Privacy Policy — คุณไก่ทวง (Khun Kai Tuang)

Version: 1.0 Effective date: 28 April 2026 Last updated: 28 April 2026

At a glance — quick answers

Most of this policy is the legal detail, but here are the things teachers most often ask:

We never sell your data. Not to advertisers, not to other companies, not for any reason. (See §7.5.)
AI training is opt-in. You choose at signup. You can withdraw anytime. (See §5.)
Storage is in Thailand. Submission files live in AWS Bangkok (ap-southeast-7). (See §8.)
You can export or delete your data at any time. (See §11.)
If Inskru ever shuts down or is acquired, you get 90 days' notice plus a data export tool. (See Terms of Service §11A.)
For students under 20, the teacher and the school manage parental consent — we never talk to students directly. (See §12.)

The rest of this document explains the legal detail behind each of those points. If anything is unclear in either Thai or English, email inskruteam@inskru.com — we'd rather you ask than sign blindly.

1. Introduction

We're Inskru, a small team in Bangkok building tools that help Thai teachers spend less time chasing assignments and more time teaching. This Privacy Policy is how we tell you — clearly, in writing, and in both languages — what data we collect, why we collect it, and what we will (and won't) do with it. We follow Thailand's Personal Data Protection Act B.E. 2562 (2019) ("PDPA") not because we're required to, but because we want teachers and schools to trust us with their classrooms.

คุณไก่ทวง is an Inskru product that helps teachers run classrooms on LINE: posting assignments, collecting student work, grading quizzes, sharing feedback, and managing class workflows.

Data Controller:

Company: บริษัท อินสครู จำกัด (Inskru Company Limited)
Registered address: เลขที่ 1 ซอยนาคนิวาส 27 แยก 34 ถนนนาคนิวาส แขวงลาดพร้าว เขตลาดพร้าว กรุงเทพมหานคร 10230
Tax ID: 0-1055-61073-38-8
Privacy contact: inskruteam@inskru.com
General contact: inskruteam@inskru.com
Website: https://inskru.com

Data Protection Officer (DPO):

Email: inskruteam@inskru.com

This policy applies specifically to the คุณไก่ทวง product. Other Inskru products have their own policies; see https://inskru.com.

2. Who this policy applies to

Teachers registering and using คุณไก่ทวง
Students whose work, identity, and activity are uploaded by their teachers
Parents/guardians acting for minor students
School administrators managing classes through คุณไก่ทวง

3. Personal data we collect

We collect data across three layers of the product. The list below is not in priority order — every category may be used as described in Section 4 and Section 5.

3.1 Account & identity data

Teacher: LINE display name, profile picture, LINE user ID, email address (dashboard), school affiliation, grade level, subject areas
Student: full name, nickname, student ID number, LINE user ID
Optional: connected Google account (only if you connect Drive)
Authentication tokens, session data

3.2 Classroom & curriculum data

Class lists, classroom names, school year, term
Group memberships and group assignments
Assignments: titles, descriptions, instructions, due dates, attachments
Quizzes: questions, answer keys, grading rubrics, AI prompt templates
Custom feedback templates and saved responses

3.3 Student work & assessment data

Submitted files (images, documents, audio, video)
Submitted text and links
Quiz answers (multiple choice, short answer, image upload)
Submission metadata: timestamps, revision history, group authorship
Grades, scores, and pass/fail status
Teacher feedback and comments on submissions
AI-generated grading suggestions, and your accept/reject decisions

3.4 Communication data

LINE notifications sent to teachers and students through คุณไก่ทวง
In-app announcements and messages
Support inquiries (email, in-app chat)

3.5 Usage & technical data

Pages and features accessed, click patterns, session duration
Device type, browser version, screen size
IP address (used only for approximate region detection and abuse prevention)
Error logs and crash reports
Cookies and similar technologies (Section 13)

3.6 Payment data (paid tier only)

When you upgrade to the paid tier:

Transaction reference, amount, currency, payment status
Last 4 digits of payment card / payment method type
Billing email address
Date and time of payment

Full card numbers, CVV, and bank credentials are collected and stored by our payment processor, not by us. We never see or store full payment credentials.

