Privacy Policy

Last updated: 2026-06-26

This privacy policy describes how Instagrity collects, uses, stores, shares, and protects user data. It covers the core service and explains how Instagrity handles data from external providers such as Google, Microsoft, Stripe, and OpenAI when those integrations are connected.

Product data
Accounts, classes, essays, annotations, grading records, external-provider data where connected, and support submissions
Data sales
Instagrity does not sell student, classroom, or external-provider user data
Current processors
Supabase, Vercel, OpenAI, Stripe, Google, Microsoft, Resend, and similar infrastructure providers
School review
FERPA, COPPA, local privacy, and contracting review remain school responsibilities

Information Instagrity currently handles

Instagrity may store account details, profile names, class and roster information, assignment details, essay text, feedback data, annotations, premium entitlement records, support submissions, and system activity records required to operate the service. When external-provider integrations are connected, Instagrity also stores the provider-specific data described in the External provider data section below.

External provider data

Instagrity connects to external providers only when a user or authorized organization chooses to enable those features. The specific data accessed and how it is used depends on the provider and the feature being used.

Google services

When you use Google with Instagrity, the Google user data Instagrity accesses depends on the feature you choose to connect.

Google Sign-In. Instagrity may receive your Google account email address and Google account identifier to authenticate you, create or locate your Instagrity account, protect account access, and route you into the correct teacher, student, or admin workspace.

Google Drive import. Instagrity may receive your Google account email address, basic profile information, Google account identifier, selected file metadata, and the contents of files you explicitly select through the Google Drive Picker or an equivalent Google file-selection flow. Instagrity uses this data to import files you choose as classroom materials, assignment materials, or student-submission attachments.

Google Classroom integration. Instagrity may receive your Google account email address, basic profile information, Google account identifier, course lists, course metadata, roster information (Google Classroom user identifiers and student display names), grade-category data, coursework metadata, due dates, links, and related Classroom identifiers. Instagrity does not import or collect Google Classroom student email addresses. Instagrity uses this data to help teachers or authorized school users connect classes, map Google Classroom courses to Instagrity classes, preview or import rosters as Google Classroom roster placeholders, map categories, and import or sync coursework where the integration is enabled. Roster placeholders are matched to Instagrity student accounts when the student signs in or connects their Google account.

How Instagrity uses Google user data. Instagrity uses Google user data only to provide and improve user-facing Instagrity features that the user or organization authorizes. Google user data is used for authentication, account identity, selected Google Drive file import, Google Classroom course and class mapping, roster preview, import, and roster placeholder matching, category and coursework mapping, import, and sync, and for security, abuse prevention, support, audit, and legal compliance where needed.

No sale of Google user data. Instagrity does not sell Google user data.

Prohibited uses. Instagrity does not use Google user data for targeted advertising, personalized advertising, retargeting, interest-based advertising, selling to data brokers, providing to information resellers, determining credit-worthiness, lending, surveillance, or creating unrelated databases. Instagrity does not use Google user data to train AI models unrelated to the Instagrity service. If Google-derived classroom content is included in an Instagrity AI-assisted workflow requested by a teacher, student, or authorized school user, that processing is limited to providing the requested user-facing Instagrity feature.

Sharing and transfer. Google user data may be processed by Instagrity’s authorized infrastructure and service providers (Supabase, Vercel, OpenAI, Stripe, Google, Resend, and similar providers) only as needed to operate the service. Instagrity does not transfer Google user data to third parties for advertising, resale, data brokerage, credit, lending, surveillance, or unrelated model training. AI providers process classroom content only when an AI-assisted feature is requested and only to provide that feature. Stripe generally processes billing data rather than classroom or Google-derived content unless incidental account metadata is involved.

Data protection. Instagrity uses encryption in transit and managed infrastructure protections for data at rest. Access to Google user data is limited to authorized personnel and service providers who need access to operate, secure, support, or maintain the service. Instagrity uses application access controls, server-side integration routes, Supabase row-level security where applicable, rate limiting, challenge verification where configured, security-event logging, and audit-oriented records to help protect user data from unauthorized access, disclosure, alteration, or loss.

Human access. Humans do not review Google user data except when needed to provide support requested by the user or their school, investigate abuse or security issues, comply with legal obligations, or operate internal aggregated or de-identified service operations. When a teacher or school administrator intentionally imports or uses Google-derived content in Instagrity, normal teacher, administrator, and authorized collaborator access inside the product is part of the authorized classroom workflow.

Retention and deletion. Google account identifiers and connected external-account metadata are removed or disconnected from active service records when you delete your Instagrity account or disconnect the integration, subject to backup, legal, and audit retention. Google Drive files imported into Instagrity become classroom, assignment, or submission content and follow the same deletion and retention practices as other classroom content. Google Classroom imported or mapped classes, rosters, invitations, assignments, mapping records, and sync logs follow product deletion, administrative handling, and legal or audit retention practices. If Google access is revoked or tokens expire, Instagrity marks the connection state and stops syncing until reauthorization occurs.

Microsoft / Azure sign-in

When Microsoft sign-in is enabled and a user chooses it, Instagrity may receive the user’s Microsoft account email address, account identifier, and basic profile details needed for authentication. Instagrity uses this data to create or locate the user’s Instagrity account, protect account access, and route the user into the correct workspace. Microsoft sign-in data is used only for authentication and account identity within the Instagrity service. Instagrity does not sell Microsoft sign-in data or use it for advertising, data-broker resale, credit-worthiness, lending, or unrelated AI model training.

