1. Who We Are
- LENS (operated by Chamberlin Innovations SASU)
- Registered in France
- SIREN: 993 523 836
- Registered address: 870 Rue des Thermes, 65130 Capvern, France
- Email: support@theschoollens.com
We operate theschoollens.com and the LENS platform. We act as the data controller under the GDPR for school administrators, teachers, and parents who sign up directly. For student data submitted through a school account, we act as a data processor on behalf of the school, which remains the data controller.
2. What Personal Data We Collect
You provide
- Name, email address, role (admin, teacher, student, parent/guardian)
- School name and configuration details (for administrators)
- Classroom, group, and roster information (for teachers)
- Submitted work: text, images, audio recordings, video recordings
- Messages sent through the platform
- Guardian-child relationship links
- Responses to in-product forms, surveys, and assessments
Collected automatically
- Browser user-agent and device type
- IP address, stored temporarily in access logs for security
- Referrer, when available
- Session activity within the platform (pages viewed, actions taken) for operational analytics
AI-generated data
When you use LENS, we generate AI-produced content tied to your account or your school's account, including: transcripts of audio submissions, OCR of image submissions, summaries of student work, assessment scores, suggested feedback, weekly family snapshots, phoneme-level reading accuracy scores, and grouping suggestions. Teachers retain final publishing authority for all AI-generated content directed at students or parents.
No advertising cookies
We do not use advertising cookies or behavioral tracking. Only functional cookies strictly required for the site and app to operate (authentication, session, security) are used.
2.1 Student and Children's Data (COPPA & FERPA)
LENS is an educational tool intended for schools. All student accounts are created and provisioned by a school administrator or authorized teacher, never directly by the student or an advertiser.
Children's Privacy (COPPA, United States). We do not knowingly collect personal information directly from children under 13 without school or parental consent. When a school or teacher creates a student account, the school confirms that it has the authority — under its applicable policies and under COPPA's "school authorization" pathway — to consent to the collection of student data on behalf of parents.
Educational Records (FERPA, United States). When LENS is used by a U.S. school, we treat student-identifying data as part of the school's educational records. We only access, use, or disclose that data as needed to provide the contracted service, and we do not redisclose it to third parties except to authorized sub-processors listed in section 5.1.
School authorization. Schools using LENS are responsible for obtaining any parental consent required by local law. Parents can request access to, correction of, or deletion of their child's data by contacting the school, or by contacting us at privacy@theschoollens.com and we will route the request to the school.
Data minimization. We only collect the minimum data needed to deliver the educational function. We do not build student profiles for commercial advertising. We do not sell student data. Ever.
2.2 Voice, Audio, and AI Processing
LENS includes reading assessments, oral response activities, and other features that involve audio submissions from students.
How we process audio. When audio is submitted, the file is securely transmitted to our AI processors (including Mistral Voxtral for transcription and SpeechAce for word-level phoneme accuracy) solely to generate transcripts, feedback, scores, and reading-level analysis.
No training on student data. Student voice data, student written work, and all other student-generated content are NOT used to train any public or third-party AI models. Customer content remains under the control of the school and is processed only for that school's benefit.
Audio retention. Audio recordings may be stored for up to 36 months to support teacher review, parent snapshots, and longitudinal progress tracking. Users, teachers, or school administrators may delete recordings at any time. At the end of a school's contract, all audio is deleted or returned on request within 90 days.
3. How We Use Your Data
- Deliver the core service: assignments, submissions, assessments, feedback, snapshots, messaging, billing
- Generate AI-assisted outputs (transcripts, summaries, scores) for teacher review and approval
- Communicate with you about your account, submissions, or the service
- Maintain security, prevent abuse, and debug technical issues
- Improve product usability and accuracy, using aggregated or de-identified data where possible
- Comply with legal obligations
We do not sell your data, and we do not use it for advertising.
4. Legal Basis (GDPR)
- Contract — delivering the service to the school or user who subscribed.
- Consent — when you opt into optional communications (e.g., marketing emails).
- Legitimate interest — securing and maintaining the service, improving accuracy, preventing fraud, without overriding your fundamental rights.
- Legal obligation — accounting, audit, compliance with French or EU law.
5. Storage and Transfers
- Supabase (EU region) for database, authentication, file storage, and realtime
- Vercel (US) for application hosting, covered by GDPR safeguards including Standard Contractual Clauses
- Mistral (EU) for AI content analysis, OCR, and audio transcription via Voxtral
- SpeechAce (US) for word-level phoneme analysis, covered by Standard Contractual Clauses
- Google (US/EU) for Drive API (worksheet templates) and OAuth, covered by Standard Contractual Clauses
- Lemon Squeezy (US/Global) for payments, subscriptions, and merchant-of-record services
- MailerSend (EU/Global) for transactional and lifecycle email
Transfers outside the EU are protected by GDPR safeguards (Standard Contractual Clauses or equivalent).
5.1 Authorized Sub-Processors (GDPR Art. 28)
| Provider | Location | Purpose | Training on our data |
|---|---|---|---|
| Supabase | EU | Database, auth, storage, realtime | N/A |
| Vercel | US | Application hosting | N/A |
| Mistral | EU | AI content analysis, OCR, Voxtral transcription | No public model training |
| SpeechAce | US | Word-level phoneme accuracy scoring | No public model training |
| US/EU | Drive API, OAuth | Service-specific; no training for education use | |
| Lemon Squeezy | US/Global | Merchant of record, payments, tax | N/A |
| MailerSend | EU/Global | Transactional and lifecycle email | N/A |
6. Retention
- Active school accounts: data is retained for the duration of the service contract.
- Student submissions, transcripts, recordings, AI-generated feedback: up to 36 months, unless the school or user deletes them sooner.
- Parent/guardian accounts: retained while linked to an active student.
- Email communications: until you unsubscribe or the conversation closes.
- Server logs: 30 to 60 days for security purposes, then deleted.
- After contract end: data is deleted or returned to the school on request within 90 days, subject to any legal retention duties.
7. Your GDPR Rights
- Access, correct, or delete your data
- Object to or restrict processing
- Withdraw consent where consent is the basis
- Data portability
- File a complaint with CNIL in France (cnil.fr)
To exercise your rights, email privacy@theschoollens.com. Parents of students whose accounts are managed by a school should contact the school first; we will support the school in responding.
8. Sharing Your Data
We share data only with the service providers listed in section 5.1, strictly as needed to operate the service. We do not sell your data, we do not share it with advertisers, and we do not share student data with any third party outside the sub-processor list.
Schools may grant access to additional authorized staff members within their own account. Those permissions are controlled by the school administrator, not by us.
9. Security
- HTTPS encryption (TLS 1.3) in transit
- Encryption at rest for stored data
- Row-level security (RLS) policies at the database level, scoped per school
- Role-based access controls and least-privilege permissions
- Separation of school tenants so that one school cannot access another school's data
- Server-side processing with protected storage
- 72-hour breach notification workflow aligned with GDPR expectations
No system is 100% secure, but we apply industry-standard protections and operational safeguards.
10. Contact
- General support: support@theschoollens.com
- Privacy inquiries: privacy@theschoollens.com
- Legal inquiries: legal@theschoollens.com
- Supervisory authority: CNIL (France) — cnil.fr