Privacy Policy — TutorNest

1. Who We Are

TutorNest is an online tutoring marketplace operated by TutorNest Ltd ("TutorNest", "we", "our", "us"). We operate the website tutornest.org and the application at app.tutornest.org.

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR), TutorNest Ltd acts as the data controller for the personal data of users in the United Kingdom and the European Economic Area.

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us at contact@tutornest.org.

2. What Information We Collect

We collect information you provide directly to us and information generated through your use of the platform. The categories of data we collect include:

(a) Account Information

When you register for an account, we collect your full name, email address, password (stored as a cryptographic hash — we never store your plain-text password), profile photo, and date of birth (used solely to verify you meet the minimum age requirement).

(b) Profile Information

For tutors: qualifications, subjects taught, professional biography, availability schedule, hourly rate, and any documents submitted for credential verification.

For parents and families: details about your child or children, including first name, year group or academic level, and learning goals or areas of difficulty. You are in control of how much detail you provide.

(c) Session Data

We record booking history, session dates and durations, optional session notes (where enabled), and ratings and written reviews submitted by either party following a completed session.

(d) Payment Information

We use reputable third-party payment processors (including Stripe, Paystack and Flutterwave) to handle all payment transactions. We do not store your card number, bank details or full payment credentials on our servers. Our payment processors provide us with limited payment-related information (e.g., transaction ID, payment status, last 4 digits of card) solely for the purposes of reconciliation and support.

(e) Device and Usage Data

We automatically collect certain technical data when you visit our platform, including your IP address, browser type and version, operating system, referring URL, pages visited, time spent on pages, and error logs. This data is collected via server logs and our analytics tools. Where possible, this data is aggregated and anonymised.

(f) Communications

When you contact our support team by email or use any in-app messaging feature, we retain the content of those communications in order to provide support, resolve disputes, and improve our services.

3. How We Use Your Information

We use the information we collect for the following purposes:

Core service delivery: To match tutors with students and families using our AI-powered matching algorithm, and to facilitate bookings, sessions, and payments.
Payment processing: To process bookings, issue refunds, pay tutors for completed sessions, and maintain financial records.
Credential verification: To verify that tutors hold the qualifications and certifications they claim, and to conduct identity checks.
Account communications: To send you important information about your account, bookings, sessions, and any changes to our policies or services.
Marketing communications: Where you have opted in, to send you updates about new features, promotions, or content we think you may find valuable. You can withdraw your consent at any time.
Platform safety and quality: To detect and prevent fraud, abuse, and other prohibited activities; to enforce our Terms of Service; and to maintain a safe environment for all users.
Legal compliance: To fulfil our legal obligations, including financial record-keeping, responding to lawful requests from authorities, and safeguarding obligations.
Product improvement: To analyse how users interact with our platform in order to improve features, fix issues, and develop new services. Where possible, we use aggregated and anonymised data for this purpose.
Dispute resolution: To investigate and resolve disputes between tutors, parents, and students.

4. Legal Bases for Processing (GDPR)

For users in the UK or European Economic Area, we process your personal data under the following legal bases as defined by UK GDPR / EU GDPR:

Performance of a Contract (Article 6(1)(b))

The majority of our processing — creating and managing your account, facilitating bookings and sessions, processing payments, and verifying tutor credentials — is necessary to perform the contract between you and TutorNest.

Legitimate Interests (Article 6(1)(f))

We process certain data on the basis of our legitimate interests, which include: maintaining platform safety and preventing fraud; analysing usage to improve our services; and communicating with users about relevant platform updates. We have balanced these interests against your rights and freedoms, and we are satisfied that our legitimate interests do not override your fundamental rights.

Legal Obligation (Article 6(1)(c))

We are required by law to retain certain financial records (for tax and accounting purposes) and to comply with safeguarding obligations where relevant. We process data to the extent required to meet these obligations.

Consent (Article 6(1)(a))

Where we send you marketing emails or use non-essential cookies, we do so only on the basis of your freely given, specific and informed consent. You may withdraw your consent at any time by clicking "unsubscribe" in any marketing email or by contacting us at contact@tutornest.org. Withdrawing consent does not affect the lawfulness of any processing carried out before the withdrawal.

5. Sharing Your Information

We do not sell your personal data. We share your data only in the following circumstances:

(a) Other Users of the Platform

Tutor profiles — including name, photo, qualifications, subjects, bio, and ratings — are visible to parents and students searching for tutors. Once a booking is confirmed, session-specific information (time, date, duration, relevant notes) is shared between the matched tutor and family.

(b) Payment Processors

We share necessary payment information with our payment processors, including Stripe, Paystack, and Flutterwave, as required to complete transactions. These processors are contractually bound to handle your data securely and in accordance with applicable law.

(c) Cloud and Infrastructure Providers

We use Supabase for our database and authentication infrastructure, and Vercel for hosting and content delivery. These providers act as data processors on our behalf and are contractually bound to our data protection requirements.

(d) Analytics Providers

We may share aggregated and anonymised usage data with analytics providers to help us understand how our platform is used. This data cannot reasonably be used to identify individual users.

