Last updated · 19 April 2026

Privacy Policy

This policy explains how Lermu handles personal data. We use plain language where possible. If something's unclear, email us at hello@lermu.com.

Who we are

Lermu is a trading name of Lermu Ltd (Company Number to be confirmed), a company registered in England and Wales. Our contact address will be published here once incorporation is complete. For now, the fastest way to reach us is hello@lermu.com.

We are the data controller for the personal information described in this policy. This means we decide how and why your data is processed.

What data we collect

When a parent signs up

We collect: your name, email address, password (stored as a hashed value, never in plain text), billing address, and payment card details (handled entirely by Stripe — we never see or store full card numbers ourselves).

When a child uses the platform

We collect: the child's first name (or nickname of your choice), year group, session history (which questions they answered, correct/incorrect, time spent), and performance across skills. We do not collect a child's surname, date of birth, school name, address, or any other identifying information beyond what's needed to show their progress.

Automatic data

When you use the site, our servers automatically record: IP address, browser type, device type, pages visited, and timestamps. This is used for security, debugging, and service improvement. We do not sell this data or use it for advertising.

Why we collect it

We process your data for the following legitimate purposes:

To provide the service. We need your email to let you log in and send you service updates. We need your child's session history to show you their progress and adapt their practice.

To process payments. We use Stripe to handle subscriptions. We share the minimum data required (email, billing address) to complete transactions.

To improve the product. We review aggregated, non-identifying usage patterns to understand what works and what doesn't. No individual parent or child is identified in this analysis.

Legal obligations. We keep certain records (billing, refunds) as required by UK tax and consumer protection law.

Your legal basis

Under UK GDPR, we rely on these lawful bases:

Contract. Processing is necessary to provide the service you're paying for.

Legitimate interests. For service improvement, security, and fraud prevention — balanced against your rights.

Consent. Where we ask for optional data (e.g., feedback surveys) or send marketing emails beyond essential service updates.

Legal obligation. Where UK law requires us to keep records.

Children's privacy

Lermu is designed to be used by children in Years 4–6 (ages 8–11), with a parent or legal guardian as the account holder and payer.

A child cannot create their own account. The parent account holder creates the child profile and is responsible for the child's use of the service.

We follow the UK Information Commissioner's Office Age Appropriate Design Code. Specifically:

— We collect the minimum data needed to provide the service. No marketing profiling of children.

— Parents can see and export everything we hold on their child at any time from the parent dashboard.

— Parents can delete their child's data at any time. Deletion is permanent within 30 days.

— We never share children's data with third parties for marketing or advertising.

— We never use dark patterns, nudge techniques, or persuasive design features aimed at keeping children on the platform longer than necessary.

Where your data lives

Your data is stored on EU-region servers operated by Supabase (our database provider) and Vercel (our hosting provider). Data is encrypted in transit and at rest.

Payment data is processed by Stripe in the US and UK under Standard Contractual Clauses. Stripe is a PCI-DSS Level 1 certified payment processor.

Who we share data with

We share data with a small number of service providers who help us run Lermu. Each is bound by a data processing agreement:

Stripe — payment processing

Supabase — database and authentication

Vercel — website hosting

Resend (or equivalent email service) — transactional emails (welcome, password reset, receipts)

We do not share your data with advertisers, brokers, or any party outside the operational providers listed above.

We may be required to share data with UK law enforcement or regulatory bodies if served with a valid legal request.

How long we keep it

Active account data: for as long as your subscription is active, plus 30 days after cancellation (to allow for accidental re-subscription).

Billing records: 6 years, as required by UK tax law.

Child performance data: deleted permanently within 30 days of parent-initiated deletion, or 6 months after account closure.

Anonymous analytics: retained indefinitely in aggregated form that cannot identify any individual.

Your rights

Under UK GDPR, you have the right to:

Access. Ask for a copy of the data we hold on you or your child.

Correction. Ask us to fix any data that's wrong.

Deletion. Ask us to delete your data.

Restriction. Ask us to pause processing while you check something.

Portability. Ask for your data in a machine-readable format you can take elsewhere.

Objection. Object to our processing where we rely on legitimate interests.

Withdraw consent. Where we process based on consent, you can withdraw it at any time.

To exercise any of these rights, email hello@lermu.com. We respond within 30 days.

If you're unhappy with how we've handled your data, you have the right to complain to the UK Information Commissioner's Office at ico.org.uk.

Security

We take data security seriously. Passwords are hashed using industry-standard algorithms. Data is encrypted in transit (HTTPS everywhere) and at rest. Access to production systems is restricted to authorised personnel only.

No system is 100% secure. If we detect a breach affecting your data, we'll notify you and the Information Commissioner's Office within 72 hours of becoming aware, as required by law.

Cookies

See our separate Cookie Policy.

Changes to this policy

We may update this policy as Lermu evolves. Material changes will be notified by email. The "Last updated" date at the top reflects when the current version took effect.

Contact

Questions about this policy, or about your data: hello@lermu.com.