Last updated: 15 January 2026
At Lessonly, we are committed to protecting your personal data and respecting your privacy rights. This page explains your rights under the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR), and how you can exercise them.
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that gives individuals control over their personal data. Whether you are based in the United Kingdom or the European Economic Area (EEA), you have specific rights regarding how your personal data is collected, used, and stored.
This page should be read in conjunction with our Privacy Policy, which provides full details about how we process your personal data.
Under GDPR, the "data controller" is the organisation that determines the purposes and means of processing personal data. For Lessonly, the data controller is:
Lessonly Ltd
Company Registration Number:
Registered Address:
Website: https://lessonly.co.uk
We have appointed a Data Protection Officer to oversee our data protection strategy and ensure compliance with GDPR. You can contact our DPO for any data protection queries:
Under Article 6 of the GDPR, we must have a valid legal basis to process your personal data. We rely on the following legal bases:
Processing necessary to perform our contract with you or to take steps at your request before entering into a contract.
Examples: Creating your account, providing the Lessonly service, processing payments, customer support.
Processing necessary for our legitimate interests or those of a third party, provided your rights don't override those interests.
Examples: Improving our services, analytics, fraud prevention, security monitoring, business administration.
Processing based on your specific, informed, and unambiguous consent. You can withdraw consent at any time.
Examples: Marketing communications, optional analytics cookies, newsletter subscriptions.
Processing necessary to comply with a legal obligation to which we are subject.
Examples: Tax and accounting requirements, responding to lawful requests from authorities, regulatory compliance.
Where we rely on legitimate interests, we have conducted a Legitimate Interests Assessment (LIA) to balance our interests against your rights and freedoms. You can request a copy of our LIA by contacting our DPO.
Processing of your prompts and inputs by AI systems to provide the lesson generation service you have requested.
Legal basis: Contract performance (providing the service you requested) and, where applicable, consent for optional AI features.
Lessonly uses artificial intelligence to generate educational content. This section explains how AI processing relates to your GDPR rights.
When you use our AI-powered lesson generation features:
Article 22 of the GDPR gives you the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect you.
Our AI features do not fall under Article 22 because:
When you use AI features, the following data is processed:
| Data Type | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Lesson prompts | Generate content | Contract | Transient (up to 30 days by provider) |
| Subject/topic | Context for generation | Contract | Transient |
| Year group/key stage | Age-appropriate content | Contract | Transient |
| Curriculum preferences | Aligned content | Contract | Transient |
Our AI features are powered by third-party providers. Data transfers to these providers are protected by:
| Provider | Location | Transfer Safeguard | Training Data Policy |
|---|---|---|---|
| [e.g., OpenAI] | [e.g., USA] | [e.g., SCCs + UK Addendum] | Data not used for training |
| [e.g., Anthropic] | [e.g., USA] | [e.g., SCCs + UK Addendum] | Data not used for training |
In relation to AI processing, you have the right to:
We have contractual agreements with our AI providers ensuring that:
In accordance with Article 35 of the GDPR, we have conducted a Data Protection Impact Assessment for our AI features. This assessment evaluates the risks to your rights and freedoms and the measures we have implemented to mitigate those risks. You may request a summary of our DPIA by contacting our Data Protection Officer.
Under UK GDPR and EU GDPR, you have the following rights regarding your personal data. These rights are not absolute and may be subject to certain conditions and exemptions.
You have the right to obtain confirmation as to whether we process your personal data and, if so, to request access to that data. This is commonly known as a "Subject Access Request" (SAR).
What you can request:
You have the right to request correction of inaccurate personal data and to have incomplete data completed.
How to rectify your data:
You have the right to request deletion of your personal data in certain circumstances.
When you can request erasure:
Note: We may not be able to delete your data if we need to keep it for legal compliance, legal claims, or other lawful purposes. We will inform you if this is the case.
You have the right to request that we restrict processing of your personal data in certain circumstances.
When you can request restriction:
When processing is restricted, we will only store your data and not process it further without your consent (unless for legal claims, protecting others' rights, or important public interest).
You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
This right applies when:
Data formats we provide: JSON, CSV
You can export your data directly from your Lessonly account settings, or contact us for assistance.
You have the right to object to processing of your personal data in certain circumstances.
You can object to:
How to object: Email contact@lessonly.co.uk with details of your objection, or use the unsubscribe link in marketing emails.
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you.
