Back to home

Privacy Policy

Last updated: March 15, 2026

This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the Tutor IDE platform. Because many of our users are children aged 8–16, we take extra care to handle data responsibly and transparently.

1. Data Controller

The data controller responsible for your personal data is:

  • Company: Anvic IT, PrzemysΕ‚aw Jakubski
  • Tax identification (NIP): 8792519376
  • Country: Poland (European Union)
  • Contact email: contact@tutoride.dev
  • Website: tutoride.dev

For any privacy-related questions or requests, you can reach us at contact@tutoride.dev.

2. Data We Collect

We collect only the data necessary to provide and improve our educational service:

2.1 Account Information

  • Username and display name
  • Email address (optional for student accounts, required for billing accounts)
  • Profile avatar (uploaded image or system-generated initials)
  • Profile bio and color preference
  • Language preference
  • Password (stored as a secure, irreversible hash β€” we never store your actual password)

2.2 Code Projects

  • HTML, CSS, and JavaScript source files you create
  • Project metadata: title, description, publication status, creation and modification dates
  • Uploaded media files (images used in your projects)

2.3 AI Chat History

  • Messages you send to the AI tutor and the responses you receive
  • Chat session metadata (timestamps, session titles)

Chat history is stored to maintain conversation context, enable teacher oversight of student interactions, and help us improve the tutoring experience.

2.4 Educational Progress

  • Challenge attempts and scores (lessons and CSS Battle)
  • XP points, levels, and achievements
  • Teacher grades and feedback on assignments

2.5 Usage and Analytics Data

  • Login timestamps and session duration
  • Pages visited and features used (via Google Analytics with anonymized IP)
  • Browser type, screen resolution, and general device information

2.6 Payment Data

  • Billing name and address (for invoice generation)
  • Subscription plan and payment history
  • Payment card details are processed directly by Stripe β€” we never see or store your full card number

2.7 Moderation Data

  • Automated content moderation logs (flagged text in projects or chat)
  • These logs are visible only to teachers and administrators and are used solely for student safety

We process your personal data based on the following legal grounds:

  • Contract performance (Art. 6(1)(b) GDPR) β€” processing necessary to provide the Tutor IDE service you signed up for, including account management, project hosting, AI tutoring, and classroom features.
  • Legitimate interest (Art. 6(1)(f) GDPR) β€” platform security, abuse prevention, content moderation for student safety, service improvement, and analytics. We balance our interests against your rights and freedoms, particularly for minor users.
  • Consent (Art. 6(1)(a) GDPR) β€” for optional features such as marketing communications and non-essential analytics. You can withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c) GDPR) β€” retention of billing and tax records as required by Polish and EU law.

4. Children's Privacy

Tutor IDE is specifically designed for young learners aged 8–16. We are committed to protecting children's privacy and complying with GDPR requirements for processing minors' data (Article 8).

4.1 How Student Accounts Are Created

  • Classroom accounts: Teachers or school administrators create student accounts and are responsible for obtaining appropriate parental or institutional consent. The teacher or school acts as the party authorizing data processing on behalf of the student.
  • Self-registration: Students under 16 who register independently should do so with their parent's or guardian's knowledge and consent.
  • Invite codes: Students joining a classroom via an invite code are placed under the supervision of the inviting teacher.

4.2 Data Minimization for Minors

  • Student accounts do not require an email address
  • We collect only the minimum data necessary for the educational service
  • We do not engage in behavioral advertising or profiling of minors
  • We do not sell or share children's data with advertisers

4.3 Teacher and School Responsibility

When a teacher or school creates student accounts, they act as the responsible party for ensuring appropriate consent has been obtained from parents or guardians. We provide teachers with tools to manage and delete student data. Schools using the platform agree to a data processing arrangement where:

  • The school or teacher is the data controller for student data collected in the educational context
  • Anvic IT acts as a data processor, processing student data only as necessary to provide the service
  • Teachers can export, modify, or delete student data at any time through the admin panel

4.4 Parental Rights

Parents or guardians of minor users may at any time:

  • Request to review their child's personal data
  • Request correction or deletion of their child's data
  • Withdraw consent for data processing
  • Contact us directly at contact@tutoride.dev or work through their child's teacher

5. AI Data Processing

Our AI tutor feature sends chat messages to third-party AI providers for processing. Here is what you should know:

  • Providers: We use DeepSeek and OpenAI, configurable per organization. The AI provider used for your organization is set by your teacher or administrator.
  • What is sent: Your chat messages and, for context, the contents of your currently open project files. No personal identifiers (such as your real name or email) are sent to AI providers.
  • No training on your data: Your messages and code are never used to train AI models. Our contracts with AI providers explicitly prohibit using customer data for model training.
  • Content moderation: Chat messages are automatically scanned for inappropriate content before being sent to the AI provider.
  • Teacher oversight: All AI chat sessions are visible to your teacher or organization administrator for educational oversight and student safety.

6. Third-Party Data Processors

We share data with the following third-party services, solely as necessary to operate the platform. Each processor is bound by a data processing agreement (DPA):

6.1 Hosting and Infrastructure

  • OVH (OVHcloud) β€” server hosting. Our servers are located in France (EU). OVH processes data in accordance with GDPR.

6.2 AI Processing

  • DeepSeek β€” AI chat processing. Chat messages are sent for response generation only. DeepSeek is contractually prohibited from using your data for training.
  • OpenAI β€” AI chat processing (alternative provider). Based in the United States. Data transfers are protected by Standard Contractual Clauses (SCCs). OpenAI's API data usage policy prohibits training on API inputs.

