Privacy Policy
Your Data. Your Trust.
How we collect, use, and protect your personal information.
Effective Date: December 7, 2025
Last Updated: December 12, 2025
1. About This Policy
Bespoke Learning operates from Ontario, Canada and provides educational services globally. This Privacy Policy explains how we collect, use, disclose, and protect your personal information.
We comply with applicable privacy laws including:
- PIPEDA - Personal Information Protection and Electronic Documents Act (Canada)
- GDPR - General Data Protection Regulation (European Union)
- UK GDPR and Data Protection Act 2018 (United Kingdom)
- FADP - Swiss Federal Act on Data Protection (Switzerland)
- CCPA/CPRA - California Consumer Privacy Act (United States)
- COPPA - Children's Online Privacy Protection Act (United States)
- Other applicable international privacy laws where we operate
If this Policy conflicts with a mandatory right under the law of your residence that cannot be waived, that mandatory right prevails.
2. Information We Collect
2.1 Personal Information
Contact Information
Name, email, phone number, mailing address
Account Information
Username, password (encrypted), profile preferences, timezone
Educational Information
Academic history, learning objectives, courses, assessments, progress
Payment Information
Billing address, payment method. Card numbers processed by Stripe.
2.2 Session Recording and AI-Generated Data
Audio Recording and Transcription (Core Service Feature)
All tutoring sessions are audio recorded and transcribed using AI tools. This is required to deliver transcripts, learning analysis, and continuity between sessions.
Video Recording (Optional): Video may be recorded only if you enable it.
AI-Generated Content: Transcripts, session summaries, learning reports, and personalized recommendations created by AI tools.
2.3 Technical Information
- Usage Data: Pages visited, time spent, click patterns, session activity
- Device Information: IP address, browser type, operating system, device identifiers
- Cookies and Tracking: Information collected through cookies (see Cookie Policy)
- Security & Fraud Prevention: Google reCAPTCHA collects IP address, device, and interaction data to detect bots and abuse (covered by Google Privacy Policy and Terms of Service).
- Maps & Address Autofill: When you use address lookup or autocomplete, Google Maps/Places receives address queries and related device data to return results.
2.4 AI Tools and Session Recording (Important)
We use artificial intelligence tools to deliver our core learning features. Audio recording and transcription are required for service delivery; video recording remains optional.
Audio Recording and Transcription
- What happens: All sessions are audio recorded. Audio is sent to Google Gemini for transcription. Transcripts are analyzed by OpenAI ChatGPT for learning reports.
- What data is shared: Audio of sessions; session content and discussions; student first names only (never full names).
- Retention: Audio deleted within 24-48 hours after transcription. Transcripts retained for service duration plus 12 months.
- Your control: Access, download, or request deletion of transcripts via hello@bespokelearning.io
Video Recording (Optional)
- When enabled: Captures video (face, surroundings, screen content) along with audio.
- Retention: Videos retained for service duration plus 12 months.
- Additional consent: Illinois residents must provide facial geometry consent under BIPA.
AI Provider Commitments
- Google: Processes recordings according to Cloud Services terms; does not use your data to train general AI models.
- OpenAI: API data is not used to train OpenAI models.
Flint (Student Chatbot)
Optional AI chatbot for practice between sessions. Has its own privacy policy.
Brisk (Lesson Planning)
Assists tutors with lesson planning. No personal student data shared.
AI Data Protection Measures
- First names only (never full names or surnames)
- No financial, family, address, or contact information shared with AI tools
- Data minimization - only information necessary for educational purposes
- Encryption in transit for all AI API connections
- Regular review of AI provider terms and data practices
2.5 Tutor Session Notes
What tutors record:
- Learning progress and observations
- Teaching strategies that work well
- Areas needing additional support
- Educational recommendations
Storage locations: Google Docs, Portal internal notes, paper notes
Retention: During active service plus 12 months after last session
Access: Tutor, administrative staff, and parents/students upon request
2.6 Learning Support and Accommodation Information
If you voluntarily share information about learning disabilities, medical conditions, accommodations, or mental health considerations, this is treated as sensitive personal information under privacy laws.
