Legal
Tutorperch customer privacy notice
Last updated: 2026-04-29
This privacy notice tells you what to expect us to do with your personal information when you use Tutorperch.
Contents
Contact details
If you have any questions about this notice or want to exercise any of your data protection rights, contact us at privacy@tutorperch.com.
What information we collect, use, and why
To provide services and goods, including delivery
- Names and contact details
- Purchase or account history
- Payment details (including card or bank information for transfers and direct debits)
- Account information
- Photographs or video recordings (tutor profile photos)
- Information relating to compliments or complaints (reviews)
- Tutor profile content: display name, bio, headline, hourly rate, subjects, levels, exam-board familiarity, languages, years of experience, town and postcode area. On-platform messages between users (after auto-redaction of contact details).
For the operation of customer accounts and guarantees
- Names and contact details
- Payment details (including card or bank information for transfers and direct debits)
- Purchase history
- Account information, including registration details
- Information used for security purposes
- Account-state markers (holiday mode, profile-hidden, scheduled-close, locked); audit-log records of admin actions taken on the account.
To prevent, detect, investigate or prosecute crimes
- Names and contact information
- Customer or client accounts and records
- Criminal offence data (Disclosure and Barring Service / Access NI / Disclosure Scotland checks)
- Financial transaction information
- Message content that triggered a report; reporter and reportee user IDs; incident reason code and severity; audit trail of admin actions taken; banned-email entries.
For service updates
- Names and contact details
- Strictly service-related notifications only at this stage. Marketing communications would only be added after explicit opt-in and an updated privacy notice.
To comply with legal requirements
- Name
- Contact information
- Financial transaction information
- Criminal offence data (Disclosure and Barring Service / Access NI / Disclosure Scotland checks)
- Any other personal information required to comply with legal obligations
- Safeguarding information
For dealing with queries, complaints or claims
- Names and contact details
- Payment details
- Account information
- Purchase or service history
- Witness statements and contact details
- Customer or client accounts and records
- Financial transaction information
- Correspondence
- Profile state at the time of the complaint; on-platform messages or reviews referenced in the complaint.
Lawful bases and data protection rights
Under UK data protection law, we must have a "lawful basis" for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO's website.
Which lawful basis we rely on may affect your data protection rights, which include:
- Right of access — you can ask for copies of your personal information.
- Right to rectification — you can ask us to correct inaccurate or incomplete information.
- Right to erasure — you can ask us to delete your personal information.
- Right to restriction of processing — you can ask us to limit how we use your information.
- Right to object to processing — you can object to certain uses of your personal data.
- Right to data portability — you can ask that we transfer the information you gave us to another organisation, or to you.
- Right to withdraw consent — where we rely on consent, you can withdraw it at any time.
If you make a request, we'll respond without undue delay and within one month. To make a request, email privacy@tutorperch.com.
Our lawful bases
To provide services and goods
- Contract — we collect and use the information so we can carry out the service contract (these terms of use) with you. All of your data protection rights apply except the right to object.
- Legitimate interests — operating and improving the directory; ensuring system integrity, uptime, and security; aggregate non-identifying usage signals for product decisions. All of your rights apply except the right to data portability.
For the operation of customer accounts and guarantees
- Contract — to deliver the account features you signed up for.
- Legitimate interests — keeping accounts secure (session management, login-attempt tracking, magic-link token security); maintaining an audit log of admin actions on the account; enforcing account-state markers (lock, holiday mode, scheduled close).
To prevent, detect, investigate or prosecute crimes
- Legal obligation — for cooperation with police, court orders, and mandatory safeguarding referral duties.
- Legitimate interests — protecting users (especially under-18s referenced in user-generated content) and the platform's integrity; investigating reports of abuse, fraud, or harassment; maintaining the contact-details redaction system, the banned-emails list, and the audit trail of admin enforcement actions.
For service updates
- Contract — to notify you about material changes to terms, policies, or service availability that affect your contract with us.
- Legitimate interests — informing you about non-essential account-state changes (e.g. DBS verification expiry reminder) without requiring opt-in to every individual notice.
To comply with legal requirements
- Legal obligation — only basis. HMRC platform-reporting (6-year retention of unlock records), ICO subject-access compliance, court orders, mandatory safeguarding disclosures.
For dealing with queries, complaints or claims
- Contract — resolving service-related complaints is part of performing the contract.
- Legitimate interests — defending the platform against claims; retaining correspondence for the limitation period; linking new complaints to prior incidents on the same user; learning from past disputes to improve the service.
