LETO Class

Legal

Privacy Policy

This Privacy Policy explains how MGDA Group Limited ("we", "us", "our") collects, uses, shares, and protects your personal data when you use the LETO Class platform. We are committed to protecting your privacy and handling your data in accordance with the General Data Protection Regulation (GDPR) and applicable data protection laws.

1. DATA CONTROLLER

The data controller responsible for your personal data is:

Company: MGDA Group Limited

Company Number: 15986984

Registered Address: 85 Great Portland Street, London, England, W1W 7LT

Email: privacy@letoclass.com

2. EU REPRESENTATIVE

As we are established outside the European Union but offer services to individuals in the EU, we have appointed an EU representative in accordance with Article 27 of the GDPR.

EU Representative: [Name of EU Representative]

Address: [Address in France]

Email: [EU Representative Email]

You may contact our EU representative for any matters relating to the processing of your personal data under the GDPR.

3. DATA WE COLLECT

3.1 Account Data

When you create an account, we collect:

(a) Full name;

(b) Email address;

(d) Profile photo (optional);

(e) Password (stored in encrypted form);

(f) Account role (Student/Tutor).

3.2 Academic Data

To provide our tutoring marketplace services, we collect:

(a) University or educational institution;

(b) Campus;

(d) Degree level (bachelor's, master's, PhD);

(e) Academic year;

(f) Graduation year;

(g) Subjects (for Tutors);

(h) Languages and proficiency levels.

3.3 Financial Data

For payment processing, we collect:

(a) Wallet balance and transaction history;

(b) Booking and payment records;

(d) Payout history (for Tutors).

Note: We do not store your full payment card details. Card information is processed directly by Stripe and is subject to Stripe's privacy policy.

3.4 Usage Data

When you use the Platform, we automatically collect:

(a) Booking history;

(b) Messages sent through the Platform;

(d) Video call participation data (join times, duration --- but not call content);

(e) Search queries and browsing activity on the Platform.

3.5 Technical Data

We automatically collect certain technical information:

(a) IP address;

(b) Browser type and version;

(d) Timezone;

(e) Access times and dates;

(f) Error logs and performance data.

3.6 Data from Third Parties

If you register using a third-party service (such as Google), we receive:

(a) Your name and email address from that service;

(b) Profile photo (if available);

4. HOW WE USE YOUR DATA

We use your personal data for the following purposes:

Purpose Data Used Legal Basis

Providing the Platform Account, Academic, Usage Contract performance

Processing payments Financial, Account Contract performance

Facilitating bookings Account, Academic, Usage Contract performance

Communication Account, Usage Contract / Legitimate interest

Customer support All relevant data Contract / Legitimate interest

Fraud prevention Financial, Technical, Usage Legitimate interest

Platform improvement Usage, Technical Legitimate interest

Legal compliance All relevant data Legal obligation

Marketing (with consent) Account Consent

4.1 Legal Bases Explained

Contract Performance: Processing necessary to provide you with our services under the Terms of Service.

Legitimate Interest: Processing necessary for our legitimate business interests, where those interests are not overridden by your rights. Our legitimate interests include fraud prevention, security, and service improvement.

Legal Obligation: Processing necessary to comply with our legal obligations (e.g., tax reporting, responding to legal requests).

Consent: Processing based on your explicit consent, which you may withdraw at any time.

5. DATA SHARING

5.1 Service Providers (Data Processors)

We share your data with the following third-party service providers who process data on our behalf:

---------------- --------------------------- ------------------------ ----------------

Provider Purpose Data Shared Location

Stripe Payment processing Financial, Account US/EU (SCCs)

Supabase Database & Authentication All Platform data EU (Frankfurt)

Resend Email delivery Email, Name US (SCCs)

Agora Video calls Account, Call metadata US/EU (SCCs)

---------------- --------------------------- ------------------------ ----------------

SCCs = Standard Contractual Clauses for international data transfers.

All our service providers are bound by data processing agreements that require them to protect your data and use it only for the purposes we specify.

This list may be updated from time to time. We will notify you of any material changes to our sub-processors that may affect the processing of your personal data.

5.2 Other Users

Certain information is shared with other users as part of the Platform's functionality:

(a) Tutor profiles (name, photo, qualifications, ratings) are visible to Students;

(b) Student profile information is visible to Tutors they book with;

(d) Reviews are publicly visible on Tutor profiles.

5.3 Legal Requirements

We may disclose your data if required to do so by law or in response to valid requests by public authorities (e.g., courts, law enforcement, tax authorities).

