TutorGO!

Privacy Policy

Last updated: [DATE]

1. Data Controller

A-Digital Works Ltd is the data controller for personal data processed through Tutor GO! UK. Contact: [EMAIL ADDRESS], [REGISTERED ADDRESS].

2. Data We Collect

We collect the following categories of personal data:

Account data: name, email address, phone number, date of birth, profile photo.

Tutor-specific data: government-issued ID (for verification), DBS certificate, Bunka-cho certification, teaching qualifications, bio and profile information.

Payment data: processed by Stripe. We do not store card numbers.

Chat messages: messages sent through the Platform messaging system.

Usage data: device information, IP addresses, pages visited, actions taken.

Minor-specific data: guardian name, email, and consent record for users aged 16-17.

3. Legal Bases for Processing

Contract performance: operating the Platform, processing payments, facilitating bookings.

Legitimate interests: safety features, DBS verification, incident investigation, service improvement, fraud prevention.

Legal obligation: tax record retention (HMRC), law enforcement requests.

Consent: optional certification badge display, marketing communications.

4. Data Sharing

We share data with other users (profile information only, never contact details), Stripe (payment processing), hosting providers (Supabase, Vercel), DBS check providers, and law enforcement when required by law or to prevent imminent harm. We do not sell your personal data to third parties.

5. Data Retention

Account data is retained for 24 months after account closure. Transaction records are retained for 6 years (HMRC requirement). Chat messages are retained for 12 months after account closure. DBS certificates are destroyed immediately after verification; only verification status is retained. ID documents are destroyed after 30 days. Incident reports are retained for 6 years (Limitation Act 1980). Banned user identifiers are retained indefinitely for safety purposes. Analytics data is anonymised after 24 months.

6. Your Rights

Under UK GDPR, you have the right to access your personal data, rectify inaccurate data, request erasure (with limitations), restrict processing, data portability, and object to processing. Some rights are subject to limitations: transaction records cannot be deleted during the 6-year HMRC retention period, incident reports cannot be deleted during the 6-year Limitation Act period, and banned user identifiers cannot be deleted for safety reasons.

7. Security

We use TLS/SSL encryption in transit, encryption at rest for stored data, role-based access controls, and rely on the security infrastructure provided by Supabase, Stripe, and Cloudflare.

8. International Transfers

Where data is transferred outside the UK, we rely on Standard Contractual Clauses or adequacy decisions to ensure appropriate protection.

9. Cookies

We use essential cookies (required for the Platform to function) and analytics cookies (with your consent). We do not use advertising or tracking cookies.

10. Children

Users under 16 are prohibited from using the Platform. Users aged 16-17 may only register with verified parental or guardian consent.

11. Complaints

If you have concerns about how we handle your data, please contact us at [EMAIL ADDRESS]. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.