- Used solely for appropriate educational support
- Recorded in confidential tutor notes
- Never shared with AI tools or third parties without explicit consent
- You can access, correct, or request deletion of this information
2.7 Age-Related Data Collection
Under 13
- Verifiable parental consent required
- Only necessary information collected
- Parents can review, correct, or delete
Ages 13-17
- Parental awareness and oversight
- Parent Portal visibility
- Gradual account control
18+
- Full independent account control
- Can request separation from parental oversight
3. How We Use Your Information
Service Delivery
- Provide tutoring and educational support
- Match students with appropriate tutors
- Prepare personalized lesson plans
- Track learning progress
Account Management
- Create and maintain accounts
- Process bookings and scheduling
- Manage credits and subscriptions
- Provide customer support
AI-Enhanced Learning
- Generate session transcripts
- Create personalized learning reports
- Provide practice chatbot interactions
- Improve teaching strategies
Communication
- Send booking confirmations
- Provide session reports
- Respond to support requests
- Share important service updates
Payment Processing
- Process payments through Stripe
- Issue invoices
- Comply with tax requirements
Security & Legal
- Detect and prevent fraud
- Maintain system security
- Comply with applicable laws
- Respond to legal requests
4. Legal Basis for Processing
For users in EU, UK, Switzerland, and similar jurisdictions:
Contract Performance
Providing tutoring services under our agreement with you
Legitimate Interests
Improving services, maintaining security, analytics
Consent
Marketing, optional AI features, certain cookies, session recording
Legal Obligation
Tax compliance, accounting requirements, regulatory requests
5. Information Sharing
5.1 Who We Share With
Tutors and Educational Staff
Tutors receive: Student name, age/grade, learning goals, session history, progress notes, accommodation needs (when disclosed)
Tutors cannot access: Billing information, full family details, communications with other tutors
Service Providers
Google reCAPTCHA and Google Maps/Places operate under the Google Privacy Policy and Terms of Service; we use them solely for security, spam prevention, and address lookup/autofill.
- Educational Partners: Schools or institutions you explicitly authorize
- Legal Authorities: When required by law, court order, or to protect rights and safety
- Business Transfers: In connection with merger, acquisition, or sale of assets
5.2 We Do Not Sell Your Information
We do not sell personal information in exchange for money.
We do not use children's information for advertising purposes.
6. Google Account Integration & Data Usage
Incremental Authorization
When you connect your Google account to Bespoke Learning, we use incremental authorization, meaning we only request additional permissions when you use features that need them.
6.1 What We Access
Initial Connection (Required for Basic Features)
- Calendar Events: Create and manage tutoring session events with Google Meet links
- Email Address: Identify your account and match it with your Bespoke Learning profile
Optional Permissions (Requested Only When You Use These Features)
- Google Docs: Add AI-generated feedback comments to your TOK/EE essays (requested when you click "Provide Feedback")
- Google Drive (Read-Only): View meeting notes and tutoring materials (requested when you click "View Meeting Notes")
- Full Calendar Access: Check multiple calendars for scheduling conflicts (requested when tutors add additional calendar sources)
6.2 How We Use Your Google Data
Calendar Data
- Create tutoring session events with Google Meet video links
- Send calendar invitations to students and tutors
- Check tutor availability across multiple calendars to prevent double-booking
- Sync busy/free time slots for accurate scheduling
Google Docs Data
- Read essay content to generate AI feedback (TOK and Extended Essay features)
- Add inline comments with suggestions and improvements
- Important: Document content is processed in real-time and never stored permanently
Google Drive Data
- List recent meeting notes and tutoring materials
- Display file names, dates, and preview links
- Read-only access - we never modify or delete your files
6.3 Data Storage & Security
OAuth Tokens
Encrypted and stored in Clerk (SOC 2 Type II certified)
Calendar Data
Stored in PostgreSQL database with row-level security
Document Content
Not stored - processed in memory only during feedback generation
Encryption
AES-256 at rest, TLS 1.3 in transit
Access Control: Your data is accessible only to you and your assigned tutors
6.4 Your Privacy Rights
You Control Your Data:
- Disconnect Anytime: Remove Google integration from Settings → Calendar
- Granular Permissions: Choose which optional features to enable
- Immediate Deletion: When you disconnect, all Google tokens are deleted instantly
- Revoke Access: You can also revoke access from your Google Account settings
We Never:
- ✗ Sell your data to third parties
- ✗ Use your documents for advertising
- ✗ Train AI models on your personal content
- ✗ Share your calendar or documents with anyone outside Bespoke Learning
- ✗ Access your data beyond the stated purposes
6.5 Google API Services User Data Policy
Bespoke Learning's use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.
