Privacy Policy

Last updated: 15 January 2026

1. Introduction

Welcome to Lessonly. We are committed to protecting and respecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our web application designed for teachers and educators.

Please read this policy carefully to understand our practices regarding your personal data. By using Lessonly, you acknowledge that you have read and understood this Privacy Policy.

2. Data Controller

For the purposes of UK data protection law, the data controller is:

Lessonly Ltd

Company Registration Number:

Registered Address:

Email: contact@lessonly.co.uk

If you have any questions about this Privacy Policy or our data practices, please contact our Data Protection Officer at contact@lessonly.co.uk.

3. Personal Data We Collect

3.1 Information You Provide

We collect personal data that you voluntarily provide when registering or using Lessonly:

  • Identity Data: Full name, username, title
  • Contact Data: Email address, phone number (optional)
  • Professional Data: School/institution name, job title, subjects taught, key stage/year groups
  • Account Data: Username and password (encrypted)
  • Profile Data: Profile picture, preferences, settings

3.2 Information Collected Automatically

When you use our Service, we automatically collect:

  • Technical Data: IP address, browser type and version, operating system, device type
  • Usage Data: Pages visited, features used, time spent on pages, click patterns
  • Location Data: Approximate location based on IP address
  • Log Data: Access times, error logs, referring URLs

3.3 Educational Content

We collect content you create or upload:

  • Lesson plans and schemes of work
  • Teaching resources and materials
  • Timetables and calendar events
  • Notes, comments, and annotations
  • Uploaded documents and files

4. Lawful Basis for Processing

Under UK GDPR, we must have a lawful basis for processing your personal data. We rely on the following legal bases:

Purpose | Lawful Basis
Creating and managing your account | Contract performance
Providing the Service | Contract performance
Processing payments | Contract performance
Sending service updates and notifications | Contract performance / Legitimate interests
Improving our Service | Legitimate interests
Analytics and performance monitoring | Legitimate interests
Marketing communications | Consent
Preventing fraud and ensuring security | Legitimate interests / Legal obligation
Complying with legal requirements | Legal obligation

Legitimate Interests: Where we rely on legitimate interests, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms.

5. How We Use Your Personal Data

We use your personal data for the following purposes:

  • To register you as a user and create your account
  • To provide, operate, and maintain the Lessonly Service
  • To personalise your experience and deliver relevant content
  • To process transactions and manage billing
  • To communicate with you about your account, updates, and support
  • To send you marketing communications (where you have consented)
  • To analyse usage patterns and improve our Service
  • To detect, prevent, and address technical issues or security threats
  • To comply with our legal and regulatory obligations
  • To enforce our Terms of Service

6. Data Sharing and Disclosure

We do not sell your personal data to third parties. We may share your personal data only in the following circumstances:

6.1 Service Providers

We share data with trusted third-party service providers who assist us in operating our Service:

  • Supabase: Database hosting and authentication (data may be processed in the EU/EEA)
  • Payment processors: To process subscription payments
  • Email service providers: To send transactional emails
  • Analytics providers: To analyse Service usage

All service providers are contractually bound to process your data only on our instructions and in compliance with UK GDPR.

6.2 Legal Requirements

We may disclose your personal data if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency).

6.3 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your personal data may be transferred. We will provide notice before your data is transferred and becomes subject to a different privacy policy.

6.4 Artificial Intelligence and Automated Processing

Important: Lessonly uses artificial intelligence (AI) technology to help generate lesson plans and educational content. This section explains how we use AI and how your data is processed.

6.5 How We Use AI

Lessonly incorporates AI-powered features to assist teachers in creating educational content. Our AI features include:

  • Generating lesson plan suggestions and outlines
  • Creating learning objectives and success criteria
  • Suggesting teaching activities and resources
  • Generating differentiated content for various ability levels
  • Creating assessment questions and quizzes
  • Providing curriculum-aligned content suggestions

6.6 AI Service Providers

To provide our AI features, we use third-party AI service providers. When you use AI features, the following data may be shared with these providers:

  • Your prompts and instructions (e.g., topic, year group, subject)
  • Context you provide about the lesson
  • Selected preferences (e.g., curriculum, difficulty level)

Provider | Purpose | Data Shared | Location
[AI PROVIDER - e.g., OpenAI] | Content generation | Prompts, context | [LOCATION]

6.7 Data Sent to AI Providers

When you use our AI features, we send the following information to our AI service providers:

✅ Data We DO Send

  • Your lesson generation prompts
  • Subject, topic, and year group
  • Curriculum preferences (e.g., National Curriculum)
  • Lesson duration and structure preferences
  • Differentiation requirements you specify

❌ Data We DO NOT Send

  • Your name or email address
  • Your school or institution name
  • Student names or personal data
  • Your account credentials
  • Payment information

6.8 AI Training Data

Your data is not used to train AI models.

We have agreements with our AI providers that your prompts and the content generated for you will not be used to train their AI models. Your data is processed only to provide you with the requested output.