3.7 Data we do NOT collect

Biometric data
Full payment credentials (card numbers, CVV, bank passwords)
Precise location data
Browsing activity outside the Service

4. Why we use your data (purposes)

We process personal data only for these specified purposes:

Purpose	Categories used	Lawful basis (PDPA §24)
Provide the Service	All operational data	Contract performance / legitimate interest
Authenticate users	Account & identity data	Contract performance
Distribute and grade student work	Classroom, student work, communication data	Contract performance
Send class-related notifications via LINE	Communication, identity data	Contract performance
Process subscription payments	Payment data, identity data	Contract performance
Sync your work to your Google Drive	Submission content, Drive credentials	Consent (opt-in)
AI-assisted grading on individual submissions	Submission content, rubric, prior decisions	Consent (opt-in)
Improve the Service through usage analytics	Usage data, anonymized event logs	Legitimate interest
Develop and improve AI features	All categories above, in de-identified form	Consent (separate opt-in at signup, see Section 5)
Send marketing communications about new features and offers	Account & identity data, communication channels	Consent (separate opt-in at signup, see Section 6)
Comply with legal obligations (incl. tax/accounting)	Any category as required	Legal obligation
Investigate security incidents	Audit logs, account data, technical data	Legitimate interest

We will not use your data for purposes incompatible with the above without obtaining your fresh consent.

5. Use of your data for AI development and improvement

5.1 Default: AI development is opt-in

By default, we do NOT use your data — including assignments, submissions, feedback, quiz answers, grading patterns, classroom information, or usage data — to develop or improve AI features.

You may grant separate, optional consent at signup (or any time later) via a dedicated consent checkbox. Refusing this consent does not affect your access to the Service in any way.

5.2 What you consent to (if you opt in)

The consent specifically authorizes the following activities, all performed on your data in de-identified form (with full names, LINE IDs, email addresses, student ID numbers, and school names stripped before any use):

Training — using your data as input to machine-learning models that improve their grading suggestions, feedback drafts, plagiarism detection, and the other AI features listed in §5.6.
Evaluating — using your data (and your accept/reject decisions on AI suggestions) to measure the accuracy and quality of our AI features over time.
Improving — using insights from your data to make existing AI features better, fix problems with their behavior, and develop new AI features within the Inskru product family that address the same educational use cases.

We retain de-identified development datasets for as long as legally permitted under your consent. We will not use these datasets for any other purpose without obtaining fresh consent.

5.3 What "all categories" covers

The following types of data may be used (still de-identified):

Submission content (files, text, links, quiz answers)
Teacher-authored content (assignments, rubrics, feedback comments, prompt templates)
Grading patterns (which submissions got which scores, why)
Classroom workflows (how teachers structure their assignments and feedback cycles)
Quiz response patterns (how students approach different question types)
Aggregated usage signals (which features are used together, common navigation paths)

5.4 What is NEVER used for AI development, even with your consent

Authentication credentials, passwords, OAuth tokens
Direct identifiers: full names, LINE IDs, email addresses, student ID numbers, school names (these are stripped before any development use)
Full payment credentials (we never collect them; Stripe handles them)
Data from users who have not consented or have withdrawn consent
Data from minor students under 10 unless their parents/guardians have consented through their teacher (see 5.7)
Data the user has explicitly deleted via the right to erasure

5.5 Withdrawing consent

You can withdraw consent at any time by emailing inskruteam@inskru.com. We will:

Stop adding your new data to development datasets immediately upon receiving your request
Use commercially reasonable efforts to delete or further anonymize your historical contributions to existing development datasets within 90 days. Where contributions cannot be isolated (e.g., already aggregated into trained model parameters), we will document this in our response to your withdrawal request
Confirm the withdrawal in writing

Important limitation: AI models that have already been trained on your historical data cannot be untrained — this is a known limitation of machine learning, not a refusal on our part. New models developed after your withdrawal will not include your data.

5.6 What kinds of AI features we may build

For transparency, AI features developed using this data may include (but are not limited to):

Improved automated grading suggestions
Auto-generated feedback drafts
Plagiarism and originality detection
Question-quality assessment for teachers
Personalized learning recommendations for students
Teacher productivity tools (assignment templates, smart filters)

We will not use this data to:

Develop AI models for purposes unrelated to education
Sell or license development datasets to other companies
Target advertising to you or your students

5.7 Children and AI development

Data from minor students (under 20 in Thailand under PDPA §20) is used in AI development only when:

The teacher who registered the student into the Service has provided AI consent at signup (Section 5.1), AND
The teacher has confirmed they have obtained appropriate parental/guardian consent under their school's data handling policy.