This means:
- We only request permissions necessary for features you use
- We don't share your Google data with third parties
- We use your data solely for the tutoring services you requested
- We maintain strict security and confidentiality standards
6.6 Data Retention
| Data Type | Retention Period | Deletion |
|---|---|---|
| OAuth Tokens | Until you disconnect Google | Immediate upon disconnect |
| Calendar Events | Duration of tutoring session + 6 months | Auto-deleted after retention period |
| Document IDs | Until feature is no longer used | Deleted with your account |
| Drive File Metadata | Not stored (fetched in real-time) | N/A |
6.7 Children's Privacy (COPPA & FERPA Compliance)
For students under 18:
- Parental consent required before connecting Google account
- Educational records protected under FERPA
- Limited data collection (no behavioral tracking)
- No advertising or data selling
- Additional protections for students under 13
6.8 International Users (GDPR Compliance)
For users in the EU/EEA:
- Legal basis: Consent (you explicitly authorize Google integration)
- Right to access: View all data we have from your Google account
- Right to deletion: Disconnect Google to delete all associated data
- Right to portability: Export your calendar data from Settings
- Data Processing Agreement available upon request
Questions About Google Integration?
6. International Data Transfers
We serve students globally. Your information may be transferred to and processed in Canada, the United States, and other countries with different data protection laws.
Safeguards we implement:
- Standard Contractual Clauses approved by European Commission
- Transfers only to countries with adequate protection
- Additional technical and organizational security measures
- Compliance with data localization requirements where applicable
7. Data Security
Technical Measures
- Encryption of data in transit (TLS/SSL)
- Encryption of sensitive data at rest
- Secure access controls and authentication
- Regular security audits
- PCI-compliant payment processing
Organizational Measures
- Role-based access to systems and data
- Staff training on data protection
- Confidentiality agreements with tutors
- Regular data backup
- Incident response plan
Breach notification: If a breach affects your personal information, we will notify you and relevant authorities as required by law, typically within 72 hours of discovering the breach.
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | 90 days after account deletion |
| Educational records (including tutor notes) | Active service + 12 months |
| Audio recordings | Deleted within 24-48 hours after transcription |
| Video recordings | End of contract + 12 months |
| Transcripts | Duration of service + 12 months |
| Financial records | Minimum 7 years (tax law) |
| Marketing data | Until you unsubscribe |
9. Your Rights
Depending on your location, you may have the following rights:
Access
Request copy of personal information we hold
Rectification
Correct inaccurate or incomplete information
Erasure
Request deletion (subject to limitations)
Portability
Receive your data in machine-readable format
Restriction
Request that we limit certain processing
Objection
Object to processing or direct marketing
Withdraw Consent
Withdraw consent at any time
Access Tutor Notes
Request copies of all tutor notes
To exercise these rights:
Email privacy@bespokelearning.io
We aim to respond within 30 days (45 days for California requests).
10. Children's Privacy
We primarily serve students under 18 and treat children's data with special care.
