Logo New Tutor Start learning now

Privacy Policy

Effective Date: July 28, 2025

Last Updated: July 28, 2025


1. Introduction

NewTutor ("we," "us," "our"), headquartered at Startup Santarém, Largo do Infante Santo, CIES – Centro de Inovação Empresarial de Santarém, Room 12, 2005-246 Santarém, Portugal, VAT number 517798590, is committed to protecting and respecting your privacy.

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you visit our website or purchase our online course offerings, in full compliance with the EU General Data Protection Regulation (GDPR), the ePrivacy Directive, and other applicable EU laws.

By using NewTutor, you agree to the collection and use of information in accordance with this policy. We adhere to the principle of data minimization, collecting only the personal data that is necessary for the specified, explicit, and legitimate purposes outlined in this policy.


2. Data Controller

Jupiter Castle Unipessoal LDA (trading as NewTutor)

Address: Startup Santarém, Largo do Infante Santo, CIES – Room 12, 2005-246 Santarém, Portugal

Email: [email protected]

VAT No.: 517798590

Data Protection Officer (DPO): Liudmyla Myniuk

Contact Email: [email protected]

Business Hours: Monday to Friday, 10:00 AM to 4:00 PM (WET/WEST)


3. Who This Policy Applies To

This policy applies to website visitors who browse or interact with NewTutor, customers who register for and purchase our courses, and any individual whose personal data we process in connection with our services. We do not knowingly collect personal data from individuals under 18 years of age. If you are under 18, please do not provide any personal information through our platform. Should we discover that we have inadvertently collected personal data from someone under 18, we will delete such information promptly upon discovery.

We implement age verification measures through our registration process, which requires users to confirm they are 18 or older. Parents or guardians who believe their child has provided personal information to us should contact us immediately at [email protected].


4. Personal Data We Collect

4.1 Data You Provide to Us

When you register for our services, make a purchase, or interact with our platform, we collect the following personal data that you voluntarily provide: your full name, email address, taxpayer identification number (required for invoicing purposes), payment method and transaction details (processed securely through Stripe), support requests and correspondence, and newsletter subscription preferences.

4.2 Social Login Data

When you choose to authenticate using Google's social login service, we collect your Google-associated email address, public profile name, and unique platform identifier. Please note that Google's privacy policies also apply when you use their authentication services, and we recommend reviewing Google's privacy policy for information about their data practices.

4.3 Automatically Collected Data

Our systems automatically collect certain technical information necessary for platform operation and security. This includes your IP address, usage data such as course completion rates, time spent on lessons, pages visited, and learning progress, technical data including device and browser information, authentication and activity logs, and security-related information for fraud prevention and platform protection.


5. Purposes of Processing and Lawful Basis

We process your personal data only when we have a lawful basis under the GDPR. The following table outlines our processing purposes and corresponding lawful bases:

Data Type Purpose Lawful Basis
Account information Course delivery, account management Contract performance
Payment data Transaction processing, invoicing Contract performance
Taxpayer ID Legal invoicing requirements Legal obligation
Usage data Service improvement, platform security Legitimate interests
Social login data Authentication convenience Consent
Marketing preferences Newsletter communications Consent
Support communications Customer service provision Contract performance
Security logs Fraud prevention, platform security Legitimate interests

Our legitimate interests include ensuring platform security, preventing fraud, improving our services based on user behavior analysis, and maintaining the integrity of our educational platform. We have conducted balancing tests to ensure these interests do not override your fundamental rights and freedoms.


6. How We Use Your Data

We use your personal data to deliver the courses you have purchased and provide comprehensive customer support throughout your learning journey. Your information enables us to process payments securely through our payment processor Stripe and issue legally compliant invoices as required by Portuguese tax law.

We communicate with you regarding course updates, system notifications, and respond to your customer service inquiries. With your explicit consent, we may send you newsletters and promotional offers about our educational content. We analyze usage patterns and user behavior to continuously improve our platform's functionality, user experience, and educational effectiveness while maintaining your privacy.

