Privacy Policy
Last Updated: March 7, 2026
1. Introduction
Tudius Inc. (“we,” “us,” “our,” or the “Company”) operates the Tudius platform (the “Platform”), an automated personal academy platform that provides tutors with technology tools to manage their independent tutoring practice — including scheduling, lesson planning, progress tracking, automated reporting, and payment processing — and connects students with tutors. We are incorporated in Canada and headquartered in Toronto, Ontario.
Tudius Inc. is not a school, private career college, or educational institution under any provincial or federal statute. We provide software tools that tutors use to manage their independent tutoring practices. Any references to “academy” in our branding describe the comprehensive nature of our technology platform, not an educational institution.
We are committed to protecting your privacy and handling your personal information responsibly. This Privacy Policy describes how we collect, use, disclose, retain, and protect your personal information when you use our Platform, in accordance with applicable Canadian and international privacy legislation.
This Policy applies to all users of the Platform, including tutors, students, parents/guardians of minor students, and visitors.
Privacy Officer: Taeyoung Park, Chief Executive Officer
Privacy Contact: tycpark0317@gmail.com
Mailing Address: Toronto, Ontario, Canada
The Privacy Officer is responsible for overseeing compliance with this Policy and applicable privacy legislation, as required under Quebec's Act to modernize legislative provisions as regards the protection of personal information (S.Q. 2021, c. 25, s. 3.1).
2. Applicable Laws
This Privacy Policy is designed to comply with:
- Personal Information Protection and Electronic Documents Act (PIPEDA, S.C. 2000, c. 5) — Canada's federal private-sector privacy law
- Quebec Law 25 (An Act to modernize legislative provisions as regards the protection of personal information, S.Q. 2021, c. 25) — applicable to all Quebec residents using the Platform
- Alberta Personal Information Protection Act (PIPA, S.A. 2003, c. P-6.5) — applicable to Alberta residents
- Children's Online Privacy Protection Act (COPPA, 15 U.S.C. ss 6501-6506; 16 C.F.R. Part 312, as amended effective June 23, 2025) — applicable to users under 13 in the United States
- Canada's Anti-Spam Legislation (CASL, S.C. 2010, c. 23) — governing commercial electronic messages
We apply the strictest applicable standard across all jurisdictions to ensure consistent protection for all users.
3. Information We Collect
We collect only the personal information necessary for the purposes identified in this Policy, in accordance with PIPEDA Schedule 1, Principle 4 (Limiting Collection).
3.1 Information You Provide Directly
Account Registration (All Users)
- Email address
- Password (stored in hashed form by our authentication provider; we never have access to your plaintext password)
- Role selection (student or tutor)
- Full name (optional at signup)
Tutor Profile
- Biography text
- Profile photos
- Tutoring rate (per 30-minute session)
- Subjects taught
- Location (city/neighbourhood text)
- Geographic coordinates (for map-based search; stored at reduced precision)
- Online availability setting
- Short-term and trial lesson availability settings
Student Profile
- Preferred subjects
- Location (city/neighbourhood text)
Booking Information
- Booking type (recurring, short-term, or trial)
- Scheduling details (day of week, start time, duration)
- Booking status and cancellation records
Reviews
- Star rating (1-5)
- Written review comments (publicly displayed on the tutor's profile)
Follow Relationships
- Records of which students follow which tutors
Academic Data (Academy Features) NEW
- Lesson plans created by tutors for their students
- Assignment records and completion status
- Session notes recorded by tutors after each session
- Grade and score data entered by tutors
- Progress metrics derived from the above data
Calendar and Availability Data NEW
- Tutor availability windows (days and hours available for tutoring)
- Calendar sync metadata (free/busy status only; see Section 3.3)
Parent/Guardian Contact Information NEW
- Parent/guardian email address (for COPPA consent verification and progress report delivery)
- Parent/guardian communication preferences for automated reports
3.2 Information Collected Automatically
Technical Information
- IP address
- Browser type and version
- Device information
- Pages visited and interaction patterns
- Timestamps of access
Authentication Data
- Session tokens (stored in HTTP-only cookies; not accessible to client-side scripts)
- Authentication state
Platform-Generated Data NEW
- Automated progress report content (generated from academic data entered by tutors)
- Automated report generation metadata (timestamps, delivery status)
- Automated reminder and check-in event logs
- Accountability tracking events (session attendance, assignment completion timestamps)
3.3 Information from Third-Party Services
Stripe (Payment Processing)
- We receive opaque payment identifiers (Stripe Payment ID, Checkout Session ID) from Stripe Inc. We do NOT receive, process, or store your credit card numbers, CVV codes, bank account numbers, or other cardholder data. All payment card information is collected and processed directly by Stripe through their hosted checkout page.
