Privacy Policy
Last updated: April 24, 2026
This Privacy Policy explains how Upstart English Tuition ("we," "us," or "our") collects, uses, protects, and discloses the personal data of our customers ("you" or "your") when you purchase, access, or interact with our digital content through our platform. By purchasing, using, or accessing our services, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your information as described herein.
We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy is designed to comply with applicable data protection laws, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other relevant privacy regulations.
What data do we collect?
To deliver and improve our services, we may collect the following categories of personal data:
- Personal Information:
  - Name, email address, billing address, and other contact details provided during the purchase or registration process.
- Purchase and Transaction Information:
  - Details about the digital content you purchase, including transaction amounts, dates, order history, and payment method type (not the full payment details).
- Technical and Usage Information:
  - Information about your device and how you access our content, including:
    - IP address and geolocation data.
    - Browser type, version, and language preferences.
    - Device type, operating system, and screen resolution.
    - Pages visited, time spent on pages, and navigation patterns.
    - Referring URLs and exit pages.
    - Date and time stamps of access.
- Payment Information:
  - Payment details, such as credit card information, are processed securely via Stripe, a PCI-DSS compliant third-party payment processor. We never store or directly handle your full payment card details on our servers.
- Communications and Support:
  - Any messages, inquiries, feedback, or support requests you send to us, including email correspondence.
- Account Information:
  - Username, password (encrypted), account preferences, and security settings if you create an account.
- Cookies and Tracking Data:
  - Information collected through cookies, web beacons, and similar tracking technologies (see "Cookies and Tracking Technologies" section below).
How do we collect your data?
We collect data directly from you when:
- You purchase or access our digital content.
- You create an account or register for our services.
- You contact us for support, inquiries, or provide feedback.
- You subscribe to our newsletter or marketing communications.
- You participate in surveys, promotions, or contests.
- You interact with our platform or use its features.
We may also collect data automatically through:
- Cookies and Similar Technologies: When you access our platform, we use cookies, web beacons, pixels, and other tracking technologies to collect usage data.
- Analytics Services: Third-party analytics providers (such as Google Analytics) that help us understand platform usage.
- Log Files: Our servers automatically record certain information when you use the platform.
We may also receive information from:
- Payment Processors: Transaction confirmation and payment status from Stripe.
- Third-Party Services: If you choose to authenticate via third-party services (e.g., Google, OAuth providers).
- Public Sources: Information that is publicly available or provided by data partners for fraud prevention.
How do we use your data?
We use your data for the following purposes:
- Service Delivery: Deliver and manage your access to the digital content you purchase.
- Payment Processing: Process payments, issue invoices, and prevent fraudulent transactions.
- Customer Support: Respond to your inquiries, provide technical support, and resolve issues.
- Account Management: Create, maintain, and secure your account.
- Legal Compliance: Comply with legal obligations, enforce our Terms of Use, and protect our rights.
- Service Improvement: Analyze usage trends, gather feedback, and improve our offerings and user experience.
- Communication: Send transactional emails (order confirmations, receipts, account notifications) and, with your consent, marketing communications.
- Security: Detect, prevent, and address fraud, security issues, and technical problems.
- Personalization: Customize your experience and provide relevant content recommendations.
- Analytics: Understand how users interact with our platform to optimize performance.
Legal basis for processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds:
- Contract Performance: Processing is necessary to fulfill our contractual obligations to you (e.g., delivering purchased content).
- Consent: You have given explicit consent for specific processing activities (e.g., marketing emails, non-essential cookies).
- Legitimate Interests: Processing is necessary for our legitimate business interests, such as:
  - Fraud prevention and security.
  - Improving our services and platform functionality.
  - Understanding user behavior and preferences.
  - Direct marketing (where permitted by law).
- Legal Obligation: Processing is required to comply with applicable laws and regulations.
You have the right to withdraw consent at any time or object to processing based on legitimate interests.
How do we protect your payment information?
We do not collect or store your credit card information. All payment transactions are processed securely through Stripe, a trusted PCI-DSS Level 1 compliant third-party payment processor that encrypts and handles your payment data using industry-standard security measures. This ensures your financial information remains private and secure.
