Privacy Policy

Last updated: 12 February 2026 · Version 2.0

Read before signing up — especially for schools

This policy explains what data Lesson Ready collects, why, and who else processes it on our behalf. You — and any school, MAT, college or other organisation that asks its staff to use Lesson Ready — are legally responsible for reviewing this policy and deciding whether the service is suitable for your circumstances and the personal data you intend to put into it. Lesson Ready cannot complete that assessment for you. If you are using Lesson Ready in connection with your professional duties on behalf of an employer, please confirm with your data-protection officer or governance team that the service is approved for that use before uploading any content.

TL;DR

  • We only collect what is needed to run the service: your account info, your timetable, your lesson notes, and any files you attach.
  • We do not sell or rent your data, run advertising, or train AI/ML models on the content you upload.
  • We share data only with the named sub-processors below (Stripe, Resend, Emergent, your sign-in provider, your chosen cloud-drive provider).
  • You can export or delete every piece of data we hold about you, at any time, from Settings → Manage data.
  • This service is governed by German law (see the Terms of Use) but mandatory UK / EU consumer and data-protection rights still apply to you in the UK and EU.

Contents

  1. Who we are
  2. What data we collect
  3. Why we collect it
  4. Our lawful bases
  5. Where & how it is stored
  6. How long we keep it
  7. Sub-processors
  8. International transfers
  9. Cloud drive integrations
  10. Cookies & local storage
  11. Emails we send
  12. Children & pupil data
  13. Schools & MATs
  14. Your data-subject rights
  15. Security
  16. Breach notification
  17. Changes to this policy
  18. Contact

1. Who we are (Data Controller)

For the purposes of the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the EU GDPR (Regulation (EU) 2016/679) and the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG), the data controller for personal data processed by the Lesson Ready service is:

Lesson Ready (sole trader operated by Stewart McKane)
Am Blauent Stein 18, 50997 Köln, Germany
Email: privacy@lessonready.app

Lesson Ready is a small operation and currently falls below the statutory thresholds at which appointment of a Data Protection Officer (DPO / Datenschutzbeauftragter) is mandatory under UK GDPR Article 37 or GDPR Article 37. The privacy contact above handles all data-subject requests and supervisory-authority correspondence.

2. What personal data we collect

Lesson Ready only ever processes data you actively put in (or that we generate to make sign-in work). Specifically:

2.1 Account data

  • Your email address.
  • The display name returned by your sign-in provider (Google, Microsoft) or the local-part of your email if you used the magic-link option.
  • Your profile picture URL only if your sign-in provider returns one (we never download or re-host the image).
  • Which sign-in method created the account (magic, google or microsoft) — purely so we can show meaningful telemetry to the operator.
  • Server-side session tokens (random, expire after 7 days).

2.2 Teaching content

  • School years, classes, holidays, recurring timetable slots, lesson instances, statuses, custom fields and any free-text notes you write.
  • Files you upload directly (Pro plan) — stored in Emergent Object Storage; 5 MB per file, 15 MB cumulative per lesson.
  • Links and metadata for files you attach from Google Drive, OneDrive or Dropbox (see §9).

2.3 Billing data (Pro plan only)

  • Your Stripe customer ID and subscription ID.
  • The plan tier, status, current period end and last invoice status returned by Stripe.
  • We never see or store your card number, CVC, or full PAN — those go directly to Stripe.

2.4 Service operation data

  • Per-request server logs (IP address, user-agent, route and response code) kept for up to 30 days for debugging and abuse prevention.
  • Email delivery logs from Resend (message ID, send timestamp, delivery state) for up to 180 days.
  • Magic-link tokens (random, HMAC-signed, expire after 10 minutes).

3. Why we collect each category

Category | Purpose
Account data | Authenticate you, isolate your data from other users, send service emails.
Teaching content | Provide the core service — show your timetable, store your lesson notes, render attachments, produce calendar feeds.
Billing data | Operate the optional Pro subscription and meet our tax/record-keeping obligations.
Service logs | Diagnose errors, prevent abuse, protect the platform from automated attacks.
Email logs | Confirm delivery of the daily summary and other service emails; troubleshoot bounces.

4. Lawful bases (UK GDPR / GDPR Art. 6)

  • Performance of a contract (Art. 6(1)(b)) — for account data, teaching content and billing data: we cannot run the service without them.
  • Legitimate interests (Art. 6(1)(f)) — for service and email delivery logs (purpose: keeping the service running, secure and abuse-free; we balance this against your interests and you can object via §14).
  • Consent (Art. 6(1)(a)) — for optional marketing communications, which are off by default and can be withdrawn at any time without affecting the service.
  • Legal obligation (Art. 6(1)(c)) — for invoice records (UK 6-year statutory retention; German Abgabenordnung §147 generally 10 years for tax records).