- For tutors: Stripe Connect account identifiers and payment enablement status
- For tutor subscriptions: Stripe Customer ID, Subscription ID, subscription tier and status
Google Maps (Location Services)
When you enter a location on your profile, we use Google Maps API to convert your address to geographic coordinates for map-based tutor search functionality.
Google Calendar (Calendar Sync) NEW
- If you choose to connect your Google Calendar, we access only your free/busy status using the
calendar.freebusyOAuth scope. We do NOT read event titles, descriptions, attendees, locations, or any other event content. We use free/busy data solely to display your availability for tutoring sessions. - Calendar sync is entirely optional and requires your separate, express consent.
- You may disconnect your calendar at any time, and all sync data is deleted immediately upon disconnection.
Email Service Provider (Automated Reports) NEW
When automated progress reports are sent to parents/students, we use an email service provider to deliver these messages. The email service provider processes recipient email addresses and report content solely for delivery purposes under a Data Processing Agreement.
3.4 Information We Do NOT Collect
- Credit card numbers, CVV codes, or bank account details (handled exclusively by Stripe)
- Government-issued identification numbers
- Health information or medical records
- Racial or ethnic origin
- Religious or philosophical beliefs
- Biometric data
- Life pattern data: We do NOT collect information about your daily routines, including wake times, sleep times, meal schedules, or other personal habits (NEW — explicitly prohibited)
- Individual Education Plan (IEP) data or formal learning disability diagnoses, unless expressly provided by the tutor in session notes (NEW)
- Google Calendar event titles, descriptions, attendees, or content — only free/busy status (NEW)
4. How We Use Your Information
We use your personal information only for the purposes identified at or before the time of collection, as required by PIPEDA Schedule 1, Principle 2 (Identifying Purposes).
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Account creation and authentication | Email, password, role | Contractual necessity (PIPEDA s. 7(1)(b)) |
| Tutor profile display and search | Bio, photos, rate, subjects, location, coordinates | Contractual necessity — core platform function |
| Student-tutor matching | Preferred subjects, location | Contractual necessity |
| Booking management | Booking details, schedule, status | Contractual necessity |
| Payment processing | Stripe payment identifiers, amounts | Contractual necessity |
| Tutor subscription billing | Stripe customer/subscription IDs, tier, status | Contractual necessity |
| Public reviews and rankings | Ratings, review text | Express consent (review submission is a voluntary, affirmative action; reviews are publicly visible) |
| Follow relationships | Student-tutor follow records | Contractual necessity |
| Map-based tutor search | Geographic coordinates | Express consent (location permission at profile creation) |
| Lesson plan management NEW | Lesson plans, assignment records | Express consent (academy feature activation) |
| Automated progress report generation NEW | Academic data (lesson plans, assignments, grades, session notes) | Express consent (separate opt-in for report generation) |
| Progress report delivery to parents NEW | Report content, parent email address | Express consent (parent consent for receiving reports) |
| Automated reminders and check-ins NEW | Booking schedule, session data, student contact | Express consent (separate opt-in for automated communications) |
| Calendar availability display NEW | Availability windows, calendar free/busy status | Express consent (calendar sync opt-in) |
| Platform security and fraud prevention | IP address, session tokens, access logs | Legitimate interest in platform security (PIPEDA Principle 7) |
| Legal compliance | Various, as required | Legal obligation |
We do NOT use your personal information for:
- Targeted advertising or behavioural profiling
- Sale to third parties
- Automated decision-making that produces legal effects without human oversight (see Section 11 on Rankings and Section 19 on Academic Reports)
- Any purpose not listed above without obtaining your separate consent
- Training artificial intelligence or machine learning models (NEW)
5. Consent
In accordance with PIPEDA Schedule 1, Principle 3 (Consent) and Quebec Law 25 (S.Q. 2021, c. 25), we obtain your consent for the collection, use, and disclosure of your personal information. Consent must be clear, free, informed, and specific for each purpose (Law 25 requirement).
