Privacy Policy

Last updated: April 2026

1. Introduction

LESSO Ltd ("we", "our", "us") is committed to protecting the privacy of educators who use our platform. This Privacy Policy explains how we collect, use, store, and protect your personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

LESSO is a teacher productivity platform that provides AI-powered document generation, lesson planning, and educational resource creation through our AI assistant, Mrs J. We process personal data in line with the UK GDPR, the Data Protection Act 2018, the Data (Use and Access) Act 2025, and the Privacy and Electronic Communications Regulations (PECR).

2. UK Data Sovereignty

Customer and personal data are stored and processed exclusively in the United Kingdom. We use Civo Ltd (LON1 region) as our UK-sovereign infrastructure provider, with relax.ai — a trademark of the same legal entity, Civo Ltd — providing the primary AI processing layer. Microsoft Azure OpenAI Service in the UK South region is configured as a fallback for AI inference. All three are pinned to UK regions by configuration.

  • All processing of customer and personal data occurs within UK borders
  • Civo Ltd is a UK-owned, UK-headquartered company; data held there is subject only to UK law
  • Microsoft Azure UK South is contractually pinned to the UK region for inference; we disclose the residual CLOUD Act consideration honestly on our sub-processor page
  • ISO 27001 and Cyber Essentials Plus certified infrastructure (Civo); G-Cloud listed

3. Data Controller and Compliance Contact

LESSO Ltd is the data controller for personal data collected through our platform.
General contact: hello@lesso.co.uk

Luke, our co-founder, handles all compliance for LESSO and can be reached directly at support@lesso.co.uk for any privacy question, subject access request, or concern about how we handle data.

Where LESSO is provided to a school or multi-academy trust under a B2B contract, the school is the data controller for the personal data of its staff users and LESSO acts as the data processor under Article 28 UK GDPR. See Section 9 below.

3a. Sub-processors

We use the following sub-processors. All are pinned to UK regions for the processing of LESSO customer and personal data. The full dated table, the honest CLOUD Act note, and an email subscription for change notifications are at /sub-processors in our Trust Hub.

  • Civo Ltd (including relax.ai) (UK) — UK-sovereign cloud infrastructure (LON1 region) hosting the LESSO application and customer data, plus primary AI inference via relax.ai (Llama 3.1 405B). relax.ai is a trademark of Civo Ltd — the same legal entity, the same DPO, the same DPA, the same UK jurisdiction. We list it once because it is one supplier.
  • Microsoft Azure OpenAI Service — fallback AI inference, configured to the UK South region. Microsoft is a US-headquartered processor; the residual CLOUD Act consideration is documented honestly on the sub-processor page.
  • Stripe — subscription billing (PCI-DSS compliant).
  • Resend — transactional email delivery (account, billing, product notifications).

4. Data We Collect

Account Information

  • Name, email address, job title, and employer
  • Year group and subjects taught
  • Account credentials (securely hashed)

Teaching Data

  • Lesson plans and calendar events
  • Generated documents and teaching materials
  • Uploaded resources (templates, branding, curriculum frameworks)

Conversation Data

  • Chat interactions with Mrs J (our AI assistant)
  • Preferences and feedback

Technical Data

  • Browser type, device information
  • Usage patterns and session data
  • Anonymised analytics (if enabled)

5. Legal Basis for Processing

We process your personal data based on the following legal grounds:

Contract Performance (Article 6(1)(b))

Processing necessary to provide the LESSO service you have subscribed to, including document generation, lesson planning, and AI assistance.

Legitimate Interests (Article 6(1)(f))

Service personalisation and operational analytics: we process your account settings, preferences, and aggregated usage signals to personalise Mrs J's outputs to your teaching style and to operate, secure, and improve the LESSO service (including capacity planning and the fair-use accounting described in our Fair Use Policy).

Binding no-training commitment: we do not use your prompts, conversations, or generated content to train AI models — not our own, not Civo's, not relax.ai's, not Microsoft's. This commitment is binding and is reflected in our Data Processing Agreement with schools. If we ever offer a UK-trained-model contribution feature in the future, it will be a named, per-school opt-in with a separate consent flow and the default off; pre-existing prompts and outputs will never be retroactively pulled into training.

We have conducted a legitimate interests assessment for the in-scope personalisation and operational processing and determined that:

  • The processing directly benefits teachers by improving relevance and reliability
  • Data is aggregated where possible and minimised by default
  • You can object or opt out at any time via Settings → Privacy & Data
  • The processing does not override your fundamental rights

Consent (Article 6(1)(a))

For optional marketing communications and newsletters. You can withdraw consent at any time.

