Tutorperch customer privacy notice

Contact details

The data controller is Tutorperch Ltd, a company registered in England and Wales (company number 17207346), registered office 124 City Road, London EC1V 2NX.

We are registered with the UK Information Commissioner's Office under registration number ZC142644.

If you have any questions about this notice or want to exercise any of your data protection rights, contact us at privacy@tutorperch.com.

What information we collect, use, and why

To provide services and goods, including delivery

• Names and contact details
• Purchase or account history
• Payment details (including card or bank information for transfers and direct debits)
• Account information
• Photographs or video recordings (tutor profile photos)
• Information relating to compliments or complaints (reviews)
• Tutor profile content: display name, bio, headline, hourly rate, subjects, levels, exam-board familiarity, languages, years of experience, town and postcode area. On-platform messages between users (after auto-redaction of contact details).

For the operation of customer accounts and guarantees

• Names and contact details
• Payment details (including card or bank information for transfers and direct debits)
• Purchase history
• Account information, including registration details
• Information used for security purposes
• Account-state markers (holiday mode, profile-hidden, scheduled-close, locked); audit-log records of admin actions taken on the account.

To prevent, detect, investigate or prosecute crimes

• Names and contact information
• Customer or client accounts and records
• Criminal offence data (Disclosure and Barring Service / Access NI / Disclosure Scotland checks)
• Financial transaction information
• Message content that triggered a report; reporter and reportee user IDs; incident reason code and severity; audit trail of admin actions taken; banned-email entries.

Identity verification (tutors only)

Every tutor passes a document + selfie identity check before they can publish. The check runs through either Stripe Identity or Didit; we use one at a time and can switch between them. From whichever provider is in use we receive and store only metadata, never the document image or biometric data: provider, session ID, verified first + last name, verified date of birth, attempt counter, and (if the check failed) the most recent error code. Provider-side handling is described under Identity verification providers in §sharing below. We process this special-category data under Article 9(2)(g) UK GDPR (substantial public interest in safeguarding and fraud prevention).

Safeguarding submission and verification (tutors only)

Tutors may voluntarily submit a safeguarding disclosure under one of three UK schemes: DBS Enhanced certificate (England + Wales), PVG scheme record (Scotland), or AccessNI Enhanced Disclosure (Northern Ireland). After the admin decision we retain only the reference number, the applicant's name and date of birth as they appeared on the disclosure, the issue date, and a clear / not-clear status, never the disclosure contents themselves (UK GDPR Article 10, criminal-offence data minimisation). The per-scheme processor flows (whether we hold a cert image, which issuer portal an admin reviews, what data is transmitted) are described under DBS, Disclosure Scotland, and AccessNI in §sharing below.

Qualification evidence submission (tutors only)

Tutors may voluntarily upload certificate evidence for a qualification already listed on their profile. We process the certificate images only for manual admin review; they are purged from storage when the admin records a decision (approve, reject, or cancel), when the tutor deletes the qualification, or within 21 days if no decision is recorded. We retain the review outcome on the qualification row (review status, method, verification date, content fingerprint, and Qualified Teacher flag where applicable) plus a submission record with the attestation text and timestamp, and whether the tutor asked us to check Qualified Teacher status on that upload. We do not confirm results with awarding bodies. Lawful basis: legitimate interests (fraud prevention and honest credential representation on the platform); the faithful-copy attestation the tutor ticks at upload is a Fraud Act 2006 declaration that supports that interest, not a separate consent basis. See section 11 of the Terms of Service.

Live status checks (tutors only)

Where a tutor has consented at submission, an admin may run a live status check. The mechanism differs per scheme:

• DBS, automated check against the DBS Update Service (Police Act 1997 s.116A). We send the certificate number, the applicant's name and date of birth, our organisation name, and the reviewing admin's name.
• PVG, an admin re-prompts the tutor to share their current record via Disclosure Scotland's Online Account; the tokenised share-link arrives at our verification address; the admin views the live record at the Disclosure Scotland portal (PVG (Scotland) Act 2007 ss. 52, 54, 55) and records what they saw. No data is sent to a third party, the share is initiated by the tutor and viewed by us in-portal.
• AccessNI, no live status-check service exists. The badge reflects the certificate as reviewed at the admin decision date, refreshed on our 3-year cycle.

