Last updated: July 2026 · Version 1.1
This Privacy Policy describes how Schoolyland (“Schoolyland“, “we“, “us“) collects, uses, stores, transfers, and protects personal data in connection with our services at schoolyland.com.
This Policy applies to: every visitor to schoolyland.com · every prospect who fills in a form, leaves details, or otherwise contacts us · every Schoolyland customer · every user of the AI layer (MCP service).
This Policy is written with the EU General Data Protection Regulation (GDPR) as its baseline, and it applies alongside the privacy laws of the State of Israel, where Schoolyland is established. It should be read together with our Terms of Service and, for the AI layer, the MCP Privacy Policy.
1.1 Data controller: Schoolyland, a business registered in Israel (Business Registration No. 300638657), operator of schoolyland.com.
1.2 Contact for privacy matters:
Email: [email protected]
Contact form: schoolyland.com/contact
1.3 Note on our two roles. Schoolyland acts in two distinct roles: data controller — for data about visitors, prospects, and our own customers; and data processor — for data belonging to our customers’ own clients (“End Users“), which our customers collect through the platforms we build for them. See Section 3.
“Personal data” — any information relating to an identified or identifiable natural person. “Processing” — any operation performed on personal data (collection, storage, use, disclosure, transfer, deletion). “Customer Platform” — the WordPress platform Schoolyland builds and/or maintains for a customer. “End User” — a person who uses a Customer Platform (e.g., buys a course from our customer or joins their mailing list). “Subprocessor” — an external provider that processes data on our behalf (Section 6).
3.1 Your data (we are the controller). Data about you as a visitor, prospect, or customer of Schoolyland — we decide how and why it is processed, and this Policy governs it.
3.2 Your clients’ data (we are a processor). When our customer runs a platform with the systems we provide (CRM, store, courses, community), the customer collects data about their own End Users: names, emails, orders, course enrollment, community activity. That data belongs to our customer, who is its controller. Schoolyland processes it only on the customer’s behalf and instructions, as follows:
This section serves as a built-in summary of our data-processing commitments. Customers who require a formal, signed Data Processing Agreement (DPA) — contact us and we will provide one.
3.3 We do not market to End Users, ever. If an End User contacts us directly (thinking we are the platform itself), we refer them to our customer. We do not provide support to End Users.
Collected automatically: IP address; browser type and version; operating system; device type; pages visited and visit duration; referrer URL; campaign parameters (UTM), if present; and essential cookies (Section 12).
First and last name; email address; the content of your messages; answers to any intake or fit-check questions; and the source of your inquiry.
Everything above, plus: billing details (name, email, billing address) — full payment details (card number, etc.) are held by PayPal under PCI-DSS and are never stored on Schoolyland’s servers; order history; your platform details — URL and access credentials (application passwords are stored encrypted with AES-256-CBC); support tickets and correspondence history; and service usage metadata (e.g., software versions, last activity).
Your platform URL; an encrypted WordPress application password; a tenant token; your subscription tier; compatibility-check history; and audit logs containing metadata only — tool name, timestamp, status, and duration of each action, kept for 30 days and then deleted automatically.
What we never collect through the MCP service: the business content that passes through the tools (page text, email content, documents); your End Users’ data as our own; or the content of your AI conversations. Full detail: MCP Privacy Policy.
| # | Purpose | Legal basis |
|---|---|---|
| 1 | Delivering the services (platform setup, hosting, maintenance, support, MCP) | Contract (Art. 6(1)(b)) |
| 2 | Account management, billing, and invoicing | Contract + legal obligation (Art. 6(1)(b), (c)) |
| 3 | Responding to inquiries and support requests | Contract / pre-contractual steps |
| 4 | Operational monitoring, availability, and security | Legitimate interests (Art. 6(1)(f)) |
| 5 | Service improvement and usage analysis | Legitimate interests |
| 6 | Service updates and renewal notices to active customers | Contract + legitimate interests |
| 7 | Marketing emails to prospects who opted in | Consent (Art. 6(1)(a)) — withdrawable at any time |
| 8 | Handling data-subject requests | Legal obligation |
| 9 | Record-keeping and legal compliance | Legal obligation |
| 10 | Defending our rights in disputes | Legitimate interests |
| 11 | Business transfers (merger, acquisition) | Legitimate interests |
We collect only the data needed for these purposes and do not use it for other purposes.
To deliver our services, we work with the following external providers, which process data on our behalf:
| Subprocessor | Role | Processing location |
|---|---|---|
| devim.cloud | Hosting of schoolyland.com and Customer Platforms | Germany (EU) |
| PayPal | Payment processing | Global (US/EU entities) |
| Mailgun | Email delivery (transactional and marketing) | EU / US |
| Bunny.net | Video hosting and CDN | EU (global CDN) |
| Anthropic (Claude) | Processing of AI requests through the MCP service | US |
| Cloudflare | CDN, DNS, and security layer for schoolyland.com | Global |
Currently not in use on schoolyland.com: analytics tools (e.g., Google Analytics), advertising pixels, heatmap/behavior tools, or third-party chatbots. If we add any, we will update this Policy and, where required, request your consent first.
6.1 Changes to Subprocessors. We may add or replace a Subprocessor. A material change will be announced 30 days in advance where required.