Lesson Ready does not rely on Art. 6(1)(d) (vital interests) or Art. 6(1)(e) (public task) — neither applies to this service.

5. Where and how data is stored

Lesson Ready is hosted on the Emergent platform, which provides container infrastructure and managed databases. Personal data is stored:

  • In a MongoDB database running inside the Emergent platform (encryption at rest via the underlying disk/volume encryption; access controlled by network policy + authentication).
  • Uploaded files in Emergent Object Storage — at-rest encryption applied by the storage layer; access via signed, short-lived URLs only.
  • Operational logs in the platform's log subsystem.

All traffic between your browser and Lesson Ready is encrypted with TLS 1.2 or higher.

6. How long we keep your data

How long each category of data is retained.
Data | Retention
Account, classes, lessons, attachments | Until you delete them or close your account.
Soft-deleted attachments | 30 days, then permanently erased from object storage.
Server / API logs | 30 days rolling.
Email delivery logs | 180 days.
Magic-link tokens, pending ICS imports, data-export blobs | 10 min / 7 days / 7 days respectively.
Invoice and payment records (Pro plan) | 10 years (German tax retention; UK statutory minimum is 6 years).
Closed account residue | Erased within 30 days of closure, except records retained under a legal obligation above.

7. Sub-processors

Lesson Ready engages the following sub-processors. Each has been selected for its compliance posture and signed (or operates under) the relevant Data Processing Addendum. This list is reviewed before any change; material additions will be announced at least 14 days in advance by email to active accounts.

Sub-processors used by Lesson Ready, with role, primary region and transfer safeguard.
Sub-processor | Role | Primary region | Safeguard
Emergent | Application hosting, managed MongoDB, object storage, transactional infrastructure. | EU / US (multi-region) | DPA + Standard Contractual Clauses (SCCs) + UK IDTA addendum where applicable.
Stripe Payments Europe, Ltd. | Payment processing (Pro plan checkout, subscription renewals, Customer Portal, invoice generation). | Ireland (EEA); some operational data in the US. | EU SCCs + UK IDTA; Stripe is the data controller for cardholder data.
Resend | Transactional email delivery (sign-in links, daily summaries, data-export notifications). | EU / US | DPA + SCCs.
Google Ireland Ltd. | Optional Google sign-in (OAuth) and Google Drive file picker for users who choose to use them. | EEA primary, US. | EU SCCs + UK IDTA. Google is the controller for the user's Google account; Lesson Ready only receives the ID-token claims and any user-selected file metadata.
Microsoft Ireland Operations Ltd. | Optional Microsoft sign-in (Entra ID) and OneDrive file picker for users who choose to use them. | EEA primary, US. | EU SCCs + UK IDTA + Microsoft's EU Data Boundary commitments where applicable.
Dropbox International Unlimited Company | Optional Dropbox Chooser file picker for users who choose to use it. | Ireland (EEA), US. | EU SCCs.

The cloud-drive providers in the bottom three rows process data on your behalf when you choose to attach a file from them — Lesson Ready never receives the file contents (see §9). A current copy of this list is maintained on this page; an email update is sent before any new sub-processor is added.

8. International data transfers

Where personal data is transferred outside the UK or the EEA, Lesson Ready relies on the following transfer mechanisms (in order of preference):

  1. UK adequacy decisions or EU adequacy decisions where one exists for the destination country (e.g. the EU–US Data Privacy Framework for certified US recipients).
  2. Standard Contractual Clauses (EU Commission Decision 2021/914) and the UK International Data Transfer Addendum issued by the ICO.
  3. Where reasonably available, additional supplementary measures (encryption in transit, encryption at rest, contractual access controls).

Copies of the SCCs / IDTAs covering each sub-processor are available from privacy@lessonready.app on request.

9. Google Drive, OneDrive and Dropbox attachments

When you attach a file from Google Drive, OneDrive or Dropbox, Lesson Ready stores only:

  • The sharing URL of the file in the provider's cloud.
  • The display filename, MIME type, size, provider icon URL and the provider-issued file ID (where available, so we can offer "Open in [Provider]").

We never download, cache or transmit the file contents. Access remains governed by the permissions you set inside the provider's product. Revoking Lesson Ready's picker permission from your Google / Microsoft / Dropbox account will cause those links to stop resolving, but Lesson Ready will retain the link metadata until you remove it or close your account.

10. Cookies and local storage

  • One essential session cookie (session_token) — strictly necessary to keep you signed in. No consent banner needed under PECR / ePrivacy because it is essential to a service you have requested.
  • One localStorage token mirroring the session cookie — used as a fallback for mobile browsers that strip third-party cookies.
  • An MSAL sessionStorage cache when (and only when) you choose Microsoft sign-in or the OneDrive picker. Cleared on tab close.

