Last updated: June 2026

LessonLoop is built for the UK, and that includes data protection. We comply with the UK GDPR and the Data Protection Act 2018, and we make it easy for your studio to meet its obligations too.

Roles

For the pupil, guardian and lesson data in your account, your studio is the data controller and LessonLoop is the data processor. For our own website and account data, we are the controller. See our Privacy Policy for detail.

Data Processing Agreement

A DPA is available to every studio and forms part of our terms. It sets out the subject-matter, duration and nature of processing, the categories of data and data subjects, and our obligations as processor — including the sub-processors listed in our Privacy Policy.

How we help you comply

Right of access & portability — export a pupil or guardian’s data at any time.
Right to erasure — delete a record and its associated data, actioned through your studio.
Data minimisation — directory sharing and messaging are opt-in and minimised by default.
Security — encryption in transit and at rest, row-level isolation per studio, and a full audit log.
Lawful messaging — marketing preferences default to opt-out; transactional messages are clearly separated.

International transfers

Studio data is hosted in the EU. Where a sub-processor operates outside the UK/EEA, transfers are covered by appropriate safeguards such as the UK International Data Transfer Addendum.

Contact

Data protection enquiries: privacy@lessonloop.net. You also have the right to complain to the UK Information Commissioner’s Office (ICO).