Privacy Policy

Last updated: November 25, 2025

1. Data Controller

The data controller responsible for your personal data is:

TutorboardAI

Operator: TutorboardAI

Email: niklas.developers@gmail.com

For all questions regarding data protection and the exercise of your rights, please contact us at the above email address.

2. Information We Collect and Legal Basis

We collect information that you provide directly to us. Below is a detailed list of the data we process and the legal basis for processing:

Account Information

  • Name, email address, password (encrypted)

Legal Basis: Contract performance (Art. 6(1)(b) GDPR) - necessary to provide our services and manage your account.

Payment Information

  • Payment details (processed securely through Stripe)
  • Billing address and transaction history

Legal Basis: Contract performance (Art. 6(1)(b) GDPR) - necessary to process your payments and subscriptions.

User Content

  • Diagram prompts and generated content
  • Saved diagrams and export history

Legal Basis: Contract performance (Art. 6(1)(b) GDPR) - necessary to provide the diagram generation service.

Usage Data

  • IP address, browser type, device information
  • Pages visited, features used, timestamps
  • Cookies and similar tracking technologies

Legal Basis: Legitimate interest (Art. 6(1)(f) GDPR) - to improve our services, ensure security, and analyze usage patterns. Some analytics cookies require your consent.

Communication Data

  • Email correspondence and support tickets

Legal Basis: Legitimate interest (Art. 6(1)(f) GDPR) - to respond to your inquiries and provide customer support.

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our services
  • Process your payments and manage your subscription
  • Generate AI-powered diagrams based on your prompts
  • Send you technical notices, security alerts, and support messages
  • Respond to your comments and questions
  • Analyze usage patterns to improve user experience (with consent for analytics)
  • Comply with legal obligations
  • Protect against fraud and abuse

4. Third-Party Services

We use the following third-party service providers to operate our services:

Stripe (Payment Processing)

Stripe, Inc. processes all payment transactions. Your payment information is transmitted directly to Stripe and is not stored on our servers.

Privacy Policy: https://stripe.com/privacy

Resend (Email Service)

Resend is used to send transactional emails (verification, password reset, notifications).

Privacy Policy: https://resend.com/legal/privacy-policy

OpenAI / AI Service Providers

We use AI services to generate diagrams from your prompts. Your prompts are processed by these services but are not used to train their models.

5. Data Storage, Security, and Retention

Security Measures

We implement appropriate technical and organizational measures to protect your information from unauthorized access, alteration, disclosure, or destruction:

  • Encryption of data in transit (TLS/SSL) and at rest
  • Secure password hashing using industry-standard algorithms
  • Regular security assessments and updates
  • Access controls and authentication mechanisms
  • Secure database hosting with regular backups

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security.

Data Retention Periods

We retain your personal data only as long as necessary for the purposes outlined in this policy:

  • Account Data: Retained while your account is active and for 30 days after account deletion
  • Payment Records: Retained for 7 years to comply with tax and accounting regulations
  • Generated Diagrams: Retained while your account is active or until you delete them
  • Usage Logs: Retained for up to 12 months for security and improvement purposes
  • Email Communications: Retained for 3 years for customer support purposes
  • Cookies: Session cookies expire when you close your browser; persistent cookies last up to 12 months

After the retention period, personal data is securely deleted or anonymized.

6. International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States, where our service providers are located.

When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place:

  • EU Standard Contractual Clauses (SCCs) with service providers
  • Service providers certified under the EU-US Data Privacy Framework (where applicable)
  • Adequacy decisions by the European Commission for certain countries

You have the right to obtain information about the safeguards we use for international data transfers by contacting us.

7. Information Sharing

We do not sell, trade, or rent your personal information to third parties. We may share your information only in the following circumstances:

  • With service providers who assist in operating our services (e.g., Stripe for payments, Resend for emails)
  • When required by law or to respond to legal process
  • To protect our rights, privacy, safety, or property
  • In connection with a merger, sale, or acquisition of our business
  • With your explicit consent or at your direction

All third-party service providers are contractually obligated to protect your data and use it only for the purposes we specify.

8. Your Rights Under GDPR

Under the General Data Protection Regulation (GDPR), you have the following rights:

Right of Access (Art. 15 GDPR)

You have the right to obtain confirmation as to whether we process your personal data and, if so, to request access to that data along with information about the processing.

Right to Rectification (Art. 16 GDPR)

You have the right to request correction of inaccurate personal data and to complete incomplete personal data.

Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR)

You have the right to request deletion of your personal data when there is no legitimate reason for us to continue processing it, or when you withdraw consent.

Right to Data Portability (Art. 20 GDPR)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller. You can export your diagrams and account data from your dashboard.

Right to Restriction of Processing (Art. 18 GDPR)

You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of the data.

Right to Object (Art. 21 GDPR)

You have the right to object to processing based on legitimate interests or for direct marketing purposes at any time.

Right to Withdraw Consent (Art. 7(3) GDPR)

Where processing is based on consent, you have the right to withdraw your consent at any time. This includes withdrawing consent for analytics cookies through our cookie settings. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal.

Right to Lodge a Complaint (Art. 77 GDPR)

You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.

How to Exercise Your Rights

To exercise any of these rights, please contact us at:

Email: niklas.developers@gmail.com

We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect information about your browsing activities. Here's a detailed breakdown:

Necessary Cookies (Always Active)

These cookies are essential for the website to function and cannot be disabled:

  • Session management and authentication
  • Security tokens and CSRF protection
  • Load balancing and server routing

Legal Basis: Necessary for contract performance (Art. 6(1)(b) GDPR)

Functional Cookies (Requires Consent)

These cookies enable enhanced functionality:

  • Remembering your preferences and settings
  • Language and region preferences
  • UI customizations

Legal Basis: Consent (Art. 6(1)(a) GDPR)

Analytics Cookies (Requires Consent)

These cookies help us understand how visitors use our website:

  • Page views and user behavior
  • Feature usage statistics
  • Performance monitoring

Legal Basis: Consent (Art. 6(1)(a) GDPR)

You can manage your cookie preferences at any time through our cookie consent banner or your browser settings. Disabling necessary cookies may affect the functionality of our services. You can withdraw your consent for optional cookies at any time.

10. Children's Privacy

Our services are not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately, and we will delete such information promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the new Privacy Policy on this page and updating the "Last updated" date
  • Sending you an email notification (for significant changes)
  • Displaying a prominent notice on our website

Your continued use of our services after such modifications constitutes your acknowledgment and acceptance of the modified Privacy Policy. We encourage you to review this Privacy Policy periodically.

12. Contact Us / Data Protection Officer

If you have any questions about this Privacy Policy, our data practices, or wish to exercise your rights, please contact us at:

TutorboardAI

Data Controller: TutorboardAI

Email: niklas.developers@gmail.com

We will respond to all requests within 30 days as required by GDPR.

Right to Lodge a Complaint: If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection supervisory authority.