Your data also helps us maintain platform security, prevent fraudulent activities, and ensure compliance with applicable legal obligations including tax reporting and record-keeping requirements.


7. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, and protect our legitimate interests. Account data and associated course information are retained for the duration of your active account plus seven days following account closure to ensure complete service termination.

Marketing consents and associated communications are retained until you withdraw your consent through your account settings or by contacting us directly. Customer support tickets and related communications are maintained for up to three years after the last interaction to ensure continuity of service and resolution tracking.

Invoice data is retained for ten years in accordance with Portuguese accounting and tax law requirements. We do not store complete payment card details on our systems, as these are handled securely by Stripe. Authentication logs and security-related data are retained for 90 days to maintain platform security and investigate any potential security incidents.

Course completion records, certificates, and learning progress data are maintained as long as your account remains active and until you request account deletion.

7.1 Data Deletion Process

When data reaches its retention limit, it is immediately marked for deletion in our active systems. Complete removal from our main systems occurs within seven days of the retention deadline. Our encrypted backup systems retain data for an additional seven days before permanent deletion to ensure system integrity and disaster recovery capabilities. After this period, all personal data is irreversibly deleted from our systems.


8. Data Sharing and Third-Party Processors

8.1 Subprocessors and Service Providers

We work with carefully selected third-party service providers who process personal data on our behalf under strict contractual obligations. Cloudflare provides content delivery network services, traffic protection, and maintains security logs, with data processing occurring within the EU. Stripe processes all payment transactions and maintains transaction records under PCI DSS compliance standards.

Amazon Web Services (AWS) handles our email delivery infrastructure for platform notifications and authentication emails, with all processing conducted within EU data centers. Simple Analytics provides privacy-focused website analytics without using cookies or tracking individual users. Google provides authentication services when you choose to use social login, processing only the minimum data necessary for authentication purposes.

All our subprocessors are required to implement appropriate technical and organizational measures to protect your personal data and process it only according to our documented instructions and applicable data protection laws.

8.2 Legal Disclosures

We may disclose personal data when required by law, in response to valid legal requests from public authorities, to protect our rights and property, or to investigate potential violations of our terms of service. Any such disclosures will be limited to the minimum data necessary and will comply with applicable legal requirements.

8.3 International Data Transfers

All primary data processing takes place within the European Union to ensure the highest level of data protection. For social login authentication, only the minimum necessary data is transferred to Google under GDPR-approved safeguards including Standard Contractual Clauses. We do not transfer personal data to countries outside the EEA unless adequate protection measures are in place.


9. Payment Processing and Stripe

We use Stripe, Inc. as our payment processor to handle all financial transactions securely. Stripe maintains PCI DSS compliance and implements industry-standard security measures to protect payment information. We do not store complete payment card details on our servers; this sensitive information is securely handled by Stripe's certified systems.

Stripe may transfer payment data outside the European Economic Area under Standard Contractual Clauses or adequacy decisions approved by the European Commission. For detailed information about Stripe's data practices, please review their privacy policy at https://stripe.com/privacy.

Transaction data necessary for our business operations, such as payment confirmation and invoice generation, is retained according to our data retention schedule while maintaining the highest security standards.


10. Cookies and Tracking Technologies

We use cookies and similar technologies solely for essential platform functionality and internal operational purposes. Our cookies are strictly necessary for user authentication, maintaining your session security, remembering your login status, and ensuring proper platform functionality.

We do not use cookies for advertising, marketing tracking, or behavioral analysis. We do not share cookie data with third parties for marketing purposes, nor do we create user profiles for advertising. The cookies we deploy are essential for providing you with our educational services and maintaining platform security.

You can manage cookie preferences through your browser settings, though disabling essential cookies may affect platform functionality. We do not use third-party advertising cookies or tracking pixels that follow your browsing behavior across other websites.


