Schoolyland

What you getHow it worksPricingFAQ
Contact
Claim a founding spot→

Navigate
What you getHow it worksPricingFAQ
Contact
Claim a founding spot→

Privacy Policy

Last updated: July 2026 · Version 1.1

This Privacy Policy describes how Schoolyland (“Schoolyland“, “we“, “us“) collects, uses, stores, transfers, and protects personal data in connection with our services at schoolyland.com.

This Policy applies to: every visitor to schoolyland.com · every prospect who fills in a form, leaves details, or otherwise contacts us · every Schoolyland customer · every user of the AI layer (MCP service).

This Policy is written with the EU General Data Protection Regulation (GDPR) as its baseline, and it applies alongside the privacy laws of the State of Israel, where Schoolyland is established. It should be read together with our Terms of Service and, for the AI layer, the MCP Privacy Policy.

1. Who we are (data controller)

1.1 Data controller: Schoolyland, a business registered in Israel (Business Registration No. 300638657), operator of schoolyland.com.

1.2 Contact for privacy matters:
Email: [email protected]
Contact form: schoolyland.com/contact

1.3 Note on our two roles. Schoolyland acts in two distinct roles: data controller — for data about visitors, prospects, and our own customers; and data processor — for data belonging to our customers’ own clients (“End Users“), which our customers collect through the platforms we build for them. See Section 3.

2. Definitions (short)

“Personal data” — any information relating to an identified or identifiable natural person. “Processing” — any operation performed on personal data (collection, storage, use, disclosure, transfer, deletion). “Customer Platform” — the WordPress platform Schoolyland builds and/or maintains for a customer. “End User” — a person who uses a Customer Platform (e.g., buys a course from our customer or joins their mailing list). “Subprocessor” — an external provider that processes data on our behalf (Section 6).

3. Controller vs. processor — whose data is whose

3.1 Your data (we are the controller). Data about you as a visitor, prospect, or customer of Schoolyland — we decide how and why it is processed, and this Policy governs it.

3.2 Your clients’ data (we are a processor). When our customer runs a platform with the systems we provide (CRM, store, courses, community), the customer collects data about their own End Users: names, emails, orders, course enrollment, community activity. That data belongs to our customer, who is its controller. Schoolyland processes it only on the customer’s behalf and instructions, as follows:

  • we act only per the customer’s instructions and the Terms of Service
  • we protect the data with the security measures in Section 8
  • we cooperate with the customer in fulfilling End Users’ data-subject requests
  • we do not disclose the data to any third party except our Subprocessors, to the extent needed to deliver the service, or under a binding legal obligation
  • upon termination of the agreement, we delete or return the data, unless law requires retention

This section serves as a built-in summary of our data-processing commitments. Customers who require a formal, signed Data Processing Agreement (DPA) — contact us and we will provide one.

3.3 We do not market to End Users, ever. If an End User contacts us directly (thinking we are the platform itself), we refer them to our customer. We do not provide support to End Users.

4. What data we collect

4.1 Visitors to schoolyland.com

Collected automatically: IP address; browser type and version; operating system; device type; pages visited and visit duration; referrer URL; campaign parameters (UTM), if present; and essential cookies (Section 12).

4.2 Prospects who fill in a form or contact us

First and last name; email address; the content of your messages; answers to any intake or fit-check questions; and the source of your inquiry.

4.3 Customers (after purchase)

Everything above, plus: billing details (name, email, billing address) — full payment details (card number, etc.) are held by PayPal under PCI-DSS and are never stored on Schoolyland’s servers; order history; your platform details — URL and access credentials (application passwords are stored encrypted with AES-256-CBC); support tickets and correspondence history; and service usage metadata (e.g., software versions, last activity).

4.4 MCP (AI layer) users

Your platform URL; an encrypted WordPress application password; a tenant token; your subscription tier; compatibility-check history; and audit logs containing metadata only — tool name, timestamp, status, and duration of each action, kept for 30 days and then deleted automatically.

What we never collect through the MCP service: the business content that passes through the tools (page text, email content, documents); your End Users’ data as our own; or the content of your AI conversations. Full detail: MCP Privacy Policy.