5.4 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your data.

5.5 No Sale of Data

We do not sell your personal data to third parties for marketing or any other purposes.

6. INTERNATIONAL TRANSFERS

Your personal data may be transferred to, and processed in, countries outside the European Economic Area (EEA), including the United Kingdom and the United States.

When we transfer data outside the EEA, we ensure appropriate safeguards are in place:

(a) Standard Contractual Clauses (SCCs) approved by the European Commission;

(b) Adequacy decisions by the European Commission (where applicable);

For transfers from the UK, we rely on equivalent mechanisms including the UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs.

You may request a copy of the safeguards we use by contacting us at privacy@letoclass.com.

7. DATA RETENTION

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:

Data Type Retention Period Reason

Account data Duration of account + 3 years Contract, legal claims

Financial records 7 years after transaction Tax/accounting requirements

Booking history 7 years Tax/accounting, disputes

Messages 3 years after last message Dispute resolution

Technical logs 12 months Security, debugging

Marketing consent Until withdrawn Consent management

When you delete your account, we will delete or anonymize your personal data within 30 days, except for data we are required to retain for legal or regulatory purposes.

8. YOUR RIGHTS

Under the GDPR, you have the following rights regarding your personal data:

8.1 Right of Access

You have the right to request a copy of the personal data we hold about you. You can access most of your data directly through your account settings.

8.2 Right to Rectification

You have the right to request correction of inaccurate or incomplete personal data. You can update most of your information directly in your account.

8.3 Right to Erasure ("Right to be Forgotten")

You have the right to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected. You can delete your account through your account settings.

Note: We may need to retain certain data for legal or legitimate business reasons (see Section 7).

8.4 Right to Restriction of Processing

You have the right to request that we restrict the processing of your data in certain circumstances, such as while we verify the accuracy of your data or assess a request for erasure.

8.5 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller.

8.6 Right to Object

You have the right to object to processing of your personal data based on legitimate interests. We will stop processing unless we have compelling legitimate grounds that override your interests.

You may object to direct marketing at any time, and we will stop processing your data for that purpose.

You have the right not to be subject to decisions based solely on automated processing that significantly affect you. We do not currently make such automated decisions.

Where we process your data based on consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

8.9 Exercising Your Rights

To exercise any of these rights, please contact us at privacy@letoclass.com. We will respond to your request within one month. In complex cases, we may extend this by up to two additional months, and we will inform you if this is necessary.

There is no fee for exercising your rights, although we may charge a reasonable fee for manifestly unfounded or excessive requests.

9. DATA SECURITY

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

(a) Encryption of data in transit (TLS/SSL) and at rest;

(b) Secure authentication mechanisms;

(d) Regular security assessments and monitoring;

(e) Employee training on data protection.

While we take data security seriously, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

If we become aware of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and notify you without undue delay where required.

10. COOKIES

We use cookies and similar technologies on our Platform. Cookies are small text files stored on your device that help us provide and improve our services.

For detailed information about the cookies we use and how to manage your preferences, please see our separate Cookie Policy.

Under French law (CNIL guidelines), we obtain your consent before placing non-essential cookies on your device. You can manage your cookie preferences at any time through our cookie consent tool.

11. CHILDREN'S PRIVACY

LETO Class is intended for users who are at least 18 years old. We do not knowingly collect personal data from children under 18.

If we become aware that we have collected personal data from a child under 18, we will take steps to delete that information as soon as possible. If you believe we may have collected data from a child under 18, please contact us at privacy@letoclass.com.

12. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

If we make material changes, we will notify you by:

(a) Email (to the address associated with your account);

(b) A prominent notice on the Platform;

We encourage you to review this Privacy Policy periodically. Your continued use of the Platform after changes take effect constitutes your acceptance of the revised policy.

13. COMPLAINTS

If you have concerns about how we handle your personal data, we encourage you to contact us first so we can try to resolve your concerns.

You also have the right to lodge a complaint with a supervisory authority. If you are located in France, you may contact:

CNIL (Commission Nationale de l'Informatique et des Libertés)

3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France

Website: www.cnil.fr

If you are located in the UK, you may contact the Information Commissioner's Office (ICO) at ico.org.uk.

14. CONTACT US

If you have any questions about this Privacy Policy or our data practices, please contact us:

Data Controller: MGDA Group Limited

Address: 85 Great Portland Street, London, England, W1W 7LT

Privacy Email: privacy@letoclass.com

General Support: support@letoclass.com