Privacy Policy

1.1 Information You Provide

We collect information you voluntarily provide when using our Service:

1.2 Information Collected Automatically

When you access our Service, we automatically collect:

Device and Usage Information:

• IP address
• Browser type and version
• Operating system
• Device identifiers
• Pages viewed and actions taken
• Time and date of access
• Referring URLs

Location Information:

• General location based on IP address
• Timezone settings

1.3 Information from Third Parties

We may receive information from:

Payment Processors: Transaction status and payment confirmations from Stripe

OAuth Providers: If you sign in using Google or other providers (if enabled)

Educational Institutions: If you join through an organization

2.1 Providing and Improving the Service

• Create and manage your account
• Facilitate communication between teachers, students, and parents
• Process lesson scheduling and payments
• Track educational progress and grades
• Send notifications and reminders
• Provide customer support
• Analyze usage to improve features

2.2 Personalization

• Customize your dashboard and experience
• Recommend teachers or courses based on preferences
• Adjust timezone and display preferences

2.3 Communications

• Send transactional emails (account confirmation, password reset)
• Notify you of lesson schedules and task deadlines
• Send service updates and announcements
• Marketing communications (with your consent)

2.4 Safety and Security

• Detect and prevent fraud and abuse
• Enforce our Terms of Service
• Protect the rights and safety of users
• Comply with legal obligations

2.5 Analytics and Research

• Understand how users interact with our Service
• Measure effectiveness of features
• Conduct research to improve education delivery

3.1 With Other Users

Teachers and Students: Information necessary to facilitate educational relationships (e.g., names, profile information, lesson content)

Parents and Guardians: Access to linked student's educational records

Organization Members: Within the same organization, as appropriate for educational purposes

3.2 With Service Providers

We share information with the following third-party vendors who perform services on our behalf:

Stripe: Payment processing, including Stripe Connect for teacher payouts. When teachers connect their Stripe account, identity verification and banking details are shared directly with Stripe for payout processing

Fly.io: Cloud hosting of our application servers and managed PostgreSQL database (infrastructure provider)

Cloudflare R2: Object storage for user-uploaded files (profile photos, lesson attachments, and recordings)

Resend: Transactional email delivery (account verification, password reset, and lesson notifications)

Daily.co: Video call infrastructure for live lessons

OpenAI: AI-powered features including music notation generation, lesson notes, and quiz generation. Content you submit to AI features is sent to OpenAI for processing

Sentry: Error monitoring and crash reporting, configured with personally-identifiable-information redaction enabled and session replay disabled

All service providers are bound by contractual obligations to protect your data. We do <strong>not</strong> use advertising networks or third-party analytics providers such as Google Analytics, and we do not sell your personal information.

3.3 For Legal Reasons

We may disclose information:

• To comply with legal obligations
• To respond to lawful requests from authorities
• To protect our rights, privacy, safety, or property
• To enforce our Terms of Service
• In connection with legal proceedings

3.4 Business Transfers

If ConviTutor is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you of any such change.

3.5 With Your Consent

We may share information for other purposes with your explicit consent.

4.1 How We Use Cookies

We use only strictly necessary cookies to provide the Service. We do not use preference, analytics, or marketing cookies. All cookies set by ConviTutor are HttpOnly (not accessible to JavaScript) and Secure (HTTPS-only in production).

4.2 Cookies Set by ConviTutor

4.3 Third-Party Service Cookies

The following services integrated into ConviTutor may set their own cookies. These are necessary for the services they provide:

• Stripe (payment processing): may set cookies for fraud prevention and payment session management.
• Sentry (error monitoring): may set cookies for crash reporting. Configured with privacy protections — no personal data is collected.
• Daily.co (video calls): may set cookies for video session management.

4.4 Legal Basis

All cookies used by ConviTutor qualify as strictly necessary under the ePrivacy Directive (Article 5(3)) because they are required to provide services you have explicitly requested — such as logging in, making payments, and joining video calls. No consent banner is required for these cookies.

4.5 Your Choices

You can control cookies through your browser settings. However, because all ConviTutor cookies are strictly necessary, disabling them will prevent core features like authentication and payments from working.

4.6 Do Not Track

We do not use tracking or analytics cookies, so "Do Not Track" browser signals do not apply to our cookie usage.

5.1 Security Measures

We implement appropriate technical and organizational measures to protect your data:

Encryption: Data encrypted in transit (HTTPS/TLS) and at rest

Access Controls: Role-based access limiting who can view data

Authentication: Secure password hashing and optional two-factor authentication

Monitoring: Regular security audits and vulnerability assessments

Backups: Regular encrypted backups with secure storage

5.2 Your Responsibilities

You are responsible for:

• Keeping your password confidential
• Using a strong, unique password
• Logging out on shared devices
• Notifying us of unauthorized account access

5.3 Breach Notification

In the event of a data breach affecting your personal information, we will notify affected users without undue delay, and in any event within 72 hours of becoming aware of a breach involving personal data, where feasible. We will also notify relevant supervisory authorities as required by applicable law.