We retain on the submission row: the verbatim consent text the tutor saw, the timestamp the consent was given, the timestamp any check was run, the admin's name at the time, the outcome, and any error reason. The result feeds the safeguarding decision and is never disclosed to anyone outside the admin team.

For service updates

• Names and contact details
• Strictly service-related notifications only at this stage. Marketing communications would only be added after explicit opt-in and an updated privacy notice.

To comply with legal requirements

• Name
• Contact information
• Financial transaction information
• Criminal offence data (Disclosure and Barring Service / Access NI / Disclosure Scotland checks)
• Any other personal information required to comply with legal obligations
• Safeguarding information

For dealing with queries, complaints or claims

• Names and contact details
• Payment details
• Account information
• Purchase or service history
• Witness statements and contact details
• Customer or client accounts and records
• Financial transaction information
• Correspondence
• Profile state at the time of the complaint; on-platform messages or reviews referenced in the complaint.

Lawful bases and data protection rights

Under UK data protection law, we must have a "lawful basis" for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO's website.

Which lawful basis we rely on may affect your data protection rights, which include:

• Right of access, you can ask for copies of your personal information.
• Right to rectification, you can ask us to correct inaccurate or incomplete information.
• Right to erasure, you can ask us to delete your personal information.
• Right to restriction of processing, where one of the four UK GDPR Article 18 grounds applies (you contest accuracy, the processing is unlawful but you don't want erasure, we no longer need the data but you need it for legal claims, or you're awaiting verification of an objection) you can ask us to limit how we use it.
• Right to object to processing, where we process your data on the basis of legitimate interest or for direct marketing, you can object. We'll stop unless we can show compelling legitimate grounds that override your rights, or the processing is for legal claims.
• Right to data portability, where processing is on the basis of consent or contract and is carried out by automated means, you can ask that we transfer the information you gave us to another organisation, or to you.
• Right to withdraw consent, where we rely on consent, you can withdraw it at any time.
• Right not to be subject to automated decisions, see the Automated decisions section.

If you make a request, we'll respond without undue delay and within one month. To make a request, email privacy@tutorperch.com. We verify your identity by sending a magic-link to the email on file before fulfilling a request.

Our lawful bases

To provide services and goods

• Contract, we collect and use the information so we can carry out the service contract (these terms of use) with you. All of your data protection rights apply except the right to object.
• Legitimate interests, operating and improving the directory; ensuring system integrity, uptime, and security; in-product event logging (page paths, searches you type, signed-in user actions) for funnel-health monitoring on our admin dashboard. All of your rights apply except the right to data portability.

For the operation of customer accounts and guarantees

• Contract, to deliver the account features you signed up for.
• Legitimate interests, keeping accounts secure (session management, login-attempt tracking, magic-link token security); maintaining an audit log of admin actions on the account; enforcing account-state markers (lock, holiday mode, scheduled close).

To prevent, detect, investigate or prosecute crimes

• Legal obligation, for cooperation with police, court orders, and mandatory safeguarding referral duties.
• Legitimate interests, protecting users (especially under-18s referenced in user-generated content) and the platform's integrity; investigating reports of abuse, fraud, or harassment; maintaining the contact-details redaction system, the banned-emails list, and the audit trail of admin enforcement actions.

For service updates

• Contract, to notify you about material changes to terms, policies, or service availability that affect your contract with us.
• Legitimate interests, informing you about non-essential account-state changes (e.g. DBS verification expiry reminder) without requiring opt-in to every individual notice.

To comply with legal requirements

• Legal obligation, only basis. HMRC platform-reporting (6-year retention of unlock records), ICO subject-access compliance, court orders, mandatory safeguarding disclosures.

For dealing with queries, complaints or claims

• Legitimate interests, defending the platform against claims; retaining correspondence for the limitation period; linking new complaints to prior incidents on the same user; learning from past disputes to improve the service.

Where we get personal information from

• Directly from you
• Publicly-available archives of the First Tutors website (Common Crawl and the Wayback Machine), captured before First Tutors closed in 2026. We use these to reconstruct unclaimed tutor profiles so previous First Tutors tutors can optionally claim their reviews onto a Tutorperch profile. See the First Tutors archive section below for what we hold, the lawful basis, and how to ask for removal.
• From a referee a tutor names, when we ask that person for a short reference about the tutor. If you are a referee, the tutor gave us your name and email so we could contact you. See the tutor references section below for what we do with it and how to ask us to delete it (UK GDPR Article 14).

