Privacy Policy

1. Introduction and Scope

Interakly ("we", "us", "our") operates the interactive video platform at interakly.com ("the Service"). This Privacy Policy explains how we collect, use, store, share, and protect personal data when you use the Service, whether as an educator creating interactive videos, a viewer or student engaging with them, or an administrator managing an institutional account.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. Where the Service is used in an educational setting, this policy should be read in conjunction with any Data Processing Agreement (DPA) between Interakly and the educational institution.

2. Who This Policy Applies To

This policy covers three categories of users:

• Educators — account holders who create, configure, and publish interactive videos
• Viewers and students — individuals who watch and interact with videos, whether authenticated or anonymous
• Administrators — institutional representatives who manage LTI integrations, platform settings, or Data Processing Agreements on behalf of a school, district, or organization

3. Information We Collect — From Educators

• Account information: name, email address, and profile data provided through our authentication provider (Clerk)
• Payment information: billing details collected and processed by our payment processor (Paddle) — we do not store credit card numbers
• Video content: uploaded or linked videos, captions, thumbnails, and associated metadata
• Interaction configurations: questions, answer options, scoring rules, chapter markers, polls, and other interactive element settings
• Workspace configurations: code templates, worksheet content, flashcard decks, map markers, equation presets, and dashboard layouts
• Settings and preferences: video settings, access controls, collection organization, webhook configurations, and LTI platform registrations

4. Information We Collect — From Viewers and Students

• Identity information: name and email address, if the video creator has enabled email or name collection gates; Clerk user ID if the viewer is authenticated
• Session data: anonymous session tokens (stored in browser localStorage), session creation and completion timestamps, and session identifiers
• Quiz and interaction responses: answers to questions (multiple choice, true/false, free text, numeric, fill-in-the-blank, ordering, matching, image labeling, hotspot), poll selections, and rating scale values
• Scores and grades: computed scores, points awarded, completion status, and leaderboard rankings
• Watch behavior: video progress, watch duration, interaction timestamps, and engagement heatmap events
• Rich media submissions: audio responses, drawing/annotation submissions, and timestamped comments
• Workspace state: code written in the code editor, notes, whiteboard drawings, worksheet answers, data table content, equation inputs, flashcard progress, map interactions, graph configurations, and board entries

5. Information We Collect — From LTI Launches

When Interakly is launched from a Learning Management System (LMS) via LTI 1.3, the LMS sends us the following data as part of the launch request:

• LMS user identifier (opaque, platform-scoped)
• Course and context identifiers (course ID, deployment ID)
• Assignment and Grade Services (AGS) endpoint URLs for grade passback
• LMS platform identifiers (issuer, client ID, deployment ID)

We do not request or receive student names, email addresses, or other personally identifiable information through the LTI launch unless the LMS platform is configured to include them. LTI data is used solely to link sessions to the correct assignment and deliver grade passback.

6. Information We Collect — Automatically

When you access the Service, we may automatically collect:

• IP address (used for rate limiting and abuse prevention; not stored long-term)
• Device type and screen resolution
• Browser type and version
• Referring URL
• Pages visited and features used

We do not use this data for advertising, profiling, or cross-site tracking.

7. How We Use Your Information

• Provide the Service: store and deliver videos, render interactions, compute scores, persist workspace state, and display analytics to educators
• Grade passback: deliver scores to LMS platforms via LTI Assignment and Grade Services
• Webhook delivery: send session and response event data to educator-configured webhook endpoints
• Authentication: verify identity via Clerk and manage session tokens for anonymous viewers
• Payments: process subscriptions and billing via Paddle
• Security: rate limit requests, detect abuse, validate tokens, and enforce access controls
• Service improvement: analyze aggregated usage patterns to develop and improve features
• Communication: send transactional emails related to your account or billing

8. What We Do NOT Do

• We do not sell, rent, or trade personal data to any third party
• We do not use personal data for advertising or behavioral targeting
• We do not build personal profiles of students for non-educational purposes
• We do not use student data to train artificial intelligence or machine learning models
• We do not retain student data longer than necessary to provide the Service

9. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we process your personal data under the following legal bases:

• Contract: processing necessary to provide the Service you have requested (Article 6(1)(b))
• Legitimate interests: security, fraud prevention, service improvement, and analytics that do not override your fundamental rights (Article 6(1)(f))
• Consent: where you have given explicit consent, such as optional email collection (Article 6(1)(a))
• Legal obligation: where processing is required to comply with applicable law (Article 6(1)(c))

For children under 16, we rely on the educational institution's authority to consent on behalf of the child under Article 8 of the GDPR, as the Service is used for educational purposes under the institution's direction.

10. Student Data and FERPA

When Interakly is used by a school or educational institution subject to the Family Educational Rights and Privacy Act (FERPA), we recognize that student data may constitute "education records" under FERPA. In these cases:

• Interakly acts as a "school official" with a legitimate educational interest, as defined under 34 CFR § 99.31(a)(1)
• We process student education records under the direct control of the educational institution and solely for the purposes specified in our agreement with the institution
• We do not re-disclose student education records to third parties except as permitted under FERPA or as directed by the educational institution
• We do not use student education records for any purpose other than providing the Service to the institution
• Parents and eligible students may exercise their right to inspect and review education records through their educational institution

We offer Data Processing Agreements (DPAs) to schools and districts that include FERPA-specific commitments. Contact privacy@interakly.com to request a DPA.

11. Children's Privacy and COPPA

Interakly does not market to or knowingly collect personal information directly from children under 13. When the Service is used by a school or school district for students under 13:

• The school provides consent on behalf of the parent under the COPPA "school consent" provision (16 CFR § 312.5(c))
• Data collected from students is used solely for educational purposes as directed by the school
• We do not use children's personal information for any commercial purpose unrelated to the educational services
• Parents may review, request deletion of, or refuse further collection of their child's information by contacting the school, which may then direct us to take appropriate action
• We collect only the minimum information necessary to provide the educational Service

If you are a parent and believe your child has provided personal information to us without appropriate consent, contact us at privacy@interakly.com and we will promptly investigate and delete the data if appropriate.

12. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with additional rights regarding your personal information:

• Right to know: you may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, our business purposes for collection, and the categories of third parties with whom we share it
• Right to delete: you may request deletion of your personal information, subject to certain exceptions
• Right to correct: you may request correction of inaccurate personal information
• Right to opt out of sale/sharing: we do not sell or share personal information for cross-context behavioral advertising. There is no need to opt out because we do not engage in these practices
• Right to non-discrimination: we will not discriminate against you for exercising your CCPA rights

To exercise these rights, contact us at privacy@interakly.com. We will verify your identity and respond within 45 days.

Categories of personal information collected (as defined by CCPA): identifiers (name, email), internet activity (usage data, watch behavior), education information (quiz responses, scores), and audio/visual information (audio responses, video content uploaded by educators).

13. Data Sharing and Third Parties

We share personal data only with the following third-party service providers who process data on our behalf and solely for the purposes of operating the Service:

Each provider processes data under their own privacy policy and applicable data processing agreements. We do not sell, rent, or trade personal data to any third party.

14. Cookies and Local Storage

We use only essential cookies and browser storage mechanisms required for the Service to function. We do not use advertising, analytics, or third-party tracking cookies.

• Authentication cookies: Clerk session cookies to maintain your login state
• localStorage: anonymous session tokens (with 24-hour TTL), workspace state, viewer variable values, collection view preferences
• sessionStorage: transient viewer variable state during a viewing session

These storage mechanisms are strictly necessary and do not require consent under the ePrivacy Directive.

