Data Processing Addendum
1. Parties
This Data Processing Agreement (“Agreement”) forms part of the agreement between:
LessonLab AI Ltd
A company incorporated in England and Wales
Registered address: Bayside Business Centre, 48 Willis Way, Poole, Dorset, England, BH15 3TB
(“LessonLab”, “Processor”)
and
The Customer
(being a teacher, school, educational organisation, or authorised user of the LessonLab platform)
(“Customer”, “Controller”)
2. Definitions
- Controller: The entity that determines the purposes and means of processing personal data.
- Processor: The entity that processes personal data on behalf of the Controller.
- Personal Data: Any information relating to an identified or identifiable individual.
- UK GDPR: The United Kingdom General Data Protection Regulation and Data Protection Act 2018.
3. Roles of the Parties
3.1 Controller Responsibilities
The Customer acts as the Data Controller for any personal data relating to students, staff, or other individuals that they choose to input into the LessonLab platform.
The Controller determines:
- What personal data is processed
- The purpose of processing
- Whether personal data is included in AI prompts
3.2 Processor Responsibilities
LessonLab AI Ltd acts as a Data Processor for Customer content and student data, and as a Data Controller for its own account, billing, and operational data.
LessonLab processes personal data only on documented instructions from the Controller, as required to provide the service.
4. Scope of Processing
LessonLab may process the following categories of personal data:
- Teacher account information (name, email, login credentials)
- Student information (e.g. names, usernames, class or year group, performance data)
- User-submitted content and AI-generated outputs
- Platform usage and audit logs
LessonLab does not intentionally process special category data (including health, SEN, safeguarding, or medical information).
5. AI Processing and User Content
5.1 AI Inputs
Personal data may be processed by AI systems only where the Customer has chosen to include such data in a prompt or input.
LessonLab:
- Does not automatically inject student names or identifiers into AI prompts
- Does not enrich, infer, or append additional personal data
- Processes AI prompts solely to generate the requested output
5.2 AI Outputs and Storage
AI outputs may be stored temporarily to allow users to:
- View results
- Edit content
- Delete content
LessonLab retains AI outputs and associated inputs until deleted by the user.
5.3 AI Providers
LessonLab uses third-party AI providers (e.g. OpenAI) to generate responses.
LessonLab does not permit customer data to be used to train public AI models and selects providers that contractually prohibit such use.
AI providers may retain data for a limited period in accordance with their own retention policies (typically up to 30 days), after which it is deleted.
6. Subprocessors
LessonLab may engage the following subprocessors:
- Supabase – database hosting, authentication, and storage (EU-hosted)
- Replit – application hosting and infrastructure
- OpenAI – AI text generation
- Stripe – payment processing
All subprocessors provide GDPR-compliant Data Processing Agreements and, where applicable, Standard Contractual Clauses (SCCs).
LessonLab may update subprocessors from time to time and will ensure equivalent data protection safeguards are in place.
7. Data Location and Transfers
Primary data storage is hosted within the European Union.
Where data is transferred outside the UK or EU, LessonLab relies on appropriate safeguards, including Standard Contractual Clauses, as provided by its subprocessors.
8. Security Measures
LessonLab implements appropriate technical and organisational measures to protect personal data, including:
- Encryption in transit (HTTPS/TLS)
- Encryption at rest (managed by infrastructure providers)
- Role-based access controls and row-level security
- Authenticated access to protected resources
- Restricted staff access to production systems
- Secure cloud hosting environments
- Separation of development and production environments
9. Data Retention and Deletion
- Personal data is retained only for as long as necessary to provide the service
- Upon account or content deletion, data is permanently removed from LessonLab’s systems
- LessonLab does not retain independent backups of deleted user data beyond infrastructure-level backup policies
- Supabase-managed backups follow standard retention periods
10. Assistance and Compliance
LessonLab will:
- Assist Controllers with data subject requests where applicable
- Provide information necessary to demonstrate compliance with this Agreement
- Maintain appropriate records of processing activities
11. Audit Rights
Audit rights may be satisfied through:
- Written documentation
- Security summaries
- Policy disclosures
Physical or on-site audits are not required unless legally mandated.
12. Personal Data Breaches
In the event of a personal data breach, LessonLab will:
- Notify affected Controllers without undue delay
- Provide information necessary to meet the Controller’s regulatory obligations
- Cooperate in mitigation and remediation efforts
13. Governing Law
This Agreement is governed by the laws of England and Wales, and UK GDPR applies.
14. Contact
Data protection enquiries may be directed to:
LessonLab AI Ltd
Email: info@lessonlabai.com
We use essential cookies to keep you logged in and ensure the website functions properly. These are necessary for the service to work and don't require your consent. Learn more about our cookie usage