subject to the data sharing preferences you have set with those third-party services. Inlay does not share your personal information with these services.

Account Usage and Log Data

When you use Inlay or visit our website, we collect information about your use of the Service, such as pages visited, amount of time spent on the Service, actions (e.g., views, edits, classroom access) and similar information about your interactions with Inlay. We also collect log data which includes information about your browser or device, such as your IP address, cookie identifiers, browser type, operating system, device information and identifiers, and your mobile carrier. We only collect usage data from teachers and school administrators, never from students.

7. How does Inlay use this information?

We use this information to:

• Allow you to access and use the Service by verifying your identity and storing your classroom data and Student Data.
• Provide support to teachers and school administrators.
• Provide school administrators with information about how Inlay is performing in their school(s).
• If you've enabled notifications, notify you about activity on and updates to your account.
• Research, understand, and analyze user trends to improve and develop new features for our educational products and services.
• Promote and advertise the Services and enhancements to Inlay relevant for teachers and schools. Note that we do not use Student Data to inform or enable advertising or marketing activities.
• Investigate, prevent, and detect activities on our service that we believe may violate the law, applicable regulations, or Inlay policies. We may, at the request of a school, investigate accounts to determine whether they comply with school policies.

7.1 Legal Basis for Processing (GDPR)

Under GDPR, we process personal information based on the following legal grounds:

• Contract Performance: Processing necessary to provide the Inlay Service under our Terms of Service (account management, service delivery, customer support)
• Legal Obligation: Compliance with applicable laws such as FERPA, COPPA, tax requirements, and responding to lawful requests
• Consent: Marketing communications and optional analytics (which can be withdrawn at any time)
• Legitimate Interests: Fraud prevention, security, and service improvement (only where not overridden by data subject rights)

For Student Data processed under the school exception of COPPA, the school provides consent on behalf of parents for educational purposes only.

7.2 Requirement to Provide Data (GDPR Art 13(2)(e))

Where we need your personal data to perform our contract with you (e.g. account and email to provide the Inlay Service) or to comply with a legal obligation, you must provide it. If you do not provide that data, we will not be able to provide the Service or fulfil our obligations. Other information is optional: for example, optional profile fields (e.g. phone number, profile picture), marketing preferences, and optional analytics. You can withdraw consent for marketing and optional features at any time in Account Settings or via the unsubscribe link in our emails; data collection consent for students can be withdrawn in the Parent Portal under Settings > Data consent.

7.3 Automated Decision-Making and Profiling (GDPR Art 13(2)(f), 22)

Inlay does not use automated decision-making (including profiling) that produces legal effects concerning you or similarly significantly affects you. If we introduce such processing in the future, we will inform you and respect your rights under GDPR Article 22.

8. Does Inlay allow third-party advertising or share user data for advertising third-party products?

No.Our business model is straightforward: we charge for subscriptions that provide access to our classroom management features and we have no interest in advertising third-party products or services within the Inlay Service. We do not allow third-party advertisers or data brokers to collect information about our users' use of the Inlay Service for their own purposes, nor do we share such information or personally identifiable information with third parties for their own advertising or marketing purposes.

We also do not allow in-app purchases or advertising within the classroom management platform.

We do not track users across other applications or services, and we do not use data collected through the Inlay Service for cross-app or cross-site tracking.

9. In what limited circumstances may Inlay need to share my information?

Recipients of your personal data fall into the following categories: schools and teachers (for Student Data and service delivery), cloud and infrastructure providers, payment processors, and (when required by law) courts and law enforcement. We share data with third parties only in the limited circumstances detailed below:

