TutorLab

Legal

Privacy Policy

Last updated: 27 May 2026

The short version

TutorLab is a UK-based software service built for private tutors. We collect only what we need to run your account, process your payments, and generate the lesson plans, parent reports and invoices you ask us to.

We will never sell your data, your students' data, or your parents' contact details to anyone. We don't run ads. We don't share data across tutor accounts.

If you want us to delete your data, email harry@trytutorlab.uk and we will do so within 30 days.

Who we are

TutorLab is operated from the United Kingdom. For the purposes of UK GDPR and the Data Protection Act 2018, TutorLab is the data controller for personal data you provide when using our service. You can contact us at harry@trytutorlab.uk.

What data we collect

Account data. Your name, email address, country, and an encrypted password hash. We never store passwords in plain text.

Billing data. Subscription status and plan. Card details are handled by Stripe and never touch our servers — we only receive a token and the last four digits of your card for display.

Student and session data. Information you add about your students (name, year group, exam board), your session notes, and any lesson plans, parent reports, homework or invoices you generate. This data belongs to you. You can export or delete it at any time.

Usage data. Basic logs — page requests, IP address, browser — used to keep the service running and catch abuse. We do not build advertising profiles.

Cookies. We use a small number of essential cookies to keep you signed in. We do not use third-party advertising cookies.

Tutor directory profiles (unclaimed)

TutorLab maintains a public directory of UK tutors. In addition to tutors who have registered with us, the directory includes profiles of independent tutors sourced from publicly accessible professional websites (tutor listings, personal websites, directories).

Legal basis: Legitimate Interests (Article 6(1)(f) UK GDPR)

We rely on legitimate interests as our lawful basis for processing this data. Our legitimate interest is to operate a public directory connecting parents and students with independent tutors — a purpose analogous to established business directories such as Yell, Thomson Local, and Google Business Profile. We have carried out a Legitimate Interests Assessment (LIA) concluding that:

  • The purpose (helping parents find tutors) is legitimate and genuine.
  • Processing is necessary — we cannot run an effective directory without tutor profile data.
  • The impact on tutors' rights is minimal — data is limited to what tutors have already chosen to publish publicly in a professional context.

What we hold. For unclaimed profiles we store: full name, subjects taught, general location (town or city), hourly rate range, a short professional headline, and a contact email address. The contact email is used only to notify the tutor of their profile — it is never displayed publicly.

Article 14 notice. UK GDPR Article 14 requires us to inform individuals whose data we collected indirectly. We satisfy this obligation by sending the tutor a notification email when we first make professional contact, which explains what data we hold, why, and how they can claim, correct or remove their profile.

ICO guidance on B2B marketing from public sources. The ICO acknowledges that organisations may use publicly available business contact information for professional outreach where there is a genuine legitimate interest and the individual has a reasonable expectation their details may be used in this way. Independent tutors advertising their services publicly fall within this category.

Your right to removal. If you are a tutor listed in our directory and wish to have your profile removed, you can request removal instantly using the link below. We will remove your profile within 24 hours and suppress your contact details so you are not contacted again.

Request profile removal

How we use your data

We use your data only to: run your account and keep you signed in, generate the lesson plans, reports and invoices you ask for, process subscription payments, send service emails (receipts, password resets, outages), and improve the product based on aggregate usage patterns.

We will not use your session notes or student data to train third-party AI models. Generations are processed via our AI providers (see below) and are not retained for training by them under our agreements.

Who we share data with

We share data only with the processors we rely on to run TutorLab:

  • Supabase — hosts our database and authentication. EU-region hosting.
  • Stripe — processes subscription payments. Card details are handled directly by Stripe.
  • Google Gemini — processes text you submit when generating lesson plans, reports, homework or exam questions. Inputs are not retained for model training under our terms.
  • Resend — sends transactional emails (receipts, password resets, profile notifications).
  • Gravatar (Automattic) — for unclaimed tutor profiles, we generate a Gravatar URL from a hashed version of the tutor's email to display a profile photo if one is publicly available. No data is sent to Gravatar beyond a one-way hash.
  • Vercel — hosts the TutorLab web application. Infrastructure only — no user data is shared beyond what passes through normal HTTPS requests.

We will never share your data with advertisers, data brokers, or other tutors.

Where your data is stored

Primary data is hosted in UK or EU regions. Some processors (for example AI providers) may process data in the US. Where this happens we rely on Standard Contractual Clauses or equivalent safeguards under UK GDPR.

How long we keep it

We keep account and session data for as long as your account is active. If you close your account we delete personal data within 30 days, except where we need to retain it for legal reasons (for example billing records, which we keep for 6 years as required by UK tax law).

Your rights

Under UK GDPR you have the right to:

  • Access the data we hold about you.
  • Correct inaccurate data.
  • Delete your data (the “right to be forgotten”).
  • Export your data in a portable format.
  • Object to specific processing.
  • Complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these rights email harry@trytutorlab.uk. We will respond within 30 days.

A note on student data

Students whose information you add to TutorLab are typically minors. You should only add the minimum information you need to tutor them, and you should have the parent or guardian's permission to do so. TutorLab is a tool for tutors — we do not have a direct relationship with the students whose names appear in your account, and we rely on you to use the service responsibly under your own legal basis for processing.

Changes to this policy

If we make meaningful changes to how we handle data we will email registered account holders in advance. The “Last updated” date at the top of this page always reflects the most recent revision.

Contact

Questions about privacy or data requests: harry@trytutorlab.uk.

← Back to TutorLab