Privacy Policy

Last updated: 12 June 2026

This Privacy Policy explains how EdTechLab Ltd (company registered in England & Wales) ("we", "us", "our") collects, uses, and protects your personal data when you use intle.co.uk (the "Service"). Intle is a product within the EdTechLab Ltd portfolio.

We act as the data controller for your personal data under the UK General Data Protection Regulation (UK GDPR, as retained in UK law under the European Union (Withdrawal) Act 2018) and the Data Protection Act 2018.

For information about the parent company's privacy practices, see the EdTechLab Privacy Policy.

This document is provided for transparency and should be reviewed by a qualified solicitor before the Service is made commercially available.

1. Data We Collect

1.1 Account Data

When you register, we collect your email address and display name. If you sign in with Google OAuth, we receive your name, email, and profile picture from Google. We also store your chosen plan tier and authentication method.

1.2 Generation Data

When you create content, we store your text prompts and any source files you upload (PDF, DOCX, PPTX, or TXT, up to 10 MB each). We also store the generated content, its detected content type, and generation metadata such as timestamps, status, and content-type classification.

1.3 Usage Data

We collect information about how you use the Service, including pages visited, generation counts, session hosting activity, SCORM downloads, and feature interactions. For public website visitors, we also collect aggregate traffic and engagement data such as page views, referrers, approximate location, device/browser type, and key on-site events (for example, CTA clicks and generator submissions) via Vercel Web Analytics. This data helps us enforce plan limits, understand demand, and improve the product.

1.4 Team & Billing Data

If you join or administer a team, we store team membership, roles, invitation records, and institutional branding settings. Payment information (card details, billing address) is collected and processed directly by Stripe in accordance with PCI DSS requirements; we do not store card numbers on our servers.

1.5 Technical Data

We automatically collect technical information such as IP address, browser type, operating system, and device information through server logs. Application monitoring through Sentry uses our EU project and passes through redaction that drops request bodies and strips sensitive values before events are stored. Hosted session participants may also have their IP address logged for session delivery and abuse prevention purposes.

2. How We Use Your Data

We use your personal data to:

  • Provide, maintain, and improve the Service.
  • Authenticate your identity and manage your account.
  • Process your content generation requests via AI models.
  • Enforce usage limits and plan restrictions.
  • Process payments and manage subscriptions via Stripe.
  • Send transactional emails (e.g. team invitations, magic links, generation notifications) via Resend.
  • Respond to support requests.
  • Detect and prevent fraud, abuse, or violations of our Terms of Service.
  • Monitor application health and diagnose errors (Sentry).
  • Measure website traffic and on-site engagement (Vercel Web Analytics).

We do not sell your personal data. AI API data sent to OpenAI or Anthropic is not used for model training by default under their API/commercial terms unless a customer opts in. Standard provider retention or safety-review windows may still apply. We are confirming the workspace-specific data-control settings and describe the current AI data flow in our AI Transparency page.

3. Legal Basis for Processing

Under Articles 6 and 9 of the UK GDPR, we process your data on the following lawful bases:

  • Contract performance (Article 6(1)(b)) — to provide the Service you signed up for, process generations, manage your account, and fulfil subscription obligations.
  • Legitimate interests (Article 6(1)(f)) — to improve the Service, enforce our Terms, prevent abuse, monitor application health, and maintain security. We have assessed that these interests do not override your fundamental rights and freedoms; you may object to processing on this basis (see Section 8).
  • Legal obligation (Article 6(1)(c)) — for tax records, accounting, and regulatory compliance, including responding to lawful requests from authorities.
  • Consent (Article 6(1)(a)) — where applicable, for optional marketing communications. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

