Last updated: 10 September 2024
This Privacy Policy explains how TAP EGO LTD (trading as Tutor Today) collects and uses personal data in connection with our website, apps and services, including micro-classes, one-to-one sessions, lesson recordings, messaging, and AI-assisted study tools.
1) Who we are (Controller)
TAP EGO LTD (trading as Tutor Today)
Company number: 10559197
Registered office: 20–22 Wenlock Road, London, N1 7GU, United Kingdom
We are the data controller for the processing described in this notice.
How to contact us about privacy: Use the contact form on our Website or write to the registered office above (mark your letter FAO: Privacy). We’ll respond without undue delay.
Supervisory authority: You have the right to complain to the Information Commissioner’s Office (ICO): Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, ico.org.uk, 0303 123 1113.
2) What data we collect
We collect and process:
Account & identity data: name, username, role (student, parent/guardian, tutor), age range/school year (for students), profile photo/avatar, country/region, time zone.
Parent/guardian data (for under-18s): name, relationship, contact details, consent records.
Contact data: email, phone (optional), postal address (if needed for invoicing).
Learning profile & activity: subjects, goals, learning style/preferences, class and attendance history, in-class test/worksheet results, tutor feedback, AI recommendations and progress analytics.
Content & communications: messages sent, homework uploads, whiteboard notes, in-platform chat, and support tickets.
Recordings: audio/video of lessons, screen/whiteboard and chat transcripts (where recording is enabled), plus automated speech-to-text for feedback/quality/safeguarding.
Payments & transactions: order history, product/subscription purchased, price, currency, limited payment metadata. We do not store full card numbers—Stripe/PayPal handle these.
Marketing & preferences: EPS subscriptions, OneSignal push opt-ins, consent history, unsubscribe and suppression records.
Technical & usage data: device/browser data, IP address, log files, cookies/SDK identifiers, crash logs, session timestamps, internal analytics (e.g., BI dashboards built from server logs), Site unique device identifiers where used.
Special category data: we do not require health or other special-category data for service delivery. Please avoid sharing it in chat or uploads. If you voluntarily share such data (e.g., dyslexia disclosure), we process it with your explicit consent or to protect vital interests (safeguarding), and we minimise and protect it.
3) How we collect data
Directly from you when you register, purchase, message, upload homework, join lessons, or change settings.
From parents/guardians setting up accounts for under-18 learners.
From tutors (e.g., attendance, feedback, grades for in-class tests).
Automatically via cookies/SDKs and server logs.
From processors/integrations we use to run the service (see Section 7).
4) Why we use your data (purposes) & our lawful bases
Account set-up & service delivery. We use your data to register accounts, provide lesson and classroom access, organise micro-class rosters and one-to-one bookings, and—where enabled—record sessions for safety, quality, and learning review. Our lawful bases are contract, plus legitimate interests for safety/quality, and consent for recording where required by law.
Payments & subscriptions. We process WooCommerce orders, Stripe/PayPal payments, receipts, and fraud checks on the basis of contract and legal obligation (e.g., accounting/tax).
Tutor onboarding & compliance. We handle identity/background-check status, scheduling, and payouts under contract, legitimate interests (platform integrity), and—where applicable—legal obligation.
Learning analytics & AI assistance. We generate transcriptions, progress insights, personalised recommendations (e.g., via Toby AI), and resource suggestions under legitimate interests (improving learning and safety), and under consent where the features are optional.
Communications. We send transactional emails (reminders, receipts), service updates, and safeguarding alerts under contract and legitimate interests (service continuity/safety).
Marketing. We send newsletters (MailPoet), push notifications (OneSignal), and offers with consent—or under the PECR soft opt-in for our own similar products to existing customers. You can opt out at any time.
Safety, safeguarding & disputes. We support abuse prevention, moderation, incident logs, complaints, and chargebacks under legitimate interests, legal claims, and vital interests where a child may be at risk.
Security & operations. We run logging, intrusion detection, uptime monitoring, backups, and analytics (e.g., BI and DB services) under legitimate interests to provide a secure, reliable service.
Legal/regulatory. We keep tax and accounting records and respond to lawful requests on the basis of legal obligation.
We do not use lesson content to train third-party foundation models. Where we use AI providers, they act under our instructions as processors or we apply settings that disable training on your data.
5) Children & young people
Our services support learners under 18. For under-18s, a parent/guardian must create/oversee the account and provide consent. We may take steps to verify the adult’s relationship to the learner. We do not knowingly collect data from children under 13 without verifiable parental consent. If you believe a child has provided data without consent, please contact us so we can delete or secure it.
6) Recordings & transcripts
We may record lessons (audio/video, whiteboard, chat) for safeguarding, quality assurance, feedback, and catch-up.
Recordings may be accessible to the Student, their Parent/Guardian, the Tutor, and authorised staff.
You must not download, screen-record or share recordings externally unless we explicitly provide a download and licence to do so.
Where required, we obtain consent for recording; otherwise we rely on legitimate interests balanced against participants’ rights. You can object (see Section 10), though opting out may limit participation in certain classes.
Default retention: 12 months, or longer where needed for safeguarding, disputes, legal claims, or where a course explicitly provides extended access.
7) Who we share data with (processors & recipients)
We share only what’s necessary, under contract:
Hosting & platform: Established hosting service, managed backups/uptime.
Payments: Stripe Payments Europe/Stripe, and/or PayPal—card/bank details handled by them; we receive tokenised references and status.
Communications: Established EPS (email newsletters & transactional templates), OneSignal (browser/mobile push—opt-in required), Onsite live chat messages (real-time chat within our site).
Scheduling & events: Internal calendar tools (class schedules).
