This document is pending formal legal review. It does not constitute legal advice. For questions, contact support@interlaza.com.
Last updated: April 2026
Introduction
INTERLAZA (“we”, “us”, “our”) is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, store, and protect information when you use the INTERLAZA platform — an adaptive match-to-sample training application designed for instructors, clinicians, and parents working with children.
This policy is designed with the EU General Data Protection Regulation (GDPR), the US Children’s Online Privacy Protection Act (COPPA), and other applicable privacy frameworks in mind.
By using INTERLAZA, you agree to the practices described in this policy.
Data Controller
INTERLAZA is operated as a sole proprietorship (Freiberufler) registered in Germany.
For all privacy matters, contact: support@interlaza.com
Data We Collect
We collect the following categories of information:
Account information
Email address and password when you create an account. Passwords are never stored in plain text — they are handled via Supabase Auth using bcrypt encryption.
Session data
Student profiles (first name or alias, approximate age range, avatar color — no surnames, addresses, or contact information), program configurations, exercise settings, trial responses (tap selections on screen), and mastery records. This data is created and managed by the adult account holder.
Usage analytics
Pages visited and features used, collected via Umami Analytics (see the Analytics section below). No personal data is collected.
Contact form submissions
Email address and message content, used only to respond to your inquiry.
AI feature data
When you explicitly use AI-powered features (progress report generation, intervention suggestions), anonymized session summaries are sent to the Anthropic Claude API. This data is not stored by Anthropic beyond the duration of the request.
If you choose to provide your own Anthropic API key (instead of using INTERLAZA’s built-in proxy), your key is stored in your browser’s localStorage in plain text. You are responsible for securing access to your device and browser when using this option.
Error monitoring data
When errors occur in the application, diagnostic information (error message, stack trace, browser type, and a recording of the session leading up to the error) may be sent to our error monitoring service (Sentry). All text in error recordings is masked and all media is blocked. No session data, student names, or personal information is included — only technical debugging context. See the Third-Party Services section below.
How Your Data Is Stored
Local-first architecture
INTERLAZA uses a local-first architecture. All session data — students, programs, sessions, trial logs, mastery records — is stored in your browser’s IndexedDB database. This data never leaves your device unless you explicitly enable cloud sync.
What IndexedDB means for you
IndexedDB is a browser-native database built into every modern web browser. Your session data lives on your device, not on our servers. This means:
- The app works fully offline once loaded.
- Your data is as secure as your device.
- Clearing browser data or uninstalling the browser will permanently delete this data. We recommend using the Data Export feature (Settings → Data Export) regularly.
Optional cloud sync
If you enable cloud sync, your data is replicated to Supabase PostgreSQL servers (AWS infrastructure, US-East region). Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Sync uses a last-write-wins conflict resolution strategy. You can disable sync and request deletion of cloud data at any time by contacting support@interlaza.com.
Data residency
Local data resides on your device in whatever jurisdiction you are located. Cloud-synced data is stored on AWS US-East (Virginia, USA). If you are in the EU and have data residency concerns, you may choose to use INTERLAZA in local-only mode without enabling cloud sync. The app is fully functional without cloud sync.
How We Use Your Data
We use the data we collect to:
- Provide and improve the Service.
- Generate AI-powered reports and suggestions when you explicitly use these features.
- Respond to support and contact form inquiries.
We do not:
- Sell, rent, or share your data with third parties.
- Use session data for advertising or marketing purposes.
- Access individual student records without your explicit consent.
Legal Basis for Processing (GDPR)
For users in the European Economic Area, we process personal data on the following legal bases:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide you with the Service and fulfill your subscription.
- Legitimate interests (Art. 6(1)(f)): Aggregated, anonymous analytics to understand how the Service is used and improve it.
- Consent (Art. 6(1)(a)): AI-powered features and cloud sync, both of which are opt-in. You may withdraw consent at any time.