If a user-generated message or review you write happens to mention another person, we hold that text as user-generated content. We don't buy personal data from data brokers or any other commercial source.

First Tutors archive

When First Tutors closed in 2026 we indexed the publicly-available archive of the site (Common Crawl + the Wayback Machine) so previous First Tutors tutors can claim their old profile + reviews onto Tutorperch if they want to. The archive lives in a separate, read-only database (tutorperch-ft-archive) and is never used to populate a profile that hasn't been claimed by the tutor it belongs to.

What we hold: tutor display name, town, subjects/levels, reviews (reviewer's chosen display name, rating, body text), and where applicable an archived profile photo URL. Everything was publicly visible on First Tutors at the time of capture; we don't hold contact details (those were behind First Tutors' paywall).

Lawful basis: legitimate interest (UK GDPR Art 6(1)(f)), to preserve the public review record of UK tutors disrupted by First Tutors' closure and to let tutors continue their work on a successor platform. Our legitimate-interest balancing assessment is on file and available to data subjects on request.

How to ask for removal: if you appear in the archive (as a tutor or as a reviewer) and you'd like your records taken down, email privacy@tutorperch.com. We'll remove the records or, for tutors, you can claim your profile and control it yourself at /me/external-reviews/firsttutor.

Tutor references

As a matter of Tutorperch policy, and in line with our reading of the Conduct of Employment Agencies and Employment Businesses Regulations 2003 (reg 22), we ask every tutor for two references from people who are not related to them before their profile can go live. If a tutor names you as a referee, we email you a short form. We received your name and email from the tutor.

What we hold: your name, how you say you know the tutor, your answer on whether they're suitable, your yes/no answer on any concern, and the consent you gave on the form. We delete your email address once we've reviewed and accepted the reference (or within 30 days if you don't respond), keeping only a one-way hash of it. Your reference is held as our record that we carried out the check and is never shown to the tutor. We keep it while the tutor's account is open, and for at least a year after it closes to meet the reg 29 records floor, then delete it.

Lawful basis: legitimate interest (UK GDPR Art 6(1)(f)), to keep tutoring on the platform trustworthy and to support our child-safety obligations. Our legitimate-interest balancing assessment is on file and available on request.

Your rights: you can ask us what we hold about you, ask us to correct it, or withdraw your reference at any time by emailing privacy@tutorperch.com. Because you don't have an account with us, we look you up by the hash of your email.

How long we keep information

Retention periods vary by data type. The full schedule is at the retention schedule below.

Who we share information with

Data processors

Cloudflare, Inc.

Hosts our website and database, stores uploaded files, and provides bot protection on signup. Operates on our instruction under the standard Cloudflare data-processing addendum, with our data primarily held on their UK and EU infrastructure.

We also use Cloudflare Analytics Engine to log a small set of in-product events for our own operational analytics (page paths, search queries you type into the directory, and the user identifier of signed-in actions like profile views, unlock payments, and messages sent). Cloudflare retains these events for 90 days on a rolling window; per-day totals are then archived in our database for long-term trend analysis. We don't share this data with third parties.

Postcodes.io (Ideal Postcodes)

When you type into a location field (postcode, town, or area) on Tutorperch, either when setting up a tutor profile or when searching for tutors near a location, the query text you type is forwarded via our server to postcodes.io to resolve your input to UK postcode and place data (under the Open Government Licence). We don't send your IP address or any other identifying details with the query; postcodes.io sees a Cloudflare egress IP, not yours. We never store a tutor's full postcode, only the outward part (e.g. "BA2") and the area you choose. See our Attributions page for the underlying data licence.

Resend, Inc.

Sends our outbound transactional and lifecycle emails (sign-in magic links, email-change and account-close confirmations, payment receipts, refund notices, identity-verification results, safeguarding decisions, qualification-review decisions, message and review notifications). Receives the message content and recipient details as needed to deliver, and returns delivery, bounce, and complaint metadata to us. Used as a processor under the standard Resend data-processing agreement.

Twilio Inc.