4. Third-Party Processors

We share your data with the following third-party service providers who process data on our behalf under written data processing agreements in accordance with Article 28 of the UK GDPR:

| Provider | Purpose | Data shared | Region | Status | DPA |
|---|---|---|---|---|---|
| Vercel | Application hosting, serverless functions, deployment logs, web analytics, speed insights, and AI SDK transport. | Request metadata, server logs, IP-derived request context, page-view and product-event metadata when analytics consent is granted. | being confirmed | being confirmed | Link |
| Supabase | Authentication, Postgres database, file storage, realtime, and application data layer. | Account data, auth/session data, generation records, uploaded source files, generated outputs, session and analytics tables. | EU - eu-west-1 (Ireland) | verified | Link |
| OpenAI | Primary AI inference for content detection, planning, generation, editing, and repair passes. | Briefs, extracted source-file text, URL text, generated content, prompts, outputs, and generation metadata needed to provide the request. | being confirmed | being confirmed | Link |
| Anthropic | Fallback AI inference for generation resilience and selected repair/fallback paths. | The same AI payload categories as OpenAI when the fallback path is used: prompts, extracted source text, generated content, and outputs. | being confirmed | being confirmed | Link |
| Stripe | Payment processing, subscription management, invoicing, and tax records. | Billing contact details, Stripe customer/subscription identifiers, invoice metadata, payment status, and plan information. Card data is handled by Stripe, not stored by intle. | being confirmed | being confirmed | Link |
| Resend | Transactional email delivery and deliverability webhooks. | Email addresses, email content, delivery status, bounce metadata, and transactional notification context. | being confirmed | being confirmed | Link |
| Upstash | Redis-backed burst rate limiting for abuse prevention and fair-use controls. | Short-lived rate-limit keys derived from user IDs, participant/session identifiers, routes, and IP-derived keys where applicable. | being confirmed | being confirmed | Link |
| Cloudflare Turnstile | Bot and abuse prevention on sign-in, sign-up, and contact flows. | Challenge tokens and browser/device/network signals used to distinguish human users from automated abuse. | being confirmed | being confirmed | Link |
| Sentry | Error monitoring, performance diagnostics, and masked error-only replay where consent allows replay. | Error events, traces, redacted breadcrumbs, opaque user IDs, masked replay data, and operational diagnostics. Request bodies are dropped by intle redaction. | EU - Germany | verified | Link |
| Inngest | Background job orchestration for AI generation, email dispatch, billing follow-ups, and scheduled maintenance jobs. | Generation job metadata, user/team identifiers needed for job routing, status events, retries, and operational job logs. | being confirmed | being confirmed | Link |

We do not share your personal data with any third party for their own marketing or advertising purposes. The same source data drives our public Sub-processors page.

5. International Data Transfers

Our primary database, authentication, and storage layer is verified in Supabase eu-west-1, and Sentry is verified in its EU region. AI inference is processed outside the UK/EU by default, and several other processor regions are still being confirmed. When personal data is transferred outside the United Kingdom or European Economic Area, we ensure appropriate safeguards are in place in accordance with Chapter V of the UK GDPR, including:

  • UK adequacy regulations — where the UK Secretary of State has made an adequacy decision for the recipient country under Section 17A of the Data Protection Act 2018.
  • UK International Data Transfer Agreement (UK IDTA) or EU Standard Contractual Clauses with the UK Addendum — where adequacy does not apply, we rely on contractual safeguards approved by the ICO to ensure your data receives equivalent protection.

Where required, we conduct Transfer Risk Assessments to evaluate the legal framework in the recipient country and the supplementary measures applied by each processor. Rows marked “being confirmed” in our processor list do not yet have a public region claim.

6. Cookies & Local Storage

In accordance with the Privacy and Electronic Communications Regulations 2003 (PECR), we use the following cookies and browser storage mechanisms:

  • Strictly necessary cookies and storage - authentication cookies (set by Supabase to maintain your signed-in session), our session-security cookie, your saved preferences (such as theme), and the cookie that records your consent choices. These are strictly necessary for the Service to function and do not require consent under PECR Regulation 6(4).
  • Performance & analytics (consent-based) - with your opt-in consent we use Vercel Web Analytics, Vercel Speed Insights, our own first-party page-view counter, and Sentry session replay (error investigation only, fully masked). None of these run until you accept them in the cookie banner, and “Reject all” leaves the Service fully functional.

We do not use advertising cookies, third-party tracking cookies, or behavioural profiling. Your choices are stored in a first-party cookie for six months, after which we ask again; we also keep a time-stamped record of consents and withdrawals (with hashed identifiers only) as required by ICO guidance. You can change your decision at any time via “Cookie preferences” in the footer. The full inventory of every cookie and storage key we use — including durations and justifications — is in our Cookie Policy.