Stripe billing

Instagrity uses Stripe to support subscription checkout, billing, seat purchases, invoices, refunds, disputes, and payment-status handling. Instagrity may store Stripe customer identifiers, subscription status, purchased seat counts, invoice or checkout references, refund and dispute metadata, and entitlement records needed to operate paid plans. Payment card details are handled by Stripe and are not stored or used by Instagrity for classroom workflows. Billing data is used for account administration, payment support, accounting, audit, abuse prevention, and legal obligations. Stripe does not receive classroom content or external-provider user data from Google or Microsoft integrations unless incidental account metadata is involved.

OpenAI / AI service providers

When a teacher, student, or authorized school user requests an AI-assisted feature, Instagrity may process relevant classroom content through AI service providers to provide grading, feedback, coaching, assessment, rubric, or instructional-support features. AI processing is limited to the requested Instagrity feature and related service operations. Instagrity does not sell classroom content or external-provider user data to AI providers. Instagrity does not use that data for targeted advertising, data-broker resale, credit-worthiness, lending, or training AI models unrelated to the Instagrity service. Premium teacher seats and entitlement rules govern whether AI features are available for a given classroom workflow.

Supabase, Vercel, Resend, and infrastructure providers

Instagrity uses infrastructure providers to host the application, authenticate users, store product data, deliver transactional emails, monitor reliability, and protect the service.

Supabase may process authentication, database, storage, and access-control data.

Vercel may process hosting, deployment, performance, and request data needed to serve the application.

Resend may process recipient, sender, subject, delivery, and message-content data needed to send service emails.

These providers process data only as needed to operate, secure, support, or maintain Instagrity. They do not receive data for advertising, data-broker resale, credit-worthiness, lending, or unrelated model training. Additional infrastructure providers may be introduced as the product evolves. See the Service providers and subprocessors section below for additional detail.

How information is used

Data is used to authenticate accounts, organize classes, publish assignments, accept writing submissions, generate or display grading results, release teacher feedback, support account and billing workflows, investigate issues, and keep the service available and secure. Provider-specific data uses are detailed in the External provider data section above.

Baseline privacy commitments for every account

Every account uses Instagrity's baseline privacy and data-handling commitments. Self-serve accounts do not waive those protections. Data is handled to authenticate users, run classroom workflows, provide billing and support operations, maintain security, and operate the service responsibly under the current standard terms.

Self-serve accounts and custom package commitments

Self-serve accounts use Instagrity's standard privacy, security, deletion, and processor terms. Larger custom or 201+ seat packages may also include enhanced contractual commitments such as DPA review, district procurement support, security review responses, breach-notice procedures, or custom data-processing terms when separately agreed.

Student writing, classroom records, and school-authorized use

When Instagrity is used in a classroom or school context, student writing, student identity details, grades, and related workflow records may constitute education records or student records under FERPA or similar local rules. Instagrity is designed to support school-authorized educational use, but each school, district, teacher, or organization remains responsible for determining whether the service fits its own legal, policy, and parent-notice requirements.

COPPA and age-related use

If children under 13 use Instagrity, the service is intended to be used only under school, teacher, parent, or other legally appropriate authorization. The school or responsible organization remains responsible for deciding whether COPPA consent, direct notice, or related obligations apply in its deployment context.

AI and model-assisted processing

Instagrity may process teacher, student, and classroom content through AI-assisted workflows when grading, feedback, coaching, prompt, or assessment-help features are requested. Premium teacher seats and teacher entitlement rules govern whether those AI features are available for a given classroom workflow. AI-related processing may involve third-party vendors used to operate the service. Provider-specific AI data handling is described in the External provider data section above.

Security and data protection

Instagrity uses encryption in transit and managed infrastructure protections for data at rest. Access to user data is limited to authorized personnel and service providers who need access to operate, secure, support, or maintain the service. Instagrity uses application access controls, server-side integration routes, Supabase row-level security where applicable, rate limiting, challenge verification where configured, security-event logging, and audit-oriented records to help protect user data from unauthorized access, disclosure, alteration, or loss. Provider-specific protections are described in the External provider data section above.

Retention, deletion, and archive handling

Deleting content through product workflows, administrative handling, or contractual schedules may remove live product access copies, but backups, system logs, billing records, archived recovery copies, audit trails, and legally required retention copies may remain for limited periods. The current implementation also includes an administrator-controlled deleted-essay archive for recovery and audit purposes. Provider-specific retention and deletion practices are described in the External provider data section above.

Service providers and subprocessors

Based on the current architecture, Instagrity may rely on processors such as Supabase for authentication and database services, Vercel for hosting, OpenAI for AI-assisted grading or feedback processing when enabled, Stripe for billing, Google for sign-in and related platform services where enabled, Resend for email delivery, and Microsoft for sign-in where enabled. Additional providers may be introduced as the product evolves. Provider-specific data handling, sharing, and transfer limits are described in the External provider data section above.

Billing, audit, and legal retention

Billing records, entitlement changes, refund activity, chargeback or dispute records, and related audit logs may be retained as needed to operate the service, review payment issues, prevent abuse, satisfy accounting needs, or comply with legal obligations.

Disclosure and legal process

Instagrity may disclose information where required by law, to protect the rights or safety of users or the service, to investigate abuse or security incidents, or to operate the platform through authorized vendors and subprocessors acting on Instagrity's behalf.

Updates to this policy

Instagrity may update this Privacy Policy as the service evolves. If Instagrity materially changes how it collects, uses, stores, shares, or transfers external-provider user data, Instagrity will update this page and provide notice through the service or another appropriate channel where practical. If a new data use requires additional consent, Instagrity will request that consent before using data for the new purpose.