6.3 Payments

  • Stripe β€” payment processing. Stripe is PCI DSS Level 1 certified. We never receive or store your full card number. Stripe's privacy policy governs payment data processing.

6.4 Email

  • Resend β€” transactional email delivery (account verification, password resets, notifications). Only your email address and the email content are shared.

6.5 Analytics

  • Google Analytics β€” website usage analytics with IP anonymization enabled. Google Analytics uses its own cookies (see Section 8). We use this data to understand how the platform is used and to improve the experience. No personally identifiable information is shared with Google.

We do not sell, rent, or share your personal data with any other third parties for their own purposes.

7. International Data Transfers

Your data is primarily stored and processed within the European Union (France, via OVH). However, some of our processors operate outside the EU:

  • OpenAI (United States) β€” when OpenAI is configured as your organization's AI provider, chat messages are transferred to the US under Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Stripe (United States) β€” payment data is transferred under Stripe's Data Processing Agreement and SCCs.
  • Google (United States) β€” anonymized analytics data is transferred under Google's data processing terms and SCCs.

In all cases, we ensure appropriate safeguards are in place as required by GDPR Chapter V.

8. Cookies

We use a minimal set of cookies. Here is a complete list:

8.1 Strictly Necessary Cookies (No Consent Required)

These cookies are essential for the platform to function. They cannot be disabled.

  • sessionid β€” authenticates your session and keeps you logged in. Expires when you log out or after inactivity.
  • csrftoken β€” protects against cross-site request forgery attacks. Required for form submissions and API calls.

8.2 Analytics Cookies

Google Analytics sets the following cookies to help us understand how the platform is used:

  • _ga β€” distinguishes unique visitors. Expires after 2 years.
  • _ga_* β€” maintains session state. Expires after 2 years.

IP addresses are anonymized before being sent to Google. We do not use Google Analytics data for advertising or cross-site tracking.

8.3 No Tracking or Advertising Cookies

We do not use any third-party tracking cookies, advertising cookies, or social media cookies. We do not participate in any ad networks or retargeting programs.

9. Data Retention

  • Active accounts: Your data is retained for as long as your account remains active and you continue using the service.
  • Deleted accounts: When you delete your account (or request deletion), all associated data β€” including projects, chat history, profile information, achievements, and uploaded files β€” is permanently deleted within 30 days.
  • Student accounts removed by teacher: When a teacher removes a student from their classroom, the student's data associated with that classroom is handled according to the teacher's deletion settings.
  • Payment and tax records: Invoices and billing records are retained for 5 years after the transaction, as required by Polish tax regulations.
  • Moderation logs: Content moderation alerts are retained for the duration of the account and deleted with it.
  • Audit logs: Administrative action logs are retained for 1 year for security and compliance purposes.

10. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Encryption in transit: All connections use HTTPS/TLS encryption
  • Secure password storage: Passwords are hashed using industry-standard algorithms and are never stored in plain text
  • Access controls: Administrative access is restricted and logged
  • EU hosting: Data is stored on servers in France (European Union)
  • Regular updates: We keep our software and dependencies up to date with security patches
  • Content moderation: Automated scanning protects students from inappropriate content
  • Minimal data collection: We collect only the data necessary to provide the service

While no system is 100% secure, we are committed to protecting your data and will notify affected users promptly in the event of a data breach, as required by GDPR Article 33.

11. Your Rights Under GDPR

Under the General Data Protection Regulation, you have the following rights regarding your personal data:

  • Right of access (Art. 15) β€” You can request a copy of all personal data we hold about you. You can also use the in-app data export feature in your account settings.
  • Right to rectification (Art. 16) β€” You can correct inaccurate or incomplete data via your profile settings or by contacting us.
  • Right to erasure (Art. 17) β€” You can delete your account and all associated data through the account settings, or request deletion by contacting us.
  • Right to data portability (Art. 20) β€” You can export your data in a machine-readable format using the in-app data export feature.
  • Right to restrict processing (Art. 18) β€” You can request that we limit how we use your data in certain circumstances.
  • Right to object (Art. 21) β€” You can object to processing based on legitimate interest, including analytics and profiling.
  • Right to withdraw consent (Art. 7(3)) β€” Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

How to Exercise Your Rights

You can exercise most of these rights directly through the platform:

  • Data export: Available in your account settings (Dashboard β†’ Account)
  • Account deletion: Available in your account settings
  • Profile updates: Edit your profile in account settings

For any other requests, or if you need assistance, contact us at contact@tutoride.dev. We will respond within 30 days, as required by GDPR. If your request is complex, we may extend this by an additional 60 days, and we will inform you of the extension.

Parents or guardians can exercise these rights on behalf of their minor children.

12. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the relevant supervisory authority. For Anvic IT, the competent authority is:

  • UODO (UrzΔ…d Ochrony Danych Osobowych / Office for Personal Data Protection)
  • ul. Stawki 2, 00-193 Warszawa, Poland
  • Website: uodo.gov.pl

We encourage you to contact us first so we can try to resolve your concern directly.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or platform features. When we make material changes:

  • We will notify registered users via email at least 30 days before the changes take effect
  • We will update the "Last updated" date at the top of this page
  • For significant changes affecting children's data, we will provide prominent notice to teachers and, where possible, to parents

We recommend reviewing this policy periodically. Continued use of the platform after changes take effect constitutes acceptance of the updated policy.

14. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or your personal data:

  • Email: contact@tutoride.dev
  • Data controller: Anvic IT, PrzemysΕ‚aw Jakubski, NIP 8792519376
  • Country: Poland, European Union

We aim to respond to all inquiries within 7 business days. For formal GDPR requests, we will respond within the legally required 30-day period.