Privacy Policy
Last updated: 26 May 2026
1. Who We Are
Tutorioo is operated by Janzay LLC, a Wyoming limited liability company, trading as "Tutorioo" ("Tutorioo", "we", "us", "our").
Janzay LLC
30 N Gould St Ste 100, Sheridan, WY 82801, United States
Email: support@tutorioo.com
This Privacy Policy explains how Janzay LLC collects, uses, discloses, and protects personal information in connection with the Tutorioo service, and the rights available to you under the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, "CCPA/CPRA"), the Children's Online Privacy Protection Act ("COPPA"), and other US state comprehensive privacy laws including those of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, New Hampshire, New Jersey, Tennessee, Iowa, Nebraska, Minnesota, and Maryland, together with any other US state comprehensive privacy law as and when it comes into force.
2. Notice at Collection (CCPA/CPRA)
The table below summarises the categories of personal information we collect, the purposes for which each category is used, and the categories of recipients with whom that information may be shared. For the specific recipients of each data flow, see the sub-processor table in Section 9.
| CCPA category | Examples | Purposes | Categories of recipients |
|---|---|---|---|
| Identifiers | Name, email address, account identifier, IP address, device identifier, parent contact details | Account creation and authentication; service delivery; communication; fraud and abuse prevention | Hosting and database providers; authentication and CDN providers; email providers; fraud and bot defence providers |
| Commercial information | Subscription state, plan history, transaction confirmations (no card or bank data) | Billing, subscription management, fraud prevention | Payment processors (Paddle, PayPal) as the merchant of record |
| Internet or network activity | Pages visited, features used, session duration, error logs, request URLs | Service operation, debugging, security monitoring, analytics (consent-based) | Hosting, error monitoring, analytics and advertising-measurement providers (where consent applies) |
| Geolocation data | Country-level location derived from IP address only; no precise geolocation collected | Routing and language selection; abuse prevention | CDN and security providers |
| Audio and electronic information | Voice recordings (lecture recording feature), AI text-to-speech audio output, support correspondence | Speech-to-text transcription; tutoring; support | Speech-to-text providers; text-to-speech providers; support email providers |
| Professional or education-related information | Year group, subject, exam board, curriculum context, lesson history, quiz answers, homework submissions, progress reports | Delivering tutoring, generating progress reports, personalising learning | AI providers; hosting and email providers (for report delivery) |
| Inferences | AI-generated observations about learning patterns, topic difficulty, study habits | Personalisation of tutoring, study-plan generation, audio recaps (see Section 6) | AI providers |
We do not sellpersonal information for monetary consideration. Certain advertising-measurement data flows may qualify as "sharing" under California law — see Section 12.
3. Information We Collect
Information you provide directly
- Account information: name, email address, date of birth, year group
- Student learning data: lesson history, quiz answers and scores, homework submissions and uploaded images, lecture audio recordings, AI-generated progress reports
- Payment information: subscriptions are handled by Paddle (merchant of record) or PayPal. We do not receive, process, or store any card or bank account details — all payment data is held exclusively by these providers under their own privacy policies.
- Communications: support requests, feedback, and emails you send us
Information collected automatically
- Technical data: IP address, browser type and version, device type, operating system, country-level location header from our CDN
- Usage data: pages visited, features used, session duration, error logs
- Presence telemetry: see Section 7
- Cookies: see our Cookie Policy
4. How We Use Your Information
We use personal information for the purposes set out below. We limit our processing to what is reasonably necessary to deliver and improve the service you have requested.
| Purpose |
|---|
| Creating and managing your account |
| Providing AI tutoring lessons, homework help, and lecture recording features |
| Processing payments and managing subscriptions through our merchant-of-record providers |
| Sending service-related emails (e.g., lesson reports, account updates, parent approval emails) |
| Generating learning progress reports and study plans |
| Platform security, fraud prevention, abuse detection, and multi-account enforcement |
| Error monitoring, performance monitoring, and debugging |
| Website analytics (consent-based) |
| Advertising measurement (consent-based) |
| Marketing emails (opt-in, with one-click unsubscribe) |
| Responding to support requests and other communications |
| Complying with legal obligations (e.g., tax record retention) |
5. AI-Generated Content & Data Egress
What we send to AI providers. To deliver the tutoring service, we send the following categories of information to our AI providers (currently Google Gemini as the primary provider and OpenAI as a fallback and for vision and speech-to-text; see the sub-processor table in Section 9 for the complete list):
- The student's display name (typically a first name) and year group, so the model can address the student appropriately and generate age-suitable content.
