Privacy Policy

What Tutoring Notes is

Tutoring Notes is a web application that helps private tutors record session audio, draft session notes, run a shared whiteboard during lessons, and share read-only updates with students and their families.

What data we collect

• Account information: email address, hashed password, and optional display name when you create a tutor account.
• Session notes: student names, session dates, topics, homework, assessment, plan, and links you enter.
• Session audio recordings when you use the Record or Upload feature (stored in Vercel Blob — see below).
• Whiteboard session data: timestamped stroke logs, optional PDF / image inserts, and a session snapshot used for the parent replay surface.
• Parent / guardian email addresses you enter when sending updates.
• Outbound email logs (subject, recipient, body text, share link) retained for delivery troubleshooting.
• Feedback submissions (messages and optional contact email).
• Waitlist entries (email and optional name) submitted through interest forms or contact, retained for outreach.
• Gmail OAuth tokens if you use “Connect Gmail” (see Google account and Gmail below).
• Standard technical logs (IP address, user agent, timestamps) collected by our hosting provider for security and reliability.

How we use your data

Your data is used solely to operate the product: signing you in, storing and displaying notes / audio / whiteboard sessions, generating share links, and sending the email updates you choose to send. We do not sell Google user data, and we do not sell personal information to data brokers, advertising platforms, or cold callers.

Sharing, disclosure, and recipients

We share or disclose information only as needed to run the product, as described below.

• Google. When you connect a Google account or use Gmail through the app, data needed for that feature is processed by Google under Google's terms and your Google account settings (OAuth tokens, API calls to send mail you initiate, and metadata Google logs as part of those APIs). We do not control Google's servers; we follow Google's applicable API and limited-use requirements for data we receive from Google APIs.
• Infrastructure and service providers. Tutoring Notes runs on hosted infrastructure and uses subprocessors that each handle a specific slice of the product:
  • Vercel — application hosting + serverless functions (US region).
  • Neon — PostgreSQL database (US region).
  • Vercel Blob — object storage for session audio and whiteboard snapshots (US region).
  • OpenAI — AI note generation and audio transcription (Whisper). See AI note generation section below.
• People you direct us to contact. When you send an email or share content from the app (for example a session update to a parent's address), the recipient receives the information you chose to send.
• Legal and safety. We may disclose information if required by law, regulation, legal process, or to protect the rights, safety, and security of users, the public, or our services.
• Business transfers. If we are involved in a merger, acquisition, or asset sale, user information may be transferred as part of that transaction; we will require the successor to honor commitments consistent with this policy or notify you as applicable law requires.

Google account and Gmail (Connect Gmail)

When you click “Connect Gmail,” the app requests permission to send email on your behalf using the Gmail API (gmail.send scope) and to read your email address (userinfo.email scope). These permissions are used exclusively to send session-update emails from your Gmail account when you click “Send update” in the app. We do not read, search, index, modify, or delete any of your existing emails. Google user data we receive through Gmail APIs is used only to provide the user-facing email- sending feature you asked for, consistent with Google's applicable API and Limited Use requirements.

We store a refresh token so the app can send on your behalf without asking you to sign in each time. OAuth tokens and related credentials are kept in server-side configuration or secure database storage, never embedded in web pages or public repositories. You can disconnect Gmail at any time from Settings → Email, which deletes the stored token; you can also revoke access directly from your Google Account security settings.

AI note generation (OpenAI)

When you use the Auto-fill from session feature, content you provide (typed notes, uploaded audio, or in-browser recording) is sent to OpenAI via their API to structure it into session notes. Your student's name and up to two recent note summaries are included as context.

OpenAI's API data usage policy states that data submitted through the API is not used to train their models. See OpenAI's API data usage policy for details. If you prefer not to send session content to OpenAI, simply do not use the Auto-fill feature — it is entirely optional.

Session audio recordings (Vercel Blob)

When you upload or record a session audio file, the recording is stored in Vercel Blob (private, US region). Audio is never publicly accessible — all playback links are short-lived signed URLs generated at render time.

Recordings are sent to OpenAI Whisper for transcription as part of the note generation flow. The same API data policy applies: data is not used for training. Audio is not shared with any other third party.

The Include audio recording in parent share link option is off by default. When you enable it, the parent or student can listen to the session recording on their notes page. Obtain appropriate consent before enabling this option, especially for sessions involving minors.

Where data is stored

Data is stored in a PostgreSQL database hosted on Neon (US region). The application is hosted on Vercel. Both providers maintain their own security and compliance practices.

Data retention and deletion

We retain data as long as your account exists and as needed to provide the service and meet legal obligations. Tutors can delete individual students and notes from within the app. If you want your account or all associated data deleted, contact us at the email below and we will process the request promptly.

Security

We use commercially reasonable safeguards appropriate to the sensitivity of tutoring data and the nature of our hosted software:

• Encryption in transit. All connections to the application use HTTPS (TLS).
• Password storage. Tutor account passwords are hashed with bcrypt before storage; raw passwords are never written to logs or the database.
• Hosting and data stores. We rely on Vercel and Neon's protections for servers, databases, and object storage (access controls, network isolation, and encryption at rest where the vendor provides it by default for the tiers we use).
• Authentication and access. Every tutor request requires sign-in; application logic enforces ownership boundaries so a tutor only sees their own students and sessions.
• Secrets and OAuth tokens. API keys, client secrets, and OAuth refresh tokens are kept in server-side configuration or secure storage — not embedded in web pages or public repositories.
• Limited use of Google data. Google user data obtained through Google APIs is used only to provide the user-facing features you asked for (sending mail you trigger), consistent with this policy and Google's applicable Limited Use requirements.

No method of transmission or storage is 100% secure; if you have a specific security concern, contact us using the address below.

Children

Tutoring Notes is intended for use by tutors (adults). Tutors are responsible for obtaining any parent, guardian, or organizational consent required before entering student information, recording sessions, or sending share links — including for sessions involving minors. Minors do not have tutor accounts in the app.

Parent or student share links are tokenized and revocable; a parent or guardian receives the link from the tutor and can view session content without creating an account. If you believe a tutor has shared a minor's information without appropriate consent, or that a child's personal information has been collected inappropriately, contact us at the email below and we will address it.

Changes

We may update this policy from time to time. The “Last updated” date above will change when we do. Material changes may also be communicated in-product or by email where practical. Continued use of the app after changes means you accept the updated policy.

Contact

For privacy questions, data deletion requests, or concerns specific to Tutoring Notes, email arangarx+tutoringnotes@gmail.com. For general Mortensen Apps inquiries, see www.mortensenapps.com.