Privacy Policy

By providing Personal Information to us, you agree to the terms of this Privacy Policy.

Last updated: August 27, 2025

Background

Lernico AI (the “Service”) is developed and operated by Lernico Labs AB (the “Company”) to provide teachers with an AI assistant for all their work, helping them plan lessons, give feedback, and personalize learning using AI. This Privacy Policy describes our practices for information collected through our websites, apps and related services that link to or reference this Privacy Policy (collectively, the “Services”).

This Policy is designed to meet requirements under the EU/EEA GDPR and, when we process information for U.S./Canadian institutions under their direction, applicable U.S./Canadian student privacy laws. Where local law provides stronger protections, we follow those.

Roles & Scope

Teacher self‑serve accounts (B2C). For individual teacher accounts created directly with us, the Company is the data controller for the personal data processed in connection with those accounts.

Schools and districts (B2B). When a school, municipality, academy trust, or district procures the Service and authorizes us to process Student Data on its behalf, the educational institution is the data controller (or equivalent under applicable law) and the Company acts as its data processor. Our processing is governed by the applicable data processing agreement (DPA) with that institution.

Personal Data We Collect

  • Identity & Contact – name (or chosen name), email address (required for teachers), role/title, school/organization.
  • Account & Authentication – chosen username, hashed passwords, authentication tokens and preferred language.
  • Educational & Content Data – lesson plans, assignments, feedback you create, prompts you submit, files you upload, and student work and results only when provided or authorized by the school/teacher.
  • Usage & Device Data – activity logs, clickstream, performance metrics, IP address, device identifiers, browser type, app/version, crash logs, and cookie identifiers.
  • Support & Communications – messages you send to support, survey responses, and call/meeting notes where applicable.
  • Billing Data (teachers only) – limited payment information, such as payment method metadata, processed securely by our third-party payment provider. We do not store full card details.

If you submit personal data of others (e.g., class rosters or student work), you represent that you are authorized to do so and to allow our processing consistent with this Policy and any applicable DPA.

Lawful Bases for Processing (GDPR)

  • Performance of a contract (e.g., to provide accounts, process payments, deliver core features).
  • Legitimate interests (e.g., to secure, improve, and support the Services, balanced against your rights).
  • Consent (e.g., optional cookies or marketing communications).
  • Legal obligations (e.g., accounting, regulatory compliance).

How We Use Personal Data

  • Provide and operate the Services, including account provisioning, access control, rostering, assignments, grading assistance, and personalization features.
  • Respond to inquiries and support requests, and troubleshoot and resolve incidents.
  • Send service/administrative notices, such as updates to features, security, and terms.
  • Enable teacher–student workflows, e.g., letting teachers assign tasks to students and view results (as configured by the school).
  • Maintain safety and security, including monitoring for abuse, misuse, and threats.
  • Improve and develop the Services, including analytics about features and performance.
  • Provide marketing communications to teachers and school staff (never to students) where permitted by law, with the ability to opt out at any time.

Our Services are designed for teacher use. We do not require or intend that teachers submit identifiable student data. If you choose to include student information in prompts, uploads, or lesson content, you represent that you have the authority to do so and that such use complies with applicable law. Lernico processes such information only as necessary to provide the requested functionality, does not use it for secondary purposes, and deletes or anonymizes logs within 30 days.

We do not use student personal data for behavioral advertising or to build profiles unrelated to educational purposes.

Student Data (Schools as Controller)

When an educational institution (e.g., municipality/district, school, or trust) procures and configures the Service, the institution is the data controller for Student Data and the Company acts as its data processor. We will:

  • process Student Data only to provide and support the Services as instructed by the institution and our DPA;
  • not use or disclose Student Data for targeted advertising or to build profiles unrelated to an educational purpose;
  • provide access to Student Data only to authorized school users (e.g., teachers, admins) consistent with configured roles;
  • retain Student Data only as long as necessary to deliver the Services and as instructed by the institution, then delete or return it upon request; and
  • notify designated school contacts of any Student Data breach within 24–48 hours of confirmation, and cooperate to meet legal notification requirements.

We will not make material changes affecting Student Data use without notifying schools in advance and providing appropriate choices. Parents and students should direct access, correction, or deletion requests to their school, which will instruct us as appropriate.

