Privacy Policy

1. Introduction

Inlay's mission is to help teachers plan and manage lessons and classroom organization efficiently. Protecting your privacy is fundamental to our mission and business. This Privacy Policy applies to the Inlay Service provided to teachers and school administrators, available through our websites at inlay.sh, the Inlay applications, and any other online or offline offerings (collectively "the Inlay Service", "the Service", "Inlay", "we", "us", or "our"). The primary users of the Inlay Service are teachers and school administrators, who create accounts and use the platform to manage classrooms, subjects, units, and lessons. Inlay is a lesson management tool; we do not collect, store, or process personal information about students. This policy explains how we collect, use, and protect personal information when you create an account ("Account Information") and when you use the platform to manage your teaching content ("Lesson Management Data").

In order to use the Inlay Service, you must create an account and agree to our Terms of Service.

1.1 Identity of Data Controller

Inlay Applications
Yakushintsi, Sadova 65
Vinnytsia, Ukraine

Privacy Contact: privacy@inlay.sh
Support: team@inlay.sh

EU Representative (GDPR Art 27): Inlay is established outside the European Union. As required by GDPR Article 27, we are in the process of appointing a named EU/EEA representative. Until that appointment is complete, EU/EEA residents may direct inquiries to privacy@inlay.sh and we will respond within the required timeframes. We will update this section with the representative's name and address once appointed.
Data Protection Officer: Inlay is not required to appoint a Data Protection Officer under GDPR. For all privacy inquiries, including requests to exercise your rights, please contact us at privacy@inlay.sh.

2. Who does Inlay collect information from?

We collect information from individuals who create accounts on Inlay, which includes teachers and school administrators as the account holders ("you"). We do not offer accounts to students and do not collect personal information about students through the Service.

3. How does Inlay obtain my information?

We receive information from the information that you provide, from your device(s), and from third-party services. The categories of sources from which we've collected or received information include:

• You: We collect the content, communications, and other information you provide when you create an account, build lesson plans, or otherwise use Inlay.
• Your device(s): We collect information from and about the computers, phones, and other web-connected devices you use to access Inlay.
• Third-Parties: When you create an Inlay account using a third-party single sign-on service (e.g. Google OAuth), we access the name, profile picture, and email address provided by these services, subject to the data sharing preferences you have set with respect to that third-party service.

4. What information does Inlay collect?

We intentionally limit our data collection to only what we need to provide the Inlay service for you. Through our provision of the Inlay Service, we may collect the following information:

Account Information

When you create an account on Inlay we collect your name, email address, password, and optional profile picture. Inlay may also collect your phone number if you enter it in your Account Settings.

Users can make changes to their profile and other account details in Account Settings.

Lesson Management Data

Teachers and administrators use Inlay to create and manage teaching content. This may include:

• Classroom names and organization
• Subjects, units, and lesson plans
• Lesson content, schedules, and related notes you enter
• Settings and preferences for your classrooms and content

This data is created and controlled by you. It is not student personal information and is not used to identify or profile individual students.

Communications

Inlay collects any information you send to us directly, such as email, support tickets, or chat communications, or through your responses to our optional surveys.

Information from your Google Account or other Third-Party Sign-in Service

Inlay allows school administrators and teachers to sign up for and log into our service using a Google Account. When you create an Inlay account using one of these Third-Party Services, we receive the name, profile picture, email address and other information (if available) provided by these services, subject to the data sharing preferences you have set with those third-party services. Inlay does not share your personal information with these services.

Account Usage and Log Data

When you use Inlay or visit our website, we collect information about your use of the Service, such as pages visited, amount of time spent on the Service, actions (e.g., views, edits, classroom access) and similar information about your interactions with Inlay. We also collect log data which includes information about your browser or device, such as your IP address, cookie identifiers, browser type, operating system, device information and identifiers, and your mobile carrier.

5. How does Inlay use this information?

We use this information to:

• Allow you to access and use the Service by verifying your identity and storing your account and lesson management data.
• Provide support to teachers and school administrators.
• Provide school administrators with information about how Inlay is performing in their school(s).
• If you've enabled notifications, notify you about activity on and updates to your account.
• Research, understand, and analyze user trends to improve and develop new features for our products and services.
• Promote and advertise the Services and enhancements to Inlay relevant for teachers and schools.
• Investigate, prevent, and detect activities on our service that we believe may violate the law, applicable regulations, or Inlay policies. We may, at the request of a school, investigate accounts to determine whether they comply with school policies.

