What Tutoring Notes is

Tutoring Notes is a web application that helps private tutors record session audio, draft session notes, run a shared whiteboard during lessons, and share read-only updates with students and their families.

What data we collect

• Account information: email address, hashed password, and optional display name when you create a tutor account.
• Session notes: student names, session dates, topics, homework, assessment, plan, and links you enter.
• Session audio recordings when you use the Record or Upload feature (stored in Vercel Blob — see below).
• Whiteboard session data: timestamped stroke logs, optional PDF / image inserts, and a session snapshot used for the parent replay surface.
• Parent / guardian email addresses you enter when sending updates.
• Outbound email logs (subject, recipient, body text, share link) retained for delivery troubleshooting.
• Feedback submissions (messages and optional contact email).
• Waitlist entries (email and optional name) submitted through interest forms or contact, retained for outreach.
• Gmail OAuth tokens if you use “Connect Gmail” (see Google account and Gmail below).
• Standard technical logs (IP address, user agent, timestamps) collected by our hosting provider for security and reliability.
• LearnerProfile information: a student’s name and grade level entered when creating a student profile. For students under 13, this is personal information subject to COPPA protections.
• Session transcripts automatically generated from session audio by the OpenAI transcription service (see below). Transcripts are derived from and linked to the session audio recording.
• Parent or guardian contact information collected during the account-claim and consent flow for students, including for verifiable parental consent purposes for students under 13.

How we use your data

Your data is used solely to operate the product: signing you in, storing and displaying notes / audio / whiteboard sessions, generating share links, and sending the email updates you choose to send. We do not sell Google user data, and we do not sell personal information to data brokers, advertising platforms, or cold callers.

Sharing, disclosure, and recipients

We share or disclose information only as needed to run the product, as described below.

• Google. When you connect a Google account or use Gmail through the app, data needed for that feature is processed by Google under Google's terms and your Google account settings (OAuth tokens, API calls to send mail you initiate, and metadata Google logs as part of those APIs). We do not control Google's servers; we follow Google's applicable API and limited-use requirements for data we receive from Google APIs.
• Infrastructure and service providers. Tutoring Notes runs on hosted infrastructure and uses subprocessors that each handle a specific slice of the product:
  • Vercel — application hosting + serverless functions (US region).
  • Neon — PostgreSQL database (US region).
  • Vercel Blob — object storage for session audio and whiteboard snapshots (US region).
  • OpenAI — AI note generation and audio transcription (Whisper). See AI note generation section below.
• People you direct us to contact. When you send an email or share content from the app (for example a session update to a parent's address), the recipient receives the information you chose to send.
• Legal and safety. We may disclose information if required by law, regulation, legal process, or to protect the rights, safety, and security of users, the public, or our services.
• Business transfers. If we are involved in a merger, acquisition, or asset sale, user information may be transferred as part of that transaction; we will require the successor to honor commitments consistent with this policy or notify you as applicable law requires.

Google account and Gmail (Connect Gmail)

When you click “Connect Gmail,” the app requests permission to send email on your behalf using the Gmail API (gmail.send scope) and to read your email address (userinfo.email scope). These permissions are used exclusively to send session-update emails from your Gmail account when you click “Send update” in the app. We do not read, search, index, modify, or delete any of your existing emails. Google user data we receive through Gmail APIs is used only to provide the user-facing email- sending feature you asked for, consistent with Google's applicable API and Limited Use requirements.

We store a refresh token so the app can send on your behalf without asking you to sign in each time. OAuth tokens and related credentials are kept in server-side configuration or secure database storage, never embedded in web pages or public repositories. You can disconnect Gmail at any time from Settings → Email, which deletes the stored token; you can also revoke access directly from your Google Account security settings.

AI note generation (OpenAI)

When you use the Auto-fill from session feature, content you provide (typed notes, uploaded audio, or in-browser recording) is sent to OpenAI via their API to structure it into session notes. Your student's name and up to two recent note summaries are included as context.

OpenAI's API data usage policy states that data submitted through the API is not used to train their models. See OpenAI's API data usage policy for details. If you prefer not to send session content to OpenAI, simply do not use the Auto-fill feature — it is entirely optional.

Session audio recordings (Vercel Blob)

When you upload or record a session audio file, the recording is stored in Vercel Blob (private, US region). Audio is never publicly accessible — all playback links are short-lived signed URLs generated at render time.

Recordings are sent to OpenAI via the /v1/audio/transcriptions endpoint (Whisper) for transcription as part of the note generation flow. OpenAI acts as a subprocessor processing audio on our instructions under a data processing agreement; audio data is not used to train OpenAI’s models. Audio is not shared with any other third party.

Audio recordings of tutoring sessions may contain the voices of students, including students under 13. Audio of students under 13 is collected only with verifiable parental consent. See the Children’s data and parental rights (COPPA) section below for the applicable retention schedule and how to exercise your rights.

The Include audio recording in parent share link option is off by default. When you enable it, the parent or student can listen to the session recording on their notes page. Obtain appropriate consent before enabling this option, especially for sessions involving minors.

Where data is stored

Data is stored in a PostgreSQL database hosted on Neon (US region). The application is hosted on Vercel. Both providers maintain their own security and compliance practices.

Data retention and deletion

We retain data as long as your account exists and as needed to provide the service and meet legal obligations. Tutors can delete individual students and notes from within the app. If you want your account or all associated data deleted, contact us at the email below and we will process the request promptly.

