Privacy Policy

1. Who this policy applies to

This policy applies to teachers, school administrators, and other authorized account holders who use Lessaro. Lessaro does not provide student-facing accounts or collect information directly from students. Any student information in Lessaro is provided by the teacher or administrator operating the account.

Schools and districts processing student data on Lessaro are additionally covered by our Data Processing Addendum, which is automatically incorporated into the Terms of Service for Institution use.

2. Information you provide

We collect the following when you use Lessaro:

Account information

• Your email address (used for magic-link sign-in)
• Your role (e.g., teacher)

Educational content you create

• Classes, class names, class periods, grade levels
• Student records you enter, typically names, optional email addresses, and any notes you add
• Optional parent contact details (one parent WhatsApp number per student), captured by the teacher under their attestation of parental consent. See “Parent contact information” below.
• Assignments, categories, weighted grade schemes, scores, and grading history
• Lessons: objectives, bell work, hooks, process notes, exit tickets, homework, worksheets
• Worksheet files you upload (PDFs, Word docs, images)

Parent contact information

Educators may optionally store one parent WhatsApp number per student so Lessaro can hand off parent-summary messages directly to that contact in WhatsApp. The number is captured by the teacher in the student edit dialog. To save it, the teacher must tick a consent checkbox attesting they have the parent or guardian's permission to use this channel for class communications. Lessaro records the timestamp of that attestation alongside the number so a consent-trail exists for every stored phone.

The platform never independently verifies parental consent. Educators and their schools remain the source of truth for consent itself (typically via enrollment paperwork or recorded verbal permission), and Lessaro stores only the attestation they sign in-app. Removing the phone number clears the consent timestamp. The two fields rise and fall together at both the application and database layers.

Subscription and billing information

When you subscribe to Lessaro Pro, Stripe collects your payment method and billing details on our behalf. We do not store your full card number or CVC. We receive only the subscription status, customer ID, and minimal billing metadata needed to operate the account.

Smart features and generated output

When you use Smart features, we send the lesson objective, class context, and any guidance you provide to our language- model providers (listed in Section 6) to generate output. We do not log your prompts for training or share them with third parties beyond what's required to generate a response.

Technical information

Minimal technical data necessary to operate the Service. That means your session token, request timestamps, and basic error logs. We do not run analytics trackers, cookies for advertising, or fingerprinting.

3. How we use information

We use the information we collect to:

• Operate the Service (store your classes, lessons, grades)
• Generate Smart content when you request it, by sending relevant inputs to our language-model providers
• Process payments and manage your subscription
• Send essential service emails (magic-link sign-in, receipts)
• Investigate and respond to security issues, abuse, or legal requests
• Improve the Service in aggregate (e.g., fix bugs)

We do not sell your information. We do not use your content to train machine-learning models. We do not serve advertising.

4. Student data (FERPA / COPPA)

Lessaro processes student educational records only on behalf of the educator who enters them. In United States regulatory terms, Lessaro acts as a “school official” with a “legitimate educational interest” under FERPA, to the extent applicable to your school or district.

Because Lessaro does not interact with students directly, we do not knowingly collect personal information from children under 13. If students are under 13 and you enter their information, you represent that you have the authority and any parental consent required by COPPA or other applicable law.

We recommend minimizing the personal information you enter about students. Lessaro functions fully with just first names, last names, and an optional external student ID. Email and notes are optional.

Dominican Republic, Ley 172-13

For users in the Dominican Republic, our processing follows the principles of Ley No. 172-13 sobre Protección de Datos Personales: lawful basis, purpose limitation, data minimization, accuracy, limited retention, and the rights of access, rectification, cancellation, and opposition (derechos ARCO). Educators remain the Controller of Student Data under the Service, and Brinl acts as Processor.

5. How we share information

We share information only in these cases:

With service providers

Third-party providers that help us operate Lessaro (listed in Section 6). These providers process information solely to provide services to us and are contractually bound to handle it securely.

For legal compliance

If required to comply with a lawful legal process, court order, or government request. We will only comply with valid, narrowly- scoped requests and notify you where legally permitted.

In a business transaction

If Brinl LLC is involved in a merger, acquisition, or asset sale, information may be transferred to the successor entity subject to the terms of this policy or a comparable replacement.

6. Third-party service providers

Lessaro relies on the following sub-processors to deliver the Service. Each has its own privacy and security practices, and we select providers with strong reputations and enforceable data agreements.

• Vercel — application hosting and delivery.
• Neon — managed PostgreSQL database for your Lessaro data.
• Stripe. Subscription billing and payment processing.
• Moonshot (Kimi). Smart generation (lesson scaffolds and worksheets).
• OpenAI. Text embeddings used to match your inputs against our research corpus.
• Resend. Transactional email delivery (magic-link sign-in).

We may update this list as we change providers. Material changes will be communicated alongside a policy update.

7. International data transfers

Our service providers may process data in the United States, European Union, or other jurisdictions depending on the provider. If you use Lessaro from outside the United States, you understand and consent to the transfer of your information to jurisdictions that may have different data-protection laws than your country of residence.

8. Data security

We use industry-standard measures to protect your data — HTTPS for all traffic, encrypted database storage, scoped access tokens for service-to-service communication, and signed session tokens. No system is perfectly secure, and we cannot guarantee absolute security. You can reduce risk by keeping your email account secure (since we authenticate via magic link) and promptly notifying us of any suspected unauthorized access.

9. Data retention and deletion

We retain your account data while your account is active. If you delete your account, we delete your data within 30 days, except where retention is required by law (e.g., financial records for tax purposes).

You can request deletion or a copy of your data at any time by emailing legal@brinl.com. We will respond within 30 days.

10. Your rights

Depending on your jurisdiction, you may have rights to access, correct, export, or delete your personal information, and to object to or restrict certain processing. Residents of California, the European Union, the United Kingdom, and other jurisdictions with comparable laws may have additional rights.

To exercise any of these rights, email us at legal@brinl.com. We will verify your identity and respond within 30 days.

11. Cookies and tracking

Lessaro uses a minimal set of cookies strictly necessary to operate the Service:

• An authentication session cookie (so you stay signed in between page loads)
• A CSRF-protection token to prevent request-forgery attacks

We do not use cookies for advertising or third-party behavioral tracking.

12. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or with an in-app notice. The “Last updated” date at the top of this page reflects the most recent revision.

13. Contact

Brinl LLC
260 Shirley Ln, Pennsburg, PA 18071, United States
Building real impact in next-gen learning.

Privacy and data-rights requests: legal@brinl.com
General inquiries: info@brinl.com