7. Data Retention

We retain personal data only for as long as necessary for the purpose collected:

  • Account data — retained while your account is active. Upon account deletion, personal data is removed within 30 days, except where retention is required by law.
  • Generation data (prompts, content, uploaded files) — retained while your account is active and for 90 days after account deletion to allow recovery, after which it is permanently deleted.
  • Billing records — retained for 7 years to comply with HMRC requirements under the Value Added Tax Act 1994 and the Companies Act 2006.
  • Server and error logs — retained for up to 90 days for operational diagnostics and security monitoring.
  • Support correspondence — retained for 24 months after resolution, or longer if required to defend legal claims.

8. Your Rights Under UK GDPR

Under the UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data:

  • Access (Article 15) — request a copy of the personal data we hold about you.
  • Rectification (Article 16) — ask us to correct inaccurate or incomplete data.
  • Erasure (Article 17) — ask us to delete your personal data ("right to be forgotten"), subject to any legal obligations requiring retention.
  • Restriction (Article 18) — ask us to restrict processing of your data in certain circumstances, for example while we verify accuracy.
  • Data portability (Article 20) — request your data in a structured, commonly used, machine-readable format (e.g. JSON or CSV).
  • Objection (Article 21) — object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
  • Withdraw consent (Article 7(3)) — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
  • Automated decision-making (Article 22) — you have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. The Service uses AI for content generation but does not make automated decisions about your access, pricing, or legal rights.

To exercise any of these rights, email us at admin@intle.co.uk. We will respond within one calendar month from receipt of your request, as required by Article 12(3) of the UK GDPR. We will not charge a fee unless the request is manifestly unfounded or excessive.

9. Data Security

We implement appropriate technical and organisational measures to protect your data as required by Article 32 of the UK GDPR, including:

  • Encryption in transit (TLS 1.2+) for all connections.
  • Encryption at rest for stored data in Supabase eu-west-1.
  • Row-level security (RLS) policies on our database ensuring users can only access their own data.
  • Access controls and least-privilege principles for internal systems.
  • Rate limits on AI generation, editing, uploads, tracking, contact, and session-response routes.
  • Magic-byte upload checks, decompression-bomb limits, and SSRF guards for user-supplied URLs.
  • CSRF Origin/Sec-Fetch checks for state-changing API requests.
  • HMAC-signed participant cookies for hosted-session participant endpoints.
  • Application error monitoring via Sentry EU with redaction and request-body dropping.

No method of electronic transmission or storage is 100% secure. In the event of a personal data breach, we will notify the Information Commissioner's Office within 72 hours where the breach is likely to result in a risk to individuals' rights and freedoms, as required by Article 33 of the UK GDPR. Where the breach is likely to result in a high risk, we will also notify affected individuals without undue delay under Article 34.

10. Children's Privacy

The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. The age threshold of 16 aligns with the UK's implementation of Article 8 of the UK GDPR for information society services, as specified in Section 9 of the Data Protection Act 2018.

If you believe a child under 16 has provided us with personal data, please contact us immediately and we will take steps to delete it. We are mindful of the ICO's Age Appropriate Design Code (Children's Code) and will assess its applicability as the Service evolves.

11. Data Protection Officer

EdTechLab Ltd is not currently required to appoint a Data Protection Officer under Article 37 of the UK GDPR, as our core activities do not involve large-scale processing of special category data or large-scale regular and systematic monitoring of individuals. If this changes, we will appoint a DPO and update this policy accordingly.

In the meantime, privacy enquiries should be directed to admin@intle.co.uk.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email and by posting the updated policy on this page with a revised "Last updated" date. Where changes materially affect how we process your data, we will provide at least 30 days' notice and, where required, seek your renewed consent.

13. Complaints & Supervisory Authority

If you are not satisfied with our response to a privacy request, or you believe we are processing your personal data in a way that is not compliant with UK data protection law, you have the right to lodge a complaint with the United Kingdom's supervisory authority:

We encourage you to contact us first at admin@intle.co.uk so we can try to resolve your concern before you escalate to the ICO.

14. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights: