Legal
Privacy Policy
Last updated: 1 April 2025
Who we are
Lesson Flow ("we", "us", "our") operates the Lesson Flow platform at lessonflow.uk. We are committed to protecting your personal information and being transparent about how we use it.
For UK GDPR purposes, Lesson Flow is the Data Controller for the personal data of instructors and account holders. For learner data stored by instructors using our platform, the instructor is the Data Controller and Lesson Flow is the Data Processor.
Contact us at: hello@lessonflow.uk
What data we collect
Account holders (instructors)
- Name, email address, phone number
- Driving school name and details
- Payment information (processed by Stripe — we do not store card details)
- Usage data and activity logs
Learner data (entered by instructors)
- Name, phone number, email address
- Driving licence number
- Lesson history and progress notes
- Payment records
- Notes made by the instructor
How we use your data
- To provide the service — storing and displaying your data, sending automated notifications, processing payments
- To communicate with you — account notifications, support responses, service updates
- To improve the service — aggregated, anonymised usage analytics
- Legal compliance — where required by law
We do not sell your data. We do not use your data for advertising. We do not share your data with third parties except as described in this policy.
Legal basis for processing
- Contract — processing necessary to provide the service you've subscribed to
- Legitimate interests — fraud prevention, security, service improvement
- Legal obligation — where required by law
- Consent — marketing communications (you can withdraw at any time)
Third parties we use
| Service | Purpose | Location |
|---|---|---|
| Supabase | Database and authentication hosting | EU |
| Stripe | Payment processing | US (Privacy Shield) |
| Vercel | Website hosting | EU |
| Twilio | WhatsApp message delivery | US (Privacy Shield) |
| Resend | Email delivery | EU (Ireland) |
Data retention
- Active account data is retained for the duration of your subscription
- After account closure, data is retained for 30 days then permanently deleted
- Payment records are retained for 7 years for legal compliance
- You can request immediate deletion by contacting us
Your rights
Under UK GDPR you have the right to:
- Access — request a copy of the data we hold about you
- Rectification — correct inaccurate data
- Erasure — request deletion of your data ("right to be forgotten")
- Portability — receive your data in a machine-readable format
- Restriction — limit how we process your data
- Objection — object to processing based on legitimate interests
To exercise any of these rights, contact us at hello@lessonflow.uk. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
Cookies
We use essential cookies to keep you logged in and remember your preferences. See our Cookie Policy for full details.
Security
We use industry-standard security measures including encrypted connections (HTTPS), hashed passwords, and row-level database security. However, no system is completely secure and we cannot guarantee absolute security.
Changes to this policy
We may update this policy from time to time. We will notify you by email of any significant changes. The date at the top of this page shows when it was last updated.