Sends the one-time SMS verification code when we ask a first-time sender to confirm a UK mobile before their first message (anti-spam / anti-fraud). Receives the mobile number and returns the verification result. We instruct Twilio to keep message records for the minimum window. Used as a processor under the standard Twilio data-processing addendum.

Amazon Web Services (AWS)

When automated message screening is switched on, the text of messages between users is sent to AWS to be checked for scams, abuse, and attempts to share contact details before the finder's fee is paid. That check runs entirely in AWS's UK (London) region, so your messages do not leave the UK; we store only a short safety result, and the message text itself is not kept by AWS. When automated profile screening is switched on, the public free-text parts of a tutor profile (headline, bio, block-discount details) are likewise sent to AWS to be checked against our Tutors Code of Conduct, and again only a short result is stored. The AI model we use for the profile check is only offered in AWS's European region, so that check runs within the EU rather than the UK alone, still inside the UK/EU area covered by UK data-protection rules. Used as a processor under the AWS Data Processing Addendum.

Google LLC (Google Workspace)

Receives inbound mail addressed to our team aliases (such as privacy@tutorperch.com, support@tutorperch.com, and hello@tutorperch.com). Holds the sender, subject, body, and any attachments along with the standard mailbox metadata. Used as a processor under the standard Google Workspace data-processing addendum.

Stripe Payments UK Ltd

Processes the finder's-fee transaction when a student unlocks a tutor's contact details, including cardholder name, billing address, payment-card details, and transaction metadata. We never see or store full card numbers; Stripe processes the card and returns a transaction reference, which is what we keep on the user's account. Stripe also processes refunds and the one-off tutor verification fee.

Identity verification providers

We use either Stripe Identity (Stripe, Inc.) or Didit (Didit, S.L.) for the tutor document + selfie identity check. The provider receives the government- issued ID and a selfie directly from the tutor's browser, and returns the verified first name, last name, and date of birth, which we use for the manual cross-check at DBS review. An admin briefly views the selfie once at the profile-photo review step, streamed through our server with no persistence on our side; the selfie is not used as the profile picture. We instruct the provider to delete the verification record (document image + biometric data) after the safeguarding decision is recorded. Stripe Identity stores data in the United States; Didit stores data in the European Economic Area.

Disclosure and Barring Service (DBS), UK government

When a DBS tutor consents at submission, an admin may run a status check against the DBS Update Service (a UK government service operated by DBS, an executive non-departmental public body sponsored by the Home Office). We transmit the certificate number, the applicant's name and date of birth, our organisation name, and the reviewing admin's name. The Service returns whether anything has changed on the certificate since issue. The transmission is governed by Police Act 1997 s.116A and is made on the basis of the tutor's prior written consent, which we retain.

Disclosure Scotland, Scottish Government

Where a Scotland-based tutor holds a PVG scheme record under the Protection of Vulnerable Groups (Scotland) Act 2007 and consents at submission, an admin may view their current record by clicking the tokenised share-link the tutor sends via Disclosure Scotland's Online Account service (account.disclosure.scot). No data is transmitted from us to Disclosure Scotland, the tutor initiates the share, and we view the record on Disclosure Scotland's portal. The basis is the tutor's prior written consent under PVG Act 2007 ss. 52, 54, and 55, which we retain.

AccessNI, Northern Ireland Department of Justice

Where a Northern Ireland-based tutor holds an AccessNI Enhanced Disclosure under the Police Act 1997 (NI) and consents at submission, the tutor shares their digital certificate via their NIDA (NIDirect LOA2 account) with our verification address. A tokenised share-link is emailed to us; an admin clicks the link and views the live certificate on AccessNI's portal (the link expires after 5 days and is single-use). No data is transmitted from us to AccessNI, the share is tutor-initiated. Unlike the DBS Update Service, AccessNI does not operate an ongoing recheck against the same certificate after issue, each verification is a view of the certificate as held by AccessNI at the time of share. The legal basis for our retention is the tutor's prior written consent under the AccessNI Code of Practice, which we keep.

Others we share information with

• Organisations we need to share information with for safeguarding reasons
• Professional or legal advisors
• Financial or fraud investigation authorities
• Relevant regulatory authorities (HMRC, ICO, Ofcom)
• Organisations we are legally obliged to share personal information with
• Emergency services
• Publicly on our website, tutor profiles and reviews are publicly visible by design (that's the directory model). Tutors choose to publish their profile.