5.1 Implied Consent
We rely on implied consent for data processing that is obvious and necessary for the primary service you have requested:
- Account creation when you voluntarily sign up
- Booking management when you create a booking
- Payment processing when you initiate a payment through Stripe Checkout
5.2 Six Granular Consent Categories REVISED
In compliance with Quebec Law 25's prohibition on bundled consent, we maintain six separate consent categories. Each requires independent, unambiguous consent. You may consent to any combination of these categories independently:
| # | Consent Category | Description | Who Consents | How to Withdraw |
|---|---|---|---|---|
| 1 | Core Tutoring Services | Collection of booking, scheduling, and payment data necessary for the tutoring service | Tutor and Student (implied at signup) | Account deletion |
| 2 | Calendar Sync | Connection to Google Calendar for free/busy availability display | Tutor (express opt-in via OAuth) | Disconnect calendar in settings |
| 3 | Progress Reports to Parents | Generation and delivery of automated progress reports to parent/guardian email | Student or Parent (express opt-in) + Tutor (express activation) | Toggle off in report settings |
| 4 | Automated Reminders | Session reminders, lesson plan alerts, and accountability check-in notifications | Student or Parent (express opt-in) | Toggle off in notification settings |
| 5 | Marketing Communications | Promotional emails, newsletter, new feature announcements | All users (separate express opt-in, CASL s. 6(1)) | Unsubscribe link or settings |
| 6 | Analytics | Aggregated, de-identified usage data for platform improvement | All users (express opt-in) | Toggle off in privacy settings |
Withdrawal of consent for any category is as easy as giving consent, as required by Quebec Law 25. Withdrawal does not affect the lawfulness of processing performed before withdrawal. Note that withdrawing consent for Category 1 (Core Tutoring) requires account closure, as the Platform cannot function without this data.
5.3 Consent for Minors EXPANDED
- Users under 13: Cannot create accounts on this Platform. If we discover that a user is under 13, we will immediately delete their account and all associated personal information (COPPA, 15 U.S.C. s. 6502).
- Users aged 13-17: Require verified parental or guardian consent before account creation. We will request the parent/guardian's email address and send a consent notification. The parent/guardian may review, modify, or revoke consent at any time (Quebec Law 25: under-14 consent requirement; COPPA: constructive knowledge provisions).
- Users aged 14-17 in Quebec: Require parental or guardian consent per Quebec Law 25.
- Academic data for minors: (NEW) Parental consent for account creation does NOT automatically extend to academy features. Parents must provide separate consent for each applicable consent category (Categories 3, 4, and 6 above) before academic data about their child is collected, processed, or shared. This reflects the Quebec Law 25 prohibition on bundled consent and the COPPA requirement for separate consent for third-party disclosure (16 C.F.R. s. 312.5, as amended).
- Parental opt-out from reports: (NEW) Parents may opt out of receiving automated progress reports without terminating the tutoring relationship. Opting out of reports does not affect the underlying tutoring service.
See Section 12 (Children's Privacy) for complete details.
5.4 Withdrawing Consent
You may withdraw your consent at any time by:
- Updating your privacy settings in your account dashboard (per-category toggles)
- Contacting the Privacy Officer at tycpark0317@gmail.com
- Deleting your account
Withdrawal of consent is as easy as giving consent, as required by Quebec Law 25.
6. Disclosure and Sharing
We disclose your personal information only in the following circumstances:
6.1 Public Display
The following information is publicly visible on the Platform by design:
- Tutor profiles: Bio, photos, rate, subjects, location (text), online availability, short-term/trial settings
- Reviews: Reviewer's display name, rating, and comment text (displayed on the tutor's profile)
- Rankings: Aggregated ranking scores by subject (derived from reviews)
6.2 Platform Participants
- Tutors can see the profiles of students who have active bookings with them (preferred subjects, location)
- Students can see tutor profiles for search and booking purposes
- Booking parties can see booking details, session schedules, and payment records for their own bookings
- Parents/Guardians (NEW) can see: (a) their child's academic progress data (lesson plans, assignment status, session notes, grades) if the tutor has activated academy features AND the parent has consented to Category 3 (Progress Reports); (b) automated progress reports delivered to their email. Parents can only access data for their own verified child — not other students
6.3 Third-Party Service Providers
We share personal information with the following service providers, who process it on our behalf under contractual data protection obligations:
| Provider | Location | Data Shared | Purpose |
|---|---|---|---|
| Supabase Inc. | United States | All platform data (profiles, bookings, sessions, payments, reviews, academic data, lesson plans, progress reports) | Database hosting, authentication, real-time services |
| Stripe Inc. | United States | Payment identifiers, amounts, customer/subscription data, Connect account data | Payment processing, subscription billing, tutor payouts |
| Vercel Inc. | United States | Server-side request data, IP addresses, access logs | Application hosting and delivery |
| Google (Google Maps API) | United States | Location queries, geographic coordinates | Map display and geocoding |
| Google (Calendar API) NEW | United States | Free/busy calendar status only (no event content) | Calendar availability sync (opt-in only) |
| Email Service Provider NEW | United States | Parent/student email addresses, automated report content | Automated progress report delivery |
Each provider is contractually bound by a Data Processing Agreement (DPA) that requires them to protect your personal information in accordance with applicable privacy legislation. See Section 9 (Cross-Border Transfers) for details.