11. Data Security

We implement comprehensive technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. All sensitive data is encrypted both at rest and in transit using industry-standard encryption protocols. Our platform uses SSL/TLS encryption for all communications between your device and our servers.

Access to personal data is strictly controlled and limited to authorized personnel who require access to perform their job functions. We implement multi-factor authentication for administrative access and maintain detailed access logs for security monitoring. Our systems undergo regular security audits and vulnerability assessments to identify and address potential security risks.

Data backups are encrypted and stored securely with limited retention periods as outlined in our data retention policy. We maintain incident response procedures to quickly address any potential security breaches and have established protocols for notifying relevant authorities and affected individuals when required.


12. Your Rights Under GDPR

As a data subject under the GDPR, you have several important rights regarding your personal data. You have the right to access your personal data and receive information about how we process it. You can request rectification of any inaccurate or incomplete personal data we hold about you.

You have the right to request erasure of your personal data under certain circumstances, commonly known as the "right to be forgotten." You can request restriction of processing when you contest the accuracy of data, object to processing, or when we no longer need the data but you require it for legal claims.

You have the right to data portability, allowing you to receive your personal data in a structured, commonly used format and transmit it to another controller. You can object to processing based on legitimate interests or for direct marketing purposes at any time.

Where we process your data based on consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. You also have the right to lodge a complaint with the Portuguese National Data Protection Commission (CNPD) if you believe we have not handled your personal data appropriately.

12.1 Exercising Your Rights

To exercise any of these rights, you can access your account settings through the "Edit Profile" page on our platform, send an email to [email protected], or send a registered letter to our physical address. We may require identity verification to ensure the security of your personal data and prevent unauthorized access.

We will respond to your request within 30 days of receipt. In complex cases, we may extend this period by an additional 60 days and will inform you of any extension and the reasons for delay. For manifestly unfounded or excessive requests, we may charge a reasonable fee or refuse to act on the request.


13. Automated Decision-Making and Profiling

We do not engage in automated decision-making or profiling that produces legal effects or significantly affects you. Any automated processing we conduct is limited to technical functions necessary for platform operation, such as fraud detection algorithms that flag suspicious payment activities for manual review. You will not be subject to decisions based solely on automated processing that affect your access to our services or educational content.


14. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Portuguese National Data Protection Commission (CNPD) within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay.

Our breach notification will include the nature of the breach, the categories and approximate number of individuals affected, the likely consequences of the breach, and the measures we have taken or propose to take to address the breach and mitigate its adverse effects. We maintain detailed incident logs and response procedures to ensure rapid and effective breach response.


15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings. When we make significant changes that affect how we process your personal data, we will notify you by email at least 30 days before the changes take effect, provided we have your current email address.

We will also post the updated policy on our platform with a prominent notice indicating the changes. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data. Your continued use of our services after the effective date of any changes constitutes acceptance of the revised Privacy Policy.


16. Contact Information

For any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:

Email: [email protected]

Address: Startup Santarém, Largo do Infante Santo, CIES – Room 12, 2005-246 Santarém, Portugal

Business Hours: Monday to Friday, 10:00 AM to 4:00 PM (WET/WEST)

We are committed to addressing your privacy concerns promptly and transparently. Our Data Protection Officer, Liudmyla Myniuk, is available to assist with any data protection matters.


17. Supervisory Authority

If you believe we have not adequately addressed your privacy concerns or if you wish to file a complaint about our data processing practices, you may contact the Portuguese National Data Protection Commission:

National Data Protection Commission (CNPD)

Address: Av. D. Carlos I, 134, 1º, 1200-651 Lisbon, Portugal

Telephone: +351 213 928 400

Email: [email protected]

Website: https://www.cnpd.pt

The CNPD is the lead supervisory authority for data protection matters in Portugal and can provide guidance on your rights and investigate complaints about data processing activities.