- The subject, exam board, and curriculum context of the lesson.
- The student's verbatim answers to tutoring prompts, quiz questions and homework questions, and the conversation history of the active session.
- Uploaded homework images. When a student uploads a photo of handwritten work for marking, we send that image to the AI provider for optical character recognition (OCR) and assessment. We cannot reliably guarantee that an uploaded image does not incidentally contain the student's full name, the school's name, a date, or other content that the student has written on the page. Where students or parents do not want this information to leave our service, they should redact it from the page before uploading, or use the text-entry alternative where available.
- Voice recordings. Where students use the lecture-recording feature, the audio is sent to our speech-to-text provider for transcription. The transcript is then available to AI features that summarise the lecture or generate study notes from it.
- AI-generated observations and learning patterns about the student (see "AI inferences about your learning" below) are re-fed into AI providers when generating personalised study plans, audio recaps and similar features.
What we do not send to AI providers. We do not send: payment information; the student's date of birth; the parent's name, email or phone number; the student's legal name (where it differs from the display name).
AI training. We do not use student-submitted content to train AI models. We send data to our AI providers through their business/enterprise API tiers, on which submitted content is not used to train their models, and we select no-training and zero/limited-retention settings where a provider offers them.
Automated decisions. AI features at Tutorioo are educational personalisation tools. They do not produce decisions that have legal or similarly significant effects on the student.
6. AI Inferences About Your Learning
AI inferences about your learning. To personalise the tutoring experience, Tutorioo's AI features generate inferences about each student over time — for example, which topics the student appears to find difficult, the student's apparent learning speed, the times of day at which the student studies most productively, and short narrative observations that summarise patterns the AI has noticed across recent sessions. These inferences are stored against the student's account and re-used by features such as study-plan generation, weekly review summaries, audio recaps, and adaptive question selection.
These inferences are an automated form of profiling under data-protection law, but they are used only for the educational purpose of personalising tutoring. They do not produce decisions that have legal or similarly significant effects on the student.
Your rights over these inferences. A parent (or a student aged 13 or over acting on their own behalf where appropriate) can ask us to show what inferences we hold about a student, request correction of an inference the student believes is wrong, or request deletion of all stored inferences. Requests can be made by contacting support@tutorioo.com.
7. Real-Time Activity (Presence Telemetry)
Real-time activity for support and safety. While a student or parent is signed in to the service, we record the page or screen they are currently viewing and the time they were last active. This information is used to (a) keep the session open while the user is active, (b) generate accurate study-time totals for parent reports, and (c) allow our support team to see the context of a problem when a user contacts us for help. The information is not used for advertising and is not shared with third parties for their own purposes.
8. Sensitive Personal Information
Sensitive personal information. Under California's CPRA and similar US state laws, certain categories of personal information are designated as "sensitive personal information" (SPI) — for example, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, the content of mail/email/text messages, genetic data, biometric identifiers, health information, and information about sex life or sexual orientation.
The service does not require, and does not ask the student to provide, any such information. However, because tutoring sessions involve free-text input from the student, sensitive content may incidentally appear in the student's answers, support messages, or uploaded homework — for example, where a science homework question concerns a health topic, or where a student volunteers information about their religion in a humanities answer.
Where Tutorioo processes sensitive personal information only because the student has incidentally provided it during use of the service, we use it solely to deliver and improve the tutoring service requested by the user. We do not use it to infer characteristics about the user, and we do not use it for advertising or sale. You have the right to limit our use of your sensitive personal information — see "Your Privacy Rights" below.
9. Sub-Processors and Data Sharing
We do not sell personal information for monetary consideration. We share data only with trusted service providers ("sub-processors") who help us operate the platform, and only to the extent they need it to provide their service to us.