6.4 Legal Obligations
We may disclose personal information without consent where required by law, including:
- In response to a court order, subpoena, or lawful request by a government authority
- To comply with applicable legislation (PIPEDA s. 7(3)(c))
- To protect the rights, safety, or property of Tudius Inc., our users, or the public
6.5 Business Transfers
In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. You will be notified of any change in ownership or use of your personal information.
6.6 No Sale of Personal Information
We do NOT sell your personal information to any third party. We do NOT share your personal information with third parties for their own marketing purposes. We do NOT disclose children's personal information to third parties for targeted advertising purposes (COPPA, 16 C.F.R. s. 312.5, as amended).
7. Data Retention
We retain personal information only as long as necessary for the purposes for which it was collected, in accordance with PIPEDA Schedule 1, Principle 5 (Limiting Use, Disclosure, and Retention) and the COPPA amended rule's data retention requirements (16 C.F.R. s. 312.10, as amended).
| Data Category | Retention Period | Basis |
|---|---|---|
| Account profile data | Duration of active account + 30 days after deletion request | Service provision |
| Booking records | 7 years after booking completion | Canada Revenue Agency requirements (Income Tax Act, s. 230(1)) |
| Payment records | 7 years after transaction | CRA requirements; financial audit obligations |
| Review content | Duration of active account; anonymized or deleted upon account deletion | Service provision |
| Session tokens | Duration of authenticated session | Security |
| Server access logs | 90 days | Security monitoring and incident response |
| Breach incident records | Minimum 5 years (24-month minimum per PIPEDA s. 10.3) | PIPEDA s. 10.3; Quebec Law 25 s. 63.8 |
| Lesson plans NEW | Duration of tutoring relationship + 30 days after last session | Purpose fulfillment; tutor may export before deletion |
| Assignment records NEW | Duration of tutoring relationship + 90 days | Purpose fulfillment; needed for final report generation |
| Grade/score data NEW | Duration of tutoring relationship + 90 days | Purpose fulfillment |
| Session notes NEW | Duration of tutoring relationship + 30 days | Purpose fulfillment; may contain subjective assessments |
| Progress reports (sent) NEW | 2 years after generation | Dispute resolution and accuracy verification |
| Calendar sync data NEW | Real-time only; deleted immediately on disconnect | Data minimization |
| Parent/guardian contact info NEW | Duration of minor's account or until consent revocation | COPPA compliance + service delivery; deleted within 30 days of consent revocation |
| Accountability check-in logs NEW | 90 days (rolling window) | Operational; no long-term retention justified |
| Automated reminder logs NEW | 90 days (rolling window) | Operational |
When retention periods expire, personal information is permanently deleted or irreversibly anonymized. We do not retain children's personal information indefinitely (COPPA, 16 C.F.R. s. 312.10, as amended).
Written Data Retention Policy: In compliance with the amended COPPA rule, this Section 7 constitutes our published written data retention policy, disclosing the purposes of collection, business need for retention, and deletion timeframes for all categories of personal information.
8. Security Safeguards
We implement security safeguards appropriate to the sensitivity of the personal information, as required by PIPEDA Schedule 1, Principle 7 (Safeguards).
Technical Measures
- Encryption at rest for all stored data (provided by Supabase)
- Encryption in transit (TLS/HTTPS for all connections)
- Row-Level Security (RLS) policies on every database table, ensuring users can only access data they are authorized to see
- HTTP-only, Secure session cookies (not accessible to client-side JavaScript; prevents cross-site scripting attacks)
- Content Security Policy (CSP) headers to prevent injection attacks
- Strict Transport Security (HSTS) to enforce HTTPS connections
- Input validation on all data submissions (server-side)
- Immutable booking fields protected by database triggers (student_id, tutor_id, type, rate cannot be modified after booking creation)
- Academic data protected by role-based RLS: (NEW) Lesson plans and session notes are accessible only to the creating tutor, the enrolled student, and the student's verified parent/guardian. Tutors cannot access other tutors' lesson plans
- Parent access verification: (NEW) Parent/guardian access to student academic data requires a verified parent-student relationship, enforced at the database level
Organizational Measures
- Designated Privacy Officer responsible for privacy compliance
- Data access limited to what is necessary for each user role
- Third-party processors bound by Data Processing Agreements
- No storage of payment card data on Platform servers (PCI DSS SAQ A compliant)
Payment Security
All payment card information is collected, processed, and stored exclusively by Stripe Inc. through their PCI DSS Level 1 certified infrastructure. Our Platform is SAQ A compliant — we never receive, transmit, or store cardholder data. Only opaque Stripe-generated identifiers are stored in our database.