6. AI and Automated Decision-Making

Mrs J, our AI assistant, processes your requests to generate educational content. This involves:

  • Content Generation: Creating lesson plans, PowerPoints, worksheets, and other teaching materials based on your instructions
  • Personalisation: Learning your teaching style, preferred formats, and curriculum requirements to deliver "right first time" results
  • Context Memory: Remembering previous conversations to provide consistent, tailored assistance (can be disabled)

Article 22 — automated decision-making. Mrs J does not make decisions about you, about any teacher, or about any pupil that produce legal effects or similarly significant effects. Mrs J does not mark pupils' work, generate predicted grades, or evaluate learning outcomes. Every output — including drafted parent emails, drafted feedback, and drafted resources — is reviewed by the teacher in the loop before it leaves the platform.

For more details on how Mrs J uses data, see our AI Transparency Statement.

7. Data Retention

To deliver our "right first time" promise, we retain your lesson history, documents, and Mrs J interactions for a minimum of 12 months. This allows Mrs J to understand your teaching style and consistently create materials that match your brand and preferences.

  • Account data: Retained while your account is active
  • Teaching materials and chat history: 12 months minimum for service quality
  • Billing records: 7 years (legal requirement)
  • Analytics data: Anonymised and aggregated, retained indefinitely

You can request deletion of your data at any time. Deletion requests are processed within 30 days as required by UK GDPR.

8. Your Rights

Under UK GDPR, you have the following rights:

  • Right of Access (Article 15): Request a copy of all data we hold about you
  • Right to Rectification (Article 16): Correct inaccurate personal data
  • Right to Erasure (Article 17): Request deletion of your personal data
  • Right to Restrict Processing (Article 18): Limit how we use your data
  • Right to Data Portability (Article 20): Receive your data in a machine-readable format
  • Right to Object (Article 21): Object to processing based on legitimate interests

To exercise these rights, visit Settings → Privacy & Data in your LESSO account, or email Luke, our co-founder, at support@lesso.co.uk.

9. Data Sharing and the School Relationship

We do not sell your personal data. We share data only with:

  • The sub-processors listed in Section 3a above, all UK-region pinned, all bound by written data-processing terms
  • Your school or multi-academy trust where they are the data controller for your account under a B2B contract — see below
  • Communication providers when you connect Google Workspace or Microsoft 365 to your own LESSO account
  • Regulators or courts where we are required to do so by UK law

Where the school is the controller. When LESSO is provided to you by your school or trust under a B2B contract, the school is the data controller for your staff account and LESSO acts as the data processor under Article 28 UK GDPR. The school controls the lawful basis for your use of LESSO at work, the retention of your work-related materials within their tenancy, and the procedure for subject access requests submitted by you in your capacity as their employee. We publish a Data Processing Agreement to schools that reflects this relationship.

We will never share teacher prompts or generated content with the school's senior leadership in a form that allows individual-teacher surveillance. School-level reporting available to leadership is aggregated and anonymised by design.

10. Security

We implement industry-standard security measures including:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Multi-factor authentication options
  • Regular security audits and penetration testing
  • Employee access controls and training
  • Incident response procedures

11. Cookies

We use essential cookies for authentication and session management. Optional analytics cookies are only set with your consent. You can manage cookie preferences at any time via the cookie banner or Settings → Privacy & Data.

12. Children's Data — Architectural Choice, Not a Disclaimer

LESSO is for adults whose job is to teach children. Our minimum user age is 18, our account-creation flow is restricted to verified educators, and Mrs J is teacher-facing only — no pupil accounts, no pupil-data processing, no AI marking. There is no pupil account today and there is no plan for one. See our AI Transparency Statement for the full position. Schools writing their own staff-use AI policy can use the free generator at /school-ai-policy — Mrs J drafts it live in under a minute and emails the PDF and Word version to your DPO.

This is a deliberate architectural choice. The first time someone in a leadership or product conversation suggests letting pupils use Mrs J directly, this paragraph is the answer: they cannot. We help the teacher; the teacher helps the child. That is the whole architecture.

If you believe a child under 18 has somehow provided us with personal data, email Luke, our co-founder, at support@lesso.co.uk and we will delete it without delay.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or in-app notification. Continued use of LESSO after changes constitutes acceptance of the updated policy.

14. Contact Us

For privacy-related inquiries or to exercise your rights, contact Luke, our co-founder, who handles all compliance:
Email: support@lesso.co.uk
General contact: hello@lesso.co.uk

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

LESSO Ltd | Registered in England and Wales