Privacy Policy

How we collect, use, and protect your personal data. Compliant with UK GDPR and the Data Protection Act 2018.

Last updated: March 2026

1. Who We Are

Lesso ("we", "us", "our") is the data controller for personal data processed through lesso.app. For data protection queries, contact us at privacy@lesso.app.

You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe we have not handled your data correctly.

2. Data We Collect and Why

| Data | Lawful Basis | Purpose |
| --- | --- | --- |
| Name, email address | Contract | Account creation, authentication, communications |
| Payment details (card via Stripe) | Contract | Processing subscription payments — card data never touches our servers |
| Course content (creators) | Contract | Hosting and delivering courses to subscribers |
| Discussion posts (learners) | Contract | Providing community features within courses |
| Bank/payment details (creators, affiliates) | Contract | Processing manual monthly payouts |
| Usage data (pages viewed, session data) | Consent | Improving the platform with Vercel Analytics — only collected after you accept analytics cookies |
| Affiliate referral data | Contract / Consent | Tracking referral attribution for commission purposes |
| IP address | Legitimate interest | Security, fraud prevention, and abuse detection |
| Marketing preferences | Consent | Sending promotional emails (you can unsubscribe at any time) |
| Conversion event data (pseudonymous browser ID) | Consent | Sent to X (Twitter) when a creator publishes a course — only if marketing cookies are accepted |

3. Who We Share Data With

We do not sell personal data to third parties. We share data only with service providers necessary to operate the platform:

  • Stripe — payment processing. See Stripe's Privacy Policy.
  • Vercel Analytics — anonymised usage analytics, only loaded with your explicit consent.
  • Resend — transactional and notification emails.
  • Supabase — database and authentication infrastructure, hosted in the EU.
  • X (Twitter) — conversion tracking pixel, loaded only with marketing consent. A pseudonymous browser identifier is shared when a creator publishes a course. See X's Privacy Policy.

Creator earnings data is visible only to the creator and to Lesso staff for payout processing. Affiliates can see which creators they referred and aggregated revenue data — they cannot see individual learner data.

4. Data Retention

  • Active accounts: data retained while your account remains active.
  • Closed accounts: personal data deleted within 90 days of closure, except where retention is required by law.
  • Financial records: retained for 6 years per HMRC requirements.
  • Discussion posts: may be anonymised rather than deleted to preserve discussion thread integrity.
  • Analytics data: retained for up to 12 months in anonymised form.

5. Your Rights Under UK GDPR

You have the following rights regarding your personal data. To exercise any of them, email privacy@lesso.app. We will respond within one calendar month.

  • Right of access — request a copy of the personal data we hold about you (Subject Access Request).
  • Right to rectification — request correction of inaccurate or incomplete data.
  • Right to erasure — request deletion of your data, subject to legal retention obligations.
  • Right to restrict processing — request that we limit how we use your data.
  • Right to data portability — receive your data in a structured, machine-readable format.
  • Right to object — object to processing based on legitimate interest.
  • Right to withdraw consent — withdraw marketing or analytics consent at any time via your cookie preferences.

6. International Data Transfers

Some of our service providers (including Stripe and Vercel) may process data outside the UK. Where this occurs, we rely on Standard Contractual Clauses or UK adequacy decisions to ensure appropriate safeguards are in place.

7. Children

The platform is not directed at children under 16. If we become aware that a child under 16 has provided personal data without appropriate consent, we will delete it promptly.

8. Security

We implement appropriate technical and organisational measures to protect your data, including: TLS encryption in transit; secure credential storage (we use magic link authentication — no passwords stored); access controls on internal systems; and regular security reviews.

Card payment data never touches our servers — it is handled directly by Stripe.

We will notify you and the ICO of any data breach that poses a risk to your rights and freedoms within 72 hours of becoming aware of it.

9. Cookies

See our Cookie Policy for full details on the cookies we use and how to manage your preferences.

Contact

Data protection queries: privacy@lesso.app

ICO complaints: ico.org.uk