• We share information within Inlay in accordance with the functionality of the Service. For example, Student Data is shared with the student's assigned teacher(s) and school administrators. Certain Student Data may also be shared with authorized family members at the direction of the school or teacher, depending on the settings and functionality selected by the school or teacher.
• Inlay may assist the school or teacher in providing access to Student Data to authorized individuals upon request, including as required by FERPA.
• We may provide school administrators with information about how Inlay is performing in their school(s).
• Inlay may disclose your information to a third party to comply with applicable laws or regulations, or a valid legal request – including to meet national security or law enforcement requirements. If we are compelled to release your data, we will do our best to provide you with advance notice by email, unless we are prohibited from doing so by law.
• We use a small number of third-party service providers in order to operate and improve Inlay – for example, a cloud infrastructure provider that manages our servers or a payment processor that handles subscription billing. These services need access to certain information in order to work, but are contractually obligated to meet our strict security standards, maintain the accuracy of the data they collect, and must only use information in identifiable form for purposes of providing or supporting the Inlay Service.
• We may disclose or transfer your Account Information and Student Data in connection with the sale, merger, bankruptcy, sale of assets, or reorganization of our company. You will be notified via email or some other means as required by law of any change in ownership or uses of your Personal Information, as well as any choices you may have regarding your information (including the right to delete your information). The promises in this Privacy Policy will apply to your data as transferred to the new entity. If Inlay goes out of business without a successor, Inlay will delete your information. In the event that we sell, divest or transfer our business to a new corporate owner, we will not transfer Student Data unless the new owner has agreed to data privacy standards no less stringent than our own or we will provide Schools with notice and an opportunity to opt out of the transfer of Student Data by deleting the Student Data before the transfer occurs.

10. Who can view Student Data in Inlay?

Student data is private to the classroom by default. Users cannot view Student Data in Inlay unless they are the assigned teacher, school administrator, or an authorized family member invited by the teacher or school administrator. Teachers control who can access Student Data by authorizing specific people to have access within their classroom settings.

Teachers decide whether family members can view student information and progress. Teachers can also control visibility settings for student data within their classrooms.

School administrators can access all Student Data and classroom information within their Inlay organization.

Parents and guardians linked by the school can view their child's Student Data in the Parent Portal when they have given data collection consent for that child.

11. Do you work with third-party analytics services?

Inlay is constantly improving, and we use aggregate data about how Inlay is used — for example what features teachers use or what pages you visit — to inform those decisions.

We use two third-party analytics services, for improvement only (not for advertising):

• Vercel Analytics — page views and clicks, to understand how our sites are used and to improve performance.
• PostHog — usage and feature analytics (e.g. which pages and features are used), to improve our product and user experience.

Both collect aggregate, non-advertising data. We do not use this data for advertising, third-party marketing, or targeted ads. Analytics run only on our marketing website and on the Parent Portal, and only track teacher, administrator, and parent actions; we never use Student Data for analytics. The classroom management platform where teachers manage Student Data does not use any third-party analytics or tracking.

The Inlay Service (classroom platform, Parent Portal, and product used by schools and students) does not use third-party tracking or targeted advertising. Optional marketing cookies described in this policy apply only to our marketing website (inlay.sh), not to the educational product.

12. How do you use cookies?

Cookies are small text files that we transfer to your web browser that allow us to identify your web browser and store information about your account. We use cookies to keep you logged into Inlay, customize your Inlay experience, and understand how you use Inlay. We do not use third party cookies within the Inlay Service for targeted advertising purposes. You can choose to remove or disable cookies via your browser settings. Please be aware that Inlay may not work properly if you disable or decline all cookies. See our Cookie Policy for more information.

13. How to View, Correct, Edit, Export, or Update Your Personal Information

You have the right to access, correct, or download for transport to a similar service any of your Personal Information collected by Inlay, where permitted under applicable law. If you are a teacher or school administrator, you can update the information associated with your Inlay account directly by logging into your Inlay account and viewing the Account Settings section.

Parents can manage data collection consent (give, refuse, or change) at any time in the Parent Portal under Settings > Data consent; for other requests they may contact the teacher, school, or privacy@inlay.sh. If you are a parent or guardian and want to correct, edit, download, or update information about your child, or to access or inspect the child's personal information or educational records maintained by Inlay, please direct your request to your teacher or school, or contact us at privacy@inlay.sh if you need additional assistance.

Teachers and school administrators can export Student Data from the Platform at any time in standard formats (CSV, Excel).

