1. Who is responsible (Data Controller)

The controller of your personal data within the meaning of the EU General Data Protection Regulation (GDPR) is:

Lukas Kaeb
Eisenacher Straße 1
96450 Coburg
Germany
E-mail: hello@leeway.website

We have not appointed a Data Protection Officer because we are not legally required to do so (Art. 37 GDPR). For any data-protection question, please contact us at the e-mail address above.

2. What we collect and why

Account data

When you register, we store your e-mail address, name, hashed password, and role (Student, Tutor, Parent, or Admin). This is required to operate your account (Art. 6 (1)(b) GDPR — contract performance).

Tutoring content

Homework submissions, written and audio feedback, grades, files you upload (PDF / image / Word / audio), exam results, study packs, and notifications are stored to provide the tutoring service (Art. 6 (1)(b) GDPR).

Calendar integration (optional)

If you connect a Google account to sync lessons, we store an encrypted refresh token (AES-256-GCM at rest), your connected Google e-mail, and lesson event IDs. We only request the calendar.events scope. The legal basis is your consent (Art. 6 (1)(a) GDPR); you can disconnect at any time from your tutor settings, after which we revoke the token.

Audit logs

For security and accountability we keep an internal log of sensitive actions (logins, role changes, deletions, voice-note uploads). The legal basis is our legitimate interest in detecting abuse and meeting our security duties (Art. 6 (1)(f) GDPR).

Error reports

If something crashes, we send a scrubbed error report to Sentry (see processor list below). Personal identifiers (e-mail, name, tokens, cookies, query strings) are stripped before sending. Only your user ID and role are attached, so we can correlate the report to your account if you ask us to investigate.

Tracking and cookies

We do not use marketing cookies, advertising trackers, or third-party analytics on the public marketing pages. The application uses a session cookie set by NextAuth for login — this is strictly necessary and does not require consent under ePrivacy.

3. Processors and third-party recipients

We use the following processors under written agreements (Art. 28 GDPR Data Processing Agreements):

  • Supabase (database, file storage, edge functions) — EU region. Stores all account, submission, and audit data.
  • Vercel (hosting, serverless compute) — EU and US edge nodes. Processes request data.
  • Resend (transactional e-mail) — US-based. Sends notification e-mails. Transfer to the US is covered by the EU-US Data Privacy Framework or Standard Contractual Clauses.
  • Google LLC (Calendar API, Gemini AI vision) — US-based, used only if you opt in to Calendar sync or your tutor uses AI-assisted draft grading on files you upload. Transfer is covered by the EU-US Data Privacy Framework.
  • DeepSeek (AI grading drafts) — based in the People’s Republic of China. Tutors can opt to use DeepSeek to draft homework feedback. If used, the homework submission text is sent to DeepSeek for inference. China is not currently covered by a GDPR adequacy decision; transfers rely on Standard Contractual Clauses and additional safeguards. Tutors should avoid sending personal data of third parties through this feature.
  • Sentry (error tracking) — US-based, transfers covered by SCCs / DPF. Only scrubbed error data is sent.
  • Upstash (rate-limit storage) — EU region. Stores transient counters, not personal content.

We do not sell or rent personal data. We only share data with authorities when legally compelled.

4. Children’s data

Bomi Academy is primarily used by tutors and the students they teach, some of whom are minors. Where a student is under 16 years of age (the age threshold set by § 22 BDSG / Art. 8 GDPR in Germany), the legal basis for processing their personal data is the consent of the holder of parental responsibility.

In practice this means: a tutor invites a student or parent; account creation and use by a minor presumes that a parent or legal guardian has consented to that use. Parents may exercise all GDPR rights below on behalf of their child.

5. How long we keep your data

  • Account data: while your account is active, plus up to 90 days after account deletion to handle disputes and prevent abuse.
  • Submissions and feedback: for the duration of the tutor–student relationship; tutors can delete individual submissions; students leaving a group keep nothing tied to that group.
  • Audit logs: 12 months.
  • Backups: rolling 30-day backups.
  • Invoices and tax-relevant records: 10 years, as required by § 147 AO (German Fiscal Code).

6. Your rights

Under the GDPR you have the right to:

  • access the personal data we hold about you (Art. 15);
  • rectification of inaccurate data (Art. 16);
  • erasure (“right to be forgotten”) where the legal grounds apply (Art. 17);
  • restriction of processing (Art. 18);
  • data portability in a structured, machine-readable format (Art. 20);
  • object to processing based on legitimate interests (Art. 21);
  • withdraw consent at any time, without affecting the lawfulness of past processing (Art. 7 (3)).

To exercise any of these rights, e-mail hello@leeway.website. We respond within 30 days.

You also have the right to lodge a complaint with a supervisory authority. The competent authority for our establishment is:

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
Postfach 31 63
65021 Wiesbaden
https://datenschutz.hessen.de

7. Security

We use TLS for all data in transit, AES-256-GCM for sensitive fields at rest (e.g. OAuth refresh tokens), bcrypt for password hashing, rate-limiting on authentication endpoints, and standard security headers (CSP, HSTS, X-Frame-Options). Application-level authorization enforces that one tutor’s data is never visible to another tutor.

8. International transfers

Where personal data leaves the EEA (e.g. transfers to US-based processors such as Vercel, Resend, Google, or Sentry), transfers are made under the EU-US Data Privacy Framework or under EU Standard Contractual Clauses with appropriate supplementary measures.

9. Changes to this policy

We may update this policy when our processing changes. The current version is dated below; material changes will be announced via in-app notification or e-mail at least 14 days before they take effect.