Last updated: 22 May 2026
1. About This Policy
Tipu is committed to protecting the privacy of everyone who uses our online tutoring platform — students, parents and guardians, and tutors. This Privacy Policy explains what personal data we collect, how and why we use it, who we share it with, how long we keep it, and the rights you have under data protection law.
This Policy applies to all of Tipu's services, including one-to-one tutoring at GCSE and A-Level, lesson packages, the Parent Support Programme, homeschooling support, and our AI-powered study tools.
We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). Where children and young people are involved, we also follow the Information Commissioner's Office (ICO) Age Appropriate Design Code (the Children's Code).
2. Who We Are
Tipu LTD("Tipu") is the data controller responsible for your personal data. We are a company registered in England and Wales, operating the platform at https://www.tipu-learn.com.
If you have questions about this Policy or how we use your data, please contact us at admin@tipu-learn.com.
3. Personal Data We Collect
Depending on how you use the platform, we may collect the following categories of personal data:
From all users
- Identity data — name, date of birth, and (for adult students and tutors) any required age-verification information.
- Contact data — email address; phone number where you provide one.
- Account data — your encrypted password (Supabase-managed), role (student, parent, tutor, homeschool parent, admin), and account preferences.
- Communications data — emails you send to us, support enquiries, in-platform messages, and the metadata associated with them.
- Technical data — IP address, browser type and version, device information, time-zone setting, and authentication session tokens.
- Usage data — information about how you use the platform, such as pages visited and features used.
From parents and guardians
- Your contact and identity data as above.
- The identity of the child or children linked to your account, including the child's name, date of birth, year group, and learning needs you choose to share.
- Payment and billing information for Lessons booked on behalf of the child (handled by Stripe — see Section 9).
From students
- Identity and contact data as above.
- Year group, enrolled subjects, and (where you choose to share) learning interests or accessibility needs.
- Booking history, lesson attendance, and lesson reports prepared by your tutor.
- Content you submit to the platform, including notes, uploaded study materials, and your interactions with the AI study helper.
From tutors
- Identity and contact data as above.
- Profile information including biography, qualifications, subjects taught, and rates.
- Right-to-work and identity-verification information where required.
- Bank account details, sort code, address, and (if applicable) VAT registration details for payment of tutor fees.
- Lesson reports submitted after each Lesson and communications with clients and Tipu staff.
Safeguarding information
- Any disclosure, concern, or report received in relation to the safety or welfare of a student. This information is handled in accordance with our Safeguarding Policy and applicable law.
Some of this information falls within the "special category" data defined by UK GDPR (for example, information about a learning need or a safeguarding concern). We only process special category data where we have a lawful basis under UK GDPR and a separate condition under the Data Protection Act 2018 (typically substantial public interest in safeguarding children).
4. How We Collect Your Data
We collect personal data:
- Directly from you when you register, complete your profile, book or deliver a Lesson, complete forms, or contact us.
- Automatically as you use the platform (for example, technical and usage data via cookies and similar technologies — see our Cookie Policy).
- From parents when they create an account for a student under 18.
- From tutors when they submit lesson reports or other lesson-related information about a student.
- From third-party providers we work with, such as Stripe for payment confirmations or Cloudflare for security and CAPTCHA checks.
5. How We Use Your Data and Our Lawful Basis
Under UK GDPR we must have a lawful basis to process your personal data. The table below sets out the main purposes for which we process data and the lawful basis we rely on for each.
| Purpose | Lawful basis (UK GDPR Art. 6) |
|---|---|
| Creating and managing your account; verifying your identity | Performance of a contract |
| Processing Bookings, taking and refunding payments, and providing Lessons via Microsoft Teams | Performance of a contract |
| Sending booking confirmations, lesson reminders, and lesson reports | Performance of a contract |
| Paying tutors and complying with tax and accounting law | Legal obligation; performance of a contract |
| Preventing fraud, securing the platform, and investigating misuse | Legitimate interests (protecting our platform and users) |
| Safeguarding students and responding to disclosures or concerns | Legitimate interests; legal obligation; vital interests; and, for special category data, the "safeguarding of children" condition in the Data Protection Act 2018 |
| Improving the platform, fixing bugs, and developing new features (including AI features) | Legitimate interests (running and improving our service) |
| Sending service emails (e.g. password resets, security alerts, policy updates) | Performance of a contract; legitimate interests |
| Sending marketing emails about Tipu products and services | Consent (you can withdraw at any time) |
| Using non-essential cookies and analytics | Consent (managed via our cookie banner) |
| Responding to legal requests, court orders, and regulatory bodies | Legal obligation |
Where we rely on legitimate interests, we have carried out a balancing assessment to make sure that our interests do not override your rights and freedoms. You can ask us about that assessment at any time by emailing admin@tipu-learn.com.
