Last updated: April 19, 2026. Legal entity: MB Tutlio. Contact: info@tutlio.lt.
1. General provisions
This privacy policy (hereinafter – the Policy) establishes how MB Tutlio (legal entity code to be listed in the register), operating the Tutlio platform (hereinafter – the Service Provider, we), collects, uses, and protects your personal data. We operate in accordance with the legislation of the Republic of Lithuania: the General Data Protection Regulation (GDPR) (EU 2016/679), the Lithuanian Personal Data Protection Act, electronic services and electronic communications laws, and other applicable legislation.
Contact: For questions and requests regarding data processing: info@tutlio.lt. You can send data subject rights requests to this email or through Platform settings.
2. Data controllers and roles
MB Tutlio and the Tutor/Organization (Platform client) act as joint data controllers within the meaning of GDPR Article 26 for certain data processing operations. Each controller has clearly defined obligations and responsibilities:
2.1. MB Tutlio, as a data controller, processes data for the following purposes:
- Platform provision: Ensuring platform functionality, technical support, service delivery under contract.
- Security: Technical data security, implementation of security measures, ensuring data protection.
- Automated processes: Sending automated notifications (reminders, confirmations, payment reminders) according to Tutor/Organization settings.
- Payment processing: Subscription management, payment process support together with Stripe.
- Service improvement: Platform functionality improvement, bug fixes.
2.2. The Tutor/Organization, as a data controller, is responsible for:
- Legal basis: Having a legal basis for processing all student personal data entered into the Platform (consent, contract, legitimate interest).
- Disclosure: Informing students and their parents/guardians about data processing on the Platform and providing a link to this Privacy Policy.
- Data accuracy: Ensuring that data entered into the Platform is correct and up to date.
- Data subject rights: Responding to student requests regarding their data (access, erasure, rectification, portability), using Platform features or contacting MB Tutlio for assistance.
- Business purposes: Using data for business purposes (lesson organization, communication with students, financial management).
3. What data we collect
- Registration and account data: email, full name, phone number, password (stored encrypted).
- Payment data: payment history, session payment status; card details are processed only through Stripe (we do not see full card details).
- Subscription data: subscription plan, expiration date, trial usage (one trial per account).
- Lesson and schedule data: lesson times, topics, notes, cancellations, reminder delivery.
- Students (if you are a tutor): student names, emails, phone numbers, payer (parent) details if provided.
- Technical data: IP address, browser type, login times, for legitimate interests (security, abuse prevention).
4. Google API Data Usage (Google API Limited Use Policy)
To ensure convenient schedule management, the Platform allows users to link their account with Google Calendar (using OAuth authentication). We request access only to your Google Calendar events (read and write permissions) in order to synchronize lessons scheduled on the Platform with your personal calendar.
Tutlio's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Your Google Calendar data is used exclusively for two-way calendar synchronization. We do not transfer, sell, or share your Google user data with any third parties (including advertising networks or other partners).
5. Purposes and legal bases (GDPR Art. 6)
We process data for: contract performance (account, lesson, payment administration), legitimate interests (platform security, sending cancellation and payment reminders, billing), your consent (where required), and legal compliance. We use email for payment and cancellation notifications; cancellation rules are described in the Terms of Service.
6. Data storage and security
We store data only for as long as necessary for contract performance and compliance with legal requirements (e.g., accounting). We use appropriate technical and organizational measures (encryption, access control, trusted data hosting providers including Supabase and Stripe) to protect data from unauthorized access, loss, or misuse.
6.1. Sub-processors
MB Tutlio uses the following trusted sub-processors for data processing:
- Supabase (Supabase Inc.): Database hosting and management. Data is stored in the EU region. Privacy Policy
- Stripe: Payment processing and subscription management. Privacy Policy
- Resend: Email delivery service (reminders, invitations, notifications). Privacy Policy
All sub-processors are carefully selected and comply with GDPR requirements. They commit to processing data only according to our instructions and ensuring appropriate security measures.
7. Your rights (GDPR)
You have the right to: access your data, rectify it, erase it ("right to be forgotten"), restrict processing, object, data portability, and lodge a complaint with the State Data Protection Inspectorate (VDAI). Send requests to: info@tutlio.lt. We will respond within 30 days.
Important clarifications:
- If you are a student: For data entered by your tutor, please contact them first. We will help implement your rights, but the primary responsible party is your tutor/organization.
- If you are a tutor/organization: You can manage student data through Platform settings. When needed, we will help implement data subject rights.
- Data export: You can export your data through Platform settings or by requesting our assistance.
7.1. Data security breach notification
If a data security breach occurs that may pose a risk to your rights and freedoms, we will inform you and the competent authorities within 72 hours of discovery, as required by GDPR. Tutors/Organizations using the Platform commit to immediately notifying us of any observed security incidents.
8. Cookies and analytics
We use essential cookies for login and platform operation. If we use analytics tools, this is described in the relevant information and can be managed through your browser or our settings.
9. Changes
The Policy may be updated. We will inform you about significant changes by email or through the platform. By continuing to use the services after changes are published, you agree to the updated Policy.