15. Data Retention and Deletion

• Educator accounts: data is retained for as long as the account is active. Upon account deletion, we remove all personal data and associated content within 30 days
• Video and response data: retained until the video creator deletes the video or their account. When a video is deleted, all associated responses, sessions, analytics, workspace states, and comments are cascade-deleted
• Anonymous session data: session tokens in browser localStorage expire after 24 hours. Server-side session records are retained until the associated video is deleted
• LTI data: OIDC state records are automatically cleaned up after 10 minutes. Launch records are retained for grade passback and are deleted when the associated video is deleted
• Rate limit data: automatically cleaned up hourly via scheduled functions

Educational institutions may request bulk deletion of all student data associated with their institution by contacting privacy@interakly.com.

16. Data Security

We implement appropriate technical and organizational measures to protect your data:

• Encryption in transit: all data is transmitted over TLS (HTTPS)
• Password hashing: video access passwords use server-side PBKDF2 hashing via Web Crypto API
• Token security: all anonymous session token comparisons use constant-time (timing-safe) comparison to prevent timing attacks
• Rate limiting: request rate limits protect against brute-force attacks and abuse
• Signed video URLs: video streams use RS256 JWT-signed URLs with 2-hour expiry to prevent unauthorized access
• Server-side grading: quiz correctness is always computed server-side and never trusted from the client
• Answer stripping: correct answers and explanations are stripped from data sent to viewers before they submit responses
• Sandboxed code execution: user code runs in isolated Firecracker microVMs with no network access to internal systems
• Input validation: strict size limits on all user inputs (configurations, responses, URLs, email addresses)
• Webhook security: webhook deliveries are signed with HMAC-SHA256 so recipients can verify authenticity

No system can guarantee absolute security. If we become aware of a security breach that affects your personal data, we will notify affected users and relevant authorities as required by applicable law.

17. International Data Transfers

Interakly is operated from Sweden. Our infrastructure providers (Convex, Cloudflare, Clerk) may process data in the United States and other countries. When personal data is transferred outside the EEA, we rely on:

• The EU-US Data Privacy Framework, where the recipient is certified
• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions by the European Commission, where applicable

You may request information about the specific transfer mechanisms used for your data by contacting privacy@interakly.com.

18. Your Rights

GDPR Rights (EEA, UK, Switzerland)

• Access: request a copy of the personal data we hold about you
• Rectification: request correction of inaccurate or incomplete data
• Erasure: request deletion of your personal data ("right to be forgotten")
• Portability: request your data in a structured, machine-readable format
• Restriction: request that we restrict processing of your data
• Objection: object to processing based on legitimate interests
• Withdraw consent: where processing is based on consent, you may withdraw it at any time

CCPA/CPRA Rights (California)

See Section 12 above for your California-specific rights.

FERPA Rights (Students)

Students and parents exercise FERPA rights (access, amendment, consent) through their educational institution. The institution may then direct us to take appropriate action on the relevant records.

To exercise any of these rights, contact us at privacy@interakly.com. We will respond within 30 days (or the timeframe required by applicable law).

19. Data Processing Agreements

We offer Data Processing Agreements (DPAs) tailored for educational institutions. Our DPA template includes FERPA-specific commitments, COPPA school consent provisions, GDPR-compliant data processing terms, and breach notification procedures.

Schools, districts, and institutions may request a DPA by contacting privacy@interakly.com. We also accept institution-provided DPAs and are available to participate in state student data privacy agreement processes.

20. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice on the Service or sending an email to your registered address at least 30 days before the changes take effect. For changes that affect how we handle student data, we will also notify educational institutions directly.

Your continued use of the Service after changes become effective constitutes acceptance of the updated policy. The "Last updated" date at the top of this page indicates when the policy was most recently revised.

21. Contact

For privacy-related inquiries:

• General privacy: privacy@interakly.com
• General support: support@interakly.com
• COPPA / children's privacy inquiries: privacy@interakly.com (subject line: "COPPA Inquiry")
• FERPA / student records inquiries: privacy@interakly.com (subject line: "FERPA Inquiry")
• Data Processing Agreement requests: privacy@interakly.com (subject line: "DPA Request")

If you are in the EU and are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.