TeachersFlow (accessible via the TeachersFlow web app)
Last updated: April 6, 2026
Effective date: April 6, 2026
1. Introduction
This Privacy Policy explains how TeachersFlow ("we", "us", "our", the "Service") collects, uses, stores, and protects your personal data when you use our web app for managing tutoring activities.
We are committed to protecting your privacy in compliance with:
- General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679
- Law of Georgia on Personal Data Protection
- TeachersFlow Terms of Service
By using TeachersFlow, you agree to the collection and use of information in accordance with this policy.
2. Data Controller
Service: TeachersFlow
Data Controller: Individual Entrepreneur Eduard Abdullin (Georgia)
Operating as: TeachersFlow
Registered address: Tbilisi, Georgia
Website: https://teachersflow.app
Contact email: [email protected]
As an individual entrepreneur processing data on a limited scale, we are not required to appoint a Data Protection Officer (DPO) under GDPR Article 37. For all data protection inquiries, contact us at [email protected].
3. Data We Collect
3.1 Account Data
When you register or sign in, we store:
| Data | Purpose | Legal Basis |
|---|---|---|
| Account ID | Account identification | Legitimate interest / Contract performance |
| Email address | Authentication, notifications, account recovery | Contract performance |
| First name | Display in the application | Contract performance |
| Last name | Display in the application | Contract performance |
| Language preference | Interface localization | Contract performance |
| Currency preference | Payment display and formatting | Contract performance |
| Timezone | Schedule display in your local time | Contract performance |
We do NOT collect: phone numbers, physical addresses, or any data beyond what is required to provide the Service.
3.2 Data You Provide
As a teacher using the Service, you may enter the following data about your students:
- Student names
- Free-form notes about students
- Lesson balance and pricing information
- Student contact identifiers (optional)
- Schedule information (days, times, duration of lessons)
- Group names and membership
- Payment records (number of lessons, confirmation status)
Important: We do not process real financial transactions for lesson payments. The Service only tracks payment status between teachers and students. Actual money transfers happen outside the application.
3.3 Subscription Payment Data
If you subscribe to a paid plan (Starter or Pro), payment is processed through a third-party payment provider. We receive and store from the payment provider:
- Transaction identifier
- Subscription amount and currency
- Subscription period and expiration date
- Payment status
We do NOT receive or store: credit card numbers, bank account details, or any other direct financial instruments. All payment processing is handled by the payment provider under their own privacy policy.
3.4 Analytics Data
We collect anonymized usage analytics to improve the Service:
- Product events: page views, feature usage (e.g., "lesson created", "student added") — stored in our own database without personally identifiable information tied to external parties
- Self-hosted web analytics (Umami): page views and custom events; Umami is self-hosted on our servers, no data is sent to third parties; campaign parameters are stripped from URLs before tracking
- Error tracking (Sentry): application error reports; Personally Identifiable Information (PII) is disabled in our Sentry configuration; only technical error details are transmitted
3.5 Technical Data
- JWT authentication tokens (stored in a secure httpOnly cookie in your browser)
- Request timestamps and IP addresses in server logs (retained for security purposes)
4. How We Use Your Data
We use collected data exclusively for:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing the Service (schedule management, student tracking) | Art. 6(1)(b) — Contract performance |
| User authentication via email/password | Art. 6(1)(b) — Contract performance |
| Sending lesson reminders and notifications via in-app and email channels | Art. 6(1)(b) — Contract performance |
| Processing subscription payments | Art. 6(1)(b) — Contract performance |
| Application error monitoring and debugging | Art. 6(1)(f) — Legitimate interest |
| Usage analytics to improve the Service | Art. 6(1)(f) — Legitimate interest |
| Ensuring security and preventing abuse (rate limiting, fraud prevention) | Art. 6(1)(f) — Legitimate interest |
We do NOT:
- Sell your data to third parties
- Use your data for advertising or profiling
- Share individual-level data with third parties for marketing purposes
- Make automated decisions that produce legal effects concerning you
5. Third-Party Services
We use the following third-party services:
| Service | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Email Delivery Providers (SMTP) | Email delivery and notification routing | Email address and message metadata | Provider-specific privacy policies |
| Google Sign-In (GSI) | OAuth authentication provider | Email address, first name, last name, profile picture, Google user ID | https://policies.google.com/privacy |
| Google Calendar API | Optional calendar synchronization for lesson scheduling | Calendar events, OAuth tokens | https://policies.google.com/privacy |
| Paddle | Merchant of record for paid subscriptions (Starter and Pro plans) | User ID, email, payment amounts, subscription status | https://www.paddle.com/legal/privacy |
| Telegram Bot API | Account linking and payment processing via Tribute | Telegram user ID, username | https://telegram.org/privacy |
| Sentry | Error tracking (PII disabled) | Error stack traces only, no personal data | https://sentry.io/privacy/ |
| Google Ads | Conversion tracking on the landing page and web app (loaded only with user consent via cookie consent banner; conversion event fires on successful registration only) | Anonymized page visit data, registration conversion events | https://policies.google.com/privacy |
We also use self-hosted analytics tools that run on our own server — no data is sent to third parties through them.
