← Back to Home
LessonHouse

Privacy Policy – LessonHouse

Last Updated: September 12, 2025

This Privacy Policy explains how LessonHouse (“we”, “us”, “our”) collects, uses, shares, and protects personal data when you use our platform available at lessonhouse.app (the “Service”).

We comply with the EU General Data Protection Regulation (GDPR) and applicable national data protection laws in Europe. Information specific to United States residents (including California) appears below.

This document is for general information only and is not legal advice.

1) Controller & Publisher

Controller (Service user accounts)
Raymond RUTJES, sole proprietor (France) – SIREN 512 378 225 – SIRET 512 378 225 00043
Registered address: 7 Rue de l'Entente, 69720 Saint-Bonnet-de-Mure, France
Privacy e-mail: [email protected]

Role for “clients of our users” data
For data that our users (coaches, teachers, home-service providers) enter about their clients (e.g., students), LessonHouse acts as a processor under the GDPR; the user remains the controller. A Data Processing Agreement (DPA) is available on request at [email protected].

2) Data We Collect

  • Account data: first and last name, e-mail, password (hashed), profile settings.
  • Usage data: in-app activity, technical logs (IP address, device identifiers, error events).
  • “Clients of our users” data: first and last name, date of birth, addresses, e-mail, phone, notes and session history, as entered by the user. No health data by default.
  • Payments: processed by Stripe. We do not store or process card numbers.
  • Integrations: if you connect Google Calendar (optional), we sync event data (title, date/time, invitees, locations) to create/update invitations.
  • Analytics & web tracking: via PostHog to understand user journeys and improve the product (page views, clicks, events).

3) Purposes & Legal Bases

  • Provide the Service (account creation, CRM, scheduling, notifications) – Contract performance.
  • Payments & invoicing (via Stripe) – Contract performance & legal obligations.
  • Security, fraud prevention, and operations (Cloudflare, Sentry, logs) – Legitimate interests.
  • Product improvement & analytics (PostHog) – Legitimate interests or Consent where required (e.g., cookies).
  • Communications (transactional e-mails via AWS SES, support) – Contract performance & legitimate interests.
  • Optional third-party integrations (Google Calendar) – Consent.

4) Recipients & Processors

We use service providers that process data on our behalf:

  • Stripe (payments & invoicing)
  • PostHog (product & web analytics)
  • Sentry (monitoring, error tracking)
  • AWS Simple Email Service (SES) (transactional e-mails)
  • Cloudflare (CDN, security, anti-DDoS)
  • Hetzner, Germany (hosting)

These providers are bound by contractual confidentiality, security, and GDPR compliance obligations. The list may evolve; the up-to-date version will be published on this page.

5) Locations & International Transfers

Data is primarily hosted within the European Union (Hetzner, Germany). Some providers may involve transfers to third countries (e.g., the United States). Such transfers are safeguarded by the EU Standard Contractual Clauses (SCCs) and/or equivalent recognized mechanisms. We do not currently offer US-localized hosting.

6) Data Retention

  • User account: for the duration of your use, then deletion/anonymization within a reasonable time after closure.
  • “Clients of our users” data: as configured by the user (they may rectify/delete). We delete upon account closure or on the controller’s instruction.
  • Billing records: up to 10 years (accounting/tax obligations).
  • Logs & analytics: generally up to 13 months.

7) Your Rights (GDPR)

You have the rights of access, rectification, erasure, restriction, objection, and data portability. Where permitted, you may also define instructions for your data after death.

To exercise your rights, contact: [email protected]. We may verify your identity before responding.

You may lodge a complaint with your supervisory authority (e.g., CNIL in France) if you believe your rights are infringed.

“Clients of our users” data: please first contact the controller (the coach/teacher using LessonHouse). We will assist them with your request.

8) Minors

Users may manage data relating to minors (students). The user agrees to have the appropriate legal basis (e.g., parental consent) and to comply with applicable laws. LessonHouse implements appropriate security measures and acts as a processor for such data.

9) Security

We implement technical and organizational measures appropriate to risk: encryption in transit, environment separation, access controls, firewall/anti-DDoS (Cloudflare), monitoring and incident response (Sentry), backups. If a breach is likely to result in a risk to your rights and freedoms, we will notify the competent authority and, where required, affected individuals.

To report a security incident: [email protected].

10) Cookies & Analytics

We use cookies/trackers for:

  • Required: site operation and security.
  • Analytics & product: PostHog to analyze usage and improve experience.

Where required, your consent is obtained via a cookie banner. You may withdraw consent at any time via your browser settings and/or our banner. Refusing non-essential cookies will not block access to the Service but may limit some features.

11) Integrations: Google Calendar

Connecting Google Calendar is optional. By enabling it, you authorize us to create/update events (titles, dates/times, locations, invitees) to facilitate scheduling and invitations. You can revoke access at any time from your Google account and/or the Service settings.

12) Information for United States Residents (Overview)

If you reside in a U.S. state with consumer privacy laws (e.g., California: CCPA/CPRA), you may have rights to access, delete, and portability, as well as the right to opt out of certain sharing. We do not sell your personal data. To exercise your rights, contact [email protected].

13) Sources of Data

We collect data: (i) directly from you; (ii) from your devices and browsing (via PostHog and logs); (iii) from services you connect (Google Calendar); and (iv) via our technical providers (Stripe, Cloudflare, etc., as necessary for operations).

14) Automated Decision-Making

We do not make decisions producing legal effects concerning you based solely on automated processing, including profiling.

15) Changes to this Policy

We may amend this Policy to reflect legal, technical, or business developments. The “Last Updated” date will be adjusted. For material changes, we will notify you via appropriate means (banner, e-mail, in-app notice).

16) Contact

Practical Legal Notes

  • For “clients of our users” data, a Data Processing Agreement (DPA) is available on request.
  • We maintain a record of processing activities, apply data minimization, and periodically review our processors.
  • For cookie compliance, display a consent banner appropriate to the jurisdictions you target.