Under 13
- Verifiable parental consent required
- Parent creates and manages account
- Only necessary information collected
- Parents can review, correct, or delete
Ages 13-17
- Services with parental awareness
- Parents maintain oversight via Portal
- More autonomy as appropriate
- No targeted advertising
Age 18+
- Full independent account control
- Can request separation from parental oversight
COPPA Compliance (US)
- We obtain verifiable parental consent for under-13 users
- We do not condition participation on disclosure of more information than necessary
- We do not share children's information for advertising
Parents: Contact privacy@bespokelearning.io to exercise children's privacy rights.
11. California Privacy Rights (CCPA/CPRA)
11.1 Categories of Information Collected
- Identifiers (name, email, phone, IP address)
- Commercial information (purchases, sessions)
- Internet activity (browsing history)
- Geolocation data (approximate location)
- Education information (academic records)
- Audio/visual information (session recordings)
11.2 Your California Rights
Know and Access
Request information collected, used, or shared
Delete
Request deletion (subject to exceptions)
Correct
Request correction of inaccurate information
Non-Discrimination
Equal service regardless of privacy rights exercise
11.4 How to Exercise California Rights
Email: privacy@bespokelearning.io (Subject: "CCPA Rights Request")
Phone: +1 (647) 770-2074 (Privacy requests must be confirmed in writing)
GPC: We honor Global Privacy Control signals from supported browsers
Response time: 45 days (may extend to 90 days for complex requests)
12. Marketing and Communications
Marketing Emails
Newsletters, promotions, educational resources (with consent where required)
Service Communications
Booking confirmations, session reminders, progress reports (cannot opt out)
How to Unsubscribe
- Click "Unsubscribe" link in any marketing email
- Email hello@bespokelearning.io with "Unsubscribe" in subject
- Update preferences in Portal settings
Processing time: Within 10 business days
13. Changes to This Policy
We may update this Privacy Policy from time to time.
- Material changes: We will notify you by email or prominent website notice at least 30 days before changes take effect where feasible.
- Continued use: Using our services after the effective date constitutes acceptance of changes.
- "Last Updated" date: See top of this Policy for latest revision date.
14. Contact Us
Bespoke Learning Solutions
Toronto, Ontario, Canada
Note: Privacy requests require written submission (email). Phone available for general questions only.
15. Supervisory Authorities
If not satisfied with our response, you may lodge a complaint with:
European Union
Your national Data Protection Authority
California
California Privacy Protection Agency or California Attorney General
Other Jurisdictions
Your local data protection or privacy authority
We encourage you to contact us first so we can resolve your concern directly.
Appendix: Jurisdiction-Specific Provisions
Switzerland (FADP)
Swiss Data Protection Rights
Under FADP, you have the right to access, rectify, request deletion, object to processing, request data portability, and lodge complaints with FDPIC.
14-Day Withdrawal Right
Swiss consumers have a 14-day withdrawal right under the Swiss Code of Obligations. Email hello@bespokelearning.io within 14 days to withdraw.
Swiss Dispute Resolution
Swiss users may bring claims in Swiss courts. Small claims (under CHF 30,000) may be brought in Swiss consumer courts.
European Union (GDPR)
GDPR Rights
Full rights listed in Section 9 apply. Special Category Data (learning disabilities, health information) requires explicit consent under GDPR Article 9.
14-Day Withdrawal Right
EU consumers have a 14-day withdrawal right under the Consumer Rights Directive.
EU Dispute Resolution
Online Dispute Resolution Platform: https://ec.europa.eu/consumers/odr
EU users may bring claims in courts of their member state of residence.
United Kingdom (UK GDPR)
UK Data Protection
UK GDPR and Data Protection Act 2018 apply. Rights and processes similar to EU GDPR.
Supervisory Authority: Information Commissioner's Office (ICO) - www.ico.org.uk, Phone: 0303 123 1113
14-Day Cancellation Right
UK consumers have a 14-day cancellation right under the Consumer Contracts Regulations 2013.
Other Jurisdictions
For users in jurisdictions not specifically addressed:
- Local consumer protection laws apply where they provide greater protection
- You have rights under local data protection laws
- We comply with local legal requirements where we operate
- Contact privacy@bespokelearning.io for jurisdiction-specific questions