1. Who is responsible (Data Controller)

The controller of your personal data within the meaning of the EU General Data Protection Regulation (GDPR) is:

Lukas Kaeb
Altenhoeferallee 70
60438 Frankfurt
Germany
E-mail: hello@leeway.website

We have not appointed a Data Protection Officer because we are not legally required to do so (Art. 37 GDPR). For any data-protection question, please contact us at the e-mail address above.

2. What we collect and why

Account data

When you register, we store your e-mail address, name, hashed password, and role (Student, Tutor, Parent, or Admin). This is required to operate your account (Art. 6 (1)(b) GDPR — contract performance).

Tutoring content

Homework submissions, written and audio feedback, grades, files you upload (PDF / image / Word / audio), exam results, study packs, and notifications are stored to provide the tutoring service (Art. 6 (1)(b) GDPR).

AI assistance

AI assistance is part of the tutoring workflow for tutor-reviewed draft feedback and practice generation. We process selected student work and learning context for this purpose as part of providing the service (Art. 6 (1)(b) GDPR) and, where applicable, our legitimate interest in operating and improving the learning workflow (Art. 6 (1)(f) GDPR). Parents can turn child-content AI assistance off from the parent portal; when it is off, those AI routes are blocked server-side. Tutors remain responsible for final feedback, grades, and teaching decisions.

For source-material study packs, DOCX files are extracted locally before a minimized text signal is sent to DeepSeek. PDF and image uploads may be sent to Google Gemini for source-signal extraction; only the minimized text signal is then sent to DeepSeek to draft editable study-pack items.

Calendar integration (optional)

If you connect a Google account to sync lessons, we store an encrypted refresh token (AES-256-GCM at rest), your connected Google e-mail, and lesson event IDs. We only request the calendar.events scope. The legal basis is your consent (Art. 6 (1)(a) GDPR); you can disconnect at any time from your tutor settings, after which we revoke the token.

Audit logs

For security and accountability we keep an internal log of sensitive actions (logins, role changes, deletions, voice-note uploads). The legal basis is our legitimate interest in detecting abuse and meeting our security duties (Art. 6 (1)(f) GDPR).

Error reports

If something crashes, we send a scrubbed error report to Sentry (see processor list below). Personal identifiers (e-mail, name, tokens, cookies, query strings) are stripped before sending. Only your user ID and role are attached, so we can correlate the report to your account if you ask us to investigate.

Tracking and cookies

We do not use marketing cookies, advertising trackers, or third-party analytics on the public marketing pages. The application uses a session cookie set by NextAuth for login — this is strictly necessary and does not require consent under ePrivacy.

3. Processors and third-party recipients

We use the following providers to operate the service. Some act as processors under their data-processing terms; we keep provider regions, subprocessors, retention defaults, and transfer safeguards under review.

  • Supabase (database and Edge Functions) — stores account/profile data, parent links, consent records, assignments, submissions, exam results, study packs, audit logs, DSAR logs, and AI telemetry.
  • Vercel (hosting, serverless compute) — EU and US edge nodes may be involved. Processes request metadata, app data in transit, runtime logs, and deployment environment data.
  • Vercel Blob (private file storage) — stores uploaded and generated homework files, audio, images/PDFs, correction files, exam-answer uploads, and study-pack audio.
  • Resend (transactional e-mail) — sends verification, invite, reset, notification, contact, and parent digest e-mails.
  • Upstash Redis (rate limiting) — stores transient action counters and user/IP-derived rate-limit keys, not learning content.
  • Sentry (optional error monitoring) — receives scrubbed error diagnostics when configured. Request bodies, cookies, and console breadcrumbs are disabled; e-mails, tokens, names, and other PII-like fields are redacted before sending.
  • Google Calendar APIs/OAuth (optional tutor calendar sync) — processes encrypted tutor refresh tokens, connected Google e-mail addresses, calendar IDs, event IDs, and lesson scheduling metadata. Tokens are revoked on disconnect.
  • Google Gemini/AI Studio and Google Cloud Text-to-Speech (AI, transcription, and speech features) — may process selected prompts, student submission content or audio, PDF/image uploads for study-pack source-signal extraction, generated output, words to synthesize, and generated audio metadata when those features are enabled or used in the tutoring workflow.
  • DeepSeek (AI feedback, generation, and free-text translation) — may process submission content, prompts, generated feedback, minimized source-material text signals, generated draft study-pack items, tutor/parent free text, locale metadata, and AI usage telemetry when enabled or used in the tutoring workflow. We treat this as high-risk processing and do not describe AI processing as “privacy-safe” by default.