Children’s personal information — retention schedule (COPPA §312.10). Session audio recordings, session transcripts, session notes, LearnerProfile information (name and grade level), and parent or guardian contact information for students who are minors are retained for the duration of the active tutor–student relationship and for 24 months after the account is closed, after which they are permanently deleted. We retain this information to allow tutors and parents to review session history and track student progress during and reasonably after the tutoring relationship. We do not retain children’s personal information indefinitely. Verified deletion requests (see Children’s data and parental rights below) are honored before that schedule expires.

Security

We use commercially reasonable safeguards appropriate to the sensitivity of tutoring data and the nature of our hosted software:

• Encryption in transit. All connections to the application use HTTPS (TLS).
• Password storage. Tutor account passwords are hashed with bcrypt before storage; raw passwords are never written to logs or the database.
• Hosting and data stores. We rely on Vercel and Neon's protections for servers, databases, and object storage (access controls, network isolation, and encryption at rest where the vendor provides it by default for the tiers we use).
• Authentication and access. Every tutor request requires sign-in; application logic enforces ownership boundaries so a tutor only sees their own students and sessions.
• Secrets and OAuth tokens. API keys, client secrets, and OAuth refresh tokens are kept in server-side configuration or secure storage — not embedded in web pages or public repositories.
• Limited use of Google data. Google user data obtained through Google APIs is used only to provide the user-facing features you asked for (sending mail you trigger), consistent with this policy and Google's applicable Limited Use requirements.

No method of transmission or storage is 100% secure; if you have a specific security concern, contact us using the address below.

Children

Tutoring Notes is intended for use by tutors (adults). Tutors are responsible for obtaining any parent, guardian, or organizational consent required before entering student information, recording sessions, or sending share links — including for sessions involving minors. Minors do not have tutor accounts in the app.

Parent or student share links are tokenized and revocable; a parent or guardian receives the link from the tutor and can view session content without creating an account. If you believe a tutor has shared a minor's information without appropriate consent, or that a child's personal information has been collected inappropriately, contact us at the email below and we will address it.

Children’s data and parental rights (COPPA)

Tutoring Notes is a platform designed for K–12 tutoring and knowingly collects personal information from students who may be under 13. We are subject to the Children’s Online Privacy Protection Act (COPPA), 16 CFR Part 312. We require verifiable parental consent before collecting personal information from or about a child under 13.

What children’s personal information we collect and why. For a student under 13, personal information we collect and process includes:

• Session audio recordings containing the child’s voice — collected to enable transcription and note generation for the tutor’s session record.
• Session transcripts automatically derived from audio via OpenAI (subprocessor) for note generation and session history.
• Session notes created by or for the tutor summarizing session content, topics, and progress related to the student.
• LearnerProfile information — the student’s name and grade level — to identify the student and provide contextual note generation.
• Parent or guardian contact information (email) collected during the account-claim and consent process for communication and consent purposes.

Subprocessors handling children’s data. Session audio is transmitted to OpenAI via the /v1/audio/transcriptions endpoint for transcription only. OpenAI acts as a subprocessor operating under a data processing agreement on our instructions; child audio is not used to train OpenAI’s models. Session data is stored in Vercel Blob (audio files) and Neon (database records), both US-region. No children’s personal information is shared with any other third party.

How we use children’s personal information. Children’s personal information is used exclusively to: deliver the tutoring session recording, transcription, and note-generation service; enable the tutor to review session history and track the student’s progress; and (with parental consent) allow the parent or guardian to review session content through a tokenized, revocable share link. We do not use children’s personal information for advertising, profiling, or any purpose unrelated to the child’s tutoring sessions.

Retention (COPPA §312.10). Session audio recordings, transcripts, and notes, together with LearnerProfile information (name and grade level) and parent contact information, are retained for the duration of the active tutor–student relationship and for 24 months after the account is closed, after which they are permanently deleted. We retain this information to allow tutors and parents to review session history and track student progress during and reasonably after the tutoring relationship. We do not retain children’s personal information indefinitely.

Parental rights. As a parent or legal guardian, you have the right to:

• Review the personal information we have collected from your child.
• Direct us to delete your child’s personal information.
• Revoke consent and refuse to permit further collection or use of your child’s personal information (consent revocation stops future recording).

To exercise any of these rights, contact us at arangarx+tutoringnotes@gmail.com. We will comply with verified requests as required by COPPA (16 CFR §312.6).

Consent revocation and data already collected (two tracks). Session audio recordings, transcripts, and notes are created only with a parent or guardian’s consent. Withdrawing consent stops future recording; it does not automatically delete content already created under your prior consent. As a parent or legal guardian, you may request to review or delete your child’s personal information at any time by contacting us at arangarx+tutoringnotes@gmail.com. We honor verified requests as required by the Children’s Online Privacy Protection Act (COPPA).

Educational use by the tutor. With parental consent, a child’s session recordings, transcripts, and notes may be used by the tutor for educational purposes directly related to that child’s instruction — for example, reviewing past sessions to plan future lessons or identifying recurring learning gaps. This consent is part of the account setup and is revocable going forward: revoking it stops future access for those purposes and the tutor is notified. Content already made available to the tutor under prior consent is not automatically retracted on revocation; you may request deletion of specific content separately.

Changes

We may update this policy from time to time. The “Last updated” date above will change when we do. Material changes may also be communicated in-product or by email where practical. Continued use of the app after changes means you accept the updated policy.

Contact

For privacy questions, data deletion requests, or concerns specific to Tutoring Notes, email arangarx+tutoringnotes@gmail.com. For general Mortensen Apps inquiries, see www.mortensenapps.com.