6. Data Storage and Security
6.1 Storage
- All data is stored on a single dedicated server within the EU
6.2 Security Measures
- Encryption in transit: All connections are encrypted via TLS/SSL
- Authentication: Email/password + JWT tokens
- Network security: Firewall, intrusion prevention, database accessible only locally
- Rate limiting: Per-user request rate limiting to prevent abuse
7. Data Retention
- Active accounts: Data is retained for as long as your account is active
- Inactive accounts: Accounts with no activity for 180 days (6 months) are automatically eligible for deletion through our data retention system
- Server logs: Retained for 30 days for security and debugging purposes, then automatically rotated and deleted
- Analytics events: Retained for 365 days (1 year) for product improvement, then automatically purged
- Database backups: Retained for 14 days, then automatically deleted
- Deleted account data: When you delete your account, all personal data is removed immediately from the active database. Data may persist in encrypted backups for up to 14 days before automatic deletion. A deletion audit log ensures that deleted accounts are not restored from backups
You may request earlier deletion of your data at any time (see Section 9).
8. International Data Transfers
Our server is hosted by Hetzner, a German company. Your data may be stored and processed within the European Union. We do not intentionally transfer personal data outside the EU/EEA, except:
- Email delivery providers: Notification delivery infrastructure may process message metadata in various jurisdictions according to provider privacy policies.
- Sentry: Error reports (without PII) may be processed by Sentry's servers. See Sentry's privacy policy.
- Paddle: Payment processing may involve servers outside the EU/EEA. Paddle acts as merchant of record and processes payments under their own data controller obligations. See Paddle's Privacy Policy.
- Google Services (Sign-In, Calendar, Ads): Google may process data internationally. Google complies with the EU-US Data Privacy Framework. See Google's Privacy Policy.
Where data is transferred outside the EU/EEA, we rely on the service provider's compliance mechanisms, including EU Standard Contractual Clauses (SCCs) and adequacy decisions where applicable.
9. Your Rights
Under GDPR (EU residents)
You have the right to:
- Access — Request a copy of your personal data (Art. 15)
- Rectification — Request correction of inaccurate data (Art. 16)
- Erasure ("Right to be forgotten") — Request deletion of your data (Art. 17)
- Restriction — Request restriction of processing (Art. 18)
- Data portability — Receive your data in a structured, machine-readable format (Art. 20)
- Objection — Object to processing based on legitimate interest (Art. 21)
- Lodge a complaint with a supervisory authority
Under the Law of Georgia on Personal Data Protection
You have the right to:
- Access your personal data and information about its processing
- Request correction, updating, blocking, or deletion of your personal data where required by law
- Withdraw consent to personal data processing at any time (when processing is based on consent)
- Lodge a complaint with the competent supervisory authority in Georgia
How to Exercise Your Rights
Contact us at [email protected] with your request. We will respond within the timeframe required by applicable law. We may ask you to verify your identity via your account email.
To delete your account and all associated data, you may also use the in-app functionality or contact us directly.
10. Children's Privacy
TeachersFlow is not intended for use by individuals under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete such data.
Teachers may store information about their students who may be minors. The teacher is responsible for ensuring they have appropriate authorization to store such data.
11. Cookies and Local Storage
TeachersFlow uses the following browser storage:
11.1 Strictly Necessary Cookie
teachersbot_jwt — an httpOnly, Secure cookie containing your authentication token (JWT). This cookie is essential for maintaining your session and does not require consent under the ePrivacy Directive. Max-age: 30 days.
11.2 Optional Cookies (Consent Required)
On our landing page (teachersflow.app), Google Ads may set conversion tracking cookies (e.g., _gcl_aw). These cookies are loaded only after you give explicit consent via the cookie consent banner. You may withdraw consent at any time by clearing your browser's localStorage entry tf_cookie_consent.
11.3 Local Storage
We use browser localStorage to store:
- Cookie consent preference (tf_cookie_consent)
- Last visit timestamp for retention analytics
- User interface preferences
Language preference is stored on the server as part of your account settings, not in localStorage.
localStorage data is stored only on your device and is not transmitted to third parties.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Changes will be indicated by updating the "Last updated" date at the top of this document. We encourage you to review this page periodically.
For significant changes, we may notify you via email and in-app notifications.
13. Contact Us
For any questions about this Privacy Policy or your personal data:
- Email: [email protected]
- Support: [email protected]