We do not sell or rent personal data. We only share data with authorities when legally compelled.

4. Children’s data

Bomi Academy is software for tutors and small academies. It is used by tutors, students, and parents; some students may be minors. We process student data only for tutoring, learning, account, safety, and accountability purposes described in this policy.

Parent and guardian involvement is handled through parent invites, consent controls, and account data controls where applicable. Parents or legal guardians may exercise the rights below on behalf of their child.

5. How long we keep your data

  • Account data: while your account is active, and only as long as needed after a fulfilled deletion request to handle security, disputes, abuse prevention, and legal duties. Deletion requests are reviewed by scope because parent, student, and tutor records can overlap.
  • Submissions and feedback: for the duration of the tutor-student relationship unless eligible records are deleted earlier. Core soft-deleted records such as groups, assignments, submissions, lessons, study packs, and rubric templates are scheduled for hard purge after 30 days; private uploaded/generated files for those records are deleted before the database purge where supported.
  • Audit and DSAR logs: normally up to 12 months, unless an incident, dispute, or legal duty requires longer retention.
  • Operational records: claimed or expired invites are normally deleted after 30 days; stale onboarding drafts, parent digest run logs, and AI feedback draft text after 90 days; in-app notifications after 180 days; and generic AI usage telemetry after 12 months.
  • Operational error reports: local resolved reports are normally deleted 30 days after resolution; still unresolved local reports are normally deleted after 90 days. Sentry retention follows the configured provider settings.
  • Backups: retained according to provider backup settings. Individual deletion from backups may not happen immediately, but data ages out as backups roll over.
  • Invoices and tax-relevant records: 10 years, as required by § 147 AO (German Fiscal Code).

6. Your rights

Under the GDPR you have the right to:

  • access the personal data we hold about you (Art. 15);
  • rectification of inaccurate data (Art. 16);
  • erasure (“right to be forgotten”) where the legal grounds apply (Art. 17);
  • restriction of processing (Art. 18);
  • data portability in a structured, machine-readable format (Art. 20);
  • object to processing based on legitimate interests (Art. 21);
  • withdraw consent at any time, without affecting the lawfulness of past processing (Art. 7 (3)).

Authenticated parents can download their data from the parent data page. Students can download their data from the account data controls. The export is provided as a ZIP bundle with structured data and uploaded/generated files where available. Parents and students can also submit an authenticated deletion request from those data controls.

You can also exercise these rights by e-mailing hello@leeway.website. We respond within 30 days.

You also have the right to lodge a complaint with a supervisory authority. The competent authority for our establishment is:

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
Postfach 3163
65021 Wiesbaden
Germany
https://datenschutz.hessen.de

7. Security

We use TLS for all data in transit, AES-256-GCM for sensitive fields at rest (e.g. OAuth refresh tokens), bcrypt for password hashing, rate-limiting on authentication endpoints, and standard security headers (CSP, HSTS, X-Frame-Options). Application-level authorization checks restrict access so tutors, parents, and students only receive data they are allowed to see.

8. International transfers

Some providers may process personal data outside the EEA, depending on provider configuration and the feature used. Where required, transfers rely on provider Data Privacy Framework certifications, EU Standard Contractual Clauses, or other safeguards. AI providers are treated separately because student work and international transfers create higher risk.

9. Changes to this policy

We may update this policy when our processing changes. The current version is dated below; material changes will be announced via in-app notification or e-mail at least 14 days before they take effect.