Our approach:
Lessonly does not currently make any solely automated decisions that have legal or similarly significant effects on users. If this changes, we will update this policy and ensure you have the right to obtain human intervention, express your point of view, and contest the decision.
Where we process your data based on consent, you have the right to withdraw that consent at any time.
How to withdraw consent:
Note: Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
You can exercise any of your rights by contacting us using the methods below:
Data Protection Officer
Lessonly Ltd
To help us process your request efficiently, please include:
To protect your data, we may need to verify your identity before processing your request. This may include:
| Stage | Timeframe |
|---|---|
| Acknowledgement of request | Within 5 working days |
| Standard response | Within 1 month |
| Complex requests (extension) | Up to 3 months total |
If we need to extend the response time, we will inform you within one month of receiving your request, explaining why the extension is necessary.
In most cases, you will not have to pay a fee to exercise your rights. However, we may charge a reasonable fee if your request is:
Alternatively, we may refuse to comply with the request in such circumstances. If we charge a fee or refuse your request, we will inform you and explain our reasons.
For full details about the personal data we collect, please see our Privacy Policy. Below is a summary:
| Category | Examples | Legal Basis |
|---|---|---|
| Identity Data | Name, username, title | Contract |
| Contact Data | Email address, phone number | Contract |
| Professional Data | School name, job title, subjects taught | Contract |
| Account Data | Username, password (encrypted) | Contract |
| Technical Data | IP address, browser type, device info | Legitimate Interests |
| Usage Data | Pages visited, features used | Legitimate Interests |
| Content Data | Lesson plans, resources, documents | Contract |
| Marketing Data | Preferences, subscriptions | Consent |
We do not intentionally collect special category data (e.g., racial or ethnic origin, political opinions, religious beliefs, health data, biometric data). If you include such data in your content, you do so at your own discretion.
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, in accordance with Article 5(1)(e) of the GDPR (storage limitation principle).
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | Duration of account + 30 days | Service provision |
| User content | Until deleted or account closure + 30 days | Service provision |
| Transaction records | 7 years | Legal obligation (tax/accounting) |
| Analytics data | 26 months | Legitimate interests |
| Marketing consent | Until withdrawn + 3 years | Legal compliance |
| Support tickets | 3 years after resolution | Legitimate interests |
| Security logs | 12 months | Security/legitimate interests |
After the retention period expires, your data will be securely deleted or anonymised.
Your personal data may be transferred to, stored, and processed in countries outside the United Kingdom and European Economic Area (EEA). When we transfer your data internationally, we ensure appropriate safeguards are in place as required by Articles 44-49 of the GDPR.
Transfers to countries recognised by the UK Government or European Commission as providing adequate protection for personal data.
EU Commission-approved standard contractual clauses that provide appropriate safeguards for data transfers.
UK-specific transfer agreement approved by the ICO for transfers from the UK.
The UK Addendum used alongside EU SCCs to cover UK data transfers.
| Provider | Purpose | Location | Safeguard |
|---|---|---|---|
| Supabase | Database & authentication | EU (Frankfurt) / USA | SCCs |
| Vercel | Hosting | Global CDN | SCCs |
| [Payment Provider] | Payment processing | [Location] | [Safeguard] |
| [Email Provider] | Transactional emails | [Location] | [Safeguard] |
You may request a copy of the safeguards we have put in place for international transfers by contacting our DPO at contact@lessonly.co.uk.
In accordance with Article 32 of the GDPR, we have implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by Article 33). If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly (Article 34).
If you are not satisfied with how we handle your personal data or respond to your requests, you have the right to lodge a complaint with a supervisory authority.
Information Commissioner's Office (ICO)
Website: ico.org.uk
Telephone: 0303 123 1113
Live chat: ico.org.uk/live-chat
Address:
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
You may lodge a complaint with your local data protection authority. A list of EU/EEA supervisory authorities can be found at:
European Data Protection Board - Members
Common supervisory authorities:
Before contacting a supervisory authority: We would appreciate the opportunity to address your concerns directly. Please contact our Data Protection Officer at contact@lessonly.co.uk first, and we will do our best to resolve your issue.
We may update this GDPR information page from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by:
If you have any questions about this GDPR information, your rights, or our data practices, please contact us:
This page references the following GDPR articles:
Principles
Lawfulness
Consent
Transparency
Right of Access
Rectification
Erasure
Restriction
Portability
Right to Object
Automated Decisions
Security & Breach
Int'l Transfers
Right to Complain