Privacy Policy
Effective: April 17, 2026 · Operator: Lesson of the Day, PBC
The Daily Lesson is built with privacy by design. We do not sell your data. We do not run third-party analytics. Education is a human right, not an advertising opportunity.
1. Who We Are
Lesson of the Day, PBC ("LOTD," "we," "us") operates The Daily Lesson at thedailylesson.com. Contact: privacy@lotdpbc.com.
2. What We Collect
Without an account
You can use The Daily Lesson without providing any personal information. We collect:
- Device identifier: A random ID stored in your browser's localStorage for progress tracking. It never leaves your device unless you create an account.
- Operational telemetry: Route, lesson day, language, coarse country code (from Cloudflare CF-IPCountry header), and referrer — for service operation only.
- IP address: Retained for less than 24 hours in transient server logs for abuse prevention. Not stored in any database.
With an account
When you create an account, we additionally collect:
- Email address — for authentication (magic links), account recovery, and transactional notifications.
- Display name (optional) — shown to co-learners in live classes.
- Age band, language, timezone — to personalize your learning experience.
- Lesson progress — days completed, quiz scores, streaks, words explored.
- Billing country — for purchasing-power-parity pricing.
- Stripe customer ID — we do not store credit card numbers; Stripe handles all payment data.
Affiliate participants
If you participate in the affiliate program, we additionally store your affiliate code, referral graph, commission ledger, and payout information (Stripe Connect ID or USDC wallet address).
Live classes
Live classes may be recorded (audio + video). Recordings are stored encrypted in R2 for 24 hours and then permanently deleted. Recordings are accessible only to class attendees via signed URLs.
3. How We Use Your Data
- Deliver and personalize your learning experience
- Authenticate your identity and manage sessions
- Process payments and manage subscriptions
- Calculate and pay affiliate commissions
- Send transactional emails (magic links, receipts, class reminders)
- Detect and prevent fraud and abuse
- Maintain service availability and security
We do not use your data for advertising, profiling, or sale to third parties.
4. Cookies
We use a minimal set of cookies. See our Cookie Notice for details.
5. Data Sharing
We share data only with these categories of processors, and only as necessary:
| Provider | Purpose | Data shared |
|---|---|---|
| Cloudflare | Infrastructure (Workers, D1, R2) | All data transits Cloudflare; encrypted at rest |
| Stripe | Payment processing | Email, billing country, payment method (held by Stripe) |
| Resend / Postmark | Email delivery | Email address, message content |
| LiveKit | Live class video/audio | User ID (pseudonymous), audio/video streams |
We do not share data with advertising networks, data brokers, or analytics providers.
6. Children's Privacy (COPPA)
We do not knowingly collect personal information from children under 13 without verifiable parental consent. Children under 13 may only use The Daily Lesson under a Family plan managed by a parent or guardian. See our Parental Consent Policy.
7. Your Rights (GDPR, CCPA, UK-GDPR)
Depending on your jurisdiction, you have the right to:
- Access your personal data
- Correct inaccurate data
- Delete your account and data ("right to be forgotten")
- Export your data in a portable format
- Object to processing (where applicable)
- Opt out of sale of personal information (we do not sell data, but you may exercise this right)
To exercise any right, email privacy@lotdpbc.com or go to /you → Settings → Delete account.
Account deletion: Removes your personal data within 30 days. Affiliate attribution edges are severed (future commissions cease). Anonymized aggregate data (lesson completion counts) may be retained for service improvement.
GDPR lawful basis: Consent (account creation), Contract (subscription), Legitimate interest (fraud prevention, service operation).
8. Data Retention
| Data type | Retention |
|---|---|
| Server logs (IP) | Less than 24 hours |
| Class recordings (adult) | 24 hours |
| Class recordings (kids) | 30 days |
| Account data | Until account deletion |
| Payment records | 7 years (tax/legal compliance) |
| Commission ledger | 7 years (tax/legal compliance) |
| Fraud flags | 2 years |
9. Security
- All connections encrypted via TLS 1.3
- Data encrypted at rest (Cloudflare D1, R2)
- Passwordless authentication (magic links, single-use, 15-minute expiry)
- Session tokens: HttpOnly, Secure, SameSite=Lax
- Rate limiting and abuse detection on all endpoints
- Cloudflare Turnstile on authentication endpoints
10. International Transfers
Data is processed on Cloudflare's global edge network. For EU/UK users, Cloudflare maintains adequate safeguards under EU Standard Contractual Clauses. We have executed Cloudflare's Data Processing Addendum (DPA), available at cloudflare.com/trust-hub/gdpr.
11. EU/UK Representative
If you are in the European Economic Area or United Kingdom, our designated representative under GDPR Article 27 can be contacted at: privacy@lotdpbc.com. (Formal EU representative appointment pending — this section will be updated with the representative's name and address.)
12. Changes
Material changes will be communicated via email at least 14 days before taking effect. The effective date above reflects the latest version.
13. Contact
Lesson of the Day, PBC
Data Protection Contact: privacy@lotdpbc.com
lotdpbc.com