14. Account Retention And Termination

We do not knowingly retain Student Data beyond the time period required to support the school's educational purpose, unless authorized by the school or family member. The school is responsible for identifying Student Data which is no longer needed for an educational purpose by submitting a deletion request. We will delete or de-identify Student Data within 30 days of receipt of a request from the School. Even if we do not receive a deletion request from the School, we may delete or de-identify Student Data after a period of inactivity in accordance with our standard data retention schedule. If you are a parent or guardian and would like to delete your child's information from Inlay, please work directly with your teacher or school to request deletion.

14.1 Data Retention Schedule

We retain different types of data for different periods based on legal requirements and educational purposes:

• Active User Accounts: Indefinitely while account is active and in use
• Inactive Accounts: 2 years of inactivity, then account flagged for deletion
• Student Data: Duration of school subscription plus 30 days grace period for export
• Deleted Accounts: 30-day grace period to recover, then permanent deletion
• Technical Logs: 90 days for security and debugging purposes
• Support Tickets: 3 years for quality assurance and legal compliance
• Billing Records: 7 years (legal requirement for tax purposes)
• Marketing Consent: Until withdrawn or 2 years of inactivity

After the retention period expires, data is either permanently deleted or anonymized so it can no longer identify individuals.

If your school or district ends their subscription with Inlay and requests deletion of data, we will delete all Student Data within 30 days unless retention is required by law.

Teachers and administrators may close or request to delete their accounts through Account Settings or by contacting privacy@inlay.sh. If you request that your account or any content be deleted, Inlay may still retain information for a limited period as needed to provide customer support and prevent accidental deletion, or as required or permitted by law. If you terminate your account, all of your data will be unavailable to you immediately.

Please note: We may not be able to immediately or completely delete all data in response to a deletion request, such as information retained in technical support records, customer service records, backups, and other similar business records. We will not be required to delete any information which has been de-identified or disassociated with personal identifiers such that the remaining information cannot reasonably be used to identify a particular individual.

Inlay reserves the right to suspend or permanently delete accounts that have not been accessed by the account holder and appear to have been abandoned. Prior to permanently deleting an abandoned account, Inlay will attempt to notify the account holder by email.

15. How does Inlay keep your data safe?

Inlay takes protecting your security and privacy seriously and we've put a number of measures in place to protect the integrity of your information, including:

15.1 Technical Safeguards

• Encryption: TLS 1.3 for data in transit, AES-256 for sensitive data at rest. Sensitive fields, including teacher notes, comments, and certain student information, are protected with field-level encryption (AES-256) at rest.
• Access Controls: Role-based access with principle of least privilege
• Authentication: Multi-factor authentication (MFA) for administrative accounts
• Network Security: Firewalls, intrusion detection systems, DDoS protection
• Data Centers: Access-controlled, SOC 2 certified facilities

15.2 Administrative Safeguards

• Regular employee privacy and security training
• Background checks for employees with data access
• Confidentiality agreements for all staff
• Incident response and breach notification procedures
• Regular third-party security audits
• Vendor due diligence and data processing agreements

15.3 Data Breach Notification

In the event of a security breach that affects personal information, we will:

• Notify Schools: Within 72 hours of discovery (GDPR/COPPA requirement)
• Notify Affected Individuals: Promptly if high risk to rights and freedoms
• Report to Authorities: As required by applicable law
• Provide Details: Nature of breach, data affected, steps taken, recommendations

You can report security concerns to security@inlay.sh.

16. Does Inlay comply with state student data privacy laws?

Protecting students' privacy is fundamental to our mission and business. We are committed to the following principles to protect Student Data:

• We collect, maintain and use Student Data only for purposes which we are authorized by School.
• We do not use or disclose Student Data for behavioral or targeted advertising purposes.
• We will not build a personal profile of a student other than for supporting school or educational purposes.
• We will not knowingly retain Student Data beyond the time period necessary to support the School's purpose.
• We will never sell Student Data to third parties, unless the sale is part of a corporate transaction, such as a merger, acquisition, bankruptcy, or other sale of assets, and the successor entity is subject to these same commitments for the previously collected Student Data.
• We maintain a comprehensive security program that is reasonably designed to protect the security, confidentiality and integrity of Student Data against risks – such as unauthorized access or use, or unintended or inappropriate disclosure – through the use of administrative, technological and physical safeguards appropriate to the sensitivity of the information.
• We will clearly and transparently disclose our data policies and practices.
• We support access to and correction of Student Data by the parent or guardian by assisting the School respond to such requests.
• We provide resources to support educational institutions, teachers and parents to protect the security and privacy of Student Data while using the Inlay Service.
• We will not make any material changes to our Privacy Policy that relate to the collection or use of Student Data without first giving notice to the School and providing a choice before the Student Data is used in a materially different manner than was disclosed when the information was collected.
• We will incorporate privacy and security when developing or improving our educational products and services and comply with applicable laws.

