TCAI Privacy Policy

Last updated: January 2026

At TutorCruncher, protecting your personal data is a top priority. We handle your information in line with the UK GDPR and, where relevant, the EU GDPR. This Privacy Policy explains what data we collect, why we collect it, how we use it, your rights, and how to contact us.

Who We Are

Company: TutorCruncher Ltd, England & Wales (Company No. 08385970)
Registered Office: The Food Exchange, New Covent Garden Market, Nine Elms, London SW8 5EL
Email: info@tutorcruncher.com

Data Protection Officer: Maahi Islam, Customer Success Manager & Data Protection Officer – maahi@tutorcruncher.com

Controller vs Processor

TutorCruncher as Controller: We act as Controller when we determine the purposes and means of processing your data directly (e.g., for our platform users).

TutorCruncher as Processor: When you use TutorCruncher through a tutoring organisation, that organisation is the Controller. We act only on their instructions.

Joint Processing: In some cases, TutorCruncher and a customer may act as joint Controllers. In such cases, data subjects will be informed of their rights and which party manages requests.

What Personal Data We Collect

We collect data to provide services, maintain security, and improve your experience. Examples include:

Account Data: Name, email, phone number, address, company details
Billing & Payment Data: Payment info processed via Stripe, GoCardless, or similar
Communication Data: Emails, messages, support requests via Intercom or email
Usage & Device Data: IP addresses, browser/device info, login timestamps, pages viewed, interactions with services, telephony logs, system activity, location data, video-conference data
Integration Data: Data shared with optional third-party apps (e.g., online classrooms, CRMs)
Marketing Preferences: Communication choices and consent

Indirect Data Sources: We may also receive data from third parties or your organisation. You are responsible for ensuring authority to provide such data, and that individuals are informed according to this Privacy Policy.

How We Use Your Personal Data

We only use your data where we have a legal basis under GDPR.

Purpose	Data Type	Legal Basis	Notes
Provide and manage platform & services	Account, Usage, Integration Data	Contract	Necessary to deliver our services
Process payments & Invoices	Billing & Payment Data	Contract / Legal Obligation	Required to manage subscriptions and payments
Respond to enquiries & support requests	Communication Data	Legitimate Interest	Internal support and service quality; Legitimate Interest Assessment documented
Marketing communications	Marketing Preferences	Consent	Only sent if opted in; opt-out anytime via preferences link or email
Analytics & improve platform	Usage & Device Data	Legitimate Interest	Aggregated where possible; access limited to authorised staff; users may object
Legal & regulatory compliance	Account, Billing, Logs	Legal Obligation	Required for compliance with laws and tax obligations
Personalise content & ads	Account, Usage, Marketing Data	Consent / Legitimate Interest	Users can opt out; profiling not used for legal or similarly significant effects

Automated decision-making: We do not use Personal Data for automated decision-making or profiling that produces legal or similarly significant effects.

Cookies, Tracking & Analytics

We use cookies, pixels, and similar tools to improve your experience and analyse usage.

Types of Cookies:

Required: Essential for logging in, transactions, and security
Functional: Improve performance and functionality
Targeting/Advertising: Show relevant ads and track performance

Consent:

Prior consent is obtained for all non-essential cookies in accordance with UK GDPR and PECR.
You can manage or opt out via browser settings or the Cookie Preferences link.
Behavioural advertising opt-out guidance is available via the Network Advertising Initiative.

Analytics:

Google Analytics and BigQuery may collect usage data; IP anonymisation is enabled.
Users can opt out via browser add-ons or settings.
Cookie retention is clearly documented in our cookie banner and policy.

Sharing Your Personal Data

We only share Personal Data as necessary:

Sub-Processors & Service Providers: Hosting, cloud services, analytics, payments, support, marketing, security, and operations. All are bound by GDPR-compliant Data Processing Agreements (DPAs). Customers are notified of new Sub-Processors and can object.