5. Purposes and legal bases (GDPR Art. 6)

# Purpose Legal basis
1 Delivering the services (platform setup, hosting, maintenance, support, MCP) Contract (Art. 6(1)(b))
2 Account management, billing, and invoicing Contract + legal obligation (Art. 6(1)(b), (c))
3 Responding to inquiries and support requests Contract / pre-contractual steps
4 Operational monitoring, availability, and security Legitimate interests (Art. 6(1)(f))
5 Service improvement and usage analysis Legitimate interests
6 Service updates and renewal notices to active customers Contract + legitimate interests
7 Marketing emails to prospects who opted in Consent (Art. 6(1)(a)) — withdrawable at any time
8 Handling data-subject requests Legal obligation
9 Record-keeping and legal compliance Legal obligation
10 Defending our rights in disputes Legitimate interests
11 Business transfers (merger, acquisition) Legitimate interests

We collect only the data needed for these purposes and do not use it for other purposes.

6. Subprocessors

To deliver our services, we work with the following external providers, which process data on our behalf:

Subprocessor Role Processing location
devim.cloud Hosting of schoolyland.com and Customer Platforms Germany (EU)
PayPal Payment processing Global (US/EU entities)
Mailgun Email delivery (transactional and marketing) EU / US
Bunny.net Video hosting and CDN EU (global CDN)
Anthropic (Claude) Processing of AI requests through the MCP service US
Cloudflare CDN, DNS, and security layer for schoolyland.com Global

Currently not in use on schoolyland.com: analytics tools (e.g., Google Analytics), advertising pixels, heatmap/behavior tools, or third-party chatbots. If we add any, we will update this Policy and, where required, request your consent first.

6.1 Changes to Subprocessors. We may add or replace a Subprocessor. A material change will be announced 30 days in advance where required.

6.2 Plugins on Customer Platforms. We install plugins on Customer Platforms (e.g., WooCommerce, FluentCRM, LearnDash, backup plugins). Some may process data or transfer it to their providers. The customer, as owner of the platform and controller of their End Users’ data, is responsible for reviewing each plugin’s terms, configuring it according to the laws that apply to them, and documenting it in their own privacy policy. Schoolyland is responsible for correct initial installation only.

6.3 Self-hosted management tools. Our internal site-management infrastructure runs on our own servers; it does not transfer Customer Platform data to third parties.

7. International data transfers

7.1 Where your data lives. Schoolyland’s servers and Customer Platforms hosted by us run on physical servers in Germany (EU), operated by devim.cloud.

7.2 Transfers to Israel. Schoolyland is established in Israel. The European Commission has issued an adequacy decision for Israel, so transfers of personal data from the EU/EEA to Israel are permitted under GDPR without additional safeguards.

7.3 Transfers to the US. Some providers (Anthropic, PayPal, parts of Mailgun, Cloudflare) process data in the United States. These transfers rely on the EU–US Data Privacy Framework where the provider is certified, and/or Standard Contractual Clauses (SCCs), together with the providers’ own security commitments.

8. Security

We apply multi-layered security measures:

  • Encryption in transit — all communication over HTTPS/TLS
  • Encryption at rest — sensitive credentials (application passwords, API keys) encrypted with AES-256-CBC
  • Payment data — processed by PayPal under PCI-DSS; never stored on our servers
  • Access control — strong authentication on internal management platforms, role-based permissions, and access on an operational need-to-know basis only
  • Full isolation between customers — containerized hosting; no customer can access another customer’s data
  • Monitoring — automated availability, performance, and access monitoring; audit logs contain technical metadata only, never business content
  • Infrastructure protection (devim.cloud) — backups twice daily with 14-day retention, real-time malware scanning and cleanup, DDoS protection, SSL with auto-renewal
  • Rate limiting and abuse prevention on the MCP service, including protection against SSRF, prompt injection, and related attack vectors

No system is perfectly secure. Schoolyland is not liable for security events beyond its reasonable control, subject to the liability terms in the Terms of Service.

9. Data breach procedure

Upon identifying a personal-data breach we: document the event immediately, isolate the vulnerability, and assess the scope; notify the competent supervisory authority within 72 hours where required by GDPR Art. 33; notify affected individuals without undue delay where the breach is likely to result in a high risk to them (Art. 34); and record the event and apply lessons learned.

10. Your rights

If you are in the EU/EEA or UK, you have the following rights under GDPR (and equivalent rights exist under Israeli privacy law):

  • Access (Art. 15) — receive a copy of the personal data we hold about you
  • Rectification (Art. 16) — correct inaccurate or outdated data
  • Erasure (Art. 17) — request deletion, where no legal ground requires retention (invoices, for example, must be kept 7 years under Israeli law)
  • Restriction of processing (Art. 18)
  • Data portability (Art. 20) — receive your data in a structured, machine-readable format (CSV/JSON)
  • Objection (Art. 21) — object to processing based on legitimate interests, and to direct marketing at any time
  • Withdraw consent (Art. 7(3)) — where processing is based on consent; every marketing email includes a working unsubscribe link, effective immediately
  • Complain to a supervisory authority — your local EU data-protection authority, or the Israeli Privacy Protection Authority

Exercising your rights: email [email protected] with your full name, the email associated with your account (for identity verification), and the details of your request. We respond within 30 days; in complex cases we may extend by a further 30 days with notice.

