Privacy Policy
Last updated: 13 July 2026
This Privacy Policy explains how EDTECHLAB LTD (company 17103855, registered in England and Wales) ("we", "us", "our") collects, uses, and protects your personal data when you use intle.co.uk(the "Service"). Intle is a product within the EDTECHLAB LTD portfolio.
We act as the data controller for account, billing, security, support and our own analytics or marketing processing. When an organisation or session creator decides why and how participant names, emails and responses are collected, that organisation or creator is normally the controller and we process the participant data on its instructions. Our Data Processing Addendum supplies the standard UK GDPR Article 28 terms for that processing unless a signed customer agreement replaces it. These roles are governed by the UK General Data Protection Regulation (UK GDPR, as retained in UK law under the European Union (Withdrawal) Act 2018) and the Data Protection Act 2018.
For information about the parent company's privacy practices, see the EdTechLab Privacy Policy.
Our registered office is 167-169 Great Portland Street, London, England, W1W 5PF. Verify the current company record at Companies House.
Data We Collect
1.1 Account Data
When you register, we collect your email address and display name. If you sign in with Google OAuth, we receive your name, email, and profile picture from Google. We also store your chosen plan tier, authentication method, professional role, and your optional answer about who you create training for. You can edit that onboarding answer in Settings; we use it to tailor product guidance and analyse demand.
1.2 Generation Data
When you create content, we store your text prompts and any source files you upload (PDF, DOCX, PPTX, or TXT, up to 10 MB each). We also store the generated content, its detected content type, and generation metadata such as timestamps, status, and content-type classification.
1.3 Usage Data
We collect information about how you use the Service, including pages visited, generation counts, session hosting activity, SCORM downloads, and feature interactions. For public website visitors, we also collect aggregate traffic and engagement data such as page views, referrers, approximate location, device/browser type, and key on-site events (for example, CTA clicks and generator submissions) via Vercel Web Analytics. This data helps us enforce plan limits, understand demand, and improve the product.
1.4 Team & Billing Data
If you join or administer a team, we store team membership, roles, invitation records, and institutional branding settings. Payment information (card details, billing address) is collected and processed directly by Stripe in accordance with PCI DSS requirements; we do not store card numbers on our servers.
1.5 Campaign Attribution & Advertising Data
If you opt in to marketing cookies, we record consented campaign details such as the referring page, landing page, UTM parameters and Google click identifiers (including GCLID, GBRAID or WBRAID where present). The Google Ads tag may then process page-view, browser/device, ad-click and paid-subscription conversion data (plan, value, currency and a transaction identifier) for conversion measurement and eligible remarketing audiences. We do not send your email address, generated content or uploaded source files in these conversion events.
1.6 Technical Data
We automatically collect technical information such as IP address, browser type, operating system, and device information through server logs. Application monitoring through Sentry uses our EU project and passes through redaction that drops request bodies and strips sensitive values before events are stored. Hosted session participants may also have their IP address logged for session delivery and abuse prevention purposes.
How We Use Your Data
We use your personal data to:
- Provide, maintain, and improve the Service.
- Authenticate your identity and manage your account.
- Process your content generation requests via AI models.
- Enforce usage limits and plan restrictions.
- Process payments and manage subscriptions via Stripe.
- Send transactional emails (e.g. team invitations, magic links, generation notifications) via Resend.
- Respond to support requests.
- Detect and prevent fraud, abuse, or violations of our Terms of Service.
- Monitor application health and diagnose errors (Sentry).
- Measure website traffic and on-site engagement (Vercel Web Analytics).
- With your consent, attribute subscriptions to advertising, measure Google Ads conversions and build eligible remarketing audiences.
We do not sell your personal data. AI API data sent to OpenAI or Anthropic is not used for model training by default under their API/commercial terms unless a customer opts in. Standard provider retention or safety-review windows may still apply. We are confirming the workspace-specific data-control settings and describe the current AI data flow in our AI Transparency page.
Legal Basis for Processing
Under Articles 6 and 9 of the UK GDPR, we process your data on the following lawful bases:
- Contract performance (Article 6(1)(b)) — to provide the Service you signed up for, process generations, manage your account, and fulfil subscription obligations.
- Legitimate interests (Article 6(1)(f)) — to improve the Service, enforce our Terms, prevent abuse, monitor application health, and maintain security. We have assessed that these interests do not override your fundamental rights and freedoms; you may object to processing on this basis (see Section 8).
- Legal obligation (Article 6(1)(c)) — for tax records, accounting, and regulatory compliance, including responding to lawful requests from authorities.
