Privacy Policy

lessonu is a scheduling and operations platform for private teachers and small organisations — independent tutors, music and instrument teachers, language coaches, exam-prep specialists, adult-education providers, schools, and studios. This policy covers everyone who creates an account with us: teachers, school administrators, adult students booking their own lessons, and parents managing accounts on behalf of a child.

We collect information you provide directly when creating an account, including your name, email address, your role on the platform (teacher, school administrator, student, or parent / guardian where applicable), and any organisation or studio affiliation you choose to provide. We also collect information generated through your use of the Service — lesson schedules, attendance, teacher notes, payment records, and in-app communication.

For lessons involving students under 18, additional information may be collected to satisfy child-safety obligations — see /safeguarding.

We automatically collect technical information including IP address, browser type, device information, and usage patterns to improve the Service and detect abuse.

We use the information we collect to:

• Provide, maintain, and improve the Service
• Process payments and send billing-related communications
• Send transactional emails (lesson reminders, verification emails, invoices)
• Respond to support requests and communicate with you
• Monitor and analyse usage trends to improve user experience
• Detect, prevent, and address technical issues, abuse, or fraud

We do not sell your personal information to third parties. We do not use student data for advertising under any circumstances.

Your data is stored on servers located in Australia (Sydney region) via our infrastructure provider, Supabase. Data is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption. Access to production data is limited to a small number of lessonu staff, requires multi-factor authentication, and is audit-logged.

We implement industry-standard security controls — row-level security in the database, principle-of-least-privilege access, intrusion detection on the hosting layer, rate limiting on public endpoints, and regular security review of our subprocessors.

lessonu maintains automated daily backups of customer data via Supabase. Production data is recoverable to any point within the last seven days through Point-in-Time Recovery. Backups are encrypted at rest and stored in the same Australian region as the primary database.

We test the restore path at least quarterly. Our internal recovery objectives are: RPO (recovery point objective) of 5 minutes for the database; RTO (recovery time objective) of 4 hours for a full restore. Files uploaded to the resource library are stored in versioned Supabase Storage with the same backup coverage.

Payment information is not stored on our servers. Stripe holds all card data directly and is PCI DSS Level 1 compliant; we retain only transaction metadata (date, amount, status, payment method type).

We use the following third-party services to operate lessonu:

• Supabase — Authentication, database hosting, file storage, and backups. Data is processed under Supabase's privacy policy and stored on Australian servers.
• Stripe — Payment processing. Stripe handles all credit-card information directly and is PCI DSS Level 1 compliant. lessonu does not store credit-card details.
• Resend — Transactional email delivery for notifications, verification emails, and invoices.
• Twilio — SMS reminder delivery for lessons and invoices.
• LiveKit — Real-time video for the in-app classroom. Lesson video is not recorded by default; recording is opt-in per lesson with consent.
• Sentry — Error tracking with PII scrubbing applied before transmission.
• Cloudflare Turnstile — Bot prevention on sign-up and public booking pages.

A current list with the categories of data shared with each subprocessor is published at /subprocessors.

lessonu complies with the 13 Australian Privacy Principles (APPs) set out in the Privacy Act 1988 (Cth). Specifically:

• APP 1 — Open management of personal information. This policy is our open statement; we keep it current and link it from the footer of every page.
• APP 5 — Notification of collection. We tell you what we collect at the point of collection (signup form, booking form) and via this policy.
• APP 6 — Use and disclosure. We use personal information only for the purposes described in §3 above, or with your consent, or as required by law.
• APP 11 — Security. We take reasonable steps to protect personal information from misuse, loss, and unauthorised access (see §4 + §5 above).
• APP 12 — Access. You may request access to the personal information we hold about you at any time. Use the self-serve export at Settings → Export for a JSON export of your account; otherwise emaillessonu.team@gmail.com and we'll respond within 30 days.
• APP 13 — Correction. You may correct most personal information directly in the dashboard. For data you can't edit yourself, email lessonu.team@gmail.com.

You may also lodge a complaint with the Office of the Australian Information Commissioner at oaic.gov.au.

For users in New Zealand, lessonu complies with the 13 Information Privacy Principles (IPPs) in the Privacy Act 2020. You have the right to access (IPP 6) and correct (IPP 7) your personal information, and to expect that lessonu only uses and discloses it for the purpose for which it was collected (IPP 10 + IPP 11). Use the self-serve export at Settings → Export, or email lessonu.team@gmail.com.

Cross-border disclosure (IPP 12). Customer data for NZ users is stored on Australian servers (Supabase Sydney). Australia is a jurisdiction with comparable privacy law to New Zealand under the OPC's guidance and the AU–NZ Mutual Recognition arrangements, so storage in Sydney satisfies IPP 12. A small number of subprocessors are located in the United States — Stripe (payments) and LiveKit (lesson video). Where we transfer NZ personal information to those subprocessors, we rely on their certifications and contractual undertakings to provide comparable protections, as permitted by IPP 12(1)(f).

You may lodge a complaint with the Office of the Privacy Commissioner at privacy.org.nz or by phone on 0800 803 909.

We retain your personal information for as long as your account is active or as needed to provide the Service. Upon account deletion, we remove your personal data within 90 days, except where retention is required by law — for example, financial records (invoices, tax-invoice data) are retained for 7 years in accordance with Australian tax law.

Anonymised and aggregated data that cannot be used to identify you may be retained indefinitely for analytics and service improvement.

lessonu maintains a documented breach assessment and notification process. The The lessonu founder (our designated Privacy Officer) is accountable for the assessment decision; the internal runbook lives in our operations repository and is reviewed quarterly.

For Australian customers — we comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth). If an eligible data breach occurs, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable after becoming aware of it, and in any event within 30 calendar days as required by §26WK of the Act. Our internal assessment target is 5 business days of discovery.

For New Zealand customers — we comply with the mandatory notification regime under Part 6 of the Privacy Act 2020. Where a notifiable privacy breach occurs (one likely to cause serious harm), we will notify affected individuals and the Office of the Privacy Commissioner without undue delay.

Notifications describe the nature of the breach, the categories of information involved, the likely consequences, and the steps we are taking. Customers with a countersigned Data Processing Agreement may have shorter contractual SLAs — see /dpa §10.

lessonu uses essential cookies to maintain your session and authentication state. These are strictly necessary for the Service to function and cannot be disabled. We do not use advertising cookies and we do not allow third-party advertisers to set cookies on our domain.

We use first-party analytics (logged via Axiom and our own event-recording endpoint) to understand product usage. These events contain only your account ID and product interactions, never the contents of your lessons, notes, or messages. You can control browser-level cookie behaviour through your browser preferences.

A current list of the third-party services we use to deliver lessonu, together with the categories of data shared with each, is published at /subprocessors. Customers processing personal data of EU/UK data subjects on our platform can review and execute our Data Processing Agreement at /dpa; email lessonu.team@gmail.com to request a countersigned copy.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify registered users of material changes via email at least 14 days before they take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.

If you have questions or concerns about this Privacy Policy or our data practices, please contact our Privacy Officer: