Privacy Policy

    English. Other languages on request.

    Your Data. Your Trust.

    How we collect, use, and protect your personal information.

    Effective Date: December 7, 2025

    Last Updated: December 7, 2025


    1. About This Policy

    Bespoke Learning operates from Ontario, Canada and provides educational services globally. This Privacy Policy explains how we collect, use, disclose, and protect your personal information.

    We comply with applicable privacy laws including:

    • PIPEDA - Personal Information Protection and Electronic Documents Act (Canada)
    • GDPR - General Data Protection Regulation (European Union)
    • UK GDPR and Data Protection Act 2018 (United Kingdom)
    • FADP - Swiss Federal Act on Data Protection (Switzerland)
    • CCPA/CPRA - California Consumer Privacy Act (United States)
    • COPPA - Children's Online Privacy Protection Act (United States)
    • Other applicable international privacy laws where we operate

    If this Policy conflicts with a mandatory right under the law of your residence that cannot be waived, that mandatory right prevails.


    2. Information We Collect

    2.1 Personal Information

    Contact Information

    Name, email, phone number, mailing address

    Account Information

    Username, password (encrypted), profile preferences, timezone

    Educational Information

    Academic history, learning objectives, courses, assessments, progress

    Payment Information

    Billing address, payment method. Card numbers processed by Stripe.

    2.2 Session Recording and AI-Generated Data

    Audio Recording and Transcription (Core Service Feature)

    All tutoring sessions are audio recorded and transcribed using AI tools. This is required to deliver transcripts, learning analysis, and continuity between sessions.

    Video Recording (Optional): Video may be recorded only if you enable it.

    AI-Generated Content: Transcripts, session summaries, learning reports, and personalized recommendations created by AI tools.

    2.3 Technical Information

    • Usage Data: Pages visited, time spent, click patterns, session activity
    • Device Information: IP address, browser type, operating system, device identifiers
    • Cookies and Tracking: Information collected through cookies (see Cookie Policy)
    • Security & Fraud Prevention: Google reCAPTCHA collects IP address, device, and interaction data to detect bots and abuse (covered by Google Privacy Policy and Terms of Service).
    • Maps & Address Autofill: When you use address lookup or autocomplete, Google Maps/Places receives address queries and related device data to return results.

    2.4 AI Tools and Session Recording (Important)

    We use artificial intelligence tools to deliver our core learning features. Audio recording and transcription are required for service delivery; video recording remains optional.

    Audio Recording and Transcription

    • What happens: All sessions are audio recorded. Audio sent to Google Gemini for transcription. Transcripts analyzed by OpenAI ChatGPT for learning reports.
    • What data is shared: Audio of sessions; session content and discussions; student first names only (never full names).
    • Retention: Audio deleted within 24-48 hours after transcription. Transcripts retained for service duration plus 12 months.
    • Your control: Access, download, or request deletion of transcripts via hello@bespokelearning.io

    Video Recording (Optional)

    • When enabled: Captures video (face, surroundings, screen content) along with audio.
    • Retention: Videos retained for service duration plus 12 months.
    • Additional consent: Illinois residents must provide facial geometry consent under BIPA.

    AI Provider Commitments

    • Google: Processes recordings according to Cloud Services terms; does not use your data to train general AI models.
    • OpenAI: API data is not used to train OpenAI models.

    Flint (Student Chatbot)

    Optional AI chatbot for practice between sessions. Has its own privacy policy.

    Brisk (Lesson Planning)

    Assists tutors with lesson planning. No personal student data shared.

    AI Data Protection Measures

    • First names only (never full names or surnames)
    • No financial, family, address, or contact information shared with AI tools
    • Data minimization - only information necessary for educational purposes
    • Encryption in transit for all AI API connections
    • Regular review of AI provider terms and data practices

    2.5 Tutor Session Notes

    What tutors record:

    • Learning progress and observations
    • Teaching strategies that work well
    • Areas needing additional support
    • Educational recommendations

    Storage locations: Google Docs, Portal internal notes, paper notes

    Retention: During active service plus 12 months after last session

    Access: Tutor, administrative staff, and parents/students upon request

    2.6 Learning Support and Accommodation Information

    If you voluntarily share information about learning disabilities, medical conditions, accommodations, or mental health considerations, this is treated as sensitive personal information under privacy laws.

    • Used solely for appropriate educational support
    • Recorded in confidential tutor notes
    • Never shared with AI tools or third parties without explicit consent
    • You can access, correct, or request deletion of this information

    2.7 Age-Related Data Collection

    Under 13

    • Verifiable parental consent required
    • Only necessary information collected
    • Parents can review, correct, or delete

    Ages 13-17

    • Parental awareness and oversight
    • Parent Portal visibility
    • Gradual account control

    18+

    • Full independent account control
    • Can request separation from parental oversight

    3. How We Use Your Information

    Service Delivery

    • Provide tutoring and educational support
    • Match students with appropriate tutors
    • Prepare personalized lesson plans
    • Track learning progress

    Account Management

    • Create and maintain accounts
    • Process bookings and scheduling
    • Manage credits and subscriptions
    • Provide customer support

    AI-Enhanced Learning

    • Generate session transcripts
    • Create personalized learning reports
    • Provide practice chatbot interactions
    • Improve teaching strategies

    Communication

    • Send booking confirmations
    • Provide session reports
    • Respond to support requests
    • Share important service updates

    Payment Processing

    • Process payments through Stripe
    • Issue invoices
    • Comply with tax requirements

    Security & Legal

    • Detect and prevent fraud
    • Maintain system security
    • Comply with applicable laws
    • Respond to legal requests


    5. Information Sharing

    5.1 Who We Share With

    Tutors and Educational Staff

    Tutors receive: Student name, age/grade, learning goals, session history, progress notes, accommodation needs (when disclosed)

    Tutors cannot access: Billing information, full family details, communications with other tutors

    Service Providers

    Stripe: Payment processing
    Wise: Contractor payments
    Google (Gemini, Workspace): Session recording, transcription
    Google reCAPTCHA: Bot and fraud protection for forms
    Google Maps / Places: Address lookup and autofill on selected forms
    OpenAI (ChatGPT): Learning analysis
    Flint: Student practice chatbot
    Clerk: Portal authentication
    Vercel: Website hosting
    Supabase: Database services
    Zoom/Google Meet: Video conferencing
    Brevo: Marketing emails

    Google reCAPTCHA and Google Maps/Places operate under the Google Privacy Policy and Terms of Service; we use them solely for security, spam prevention, and address lookup/autofill.

    • Educational Partners: Schools or institutions you explicitly authorize
    • Legal Authorities: When required by law, court order, or to protect rights and safety
    • Business Transfers: In connection with merger, acquisition, or sale of assets

    5.2 We Do Not Sell Your Information

    We do not sell personal information in exchange for money.

    We do not use children's information for advertising purposes.


    6. International Data Transfers

    We serve students globally. Your information may be transferred to and processed in Canada, the United States, and other countries with different data protection laws.

    Safeguards we implement:

    • Standard Contractual Clauses approved by European Commission
    • Transfers only to countries with adequate protection
    • Additional technical and organizational security measures
    • Compliance with data localization requirements where applicable

    7. Data Security

    Technical Measures

    • Encryption of data in transit (TLS/SSL)
    • Encryption of sensitive data at rest
    • Secure access controls and authentication
    • Regular security audits
    • PCI-compliant payment processing

    Organizational Measures

    • Role-based access to systems and data
    • Staff training on data protection
    • Confidentiality agreements with tutors
    • Regular data backup
    • Incident response plan

    Breach notification: If a breach affects your personal information, we will notify you and relevant authorities as required by law, typically within 72 hours of discovering the breach.


    8. Data Retention

    Data Type: Retention Period
    Account data: 90 days after account deletion
    Educational records (including tutor notes): Active service + 12 months
    Audio recordings: Deleted within 24-48 hours after transcription
    Video recordings: End of contract + 12 months
    Transcripts: Duration of service + 12 months
    Financial records: Minimum 7 years (tax law)
    Marketing data: Until you unsubscribe

    9. Your Rights

    Depending on your location, you may have the following rights:

    Access

    Request copy of personal information we hold

    Rectification

    Correct inaccurate or incomplete information

    Erasure

    Request deletion (subject to limitations)

    Portability

    Receive your data in machine-readable format

    Restriction

    Request that we limit certain processing

    Objection

    Object to processing or direct marketing

    Withdraw Consent

    Withdraw consent at any time

    Access Tutor Notes

    Request copies of all tutor notes

    To exercise these rights:

    Email privacy@bespokelearning.io

    We aim to respond within 30 days (45 days for California requests).


    10. Children's Privacy

    We primarily serve students under 18 and treat children's data with special care.