5.1 Legal Basis for Processing (GDPR)

Under GDPR, we process personal information based on the following legal grounds:

• Contract Performance: Processing necessary to provide the Inlay Service under our Terms of Service (account management, service delivery, customer support)
• Legal Obligation: Compliance with applicable laws, tax requirements, and responding to lawful requests
• Consent: Marketing communications and optional analytics (which can be withdrawn at any time)
• Legitimate Interests: Fraud prevention, security, and service improvement (only where not overridden by data subject rights)

5.2 Requirement to Provide Data (GDPR Art 13(2)(e))

Where we need your personal data to perform our contract with you (e.g. account and email to provide the Inlay Service) or to comply with a legal obligation, you must provide it. If you do not provide that data, we will not be able to provide the Service or fulfil our obligations. Other information is optional: for example, optional profile fields (e.g. phone number, profile picture), marketing preferences, and optional analytics. You can withdraw consent for marketing and optional features at any time in Account Settings or via the unsubscribe link in our emails.

5.3 Automated Decision-Making and Profiling (GDPR Art 13(2)(f), 22)

Inlay does not use automated decision-making (including profiling) that produces legal effects concerning you or similarly significantly affects you. If we introduce such processing in the future, we will inform you and respect your rights under GDPR Article 22.

6. Does Inlay allow third-party advertising or share user data for advertising third-party products?

No. Our business model is straightforward: we charge for subscriptions that provide access to our lesson management features and we have no interest in advertising third-party products or services within the Inlay Service. We do not allow third-party advertisers or data brokers to collect information about our users' use of the Inlay Service for their own purposes, nor do we share such information or personally identifiable information with third parties for their own advertising or marketing purposes.

We also do not allow in-app purchases or advertising within the lesson management platform.

We do not track users across other applications or services, and we do not use data collected through the Inlay Service for cross-app or cross-site tracking.

7. In what limited circumstances may Inlay need to share my information?

Recipients of your personal data fall into the following categories: cloud and infrastructure providers, payment processors, and (when required by law) courts and law enforcement. We share data with third parties only in the limited circumstances detailed below:

• We share information within Inlay in accordance with the functionality of the Service (e.g., with school administrators in your organization when you grant access).
• We may provide school administrators with information about how Inlay is performing in their school(s).
• Inlay may disclose your information to a third party to comply with applicable laws or regulations, or a valid legal request – including to meet national security or law enforcement requirements. If we are compelled to release your data, we will do our best to provide you with advance notice by email, unless we are prohibited from doing so by law.
• We use a small number of third-party service providers in order to operate and improve Inlay. These include:
  • Supabase — cloud database and infrastructure hosting
  • Vercel — web hosting and deployment
  • Stripe — payment processing for subscription billing
  • Vercel Analytics & PostHog — usage analytics (marketing website only; see Section 9)
  Each provider is contractually obligated to meet our strict security standards, maintain the accuracy of the data they receive, and use information only for the purpose of providing or supporting the Inlay Service.
• We may disclose or transfer your Account Information and Lesson Management Data in connection with the sale, merger, bankruptcy, sale of assets, or reorganization of our company. You will be notified via email or some other means as required by law of any change in ownership or uses of your Personal Information, as well as any choices you may have regarding your information (including the right to delete your information). The promises in this Privacy Policy will apply to your data as transferred to the new entity. If Inlay goes out of business without a successor, Inlay will delete your information.

8. Do you work with third-party analytics services?

Inlay is constantly improving, and we use aggregate data about how Inlay is used — for example what features teachers use or what pages you visit — to inform those decisions.

We use two third-party analytics services, for improvement only (not for advertising):

• Vercel Analytics — page views and clicks, to understand how our sites are used and to improve performance.
• PostHog — usage and feature analytics (e.g. which pages and features are used), to improve our product and user experience.

Both collect aggregate, non-advertising data. We do not use this data for advertising, third-party marketing, or targeted ads. Analytics run only on our marketing website; the lesson management platform does not use third-party analytics or tracking.

Optional marketing cookies described in this policy apply only to our marketing website (inlay.sh), not to the product used by teachers and schools.

