Privacy Policy

Last updated: April 2, 2026

Summary

  • We collect only what is necessary to deliver your personalised learning experience.
  • We never sell your personal data. We share it only with the service providers listed below.
  • Payment details are handled entirely by Stripe; we never see or store your full card number.
  • AI-generated content (quiz answers, flashcard responses, canvas transcripts) is processed by Google Gemini and is not used to train third-party models.
  • You can export or delete your data at any time from Account Settings.

1. Introduction

Tutix ("we," "our," or "us") operates the web application at tutix.ai (the "Platform"). This Privacy Policy explains what personal data we collect, why we collect it, how we process and protect it, and the rights you have over it. It applies to all users of the Platform, including visitors who browse without creating an account.

By creating an account or continuing to use the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please discontinue use of the Platform.

2. Information We Collect

2.1 Information You Provide Directly

  • Account credentials: Email address, display name, and password (or Google OAuth token if you sign in with Google). Passwords are hashed by Firebase Authentication and are never stored in plaintext.
  • Learner profile: Study preferences, learning goals, curriculum year, and subjects you choose during onboarding or in Account Settings.
  • User-created content: Study notes, flashcard decks, quiz attempts, homework uploads, custom course materials, AI chat messages, and canvas/whiteboard session data (drawings, audio transcripts, annotations).
  • Payment information: Billing name, address, and payment method. This data is collected and processed exclusively by Stripe. We receive only a tokenised reference, the last four digits of your card, card brand, and transaction status. We never see or store your full card number, CVV, or bank credentials.
  • Support communications: Messages you send via the Contact form, email, or in-app feedback.

2.2 Information Collected Automatically

  • Usage telemetry: Pages visited, features used, timestamps, session durations, learning event logs (lesson starts, quiz completions, flashcard reviews), and mastery progress tracked by our Cog+ learning-intelligence engine.
  • Device and browser data: Browser type and version, operating system, viewport size, and language preference.
  • Network data: IP address (used for rate-limiting and abuse prevention; not used for profiling). We do not perform IP-based geolocation profiling.
  • Cookies: See Section 7 below.

2.3 Information Generated by AI Processing

When you use AI features (AI Chat, Canvas Live Tutor, quiz generation, flashcard generation, homework help, textbook chat, or custom course creation), your prompts and relevant context are sent to Google Gemini for processing. The AI-generated responses (explanations, quiz questions, flashcard content, canvas annotations, audio transcripts) are stored in your account in Google Cloud Firestore. Google's Gemini API data-use policy states that data sent via the API is not used to train foundation models.

3. How We Use Your Information

Purpose | Data Categories | Legal Basis (UK GDPR)
Provide and personalise the learning experience (lessons, quizzes, flashcards, AI tutoring, Cog+ mastery model, learning plans) | Account, learner profile, user content, usage telemetry | Contract performance
Process payments, manage subscriptions, issue invoices and refunds | Account, payment token, order history | Contract performance
Send transactional emails (welcome, password reset, subscription confirmations, usage alerts) | Account email, subscription status | Contract performance
Detect abuse, enforce rate limits, prevent fraud | IP address, request metadata, request ID | Legitimate interest
Aggregate analytics to improve Platform features (opt-in only via consent banner) | Anonymised usage events | Consent
Respond to legal obligations, regulatory requests, or enforce our Terms | Any relevant data | Legal obligation / Legitimate interest

4. Data Storage, Retention, and Security

4.1 Infrastructure

  • Application hosting: DigitalOcean App Platform (managed application hosting; encrypted in transit and protected by platform security controls).
  • Database: Google Cloud Firestore (encrypted at rest with AES-256; encrypted in transit with TLS 1.2+).
  • Authentication: Firebase Authentication (passwords hashed with scrypt; OAuth tokens managed by Google).
  • File storage: S3-compatible object storage or local encrypted volumes (user uploads, canvas thumbnails, generated slide assets).
  • Payments: Stripe (PCI DSS Level 1 certified).

4.2 Retention Periods

  • Active accounts: Data is retained for as long as your account exists.
  • Deleted accounts: When you delete your account (Account Settings → Delete Account), we purge your Firestore documents, uploaded files, and AI job records within 30 days. Anonymised aggregate analytics are retained.
  • Cog+ learning events: Raw learning events are retained for 90 days, after which they are consolidated into aggregate mastery scores and the raw events are deleted.
  • Billing records: Transaction records, invoices, and Stripe event logs are retained for 7 years to comply with financial reporting obligations.
  • Server logs: Request logs (including IP addresses and request IDs) are retained for 30 days for debugging and security purposes, then automatically purged.

