Privacy Policy
InClasso is built for children. This policy explains exactly what data we collect, why we collect it, how long we keep it, and how you can control it — in plain language, backed by our GDPR Art. 13/14 processing register.
1. Who We Are
InClasso Ltd ("InClasso", "we", "our", "us") is the data controller for personal data processed through the InClasso platform — an educational social platform designed for school-age children and young people aged 8–17.
Our registered address and Data Protection Officer details are listed in Section 15. Where InClasso processes personal data on behalf of a school or institution, it does so as a data processor under a separate Data Processing Agreement (DPA) with that institution as the controller.
2. Scope & Who This Applies To
This Privacy Policy applies to all personal data collected through:
- The InClasso web platform at inclasso.com
- The InClasso mobile applications (iOS and Android)
- API services consumed by third-party developers under a developer agreement
- Email and other communications with InClasso
It applies to all user categories: youth accounts (including those under 13), parent / guardian accounts, teacher accounts, institution administrators,creators, and developers.
If you are a child under 13 (or under 16 in applicable EU member states) and are reading this, please ask a parent or trusted adult to read this with you. Your parent or guardian must give their verifiable consent before you can use InClasso.
3. Data We Collect
Account data
- Full name and display name
- Email address (and parent / guardian email for accounts under 13)
- Date of birth (used to apply the correct age-gating controls)
- Hashed password (we never store passwords in plain text)
- School name and grade (for youth accounts enrolled via an institution)
Content & activity data
- Posts, comments, chat messages, and uploaded media
- Reactions, follows, and social graph connections
- Quiz and learning activity results (stored under the institution's DPA)
- Moderation incident records (created when content is flagged)
- Appeal submissions and their outcomes
Technical & security data
- IP address at registration and on login (raw IPs purged after 90 days)
- Browser user-agent string
- Session identifiers stored in HttpOnly cookies
- Failed login attempts and security audit events
- Error traces submitted to Sentry (anonymised before transmission)
Payment data
- We do not store full card numbers or CVV codes
- Payment processing is handled by Stripe — we store only pseudonymised references
- Transaction amounts, dates, and subscription tier are retained for 7 years for statutory accounting
Data we do NOT collect
4. How We Use Your Data
We only process personal data for the purposes described below. Each purpose has a documented lawful basis — see Section 6 and the full processing register table for the detail.
- Creating and maintaining your account and authenticating your identity
- Delivering educational content, quizzes, and social features
- Keeping the platform safe — detecting and preventing abuse, grooming, hate speech, spam, and illegal content through our 8-layer automated content moderation pipeline
- Notifying you of safety incidents, password resets, account actions, and erasure confirmations
- Enabling schools to manage classrooms, track progress, and communicate with parents under a DPA
- Improving the platform through anonymised analytics (only with your explicit consent)
- Complying with our legal obligations — including COPPA, UK GDPR, EU GDPR, and statutory financial reporting
- Processing and responding to moderation appeals
5. Children's Privacy (COPPA & GDPR Art. 8)
This section applies to children under 13 in the United States (COPPA), and children under 16 in EU/EEA member states where the local age of digital consent is set at 16 (GDPR Art. 8). In the UK the age is 13.
Verifiable parental consent
Before any child under the applicable age threshold can create a InClasso account, we require verifiable parental consent (COPPA § 312.5). This means:
- A parent or guardian provides their email address during registration
- An email confirmation link is sent to the parent's email — the link expires in 48 hours
- The account is held in a "pending parental consent" state until confirmed
- No personal data from the child is used for any purpose until consent is confirmed
What data we collect from children under 13
- First and last name
- Email address (used only for account authentication)
- Date of birth (age-gating only)
- Parent or guardian email address (for consent verification and safety notifications)
- School name (optional, for institution-linked accounts)
We collect no more information than is reasonably necessary to provide the service to the child (COPPA § 312.7).
No targeted advertising to children
We do not serve behavioural or targeted advertising to any user under 13. Analytics for children's accounts are anonymised and used only for platform safety and improvement — never for commercial profiling (COPPA § 312.7(b)).
Parental rights (COPPA)
Parents and guardians of children under 13 may at any time:
- Review all personal information we hold about their child — email privacy@inclasso.com
- Refuse further collection or use of their child's data — withdraw consent in the parent account portal
- Request deletion of their child's account and all associated data — Settings → Privacy → Request deletion
- Consent to collection without consenting to disclosure to third parties
Requests are processed within 30 days. Identity verification may be required to protect the child.
