Privacy Policy

Last updated: April 2026

Who we are

TutorStudio is a software platform that helps private tutors manage their lessons, students, and invoicing. “We”, “us”, and “our” refer to TutorStudio. Contact us at [email protected].

What data we collect and why

Tutor accounts

  • Name and email address — to create and manage your account.
  • Password (hashed) — to authenticate you. We never store plain-text passwords.
  • Security key credentials — if you register a hardware key or passkey for two-factor authentication.
  • Stripe account ID — to process payouts to your bank account via Stripe Connect.
  • IP address and user agent — for security logging and session management.

Student and parent data (entered by tutors)

  • Student names, subjects, and year groups.
  • Parent names, email addresses, and billing preferences.
  • Lesson dates, times, durations, and notes.
  • Invoice amounts and payment status.

Tutors are the data controllers for their students and parents. We process this data on their behalf as a data processor. Tutors are responsible for obtaining any necessary consent from parents and students before entering their data into the platform.

How we use your data

  • To provide the TutorStudio service.
  • To process payments via Stripe on behalf of tutors.
  • To send transactional communications (e.g. invoices, receipts).
  • To detect and prevent fraud and abuse.
  • To comply with legal obligations.

We do not sell your data to third parties. We do not use your data for advertising.

Data storage and security

Data is stored on servers within the European Economic Area. Sensitive fields (such as parent email addresses) are encrypted at rest. All data in transit is protected by TLS. We maintain access logs and session records for security purposes.

Third-party services

  • Stripe — payment processing and connected account management. Stripe is the data controller for payment card data. See stripe.com/gb/privacy.
  • Discord — if you choose to link your Discord account to the TutorStudio community server, we store your Discord user ID. We use it for account verification, role management (granting the Member or Pro role), and moderation continuity across Discord and the platform. We do not share your Discord identifier with third parties. The link is removed if you leave the server or unlink from your account settings.

Your rights under UK GDPR

You have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Request deletion of your data (subject to legal retention requirements).
  • Object to processing or request restriction.
  • Data portability.
  • Lodge a complaint with the ICO at ico.org.uk.

To exercise any of these rights, email [email protected].

Data retention

We retain account data for as long as your account is active. After account deletion, we retain financial records (invoices, payment logs) for 7 years to comply with HMRC requirements. Security logs are retained for 90 days.

Cookies

We use a single session cookie (td_session) to keep you logged in. It is HttpOnly, Secure, and SameSite=Lax. We do not use advertising or tracking cookies.

Changes to this policy

We may update this policy from time to time. We will notify registered tutors of material changes by email.