GDPR Compliance
Last updated: March 2026
1. Our Commitment
Rtuition is fully committed to compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”). We are based in the European Union, and all personal data is processed in accordance with GDPR requirements. We have implemented appropriate technical and organisational measures to ensure the security and lawfulness of all data processing activities.
2. Legal Basis for Processing
We process personal data under the following legal bases:
- Consent (Article 6(1)(a) GDPR) — For account creation and the processing of your data when you register for the service.
- Legitimate interest (Article 6(1)(f) GDPR) — For service improvement, including analysis of anonymised usage patterns to enhance AI response quality and platform performance.
- Performance of a contract (Article 6(1)(b) GDPR) — For the provision of paid subscription services, including payment processing and account management.
3. Data Processing Activities
The following table outlines the categories of personal data we process, the purposes for which they are processed, and the applicable retention periods.
| Data Category | Purpose | Retention |
|---|---|---|
| Email address, name | Account authentication and communication | Until account deletion |
| Conversation history | Provide tutoring and session continuity | Until user deletes |
| Usage data | Service improvement and analytics (anonymised) | 12 months (anonymised) |
| Payment information | Subscription billing via Stripe | As required by tax law |
| Session cookies | Authentication | Session duration |
4. Sub-processors
We engage the following sub-processors to deliver our services. Each sub-processor has been assessed for GDPR compliance, and appropriate data processing agreements are in place.
| Sub-processor | Purpose | Data Location |
|---|---|---|
| Supabase | Database hosting and authentication | European Union |
| Anthropic | AI processing (Claude API) | United States (with EU safeguards) |
| Stripe | Payment processing | United States (with EU safeguards) |
5. Your Rights Under GDPR
As a data subject, you have the following rights under the GDPR:
- Right of access (Article 15) — You have the right to obtain confirmation of whether your personal data is being processed and to request a copy of that data.
- Right to rectification (Article 16) — You have the right to request the correction of inaccurate personal data.
- Right to erasure (Article 17) — You have the right to request the deletion of your personal data, subject to legal retention requirements.
- Right to restriction of processing (Article 18) — You have the right to request that we restrict the processing of your data in certain circumstances.
- Right to data portability (Article 20) — You have the right to receive your personal data in a structured, commonly used, machine-readable format.
- Right to object (Article 21) — You have the right to object to processing based on legitimate interests.
- Right to lodge a complaint — You have the right to lodge a complaint with a supervisory authority (Data Protection Authority) in your Member State.
6. How to Exercise Your Rights
To exercise any of the rights described above, please contact our GDPR team at info@rtuition.com. We will respond to your request within 30 days of receipt. If the request is complex or we receive a high volume of requests, this period may be extended by a further 60 days, in which case we will notify you of the extension and the reasons for it.
7. Data Protection Officer
Our Data Protection Officer (DPO) can be reached at info@rtuition.com. The DPO is responsible for overseeing our data protection strategy and ensuring compliance with GDPR requirements. You may contact the DPO directly with any concerns regarding the processing of your personal data.
8. International Data Transfers
Where personal data is transferred outside the European Economic Area (EEA), we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR. For data transferred to Anthropic (United States) for AI processing, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission. For data transferred to Stripe (United States) for payment processing, Stripe maintains its own GDPR compliance programme and relies on SCCs and additional supplementary measures.
9. Data Breach Notification
In the event of a personal data breach, Rtuition will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will notify affected users without undue delay, in accordance with Article 34 of the GDPR. Notifications will include the nature of the breach, the likely consequences, and the measures taken to address and mitigate its effects.
10. Cookie Policy
Rtuition uses only strictly necessary cookies as defined by Article 5(3) of the ePrivacy Directive. These cookies are essential for the functioning of the service and are limited to session authentication. As strictly necessary cookies are exempt from consent requirements under EU law, no cookie consent banner is required. We do not use any analytics, tracking, or third-party advertising cookies.