For students under 10, parental consent is mandatory under PDPA §20(1). Teachers must confirm this consent before adding under-10 students. Parents may withdraw consent for their specific child's data at any time by contacting their child's teacher or our DPO directly (see Section 12).

Note: The teacher-mediated (school-mediated) consent model used here follows industry-standard EdTech practice (Google Classroom, Khan Academy, Seesaw). Teachers warrant via Section 3 of our Terms of Service that they have obtained necessary parental consents. See Privacy Policy §12 for the full framework.

6. Marketing communications

6.1 Default: marketing is opt-in

By default, we do NOT send you marketing communications about new features, tips, or special offers. You will continue to receive service notifications required for using the Service (assignment alerts, submission notifications, billing, legal notices) regardless of your marketing preference — these are part of the Service itself, not marketing.

6.2 What you consent to (if you opt in)

If you provide marketing consent at signup (or any time later), we may send you:

LINE messages about new features, product tips, and learning content
Email newsletters
In-app notifications about promotions, special offers, and product updates
Surveys and feedback requests

6.3 Withdrawing marketing consent

You can withdraw marketing consent at any time:

Click Unsubscribe at the bottom of any email we send
Use the LINE OA's "Stop notifications" command (see help center)
Email inskruteam@inskru.com
Toggle off the marketing preference in your account settings (when available)

We will stop sending marketing communications within 7 days of receiving your request. Service notifications continue regardless.

6.4 What we will NEVER do

Share your contact information with third-party advertisers
Send marketing on behalf of unrelated companies
Use marketing communications to circumvent consent for other purposes (e.g. AI development)

We comply with Thailand's Direct Marketing Act B.E. 2545 (2002) in addition to the PDPA.

7. How we share your data

7.1 Service providers (data processors)

LINE Corporation — for messaging and authentication
Google LLC — only if you connect Google Drive for backup
Amazon Web Services, Inc. (Asia Pacific Thailand region) — for file storage
Supabase Inc. — for database hosting
Vercel Inc. — for application hosting
Stripe Inc. — for processing subscription and one-time payments (card and PromptPay). Full card and bank credentials are submitted directly to Stripe and never reach our servers. Your use of payment features is also subject to Stripe's privacy policy.
Anthropic, OpenAI, or other AI providers — for AI-assisted grading on individual submissions, if you opt into that feature

Each processor is bound by a data processing agreement (DPA) under PDPA §40, requiring them to handle data only on our instructions and to PDPA-equivalent security standards.

7.2 Within your school

Teachers can view submissions from their own students
If your school has purchased an institutional package and you have joined it by entering the school's package code, the school's designated administrator can view, for teachers in that package only:
- your full name and LINE display name
- the school name you self-reported on signup
- the date you joined the package
- the list of classrooms you manage
- the titles, due dates, and submission counts of assignments you have created
- your active or inactive status (based on last activity)
- the full names, LINE display names, student numbers, and LINE profile pictures of students enrolled in your classrooms
- grade metadata for those students' submissions (score, status, submission timestamp) — but not the submission content itself
The school administrator cannot see student submission content, AI grading content, the contents of your assignments, your email address, your LINE user ID, or any data outside the package.

Lawful basis: contractual necessity (PDPA §24(3)) between Inskru and the school, combined with the school's legitimate interest (PDPA §24(5)) in overseeing the use of a package it purchased. The relationship between your school and Inskru is governed by a separate Institutional Package Agreement; the in-product disclosure shown when you enter the school code lists exactly what your administrator will see, and you must confirm before joining.

7.3 Other Inskru products

We may share aggregated, anonymized usage data with other Inskru Company Limited products to improve our overall service quality. No identifiable personal data is shared between products without your consent.
Your acceptance of this Privacy Policy at signup includes consent for us to use de-identified data (per Section 5) to develop AI features that may be deployed across multiple Inskru products.

7.4 Legal requirements

We may disclose data when required by Thai law, court order, or to protect our legal rights. We will notify affected users where legally permitted.

7.5 We will NEVER

Sell your personal data to third parties
Share student work with anyone outside your school without your consent
Allow third-party advertisers to access your data
Provide identifiable data to AI providers without your active opt-in
Use minor student data for AI training without parental consent

8. International data transfers

Primary storage location: Most personal data is stored in Thailand (AWS ap-southeast-7 region, Bangkok). However, certain categories may be processed in or transit through other regions (see below).

