Privacy Policy

InClasso Ltd ("InClasso", "we", "our", "us") is the data controller for personal data processed through the InClasso platform — an educational social platform designed for school-age children and young people aged 8–17.

Our registered address and Data Protection Officer details are listed in Section 15. Where InClasso processes personal data on behalf of a school or institution, it does so as a data processor under a separate Data Processing Agreement (DPA) with that institution as the controller.

This Privacy Policy applies to all personal data collected through:

• The InClasso web platform at inclasso.com
• The InClasso mobile applications (iOS and Android)
• API services consumed by third-party developers under a developer agreement
• Email and other communications with InClasso

It applies to all user categories: youth accounts (including those under 13), parent / guardian accounts, teacher accounts, institution administrators,creators, and developers.

Account data

• Full name and display name
• Email address (and parent / guardian email for accounts under 13)
• Date of birth (used to apply the correct age-gating controls)
• Hashed password (we never store passwords in plain text)
• School name and grade (for youth accounts enrolled via an institution)

Content & activity data

• Posts, comments, chat messages, and uploaded media
• Reactions, follows, and social graph connections
• Quiz and learning activity results (stored under the institution's DPA)
• Moderation incident records (created when content is flagged)
• Appeal submissions and their outcomes

Technical & security data

• IP address at registration and on login (raw IPs purged after 90 days)
• Browser user-agent string
• Session identifiers stored in HttpOnly cookies
• Failed login attempts and security audit events
• Error traces submitted to Sentry (anonymised before transmission)

Payment data

• We do not store full card numbers or CVV codes
• Payment processing is handled by Stripe — we store only pseudonymised references
• Transaction amounts, dates, and subscription tier are retained for 7 years for statutory accounting

Data we do NOT collect

We only process personal data for the purposes described below. Each purpose has a documented lawful basis — see Section 6 and the full processing register table for the detail.

• Creating and maintaining your account and authenticating your identity
• Delivering educational content, quizzes, and social features
• Keeping the platform safe — detecting and preventing abuse, grooming, hate speech, spam, and illegal content through our 8-layer automated content moderation pipeline
• Notifying you of safety incidents, password resets, account actions, and erasure confirmations
• Enabling schools to manage classrooms, track progress, and communicate with parents under a DPA
• Improving the platform through anonymised analytics (only with your explicit consent)
• Complying with our legal obligations — including COPPA, UK GDPR, EU GDPR, and statutory financial reporting
• Processing and responding to moderation appeals

Verifiable parental consent

Before any child under the applicable age threshold can create a InClasso account, we require verifiable parental consent (COPPA § 312.5). This means:

• A parent or guardian provides their email address during registration
• An email confirmation link is sent to the parent's email — the link expires in 48 hours
• The account is held in a "pending parental consent" state until confirmed
• No personal data from the child is used for any purpose until consent is confirmed

What data we collect from children under 13

• First and last name
• Email address (used only for account authentication)
• Date of birth (age-gating only)
• Parent or guardian email address (for consent verification and safety notifications)
• School name (optional, for institution-linked accounts)

We collect no more information than is reasonably necessary to provide the service to the child (COPPA § 312.7).

No targeted advertising to children

We do not serve behavioural or targeted advertising to any user under 13. Analytics for children's accounts are anonymised and used only for platform safety and improvement — never for commercial profiling (COPPA § 312.7(b)).

Parental rights (COPPA)

Parents and guardians of children under 13 may at any time:

• Review all personal information we hold about their child — email privacy@inclasso.com
• Refuse further collection or use of their child's data — withdraw consent in the parent account portal
• Request deletion of their child's account and all associated data — Settings → Privacy → Request deletion
• Consent to collection without consenting to disclosure to third parties

Requests are processed within 30 days. Identity verification may be required to protect the child.

Data retention for children

Youth account data is retained only for as long as the account is active. Upon an erasure request (or withdrawal of parental consent), the account is soft-deleted immediately and permanently erased within a 30-day tombstone window. Financial records relating to subscription payments are pseudonymised rather than deleted for the 7-year statutory period.

The table below is generated from our internal GDPR Art. 13/14 processing register (machine-readable version available at GET /api/privacy/processing-notice).