9. Cross-Border Transfers
Your personal information may be transferred to, stored in, and processed in the United States, where our service providers operate. The United States does not have a comprehensive federal privacy law equivalent to PIPEDA or Quebec Law 25.
In accordance with Quebec Law 25 s. 17 and PIPEDA Schedule 1, Principle 1 (Accountability), we have conducted Privacy Impact Assessments for each cross-border transfer and executed Data Processing Agreements with each provider. We have implemented the following safeguards:
| Provider | Transfer Safeguards |
|---|---|
| Supabase | Data Processing Agreement with GDPR Art. 28 terms; EU Standard Contractual Clauses; encryption at rest and in transit |
| Stripe | Data Processing Agreement; PCI DSS Level 1 certification; EU Standard Contractual Clauses |
| Vercel | Data Processing Agreement; GDPR-compliant terms; encryption in transit |
| Google Maps | Data Processing Amendment; limited to location query data |
| Google Calendar NEW | Data Processing Amendment; limited to free/busy status data only; no event content transferred |
| Email Service Provider NEW | Data Processing Agreement; processes email addresses and report content for delivery only; no data retention beyond delivery confirmation |
Tudius Inc. remains accountable for your personal information regardless of where it is processed. Our contractual arrangements with each provider require them to maintain privacy protections equivalent to those required under Canadian law.
For Quebec residents: Privacy Impact Assessments for each cross-border transfer are available upon request to the Privacy Officer.
10. Your Rights
You have the following rights regarding your personal information. To exercise any of these rights, contact the Privacy Officer at tycpark0317@gmail.com.
10.1 Right of Access (PIPEDA Principle 9)
You may request access to the personal information we hold about you. We will respond within 30 days of receiving your request. We may charge a reasonable fee for manifestly unfounded or excessive requests.
10.2 Right to Correction (PIPEDA Principle 6)
You may request correction of inaccurate or incomplete personal information. You may also update most of your information directly through your account settings.
10.3 Right to Deletion
You may request deletion of your account and personal information. Upon receiving a deletion request:
- Your profile information will be permanently deleted within 30 days
- Booking and payment records will be anonymized (personal identifiers removed) but retained for 7 years as required by the Canada Revenue Agency
- Your reviews will be anonymized or deleted
- Your follows will be deleted
- Session cookies and authentication data will be immediately invalidated
- Academic data: (NEW) Lesson plans, assignment records, session notes, and grade data will be offered for export (see Section 10.4) and then permanently deleted within 30 days
- Progress reports: (NEW) Sent reports will be anonymized (personal identifiers removed) and retained for up to 2 years for dispute resolution
- Calendar sync: (NEW) Immediately disconnected and all sync data deleted
- Parent contact info: (NEW) Deleted within 30 days (or immediately upon parent request)
10.4 Right to Data Portability EXPANDED
You may request a copy of your personal information in a structured, commonly used, machine-readable format (JSON or CSV). This right is provided under Quebec Law 25 and aligns with GDPR Art. 20 for any EU-based users.
Academic data portability: (NEW) You may export all academic data associated with your account, including lesson plans, assignment records, grades, session notes, and all progress reports ever generated. Export is available in JSON format and human-readable PDF summary. This ensures you can take your academic history with you if you switch tutors or platforms.
10.5 Right to De-indexing (Quebec Law 25 s. 28.1)
Quebec residents may request that personal information disseminated through the Platform be de-indexed from search engine results. If your profile or review information is indexed by search engines, you may request its removal. We will implement technical measures (such as noindex directives) within a reasonable time.
10.6 Right to Information About Automated Processing
You have the right to be informed about any automated decision-making that produces effects concerning you, including our tutor ranking algorithm (see Section 11) and automated progress reports (see Section 19).