We do not run advertising, analytics or third-party trackers by default.

11. Emails we send

  • Service emails (sign-in links, data exports, billing receipts) — sent under the contract you have entered into; not opt-out.
  • Daily summary emails — optional. Off by default. Switch on in Settings; switch off with one click in any summary email or from Settings.
  • Marketing emails — only with explicit, separate opt-in consent. Currently not sent.

12. Children, pupil data and special category data

Lesson Ready is intended for use by adult education professionals planning their own work. It is not designed as a pupil-facing platform, an assessment management system, or a system for processing special category data (UK GDPR Art. 9 / GDPR Art. 9) such as health, ethnicity, biometrics, religious belief, trade-union membership or sexual orientation.

You must not upload identifiable personal data about individual pupils (e.g. SEND profiles, safeguarding notes, medical information, behaviour incidents identifying a child by name or admission number) into Lesson Ready. The service has not been DPIA-assessed for that purpose and is not contractually fit for it. If you need to plan around a specific child's needs, store the identifiable detail in your school's approved MIS and use only de-identified shorthand inside Lesson Ready (e.g. "Pupil A").

13. Schools, MATs and other employers

When an individual teacher signs up with their work email, Lesson Ready operates as an independent controller for the teacher's account and the content they place into it. Lesson Ready does not currently sell an instance to a school or multi-academy trust as a corporate customer, and there is therefore no controller → processor relationship between Lesson Ready and your employer in respect of your use of the consumer service.

If you are a head of department, DSL, DPO or governor reviewing whether Lesson Ready is suitable for your staff to use, please complete your own due diligence (data flow mapping, supplier risk assessment, sub-processor review, retention review) and contact us at privacy@lessonready.app for any clarifications. We are happy to provide a populated supplier-assessment questionnaire.

14. Your rights under UK GDPR / EU GDPR

  • Right of access — request a copy of all data we hold about you (use Settings → Manage data → Export, or email us).
  • Right to rectification — correct anything inaccurate, directly from the relevant page in the app.
  • Right to erasure ("right to be forgotten") — delete a year, week, class, file, or your entire account at any time from Settings → Manage data.
  • Right to restriction — pause processing while a dispute is investigated.
  • Right to data portability — download a structured JSON export of everything you've created.
  • Right to object — to any processing based on legitimate interests (we will stop unless we have an overriding reason).
  • Right to withdraw consent — applies only to processing based on consent (currently only marketing emails).
  • Right not to be subject to automated decision-making — Lesson Ready does not perform automated decision-making with legal or similarly significant effects under Art. 22.
  • Right to lodge a complaint with a supervisory authority:
    • UK — the Information Commissioner's Office (ico.org.uk).
    • Germany — your federal state's data-protection authority (Landesdatenschutzbehörde), or the BfDI (bfdi.bund.de) for federal matters.
    • Other EU/EEA — your national authority (full list at edpb.europa.eu).

We will respond to verified data-subject requests within one month of receipt as required by Art. 12(3). If a request is unusually complex we may extend by a further two months and will tell you within the first month.

15. Security measures

  • TLS for all web traffic; HSTS enforced on production.
  • At-rest encryption on database volumes and object storage.
  • Magic-link tokens are HMAC-SHA-256 signed and bound to a 10-minute expiry.
  • Session tokens are 256-bit random, scoped to one user, expire after 7 days.
  • Calendar feed URLs use rotatable, signed tokens you can revoke from Settings.
  • Per-user data isolation is enforced at every API endpoint with explicit ownership checks.
  • Production access is limited to the operator, with logging and least-privilege credentials.

No service can guarantee absolute security. We continuously review our controls but cannot provide a no-breach warranty.

16. Personal data breach notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority (UK ICO and/or our lead EU authority) within 72 hours of becoming aware, as required by UK GDPR / GDPR Article 33. Where the breach is likely to result in a high risk to you, we will also notify you directly without undue delay, consistent with Article 34. We maintain an internal breach register.

17. Changes to this policy

We may update this policy from time to time. Substantive changes will be announced at least 14 days in advance by email to active accounts and on this page. The "Last updated" date at the top will always reflect the latest version. Continued use of the service after the effective date constitutes acceptance of the revised policy; if you do not agree you may close your account.

18. Contact

For any data-protection question, request, or complaint, please email privacy@lessonready.app. For general support, use hello@lessonready.app.


This document explains how Lesson Ready handles personal data. It is provided in good faith and reviewed periodically, but it is not a substitute for independent legal advice. If you, your school or your organisation rely on a specific compliance outcome, please obtain your own UK / EU / German legal review before adopting the service.