Stripe uses tokenization to process payments, meaning your actual payment details are never transmitted to or stored on our servers. For more information about Stripe's security practices, please visit their Privacy Policy and Security documentation.
How do we protect your data?
We take the security of your personal data seriously and implement appropriate technical and organizational measures to protect it against unauthorized access, alteration, disclosure, loss, or destruction. These measures include:
- Encryption: Data is encrypted in transit using TLS/SSL protocols and at rest where appropriate.
- Access Controls: Strict access controls limit who can access personal data to authorized personnel only.
- Secure Infrastructure: Our platform is hosted on secure, industry-standard cloud infrastructure with built-in security features.
- Regular Security Audits: We conduct regular security assessments and vulnerability testing.
- Employee Training: Our team is trained on data protection best practices and confidentiality obligations.
- Monitoring: We monitor our systems for suspicious activity and potential security breaches.
- Data Minimization: We collect only the data necessary to provide our services.
However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.
How long do we retain your data?
We retain your personal data only as long as necessary to fulfill the purposes described in this Privacy Policy or as required by law. Retention periods vary depending on the type of data and the purpose for which it was collected:
- Account Information: Retained for as long as your account is active or as needed to provide you services.
- Transaction Records: Retained for a minimum period required by tax and accounting regulations (typically 7-10 years).
- Communication Records: Retained for the duration necessary to address your inquiry or as required for legal compliance.
- Marketing Data: Retained until you withdraw consent or opt out.
- Technical and Usage Data: Typically retained for 12-24 months unless needed for security or legal purposes.
After the retention period expires, we will securely delete or anonymize your personal data. You may request earlier deletion of your data by contacting us, subject to our legal obligations to retain certain records. When you request deletion or close your account, some data may be retained for legal, regulatory, or legitimate business purposes (such as transaction records for tax compliance), cached or archived copies may take additional time to be purged, and data previously shared with third-party processors will be deleted in accordance with their retention policies and our instructions.
Who do we share your data with?
We may share your data with the following categories of third parties:
- Payment Processors:
  - Stripe: To process transactions securely and handle payment-related services.
- Service Providers and Business Partners:
  - Cloud hosting providers (for infrastructure and content delivery).
  - Analytics services (e.g., Google Analytics) to understand platform usage.
  - Email service providers for transactional and marketing communications.
  - Customer support tools and ticketing systems.
  - Content delivery networks (CDNs) for faster content distribution.
- Legal Authorities and Compliance:
  - Government authorities, law enforcement, or regulatory bodies if required by law, court order, or in response to valid legal requests.
  - To enforce our Terms of Use or protect the rights, property, or safety of Upstart English Tuition, our users, or others.
- Business Transfers:
  - In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy, your personal data may be transferred to the acquiring or successor entity. We will notify you by email and/or by a prominent notice on the platform of any such change in ownership or use of your personal data, and of any choices you may have regarding your data.
- Professional Advisors:
  - Lawyers, accountants, auditors, and other professional advisors who require access to data for business purposes.
We do not sell, rent, or share your personal data with third parties for their direct marketing purposes. All third-party service providers are contractually obligated to protect your data and use it only for the purposes for which it was disclosed.
Your rights
Depending on your location and applicable laws, you have the following rights regarding your personal data:
- Right to Access: Request copies of the personal data we hold about you.
- Right to Correction (Rectification): Request correction of inaccurate or incomplete data.
- Right to Deletion (Erasure): Request deletion of your personal data under certain conditions, subject to legal retention requirements.
- Right to Restriction: Request that we limit the processing of your data under certain circumstances.
- Right to Data Portability: Receive your data in a structured, commonly used, and machine-readable format and transfer it to another controller. This right applies only to personal data you have provided to us that we process by automated means on the basis of your consent or the performance of a contract, as set out in Article 20 GDPR.
- Right to Object: Object to the processing of your data for direct marketing, legitimate interests, or research purposes.
- Right to Withdraw Consent: If processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.
- Right Not to be Subject to Automated Decision-Making: Request human review of automated decisions that have legal or significant effects on you.