Sharing information outside the UK

Where necessary, our data processors may share personal information outside the UK. When they do, they comply with the UK GDPR and put appropriate safeguards in place.

For further information or a copy of the safeguard for any of the transfers below, email privacy@tutorperch.com.

Every transfer below is covered by the same standard mechanism: the Addendum to the EU Standard Contractual Clauses (SCCs), with the EU-US Data Privacy Framework's UK Extension as a complementary basis where the recipient is self-certified.

Children

Tutorperch accounts are for adults (18+). We don't intentionally collect data about children, but we recognise that:

• Some 16-18 year olds may sign up directly to find a tutor for their own studies. We can't fully age-verify a magic-link email at signup.
• Parents and guardians using the platform on behalf of a child may reference that child by name, age, or year group in messages or reviews, that text becomes user-generated content held on the platform.

Where children are referenced in user-generated content, we treat that data with the same protections as any other personal data. We've designed the platform with the ICO's Age-Appropriate Design Code principles in mind: data minimisation, default- private profiles for non-tutor accounts, no profiling for advertising, no nudging patterns. We don't use your data for behavioural advertising, retargeting, or cross-site profiles. We do capture engagement signals on Tutorperch itself (time spent on the page, scroll depth, outbound clicks) to understand which content works; see the in-product event log row in the retention schedule.

Parents and guardians remain responsible for the safety of any child during off- platform lessons. We don't run lessons; once a tutor's contact details are unlocked, the tutoring relationship is between the tutor and the family, off-platform.

Automated decisions

Two systems on the platform can take an automated decision that affects you without a person reviewing it first: our anti-abuse engine (which detects suspicious account behaviour) and our scam-detection engine (which detects patterns associated with fake accounts or coordinated review fraud). Where either system's score crosses a defined threshold, the action it can take is to lock the account pending review; you can still sign in, but you can't send messages or take other actions until an admin has looked at the case.

What we use them for: preventing fraud, harassment, and contact-detail bypass (UK GDPR Art 6(1)(f) legitimate interest; condition for automated decision-making under Art 22(2)(b), necessary for entering into or performing the contract between you and Tutorperch). The systems use signals like number of messages sent in a short window, per-message contact-redaction trips, repeat-near-duplicate outgoing text, and IP/UA stability across accounts. They do not consider any special-category data.

Your rights: under UK GDPR Article 22(3) you can ask for a human review of any automated decision affecting you. Every account that is auto-locked is paired with an internal incident that an admin reviews, usually within 48 hours, and the /locked page that's shown to affected users carries a "Request a review" form you can use to add your own context. If you disagree with the outcome of that review, you can contest the decision by emailing privacy@tutorperch.com.

Message screening: we also use an automated system to screen messages between users for scams, abuse, and attempts to share contact details before the finder's fee is paid (UK GDPR Art 6(1)(f) legitimate interest in keeping the platform safe and protecting people from fraud and harassment; the screening runs on Amazon Web Services, see the processors list above). This is not a solely-automated decision about you: where a message is flagged for routine review, a person on our team looks at it before a decision is made, rather than it being blocked automatically. If an account is suspended or restricted for serious misuse, the messages it sends may not be delivered. The screening looks at the message text only, never special-category data about you, and we keep only a short safety result (see the retention schedule).

Profile screening (tutors): when switched on, an automated system checks the public free-text parts of a tutor profile (headline, bio, block-discount details) against our Tutors Code of Conduct when the profile is published or edited (UK GDPR Art 6(1)(f) legitimate interest in keeping the directory safe and honest; the screening runs on Amazon Web Services in the EU region, see the processors list above). This is not a solely-automated decision with adverse effect: the system can approve a routine edit for publication or refer a profile to a person on our team, but it never rejects, hides, or suspends a profile by itself. Those decisions are always made by a person.

Email communications

We split the emails we send into four categories, each with a different lawful basis under the UK GDPR and PECR. Auth and security emails always reach you while you have an account. The other categories can be turned off from the email preferences link in the footer of every email we send, or with the one-click "Unsubscribe" button mailbox providers like Gmail show next to the sender name.