Where we get personal information from
- Directly from you
If a user-generated message or review you write happens to mention another person, we hold that text as user-generated content; we don't separately purchase or receive personal data about anyone from third-party sources.
How long we keep information
Retention periods vary by data type. The full schedule is at the retention schedule below.
Sharing information outside the UK
Where necessary, our data processors may share personal information outside the UK. When they do, they comply with the UK GDPR and put appropriate safeguards in place.
For further information or a copy of the safeguard for any of the transfers below, email privacy@tutorperch.com.
Cloudflare, Inc.
- Category of recipient: Cloud infrastructure / hosting provider.
- Country: United States of America.
- Transfer mechanism: Addendum to the EU Standard Contractual Clauses (SCCs). The EU-US Data Privacy Framework, with its UK Extension, provides a complementary basis where Cloudflare is self-certified.
Stripe, Inc. (parent of Stripe Payments UK Ltd)
- Category of recipient: Payment processor / payments infrastructure.
- Country: United States of America.
- Transfer mechanism: Addendum to the EU Standard Contractual Clauses (SCCs). The EU-US Data Privacy Framework, with its UK Extension, provides a complementary basis.
Children
Tutorperch accounts are for adults (18+). We don't intentionally collect data about children, but we recognise that:
- Some 16-18 year olds may sign up directly to find a tutor for their own studies. We can't fully age-verify a magic-link email at signup.
- Parents and guardians using the platform on behalf of a child may reference that child by name, age, or year group in messages or reviews — that text becomes user-generated content held on the platform.
Where children are referenced in user-generated content, we treat that data with the same protections as any other personal data. We've designed the platform with the ICO's Age-Appropriate Design Code principles in mind: data minimisation, default- private profiles for non-tutor accounts, no profiling for advertising, no nudging patterns, no behavioural retargeting.
Parents and guardians remain responsible for the safety of any child during off- platform lessons. We don't run lessons; once a tutor's contact details are unlocked, the tutoring relationship is between the tutor and the family, off-platform.
Retention schedule
The full list of personal data we hold and how long we keep it.
- Account data (email, display name, role, profile)
Retention period
Until account closure
Notes
30-day grace mode allows reactivation; immediate close is irreversible.
- Tutor profile content (bio, photo, subjects, qualifications, etc.)
Retention period
Until account closure
Notes
Pseudonymised on close.
- Messages between users
Retention period
Until both accounts closed
Notes
Threads freeze (read-only) when either party closes; hard-deleted when both parties have closed.
- Reviews
Retention period
Until both accounts closed
Notes
Same lifecycle as messages.
- Unlock transaction records (£20 finder's fee)
Retention period
6 years
Notes
HMRC platform-reporting obligation — retained regardless of account closure.
- DBS certificate image
Retention period
Until admin verify decision
Notes
Purged from R2 immediately after the review decision is made.
- DBS metadata (cert number, applicant name, DOB, issue date, status)
Retention period
Up to 3 years
Notes
Until the badge expires (3 years from cert issue date) or the tutor revokes the verification.
- Banned-emails list
Retention period
Indefinitely
Notes
Prevents ban-evasion via re-signup.
- Audit log of admin actions
Retention period
Indefinitely
Notes
Compliance and safeguarding traceability.
- Safeguarding evidence (e.g. content preserved for IWF/police referral)
Retention period
Per IWF / police instructions only
Notes
Held outside the standard schedule when content has been preserved as evidence following a safeguarding referral. Released only when law-enforcement clears.
- Magic-link sign-in tokens
Retention period
15 minutes
Notes
Single-use; deleted on consume or expiry.
- Email-change confirmation tokens
Retention period
1 hour
Notes
Single-use.
- Account-close confirmation tokens
Retention period
1 hour
Notes
Single-use.
- Admin-invite tokens
Retention period
7 days
Notes
Single-use; revocable.
- Session cookies
Retention period
30 days
Notes
Sliding window — extended on activity.
This schedule may be updated as the platform evolves. Material changes will be flagged to signed-in users in advance.
How to complain
If you have any concerns about our use of your personal data, please contact us first at privacy@tutorperch.com. We aim to respond to complaints within 10 working days.
If you remain unhappy after raising a complaint with us, you can also complain to the Information Commissioner's Office (ICO).
Information Commissioner's OfficeWycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Helpline: 0303 123 1113
www.ico.org.uk/make-a-complaint