Privacy Policy

Last updated: May 3, 2026

This Privacy Policy explains what information Tag-a-Tutor collects, how we use it, and the rights you have over it. We try to keep this short and plain. If anything is unclear, email info@tagatutor.org and we'll explain.

Children under 13: Tag-a-Tutor's TAG feature is designed for parents to request tutoring for younger students. We only collect information about a child after a parent has signed up and entered it themselves. If you're a parent who wants information about your child removed, email us at the address above.

1. Who runs Tag-a-Tutor

Tag-a-Tutor is operated by Jack Cleveland, a student at Parish Episcopal School in Dallas, Texas. The platform is hosted on Vercel and stores its data in a managed Postgres database (Neon). We are not affiliated with any school or school district except as a service provider.

2. What we collect

Student and teacher accounts

  • From Google sign-in: name, email address, profile picture URL, and the email-domain hint Google provides (used to identify which school you belong to).
  • From your profile: grade level, free blocks/periods, subjects you can tutor or want help with, an optional bio, and any availability information you choose to enter.
  • From your activity: sessions you book or tutor, ratings and reviews you write, messages you send through the in-app chat, and help-board posts you create or claim.

Parent accounts (TAG)

  • Email address, hashed password, the school you selected, your child's name, and any notes you write about your child (free-text "anything we should know").
  • Details from each TAG request you submit: subject, your child's grade and age, learning differences if you choose to share them, what you'd like the tutor to help with, preferred method/time, and location.

Automatic technical data

  • Your IP address and basic browser/device information from server logs.
  • Session cookies that keep you signed in for up to 7 days.

We do not knowingly collect more than this. We do not run advertising trackers, social-media pixels, or third-party analytics.

3. Why we collect it

  • To run the service: showing tutors to students, routing requests to the right tutor or facilitator, sending notification emails, etc.
  • To keep school data separated: every record is tagged with a school ID so users from one school can't see data from another.
  • To keep accounts secure: detecting suspicious sign-ins and preventing unauthorized access.
  • To improve the platform: aggregate, non-identifying usage information helps us decide what to build next.

4. Who else sees your data

  • People at your school see what the role-based UI shows them: students see other students' tutoring profiles; tutors see requests addressed to them; school admins and TAG facilitators see all records at their school for the purposes of moderation and approval.
  • Subprocessors who power the platform (each governed by their own privacy commitments and acting only on our written instructions):
    • Vercel Inc. — web hosting (US).
    • Neon Inc. — managed Postgres database (US East region).
    • Google LLC — Google Sign-In (OAuth) for student/teacher authentication.
    • Zoho Corporation — outbound email delivery (notifications and password resets).
    • Cloudflare, Inc. — DNS for the tagatutor.org domain.
  • Nobody else. We do not sell user data. We do not share data with marketers or unrelated third parties. We do not use student data for advertising, profiling, or to train any artificial-intelligence model. We will only release information to law enforcement in response to a valid legal request and, where legally permitted, will notify the affected school first.

5. Children's privacy (COPPA)

The Children's Online Privacy Protection Act ("COPPA") regulates the online collection of personal information from children under 13 in the United States. Tag-a-Tutor handles COPPA compliance through two pathways:

  • School-authorized use. When a school engages Tag-a-Tutor under a Data Processing Agreement and authorizes use of the platform for educational purposes, the school may consent to the collection of student information (including from students under 13) on behalf of parents, as permitted by FTC guidance for school-authorized educational technology services. In this case, the school is responsible for parental notice; Tag-a-Tutor uses the information only to provide the agreed-upon services.
  • Direct parent submission (TAG). When a parent independently submits information about a child under 13 through the TAG request form, the parent is providing verifiable parental consent at the moment of submission, for the limited purpose of operating the TAG match.

Under either pathway, Tag-a-Tutor commits that information about children under 13 is:

  • Used only to provide the educational services described in this policy and the school's DPA;
  • Not used for behavioral advertising, third-party marketing, or AI/ML model training;
  • Not sold or rented to any third party;
  • Subject to deletion within 30 days of a verifiable parental request or of the child's account becoming inactive for 12+ months, whichever comes first.

A parent may, at any time, review, correct, or delete their child's information by signing into the parent dashboard or emailing info@tagatutor.org.

6. School privacy (FERPA)

The Family Educational Rights and Privacy Act ("FERPA") protects student education records held by schools that receive federal funding, and is the standard most U.S. schools apply regardless of funding source. When a school engages Tag-a-Tutor:

  • The school owns its data. All student, teacher, and operational records associated with a school's tenant remain the property of the school. Tag-a-Tutor holds and processes that data only as a service provider.
  • Tag-a-Tutor acts as a "school official" with "legitimate educational interest" as those terms are used in 34 CFR § 99.31(a)(1)(i)(B), under the direct control of the school with respect to the use and maintenance of education records.
  • No secondary use. Tag-a-Tutor will not redisclose personally identifiable information from education records, except as authorized by the school in writing or as required by law.
  • Parental rights. Tag-a-Tutor will support the school in fulfilling parents' FERPA rights to inspect, review, correct, or delete records held in the platform — typically by providing exports or deletions on request.
  • Data Processing Agreement. Before any school's data is loaded into the platform, Tag-a-Tutor and the school will sign a Data Processing Agreement (DPA) that codifies these commitments. Our standard DPA is available at tagatutor.org/dpa.

7. How long we keep things

  • Account records (student, tutor, parent): as long as the account is active. Inactive accounts are deleted after 24 months of inactivity unless the school instructs otherwise.
  • Session and review history: retained for the duration of the school's contract plus the current academic year, so admins can run end-of-year reports.
  • Messages: retained for the duration of the school's contract; deleted within 30 days of contract termination.
  • Server logs: 30 days, then automatically rotated.
  • On contract termination, all of a school's tenant data is exported to the school in machine-readable form and then permanently deleted from production and backups within 60 days, unless retention is required by law.

Individuals can also request deletion of their own account and associated records at any time by emailing the address at the top of this page; we will complete such requests within 30 days.

8. Security

Specific measures we take:

  • All connections use HTTPS with modern TLS.
  • Parent passwords are stored as one-way salted hashes (Werkzeug PBKDF2) — we cannot read them.
  • The Postgres database is encrypted at rest and in transit by our subprocessor (Neon) and is reachable only from authorized application hosts.
  • Session cookies are flagged Secure, HttpOnly, and SameSite=Lax.
  • Sensitive credentials (database URL, OAuth secrets, API keys) are stored as encrypted environment variables, never in source code.
  • Access to production systems is limited to the named operators identified in our DPA, each using personal credentials and two-factor authentication where available.

Breach notification. If we become aware of a confirmed data incident affecting a school's data, we will notify the school's designated security contact in writing within 72 hours, and provide reasonable assistance in any required parent or regulatory notifications. No security system is perfect — but we follow industry-standard practices for a service of this size and will say so honestly when something goes wrong.

9. Your rights

Regardless of where you live, you can:

  • Ask what information we have about you.
  • Ask us to correct it.
  • Ask us to delete it.
  • Withdraw any consent you've given us.

If you live in California, the EU, or another jurisdiction with specific privacy laws (CCPA, GDPR, etc.), you have additional rights under those laws. Email us and we'll honor them.

10. Changes to this policy

If we make material changes, we'll update the "Last updated" date at the top and, if the change is significant, notify active users by email. Continuing to use Tag-a-Tutor after a change means you accept the updated policy.

11. Contact

Questions, requests, or concerns: info@tagatutor.org.

© 2026 Tag-a-Tutor. All rights reserved.