(e) Legal Authorities

We will disclose personal data to law enforcement, courts, regulatory bodies, or other third parties where we are required to do so by law, court order, or to protect the rights, property, or safety of TutorNest, our users, or the public.

6. International Data Transfers

TutorNest operates globally, serving users across Africa, the United Kingdom, the United States, and beyond. As a result, your personal data may be transferred to, stored in, and processed in countries other than your country of residence — including the United Kingdom, the European Union, and the United States.

Where we transfer personal data from the UK or EEA to countries that have not been deemed to provide an adequate level of data protection, we rely on appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission and/or UK International Data Transfer Agreements (IDTAs), to ensure your data is protected to a standard equivalent to that required under UK GDPR and EU GDPR.

If you would like further information about the specific safeguards we use for any particular transfer, please contact us at contact@tutornest.org.

7. Data Retention

We retain your personal data for as long as your account is active and for a period of two (2) years after account closure, in order to handle any post-closure inquiries, disputes, or legal claims.

Payment and financial records are retained for seven (7) years from the date of the transaction in compliance with tax and accounting legislation.

Specific types of data may be retained for shorter or longer periods depending on the purpose for which they were collected and applicable legal requirements. For example, server logs may be retained for a shorter period for security monitoring purposes.

You may request deletion of your personal data before the end of the standard retention period (see Section 8 — Your Rights). Please note that we may be unable to delete certain data where we are required to retain it by law.

8. Your Rights

Depending on your location, you have various rights regarding your personal data. We describe these below.

Rights under UK GDPR / EU GDPR

Right of access: You have the right to request a copy of the personal data we hold about you (a Subject Access Request).
Right to rectification: You have the right to request that we correct inaccurate or incomplete personal data.
Right to erasure ("right to be forgotten"): You have the right to request deletion of your personal data in certain circumstances.
Right to restriction of processing: You have the right to request that we restrict how we use your data in certain circumstances.
Right to data portability: You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
Right to object: You have the right to object to processing based on legitimate interests, and to object to direct marketing at any time.
Right to withdraw consent: Where processing is based on consent, you have the right to withdraw that consent at any time without affecting the lawfulness of prior processing.

Rights under CCPA (California Residents)

Right to know: The right to request information about the categories and specific pieces of personal information we have collected about you.
Right to delete: The right to request deletion of your personal information, subject to certain exceptions.
Right to opt out of sale: We do not sell your personal information. Should this ever change, we will update this policy and provide an opt-out mechanism.

How to Exercise Your Rights

To exercise any of the above rights, please contact us at contact@tutornest.org. We will respond to your request within 30 days. In some cases we may need to verify your identity before processing your request.

If you are based in the UK, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk. If you are in the EU, you may lodge a complaint with the data protection authority in your member state.

9. Cookies

We use cookies and similar tracking technologies on our platform. Cookies are small text files placed on your device that help us deliver a better user experience, keep you signed in, and understand how you use the platform.

We use strictly necessary cookies (required for the platform to function), performance and analytics cookies (to understand usage patterns), and functional cookies (to remember your preferences).

For full details about the specific cookies we use, their purpose, duration, and how to manage your preferences, please see our Cookie Policy.

10. Children's Privacy

TutorNest is a family-centred platform designed to help parents and guardians find qualified tutors for their children. Parent or guardian accounts are used to manage bookings and sessions on behalf of minors.

We do not knowingly collect personal data directly from children under the age of 13. All accounts must be created by adults (18+). Parents and guardians provide limited information about their children (such as name, year group and learning needs) as part of the matching process.

All tutors on the platform are verified to be 18 years of age or older.

If you believe we have inadvertently collected personal data from a child under 13 without appropriate parental consent, please contact us immediately at contact@tutornest.org and we will take prompt steps to delete that information.

11. Security

We take the security of your personal data seriously and implement a range of technical and organisational measures to protect it, including:

Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS).
Password security: Passwords are hashed using bcrypt — we never store plain-text passwords.
Access controls: Access to personal data is restricted to employees and contractors who need it to perform their job functions, and is governed by least-privilege principles.
Secure infrastructure: We use reputable, security-accredited cloud providers (Supabase, Vercel) with their own robust security programmes.
Regular security reviews: We conduct periodic reviews of our security practices and update them as threats evolve.

No method of transmission over the internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security. If you discover or suspect any security vulnerability or breach involving TutorNest, please notify us immediately at contact@tutornest.org.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.

Where we make material changes to this policy — changes that significantly affect how we collect, use, or share your personal data — we will notify you by email (to the address associated with your account) and/or by displaying a prominent notice within the platform, at least 14 days before the changes take effect.

For non-material updates (such as clarifications or editorial corrections), we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically.

Your continued use of TutorNest after the effective date of any changes constitutes your acceptance of the updated policy.

13. Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or how we handle your personal data, please contact us:

Email: contact@tutornest.org

We aim to respond to all privacy-related enquiries within 5 business days. For formal rights requests under GDPR, we will respond within the legally required 30-day timeframe.