| Provider | Purpose | Categories of data received | Jurisdiction |
|---|---|---|---|
| Supabase | Primary database hosting and file storage | Account data; learning data; uploaded homework images; lecture audio recordings | United Kingdom (AWS eu-west-2, London) |
| Google (Gemini) | Primary AI tutoring model; report generation | Student display name, year group, subject, exam board, curriculum context, lesson conversation history, uploaded homework images (which may incidentally include handwritten names, school identifiers, and dates) | United States |
| OpenAI | Fallback AI tutoring model, vision OCR, speech-to-text | Same categories as Gemini when used as fallback; uploaded homework images for OCR; voice audio for transcription | United States |
| AssemblyAI | Live and batch speech-to-text for lecture recordings | Voice audio streamed from the browser; transcript reconciliation metadata | United States |
| Replicate | Premium text-to-speech (Kokoro model) | Tutoring text to be spoken aloud (no PII categories) | United States |
| Microsoft Edge TTS | Default text-to-speech | Tutoring text to be spoken aloud (no PII categories) | Microsoft global infrastructure |
| Paddle | Subscription billing (Merchant of Record) | Parent name, email, billing address, payment method, subscription state, IP address | United Kingdom / global |
| PayPal | Alternative subscription billing | Parent payer identifier, subscription state | United States |
| Resend | Transactional and report emails | Parent email address; PDF report attachments containing the student's name and AI-generated session summary | United States |
| Hostinger (SMTP & IMAP) | Outbound and inbound support email | Full inbound and outbound support email contents | European Union |
| Slack (webhook notifications) | Internal operational alerts to staff | New-signup and purchase notifications; see "Updates to this practice" below | United States |
| Sentry | Error tracking, performance monitoring, and session replay (masked) | Authenticated user identifier and role on errors; request URLs and stack traces; masked DOM replay (text, inputs and media are masked) | European Union (Frankfurt, Germany) |
| Meta (Facebook Pixel) | Advertising conversion measurement (consent-based) | Page-view, lead, registration, trial-start, subscription and purchase events from the marketing site | United States |
| Google Ads (gtag) | Advertising conversion measurement (consent-based) | Signup and purchase conversion events from the marketing site | United States |
| Google Analytics 4 | Web analytics (consent-based) | Anonymised usage events and pseudonymous identifiers from the marketing site | United States |
| Google reCAPTCHA (v2 and v3) | Bot and fraud defence on authentication endpoints | Browser session, interaction signals, IP address | United States |
| FingerprintJS | Multi-account and fraud detection | Browser visitor identifier and hardware/browser signals | United States |
| Cloudflare | Content delivery, DDoS protection, edge caching | All inbound HTTP traffic; connecting IP address; country-level geolocation header | Global edge |
| Upstash (Redis) | Job queue and cache for background processing | Job payloads, which may transiently include personal data being processed | Verify region in Upstash dashboard |
| Vercel | Frontend and marketing-site hosting; performance telemetry | Page-performance metrics and URL paths | Global edge |
| Render | Backend application hosting | All backend request traffic and processing | United States (verify exact region in Render dashboard) |
| Amazon Web Services (S3, Secrets Manager — fallback storage path only) | Optional alternative storage backend; secrets retrieval | Uploaded files where the alternative storage path is used | United States |
Updates to this practice. We are in the process of reducing the personal data we send to Slack so that internal staff notifications contain only obfuscated identifiers rather than names and email addresses. We are also reviewing whether we can pin AssemblyAI processing to a European endpoint. These changes will be reflected in this table as they are deployed.
US disclaimer.We do not sell personal information for money. Some of the third parties listed above (Meta, Google Ads) receive personal information for cross-context behavioural advertising, which may constitute "sharing" under California law. See "Do Not Sell or Share My Personal Information" below.
10. Children's Privacy (COPPA)
Tutorioo is not directed to children under 13 and we do not knowingly collect personal information from any child under 13. The service is intended for students aged 13 and over (typically US Grade 8 and above). Our practices reflect the Children's Online Privacy Protection Act and its implementing rule, 16 CFR Part 312.
Age gate at sign-up
Every account-creation path on Tutorioo asks for a date of birth. If the date of birth indicates the user is under 13, the registration is rejected and no account, profile, or other personal information is stored. There is no "parental approval" route that would allow a child under 13 to register, and the previously documented under-13 parental-approval flow has been removed.
If we learn of a child under 13 on the service
If we become aware that we have inadvertently collected personal information from a child under 13 — for example, because the user provided a false date of birth at sign-up, or because a parent or guardian notifies us — we will promptly delete that information and close the account. Parents and guardians who believe their child under 13 has an account on Tutorioo may contact us at support@tutorioo.com and we will action the deletion as soon as we have verified the report.
Users aged 13 and over
Users aged 13 to 17 may create their own accounts. Parents and guardians may exercise the privacy rights described in Sections 11 and 13 on a 13-to-17-year-old's behalf by contacting us from the email address associated with the relevant parent account.
No advertising profiling of minors on the service
We do not use minors' data for marketing or behavioural advertising purposes, do not profile minors for commercial purposes, and do not share minors' data with advertisers. Analytics and advertising cookies remain off by default and are subject to consent (see our Cookie Policy).