Storage location nuances:

New file storage and database hosting is in Thailand (AWS ap-southeast-7).
Historical data from before our Thailand migration may still reside in Singapore (Supabase) until we complete the backfill to the Bangkok region.
AI grading services (Anthropic, OpenAI) operate from servers in the United States and Europe. When you opt into AI grading on a submission, that submission is sent to these providers.
Google Drive sync (optional, your consent) transfers files to Google servers, which may be located outside Thailand.
Vercel application hosting may serve requests from edge servers in Asia-Pacific.
AI training infrastructure may use computing resources outside Thailand. Your de-identified training data (per Section 5) may be processed on servers in the United States, Europe, or Singapore for model training.

For each international transfer we rely on:

Your consent (PDPA §28(1)) — granted by accepting this Privacy Policy at signup, plus the per-feature opt-ins for AI grading and Drive sync, OR
The recipient's adherence to standards equivalent to PDPA (PDPA §28(2)) via our data processing agreements with them.

9. How long we keep your data

Data category	Retention period
Account data (teachers, students)	While your account is active + 1 year after last activity
Assignments, quizzes, rubrics	While account is active; archived when account is deleted
Feedback, grades, AI suggestions	Linked to assignments; same retention
Submission files (active access)	Typically at least 180 days from upload, accessible via the Service
Submission files (archived)	Files older than 180 days may be moved to long-term archive; retained for at least 5 years for grade dispute / academic record purposes; may be permanently deleted thereafter
Payment records (transaction reference, amount, last 4 digits, billing email)	5 years from transaction date, as required by Thai tax and accounting law
Notification logs (LINE messages)	As retained by the LINE platform
Application logs	As required by our infrastructure providers (typically around 30 days)
Backup copies	As required by infrastructure provider retention policies (typically 30-35 days)
AI training datasets (with consent)	Retained as long as legally permitted under your consent; commercially reasonable efforts to delete/anonymize within 90 days of consent withdrawal
Account deletion requests	Processed within 30 days; some data retained for legal compliance up to 5 years

About the 180-day file archival

After approximately 180 days, submitted files may become inaccessible through the normal Service interface. They remain securely stored in long-term archive and can be:

Accessed through your Google Drive backup (if you connected Drive)
Restored on request via support (typically 12 to 48 hours due to long-term archive retrieval times)

We strongly recommend connecting Google Drive if you need long-term in-app access. This 180-day window applies only to files; account, classroom, and assignment data remain accessible until your account is deleted.

After your account is deleted, all personal data is permanently removed except where retention is required by Thai law (e.g., audit logs).

10. How we keep your data secure

Encryption in transit: Industry-standard TLS protocols
Encryption at rest: Industry-standard algorithms (AES-256 or equivalent) provided by our infrastructure providers
Access controls: Role-based access; production data access is restricted to authorized engineers and audited via our infrastructure provider's logging
Network security: Private bucket policies, signed-URL access only, region-locked storage in Thailand for new file uploads
Authentication: LINE Login or Supabase Auth
Vulnerability monitoring: Error tracking and automated dependency scanning
Backups: Encrypted backups maintained by our infrastructure providers

If we detect a personal data breach, we will notify the Personal Data Protection Committee within 72 hours and affected users within a reasonable time, in line with PDPA §37(4).

11. Your rights under the PDPA

Right	What it means	How to exercise
Right to be informed (§23)	Know how your data is used	This document; contact us
Right of access (§30)	Get a copy of your data	Email DPO; we respond within 30 days
Right to rectification (§35–36)	Correct inaccurate data	Account settings or email DPO
Right to erasure (§33)	Delete your data	Request via app or email DPO
Right to data portability (§31)	Receive data in machine-readable format	Email DPO
Right to restrict processing (§34)	Pause use of your data while a dispute is resolved	Email DPO
Right to object (§32)	Object to processing for specific purposes	Email DPO
Right to withdraw consent	Withdraw any consent at any time	Account settings (for Drive sync, AI grading) or email DPO (for AI training and others)
Right to lodge a complaint	Complain to the PDPC	https://www.pdpc.or.th

To exercise any right, contact our DPO at inskruteam@inskru.com. We will:

Verify your identity before acting
Respond within 30 days (extendable to 60 days for complex requests with notice)
Not charge a fee unless the request is manifestly unfounded

Note on archived files: if you request access to or deletion of files older than 180 days that have been archived, the operation typically takes 12 to 48 hours due to long-term archive retrieval times.