Data retention for children
Youth account data is retained only for as long as the account is active. Upon an erasure request (or withdrawal of parental consent), the account is soft-deleted immediately and permanently erased within a 30-day tombstone window. Financial records relating to subscription payments are pseudonymised rather than deleted for the 7-year statutory period.
6. Lawful Bases (GDPR) — Full Processing Register
The table below is generated from our internal GDPR Art. 13/14 processing register (machine-readable version available at GET /api/privacy/processing-notice).
| Processing activity | Applies to | Lawful basis | Retention | Can withdraw? |
|---|---|---|---|---|
| Account creation & authentication Name, email, hashed password, IP address at registration | Parents, youth 13+, creators, developers | ConsentArt. 6(1)(a) | Lifetime of account; anonymised on deletion | Yes Right to Erasure — Settings → Privacy → Delete Account |
| Youth account creation (under 13) Name, email, date of birth, parent/guardian email, school name | Children under 13 | Parental consentArt. 6(1)(a) + Art. 8 | Until consent withdrawn + 30-day tombstone, then permanently deleted | Yes Parent submits erasure request via Settings → Privacy |
| School enrolment & classroom management Name, grade, class assignments, progress data, attendance | Youth, teachers, institutions | ContractArt. 6(1)(b) | Duration of school relationship; deleted per institution DPA | No Contact your institution administrator |
| Analytics & product improvement Anonymised page views, feature usage events, error traces (Sentry) | All authenticated users, anonymous visitors | ConsentArt. 6(1)(a) | Consent records 2 years; raw events per third-party processor policy | Yes Cookie Settings — withdraw analytics consent at any time |
| Security monitoring & abuse prevention IP address, user-agent, audit log entries, failed login attempts | All users | Legitimate interestArt. 6(1)(f) | Anonymised logs 3 years; raw IPs purged after 90 days | No Right to Object — email privacy@inclasso.com (evaluated per Art. 21) |
| Transactional email notifications Email address, notification content | All authenticated users | ContractArt. 6(1)(b) | Not stored beyond delivery; SendGrid delivery logs per SendGrid policy | No Cannot be opted out while account is active — essential to the service |
| Marketing & promotional emails Email address, first name | Users who have opted in | ConsentArt. 6(1)(a) | Until consent withdrawn; consent records for 2 years | Yes Unsubscribe link in any marketing email, or Notification Preferences |
| Financial records retention Payment amounts, dates, pseudonymised descriptions | Paying users | Legal obligationArt. 6(1)(c) | 7 years from date of transaction (statutory accounting requirement) | No Financial records are pseudonymised (not deleted) for the statutory period even after an erasure request |
7. Data Retention
We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by law. The retention periods below are drawn directly from our processing register:
Active account lifetime; anonymised immediately on deletion
Active account + 30-day tombstone; permanently erased after
Raw IPs purged after 90 days; anonymised audit logs retained 3 years
Per third-party processor policy (consent records 2 years)
Not stored by InClasso beyond delivery
7 years from transaction date (statutory obligation)
Until withdrawn; consent record retained 2 years
3 years (required for child safety accountability)
Retained after account deletion to prevent duplicate background-check fees and fraud (GDPR Art. 6(1)(f) legitimate interest). You may object via privacy@inclasso.com or Freelancer Hub settings.
9. Security Measures
Protecting children's data is our highest engineering priority. Key controls include:
- All traffic encrypted with TLS 1.3; HTTPS-only with HSTS
- Authentication uses HttpOnly, Secure cookies — no tokens in localStorage
- Passwords hashed with bcrypt (work factor 12); never stored in plain text
- Eight-layer automated content moderation pipeline (child safety scanned first)
- Role-based access control — staff access is least-privilege and audited
- Database credentials and secrets managed via environment variables; never in code
- Regular penetration testing and dependency vulnerability scanning
- Sentry error monitoring with PII scrubbing before transmission
- Breach notification: we will notify affected users and the ICO within 72 hours of discovering a notifiable breach
11. Your Privacy Rights
Under UK GDPR, EU GDPR, and applicable data protection law, you have the following rights. All rights requests are processed within 30 days (or 3 months for complex cases, with notice within the first month).
Right of access (Art. 15)
Receive a copy of all personal data we hold about you and information about how it is processed.