Your Rights Under GDPR
If you are located in the European Economic Area, you have the following rights regarding your personal data:
-
Right of access: Request a copy of the data we hold about you. You can export all session data directly from the app via Settings → Data Export. For data held in our systems (account information, contact records), contact support@interlaza.com.
-
Right to rectification: Correct inaccurate data directly within the application. For account-level data, contact us.
-
Right to erasure: Delete all local session data via Settings or the browser console utility (
window.clearAllData()). To request deletion of cloud-synced or account data, contact support@interlaza.com. -
Right to data portability: Export all your data in JSON or CSV format via Settings → Data Export. The export is machine-readable and includes all session records.
-
Right to restrict processing: Contact us to restrict processing of your data while a complaint or inquiry is being investigated.
-
Right to object: Contact us to object to processing of your data based on legitimate interests.
To exercise any of these rights, contact support@interlaza.com. We will respond within 30 days.
You also have the right to lodge a complaint with your local data protection authority. In Germany, this is the Landesbeauftragte für den Datenschutz.
Children’s Data (COPPA)
INTERLAZA is designed to assist instructors and parents working with children from 18 months and up who benefit from structured learning activities.
We do not collect personal information directly from children. All student data is created and managed by the adult account holder (instructor or parent). The child-facing trial interface collects only trial responses (tap selections on screen) with no personal identifiers — no names, photos, or contact information are entered by the child.
Student profiles created by the adult account holder contain only: a first name or alias, an approximate age range, and an avatar color selection. We encourage the use of aliases rather than real names for student profiles.
The adult account holder is responsible for obtaining any necessary parental consent before creating student profiles and using the platform for learning sessions. In the US, instructors using this tool with children under 13 should ensure their own COPPA compliance as applicable to their professional context.
Data Retention
- Local data: Retained on your device until you delete it (via the app or by clearing browser data). We have no control over locally-stored data.
- Cloud data: Retained while your account is active, plus 30 days after you request account deletion. After 30 days, cloud data is permanently deleted.
- Contact form messages: Retained for up to 12 months, then deleted.
- Analytics data: Aggregated and anonymous — no individual records exist to delete.
Third-Party Services
INTERLAZA uses the following third-party services. Each has its own privacy policy:
| Service | Purpose | Privacy Policy |
|---|---|---|
| Supabase | Authentication, optional cloud sync | supabase.com/privacy |
| Anthropic Claude API | Optional AI features | anthropic.com/privacy |
| Sentry | Error monitoring and diagnostics (env-gated, 10% sampling) | sentry.io/privacy |
| Stripe | Subscription billing and payment processing | stripe.com/privacy |
| Umami Analytics | Website analytics (cookieless, no personal data) | umami.is/privacy |
| Crisp | Optional live chat support widget (env-gated) | crisp.chat/privacy |
| Resend | Contact form emails | resend.com/privacy |
| Cloudflare Pages | Website hosting and CDN | cloudflare.com/privacypolicy |
Cookies
INTERLAZA does not use cookies for tracking or advertising.
We use Umami Analytics, which is fully cookieless. No tracking pixels or third-party cookies are set. The only browser storage used is:
- IndexedDB: All session data (local-first, on your device)
- localStorage: App preferences and configuration — including language selection, account tier, user role, onboarding state, accessibility preferences (low stimulation mode, audio settings), PWA install dismissal state, cloud sync consent, and optionally your Anthropic API key if you provide one. No session data or student information is stored in localStorage.
Progressive Web App (PWA)
INTERLAZA can be installed as an app on your device. When installed, a service worker caches the application shell (HTML, CSS, JavaScript) and stimulus images for offline access. No session data is cached by the service worker — all session data is stored in IndexedDB. You can clear the service worker cache at any time via your browser settings.
Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be reflected in the “Last updated” date at the top of this page. Continued use of INTERLAZA after changes are posted constitutes your acceptance of the revised policy. We will notify active subscribers of material changes by email.
Contact
If you have any questions about this Privacy Policy or wish to exercise your data rights:
Data Protection Contact: support@interlaza.com
General Support: support@interlaza.com