6. Children and Young People
The safety and privacy of children and young people is a priority. The platform is designed for use by students of all ages preparing for GCSE and A-Level examinations, including children under 18.
Under Article 8 of the UK GDPR, children aged 13 or over can give their own consent for online services in the UK. Children under 13 require parental consent. For that reason:
- Tipu accounts for students under 18 must be created and managed by a parent or legal guardian, who provides consent on behalf of the child and accepts our Terms.
- We do not knowingly collect personal data from a child under 13 without parental authorisation. If you believe a child has provided us with personal data without appropriate consent, please contact us at admin@tipu-learn.com and we will delete that data unless we have a separate lawful basis to retain it.
- We follow the principles of the ICO Children's Code (the Age Appropriate Design Code). In practical terms this means: non-essential cookies and analytics are off by default until you choose otherwise; we do not profile children; we do not use children's personal data for behavioural advertising; we do not sell personal data; and we aim to collect only the personal data we need to deliver tutoring.
- Parents retain visibility of their child's bookings, payments, and lesson reports through the parent dashboard.
7. Lesson Delivery
Lessons are delivered online through Microsoft Teams. Microsoft is an independent data controller for the platform it provides and processes personal data in accordance with its own privacy notice.
Tipu does not record Lessons. If we ever change that — for example, to introduce optional recordings for safeguarding or quality-assurance reasons — we will update this Privacy Policy and tell you in advance.
8. Who We Share Your Data With
We share personal data only where necessary and only with parties that have appropriate safeguards in place. The main categories of recipients are:
Other users of the platform
- Tutors see the information needed to deliver a Lesson — for example, the student's first name, year group, subjects, and any notes you choose to provide.
- Parents see information about their linked child's bookings, lesson reports, and credit balance.
- Lesson reports are sent to the parent and, where appropriate, to the adult student.
Service providers (data processors) acting on our instructions
- Stripe — payment processing. Stripe is the controller for the payment data it collects directly from you (such as card details). See stripe.com/privacy.
- Microsoft Teams (Microsoft Ireland Operations Ltd) — video calls and meeting links.
- Supabase — authentication, encrypted database storage, and file storage.
- Resend — transactional email delivery (booking confirmations, lesson reports, password resets).
- Cloudflare — security, CAPTCHA, and content delivery.
- Vercel — hosting of the Tipu web application.
- AI providers — to power our AI study helper and flashcard generation features. We do not deliberately include identifying information about a child in prompts sent to AI providers, and we use API tiers whose terms do not permit providers to train their foundation models on customer prompts.
Professional advisors and authorities
- Our accountants, auditors, lawyers, and insurers where they need access to provide their services.
- Law-enforcement agencies, regulators, courts, and statutory safeguarding partners where we are legally required to share information or where it is necessary to protect a child.
Business transfers
- If Tipu is involved in a merger, acquisition, financing, or sale of assets, personal data may be transferred as part of that transaction. We will tell you in advance and your data will continue to be protected by an equivalent privacy policy.
We do not sell personal data and we do not share personal data with third parties for their own marketing purposes.
9. International Data Transfers
Some of our service providers (including Stripe, Microsoft, Resend, and certain AI providers) may process personal data outside the United Kingdom, including in the European Economic Area and the United States.
Where personal data is transferred outside the UK to a country that has not been recognised by the UK government as providing an adequate level of protection, we put appropriate safeguards in place. These typically include the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or another mechanism permitted by UK GDPR.
You can request a copy of the safeguards we use by emailing admin@tipu-learn.com.
10. How Long We Keep Your Data
We keep personal data only for as long as we need it for the purposes set out in this Policy. The exact retention period depends on the category of data and the reason we hold it:
- Account and profile data — for as long as your account is active, plus up to 24 months after closure to handle queries and disputes.
- Booking and lesson records — for as long as the related account is active, plus the period required by tax and accounting law (currently six years from the end of the relevant financial year).
- Payment records — six years from the date of the transaction, in line with UK tax law.
- Safeguarding records — kept securely for as long as necessary having regard to statutory guidance on the retention of child-protection records.
- Marketing preferences — until you withdraw your consent or for two years after your last engagement, whichever is sooner.
- Server logs and security data — typically up to 12 months.