10.7 Complaint Mechanism (PIPEDA Principle 10)
If you believe your privacy rights have been violated, you may:
- Contact the Privacy Officer at tycpark0317@gmail.com
- File a complaint with the Office of the Privacy Commissioner of Canada (OPC): www.priv.gc.ca
- Quebec residents: File a complaint with the Commission d'acces a l'information du Quebec (CAI): www.cai.gouv.qc.ca
- Alberta residents: File a complaint with the Office of the Information and Privacy Commissioner of Alberta (OIPC): www.oipc.ab.ca
11. Automated Decision-Making and Rankings
Our Platform uses an automated ranking system for tutors. The ranking algorithm calculates a score based on:
- Average review rating from student reviews
- Number of reviews (weighted logarithmically to avoid manipulation)
The formula is: rank_score = average_rating x ln(review_count + 1)
Rankings are calculated per subject and determine a tutor's position in search results for that subject.
Your rights regarding rankings:
- You may request an explanation of how your ranking was calculated
- You may contest your ranking position by contacting the Privacy Officer
- A human review process is available for ranking disputes
Rankings are recalculated automatically when reviews are added, updated, or deleted. No individual has the ability to manually override rankings outside of the dispute resolution process.
Automated progress reports are also a form of automated processing. See Section 19 for details on how reports are generated, your rights regarding report content, and the tutor review safeguard.
12. Children's Privacy SUBSTANTIALLY EXPANDED
Tudius Inc. takes the privacy of children seriously. As a tutoring platform that provides academy-level management tools, we recognize that our Platform serves users under 18, including students in K-12 education.
12.1 Age Requirements
- Under 13: You must be 13 years of age or older to create an account on this Platform. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13 without verifiable parental consent, we will delete that information promptly (COPPA, 15 U.S.C. s. 6502).
- Ages 13-17: Users between 13 and 17 may use the Platform only with verified parental or guardian consent.
- Under 14 (Quebec): Quebec residents under 14 require parental or guardian consent per Quebec Law 25.
12.2 Parental Consent Process
For users aged 13-17, we require:
- The minor provides a parent/guardian's email address during registration
- We send a consent notification to the parent/guardian explaining what information is collected and how it is used
- The parent/guardian must affirmatively consent before the minor's account is activated
- Parents/guardians may review their child's personal information, revoke consent, and request account deletion at any time
Academy feature consent for minors: (NEW) Parental consent for account creation does NOT automatically extend to academy features. Before academic data about a minor is collected, the parent/guardian must provide separate consent for each applicable consent category (see Section 5.2). This separate consent is required under both Quebec Law 25 (bundled consent prohibition) and the amended COPPA rule (separate consent for third-party disclosure, 16 C.F.R. s. 312.5, as amended).
12.3 Protections for Minor Accounts
For accounts identified as belonging to users under 18:
- No targeted advertising or behavioural profiling
- No sale or sharing of data for marketing purposes
- No disclosure of personal information to third parties for targeted advertising (COPPA, 16 C.F.R. s. 312.5, as amended)
- Data collection limited to what is strictly necessary for the tutoring service
- Enhanced security controls on account access
- Academic data minimization: (NEW) Academic data collected for minors is limited to what is necessary for the tutoring service. Engagement metrics designed to increase platform usage are NOT collected from minor accounts
- No AI training: (NEW) Personal information of minor users is never used for training artificial intelligence or machine learning models
- Data retention limits: (NEW) Personal information of minor users is retained only as long as reasonably necessary for the purpose for which it was collected, and is never retained indefinitely (COPPA, 16 C.F.R. s. 312.10, as amended)
12.4 COPPA 2026 Compliance REVISED
In compliance with the amended COPPA rule (effective June 23, 2025; compliance deadline April 22, 2026):
- We do not engage in targeted advertising directed at users under 13
- We do not send push notifications that monetize children's data
- We require separate parental consent before disclosing children's personal information to third parties for any purpose beyond the core tutoring service (16 C.F.R. s. 312.5, as amended)
- Data collected from minor users is limited to service necessity only
- We maintain and publish a written data retention policy (Section 7) as required by the amended rule
- We do not retain children's personal information indefinitely
- Parental access and deletion rights are fully supported
- Ed-tech context: (NEW) While the FTC did not adopt ed-tech-specific amendments in the 2026 final rule, the FTC has stated it will continue to enforce COPPA in the educational technology context consistent with its existing guidance. As a platform providing educational management tools, we apply heightened COPPA scrutiny to all academic data collected about minors
12.5 Parent Portal NEW
Parents/guardians of minor users have access to a parent portal where they can:
- View all personal information collected about their child
- View academic data (lesson plans, assignments, grades, session notes) if Category 3 consent is active
- View all automated progress reports sent about their child
- Modify or revoke consent for any consent category (Section 5.2)
- Request correction of inaccurate information in progress reports
- Request deletion of their child's account and all associated data
- Export their child's academic data in JSON or PDF format
12.6 Reporting Concerns
If you believe a child under 13 has created an account on this Platform, please contact the Privacy Officer immediately at tycpark0317@gmail.com. We will investigate and take appropriate action, including account deletion if warranted.