Gamification & automation: Established Gamification system (points/badges/leaderboards).
AI & classroom tooling: AI (recommendations, Q&A, tutor matching) hosted by/for us; transcription/analytics services under our instructions; online classroom provider(s) used for live lessons.
Analytics & BI: Established BI systems (dashboards built from operational data); server logs; limited privacy-respecting analytics/scripts where used.
Verification & compliance: Background-check providers (for Tutors) where applicable.
Professional/advisory: Legal, accounting, insurance and auditors (only where necessary).
Authorities: Police, courts or regulators where legally required, or to protect vital interests.
International transfers may occur (e.g., to the EEA/US). Where they do, we use appropriate safeguards such as the UK Addendum to the EU Standard Contractual Clauses or the ICO IDTA, plus technical/organisational measures.
8) How long we keep data (retention)
We retain personal data only for as long as needed for the purposes described in this policy or to meet our legal obligations.
Account profile & class history. We keep your account details and class history while your account is active, then for a further 24 months. We may retain limited metadata for longer to honour suppression/opt-out requests and to prevent fraud or abuse.
Orders, invoices & payouts. We keep transactional records for 6 years to meet UK tax and accounting requirements.
Lesson recordings & transcripts. Our default retention is 12 months (see Section 6). We may keep them longer where required for safeguarding, complaints handling, or legal hold.
Messages & logs. We keep messages and standard operational logs for 24 months. Security logs may be retained for different periods depending on risk and system needs.
Marketing consent & suppression. We store consent records for 6 years. Suppression lists (minimal data) are kept indefinitely so we can reliably honour opt-outs.
Tutor background-check evidence. We keep verification evidence for the duration of tutoring and up to 3 years after the tutor’s last activity, for compliance purposes.
We may also anonymise data for statistics and research. Anonymised data is not personal data.
9) Cookies, SDKs & PECR
We use cookies and similar technologies to run our site and improve the service.
Categories
Strictly necessary (essential for login, checkout, security; e.g., WooCommerce/session cookies).
Functional (remember preferences like time zone).
Analytics (understand usage/performance, reduce errors; e.g., internal metrics surfaced via Metabase; where third-party analytics are used, they will be listed in the cookie banner).
Marketing (MailPoet open/click tracking, OneSignal push token; only with your consent/opt-in).
Consent: On first visit, our cookie banner lets you accept/decline non-essential cookies. You can change your choices at any time via the cookie settings link in the footer. For push notifications (OneSignal), your browser will ask you to opt in; you can revoke permission in browser or device settings.
For email marketing, we rely on consent or soft opt-in for similar products/services to existing customers (PECR). You can unsubscribe at any time (link in every email).
10) Your rights (UK GDPR)
You can exercise these rights at any time (we’ll respond within one month):
Access to your personal data and a copy.
Rectification of inaccurate or incomplete data.
Erasure (“right to be forgotten”) where applicable.
Restriction of processing in certain circumstances.
Portability (receive data you provided to us in a structured, commonly used, machine-readable format, and ask us to transfer it to another controller where feasible).
Object to processing based on our legitimate interests, including profiling (e.g., analytics, AI recommendations); we will stop unless we have compelling legitimate grounds or the processing is for legal claims.
Withdraw consent where processing is based on consent (e.g., marketing emails, optional cookies, certain recordings).
Complain to the ICO (see Section 1).
Identity verification: We may ask for reasonable information to confirm your identity and protect accounts.
11) Automated decision-making & profiling
We use analytics and AI to recommend classes, resources, and next steps (profiling in the ordinary sense). These processes do not produce legal or similarly significant effects without human involvement. You can object (Section 10) and request a human review where applicable.
12) Security
We use appropriate technical and organisational measures, including TLS encryption in transit, access controls/least privilege, staff training, audit logging, and regular patching. Payment data is handled by PCI-compliant processors (Stripe/PayPal). No system is 100% secure; if we become aware of a personal-data breach likely to risk your rights and freedoms, we will notify you and the ICO where required.
13) Third-party links
Our site may contain links to third-party websites. Their privacy practices are their own; please review those policies.
14) Changes to this policy
We may update this policy from time to time. Material changes will be posted on our Website and, where appropriate, we will notify you (e.g., by email or in-app notice). The date at the top shows when it was last updated.
15) Contact us (privacy)
Questions or requests about this policy or your data?
Please use the contact form on our Website or write to:
TAP EGO LTD (trading as Tutor Today)
FAO: Privacy
20–22 Wenlock Road, London, N1 7GU, United Kingdom
Annex A – Summary of key cookies/technologies (indicative)
(Exact names are available upon request and may change; see the live cookie banner for the current list.)
Ecommerce tool/session – essential for cart/checkout (Strictly necessary).
Website login/session – keep you signed in (Strictly necessary).
EPS tracking – email open/click metrics (Marketing/Analytics; consent/soft opt-in).
Push Message Provider – push token & delivery (Marketing/Functional; opt-in required).
DB – device ID, messaging where used (Functional/Analytics; consent where required).
Internal analytics – aggregated server/app logs (Analytics; typically cookieless—site banner will reflect if a cookie/SDK is used).
Annex B – Tutor-specific notes
We may request and store background-check status (e.g., DBS/Disclosure Scotland/Access NI) and verification dates; we typically store a reference rather than a full certificate.
We share necessary information with Students/Parents for scheduling and delivery (name, bio, ratings, class timetable).
Payouts are handled via Stripe/PayPal; we receive only the data needed to reconcile transactions.
We may review lesson quality via recordings, transcripts, attendance and feedback for performance management and safeguarding (Legitimate interests).