Privacy Policy
Effective May 2026
Short version: we collect the minimum data needed to run Lessona, we never sell it, and we never collect or store student data. Full policy below.
What we collect
When you sign up, we collect your email address, your name, and your country (for currency + curriculum). When you use Lessona, we collect what you generate (lessons, presentations, resources) so you can access them across devices.
Optional context like your school name, year levels, and teaching style preferences is collected only if you fill it in. It improves the lesson plans Lessona writes for you.
What we don't collect
We never collect, store, or process student data. No student names, no grades, no behaviour records, no photos. Lessona is built for planning teaching, not tracking learners.
How we use it
Your data powers Lessona's features: lesson generation uses your profile to tune outputs, your subscription record drives access, your saved content shows up in your dashboard. We may email you about your account (receipts, important changes). Marketing emails (product updates, the Staffroom) are opt-in.
Who we share with
Lessona uses a small set of trusted providers to operate. These include Clerk for authentication, Stripe for payments, Anthropic and Google for AI generation, and infrastructure providers for hosting, our database, and transactional email. These providers process data only on our behalf, not for their own purposes.
We do not sell your data. We do not share it with advertisers. We do not let third parties train AI models on your inputs (see our AI Policy).
Google services connection
If you connect Google to Lessona, we request access to a small, fixed set of scopes so the calendar and export features can work:
- Google Calendar (read only): to display your calendar events alongside your Lessona timeline. We never modify your calendar.
- Google Drive (drive.file scope): to upload a PDF into your Drive when you export a lesson, presentation, or resource. This scope only lets Lessona see files Lessona itself creates. We cannot read your other Drive files.
- Email and basic profile: to confirm which Google account you connected.
Lessona's use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, Lessona does not use Google user data to serve advertising, does not share it with third parties for advertising or other purposes, does not use it to develop, improve, or train generalised AI or machine learning models, and only allows humans to access it where you have given explicit consent, for security investigations, or where required by law. You can disconnect Google from Lessona at any time on the Account page, which revokes Lessona's access immediately.
Where data lives
Account and content data is stored in Neon Postgres, hosted in Sydney (ap-southeast-2). When we expand to the EU and US we'll add regional databases so EU teachers' data stays in the EU and US teachers' data stays in the US.
Security and data protection
We use industry-standard safeguards to protect your data, including data we receive from Google APIs:
- Encryption in transit: all traffic between your browser, Lessona, and our service providers travels over TLS 1.2 or higher. HTTP requests are rejected outright.
- Encryption at rest: all data in our primary database (Neon Postgres) is encrypted with AES-256. Backups, file uploads (Vercel Blob), and cached generation output use the same standard.
- OAuth tokens: Google access and refresh tokens are stored encrypted server-side and used only to call the specific scopes you authorised. They are never exposed to the browser, never logged, and never shared with any third party. You can revoke them at any time on your Lessona Account page (this calls Google's revocation endpoint immediately).
- Access controls: production systems require two-factor authentication. Access to user data is restricted to named individuals on a need-to-know basis and is auditable. Routine engineering work uses anonymised or synthetic data.
- Sub-processors: our infrastructure providers (Vercel, Neon, Clerk, Stripe, Anthropic, Google Cloud) are SOC 2 Type II audited and have signed Data Processing Addenda committing them to GDPR-compliant handling on our behalf.
- Workspace data and AI training: data we receive from Google Workspace APIs (Drive, Slides, Docs, Calendar) is handled under Google's Limited Use requirements. We never use it to develop, improve, or train generalised or specialised AI or machine learning models. It is used only to deliver the calendar-display and export features you explicitly trigger, and is not shared with our AI sub-processors (Anthropic, Google Gemini, etc.).
- Vulnerability disclosure: if you discover a security issue, email support@lessona.ai with subject "Security". We acknowledge within two working days and act within 30.
- Breach notification: if a security incident affects your data, we notify the relevant supervisory authority within 72 hours where required (GDPR, NZ Privacy Act 2020, Australian Privacy Act 1988) and notify you without undue delay.
How long we keep it
Account data: for as long as your account is active. Generated content: until you delete it or close your account. After account closure, we hold a minimal record for 90 days (in case you change your mind), then permanently delete it.
Your rights
You can request a copy of your data, correct it, or delete it by emailing support@lessona.ai. We'll act within 30 days. EU/UK teachers have the same rights under GDPR; NZ teachers under the Privacy Act 2020; Australian teachers under the Privacy Act 1988.
Cookies
Lessona uses essential cookies for authentication only. We don't use tracking cookies or third-party analytics that follow you around the web.
Contact
Privacy questions or requests: support@lessona.ai.