Privacy Policy

Last updated: April 12, 2026

1. Introduction

Zutor ("we", "us", "our") operates the website zutor.app. This Privacy Policy explains how we collect, use, and protect your personal information when you use our Service.

We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Data Controller

Zutor
Email: alex@zutor.app

3. Information We Collect

Information you provide:

• Account data: name, email address, password
• Student data: names, contact details, subjects, lesson notes, and payment records you enter into the Service
• Payment data: processed and stored by our payment partner Paddle. We do not store your credit card details.
• Communications: emails or messages you send to our support team

Information collected automatically:

• Usage data: pages visited, features used, session duration - collected via Umami, a privacy-friendly analytics tool that uses no cookies and does not identify individual users
• Device data: browser type, operating system, screen resolution
• Cookies: essential cookies for authentication and session management

4. How We Use Your Information

We use your information to:

• Provide and maintain the Service
• Process subscriptions and payments (via Paddle)
• Send transactional emails (account confirmation, password reset)
• Send lesson reminders (email and/or Telegram, if enabled by you)
• Sync your tutoring lessons with your Google Calendar (only if you connect Google Calendar in Settings)
• Improve the Service based on usage patterns
• Respond to support requests

Google Calendar integration

If you choose to connect your Google Calendar, we request the calendar.events scope. This allows Zutor to:

• Create events in your Google Calendar that correspond to lessons you create in Zutor
• Update these events when you edit the corresponding lesson in Zutor
• Delete these events when you delete the corresponding lesson in Zutor

We only manage events created by Zutor. We do not read, modify, or share other events on your calendar. Zutor's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use your Google Calendar data for advertising, do not sell it, and do not allow humans to read it except (a) with your explicit consent, (b) for security investigations, or (c) when required by law.

You can disconnect Google Calendar at any time from Settings; this revokes Zutor's access tokens and stops all future syncing. Existing events created in your Google Calendar remain there until you delete them.

We do not use your information to:

• Sell your data to third parties
• Send unsolicited marketing emails (unless you opt in)
• Build advertising profiles

5. Legal Basis for Processing (GDPR)

• Contract: processing necessary to provide the Service you signed up for
• Consent: optional features like Telegram reminders and marketing emails
• Legitimate interest: improving the Service, preventing fraud

6. Data Sharing

We share your data only with:

• Paddle - payment processing (as Merchant of Record)
• Resend - transactional emails (reminders, account notifications)
• Telegram - lesson reminders and notifications, only if you connect your Telegram account
• Google Calendar - lesson events sync, only if you connect Google Calendar (sends event title, time, duration, your timezone, and lesson notes)
• Sentry - error monitoring to improve service reliability (may include technical context such as user ID when an error occurs)
• Umami - privacy-friendly website analytics (no personal data, no cookies)
• Hosting provider - for storing and serving the application

We do not sell, rent, or trade your personal information. All third-party providers are bound by data processing agreements.

7. Data Retention

• Your data is retained for as long as your account is active.
• If you delete your account, your data is permanently deleted within 30 days.
• Payment records may be retained for up to 7 years for legal and tax compliance.

8. Your Rights (GDPR)

You have the right to:

• Access your personal data
• Rectify inaccurate data
• Delete your account and data
• Export your data (available via CSV export in the Service)
• Restrict processing of your data
• Object to processing based on legitimate interest
• Withdraw consent at any time for optional features

To exercise any of these rights, contact us at alex@zutor.app.

9. Cookies

We use only essential cookies required for the Service to function:

• Session cookie: keeps you logged in
• CSRF token: protects against cross-site request forgery

We do not use tracking cookies, advertising cookies, or analytics cookies that identify individual users.

10. Data Security

We protect your data with:

• HTTPS/TLS encryption for all connections
• Encrypted passwords (bcrypt hashing)
• Regular security updates
• Access controls limiting who can access production data

11. International Transfers

Your data is stored on servers in the Netherlands (EU). If data is transferred outside the EU (e.g., to third-party providers), we ensure appropriate safeguards are in place (e.g., Standard Contractual Clauses).

12. Children's Privacy

The Service is designed for tutors (adults) and is not intended for direct use by children under 18. Tutors may enter student data that includes information about minors (such as names and lesson notes). Tutors are responsible for obtaining appropriate consent from parents or guardians before entering such data. We do not knowingly allow children to create accounts. If you believe a child has registered an account, please contact us at alex@zutor.app.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The "Last updated" date at the top indicates the latest revision.

14. Contact

For privacy-related questions or requests:

Email: alex@zutor.app
Website: https://zutor.app