Privacy Policy
Last updated: March 18, 2026
1. Introduction
Student Portal ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use, store, and protect your personal data when you use the studentportalua.com platform.
By using our service, you agree to the terms of this Privacy Policy. If you do not agree, please do not use the platform.
2. Information We Collect
2.1. Information You Provide
- Full name
- Email address
- Phone number (optional)
- Profile photo (optional)
- Google account data when signing in with Google
- Schedule, lesson, assignment, and payment data
- Chat messages between students and teachers
2.2. Automatically Collected Information
- IP address and device type
- Browser type and operating system
- Date and time of actions on the platform
- Pages you visit
- UI theme and language preferences
- Technical error reports (via Sentry)
2.3. Google Calendar Data
If you connect Google Calendar, we access and process:
- Your calendar event list (for lesson import)
- Event titles, dates, times, and descriptions
- OAuth access and refresh tokens (stored encrypted)
We do not permanently store calendar event data — events are only read upon explicit import request or to sync lesson changes. You can revoke Google Calendar access at any time via the platform settings or directly at myaccount.google.com/permissions.
Use of Google Calendar data is limited to providing and improving schedule sync features. We do not share Google Calendar data with third parties and do not use it for advertising.
3. How We Use Your Information
- Providing and improving the service
- Creating and managing your account
- Organizing lesson schedule and syncing with Google Calendar
- Sending email notifications about lessons, assignments, and schedule changes
- Tracking financial settlements between students and teachers
- Diagnosing technical errors and improving stability
- Protection against fraud and unauthorized access
- Compliance with legal obligations
4. Legal Basis for Processing (GDPR)
For users in the EU and UK, we process data on the following legal bases:
- Contract performance: providing platform features, account management
- Legitimate interest: security, error diagnostics, service improvement
- Consent: marketing communications, optional features (Google Calendar)
- Legal obligation: compliance with applicable laws
5. How We Store Your Information
Your data is stored on secure Supabase (PostgreSQL) servers. We apply the following security measures:
- Data encryption in transit (SSL/TLS)
- Encryption of sensitive data at rest (Google Calendar tokens)
- Row Level Security (RLS) — each user sees only their own data
- Regular automated backups
- Two-factor authentication for administrative access
5.1. Data Retention
- Account data — for the duration of the account + 30 days after deletion
- Lesson and financial data — 3 years (for accounting purposes)
- Google Calendar tokens — deleted upon Calendar disconnection or account deletion
- Technical logs and errors (Sentry) — 90 days
- Chat messages — for the duration of both participants' accounts
6. Third Parties and Sub-processors
We do not sell your data. We share limited data with the following services to operate the platform:
| Service | Purpose | Data |
|---|---|---|
| Supabase | Database and authentication | All account data |
| Vercel | Platform hosting | IP, request logs |
| OAuth authentication and Calendar | Email, name, Calendar (if connected) | |
| Resend | Sending email notifications | Email address, name |
| Sentry | Error monitoring | Technical data (anonymized) |
All sub-processors are required to maintain data protection standards equal to or exceeding GDPR requirements.
7. Cookies
We use the following types of cookies:
- Essential: authentication session, CSRF protection (cannot be disabled)
- Preferences: theme, interface language
- Analytics: anonymous usage statistics (Vercel Analytics)
8. Your Rights
Under GDPR and applicable law, you have the right to:
- Access: obtain a copy of your data
- Rectification: correct inaccurate or outdated information
- Erasure: delete your personal data ("right to be forgotten")
- Restriction: restrict processing of your data
- Portability: receive your data in a machine-readable format
- Objection: object to certain types of processing
- Withdraw consent: withdraw previously given consent at any time
To exercise these rights, contact us: support@studentportalua.com. We will respond within 30 days.
9. Children's Privacy
Student Portal may be used by students of any age. For students under 16, registration requires parental or guardian consent. If you learn that a child under 16 has provided us with personal data without parental consent, please contact us — we will delete that data.
10. International Data Transfers
Your data may be stored and processed in countries outside Ukraine and the EU, including the US (Supabase, Vercel, Google, Sentry, Resend). These transfers are conducted under EU Standard Contractual Clauses (SCCs) or equivalent frameworks (EU-US Data Privacy Framework). All our sub-processors maintain an adequate level of data protection.
11. Changes to This Policy
We may update this Privacy Policy. For significant changes, we will notify you by email or platform notification at least 14 days in advance. The last updated date is always shown at the top of this document. Continued use of the service after changes take effect constitutes your acceptance of the updated Policy.
12. Contact Information
For privacy questions or to exercise your rights, contact us:
Email: support@studentportalua.com
Website: studentportalua.com
Response time: within 30 business days
If you believe your rights have been violated, you have the right to lodge a complaint with the data protection authority in your country.
© 2026 Student Portal. All rights reserved.