How: Email privacy@inclasso.com with "Subject Access Request" in the subject line.
Right to rectification (Art. 16)
Correct inaccurate or incomplete personal data.
How: Update via account Settings, or email privacy@inclasso.com.
Right to erasure — "Right to be forgotten" (Art. 17)
Request deletion of your personal data. Financial records are pseudonymised rather than deleted for the 7-year statutory period.
How: Settings → Privacy → Request account deletion. Or email privacy@inclasso.com.
Right to restriction of processing (Art. 18)
Ask us to pause processing of your data while accuracy is contested or an objection is evaluated.
How: Email privacy@inclasso.com.
Right to data portability (Art. 20)
Receive your personal data in a structured, machine-readable format (JSON/CSV), or have it transmitted to another controller.
How: Settings → Privacy → Download my data. Or email privacy@inclasso.com.
Freelance teacher verification registry opt-out
If you are a freelance / substitute teacher, we may retain your email after account deletion solely to avoid charging the background-check fee twice. You may object and request removal of this record.
How: Freelancer Hub → account settings, POST /api/freelancer/verification-registry/opt-out while signed in, or email privacy@inclasso.com.
Right to object (Art. 21)
Object to processing based on legitimate interests (e.g. security monitoring). We will stop unless we demonstrate compelling legitimate grounds.
How: Email privacy@inclasso.com with "Right to Object" in the subject line.
Right to withdraw consent
Withdraw any consent you have given (analytics, marketing emails). Withdrawal does not affect lawfulness of prior processing.
How: Cookie Settings, Notification Preferences, or email privacy@inclasso.com.
Rights related to automated decision-making (Art. 22)
Our automated content moderation can restrict content or accounts. You have the right to request human review of these decisions through our Appeals process.
How: Use the Appeals Centre at inclasso.com/appeal or email appeals@inclasso.com.
We will not charge a fee for exercising these rights unless requests are manifestly unfounded or excessive. We may need to verify your identity before processing a request.
12. Rights of Parents & Guardians
As the parent or legal guardian of a child using InClasso, you may:
- Review all personal information held about your child — email privacy@inclasso.com
- Request deletion of your child's account and all associated data
- Refuse or withdraw consent for any data collection beyond what is strictly necessary to deliver the service
- Consent to our collection of your child's data without consenting to disclosure to third parties
- Appeal any moderation action taken against your child's account — inclasso.com/appeal
- Access activity reports and safety incident notifications through the parent account portal
- Request a copy of your child's data in a portable format
To verify your identity as a parent, we may ask you to confirm details that only you would know from the account registration. We will never ask for government ID numbers by email.
13. International Data Transfers
InClasso is headquartered in the United Kingdom. Our primary infrastructure runs on AWS in the EU/UK region (eu-west-1, eu-west-2). We do not routinely transfer personal data outside the UK/EEA.
Where we engage processors that operate globally (e.g. SendGrid, Sentry, OpenAI):
- We ensure appropriate safeguards are in place — Standard Contractual Clauses (SCCs) or UK International Data Transfer Agreements (IDTAs)
- Data minimisation is applied — only the minimum necessary data is transferred
- OpenAI Moderation API receives text snippets only, never youth PII or identifiable information
14. Complaints & Supervisory Authority
If you have a concern about how we handle your personal data, please contact us first at privacy@inclasso.com. We aim to resolve all complaints within 30 days.
You also have the right to lodge a complaint with your national supervisory authority at any time:
- UK: Information Commissioner's Office (ICO) — ico.org.uk | 0303 123 1113
- EU: Your local Data Protection Authority — edpb.europa.eu/about-edpb/board/members_en
- US (COPPA): Federal Trade Commission — ftc.gov/tips-advice/business-center/privacy-and-security/children's-privacy
15. Contact Us
Registered address: InClasso Ltd, United Kingdom. EU representative details available on request from legal@inclasso.com.
16. Changes to This Policy
We may update this Privacy Policy to reflect changes in the law, our practices, or our service. When we make material changes we will:
- Post the updated policy on this page with a new effective date
- Send an in-app notification and email to all registered users at least 14 days before the change takes effect
- Where a change affects children's data, send a fresh parental consent request where legally required
- Maintain a version history — previous versions are available on request from privacy@inclasso.com
Continued use of InClasso after the effective date constitutes acceptance of the updated policy. If you do not agree, you may request deletion of your account before the effective date.
GET /api/privacy/processing-notice