6.1 Retention Periods

We retain your data for as long as necessary to:

• Provide the Service while your account is active
• Comply with legal obligations
• Resolve disputes
• Enforce our agreements

Specific retention periods:

Account Data: Retained while account is active, plus 30 days after deletion request

Educational Records: Retained for 7 years after last activity (for record-keeping purposes)

Payment Records: Retained for 7 years (tax and legal compliance)

Dispute Records: Payment dispute details, correspondence, and resolution outcomes retained for 7 years for compliance and fraud prevention

Messages: Retained for 3 years after account deletion

Analytics Data: Aggregated data retained indefinitely; individual data for 2 years

6.2 Data Deletion

You may request deletion of your data. Some data may be retained as required by law or for legitimate business purposes. See "Your Rights and Choices" for more information.

7.1 Access and Portability

You have the right to:

• Access your personal data
• Request a copy of your data in a portable format
• Know what information we have collected

7.4 Restriction and Objection

You may:

• Restrict processing of your data in certain circumstances
• Object to processing for direct marketing
• Object to automated decision-making

7.7 Communication Preferences

You can:

• Opt out of marketing emails via the unsubscribe link
• Manage notification preferences in your account settings
• Transactional messages cannot be opted out while your account is active

7.8 GDPR Rights (European Users)

If you are in the European Economic Area (EEA), you have additional rights under GDPR:

• Right to lodge a complaint with a supervisory authority
• Right to data portability
• Right to erasure ("right to be forgotten")
• Right to restrict processing

7.9 CCPA Rights (California Users)

If you are a California resident, you have rights under CCPA:

• Right to know what personal information is collected
• Right to know if personal information is sold or disclosed
• Right to opt out of the sale of personal information (we do not sell data)
• Right to delete personal information
• Right to non-discrimination for exercising your rights

7.2 Correction

You can update or correct your information through your account settings or by contacting us.

7.3 Deletion

You may request deletion of your account and personal data. We will delete or anonymize your data, except where retention is required by law.

7.5 Withdraw Consent

Where we rely on consent, you may withdraw it at any time. This does not affect prior processing.

7.6 Exercising Your Rights

To exercise these rights, please use our contact form. We may need to verify your identity before processing your request. We will respond to verified data subject requests within 30 days. If we need additional time (up to 60 additional days for complex requests), we will notify you of the extension and the reason.

8.1 Age Requirements

• Users aged 13 and older may create their own account; users under 18 (or the applicable age of majority in their jurisdiction) must have verifiable parental or guardian consent
• Users under 13 may participate only through a Student account that is created, linked to, and actively supervised by a parent or legal guardian using a linked Parent account
• During onboarding, users may optionally provide their birth year for demographic and compliance purposes
• Teachers, Organization Owners, Organization Secretaries, and Organization Teachers must be at least 18 years of age

8.2 Parental Consent

For users under 13, we strongly encourage use of our linked Parent account system, where a parent or legal guardian creates and verifies their own ConviTutor account and maintains oversight of the child's educational activities through the Parent dashboard:

• Accounts for children under 13 should be created by a parent or guardian using the linked Parent account flow
• Parent/guardian maintains control and oversight through the Parent dashboard
• We provide mechanisms for parents to create and supervise their children's accounts

8.3 COPPA Compliance

We are committed to protecting children's privacy in accordance with the Children's Online Privacy Protection Act (COPPA) in the United States:

• We provide mechanisms for parents to create and supervise their children's accounts through our linked Parent account system
• We encourage all users under 13 to use ConviTutor only through a Parent-linked account
• Parents can review, delete, or refuse further collection of their child's information
• We do not require children to provide more information than necessary

8.4 Educational Records

For students, we may act as a "school official" under FERPA when working with educational institutions. Educational records are protected and only shared as permitted by law.

9.1 Data Location

Your data may be processed and stored in the United States or other countries where our service providers operate.

9.2 Transfer Safeguards

When transferring data internationally, we use appropriate safeguards:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data Processing Agreements with service providers
• Compliance with applicable data protection laws

9.3 Your Consent

When your data is transferred internationally, we rely on Standard Contractual Clauses (SCCs) and Data Processing Agreements as the primary legal mechanism. Your use of the Service from outside the United States involves the transfer of data to our servers in the United States.

10.1 External Links

Our Service may contain links to third-party websites. We are not responsible for their privacy practices. Please review their privacy policies.

10.2 Integrated Services

We integrate with third-party services:

• Stripe: For payment processing. See Stripe's Privacy Policy
• YouTube: For embedded videos. See Google's Privacy Policy

10.3 Social Features

If you use social sharing features, information may be shared according to your settings on those platforms.

11.1 Updates

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Posting the updated policy on our website
• Sending an email to your registered address
• Displaying a notice within the Service

11.2 Effective Date

Material changes will not take effect until at least 30 days after notice is provided. Non-material changes (clarifications, formatting) may take effect immediately. Your continued use of the Service after changes take effect constitutes acceptance.

11.3 Review

We encourage you to review this Privacy Policy periodically.