- Right to Lodge a Complaint: File a complaint with your local data protection authority if you believe your rights have been violated.
How to Exercise Your Rights:
To exercise any of these rights, please contact us at upstart.tuition@icloud.com with a clear description of your request. We will respond to your request within the timeframe required by applicable law (typically 30 days).
We may request additional information to verify your identity before processing your request. In some cases, we may be unable to fulfill your request due to legal obligations or legitimate business needs, in which case we will explain the reason for the denial.
Cookies and tracking technologies
We use cookies and similar tracking technologies to enhance your experience, analyze platform usage, and deliver personalized content. Cookies are small text files stored on your device when you visit our platform.
Where required by applicable law (including the ePrivacy Directive 2002/58/EC as implemented in the European Economic Area and the United Kingdom), non-essential cookies, web beacons, pixels, and similar technologies are only set with your prior opt-in consent, obtained before any such cookie is placed. You can grant, withdraw, or adjust your consent at any time through the cookie preferences mechanism made available on this platform. Withdrawing consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.
Types of Cookies We Use:
- Essential Cookies: Required for the platform to function properly (e.g., authentication, security, session management).
- Analytics Cookies: Help us understand how users interact with the platform (e.g., Google Analytics).
- Functional Cookies: Remember your preferences and settings.
- Marketing Cookies: Used to deliver relevant advertisements and track campaign effectiveness (with your consent where required).
Managing Cookies:
You can manage your cookie preferences through your browser settings. Most browsers allow you to:
- View and delete cookies.
- Block third-party cookies.
- Block all cookies (note: this may affect platform functionality).
- Receive notifications when cookies are set.
International data transfers
Your personal data may be transferred to, stored, and processed in countries other than your country of residence, including countries that may not have the same data protection laws as your jurisdiction.
Where personal data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a third country, we rely, as a primary matter, on one of the transfer mechanisms recognised under Chapter V of the GDPR (and its UK equivalent), namely:
- Adequacy Decisions: Transfers to countries or sectors that the European Commission (or, as applicable, the UK Government) has determined to provide an adequate level of data protection.
- Standard Contractual Clauses (SCCs): European Commission-approved SCCs (supplemented, where applicable, by the UK International Data Transfer Addendum or the UK IDTA), together with any additional technical, contractual, and organisational safeguards identified through a transfer impact assessment.
- Binding Corporate Rules: Where our service providers have approved Binding Corporate Rules in place.
Only where none of the above mechanisms is available will we rely on a derogation under Article 49 GDPR (such as transfers necessary for the performance of a contract with you or transfers based on your explicit informed consent), and we will do so on a narrow, case-by-case basis. A copy of the safeguards applied to a specific transfer can be obtained by contacting us at upstart.tuition@icloud.com.
Children's privacy
Our platform and services are intended for adults. Consistent with our Terms of Use, you must be at least 18 years old (or the age of majority in your jurisdiction) to create an account or make a purchase.
In addition:
- United States (COPPA). We do not knowingly collect, use, or disclose personal data from children under the age of 13 within the meaning of the Children's Online Privacy Protection Act.
- European Economic Area and United Kingdom (GDPR). Where the processing of a child's personal data is based on consent in connection with an information society service, such consent is only valid if given or authorised by the holder of parental responsibility over the child, in line with Article 8 GDPR. The applicable age threshold is 16, unless a lower age (not below 13) is set by the law of the user's Member State.
- Other jurisdictions. We comply with any higher or lower age thresholds mandated by the child-protection laws of the user's place of residence.
If you are a parent or guardian and believe your child has provided us with personal data, please contact us at upstart.tuition@icloud.com and we will promptly delete such information. If we discover that we have inadvertently collected personal data from a child below the applicable threshold, we will take immediate steps to delete it.
California privacy rights (CCPA/CPRA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: You can request information about the categories and specific pieces of personal data we have collected, the sources, purposes, and third parties with whom we share it.
- Right to Delete: You can request deletion of your personal data, subject to certain exceptions.
- Right to Opt-Out: You have the right to opt out of the "sale" of your personal data. We do not sell your personal data.
