Introduction
This policy explains how Tutorbase Ltd. ("Tutorbase," "we," "our," or "us") collects, uses, shares, and protects personal information when you visit our website or use our tutoring management platform (together, the "Service").
Tutorbase is a business-to-business platform. The organizations that subscribe to the Service (tutoring centers, language schools, test prep providers, and similar organizations) are the controllers of the personal information they enter into the Service about their students, parents, and staff. Tutorbase acts as a processor for that information on the organization's instructions. We are the controller for the information we collect directly from website visitors, account holders, and our subscribers.
This policy applies to both roles. We identify which role applies in each section below where it matters.
Who We Are
Tutorbase Ltd. is a private company incorporated in the Hong Kong Special Administrative Region of the People's Republic of China.
- Registered office: Unit 103, 1/F Mirror Tower, 61 Mody Road, Tsim Sha Tsui, Hong Kong.
- Privacy contact: privacy@tutorbase.com
- EU representative (GDPR Article 27): EMA GmbH, Eichenweg 7, 95686 Fichtelberg, Germany. Email: bk@ema-partner.de. EMA GmbH has been mandated under Article 27 of the GDPR to act as our representative in the European Union. Data subjects in the EEA may contact EMA GmbH on matters concerning Tutorbase's processing of their personal data, in addition to contacting us directly.
- Data protection officer: We are not required to appoint a Data Protection Officer under GDPR Art 37 because our core activities do not consist of large-scale systematic monitoring of data subjects or large-scale processing of special categories of personal data. The privacy contact above handles all requests.
If you have questions about how an organization that uses Tutorbase is processing your data (for example, your tutoring center), please contact that organization directly. They control that data; we process it on their behalf.
Information We Collect
3.1 Information you provide directly to us
- Account information: Name, email address, phone number, organization details, role, and password (handled by our authentication provider Clerk) when you create an account or are invited to one.
- Billing information: Billing address, tax identifiers, and limited payment method metadata. Card numbers and bank account details are handled by Stripe and are not stored on Tutorbase systems.
- Communications: The content of messages you send us (email, support tickets, demo bookings, contact form submissions, and similar) and any attachments.
- Marketing forms: If you sign up for the waitlist, request a demo, or submit a contact form, we collect the fields on that form (typically name, work email, organization name, country).
3.2 Information our subscribers (organizations) enter
Organizations using Tutorbase enter information about their students, parents, teachers, and lessons into the Service. This may include names, contact details, schedules, attendance, lesson notes, invoices, payment records, and similar operational data. We process this information on the organization's behalf as a processor. The organization is the controller.
3.3 Information collected automatically
- Usage data: Pages visited, features used, actions taken, and approximate timestamps. We use this to operate the Service, improve it, and detect abuse.
- Device and connection data: IP address (truncated where possible for marketing analytics), browser type, operating system, device type, preferred language, and referrer URL.
- Geolocation (country-level): We detect approximate country from your IP address to display prices in a relevant currency. This detection runs at the edge and does not store your IP address; it stores only the resulting currency choice in a cookie.
- Error and performance data: When the Service encounters an error, we capture the error, the URL it occurred on, and a limited amount of surrounding context (such as the user role and the page area). Session replays are sampled and capture a small percentage of sessions to help us reproduce issues; text content of form fields is masked.
3.4 Information from third parties
If you sign in using an OAuth provider (such as Google), we receive a limited profile from that provider as scoped by the consent you grant. If your organization integrates third-party services (for example, a payment processor), we receive operational data necessary to keep the Service in sync.
How We Use Your Information
We use personal information for the purposes below. Where the European Union General Data Protection Regulation (GDPR), the United Kingdom GDPR, or laws derived from them apply to you, we also identify the legal basis under Article 6.
- Provide the Service: Operate the platform, authenticate users, route lessons, generate invoices, send transactional emails, and process payments. Legal basis: performance of a contract (Art 6(1)(b)) for account holders; legitimate interest (Art 6(1)(f)) for users acting on behalf of an organization.
- Keep the Service safe: Detect, investigate, and prevent fraud, abuse, unauthorized access, and breaches of our terms. Legal basis: legitimate interest (Art 6(1)(f)) and legal obligation (Art 6(1)(c)).
- Improve the Service: Analyze usage to fix bugs, refine features, and prioritize our roadmap. Legal basis: legitimate interest (Art 6(1)(f)), with consent (Art 6(1)(a)) for analytics cookies and similar non-essential tracking technologies.
- Communicate with you: Send service announcements, security notices, billing messages, and replies to your questions. Legal basis: performance of a contract (Art 6(1)(b)) for service communications; consent (Art 6(1)(a)) for product newsletters and marketing emails (which you can unsubscribe from at any time).
- Comply with legal obligations: Retain records as required by tax, accounting, and similar laws; respond to lawful requests. Legal basis: legal obligation (Art 6(1)(c)).
For data we process on behalf of a subscriber organization (their students, parents, staff, and lesson records), our role is processor, not controller. We use that data only as the organization instructs us, plus what is necessary to operate the Service securely.
Sharing and Sub-Processors
We do not sell personal information. We share it only with the categories of recipients below, and only as necessary.
5.1 Sub-processors
We use a limited set of vendors to operate the Service. They process personal information only on our instructions and are bound by data processing agreements with us. The current list of sub-processors, their purpose, and their region is at tutorbase.com/sub-processors. We will notify subscribers of changes to that list at least 30 days before a new sub-processor begins processing personal data, where reasonably practicable.
5.2 Your tutoring organization
If your tutoring center, school, or other organization uses Tutorbase, that organization can see information about its students, parents, and staff that is entered into the Service. We do not give one subscriber organization access to another's data; the Service enforces tenant isolation.