6.9 AI Data Retention

Data sent to AI providers for processing:

  • Is processed in real-time to generate your content
  • May be temporarily retained by the provider for up to 30 days for abuse monitoring and safety purposes
  • Is not permanently stored by AI providers
  • Generated content is stored in your Lessonly account until you delete it

6.10 Your Choices Regarding AI

You have the following choices regarding AI features:

  • AI features are optional – you can create content manually without using AI
  • You can review, edit, or delete any AI-generated content
  • You maintain full control over whether to use or save AI-generated content
  • You can request information about AI processing by contacting us

7. International Data Transfers

Your personal data may be transferred to, and processed in, countries outside the United Kingdom. When we transfer your data outside the UK, we ensure appropriate safeguards are in place:

  • Transfers to countries with an adequacy decision from the UK Government
  • Standard Contractual Clauses (SCCs) approved by the ICO
  • International Data Transfer Agreement (IDTA)
  • Binding Corporate Rules where applicable

You may request a copy of the safeguards we have put in place by contacting us at contact@lessonly.co.uk.

8. Data Security

We have implemented appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures include:

  • Encryption of data in transit (TLS/SSL) and at rest
  • Secure password hashing using industry-standard algorithms
  • Row-level security policies for database access
  • Regular security assessments and penetration testing
  • Access controls and authentication mechanisms
  • Regular automated backups
  • Staff training on data protection

Whilst we implement safeguards designed to protect your data, no security system is impenetrable. We cannot guarantee the absolute security of your data.

9. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements.

To determine the appropriate retention period, we consider:

  • The nature and sensitivity of the personal data
  • The potential risk of harm from unauthorised use or disclosure
  • The purposes for which we process the data
  • Applicable legal requirements

Retention periods:

  • Account data: Retained whilst your account is active, plus 30 days after deletion
  • User content: Deleted within 30 days of account deletion
  • Transaction records: 7 years (legal requirement)
  • Usage/analytics data: 26 months
  • Marketing consent records: 3 years after last interaction

10. Your Rights Under UK GDPR

Under UK data protection law, you have the following rights:

Right of Access

You have the right to request a copy of the personal data we hold about you (known as a "Subject Access Request").

Right to Rectification

You have the right to request correction of inaccurate or incomplete personal data.

Right to Erasure ("Right to be Forgotten")

You have the right to request deletion of your personal data in certain circumstances.

Right to Restrict Processing

You have the right to request that we restrict processing of your personal data in certain circumstances.

Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format.

Right to Object

You have the right to object to processing based on legitimate interests or for direct marketing purposes.

Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw consent at any time.

Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that significantly affect you.

To exercise any of these rights:

  • Email us at contact@lessonly.co.uk
  • We will respond to your request within one month
  • We may ask for identification to verify your identity
  • These rights are generally free to exercise, but we may charge a reasonable fee for excessive or unfounded requests

11. Cookies and Similar Technologies

Lessonly uses cookies and similar tracking technologies. Cookies are small text files stored on your device that help us provide and improve our Service.

Types of Cookies We Use

  • Strictly Necessary Cookies: Essential for the Service to function (authentication, security). These cannot be disabled.
  • Functional Cookies: Remember your preferences and settings to enhance your experience.
  • Analytics Cookies: Help us understand how you use the Service so we can improve it.

Managing Cookies: You can control and manage cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of Lessonly.

For more information about our use of cookies, please see our Cookie Policy.

12. Marketing Communications

We may send you marketing communications about our products and services where you have given your consent or where we have a legitimate interest to do so (e.g., if you are an existing customer).

Your choices:

  • You can opt out of marketing emails at any time by clicking the "unsubscribe" link
  • You can update your marketing preferences in your account settings
  • You can contact us at contact@lessonly.co.uk

Please note that even if you opt out of marketing communications, we may still send you service-related communications (e.g., account notifications, security alerts).

13. Children's Privacy

Lessonly is designed for teachers and educational professionals, not for children. We do not knowingly collect personal data from children under 13 years of age.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at contact@lessonly.co.uk. We will take steps to delete such information promptly.

14. Third-Party Links

Lessonly may contain links to third-party websites or services. We are not responsible for the privacy practices of these external sites. We encourage you to read the privacy policies of any third-party sites you visit.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the new Privacy Policy on this page
  • Updating the "Last updated" date at the top of this page
  • Sending you an email notification (for significant changes)

We encourage you to review this Privacy Policy periodically for any changes.

16. Complaints

If you have any concerns about our use of your personal data, you have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues:

Information Commissioner's Office

Website: ico.org.uk

Telephone: 0303 123 1113

Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We would appreciate the opportunity to address your concerns before you approach the ICO, so please contact us first at contact@lessonly.co.uk.

17. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

Lessonly Ltd

Company Number:

Registered Address:

Email: contact@lessonly.co.uk

Data Protection Officer: contact@lessonly.co.uk

Website: https://lessonly.co.uk