17. Changes to Our Privacy Policy

Inlay may from time to time make changes to this Privacy Policy to account for changes to our practices or applicable law. The "Last Updated" date at the top of this policy indicates when this Policy was last revised. Your continued use of the Services means you thereby agree to the new Privacy Policy.

We will not make any material changes to this Privacy Policy that relate to the collection or use of Student Data without first giving notice to the teacher or educational institution and providing a choice before Student Data is used in a materially different manner than was disclosed when the information was collected.

18. International Data Transfers

Our Services are operated from Ukraine. If you access our Services from outside Ukraine, your information may be transferred to, stored, and processed in Ukraine or other countries where our service providers operate.

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we ensure appropriate safeguards are in place for international data transfers, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions where applicable
• Appropriate technical and organizational measures to protect data

By using our Services, you consent to the transfer of your information to countries outside your country of residence, which may have different data protection laws. We take steps to ensure your data receives adequate protection wherever it is processed.

19. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

19.1 GDPR Rights (EU/EEA Users)

• Right to Access: Request a copy of your personal data
• Right to Rectification: Correct inaccurate information
• Right to Erasure: Request deletion of your data (see Section 19.1.1)
• Right to Restrict Processing: Limit how we use your data
• Right to Data Portability: Receive your data in machine-readable format
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent:You may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal nor processing based on other legal grounds. Withdraw marketing consent in Account Settings or via the unsubscribe link in our emails; withdraw data collection consent for your child in the Parent Portal under Settings > Data consent.
• Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in your country of residence, place of work, or place of the alleged infringement. You can find your EU/EEA authority in the EDPB list of supervisory authorities; for the UK, see the Information Commissioner's Office (ICO).

19.1.1 Right to Erasure ("Right to be Forgotten", GDPR Art 17)

You have the right to obtain erasure of your personal data without undue delay and we will respond in any event within one month. You can make a request verbally or in writing to any of our contacts (e.g. privacy@inlay.sh or support). The right applies in particular when: the data is no longer necessary for the purposes for which it was collected; you withdraw consent (where consent was the basis); you object to processing and there is no overriding legitimate interest; the data has been unlawfully processed; we must erase the data to comply with a legal obligation; or the data was processed in relation to information society services offered to a child. This right is not absolute: we may retain data where necessary for legal obligations, legal claims, or other exceptions under GDPR Article 17(3). We may charge a reasonable fee or refuse a request only if it is manifestly unfounded or excessive (GDPR Art 12(5)).

19.2 CCPA Rights (California Users)

• Right to Know:What personal information is collected and how it's used
• Right to Delete: Request deletion of personal information
• Right to Opt-Out: We do not sell personal information
• Right to Non-Discrimination: Equal service regardless of privacy choices

19.3 How to Exercise Your Rights

To exercise any of these rights, please contact us at privacy@inlay.sh. Under GDPR we will respond within one month of receiving your request. Where a request is complex or you have made several requests, we may extend the period by up to two further months; we will inform you of any extension and the reasons within the first month. Under CCPA we will respond within 45 days. We may need to verify your identity before processing your request.

For Student Data, parents should contact their child's school first, or contact us directly for assistance.

20. Contact Information

If you have any questions or feedback about this Privacy Policy, please contact us:

• Privacy inquiries: privacy@inlay.sh
• Security concerns: security@inlay.sh
• Support: team@inlay.sh
• Address: Inlay Applications, Yakushintsi, Sadova 65, Vinnytsia, Ukraine