Applies when using the Tutlio platform.
1. General provisions
This privacy policy (the Policy) explains how MB Tutlio (company code 307617263), which operates the Tutlio platform (the Service Provider, we), collects, uses and protects personal data. We operate in accordance with the laws of the Republic of Lithuania: the General Data Protection Regulation (GDPR) (EU 2016/679), the Law on Legal Protection of Personal Data of the Republic of Lithuania, laws on electronic services and electronic communications, and other applicable legislation.
2. Data Controller and Data Processor roles
When providing B2B cloud services, data protection roles are strictly separated in accordance with GDPR requirements: the Tutor / Organization (the Platform client) acts exclusively as the Data Controller for all personal data of students and their parents/guardians entered into the Platform. MB Tutlio acts exclusively as the Data Processor, within the meaning of Article 28 GDPR, for students' personal data and processes it only on the Client's instructions. MB Tutlio acts as the Data Controller only for the registration and billing data of the Tutors/Organizations themselves, meaning its direct B2B clients.
2.1. The Tutor/Organization, as Data Controller, is responsible for: legal basis; information notices; data accuracy; data subject rights.
2.2. MB Tutlio, as Data Processor, processes students' data for the following purposes: provision of the Platform; security; automated processes; payment processing.
3. What data we collect
Registration and account data of Clients: email address, first name and surname, phone number, password stored encrypted, meaning in hash format. Payment data: payment history, session payment status. Payment card or banking data is processed only through licensed partners, Stripe or UAB Perlas Finance. MB Tutlio does not see or store full payment card details or bank login data. Subscription data: subscription plan, validity date, trial use. Lesson and schedule data: lesson times, topics, notes, cancellations, sending of reminders. Student data entered by the Tutor: student names, email addresses, phone numbers, payer data for parents/guardians. Technical data: IP address, browser type, login times, for legitimate interests such as system security and prevention of abuse.
4. Use of Google API data and Google API Limited Use Policy
To provide convenient schedule management, the Platform allows users to connect their account with Google Calendar using OAuth authentication. We request access only to your Google Calendar events, with read and write permissions, so that lessons scheduled in the Platform can be synchronized with your personal calendar. Your Google calendar data is used solely to ensure two-way calendar synchronization. We do not transfer, sell or share your Google user data with any third parties, including advertising networks or other commercial partners. Tutlio's use and transfer to any other application of information received from Google APIs strictly complies with the Google API Services User Data Policy, including the Limited Use requirements.
5. Purposes and legal basis under Article 6 GDPR
We process data for: performance of a contract, including account, lesson and payment administration; legitimate interests, including platform security and billing; your consent where required by law; and compliance with legal obligations, including accounting. We use email to provide information about payments and cancellations; cancellation rules are described in the Platform Terms of Use.
6. Data retention and security
We retain data only for as long as needed to perform the contract and comply with legal requirements, such as accounting. We use appropriate technical and organizational measures, including encryption in transit and at rest, access control and automatic backups, to protect data against unauthorized access, loss or misuse.
6.1. Sub-processors
MB Tutlio uses carefully selected sub-processors that comply with GDPR requirements to provide cloud and payment infrastructure: Supabase Inc.; Stripe, Inc.; UAB Perlas Finance; Resend (Zernonia, Inc.). All sub-processors undertake to process personal data only according to our instructions and to apply the strictest security standards, including SCC contractual clauses when transferring data outside the EU.
7. Your rights under GDPR
To exercise data rights, contact us by email at info@tutlio.lt. If you are a student or a student's parent/guardian, for data entered into the Platform by your tutor or school, first contact them directly. They are your Data Controller. We will help the Data Controller technically exercise your rights, but the main responsible person is your tutor/organization. If you are a tutor/organization, you can independently manage, correct, delete or export students' data through Platform settings. Where technical assistance is needed, we will help you exercise data subject rights.
7.1. Notification of personal data breaches
If a personal data breach occurs, we will inform the Data Controller, meaning the Tutor/Organization, no later than within 72 hours after becoming aware of the breach. The Data Controller is responsible for any further notification of data subjects or supervisory authorities (VDAI) as required by GDPR.
8. Cookies and analytics
We use only necessary technical cookies required for user login, session maintenance and secure operation of the platform. We do not use third-party marketing cookies inside the Platform without separate consent.
9. Changes
This Policy may be updated as services are improved. We will inform existing clients about significant changes by email or by a notice inside the platform. By continuing to use the services after publication of changes, you agree to the updated Privacy Policy. A Data Processing Agreement (DPA) additionally applies to B2B clients.