← Back to TutorDesk

Privacy Policy

Last updated: [DATE]

This Privacy Policy explains how [YOUR COMPANY / TRADING NAME] ("we", "us", "TutorDesk") collects, uses, and protects personal data when you use the TutorDesk application and website (the "Service"). We are committed to handling your data in line with the UK GDPR and the Data Protection Act 2018.

1. Who we are (Data Controller)

For tutors' own account data, the data controller is [YOUR COMPANY NAME], [ADDRESS]. Contact: [CONTACT EMAIL].

Where a tutor uses TutorDesk to manage information about their own students and the students' parents/guardians, the tutor is the data controller for that information and we act as a data processor on the tutor's behalf.

2. Data we collect

  • Account data (tutors): name, email, password (stored only as a secure hash), business/trading name, number of students, subjects taught.
  • Operational data you enter: students' names, year/grade, subjects, contact details, parent/guardian names and emails, lessons, homework, grades, invoices, payments, messages, and uploaded files.
  • Portal accounts: student/parent email and a securely hashed password, used to access the portal.
  • Technical data: limited log data such as IP address and timestamps for security and rate-limiting (e.g. failed login attempts).

3. Children's data

TutorDesk is designed for tutors to record information about students, who may be children. Tutors are responsible for having an appropriate lawful basis (and, where required, parental consent) to enter a child's data. We process this data only to provide the Service to the tutor. We do not knowingly use children's data for marketing or profiling.

4. How we use data & lawful bases

  • To provide and operate the Service (performance of a contract).
  • To secure accounts and prevent abuse (legitimate interests).
  • To send essential service emails such as verification and password resets (performance of a contract).
  • To comply with legal obligations.

5. Service providers (sub-processors)

We use trusted providers to run the Service, including:

  • Supabase — database, authentication, and file storage.
  • [EMAIL PROVIDER, e.g. Resend/Postmark] — transactional email.
  • [HOSTING PROVIDER, e.g. Vercel] — application hosting.

These providers process data on our instructions under appropriate agreements.

6. Data security

We apply technical and organisational measures including encryption in transit (HTTPS), per-account database isolation (row-level security), hashed passwords (bcrypt), short-lived signed URLs for file access, and rate limiting on authentication. No system is completely secure, but we work to protect your data and will notify you and the ICO of a breach where legally required.

7. Data retention

We keep personal data for as long as your account is active. You may delete data within the app at any time, and you can request deletion of your account and associated data by contacting us. Some data may be retained where required by law. [ADJUST RETENTION PERIODS AS NEEDED.]

8. Your rights

Under UK GDPR you have rights to access, rectify, erase, restrict, and port your personal data, and to object to certain processing. To exercise these, contact [CONTACT EMAIL]. If a tutor holds your data (e.g. you are a student or parent), please contact that tutor, who is the controller; we will assist them as processor. You may also complain to the UK Information Commissioner's Office (ico.org.uk).

9. Cookies & local storage

We use essential browser storage (e.g. localStorage) to keep you signed in and remember preferences. We do not use third-party advertising cookies. [UPDATE IF YOU ADD ANALYTICS.]

10. Changes to this policy

We may update this policy from time to time. Material changes will be notified within the Service or by email.

11. Contact

Questions? Email [CONTACT EMAIL].