6.2 Plugins on Customer Platforms. We install plugins on Customer Platforms (e.g., WooCommerce, FluentCRM, LearnDash, backup plugins). Some may process data or transfer it to their providers. The customer, as owner of the platform and controller of their End Users’ data, is responsible for reviewing each plugin’s terms, configuring it according to the laws that apply to them, and documenting it in their own privacy policy. Schoolyland is responsible for correct initial installation only.
6.3 Self-hosted management tools. Our internal site-management infrastructure runs on our own servers; it does not transfer Customer Platform data to third parties.
7.1 Where your data lives. Schoolyland’s servers and Customer Platforms hosted by us run on physical servers in Germany (EU), operated by devim.cloud.
7.2 Transfers to Israel. Schoolyland is established in Israel. The European Commission has issued an adequacy decision for Israel, so transfers of personal data from the EU/EEA to Israel are permitted under GDPR without additional safeguards.
7.3 Transfers to the US. Some providers (Anthropic, PayPal, parts of Mailgun, Cloudflare) process data in the United States. These transfers rely on the EU–US Data Privacy Framework where the provider is certified, and/or Standard Contractual Clauses (SCCs), together with the providers’ own security commitments.
We apply multi-layered security measures:
No system is perfectly secure. Schoolyland is not liable for security events beyond its reasonable control, subject to the liability terms in the Terms of Service.
Upon identifying a personal-data breach we: document the event immediately, isolate the vulnerability, and assess the scope; notify the competent supervisory authority within 72 hours where required by GDPR Art. 33; notify affected individuals without undue delay where the breach is likely to result in a high risk to them (Art. 34); and record the event and apply lessons learned.
If you are in the EU/EEA or UK, you have the following rights under GDPR (and equivalent rights exist under Israeli privacy law):
Exercising your rights: email [email protected] with your full name, the email associated with your account (for identity verification), and the details of your request. We respond within 30 days; in complex cases we may extend by a further 30 days with notice.
Account deletion vs. data deletion: closing your account ends the relationship and all services (see Terms of Service, Section 8); data we must keep by law (e.g., invoices) is retained. A specific erasure request under this section does not automatically end your services.
| Data type | Retention period |
|---|---|
| Prospects who did not become customers | 24 months from last contact |
| Active customers | For the duration of the active agreement |
| Former customers | 7 years from last payment (legal obligation — Israeli tax law) |
| Invoices and receipts | 7 years (legal obligation) |
| MCP audit logs | 30 days (automatic deletion) |
| General server/audit logs | 12 months |
| Automatic platform backups | 14 days (rolling) |
| Support conversations | Duration of agreement + 24 months |
| Marketing list | Until consent is withdrawn (unsubscribe) |
| Cookies | Up to 24 months, by type (Section 12) |
Deletion beyond the automatic items occurs upon a data-subject request (Section 10), as required by law, or when the data no longer serves a purpose.
12.1 schoolyland.com currently uses essential cookies only: session and cart cookies (WooCommerce), login cookies for account holders, and security cookies set by our CDN/security layer (Cloudflare). Essential cookies do not require consent — they are necessary for the site to function.
12.2 We do not currently use analytics, advertising, or behavior-tracking cookies on schoolyland.com. If we introduce any, we will first present a consent banner and update this Policy.
12.3 You can block or delete cookies through your browser settings; blocking essential cookies may break checkout and login.
12.4 This section applies to schoolyland.com only. Customer Platforms are responsible for their own cookie policies.
Our services are intended for adults (18+) and registered business entities. We do not knowingly collect personal data from anyone under 18; if we learn that we have, we will delete it promptly. If our customer’s own audience includes minors, full responsibility for complying with the laws protecting minors’ data — including parental consent — rests with the customer, as controller of that data.
14.1 What we collect: platform URL, encrypted credentials, and per-action metadata (tool name, timestamp, user identifier, result status, duration) — kept 30 days.
14.2 What we never collect: business content passing through the tools, your End Users’ data as our own, or the content of your AI conversations.
14.3 Transfer to Anthropic. Using the MCP service means that the specific data needed to execute each requested action is processed by Anthropic (Claude), under the Anthropic Privacy Policy. If you connect a different AI tool to your platform, that connection is made by you, under that provider’s terms.
14.4 Kill switch. You may revoke the platform application password or disable the MCP service at any time — this immediately stops all AI-layer processing.
14.5 Full details. This section is a summary. The complete privacy terms of the MCP service are published in the dedicated MCP Privacy Policy.
We may disclose personal data: under a court order or binding legal demand; in legal proceedings to which Schoolyland is a party; to defend our legal rights (responding to claims, enforcing the Terms, preventing fraud or abuse); in a merger, acquisition, or sale of activity (subject to the recipient assuming the same privacy obligations, with prior notice where possible); or with your explicit consent. Where lawful, we will notify you before such disclosure.
schoolyland.com may link to third-party sites and services. We are not responsible for their privacy practices; review their policies before sharing personal data.
We may update this Policy from time to time. Material changes will be announced at least 30 days in advance by email and/or a prominent notice on the site; non-material changes take effect upon publication. The “Last updated” date appears at the top.
Schoolyland
Email: [email protected]
Contact form: schoolyland.com/contact
EU/EEA residents may also contact their local data-protection authority. Israeli residents may contact the Privacy Protection Authority (Ministry of Justice).
Version 1.1, published July 2026. This Policy applies to services purchased through schoolyland.com. Services purchased through schoolyland.co.il are governed by the Hebrew Privacy Policy published there.
Companion documents: Terms of Service · MCP Terms of Service · MCP Privacy Policy