Customers / Organisations: When acting as Controller, we process data only on their instruction.

Third Parties: Minimal data may be shared with social media, advertising networks, or other platforms.

Corporate Changes: In a merger, acquisition, or sale, data may be transferred with reasonable notification.

Anonymous / Aggregated Data: May be shared publicly or with partners to analyse trends.

Sub-Processors & Third-Party Providers

To deliver our services, we work with trusted providers who process data on our behalf under GDPR-compliant Data Processing Agreements (DPAs).

Provider	Purpose	Data Type	Region
Heroku	Application hosting	User data	EU
Redis Enterprise	Data caching	User data	EU
Google Cloud Platform (BigQuery)	Analytics & warehousing	Usage data	EU / US
Cloudflare	Security & CDN	IP / network data	Global
Logfire	Logging & monitoring	Application data	EU / US
Sentry	Error tracking	Usage data	EU / US
Stripe	Payments	User & payment data	EU / US
Mandrill (Mailchimp)	Transactional email	Contact & message data	US
Intercom	Customer support	Contact data	EU / US
LessonSpace	Whiteboard tool	User data	EU/US

International Transfers

Some Sub-Processors process data outside the UK/EEA (e.g., US). We ensure appropriate safeguards:

UK International Data Transfer Agreement (IDTA)
EU Standard Contractual Clauses (SCCs) with UK Addendum where relevant
Encryption and access controls
Transfer Risk Assessments conducted as needed
All transfers comply with UK GDPR requirements post-Brexit

Data Retention

Data Type	Retention Period
Account & Billing	Up to 7 years (legal/tax purposes)
Logs & Errors	Typically 12 months; longer if required for audits/security
Marketing Data	Until consent is withdrawn
Customer Data	According to customer retention policies
Video & Telephony Data	6 months after session unless deletion requested
Integration / Third-Party Data	Retained according to customer or integration settings; deleted if customer settings lapse

AI

We use artificial intelligence technologies to provide our services. Personal data submitted by users is not used to train, retrain, or improve AI models, and is processed solely for the purpose of delivering the requested services.

Video & Telephony Data

During video or online classroom sessions, your device may share camera, microphone, location, or telephony log data.

Sessions are encrypted where possible.
You can request deletion via your organisation or us; deletion depends on the third-party platform retention policy.

Children’s Data

Our services are not directed at children under 13.

Tutoring organisations must obtain parental consent for minors.
For ages 13–16, parental consent is recommended.
We implement measures to avoid accidental collection of children’s data and delete it promptly if discovered.

Data Security & Breaches

We use organisational, technical, and physical safeguards including:

Encryption of data in transit and at rest
Access controls and audit logs
Two-factor authentication where possible

In the event of a breach posing high risk, we notify affected individuals and the ICO within 72 hours.

Your Rights

Under UK GDPR, you have the right to:

Access your data
Request correction or deletion
Object to or restrict processing
Withdraw consent
Data portability (where applicable)
Object to automated decision-making (currently not used)

How to exercise your rights:

If your data is held by a TutorCruncher customer (Controller), contact them.
Otherwise, email info@tutorcruncher.com. We respond within one month.

Complaints:

You can escalate to the ICO: ico.org.uk, casework@ico.org.uk, or 0303 123 1113.

Data Processing Agreement (DPA)

Customers processing client data through TutorCruncher require a DPA. It outlines roles, responsibilities, and Sub-Processor obligations. All Sub-Processors are bound by GDPR-equivalent contracts. Download the DPA here.

Updates to This Privacy Policy

We may update this Policy to reflect changes in services, legal requirements, or privacy practices.

Major updates will be communicated to users.
Previous versions and effective dates are archived for reference.

Contact Us

TutorCruncher Ltd
The Food Exchange, New Covent Garden Market, Nine Elms, London SW8 5EL
📧 info@tutorcruncher.com
🌐 www.tutorcruncher.com