- Consent (Article 6(1)(a)) — for optional analytics, Google Ads conversion measurement and eligible remarketing, campaign attribution, and optional marketing communications. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
Third-Party Processors
We use the following third-party providers to deliver the Service. Where a provider processes personal data on our behalf, we require Article 28 terms before the relevant production processing. The table distinguishes verified facts from contract or region details still being confirmed; a public DPA link is not, by itself, evidence that our workspace-specific agreement has been executed:
| Provider | Purpose | Data shared | Region | Status | DPA |
|---|---|---|---|---|---|
| Vercel | Application hosting, serverless functions, deployment logs, web analytics, speed insights, and AI SDK transport. | Request metadata, server logs, IP-derived request context, page-view and product-event metadata when analytics consent is granted. | being confirmed | being confirmed | Link |
| Supabase | Authentication, Postgres database, file storage, realtime, and application data layer. | Account data, auth/session data, generation records, uploaded source files, generated outputs, session and analytics tables. | EU - eu-west-1 (Ireland) | verified | Link |
| OpenAI | Primary AI inference for content detection, planning, generation, editing, and repair passes. | Briefs, extracted source-file text, URL text, generated content, prompts, outputs, and generation metadata needed to provide the request. | being confirmed | being confirmed | Link |
| Anthropic | Fallback AI inference for generation resilience and selected repair/fallback paths. | The same AI payload categories as OpenAI when the fallback path is used: prompts, extracted source text, generated content, and outputs. | being confirmed | being confirmed | Link |
| Stripe | Payment processing, subscription management, invoicing, and tax records. | Billing contact details, Stripe customer/subscription identifiers, invoice metadata, payment status, and plan information. Card data is handled by Stripe, not stored by intle. | being confirmed | being confirmed | Link |
| Resend | Transactional email delivery and deliverability webhooks. | Email addresses, email content, delivery status, bounce metadata, and transactional notification context. | being confirmed | being confirmed | Link |
| Upstash | Redis-backed burst rate limiting for abuse prevention and fair-use controls. | Short-lived rate-limit keys derived from user IDs, participant/session identifiers, routes, and IP-derived keys where applicable. | being confirmed | being confirmed | Link |
| Cloudflare Turnstile | Bot and abuse prevention on sign-in, sign-up, and contact flows. | Challenge tokens and browser/device/network signals used to distinguish human users from automated abuse. | being confirmed | being confirmed | Link |
| Sentry | Error monitoring, performance diagnostics, and masked error-only replay where consent allows replay. | Error events, traces, redacted breadcrumbs, opaque user IDs, masked replay data, and operational diagnostics. Request bodies are dropped by intle redaction. | EU - Germany | verified | Link |
| Inngest | Background job orchestration for AI generation, email dispatch, billing follow-ups, and scheduled maintenance jobs. | Generation job metadata, user/team identifiers needed for job routing, status events, retries, and operational job logs. | being confirmed | being confirmed | Link |
We do not sell your personal data. If you opt in to marketing cookies, the Google Ads tag sends consented page, ad-click and conversion-event data to Google for advertising measurement and eligible remarketing. Google processes that data under its applicable advertising terms; see how Google uses conversion and event data. We do not send generated content or uploaded source files to Google Ads. The same processor source data drives our public Sub-processors page.
International Data Transfers
Our primary database, authentication, and storage layer is verified in Supabase eu-west-1, and Sentry is verified in its EU region. AI inference is processed outside the UK/EU by default, and several other processor regions are still being confirmed. When personal data is transferred outside the United Kingdom or European Economic Area, we ensure appropriate safeguards are in place in accordance with Chapter V of the UK GDPR, including:
- UK adequacy regulations — where the UK Secretary of State has made an adequacy decision for the recipient country under Section 17A of the Data Protection Act 2018.
- UK International Data Transfer Agreement (UK IDTA) or EU Standard Contractual Clauses with the UK Addendum — where adequacy does not apply, we rely on contractual safeguards approved by the ICO to ensure your data receives equivalent protection.
Where required, we conduct Transfer Risk Assessments to evaluate the legal framework in the recipient country and the supplementary measures applied by each processor. Rows marked “being confirmed” in our processor list do not yet have a public region claim.
Cookies & Local Storage
In accordance with the Privacy and Electronic Communications Regulations 2003 (PECR), we use the following cookies and browser storage mechanisms:
- Strictly necessary cookies and storage - authentication cookies (set by Supabase to maintain your signed-in session), our session-security cookie, your saved preferences (such as theme), and the cookie that records your consent choices. These are strictly necessary for the Service to function and do not require consent under PECR Regulation 6(4).
- Performance & analytics (consent-based)- with your opt-in consent we use Vercel Web Analytics, Vercel Speed Insights, our own first-party page-view counter, and Sentry session replay (error investigation only, fully masked). None of these run until you accept them in the cookie banner, and “Reject all” leaves the Service fully functional.
- Marketing & advertising (consent-based) - with your separate marketing opt-in, we load the Google Ads tag for conversion measurement and eligible remarketing, and record consented campaign attribution. The tag, its advertising cookies, advertising pings and our campaign-attribution cookie remain blocked unless you opt in.
Your choices are stored in a first-party cookie for six months, after which we ask again; we also keep a time-stamped record of consents and withdrawals (with hashed identifiers only) as required by ICO guidance. You can change your decision at any time via “Cookie preferences” in the footer. Withdrawing marketing consent sends a denied consent state to the loaded tag, stops further Google Ads measurement, unmounts the tag, and deletes Intle’s campaign-attribution cookie and accessible Google conversion cookies from this site. It does not affect processing lawfully carried out before withdrawal. The full inventory of every cookie and storage key we use — including durations and justifications — is in our Cookie Policy.
