Privacy notice
Effective for the current product version. This page is generated from the same codebase it describes: when a data flow changes, this page changes in the same commit. interacty is operated from the United Kingdom; data is hosted in the European Union (AWS eu-west-1, Ireland). No advertising trackers, and no analytics cookies.
For universities & LMS administrators
Exported SCORM packages are fully self-contained and make no network calls. Our build pipeline rejects any package that references an external resource; this is enforced by automated checks, not policy. When learners take an interacty SCORM package on your LMS (Moodle, Blackboard, Canvas, …):
- All learner tracking (completion, score, interactions, suspend data) flows through your LMS's own SCORM API. It never leaves your LMS.
- interacty receives no learner data whatsoever from exported packages: no telemetry, no callbacks, no beacons.
- The standalone HTML export stores progress in the learner's own browser (localStorage) only.
Under GDPR your institution remains the sole controller of learner data; for exported packages interacty is not a processor of it at all, because the data never reaches us. A signed DPA covering creator accounts is available on request.
Who is the controller?
The operator of interacty.co.uk (contact: saihisaad.pro@gmail.com) is the controller for creator-account data described below. For learner data inside your LMS, your institution is the controller and interacty plays no role.
What we collect, why, and for how long
| Data | Purpose · lawful basis | Retention |
|---|---|---|
| Account: email, password hash, optional display name | Sign-in and account management · contract (Art. 6(1)(b)) | Until you delete your account (email us; deletion removes projects, versions, uploads, and publications) |
| Your content: projects, version history, uploaded images | The product itself · contract | Versions: newest 50 per project. Uploads and projects: until you delete them (dashboard / editor) |
| Published links (hosted HTML, aggregate view counter) | Hosting you asked for · contract | Until you revoke; revoking also deletes the stored bytes. We count views as a number; no visitor identities, no IP storage by the application |
| AI usage: prompts/briefs and relevant project content sent to a model when YOU use an AI feature; usage ledger (token counts, latency, credit charges, never your text) | Providing AI features and fair billing · contract | Response cache: 14 days. Ledger: lifetime of the account (it is your billing record) |
| Billing: Stripe customer id, plan status | Payments · contract + legal obligation | Card details never touch our systems (Stripe is the payment processor) |
| Community gallery submissions (opt-in): a project you chose to share, optional nickname | Publishing you explicitly requested · consent (withdraw by asking for removal; pending submissions can be withdrawn in-product) | Until removed; human-reviewed before anything becomes public; uploaded images are not accepted in v1 |
| Live sessions: participant nickname (sanitized, max 24 chars, no account needed), whitelisted answer events | The live session the host runs · legitimate interest of the host | Answers are relayed live and never stored on our servers. Sessions expire automatically after 30 minutes; only an aggregate participant count remains |
Infrastructure providers keep short-lived operational logs (e.g. request logs) for security and reliability; we add no application-level tracking on top.
Where data lives, and who processes it
| Processor | What for | Where |
|---|---|---|
| Supabase (AWS) | Database, authentication, file storage, serverless functions | EU, eu-west-1 (Ireland) |
| Stripe | Payments and invoices | EU/US, under Stripe's GDPR terms; card data stays with Stripe |
| OpenAI / Anthropic | AI generation, only when you invoke an AI feature | US, under each provider's Data Processing Addendum and Standard Contractual Clauses; API inputs are not used to train their models per provider API policies |
| Resend | Transactional email only (payment receipts, account and billing notices). No marketing email. Receives your email address and the message content | US/EU, under its Data Processing Addendum |
| Vercel | Serving this website and the studio (static files) | Global CDN |
Your rights, and the buttons that exercise them
- Access & portability: your projects are yours; open them any time and use Download for a complete, self-contained copy (HTML or SCORM).
- Rectification: edit anything in the studio; your display name is editable on the dashboard.
- Erasure: delete projects from the dashboard (removes the project and its version history); revoke published links (deletes the hosted bytes); withdraw pending gallery submissions in-product. For full account deletion, email the contact above, and we action it within 30 days.
- Objection / withdrawal of consent: community sharing and AI features are entirely opt-in per use; nothing runs in the background.
- Complaints: you may lodge a complaint with the UK ICO or your local EU supervisory authority.
What we deliberately do not do
- No advertising trackers, no third-party analytics, no cookie banners needed: the only browser storage is your sign-in session and on-device drafts/preferences (localStorage).
- No selling or sharing of personal data. No profiling, no automated decisions with legal effect.
- No training of AI models on your content by us; provider API policies exclude training on API data.
- No learner-data collection from exported packages, verified by the same automated self-containment checks every export passes.
Security & breach notification
Access to your content is enforced at the database row level (PostgreSQL row-level security): the same boundary our own staff tooling must pass. Uploads and published artifacts live in private storage buckets fronted by capability checks. If a personal-data breach ever creates a risk to you, we will notify the supervisory authority within 72 hours and affected users without undue delay (Art. 33/34).