12. Children's privacy

คุณไก่ทวง serves K-12 education. Much of our processed data belongs to minors under 20 years old (the threshold for full legal capacity in Thailand under PDPA §20).

12.1 Our model — school-mediated consent

Schools and teachers, acting under their educational mandate, are the parties with the direct relationship to students and their parents. They are best positioned — and legally responsible under the Education Act and the Civil and Commercial Code — to obtain consent for student participation in classroom activities, including the use of educational technology like คุณไก่ทวง.

This means:

Schools and teachers are the data controllers with respect to parental consent collection. By using the Service, teachers represent and warrant (per Section 3 of our Terms of Service) that they have obtained any required parental or guardian consents under their school's data handling policies.
Inskru is a data processor / joint controller for the technical delivery of the Service. We rely on the teacher's representation that proper consent has been obtained at the school level.
For students under 10 (PDPA §20(2)): parental consent is mandatory. The teacher's representation upon registering an under-10 student includes a warranty that this consent has been obtained and is on file at the school.
For students 10–19 (PDPA §20(1) read with Civil and Commercial Code §§22-24): consent requirements depend on the minor's capacity for the specific act. The teacher manages this in line with their school's policy.

This framework follows the standard EdTech model used by Google Classroom, Khan Academy, Seesaw, and other platforms operating in Thai schools, and aligns with how Thai schools have historically handled student data and educational technology consents.

12.2 Parental rights

Parents/guardians of minor students have the right to:

Access their child's data
Request deletion of their child's data
Object to AI training use of their child's data (overrides teacher-level consent for that specific child)
Withdraw consent for any opt-in feature affecting their child

To exercise these rights, parents should contact the child's teacher first (who can act through คุณไก่ทวง's parental rights tools), or contact our DPO directly with proof of relationship.

12.3 What we don't do with children's data

We do not market to minor students
We do not allow third-party advertisers to access student data
We do not include under-10 student data in AI development datasets unless the registering teacher has provided AI consent at signup AND represented that they have obtained verified parental consent
We honor parental withdrawal requests by removing the affected child's data from AI development corpora within 90 days
We do not require students themselves to create accounts with individual passwords — students access the Service through their teacher's class, never directly

12.4 School-package context

Where a school has purchased an institutional package (Section 7.2), the school's designated administrator sees the names of students enrolled in participating teachers' classes, including students who are minors under PDPA §20. The Institutional Package Agreement between Inskru and the school requires the school administrator to:

not contact those minor students or their parents/guardians directly using the data viewed in the school portal
not use minor students' personal data for any purpose other than oversight of teacher activity
refer any parental inquiry about a minor's data to Inskru, where the Section 12.1 process applies

Inskru remains the primary point of contact for parental rights exercises. The school administrator is not authorised to act on parental data subject rights requests under PDPA.

13. Cookies and tracking technologies

Cookie/technology	Purpose	Duration
Session cookies	Keep you signed in	Until logout
Preference cookies	Remember language and UI settings	1 year
Authentication tokens (Supabase, LINE)	Authenticate API requests	1 hour to 30 days
Analytics (anonymized)	Understand feature usage	30 days

We do not use third-party advertising cookies or cross-site tracking. You can disable cookies in your browser, but the Service may not function correctly without them.

14. Changes to this Privacy Policy

We may update this policy to reflect:

Changes to the Service (new features, integrations, AI capabilities)
Changes in Thai law or PDPA guidance
Changes to our data practices

For material changes (new purposes, new data categories, new recipients), we will:

Notify you via LINE message and/or email at least 30 days before the change takes effect
Where required by PDPA, request your fresh consent before applying the change to your data

If Inskru is shut down or acquired, see Terms of Service §11A for our operational commitments. Your personal data remains governed by this Privacy Policy under any successor entity until you receive 30 days' notice of any material change, at which point you may opt out (treated as an account-deletion request subject to PDPA retention exceptions).

Continued use of the Service after the effective date of a change constitutes acceptance of the updated policy.

15. Contact us

Data Protection Officer: inskruteam@inskru.com
Mailing address: เลขที่ 1 ซอยนาคนิวาส 27 แยก 34 ถนนนาคนิวาส แขวงลาดพร้าว เขตลาดพร้าว กรุงเทพมหานคร 10230
General inquiries: inskruteam@inskru.com

You may also lodge a complaint with the Personal Data Protection Committee (PDPC) at https://www.pdpc.or.th if you believe we have violated your rights under the PDPA.