5.3 Legal and safety disclosures
We may disclose personal information when we believe in good faith that disclosure is required by law, necessary to protect the rights, property, or safety of a person, or necessary to enforce our terms.
5.4 Business transfers
If Tutorbase is involved in a merger, acquisition, sale of assets, or insolvency, personal information may be transferred. We will notify subscribers and post a notice on this page where required by law.
We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
International Data Transfers
Tutorbase is based in Hong Kong. Several of our sub-processors are based in the United States or operate services hosted in the United States. This means personal information may be transferred to, and processed in, countries outside your country of residence, including countries that may have different data protection laws.
Where we transfer personal information from the European Economic Area, the United Kingdom, or Switzerland to a country that does not have an adequacy decision from the European Commission (or the UK Information Commissioner's Office, as applicable), we rely on the European Commission's Standard Contractual Clauses (Module 1, Module 2, or Module 4 depending on the relationship) or the UK International Data Transfer Addendum, supplemented by appropriate technical and organizational measures.
Where we transfer personal information from Hong Kong, we comply with the obligations of the Personal Data (Privacy) Ordinance in respect of cross-border transfers.
You can request a copy of the transfer mechanism for a specific sub-processor by emailing privacy@tutorbase.com.
Data Retention
We retain personal information for as long as necessary to provide the Service and for the periods set out below. Where we act as a processor for a subscriber organization, we retain or delete data according to the organization's instructions, subject to the limits below.
- Account and profile data: For the life of the account, plus 12 months after closure, to handle billing reconciliation and possible reactivation. After that, the account is deleted or anonymized.
- Subscriber-controlled data (students, parents, lessons, invoices): For the life of the subscription, plus a 30-day grace period after termination during which the subscriber can export the data. After 30 days the data is deleted unless the subscriber instructs otherwise in writing or we are required to retain it for legal or accounting reasons.
- Billing and tax records: 7 years from the close of the relevant accounting period, in line with applicable tax retention rules.
- Marketing-site analytics: Cookie-based analytics are retained for up to 90 days after collection.
- Error and performance logs: Sentry error data and application logs are retained for up to 90 days.
- Marketing email subscribers: For as long as you remain subscribed, plus 12 months after you unsubscribe to maintain a suppression list and demonstrate consent compliance.
- Backups: Rolling backups are retained for up to 30 days, after which they are automatically overwritten.
Data Security
We use technical and organizational measures appropriate to the risk of processing, including:
- Encryption in transit (TLS 1.2 or higher) and at rest
- Role-based access control and the principle of least privilege for personnel access to systems
- Tenant data isolation between subscriber organizations
- Logging and monitoring of administrative access
- Defined incident-response procedures and breach notification commitments to subscribers and, where applicable, to regulators within 72 hours of becoming aware of a notifiable personal data breach
- Vendor selection that prefers SOC 2 Type II- or ISO 27001-attested providers for hosting, authentication, payments, and observability
No method of transmission over the internet or method of electronic storage is perfectly secure. If you believe your account has been compromised or you have identified a vulnerability, please contact security@tutorbase.com.
Your Rights
Depending on where you live, you may have some or all of the rights below. To exercise any right, email privacy@tutorbase.com. We aim to respond within 30 days. We may need to verify your identity before acting on the request.
- Access a copy of the personal information we hold about you
- Correct inaccurate or incomplete information
- Delete your personal information, subject to legal retention obligations
- Restrict or object to certain processing activities
- Receive your personal information in a portable format
- Withdraw consent where processing is based on consent; withdrawal does not affect prior lawful processing
- Lodge a complaint with a supervisory authority. In the EEA: your local DPA. In the UK: the Information Commissioner's Office (ico.org.uk). In Hong Kong: the Privacy Commissioner for Personal Data (pcpd.org.hk).
If your data was entered into the Service by a tutoring center or other organization, that organization is the controller and you should direct your request to them first. We will support the organization in honoring valid requests.
Children's Privacy
Tutorbase is sold to businesses (tutoring centers, language schools, and similar organizations). Account holders must be at least 18 years old. We do not knowingly market the Service to children and we do not knowingly collect personal information directly from children.
Subscribers may enter information about minor students into the Service as part of operating their business (names, contact details, schedules, lesson history). In that case, the subscriber organization is the controller of that information. By using Tutorbase, the subscriber represents that they have obtained any consent required under applicable law (including, in the United States, the Children's Online Privacy Protection Act (COPPA); in the European Union, Article 8 of the GDPR; and equivalent local law elsewhere) before entering minor student data.
If you believe a child's information has been collected by Tutorbase directly (rather than entered by a subscriber organization) without appropriate consent, please contact privacy@tutorbase.com so we can investigate and remove it where appropriate.
Automated Decisions and Marketing
12.1 Automated decision-making
We do not make decisions producing legal or similarly significant effects on you based solely on automated processing of your personal data.
12.2 Marketing emails
If you sign up to receive product updates, we send you marketing emails until you unsubscribe. Every marketing email contains a one-click unsubscribe link. You can also opt out at any time by emailing privacy@tutorbase.com. Service emails (billing, security, support replies) continue regardless because they are necessary for your use of the Service.
12.3 Do Not Track
Browsers may send a "Do Not Track" signal. There is currently no consistent industry standard for responding to that signal, so we do not change our behavior based on it. You can manage tracking through the Cookie Settings link in the footer.
Changes to This Policy
We may update this policy from time to time. When we do, we will update the "Last updated" date at the top. For changes that materially affect your rights or how we use your information, we will give you advance notice through the Service or by email where we have your address.
Contact Us
If you have any questions about this policy or our data practices, please contact us:
Unit 103, 1/F Mirror Tower
61 Mody Road, Tsim Sha Tsui
Hong Kong