Data Retention
We retain personal data only for as long as necessary for the purpose collected:
- Account and generation data — retained while your account is active, subject to the creation-history window for your plan. Self-service account deletion removes the profile, generations, hosted-session records, uploads, exported packages, and user-owned branding/media from the live application as part of the deletion flow.
- Consent records — the link to your account is removed on deletion. A pseudonymous record may be retained to demonstrate when consent was given or withdrawn.
- Billing records — retained for the period required by applicable accounting and tax law. Stripe may retain transaction records under its own legal obligations after an intle account is deleted.
- Server logs, security records, and encrypted backups — may persist after live deletion for the limited retention periods operated by our processors, then expire through their normal retention cycles. We do not restore deleted account data to active use except where necessary for disaster recovery or legal obligations.
- Support correspondence — retained only while needed to resolve the request, maintain security, meet legal obligations, or establish or defend legal claims.
Your Rights Under UK GDPR
Under the UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data:
- Access (Article 15) — request a copy of the personal data we hold about you.
- Rectification (Article 16) — ask us to correct inaccurate or incomplete data.
- Erasure(Article 17) — ask us to delete your personal data ("right to be forgotten"), subject to any legal obligations requiring retention.
- Restriction (Article 18) — ask us to restrict processing of your data in certain circumstances, for example while we verify accuracy.
- Data portability (Article 20) — request your data in a structured, commonly used, machine-readable format (e.g. JSON or CSV).
- Objection (Article 21) — object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
- Withdraw consent (Article 7(3)) — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Automated decision-making (Article 22) — you have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. The Service uses AI for content generation but does not make automated decisions about your access, pricing, or legal rights.
To exercise any of these rights, email us at admin@intle.co.uk. We will respond within one calendar month from receipt of your request, as required by Article 12(3) of the UK GDPR. We will not charge a fee unless the request is manifestly unfounded or excessive.
Data Security
We implement appropriate technical and organisational measures to protect your data as required by Article 32 of the UK GDPR, including:
- Encryption in transit (TLS 1.2+) for all connections.
- Encryption at rest for stored data in Supabase eu-west-1.
- Row-level security (RLS) policies on our database ensuring users can only access their own data.
- Access controls and least-privilege principles for internal systems.
- Rate limits on AI generation, editing, uploads, tracking, contact, and session-response routes.
- Magic-byte upload checks, decompression-bomb limits, and SSRF guards for user-supplied URLs.
- CSRF Origin/Sec-Fetch checks for state-changing API requests.
- HMAC-signed participant cookies for hosted-session participant endpoints.
- Application error monitoring via Sentry EU with redaction and request-body dropping.
No method of electronic transmission or storage is 100% secure. In the event of a personal data breach, we will notify the Information Commissioner's Office within 72 hourswhere the breach is likely to result in a risk to individuals' rights and freedoms, as required by Article 33 of the UK GDPR. Where the breach is likely to result in a high risk, we will also notify affected individuals without undue delay under Article 34.
Children's Privacy
Intle account creation is not directed to children under 16, and account holders must be at least 16. Hosted learning sessions may, however, be used by a school or other organisation with participants under 16. The session organiser chooses whether a session requests a name or email; those fields are off unless enabled, and the server discards them when disabled. Google Ads tags and campaign-attribution capture are also disabled on hosted-participant and join routes.
An organisation using intle with under-16s must have an appropriate lawful basis, provide an age-appropriate privacy notice, configure the session to collect only what is necessary, obtain parental or guardian authorisation where applicable, and put the required controller-processor terms in place. Participants see a privacy notice before a hosted session creates their record. If you believe a child's data was supplied outside an authorised school, organisation or guardian context, contact us so we can investigate and delete it where required. We assess child-facing processing against the ICO's Age Appropriate Design Code(Children's Code).
Privacy contact
We have not appointed a Data Protection Officer. Privacy enquiries and data-rights requests should be directed to the contact below. We will reassess whether a formal DPO is required if the scale or nature of processing changes.
In the meantime, privacy enquiries should be directed to admin@intle.co.uk.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email and by posting the updated policy on this page with a revised "Last updated" date. Where changes materially affect how we process your data, we will provide at least 30 days' notice and, where required, seek your renewed consent.
Complaints & Supervisory Authority
If you are not satisfied with our response to a privacy request, or you believe we are processing your personal data in a way that is not compliant with UK data protection law, you have the right to lodge a complaint with the United Kingdom's supervisory authority:
- Information Commissioner's Office (ICO)
- Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
- Telephone: 0303 123 1113
- Website: ico.org.uk
- Complaints: ico.org.uk/make-a-complaint
We encourage you to contact us first at admin@intle.co.uk so we can try to resolve your concern before you escalate to the ICO.
Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights:
- Email: admin@intle.co.uk
- Data controller: EDTECHLAB LTD, company 17103855
- Registered office: 167-169 Great Portland Street, London, England, W1W 5PF
- Parent website: edtechlab.co.uk
- Parent company contact: hello@edtechlab.co.uk