    Under 13

    • Verifiable parental consent required
    • Parent creates and manages account
    • Only necessary information collected
    • Parents can review, correct, or delete

    Ages 13-17

    • Services with parental awareness
    • Parents maintain oversight via Portal
    • More autonomy as appropriate
    • No targeted advertising

    Age 18+

    • Full independent account control
    • Can request separation from parental oversight

    COPPA Compliance (US)

    • We obtain verifiable parental consent for under-13 users
    • We do not condition participation on disclosure of more information than necessary
    • We do not share children's information for advertising

    Parents: Contact privacy@bespokelearning.io to exercise children's privacy rights.


    11. California Privacy Rights (CCPA/CPRA)

    11.1 Categories of Information Collected

    • Identifiers (name, email, phone, IP address)
    • Commercial information (purchases, sessions)
    • Internet activity (browsing history)
    • Geolocation data (approximate location)
    • Education information (academic records)
    • Audio/visual information (session recordings)

    11.2 Your California Rights

    Know and Access

    Request information collected, used, or shared

    Delete

    Request deletion (subject to exceptions)

    Correct

    Request correction of inaccurate information

    Non-Discrimination

    Equal service regardless of privacy rights exercise

    11.4 How to Exercise California Rights

    Email: privacy@bespokelearning.io (Subject: "CCPA Rights Request")

    Phone: +1 (647) 770-2074 (Privacy requests must be confirmed in writing)

    GPC: We honor Global Privacy Control signals from supported browsers

    Response time: 45 days (may extend to 90 days for complex requests)


    12. Marketing and Communications

    Marketing Emails

    Newsletters, promotions, educational resources (with consent where required)

    Service Communications

    Booking confirmations, session reminders, progress reports (cannot opt out)

    How to Unsubscribe

    • Click "Unsubscribe" link in any marketing email
    • Email hello@bespokelearning.io with "Unsubscribe" in subject
    • Update preferences in Portal settings

    Processing time: Within 10 business days


    13. Changes to This Policy

    We may update this Privacy Policy from time to time.

    • Material changes: We will notify you by email or prominent website notice at least 30 days before changes take effect where feasible.
    • Continued use: Using our services after the effective date constitutes acceptance of changes.
    • "Last Updated" date: See top of this Policy for latest revision date.

    14. Contact Us

    Bespoke Learning Solutions

    Toronto, Ontario, Canada

    Note: Privacy requests require written submission (email). Phone available for general questions only.


    15. Supervisory Authorities

    If not satisfied with our response, you may lodge a complaint with:

    Canada

    Office of the Privacy Commissioner of Canada

    www.priv.gc.ca

    European Union

    Your national Data Protection Authority

    United Kingdom

    Information Commissioner's Office (ICO)

    www.ico.org.uk

    Switzerland

    Federal Data Protection and Information Commissioner (FDPIC)

    www.edoeb.admin.ch

    California

    California Privacy Protection Agency or California Attorney General

    Other Jurisdictions

    Your local data protection or privacy authority

    We encourage you to contact us first so we can resolve your concern directly.


    Appendix: Jurisdiction-Specific Provisions

    Switzerland (FADP)

    Swiss Data Protection Rights

    Under FADP, you have the right to access, rectify, request deletion, object to processing, request data portability, and lodge complaints with FDPIC.

    14-Day Withdrawal Right

    Swiss consumers have 14-day withdrawal right under Swiss Code of Obligations. Email hello@bespokelearning.io within 14 days to withdraw.

    Swiss Dispute Resolution

    Swiss users may bring claims in Swiss courts. Small claims (under CHF 30,000) may be brought in Swiss consumer courts.

    European Union (GDPR)

    GDPR Rights

    Full rights listed in Section 9 apply. Special Category Data (learning disabilities, health information) requires explicit consent under GDPR Article 9.

    14-Day Withdrawal Right

    EU consumers have 14-day withdrawal right under Consumer Rights Directive.

    EU Dispute Resolution

    Online Dispute Resolution Platform: https://ec.europa.eu/consumers/odr

    EU users may bring claims in courts of their member state of residence.

    United Kingdom (UK GDPR)

    UK Data Protection

    UK GDPR and Data Protection Act 2018 apply. Rights and processes similar to EU GDPR.

    Supervisory Authority: Information Commissioner's Office (ICO) - www.ico.org.uk, Phone: 0303 123 1113

    14-Day Cancellation Right

    UK consumers have 14-day cancellation right under Consumer Contracts Regulations 2013.

    Other Jurisdictions

    For users in jurisdictions not specifically addressed:

    • Local consumer protection laws apply where they provide greater protection
    • You have rights under local data protection laws
    • We comply with local legal requirements where we operate
    • Contact privacy@bespokelearning.io for jurisdiction-specific questions