We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by law. The retention periods below are drawn directly from our processing register:

We share data only in the following circumstances:

Service providers (data processors)

We engage the following categories of processors under written data processing agreements (DPAs) that prohibit them from using data for their own purposes:

• Email delivery — SendGrid (transactional) and Mailchimp (marketing, consent-only)
• Error monitoring — Sentry (anonymised traces only)
• Payment processing — Stripe (no card data stored by InClasso)
• Cloud infrastructure — AWS (data hosted in the EU / UK)
• Content moderation AI — OpenAI Moderation API (text snippets only, not youth PII)

Schools and institutions

Where InClasso is used as a school platform, the institution is a separate data controller. InClasso processes student data on behalf of the institution under a DPA and the institution's own privacy notice. Parents should contact the school for the institution's privacy policy.

Law enforcement and safeguarding

We may disclose data without prior notice where required by law, court order, or where we believe it is necessary to protect the safety of a child or prevent serious harm. In the case of child exploitation material (CSAM), we are legally required to report to the National Center for Missing & Exploited Children (NCMEC) and relevant authorities without delay.

Business transfers

If InClasso is acquired or merged with another entity, your data may be transferred as part of that transaction. You will be notified and can request deletion before any transfer occurs.

Protecting children's data is our highest engineering priority. Key controls include:

• All traffic encrypted with TLS 1.3; HTTPS-only with HSTS
• Authentication uses HttpOnly, Secure cookies — no tokens in localStorage
• Passwords hashed with bcrypt (work factor 12); never stored in plain text
• Eight-layer automated content moderation pipeline (child safety scanned first)
• Role-based access control — staff access is least-privilege and audited
• Database credentials and secrets managed via environment variables; never in code
• Regular penetration testing and dependency vulnerability scanning
• Sentry error monitoring with PII scrubbing before transmission
• Breach notification: we will notify affected users and the ICO within 72 hours of discovering a notifiable breach

We use the following categories of cookies. You can manage your preferences at any time via the Cookie Settings panel in the footer.

We do not use third-party advertising cookies. We do not share cookie data with social media platforms.

Under UK GDPR, EU GDPR, and applicable data protection law, you have the following rights. All rights requests are processed within 30 days (or 3 months for complex cases, with notice within the first month).

We will not charge a fee for exercising these rights unless requests are manifestly unfounded or excessive. We may need to verify your identity before processing a request.

As the parent or legal guardian of a child using InClasso, you may:

• Review all personal information held about your child — email privacy@inclasso.com
• Request deletion of your child's account and all associated data
• Refuse or withdraw consent for any data collection beyond what is strictly necessary to deliver the service
• Consent to our collection of your child's data without consenting to disclosure to third parties
• Appeal any moderation action taken against your child's account — inclasso.com/appeal
• Access activity reports and safety incident notifications through the parent account portal
• Request a copy of your child's data in a portable format

To verify your identity as a parent, we may ask you to confirm details that only you would know from the account registration. We will never ask for government ID numbers by email.

InClasso is headquartered in the United Kingdom. Our primary infrastructure runs on AWS in the EU/UK region (eu-west-1, eu-west-2). We do not routinely transfer personal data outside the UK/EEA.

Where we engage processors that operate globally (e.g. SendGrid, Sentry, OpenAI):

• We ensure appropriate safeguards are in place — Standard Contractual Clauses (SCCs) or UK International Data Transfer Agreements (IDTAs)
• Data minimisation is applied — only the minimum necessary data is transferred
• OpenAI Moderation API receives text snippets only, never youth PII or identifiable information

If you have a concern about how we handle your personal data, please contact us first at privacy@inclasso.com. We aim to resolve all complaints within 30 days.

You also have the right to lodge a complaint with your national supervisory authority at any time:

• UK: Information Commissioner's Office (ICO) — ico.org.uk | 0303 123 1113
• EU: Your local Data Protection Authority — edpb.europa.eu/about-edpb/board/members_en
• US (COPPA): Federal Trade Commission — ftc.gov/tips-advice/business-center/privacy-and-security/children's-privacy

Registered address: InClasso Ltd, United Kingdom. EU representative details available on request from legal@inclasso.com.

We may update this Privacy Policy to reflect changes in the law, our practices, or our service. When we make material changes we will:

• Post the updated policy on this page with a new effective date
• Send an in-app notification and email to all registered users at least 14 days before the change takes effect
• Where a change affects children's data, send a fresh parental consent request where legally required
• Maintain a version history — previous versions are available on request from privacy@inclasso.com

Continued use of InClasso after the effective date constitutes acceptance of the updated policy. If you do not agree, you may request deletion of your account before the effective date.