Privacy Policy
Last updated: March 23, 2026
1. Data Controller
The Draft My Lesson service is operated by JD Michael Casanova, independent developer.
Contact: [email protected]
2. Data Collected
We collect the following data:
| Data | Purpose | Legal Basis |
|---|---|---|
| Name, email | Account creation and management | Contract |
| Password (bcrypt hashed) | Authentication | Contract |
| Subjects, levels, teaching preferences | Personalization of generated lessons | Contract |
| Student nicknames, class names | Pedagogical context | Contract |
| Generated lessons and history | Teaching continuity, progress tracking | Contract |
| UTM parameters (source, medium, campaign) | Marketing acquisition measurement | Legitimate interest |
| Browsing data (pages viewed, duration) | Audience analytics (Google Analytics) | Consent |
| Conversion events | Advertising measurement (Meta Pixel) | Consent |
| Card fingerprint (pseudonymized) | Abuse prevention (single use of free trial) | Legitimate interest |
Students are identified exclusively by nicknames. We ask teachers to never enter a student's real name.
3. Cookies and Trackers
We use cookies only with your explicit consent, collected via our cookie banner. You can decline without any impact on the service.
| Cookie | Purpose | Duration |
|---|---|---|
| cookie_consent | Remember your cookie choice | Persistent (localStorage) |
| dml_session | Authentication session | 7 days (httpOnly cookie) |
| Google Analytics (_ga, _ga_*) | Anonymized audience analytics | 2 years (if consented) |
| Meta Pixel (_fbp) | Advertising conversion measurement | 90 days (if consented) |
Google Analytics is configured with the anonymize_ip: true option. Consent Mode v2 is enabled: no cookies are set before your acceptance.
4. Use of Artificial Intelligence
To generate lessons, student handouts, and exercises, we transmit the pedagogical information you enter (subject, level, duration, teaching direction, lesson history) to a third-party language model. This processing is necessary for the execution of the service.
The data sent does not contain any personally identifiable information (no real student names, no email addresses). Only pedagogical information is transmitted.
5. Sub-Processors and Data Transfers
| Sub-Processor | Service | Location | Data Concerned |
|---|---|---|---|
| MiniMax | Lesson generation (LLM) | China | Pedagogical content (no PII) |
| OpenRouter | Semantic embeddings | United States | Indexed pedagogical text |
| Resend | Transactional emails | United States | Email address |
| Cloudflare | CDN, DNS, tunnel | International | Network traffic |
| Google (Analytics) | Audience analytics | United States | Anonymized browsing (if consented) |
| Meta (Pixel) | Advertising measurement | United States | Conversion events (if consented) |
| Stripe | Payment and billing | United States / EU | Email, name, payment data |
International data transfers are governed by Standard Contractual Clauses (SCCs) where applicable, and comply with relevant data protection frameworks including GDPR (EU/UK), the Australian Privacy Act 1988, PIPEDA (Canada), and the New Zealand Privacy Act 2020.
6. Storage and Security
- Data is stored on self-hosted infrastructure in Europe (EU).
- Passwords are hashed with bcrypt (salt 12).
- Communications are protected by HTTPS (TLS 1.2+).
- Authentication tokens expire after 7 days.
- Data access is restricted by role-based access controls.
7. Data Retention
| Data | Duration |
|---|---|
| User account | Until account deletion |
| Generated lessons | Until deleted by user or account deletion |
| Analytics data | 14 months (Google Analytics configuration) |
| Server logs | 30 days |
| Card fingerprint | Until account deletion |
8. Your Rights
In accordance with applicable data protection regulations — including the EU/UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), the Australian Privacy Act 1988, PIPEDA (Canada), and the New Zealand Privacy Act 2020 — you have the following rights:
- Right of access: obtain a copy of your personal data
- Right to rectification: correct inaccurate data
- Right to erasure: request deletion of your data
- Right to data portability: receive your data in a structured format
- Right to object: object to the processing of your data
- Right to withdraw consent: withdraw your cookie consent at any time
To exercise these rights, contact us at [email protected]. We will respond within 30 days.
You may also file a complaint with the relevant data protection authority in your jurisdiction.
For California residents (CCPA/CPRA): We do not sell your personal information. You have the right to know what personal information we collect, request deletion, and opt out of any future sale. To exercise these rights, contact us at the email above.
For Australian residents: You may also contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au if you believe your privacy has been breached.