Sharing & Disclosure

We do not sell or rent personal data. We share personal data only with:

  • Trusted processors who provide hosting, storage, analytics, communications, authentication, and support. They may process data solely under our instructions and appropriate safeguards.
  • Educational institutions linked to your account (e.g., a district, school, or class) to enable configured features and oversight.
  • Business transfers related to mergers, acquisitions, or asset sales. We will notify affected users and institutions of material changes of control and applicable choices.
  • Legal compliance and safety when required to meet legal obligations or to protect the rights, safety, and integrity of users and the Service.

When we use data for statistics or service analytics, we aggregate or de‑identify it whenever possible.

AI, Prompts, and Model Training

  • No foundation‑model training on your personal data. We do not use personal data to train third‑party foundation models.
  • No provider log retention. Prompts/outputs sent to AI providers are processed in real time only; they are not stored or retained by those providers beyond the request itself.
  • Product improvement. We may use aggregated and de‑identified usage data to improve quality, safety, and performance. Limited human review may be used for abuse prevention and support, under strict access controls.
  • Institution controls. For school/district deployments, use of data for product improvement is governed by your DPA and can be restricted or disabled per institutional settings.
  • Google & Microsoft integrations. Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy (Limited Use). For Microsoft 365/Graph integrations, we access only the minimum scopes needed to provide the Service and do not use such data for advertising or profiling.

Data Location, Transfers & Retention

Location. For EU/EEA customers, we store personal data in the EU/EEA. For U.S./Canada customers, we store personal data in the United States. Where data is transferred across regions (e.g., to vetted processors), we use recognized transfer mechanisms such as EU Standard Contractual Clauses and additional safeguards.

Retention. We retain personal data for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements. For school customers, retention is governed by our DPA and/or the institution’s instructions. Typical retention includes: account data until account closure, billing data per statutory accounting rules, and support communications until resolved. AI provider logs are retained ≤ 30 days solely for abuse monitoring.

Security

We implement administrative, technical, and organizational measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. Measures include access controls, encryption in transit and at rest where applicable, role‑based access, logging, and employee confidentiality obligations. You are responsible for safeguarding your account credentials and restricting access to your devices.

For institutional customers, we notify designated contacts of confirmed incidents involving Student Data within 24–48 hours of confirmation and cooperate to meet applicable legal and contractual notification requirements.

We regularly review and test our security measures to adapt to evolving threats.

Cookies & Similar Technologies

We currently use only strictly necessary cookies to operate the Service (e.g., to keep you signed in and secure). We do not use analytics, advertising, or other non‑essential cookies at this time. If we later introduce optional analytics cookies, we will request your consent and provide in‑product controls to manage preferences.

Your Rights

Subject to applicable law, you may have the right to access, rectify, erase, restrict, object, and port your personal data, and to withdraw consent where we rely on consent. For teacher self‑serve accounts, contact us using the details below. For data processed on behalf of an educational institution, please submit requests through your school/district, which controls the data and will instruct us as appropriate.

You also have the right to lodge a complaint with your local supervisory authority.

US residents (CCPA/CPRA): you may also request access to, or deletion of, your personal information, and we will not discriminate against you for exercising these rights.

Communications Preferences

Teachers and school staff may opt out of marketing emails at any time using the unsubscribe link in our emails or by contacting us. We will continue to send important service, security, and transactional messages.

Government Requests & Transparency

We narrowly review and, where appropriate, challenge overbroad government or law‑enforcement requests. We require lawful process, limit disclosures to the minimum required, and notify affected customers where legally permissible.

Contact Us

Lernico Labs AB
Registered address: Teknikringen 11428
Email: legal@lernico.ai

Data Protection Officer: Lernico has not appointed a Data Protection Officer. Please direct inquiries to the contact above.

Changes to This Policy

We may update this Privacy Policy from time to time. The “Last updated” date shows when it was last revised. Material changes will be notified via email to account holders, an in‑app notice, and/or our website. Continued use of the Service after the effective date constitutes acceptance of the revised Policy.

Key Definitions

  • “Personal data” / “Personal information” means information relating to an identified or identifiable individual.
  • “Controller” and “Processor” have the meanings given in the GDPR.
  • “Educational institution” includes schools, municipalities/districts, academy trusts, and similar bodies.
  • “Student Data” means personal data about students processed to provide the Services to an educational institution.

If you need this Policy in Swedish or another language, please contact us.