Once we no longer need personal data we will delete it or anonymise it so that it can no longer be linked back to you.
11. How We Protect Your Data
We take the security of your personal data seriously and use appropriate technical and organisational measures, including:
- Encryption in transit (HTTPS/TLS) and at rest for sensitive data.
- Role-based access controls and row-level security policies on our database, so that staff and users only see the data they are entitled to see.
- Strong authentication for all user accounts, with hashed and salted passwords managed by Supabase Auth.
- Rate limiting and CAPTCHA on sensitive endpoints to prevent abuse and credential-stuffing.
- Regular security reviews of our code, dependencies, and third-party providers.
- Staff training on safeguarding, data protection, and information security.
No system is completely secure. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and tell you directly where the breach is likely to result in a high risk.
12. Your Rights
Under UK GDPR you have a number of rights in relation to your personal data. You can exercise these rights free of charge in most circumstances. Your rights are:
- Right of access — to receive a copy of the personal data we hold about you.
- Right to rectification — to ask us to correct inaccurate or incomplete personal data.
- Right to erasure — to ask us to delete your personal data where there is no good reason for us to continue processing it. This right is not absolute — we may need to keep some information to meet legal obligations (for example, tax records) or to defend legal claims.
- Right to restrict processing — to ask us to suspend the processing of your personal data in certain circumstances.
- Right to data portability — to ask us to provide your personal data in a structured, commonly used, and machine-readable format, or to transfer it to another controller.
- Right to object — to object to processing based on our legitimate interests, and to object at any time to direct-marketing processing.
- Right to withdraw consent — where we rely on consent, you can withdraw it at any time without affecting the lawfulness of processing before that point.
- Right to complain to the ICO — see Section 18.
To exercise any of these rights, email admin@tipu-learn.com. We may ask you to verify your identity before we act on your request. We will respond within one month, although for complex requests we may extend this by a further two months and will tell you if we do so.
Parents may exercise these rights on behalf of children under 18 where it is appropriate to do so. From age 13, children can exercise rights themselves where they are able to understand what they are asking for; we will balance that with our duties to keep them safe.
13. Cookies and Similar Technologies
Tipu uses a small number of cookies and similar technologies to keep you signed in, remember your preferences, secure the platform, and (where you consent) help us understand how the service is used.
You can read about the specific cookies we use, manage your preferences, and find out how to control cookies in your browser in our Cookie Policy.
14. Automated Decision-Making and AI
We do not make any decision that produces a legal or similarly significant effect about you solely by automated means.
Our AI study helper and flashcard generation tools use third-party large-language-model providers to generate study content in response to your prompts. AI outputs are educational suggestions rather than decisions about you. You should not rely on them for academic assessments, examinations, or other significant decisions (see our Terms & Conditions).
We work with AI providers whose API terms of service do not allow them to use customer prompts or outputs to train their underlying foundation models, and we choose API tiers that offer this protection. We do not deliberately send identifying information about a child to AI providers, and we ask you not to enter sensitive personal information about yourself or anyone else into the AI tools.
15. Marketing Communications
We may send you marketing emails about Tipu services where you have asked to hear from us or where we are entitled to do so under the "soft opt-in" in PECR (because you are an existing customer and the marketing relates to similar services).
You can opt out at any time by clicking the "unsubscribe" link in any marketing email or by emailing admin@tipu-learn.com. We will continue to send essential service emails — for example, booking confirmations, lesson reports, and security alerts — even if you opt out of marketing.
Marketing communications about Tipu are addressed to the adult account holder — the parent or guardian — and not to the child. We will not send marketing emails to a Tipu account we have identified as belonging to a person under 18.
16. Changes to This Policy
We may update this Policy from time to time to reflect changes in our services, technology, or the law. We will post the updated Policy on this page and update the "last updated" date at the top. Where the changes are material we will tell you directly, for example by email or by a notice on the platform.
17. How to Contact Us
If you have any questions about this Policy, would like to exercise your rights, or have a concern about how we handle your personal data, please contact us:
- Privacy and data protection: admin@tipu-learn.com
- General enquiries: contact@tipu-learn.com
- Website: https://www.tipu-learn.com
- Company: Tipu LTD, registered in England and Wales.
We aim to acknowledge privacy enquiries within 2 business days and to provide a substantive response within one month.
18. Complaining to the ICO
We hope to resolve any concern you have through our complaints process. If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO), the UK's data-protection regulator.
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
By creating a Tipu account and using the platform, you confirm that you have read, understood, and agree to this Privacy Policy.