13. Commercial Electronic Messages (CASL) EXPANDED
In compliance with Canada's Anti-Spam Legislation (CASL, S.C. 2010, c. 23):
13.1 Transactional Messages (Exempt)
The following messages are transactional in nature and do not require separate consent:
- Email verification during account creation
- Booking confirmations and cancellation notices
- Payment receipts and subscription status updates
- Security alerts (password changes, suspicious activity)
13.2 Automated Service Messages NEW
The following automated messages are classified as transactional under CASL s. 6(6)(a) because they provide information about an ongoing service the recipient has consented to:
- Automated progress reports sent to parents/students (provided Category 3 consent is active and no promotional content is included)
- Session reminders sent to students before scheduled sessions
- Lesson plan alerts sent to tutors before sessions
- Accountability check-in notifications about specific booked sessions
13.3 Commercial Messages (Consent Required)
The following types of messages require your separate, express consent (Category 5):
- Promotional offers and discounts
- Newsletter and platform updates
- New feature announcements (beyond essential service updates)
- Marketing communications from Tudius Inc.
You may opt out of commercial messages at any time by:
- Clicking the “unsubscribe” link in any commercial email
- Updating your communication preferences in your account settings
- Contacting the Privacy Officer
Unsubscribe requests are processed within 10 business days, as required by CASL s. 11(1).
All commercial electronic messages include:
- Sender identification (Tudius Inc.)
- Contact information (Privacy Officer email and mailing address)
- Functional unsubscribe mechanism
14. Cookies and Similar Technologies
14.1 Essential Cookies
We use essential cookies that are strictly necessary for the Platform to function:
- Authentication session cookies (HTTP-only, Secure, SameSite): Maintain your login session
- CSRF protection tokens: Prevent cross-site request forgery attacks
These cookies are necessary for the Platform to operate and cannot be disabled.
14.2 No Tracking or Advertising Cookies
We do NOT use:
- Third-party tracking cookies
- Advertising or retargeting cookies
- Social media tracking pixels
- Analytics cookies that track individual users across websites
15. Data Governance
In compliance with Quebec Law 25 s. 63.3-63.4, Tudius Inc. maintains a data governance framework that includes:
- This Privacy Policy
- A data retention and destruction schedule (Section 7)
- Access request handling procedures (Section 10)
- A complaint handling process (Section 10.7)
- A confidentiality incident register (maintained internally per Law 25 s. 63.8)
- Privacy Impact Assessment records for cross-border transfers
- Privacy Impact Assessments for each academy feature (NEW) — assessed before implementation per Law 25 s. 3.3
- Written data retention policy (NEW) — published as Section 7 per amended COPPA rule
These governance documents are available upon request to the Privacy Officer.
16. Breach Notification
In the event of a security breach involving your personal information, we follow a structured response protocol in compliance with PIPEDA s. 10.1 and Quebec Law 25 s. 63.8:
- Assessment: We assess whether the breach creates a real risk of significant harm (RROSH) to affected individuals, considering the sensitivity of the information, the probability of misuse, and the number of individuals affected.
- Notification to Regulators: If a RROSH determination is made, we notify the Office of the Privacy Commissioner of Canada (OPC) as soon as feasible, and the Commission d'acces a l'information du Quebec (CAI) with diligence, if Quebec residents are affected.
- Notification to You: If the breach creates a real risk of significant harm to you, we will notify you directly, describing the nature of the breach, the types of personal information involved, steps we have taken, steps you can take, and how to contact the Privacy Officer.
- Record-Keeping: All security incidents are recorded in our confidentiality incident register and retained for a minimum of 24 months (PIPEDA s. 10.3).
- Minor-Specific Notification: (NEW) If a breach involves academic data or other personal information of minor users, we will notify the parent/guardian directly in addition to the minor's account holder.
17. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will update the “Last Updated” date at the top of this Policy
- We will notify you by email or through a prominent notice on the Platform
- Material changes take effect 30 days after notification, unless earlier compliance is required by law
- Your continued use of the Platform after the effective date constitutes acceptance of the updated Policy
For Quebec residents: Any material change to this Policy that affects your rights will be communicated to you directly, and we will obtain your renewed consent where required by Law 25.
