Privacy policy

Last updated 23 May 2026

This policy explains what data Lemma collects when you use lemmamaths.co.uk or the Lemma app at app.lemmamaths.co.uk, why we collect it, how we store it, and what your rights are. It applies to candidates, parents who pay on a candidate's behalf, and any other visitor to either site.

Who we are

Lemma is operated from the United Kingdom. Formal company registration details will be published here before the service launches commercially. We are the data controller for the personal data described in this policy. Our contact email for privacy matters is privacy@lemmamaths.co.uk.

What data we collect

We collect only what we need to run the service. Specifically:

  • Account data: email address, display name, password (stored as a salted hash, never in plain text), and the target exam date you optionally enter.
  • Payment data: we do not store card details. Payments are processed by Stripe, who handle the card data directly under their own privacy terms. We receive a confirmation of the transaction and a Stripe customer reference.
  • Usage data: which problems you have viewed, which you have solved, which lessons you have watched, and the time you spent on each. This data is what powers your progress dashboard.
  • Technical data: server logs (IP address, user agent, request path, timestamp), retained for thirty days for security and debugging.

Lawful basis

Under UK GDPR, we rely on the following lawful bases:

  • Contract for account data, payment data, and usage data: you cannot use the course without us holding this information.
  • Legitimate interest for short-retention technical logs (security, fraud prevention, service stability).

How long we keep it

Account, payment, and usage data are kept for the duration of your access (twelve months from purchase) and for a further twelve months after that, so that you can return to the service if you choose to resubscribe. After that, account and usage data are deleted. Payment records are kept for six years under HMRC requirements.

Who we share it with

We share data only with the third parties needed to run the service:

  • Stripe — payment processing.
  • Railway — backend and database hosting.
  • Cloudflare — static site hosting and content delivery for the marketing site.
  • Bunny — video hosting for course lessons.

Each of these acts as a data processor. They do not receive more than the data required to perform their function, and we rely on their contractual terms to ensure data is handled to UK GDPR standards.

We do not sell your data, share it with advertisers, or use it to build profiles outside the service.

Cookies

The marketing site (lemmamaths.co.uk) sets no cookies. The app (app.lemmamaths.co.uk) sets a single session cookie used to keep you logged in. The cookie is httpOnly, secure, sameSite=lax, and expires when your session ends or after thirty days of inactivity, whichever is sooner. We do not use third-party advertising cookies, retargeting pixels, or social-media trackers.

Your rights

Under UK GDPR you have the right to:

  • request a copy of the personal data we hold about you;
  • ask us to correct inaccurate data;
  • ask us to delete your data (subject to the HMRC retention requirement on payment records);
  • ask us to limit how we use your data;
  • ask us to port your data to another service;
  • object to processing based on legitimate interest.

To exercise any of these rights, email privacy@lemmamaths.co.uk. We respond within one calendar month.

Complaints

If you are unhappy with how we have handled your data, you may complain to the Information Commissioner's Office at ico.org.uk.

Changes to this policy

We will update this policy when our processing changes. Material changes will be notified to you by email at least fourteen days before they take effect. The current version date appears at the top of this page.