Account deletion vs. data deletion: closing your account ends the relationship and all services (see Terms of Service, Section 8); data we must keep by law (e.g., invoices) is retained. A specific erasure request under this section does not automatically end your services.

11. Data retention

Data type Retention period
Prospects who did not become customers 24 months from last contact
Active customers For the duration of the active agreement
Former customers 7 years from last payment (legal obligation — Israeli tax law)
Invoices and receipts 7 years (legal obligation)
MCP audit logs 30 days (automatic deletion)
General server/audit logs 12 months
Automatic platform backups 14 days (rolling)
Support conversations Duration of agreement + 24 months
Marketing list Until consent is withdrawn (unsubscribe)
Cookies Up to 24 months, by type (Section 12)

Deletion beyond the automatic items occurs upon a data-subject request (Section 10), as required by law, or when the data no longer serves a purpose.

12. Cookies

12.1 schoolyland.com currently uses essential cookies only: session and cart cookies (WooCommerce), login cookies for account holders, and security cookies set by our CDN/security layer (Cloudflare). Essential cookies do not require consent — they are necessary for the site to function.

12.2 We do not currently use analytics, advertising, or behavior-tracking cookies on schoolyland.com. If we introduce any, we will first present a consent banner and update this Policy.

12.3 You can block or delete cookies through your browser settings; blocking essential cookies may break checkout and login.

12.4 This section applies to schoolyland.com only. Customer Platforms are responsible for their own cookie policies.

13. Minors

Our services are intended for adults (18+) and registered business entities. We do not knowingly collect personal data from anyone under 18; if we learn that we have, we will delete it promptly. If our customer’s own audience includes minors, full responsibility for complying with the laws protecting minors’ data — including parental consent — rests with the customer, as controller of that data.

14. AI layer (MCP) — privacy specifics

14.1 What we collect: platform URL, encrypted credentials, and per-action metadata (tool name, timestamp, user identifier, result status, duration) — kept 30 days.

14.2 What we never collect: business content passing through the tools, your End Users’ data as our own, or the content of your AI conversations.

14.3 Transfer to Anthropic. Using the MCP service means that the specific data needed to execute each requested action is processed by Anthropic (Claude), under the Anthropic Privacy Policy. If you connect a different AI tool to your platform, that connection is made by you, under that provider’s terms.

14.4 Kill switch. You may revoke the platform application password or disable the MCP service at any time — this immediately stops all AI-layer processing.

14.5 Full details. This section is a summary. The complete privacy terms of the MCP service are published in the dedicated MCP Privacy Policy.

15. Disclosure required by law

We may disclose personal data: under a court order or binding legal demand; in legal proceedings to which Schoolyland is a party; to defend our legal rights (responding to claims, enforcing the Terms, preventing fraud or abuse); in a merger, acquisition, or sale of activity (subject to the recipient assuming the same privacy obligations, with prior notice where possible); or with your explicit consent. Where lawful, we will notify you before such disclosure.

16. Links to other sites

schoolyland.com may link to third-party sites and services. We are not responsible for their privacy practices; review their policies before sharing personal data.

17. Changes to this Policy

We may update this Policy from time to time. Material changes will be announced at least 30 days in advance by email and/or a prominent notice on the site; non-material changes take effect upon publication. The “Last updated” date appears at the top.

18. Contact

CONTACT — DATA CONTROLLER

Schoolyland

Email: [email protected]

Contact form: schoolyland.com/contact

EU/EEA residents may also contact their local data-protection authority. Israeli residents may contact the Privacy Protection Authority (Ministry of Justice).

Version 1.1, published July 2026. This Policy applies to services purchased through schoolyland.com. Services purchased through schoolyland.co.il are governed by the Hebrew Privacy Policy published there.

Companion documents: Terms of Service · MCP Terms of Service · MCP Privacy Policy

Schoolyland

Business infrastructure you own, connected to AI.

  • [email protected]

Navigate

  • Home
  • What you get
  • How it works
  • Pricing

Answers

  • FAQ
  • Documentation
  • Email us

Legal

  • Terms of Service
  • Privacy Policy
  • MCP Terms of Service
  • MCP Privacy Policy
  • Accessibility

© 2026 Schoolyland · All rights reserved