Privacy Policy
Last updated: March 23, 2026
1. Data Controller
The Draft My Lesson service is operated by Drafted By (JD Michael Casanova).
Contact: [email protected]
2. Data Collected
We collect the following data:
| Data | Purpose | Legal Basis |
|---|---|---|
| Name, email | Account creation and management | Contract |
| Password (bcrypt hashed) | Authentication | Contract |
| Subjects, levels, teaching preferences | Personalization of generated lessons | Contract |
| Student nicknames, class names | Pedagogical context | Contract |
| Generated lessons and history | Teaching continuity, progress tracking | Contract |
| UTM parameters (source, medium, campaign) | Marketing acquisition measurement | Legitimate interest |
| Browsing data (pages viewed, duration) | Audience analytics (Google Analytics) | Legitimate interest (opt-out available) |
| Conversion events | Advertising measurement (Meta Pixel) | Legitimate interest (opt-out available) |
| Card fingerprint (pseudonymized) | Abuse prevention (single use of free trial) | Legitimate interest |
Students are identified exclusively by nicknames. We ask teachers to never enter a student's real name.
3. Cookies and Trackers
We use analytics cookies to understand how our service is used and to improve it. You can opt out at any time via the "Manage cookies" link in the footer, without any impact on the service.
| Cookie | Purpose | Duration |
|---|---|---|
| cookie_consent | Remember your cookie choice | Persistent (localStorage) |
| dml_session | Authentication session | 7 days (httpOnly cookie) |
| Google Analytics (_ga, _ga_*) | Anonymized audience analytics | 2 years |
| Meta Pixel (_fbp) | Advertising conversion measurement | 90 days |
Google Analytics is configured with the anonymize_ip: true option. You can opt out of analytics tracking at any time via the footer.
4. Use of Artificial Intelligence
To generate lessons, student handouts, and exercises, we transmit the pedagogical information you enter (subject, level, duration, teaching direction, lesson history) to language models provided by third-party vendors (see table below). We reserve the right to change providers or models at any time in order to improve service quality. This processing is necessary for the execution of the service.
The data sent does not contain any personally identifiable information (no real student names, no email addresses). Only pedagogical information is transmitted.
5. Sub-Processors and Data Transfers
| Sub-Processor | Service | Location | Data Concerned |
|---|---|---|---|
| MiniMax | Content generation (LLM) | China | Pedagogical content (no PII) |
| OpenAI | Content generation (LLM) | United States | Pedagogical content (no PII) |
| OpenRouter | API routing & semantic embeddings | United States | Pedagogical content, indexed text |
| Resend | Transactional emails | United States | Email address |
| Cloudflare | CDN, DNS, tunnel | International | Network traffic |
| Google (Analytics) | Audience analytics | United States | Anonymized browsing (if consented) |
| Meta (Pixel) | Advertising measurement | United States | Conversion events (if consented) |
| Stripe | Payment and billing | United States / EU | Email, name, payment data |
International data transfers are governed by Standard Contractual Clauses (SCCs) where applicable, and comply with relevant data protection frameworks including GDPR (EU/UK), the Australian Privacy Act 1988, PIPEDA (Canada), and the New Zealand Privacy Act 2020.
6. Storage and Security
- Data is stored on self-hosted infrastructure in Europe (EU).
- Passwords are hashed with bcrypt (12 salt rounds).
- Communications are protected by HTTPS (TLS 1.2+).
- Authentication tokens expire after 7 days.
- Data access is restricted by role-based access controls.
7. Data Retention
| Data | Duration |
|---|---|
| User account | Until account deletion |
| Generated lessons | Until deleted by user or account deletion |
| Analytics data | 14 months (Google Analytics configuration) |
| Server logs | 30 days |
| Card fingerprint | Until account deletion |
8. Your Rights
In accordance with applicable data protection regulations — including the EU/UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), the Australian Privacy Act 1988, PIPEDA (Canada), and the New Zealand Privacy Act 2020 — you have the following rights:
- Right of access: obtain a copy of your personal data
- Right to rectification: correct inaccurate data
- Right to erasure: request deletion of your data
- Right to data portability: receive your data in a structured format
- Right to object: object to the processing of your data
- Right to opt out: disable analytics cookies at any time via the footer
To exercise these rights, contact us at [email protected]. We will respond within 30 days.
You may also file a complaint with the relevant data protection authority in your jurisdiction.
For California residents (CCPA/CPRA): We do not sell your personal information. You have the right to know what personal information we collect, request deletion, and opt out of any future sale. To exercise these rights, contact us at the email above.
For Australian residents: You may also contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au if you believe your privacy has been breached.