11. Your Privacy Rights
Subject to applicable law, you have the following rights with respect to your personal information:
- Right to know — request the categories and specific pieces of personal information we have collected about you, the categories of sources, the purposes, and the categories of recipients.
- Right to delete — request deletion of personal information we have collected from you, subject to legal exceptions.
- Right to correct — request correction of inaccurate personal information that we maintain about you.
- Right to opt out of sale or sharing — opt out of the sale or sharing (for cross-context behavioural advertising) of your personal information. See Section 12.
- Right to limit use of sensitive personal information — direct us to limit the use of sensitive personal information to what is necessary to provide the service. See Section 8.
- Right to data portability — receive a copy of your personal information in a structured, commonly used, machine-readable format.
- Right to non-discrimination — we will not deny you goods or services, charge different prices, or provide a different level or quality of service because you exercised a privacy right.
To exercise any of these rights, contact us at support@tutorioo.com. An in-app data-export and account-deletion tool is currently being built; in the meantime our support team will fulfil rights requests by email.
Authorised agents.You may designate an authorised agent to make a rights request on your behalf. The authorised agent must provide written authorisation from you, and we will verify the agent's identity and authority before responding. We may also ask you to verify your own identity directly.
Response timeframes. We will confirm receipt of a verifiable consumer request within 10 business days and respond to the substance of the request within 45 days. Where reasonably necessary, we may extend the response window by an additional 45 days, and we will notify you of the extension and the reason.
12. Do Not Sell or Share My Personal Information
We do not sell personal information for monetary consideration.However, some advertising-measurement data flows on our marketing site (Meta Pixel, Google Ads) may constitute "sharing" under California law because they involve the disclosure of personal information for cross-context behavioural advertising.
To exercise your right to opt out of the sale or sharing of your personal information, email support@tutorioo.comwith the subject line "Do Not Sell or Share — Opt Out". We are also building a one-click opt-out toggle in your account settings and will honour Global Privacy Control (GPC) signals once that toggle is live. In the meantime, opting out via Meta and Google's own controls (e.g., Ad Settings) will suppress the relevant cross-context advertising data flows from Tutorioo.
You can also reject advertising and analytics cookies via the cookie banner on this site at any time by clicking "Manage Cookies" in the page footer.
13. Your State Privacy Rights
In addition to the CCPA/CPRA rights above, residents of certain US states have rights under their state's comprehensive privacy laws, including the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Utah Consumer Privacy Act (UCPA), the Texas Data Privacy and Security Act (TDPSA), the Oregon Consumer Privacy Act (OCPA), the Montana Consumer Data Privacy Act (MCDPA), and the comprehensive privacy laws of Delaware, New Hampshire, New Jersey, Tennessee, Iowa, Nebraska, Minnesota, and Maryland, as well as any other US state comprehensive privacy law as and when it comes into force.
Subject to applicable law, these rights include:
- Right to access the personal information a controller has collected about you.
- Right to correct inaccurate personal information (where applicable under your state's law).
- Right to delete personal information.
- Right to data portability — receive a copy of your data in a portable, readily-usable format.
- Right to opt out of targeted advertising.
- Right to opt out of the sale of personal information.
- Right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects. As described in Sections 5 and 6, Tutorioo does not engage in such profiling.
To exercise a state privacy right, email support@tutorioo.com identifying your state of residence and the right you wish to exercise.
Appeal process. If we deny a rights request you submitted under a state privacy law, you may appeal by replying to our denial email within a reasonable time. We will respond to the appeal within 60 days, explaining the action we have taken or the reasons for not acting. If your appeal is denied, you may contact your state attorney general to submit a complaint.
14. Minors aged 13 to 15 — CPRA Opt-In
Under the California Privacy Rights Act, the sale or sharing of personal information of a consumer under 16 requires opt-in consent. Because Tutorioo does not knowingly accept users under 13 (see Section 10), this provision applies in practice to Tutorioo consumers aged 13, 14 or 15.
Tutorioo does not sell personal information for monetary consideration.Cross-context advertising data flows on Tutorioo currently take place via Meta Pixel and Google Ads tags. Those tags are loaded both on our public marketing pages and inside our authenticated application, and they fire only when the user has previously accepted marketing cookies via our cookie consent banner (the consent cookie is shared across subdomains, so a choice made on the marketing site applies inside the app). The cookie consent banner is therefore today's primary opt-out for these tags. We do not currently apply an additional automatic suppression layer based on the user's age — so a marketing-cookie opt-in given before a minor account was created may still result in those tags firing for that account. If you are aware that a consumer using Tutorioo is under 16, you should reject marketing cookies via the banner or contact support@tutorioo.com. An automatic age-based suppression for accounts known to belong to a user under 16 is on our engineering roadmap and this section will be updated when it ships.
15. International Data Transfers
Where your data is processed. Our primary database and file storage are hosted in the United Kingdom (Supabase, on AWS eu-west-2 in London). Some of the other providers listed in our sub-processor table are based in, or process data in, the United States or operate globally, so using them involves transferring some personal information internationally — including, for US users, processing in the United Kingdom.
We limit what is shared with each provider to what they need to deliver their service to us, and we protect personal information with encryption in transit and at rest and with access controls. For our AI providers, we send data only through their business/enterprise tiers, on which submitted content is not used to train their models. If you have questions about a specific provider, contact us at support@tutorioo.com.
16. Data Retention
We retain different types of data for different periods:
| Data Type | Retention Period |
|---|---|
| Account information | Until you delete your account. Deletion is immediate and irreversible. |
| Lesson sessions and transcripts | Until you delete your account (deleted immediately with account) |
| Homework sessions and uploads | Until you delete your account (deleted immediately with account) |
| Progress reports | Until you delete your account (deleted immediately with account) |
| Payment records | 7 years (legal obligation for tax and accounting purposes) |
| Security and audit logs | 180 days |
| Analytics data | 1 year |
| Support correspondence | 2 years after last contact |
When you delete your account, your personal data is deleted immediately. Some data may be retained longer if required by law (e.g., payment records for tax purposes).
17. Data Security
We implement appropriate technical and organisational measures to protect your personal information, including:
- Encryption in transit (TLS/HTTPS).
- Field-level encryption at rest, in our primary stores, for sensitive personal information including:
- legal names and display names;
- dates of birth;
- phone numbers;
- IP addresses, user-agent strings, and device fingerprints;
- free-text personal information you submit through support tickets, contact forms, affiliate-program profiles, invite flows, and email-delivery logs.
- Some fields are stored without field-level encryption by deliberate design, because the system cannot function correctly without them being directly readable:
- email addresses, which we use as your account identifier and for operational routing (e.g. delivering the email itself);
- your tutoring-session content (lesson transcripts, conversation history, and lesson-step data), which the AI tutor needs to read during the session;
- pseudonymous identifiers issued by our payment processors (Paddle and PayPal subscription and customer IDs), which are pointers to records held by those processors rather than personal information themselves.
- Application-layer tenant isolation. For full transparency: rather than relying on database row-level security, we enforce strict per-family ownership checks in our application on every request, combined with the field-level encryption described above. This application-layer isolation is the control that keeps one family's data inaccessible to another.
- Regular security audits and monitoring.
- Access controls and authentication requirements.
While we take reasonable precautions, no method of transmission over the internet or electronic storage is 100% secure.
18. Children's Online Privacy Protection Act — Service Not Directed to Children Under 13
Tutorioo is not directed to children under the age of 13 and we do not knowingly collect personal information from any child under 13. See Section 10 for the full description of our children's privacy posture, the age gate applied at every sign-up path, and the process for reporting an account believed to belong to a child under 13.
Parents and guardians who believe Tutorioo has inadvertently collected personal information from a child under 13 (for example, because the user provided a false date of birth at sign-up) may contact us at support@tutorioo.com. On verification we will promptly delete the information and close the account, in accordance with the FTC's COPPA Rule (16 CFR Part 312).
19. Commercial Email (CAN-SPAM)
Every commercial email we send identifies Janzay LLC as the sender, includes Janzay LLC's Wyoming postal address (30 N Gould St Ste 100, Sheridan, WY 82801, United States), and includes a clear one-click unsubscribe link. Unsubscribe requests are honoured promptly. Marketing-email preferences are being expanded in our unsubscribe portal, where you will be able to opt out of individual categories of email (e.g., product updates, parent-marketing, study tips) independently.
20. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or through a notice on our platform. The "Last updated" date at the top indicates when the policy was last revised.
21. Contact Us
For any questions about this Privacy Policy or how we handle your personal information, please contact us:
Janzay LLC
30 N Gould St Ste 100, Sheridan, WY 82801, United States
Email: support@tutorioo.com
For privacy-specific requests including opt-out and rights requests, email support@tutorioo.comwith a clear subject line (for example, "Right to Know Request", "Right to Delete Request", or "Do Not Sell or Share — Opt Out").
If you are a UK or EU visitor using this US site, our UK privacy policy at /privacy is an additional reference for UK GDPR-specific topics.