Privacy Policy
Last updated: 19 May 2026
1. Who we are
TutorBill ("we", "us", "our") operates the tutoring management and invoicing platform available at tutorbill.com. We are committed to protecting the personal information we collect and process in the course of providing our services.
For privacy enquiries, contact us at: privacy@tutorbill.com
2. Our commitment
We are bound by the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs). This policy explains how we handle personal information in accordance with those obligations. We also aim to comply with applicable international privacy laws, including the EU General Data Protection Regulation (GDPR) where relevant.
3. What information we collect
We collect:
- Account information — business name, name, email address, and password (stored as a one-way hash) when you register.
- Student records — student names, subject, hourly rate, and parent or guardian email addresses, as entered by tutoring businesses using our platform. These students may be minors.
- Lesson records — lesson dates, durations, subjects, notes, and completion status.
- Invoice data — invoice numbers, amounts, GST figures, payment status, and due dates.
- Organisation settings — business name, logo URL, brand colour, ABN, bank details, and Xero connection credentials.
- Usage data — page visits and feature usage collected automatically by our infrastructure providers (Vercel).
- Communication data — emails sent via our platform, including invoice emails sent to parent email addresses.
4. How we use your information
We use personal information only for the purposes for which it was collected:
- To provide and operate the lesson management and invoicing service
- To generate and send invoices to parent or guardian email addresses on behalf of tutoring businesses
- To synchronise invoice data with Xero accounting software (where connected)
- To generate financial reports including BAS summaries
- To send transactional emails (invoice delivery, password reset, tutor invitations, parent portal access)
- To maintain account security and prevent fraud
- To improve and maintain the platform
We do not sell your personal information or use it for advertising purposes.
5. Children's data
Our platform is used by tutoring businesses to manage records for their students, who may include children under the age of 18. We do not collect information directly from children. All student data is entered by adult tutoring business operators who are responsible for having appropriate consent from the student's parent or guardian to share that data with a third-party service.
If you believe a child's data has been submitted to TutorBill without proper consent, please contact us immediately at privacy@tutorbill.com and we will take prompt action.
6. Who we share your information with
We share personal information with the following third-party service providers ("subprocessors") only to the extent necessary to provide our service:
Supabase / PostgreSQL
Database hosting. All data entered into TutorBill is stored on Supabase-managed PostgreSQL servers. Supabase is SOC 2 Type II certified. Servers are located in ap-southeast-2 (Sydney, Australia).
Vercel
Application hosting and serverless functions. Vercel processes request data to serve the application. Their infrastructure is globally distributed.
Resend
Transactional email delivery. Resend processes email addresses and email content to deliver invoices, invitations, and authentication emails on our behalf.
Xero (optional)
Accounting integration. If a tutoring business connects their Xero account, invoice data (student name, amount, due date) is shared with Xero to create invoices. This integration is optional and controlled by the account administrator.
We do not share personal information with any other third parties except as required by Australian law.
7. Data retention
We retain your personal information for as long as your account is active. After account deletion:
- Invoice and financial records are retained for 7 years from the date of the transaction, as required under Australian taxation law (Tax Administration Act 1953).
- All other personal data (student names, lesson records, account details) is deleted, upon request, within 30 days of account closure.
- Email logs retained by Resend are subject to their own retention policy.
8. Your rights
Under the Australian Privacy Act and the APPs, you have the right to:
- Access the personal information we hold about you
- Correct inaccurate or incomplete personal information
- Request deletion of your personal information (subject to legal retention requirements)
- Make a complaint to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au
If you are in the EU/EEA, you also have rights under the GDPR including data portability and the right to object to processing. To exercise any of these rights, email privacy@tutorbill.com. We will respond within 30 days.
9. Cookies
TutorBill uses the following cookies:
- Session cookies (NextAuth) — required for authentication. Deleted when you close your browser or sign out.
- Parent portal session cookies — HttpOnly, Secure cookies used to maintain parent portal sessions for 30 days.
We do not use advertising cookies, tracking pixels, or third-party analytics cookies.
10. Security
We take reasonable steps to protect personal information from misuse, loss, and unauthorised access. These measures include:
- All passwords are stored as bcrypt hashes (cost factor 12) — we cannot read your password
- All data is transmitted over HTTPS (TLS 1.2+)
- Authentication tokens use HMAC-SHA256 signatures with timing-safe comparison
- Multi-tenant data isolation: each organisation's data is strictly separated at the application layer
- Sensitive credentials (API keys, database passwords) are stored as environment variables, not in code
No system is 100% secure. If you believe there has been a security breach affecting your data, contact us immediately at privacy@tutorbill.com.
11. Invoice emails to parents
Invoice emails are sent to parent/guardian email addresses on behalf of tutoring businesses. These emails are transactional in nature (relating to an existing tutoring service relationship). If you are a parent who has received an invoice email and wish to stop receiving them, please contact the tutoring business that sent the invoice directly — they control when invoices are sent.
12. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify account holders by email at least 14 days before the changes take effect. Continued use of TutorBill after changes take effect constitutes acceptance of the updated policy.
13. Contact us
For any privacy-related questions, requests, or complaints:
Email: privacy@tutorbill.com
We aim to respond to all privacy enquiries within 30 days.