Privacy Policy

Last updated: 22 April 2026

This policy covers the data Lectu collects and processes when your institution uses our school operating platform. Lectu is currently in an early-access pilot; this document will be revised before general availability and any material change will be communicated to participating institutions.

What we collect

• Academic records— students' names, enrolment details, section and group assignments, attendance, and grades.
• Account data — user profiles for teachers, admins, and students (email, name, role), plus authentication credentials. Passwords are stored as PBKDF2-SHA256 hashes.
• Usage data — minimal server logs used for abuse prevention and incident response, retained for 14 days.
• Optional — parent or guardian emails if the institution enables family-facing notifications.

We do not collect health data, commercial data, or behavioural data beyond what is required to operate the platform.

How we use it

Data is used exclusively to operate the school portal for the institution that owns it. We never sell data, never share it with advertisers, and never use it to train models.

Where it lives

Each institution's data is stored in a per-tenant PostgreSQL database hosted in a managed cloud region. Data is encrypted at rest and in transit. Backups are retained for 30 days.

Who can see it

Access is strictly scoped by role:

• Students see only their own records.
• Teachers see only the sections and students assigned to them.
• Admins see only their institution.
• Lectu engineering staff may access production data only when responding to a support ticket opened by the institution, and access is logged and audited.

Retention

If your institution terminates its contract, all data is permanently deleted within 30 days. You can request a data export at any time.

Contact

Questions, access requests, or deletion requests can be sent to contact@lectu.live.

This is draft is not made by lawyer. Contact us with any concerns.