Privacy Policy
Last updated: April 2026
Data Controller
TutorBase is the data controller responsible for your personal data. We are registered with the Information Commissioner's Office (ICO) under the UK Data Protection Act 2018. ICO Registration Number: [PENDING — register at ico.org.uk before launch].
Contact: privacy@tutorbase.co.uk
Data We Collect
- Account information: full name, email address, and role (student or tutor).
- Tutor profiles: subjects, qualifications, DBS certificate details, bio, and availability.
- Payment information: processed securely by Stripe. We do not store card numbers.
- Booking and session data: session dates, topics, duration, and transaction history.
- WhatsApp support and reminder records: consent state, inbound support/onboarding messages, and outbound reminder audit records where WhatsApp is enabled.
- AI Tutor interactions: questions and responses when using the AI Tutor feature.
- Usage data: pages visited, feature usage, and platform activity.
Lawful Basis for Processing
| Data / Purpose | Lawful Basis |
|---|---|
| Booking, payment, session delivery | Contract performance |
| Tutor profile, verification, DBS | Contract performance |
| Fraud prevention, platform security | Legitimate interests |
| Platform improvement, analytics | Legitimate interests |
| Marketing emails | Consent (opt-in, withdrawable) |
| WhatsApp onboarding, support, and lesson reminders | Consent (opt-in, withdrawable) |
| Under-13 user data | Parental consent |
Third-Party Processors
We share data with the following processors, each bound by data processing agreements:
| Provider | Purpose |
|---|---|
| Supabase | Database hosting and authentication (EU servers) |
| Stripe | Payment processing and tutor payouts |
| Resend | Transactional emails (booking confirmations, reminders) |
| Twilio | WhatsApp onboarding, support handoff, and transactional reminder delivery when enabled |
| Anthropic | AI Tutor responses (question text processed, not stored by Anthropic) |
| OpenAI | Curriculum embedding for AI Tutor search (anonymised curriculum text only) |
Data Retention
| Data type | Retention period |
|---|---|
| Account and profile data | Until account deletion, then erased within 30 days |
| Financial records (bookings, payments) | 7 years (UK tax law requirement) |
| Session data | 2 years, then deleted |
| AI Tutor conversations | 90 days, then deleted |
| Marketing consent records | Until consent withdrawn, then 1 year for compliance evidence |
| WhatsApp consent and reminder audit records | Until consent withdrawn, then 1 year for compliance evidence |
Children's Data (Under-18)
TutorBase serves students of all ages, including children and young people.
- Under 13: A parent or guardian must create the account and provide consent. We require confirmation of this at sign-up. We do not knowingly collect data from under-13s without parental consent.
- Ages 13–17: Users may create accounts themselves. We collect only data necessary to deliver the service and never use it for marketing without explicit consent.
- AI Tutor conversations involving users under 18 are not used to train any AI models.
- If you believe a child's data has been collected without appropriate consent, contact privacy@tutorbase.co.uk and we will delete it within 72 hours.
Your Rights Under UK GDPR
- Right of access (SAR):request a copy of all data we hold about you. We respond within 30 days. Use the “Download my data” button in your profile, or email us.
- Right to rectification: ask us to correct inaccurate data.
- Right to erasure: delete your account via your profile page. We erase personal data within 30 days. Note: financial records are retained 7 years by law.
- Right to data portability: download your data in JSON format from your profile page.
- Right to object: object to processing based on legitimate interests by emailing us.
- Right to withdraw consent: unsubscribe from marketing at any time via the link in any email.
To exercise any right, email privacy@tutorbase.co.uk. If unsatisfied with our response, you may complain to the Information Commissioner's Office (ICO).
Cookies
We use strictly necessary cookies for authentication and security. We use optional analytics cookies only with your consent. See our Cookie Policy for full details.
Data Breaches
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours and inform affected users without undue delay. To report a suspected breach, email privacy@tutorbase.co.uk.
Contact Us
For any privacy-related requests, contact us at privacy@tutorbase.co.uk. We respond within 30 days.