- Right to Correct: You can request correction of inaccurate personal data.
- Right to Limit Use of Sensitive Personal Information: If applicable, you can limit our use of sensitive personal information.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.
Shine the Light Law:
California residents may request information about the disclosure of personal information to third parties for their direct marketing purposes. We do not share personal data with third parties for their direct marketing purposes.
To Exercise Your California Rights:
Contact us at upstart.tuition@icloud.com with "California Privacy Rights" in the subject line. We will verify your identity before processing your request.
European data protection rights (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have enhanced rights under the General Data Protection Regulation (GDPR):
- All rights listed in the "Your Rights" section above apply to you.
- You have the right to lodge a complaint with your local supervisory authority (data protection authority).
- You can object to processing based on legitimate interests or for direct marketing at any time.
- You have the right to not be subject to automated decision-making, including profiling, that produces legal or significant effects.
Marketing communications
With your consent, we may send you marketing emails about our products, services, promotions, and updates. You can opt out of marketing communications at any time by:
- Clicking the "unsubscribe" link in any marketing email.
- Updating your communication preferences in your account settings.
- Contacting us at upstart.tuition@icloud.com.
Even if you opt out of marketing communications, we will still send you transactional emails related to your purchases and account (e.g., order confirmations, receipts, password resets).
Data breach notification
In the event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (where required by law).
- Notify affected users without undue delay if the breach is likely to result in high risk to your rights and freedoms.
- Provide information about the nature of the breach, potential consequences, and measures taken to mitigate harm.
We maintain incident response procedures to detect, respond to, and recover from security incidents.
Automated decision-making and profiling
We use automated systems to analyze certain data for the following purposes:
- Fraud detection and prevention. We score transactions and account activity against risk signals such as device fingerprints, IP reputation, velocity patterns, and inconsistencies between billing and access data, in order to decline, challenge, or flag transactions that appear fraudulent.
- Personalised content recommendations. We infer your likely interests from your purchase history, viewing history, and on-platform behaviour in order to surface relevant Products and content.
- Platform optimisation and performance. We analyse aggregated usage patterns to tune caching, ranking, and delivery.
The general logic of these systems consists in comparing the attributes of an event or user against statistical models and rule sets to produce a risk or relevance score. The specific weights, feature sets, and thresholds are treated as confidential and proprietary; we will describe them at a level sufficient to allow you to understand how a decision concerning you was reached, without disclosing trade secrets or compromising the integrity of our fraud-prevention systems.
In line with Article 22 GDPR, we do not, as a rule, subject you to decisions based solely on automated processing — including profiling — that produce legal effects concerning you or similarly significantly affect you. Where such processing is exceptionally necessary for entering into or performing a contract with you, is authorised by law, or is based on your explicit consent, you have the right to obtain human intervention on the part of Upstart English Tuition, to express your point of view, and to contest the decision. Requests can be made to upstart.tuition@icloud.com.
Third-party links and services
Our platform may contain links to third-party websites, services, or applications that are not operated by us. We are not responsible for the privacy practices or content of these third parties.
We encourage you to review the privacy policies of any third-party sites or services you visit. This Privacy Policy applies only to information collected through our platform.
Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational needs. Updates will be posted on this page with an updated effective date at the top.
Significant Changes:
If we make material changes to how we handle your personal data, we will provide additional notice by:
- Sending an email notification to the address associated with your account.
- Displaying a prominent notice on our platform.
- Requesting your consent where required by law.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of the platform after changes are posted constitutes your acceptance of the updated Privacy Policy.
Contact information and data protection officer
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: upstart.tuition@icloud.com
Data Protection Inquiries: For specific data protection questions, privacy rights requests, or complaints, please include "Privacy Request" or "Data Protection" in your email subject line.
Response Time: We aim to respond to all inquiries within 30 days, or within the timeframe required by applicable law.
Supervisory Authority:
If you are located in the EEA, UK, or Switzerland and believe we have not addressed your concerns adequately, you have the right to lodge a complaint with your local data protection authority.
We will make reasonable efforts to address your concerns and resolve any disputes in a timely and satisfactory manner.