4.3 Security Measures

  • All data in transit is encrypted with TLS 1.2 or higher. HSTS is enforced on all production responses.
  • Session cookies are HttpOnly, Secure, and SameSite=Strict.
  • Content Security Policy (CSP), X-Frame-Options, and X-Content-Type-Options headers are set on every response.
  • All API endpoints enforce user-scoped ownership validation; you can only access your own data.
  • Rate limiting is applied to authentication endpoints and expensive AI operations.
  • Uploaded files are validated by extension and MIME type; SVG files are blocked. Served files use signed URLs with time-limited tokens.

5. Data Sharing and Third-Party Processors

We do not sell, rent, or trade your personal data. We share data only with the following categories of processors, each bound by data-processing agreements:

Provider | Purpose | Data Shared
Google Cloud / Firebase | Authentication, database, AI processing (Gemini) | Account credentials, all user-created content, learning data, AI prompts and responses
Stripe | Payment processing, subscription management, invoicing | Email, billing name/address, payment method, transaction amounts
DigitalOcean | Application hosting and compute | All request data in transit (encrypted)
S3-compatible object storage | File and blob storage | Uploaded files, generated assets, canvas thumbnails
Google Analytics (GA4) | Aggregate usage analytics (consent-gated) | Anonymised page views and events (only after you accept the cookie banner)

We may also disclose personal data when required by law, regulation, or court order, or to protect the rights, safety, or property of Tutix, our users, or the public.

6. Your Rights

Under applicable data protection law (including UK GDPR and, where applicable, EU GDPR), you have the following rights:

  • Access: Request a copy of the personal data we hold about you. You can export your progress data and notes directly from Account Settings → Export.
  • Rectification: Update or correct inaccurate information via Account Settings or by contacting us.
  • Erasure: Delete your account and all associated data via Account Settings → Delete Account. Deletion is processed within 30 days.
  • Restriction: Request that we restrict processing of your data while we resolve a dispute or verify accuracy.
  • Portability: Receive your data in a structured, machine-readable format (JSON export available in Account Settings).
  • Objection: Object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.
  • Withdraw consent: Where processing is based on consent (e.g., analytics cookies), you may withdraw consent at any time by adjusting your cookie preferences.

To exercise any of these rights, email [email protected]. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO).

7. Cookies and Tracking Technologies

We use cookies as follows:

Cookie | Type | Purpose | Duration
__session | Strictly necessary | Firebase session authentication | 5 days
session | Strictly necessary | Flask server-side session | 7 days
cookie_consent | Strictly necessary | Records your cookie consent choice | 1 year
_ga, _ga_* | Analytics (consent-gated) | Google Analytics 4 measurement | Up to 2 years

Strictly necessary cookies cannot be disabled as they are essential for the Platform to function. Analytics cookies are loaded only after you accept via the consent banner. You can also control cookies through your browser settings, though disabling session cookies will prevent you from logging in.

8. International Data Transfers

Our infrastructure providers (Google Cloud, Stripe, DigitalOcean, and S3-compatible storage providers) may process data in the United States and other jurisdictions outside the UK/EEA. Where this occurs, transfers are protected by: (a) the provider's participation in approved transfer mechanisms (e.g., EU-US Data Privacy Framework), (b) Standard Contractual Clauses (SCCs) approved by the relevant data protection authority, or (c) an adequacy decision by the UK Secretary of State or European Commission.

9. Children's Privacy

Tutix is designed for students aged 13 and older. We do not knowingly collect personal data from anyone under 13. Users between the ages of 13 and 17 must have parental or guardian consent before creating an account. If we become aware that we have collected data from a child under 13 without verified parental consent, we will delete that data promptly. If you believe a child under 13 has provided us with personal data, please contact us at [email protected].

10. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. For material changes (e.g., new categories of data collected, new third-party processors, changes to retention periods), we will notify registered users by email at least 14 days before the changes take effect and post a prominent notice on the Platform. The "Last updated" date at the top of this page indicates the most recent revision. Continued use of the Platform after the effective date constitutes acceptance of the revised policy.

11. Contact and Data Controller

The data controller for the purposes of applicable data protection law is Tutix. For any questions, concerns, or requests relating to this Privacy Policy or your personal data:

Privacy inquiries: [email protected]
General support: [email protected]
Contact form: tutix.ai/contact