18. Contact Information
For any questions, concerns, or requests related to this Privacy Policy or your personal information:
Response Times
- Access requests: Within 30 days (PIPEDA s. 8(3))
- Correction requests: Promptly upon verification
- Deletion requests: Within 30 days
- De-indexing requests: Within a reasonable time
- Complaints: Acknowledged within 5 business days; substantive response within 30 days
- Academic data export requests: Within 30 days (NEW)
- Consent withdrawal requests: Processed within 5 business days (NEW)
19. Academic Data and Progress Reporting NEW
This section describes how we handle academic data collected through the Platform's academy features (lesson plans, assignments, grades, session notes, and automated progress reports).
19.1 What Academic Data We Collect
When tutors activate academy features for a student, the following academic data may be collected:
- Lesson plans: Curriculum outlines, learning objectives, and session agendas created by the tutor
- Assignment records: Tasks assigned to the student, completion status, and due dates
- Grade/score data: Scores and assessments entered by the tutor
- Session notes: Post-session observations and notes recorded by the tutor
- Progress metrics: Derived data calculated from the above (e.g., completion rates, score trends)
All academic data is created and entered by the tutor. The Platform does not independently assess student academic performance.
19.2 Automated Progress Report Generation
The Platform generates automated progress reports by aggregating academic data entered by tutors. Reports summarize lesson plan coverage, assignment completion, grade trends, and tutor session notes.
How reports are generated:
- Reports are generated from data entered by the tutor and automated tracking (assignment completion timestamps, session attendance)
- Reports may be generated on a weekly or monthly schedule, as configured by the tutor
Tutor review safeguard (PIPEDA Principle 6 — Accuracy):
- Before any automated progress report is sent to a parent or student, the tutor must review and approve the report content
- Tutors may edit, correct, or withhold any report before delivery
- This safeguard is required by PIPEDA Principle 6 (Accuracy) — automated reports constitute representations of fact about student performance and must be accurate
“This report is generated based on data entered by your tutor and automated tracking. It does not constitute an official academic assessment. Contact your tutor directly for clarification or to discuss your child's progress.”
19.3 Automated Decision-Making Disclosure (Quebec Law 25 s. 12.1)
Automated progress reports constitute personal information rendered by automated processing. In compliance with Quebec Law 25 s. 12.1, we inform you that:
- Reports are generated by automated processing of academic data
- The personal information used includes lesson plans, assignment completion data, grade data, and session notes
- You have the right to contest the content of any automated report
- You may request human review of any report by contacting the Privacy Officer or your tutor directly
19.4 Academic Data Ownership and Portability
- Tutor-created content: Lesson plans and session notes are created by tutors. Tutors retain the right to export their lesson plans at any time
- Student academic records: Students (or parents of minors) may export all academic data associated with their account at any time in JSON or PDF format
- On relationship end: When a tutoring relationship ends, both the tutor and student may export their respective data. After the retention period (Section 7), academic data is permanently deleted
19.5 What Academic Data Is NOT
Academic data collected through the Platform:
- Is NOT an official academic record, transcript, or credential
- Does NOT constitute an assessment by an educational institution
- Does NOT replace or supplement Ontario Student Records (OSR) or any provincial student record system
- Cannot be used for school admission, academic placement, or official evaluation purposes
20. Calendar Integration NEW
20.1 Calendar Sync Scope
If you choose to connect your Google Calendar (Category 2 consent), the Platform accesses only your free/busy status using the calendar.freebusy Google API scope. This means:
What we CAN see:
- Whether a time slot is marked as “free” or “busy” on your calendar
What we CANNOT and DO NOT see:
- Event titles or names
- Event descriptions or notes
- Event attendees or invitees
- Event locations
- Any other event content or metadata
20.2 How Calendar Data Is Used
Free/busy data is used solely to:
- Display your availability for tutoring sessions on the Platform
- Prevent double-booking with existing calendar commitments
- Suggest available time slots to students browsing your profile
20.3 Calendar Data Handling
- Calendar data is processed in real-time and is NOT stored persistently on our servers
- We do not retain historical calendar data
- Disconnecting your calendar immediately deletes all sync data
- Calendar data is never shared with students, parents, or any third party — only the derived “available/unavailable” status is displayed
20.4 Disconnecting Calendar
You may disconnect your Google Calendar at any time through your account settings. Upon disconnection:
- All calendar sync data is deleted immediately
- Your availability display reverts to manually entered availability windows
- No residual calendar data is retained
This Privacy Policy is effective as of March 7, 2026.
This document was drafted with AI assistance and is intended as a comprehensive draft for review. It does not constitute legal advice from a licensed attorney. Tudius Inc. recommends review by qualified privacy counsel before final publication.