9. How do you use cookies?

Cookies are small text files that we transfer to your web browser that allow us to identify your web browser and store information about your account. We use cookies to keep you logged into Inlay, customize your Inlay experience, and understand how you use Inlay. We do not use third party cookies within the Inlay Service for targeted advertising purposes. You can choose to remove or disable cookies via your browser settings. Please be aware that Inlay may not work properly if you disable or decline all cookies. See our Cookie Policy for more information.

9.1 Do Not Track (DNT) Signals

Some browsers offer a "Do Not Track" (DNT) signal to indicate that a user does not want to be tracked across websites. Because there is no universally accepted standard for how websites should respond to DNT signals, Inlay does not currently alter its data collection practices in response to DNT browser signals. We rely instead on the limited, purpose-bound data collection described in this policy. You can limit data collection through your browser's cookie settings or by opting out of optional analytics as described in Section 8.

10. How to View, Correct, Edit, Export, or Update Your Personal Information

You have the right to access, correct, or download for transport to a similar service any of your Personal Information collected by Inlay, where permitted under applicable law. If you are a teacher or school administrator, you can update the information associated with your Inlay account directly by logging into your Inlay account and viewing the Account Settings section.

Teachers and school administrators can export their lesson management data from the Platform at any time in standard formats (CSV, Excel) where the product supports export.

11. Account Retention And Termination

Teachers and administrators may close or request to delete their accounts through Account Settings or by contacting privacy@inlay.sh. If you request that your account or any content be deleted, Inlay may still retain information for a limited period as needed to provide customer support and prevent accidental deletion, or as required or permitted by law. If you terminate your account, all of your data will be unavailable to you immediately.

11.1 Data Retention Schedule

The schedule below specifies why we retain each category and for how long.

• Active User Accounts: Retained while the account is active and in use, to provide the Service.
• Inactive Accounts: 2 years of inactivity, then account flagged for deletion; reason: to allow re-activation while avoiding indefinite retention.
• Lesson Management Data: Retained while your account is active and for up to 30 days after account deletion (grace period for recovery), unless you request earlier deletion.
• Deleted Accounts: 30-day grace period to recover, then permanent deletion
• Technical Logs: 90 days for security and debugging purposes
• Support Tickets: 3 years for quality assurance and legal compliance
• Billing Records: 7 years (legal requirement for tax purposes)
• Marketing Consent: Until withdrawn or 2 years of inactivity

After the retention period expires, data is either permanently deleted or anonymized so it can no longer identify individuals.

If your school or organization ends their subscription with Inlay and requests deletion of data, we will delete associated account and lesson data within 30 days unless retention is required by law.

Please note: We may not be able to immediately or completely delete all data in response to a deletion request, such as information retained in technical support records, customer service records, backups, and other similar business records. We will not be required to delete any information which has been de-identified or disassociated with personal identifiers such that the remaining information cannot reasonably be used to identify a particular individual.

Inlay reserves the right to suspend or permanently delete accounts that have not been accessed by the account holder and appear to have been abandoned. Prior to permanently deleting an abandoned account, Inlay will attempt to notify the account holder by email.

12. How does Inlay keep your data safe?

Inlay takes protecting your security and privacy seriously and we've put a number of measures in place to protect the integrity of your information, including:

12.1 Technical Safeguards

• Encryption: TLS 1.3 for data in transit, AES-256 for sensitive data at rest
• Access Controls: Role-based access with principle of least privilege
• Authentication: Multi-factor authentication (MFA) for administrative accounts
• Network Security: Firewalls, intrusion detection systems, DDoS protection
• Data Centers: Access-controlled, SOC 2 certified facilities

12.2 Administrative Safeguards

• Written information security program: We maintain a written information security program designed to protect personal information, including regular testing and monitoring of our safeguards.
• Regular employee privacy and security training
• Background checks for employees with data access
• Confidentiality agreements for all staff
• Incident response and breach notification procedures
• Regular third-party security audits
• Vendor due diligence and data processing agreements

12.3 Data Breach Notification

In the event of a security breach that affects personal information, we will:

• Notify Affected Users: Within 72 hours of discovery where required by applicable law (including GDPR)
• Notify Affected Individuals: Promptly if high risk to rights and freedoms
• Report to Authorities: As required by applicable law
• Provide Details: Nature of breach, data affected, steps taken, recommendations

You can report security concerns to security@inlay.sh.

