Data Processing Agreement

Last updated · 30 April 2026

§ 01

Scope and Definitions

This Data Processing Agreement ("DPA") supplements the lessonu Terms of Service. lessonu Pty Ltd ("lessonu") acts as the Processor; the Customer who signed up to the Service (a school, teacher, or organisation) acts as the Controller. Their students, parents, and end-users are the Data Subjects.

"Personal Data" has the meaning given to it under the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA), and means any information relating to an identified or identifiable natural person.

§ 02

Subject Matter and Duration

lessonu processes Personal Data on behalf of the Customer for the duration of the Customer's active subscription. Following termination, Customer retains access to data export tools for 30 days. After that period, Personal Data is deleted in accordance with the retention schedule in our Privacy Policy.

§ 03

Nature and Purpose of Processing

lessonu processes Personal Data to deliver the tutoring SaaS features that Customer has subscribed to. This includes lesson scheduling, billing and invoicing, transactional communication, virtual classroom delivery, and reporting. Processing is limited to what is necessary to operate the Service.

§ 04

Categories of Personal Data and Data Subjects

For Customers (teachers, school administrators, organisation owners, and adult students who self-manage their accounts): name, email, role, billing details, and account activity.

For end-users with an account managed on their behalf (typically minor students under a parent or guardian account, or students under a school administrator): name, email, lesson history, attendance, and teacher-authored notes. Payment records sit with whichever account holds billing responsibility — usually the parent or school for minor students, or the student themselves for adult learners.

lessonu does not request or process special categories of data (health, biometric, political, etc.) and Customer agrees not to submit such data to the Service.

§ 05

Customer Instructions

Customer instructs lessonu to process Personal Data only for the purposes set forth in our Terms of Service and this DPA, and as necessary to provide the Service. Customer may issue further documented instructions in writing; lessonu will inform Customer if, in its opinion, an instruction infringes applicable data protection law.

§ 06

lessonu (Processor) Obligations

lessonu ensures that personnel authorised to process Personal Data are bound by confidentiality obligations. We implement appropriate technical and organisational security measures, including encryption in transit (TLS 1.2+) and at rest (AES-256), row-level security in the database, audit logging, principle-of-least-privilege access controls, and regular review of subprocessor security postures.

lessonu will assist Customer in fulfilling its obligations to respond to Data Subject requests, conduct data protection impact assessments, and engage with supervisory authorities.

§ 07

Subprocessors

Customer authorises lessonu to engage subprocessors to deliver the Service. The current list of subprocessors is published at /subprocessors. By signing up to the Service, Customer consents to the engagement of these subprocessors.

lessonu will give Customer at least 30 days' written notice (via email and an update to the subprocessors page) before adding a new subprocessor. Customer may object on reasonable data-protection grounds; if the objection cannot be resolved, Customer may terminate the affected portion of the Service.

§ 08

International Transfers

For Personal Data originating in the EU, UK, or Switzerland that is transferred to a subprocessor outside those regions, lessonu relies on the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, or an equivalent lawful transfer mechanism with each affected subprocessor.

§ 09

Data Subject Rights Assistance

lessonu will provide reasonable assistance to Customer in responding to Data Subject requests for access, rectification, erasure, restriction, portability, or objection. Most requests can be fulfilled by Customer directly through the dashboard; for the rest, we will respond to Customer's request within 30 days.

§ 10

Personal Data Breach Notification

lessonu will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer's data. For Customers subject to GDPR / UK GDPR, notification will be made within 72 hours where feasible, to support Customer's Article 33 reporting obligation. For Customers subject to the Australian Notifiable Data Breaches scheme (Privacy Act 1988 (Cth), Part IIIC), notification will be made as soon as practicable and in any event within 30 calendar days; our internal assessment target is 5 business days from discovery.

The notification will describe the nature of the breach, the categories and approximate number of Data Subjects affected, the likely consequences, and the measures taken or proposed to address it. See also /privacy §9 for our customer-facing breach notification commitment.

§ 11

Audits

Once per calendar year, on reasonable prior written notice, Customer may request a summary of lessonu's most recent third-party security assessment. lessonu is not currently SOC 2 certified; in place of a certification, lessonu will provide a written attestation of compliance with this DPA, including a description of the technical and organisational measures in place.

§ 12

Return or Deletion of Data

Upon termination of the Service, Customer may export all Personal Data through the dashboard for a period of 30 days. After that period, lessonu will delete the data in accordance with the retention policy described in the Privacy Policy, except where retention is required by law (such as financial records retained for tax-compliance purposes).

§ 13

Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the lessonu Terms of Service. Nothing in this DPA limits a party's liability where such limitation is prohibited by applicable data protection law.

§ 14

Governing Law

This DPA is governed by the laws of the State of New South Wales, Australia, consistent with the Terms of Service. Where mandatory data protection law of another jurisdiction applies to a specific Data Subject, that law prevails to the extent required.

§ 15

Contact

Questions about this DPA, or requests to execute it as a countersigned document, should be sent to lessonu.team@gmail.com.