We keep an audit log of which emails were sent to which user (category and template name only, never the body) for 24 months, so we can answer subject-access requests and diagnose delivery issues. The log is purged on account closure.

Retention schedule

The full list of personal data we hold and how long we keep it.

Account data (email, display name, role, profile)

Retention period

Until account closure

Notes

30-day grace mode allows reactivation; immediate close is irreversible.

Tutor profile content (bio, photo, subjects, qualifications, etc.)

Retention period

Until account closure

Notes

Pseudonymised on close.

Messages between users

Retention period

Until both accounts closed

Notes

Threads freeze (read-only) when either party closes; hard-deleted when both parties have closed.

Message-screening result (automated safety check)

Retention period

Kept with the message; deleted when the message is

Notes

When automated message screening is on, we keep a short safety result for each message, used to spot scams, abuse, and contact-detail sharing. It never includes a copy of your message. It is kept alongside the message and deleted when the message is deleted (once both people have closed their accounts), or sooner if you ask us to erase your data.

Profile-screening result (automated safety check, tutors)

Retention period

Kept with the tutor profile; deleted when the profile is

Notes

When automated profile screening is on, we keep a short result for each check of a tutor profile against our Tutors Code of Conduct (for example, off-platform redirection or misleading claims). It may quote short snippets of the public profile text being checked, and nothing else. It is deleted when the tutor profile is deleted, or sooner on an erasure request.

Mobile number (first-time senders, when SMS verification is on)

Retention period

Number deleted on send, or within 7 to 30 days; one-way hash kept while your account is open

Notes

If we ask you to verify a UK mobile by text code before your first message, we use it only to confirm the number and deter spam, and we never share it with the tutor. We use Twilio to send the code. The number itself is deleted as soon as your message is sent (or within 7 days if you do not finish verifying, or 30 days if your message is held for manual review). We also keep a one-way hash of the number to stop the same number being used to create several accounts; that hash is deleted when you close your account.

Reviews

Retention period

Until both accounts closed

Notes

Same lifecycle as messages. The reviewer's name is masked to 'Closed account' if the writer closes their account before the subject does.

Unlock transaction records (finder's fee)

Retention period

6 years

Notes

HMRC platform-reporting obligation, retained regardless of account closure.

DBS certificate image (the upload itself)

Retention period

Until admin verify decision

Notes

DBS only, PVG and AccessNI use issuer-portal share-links with no upload. Purged from R2 when the admin records a decision, or within 21 days of upload if no decision is recorded. Held under a separate restricted prefix in the meantime.

Qualification certificate images (the upload itself)

Retention period

Until admin review decision

Notes

Optional tutor-initiated evidence for credential review marks. Purged from R2 when the admin records approve, reject, or cancel, when the tutor deletes the qualification, or within 21 days of upload if no decision is recorded. A clearer-copy request keeps the current files until the tutor re-uploads. Held under a separate restricted prefix (max 5 files, 10 MB each).

Qualification verification metadata (review status, method, verified date, content fingerprint, Qualified Teacher flag)

Retention period

Until account closure or qualification removed

Notes

The public read model on each qualification row. Never includes certificate images. Editing qualification details after approval may invalidate the mark when the content fingerprint no longer matches.

Qualification evidence attestation record (verbatim text + timestamp)

Retention period

Lifetime of the qualification submission row

Notes

Anchors the Fraud Act faithful-copy declaration the tutor ticked at upload. Cleared when the tutor profile is removed.

Qualified Teacher intent flag on qualification submission (seeking_qualified_teacher)

Retention period

Lifetime of the qualification submission row

Notes

Records whether the tutor asked us to check QTS (Teaching Regulation Agency record) or QTLS (Society for Education and Training) for that upload (PGCE-style teaching rows). Cleared when the tutor profile is removed.

Safeguarding metadata (reference number, applicant name, DOB, issue date, clear/not-clear status, scheme kind)

Retention period

Up to 3 years

Notes

Until the badge expires (3 years from our verification date) or the tutor revokes the verification. Same fields across DBS, PVG, and AccessNI; never includes the disclosure contents.