13. Changes to Our Privacy Policy

Inlay may from time to time make changes to this Privacy Policy to account for changes to our practices or applicable law. The "Last Updated" date at the top of this policy indicates when this Policy was last revised.

Non-material changes (such as clarifications, corrections, or administrative updates) take effect when posted. Your continued use of the Services after such changes constitutes acceptance.

Material changes — meaning changes that affect how we collect, use, or share your personal data in a way that differs meaningfully from what was disclosed when the data was collected — will be communicated to you directly before they take effect (for example, by email or an in-app notice). Where required by GDPR or other applicable law, we will obtain fresh consent for material changes rather than relying on continued use. You will have a meaningful opportunity to review the changes and, where relevant, to delete your data if you do not accept them.

13.1 Change Log

• v1.0 — February 19, 2026: Initial policy published.
• v1.1 — March 15, 2026: Prior version included student-data and school-privacy provisions.
• v2.0 — May 23, 2026: Updated to reflect that Inlay is a lesson management platform for teachers only; removed COPPA, FERPA, student data, Parent Portal, and related sections; reframed data collection around account and lesson management data.

14. International Data Transfers

Our Services are operated from Ukraine. If you access our Services from outside Ukraine, your information may be transferred to, stored, and processed in Ukraine or other countries where our service providers operate.

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we ensure appropriate safeguards are in place for international data transfers, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions where applicable
• Appropriate technical and organizational measures to protect data

Where personal data is transferred internationally, we rely on the appropriate safeguards listed above — in particular Standard Contractual Clauses — rather than on user consent as a transfer mechanism. These safeguards ensure your data receives equivalent protection to that required in your country of residence, regardless of where it is processed.

15. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

15.1 GDPR Rights (EU/EEA Users)

• Right to Access: Request a copy of your personal data
• Right to Rectification: Correct inaccurate information
• Right to Erasure: Request deletion of your data (see Section 15.1.1)
• Right to Restrict Processing: Limit how we use your data
• Right to Data Portability: Receive your data in machine-readable format
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: You may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal nor processing based on other legal grounds. Withdraw marketing consent in Account Settings or via the unsubscribe link in our emails.
• Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in your country of residence, place of work, or place of the alleged infringement. You can find your EU/EEA authority in the EDPB list of supervisory authorities; for the UK, see the Information Commissioner's Office (ICO).

15.1.1 Right to Erasure ("Right to be Forgotten", GDPR Art 17)

You have the right to obtain erasure of your personal data without undue delay and we will respond in any event within one month. You can make a request verbally or in writing to any of our contacts (e.g. privacy@inlay.sh or support). The right applies in particular when: the data is no longer necessary for the purposes for which it was collected; you withdraw consent (where consent was the basis); you object to processing and there is no overriding legitimate interest; the data has been unlawfully processed; we must erase the data to comply with a legal obligation. This right is not absolute: we may retain data where necessary for legal obligations, legal claims, or other exceptions under GDPR Article 17(3). We may charge a reasonable fee or refuse a request only if it is manifestly unfounded or excessive (GDPR Art 12(5)).

15.2 CCPA/CPRA Rights (California Users)

California residents have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to Know: What personal information is collected about you, how it is used, and with whom it is shared
• Right to Delete: Request deletion of your personal information, subject to certain exceptions
• Right to Correct: Request correction of inaccurate personal information we maintain about you
• Right to Opt-Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioral advertising. You therefore have nothing to opt out of, but you may contact us at privacy@inlay.sh to confirm this at any time.
• Right to Limit Use of Sensitive Personal Information: You may request that we limit our use of sensitive personal information to only what is necessary to provide the Service.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights — you will receive the same quality of service regardless of your privacy choices.

15.3 How to Exercise Your Rights

To exercise any of these rights, please contact us at privacy@inlay.sh. Under GDPR we will respond within one month of receiving your request. Where a request is complex or you have made several requests, we may extend the period by up to two further months; we will inform you of any extension and the reasons within the first month. Under CCPA we will respond within 45 days. We may need to verify your identity before processing your request.

16. Contact Information

If you have any questions or feedback about this Privacy Policy, please contact us:

• Privacy inquiries: privacy@inlay.sh
• Security concerns: security@inlay.sh
• Support: team@inlay.sh
• Address: Inlay Applications, Yakushintsi, Sadova 65, Vinnytsia, Ukraine