Live status-check consent record (verbatim text + timestamp)

Retention period

Lifetime of the safeguarding submission row

Notes

Anchors any DBS Update Service call (Police Act 1997 s.116A) or Disclosure Scotland portal review (PVG Act 2007 ss.52/54/55) we ran on this submission to the consent the tutor actually gave. Cleared when the tutor profile is removed.

Live status-check result + admin name + timestamp

Retention period

Lifetime of the safeguarding submission row

Notes

For DBS: API result (clean/had-content/new-info/error). For PVG: admin-recorded portal review outcome. AccessNI has no live status check. Held with the submission record; cleared when the tutor profile is removed.

Tutor reference content (referee name, how they know the tutor, their suitability comment, consent record)

Retention period

Account life, then 1 more year

Notes

A reference a third-party referee gives so a tutor can be listed (Conduct of Employment Agencies and Employment Businesses Regulations 2003, reg 22). Held as our record that the check was done; never shown to the tutor. Kept for the life of the tutor account and then for at least a year after closure to meet the reg 29 records floor, after which it is deleted. Incomplete invites a referee never answered are deleted at closure.

Referee's email address

Retention period

Until the reference is verified, then deleted

Notes

Deleted (replaced with a one-way hash) once we accept the reference, or within 30 days if the referee never responds. The hash lets us prevent duplicate invites and handle a referee request to be forgotten; it cannot be turned back into the email.

Identity verification metadata (provider, session ID, verified name + DOB, attempts, last error)

Retention period

Until tutor profile is removed

Notes

We use either Stripe Identity or Didit for the tutor document + selfie check. We store only metadata on our side, never the document image or biometric data. We instruct the provider to delete the verification record after the safeguarding decision is locked in.

Contact-form submissions (sent to hello@tutorperch.com)

Retention period

In our inbox per the founder's personal-mailbox retention

Notes

Submitted via the /contact page; we don't keep a separate copy on the platform.

Email-send log (category, template name, timestamp)

Retention period

24 months

Notes

Audit trail of which transactional / lifecycle emails were sent to which user. Never includes the message body. Purged immediately on account closure.

In-product event log (Cloudflare Analytics Engine)

Retention period

90 days raw, then per-day totals indefinitely

Notes

Page paths, search queries you type, and signed-in user actions (profile views, unlock payments, messages sent). Used by our admin dashboard to monitor funnel health. Raw rows roll off the 90-day window naturally; daily totals are retained afterwards in anonymised form and no longer identify individuals.

Email-engagement attribution

Retention period

90 days raw, then nulled out

Notes

Records when you click a link in one of our reminder, notification, or broadcast emails: the campaign name, the page you landed on, and your account ID. We use it to decide which reminders work and which to retire. No tracking pixel is embedded in the email itself; the record is created server-side when you click through. If you've turned off marketing email in your preferences we don't send marketing-medium emails to you and there's nothing to record for that medium. Acquisition snapshot (one row per account capturing the campaign that brought you in) has its campaign fields nulled out 90 days after signup.

Email-preference token + bitmask

Retention period

Until account closure

Notes

A per-user token in unsubscribe links so the preference centre identifies you without a sign-in. Cleared on account closure.

Banned-emails list

Retention period

Indefinitely

Notes

Prevents ban-evasion via re-signup.

Audit log of admin actions

Retention period

Indefinitely

Notes

Compliance and safeguarding traceability.

Safeguarding evidence (e.g. content preserved for IWF/police referral)

Retention period

Per IWF / police instructions only

Notes

Held outside the standard schedule when content has been preserved as evidence following a safeguarding referral. Released only when law-enforcement clears.

Single-use authentication tokens (sign-in, email-change, account-close, admin invite)

Retention period

15 minutes to 7 days, depending on type

Notes

All single-use; deleted on consume or expiry.

Session cookies

Retention period

30 days

Notes

Sliding window, extended on activity.

This schedule may be updated as the platform evolves. Material changes will be flagged to signed-in users in advance.

How to complain

If you have any concerns about our use of your personal data, please contact us first at privacy@tutorperch.com. We aim to respond to complaints within 10 working days.

If you remain unhappy after raising a complaint with us, you can also complain to the Information Commissioner's Office (ICO).

If a data breach occurs that's likely to affect you, we will notify you without undue delay. We will also notify the ICO within 72 hours of becoming aware, as required by UK GDPR Articles 33 and 34.