Privacy Policy
Teachors is committed to protecting your personal data. This Privacy Policy explains what information we collect, why we collect it, how we use it, and your rights with respect to your data. We comply with Thailand's Personal Data Protection Act B.E. 2562 (PDPA) and, where applicable, the EU General Data Protection Regulation (GDPR).
01 Introduction
Teachors Co., Ltd. ("Teachors," "we," "us," or "our") operates the online tutoring marketplace available at teachors.com. We are incorporated in Thailand and operate our platform globally, connecting students with qualified tutors across technology-related subjects.
This Privacy Policy applies to all users of the Teachors platform — including students, tutors, and visitors — and governs how we handle personal data collected through our website, mobile applications, and related services (collectively, the "Platform").
Legal Basis: For users in Thailand, we comply with the Personal Data Protection Act B.E. 2562 (PDPA). For users in the European Economic Area (EEA) or the United Kingdom, we comply with the General Data Protection Regulation (GDPR). For other jurisdictions, we apply the higher of local standards or our baseline practices described here.
By creating an account or otherwise using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree to these practices, please do not use the Platform.
02 Data We Collect
We collect the minimum data necessary to operate the Platform safely and effectively. The categories of personal data we collect depend on your role (student, tutor, or visitor).
Account Data
- Full name — used to personalize your experience and display on bookings
- Email address — used for authentication, notifications, and support
- Role — whether you are registering as a student or a tutor
- Password — stored as a hashed value; we never store plaintext passwords
Profile Data (Tutors)
- Biography and teaching philosophy
- Subject specializations and experience level
- Profile photo (publicly visible on your tutor listing)
- Hourly rate and availability
- Student ratings and written reviews
Verification Data (Tutors Only)
- Government-issued ID (passport, national ID card)
- Academic certificates, degrees, or professional credentials
Important: Verification documents are encrypted at rest, accessible only to authorized Teachors administrators during the verification review process, and never made publicly visible. They are deleted after verification is complete plus a 30-day grace period. See Section 5 for our full data retention policy.
Payment Data
- Wallet top-up amounts and transaction history
- Payout records (for tutors)
- Transaction timestamps and reference IDs
We do not store raw card numbers, CVV codes, or banking credentials. All payment processing is handled by our third-party payment processor (Xendit). Only tokenized payment references are retained by Teachors.
Session Data
- Booking history (tutor, student, subject, time)
- Session completion status and duration
- Materials uploaded or shared during sessions
Communication Data
- In-platform messages between students and tutors
Communications are monitored for safety and policy compliance as described in our Terms of Service. We do not read messages except when investigating a reported safety concern, a Terms of Service violation, or when required by law.
Usage Data
- Pages visited and features used
- Session timestamps (login/logout)
- Search queries within the Platform
- Clicks and interactions with tutors/listings
Device & Technical Data
- Browser type and version
- IP address (used only for security, fraud detection, and rate-limiting)
- Operating system
- Referrer URL
03 How We Use Your Data
We use your personal data only for the following purposes, grounded in a lawful basis under PDPA/GDPR:
| Purpose | Lawful Basis |
|---|---|
| Creating and managing your account | Contractual necessity |
| Verifying tutor identity and credentials | Contractual necessity / Legitimate interest |
| Facilitating session bookings and payments | Contractual necessity |
| Safety monitoring of in-platform messages | Legitimate interest (user safety) |
| Sending transactional notifications (booking confirmations, receipts) | Contractual necessity |
| Sending product updates or promotional emails | Consent (you may opt out at any time) |
| Platform analytics to improve features | Legitimate interest / Consent (for analytics cookies) |
| Fraud prevention and security | Legitimate interest / Legal obligation |
| Compliance with legal obligations | Legal obligation |
We do not use your data for automated decision-making that produces significant legal effects without human review.
04 Data Sharing
We do not sell, rent, or trade your personal data to any third party for marketing purposes.
We share personal data only in the following limited circumstances:
Service Providers (Data Processors)
- Xendit — payment processing. Receives billing information necessary to execute transactions. Subject to Xendit's own privacy policy and PCI-DSS compliance.
- Supabase / AWS — cloud database and storage infrastructure, hosted on AWS. Data is encrypted at rest and in transit. Supabase acts as a data processor under a Data Processing Agreement.
- Video conferencing providers — if applicable, session metadata (session ID, participant count, duration) may be shared to facilitate live video sessions. No session recordings are shared without explicit user consent.
- Email service provider — your email address is shared to deliver transactional and (with consent) marketing emails.
Public Profile Information
Information that tutors or students explicitly choose to make public on their profiles (e.g., tutor bio, photo, subject listing, ratings) is visible to all visitors of the Platform. You control what appears in your public profile through your account settings.
Business Transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. We will notify you by email and/or a prominent notice on the Platform at least 30 days before your data becomes subject to a different privacy policy.
Legal Requirements
We may disclose your data to law enforcement, regulatory authorities, or courts where we are legally required to do so, or where we have a good-faith belief that disclosure is necessary to protect the safety of any person or to prevent illegal activity. We will notify you of such disclosures where legally permitted.
With Your Consent
We will share your data with any other third party only with your explicit, informed consent.
05 Data Retention
| Data Category | Retention Period |
|---|---|
| Active account data | Retained for the duration your account is active |
| Closed account data | 90 days after closure, then anonymized or deleted |
| Financial / transaction records | 7 years from transaction date (Thai Revenue Code requirement) |
| Verification documents (IDs, certificates) | Deleted after successful verification + 30 days |
| In-platform messages | 12 months from message date, then deleted |
| Usage / analytics data | 13 months from collection (aggregated thereafter) |
| Security logs (IP, access logs) | 90 days |
When data is no longer required for its original purpose and no legal obligation requires us to retain it, we securely delete or anonymize it so it can no longer be linked to an individual.
06 Your Rights (PDPA / GDPR)
Depending on your country of residence, you may have the following rights regarding your personal data. We honor these rights for all users, regardless of jurisdiction.
- Right of Access — You may request a copy of the personal data we hold about you.
- Right to Rectification — You may request correction of inaccurate or incomplete personal data.
- Right to Erasure ("Right to be Forgotten") — You may request deletion of your personal data. This right is subject to legal retention obligations (e.g., financial records).
- Right to Data Portability — You may request your data in a structured, machine-readable format (JSON or CSV) to transfer to another service.
- Right to Withdraw Consent — Where we process data based on your consent (e.g., marketing emails, analytics cookies), you may withdraw consent at any time without affecting the lawfulness of prior processing.
- Right to Restrict Processing — You may request that we restrict processing of your data in certain circumstances (e.g., while a dispute is being resolved).
- Right to Object — You may object to processing based on legitimate interests, including profiling.
- Right to Complain — You have the right to lodge a complaint with the relevant supervisory authority (Thailand: the PDPC; EU: your national DPA).
To exercise any of these rights, email us at privacy@teachors.com. We will respond within 30 days for PDPA requests and within 30 days for GDPR requests (extendable by 2 months for complex cases with notice). We may ask you to verify your identity before processing the request.
07 Cookies
We use cookies and similar tracking technologies to operate the Platform and, with your consent, to understand how it is used. For full details, please see our Cookie Policy.
Cookie Categories
- Essential Cookies — Required for the Platform to function (authentication, security, session management). These are always active and cannot be disabled.
- Analytics Cookies — Help us understand how users interact with the Platform. Only activated with your explicit consent via our cookie banner.
- Functional Cookies — Remember your preferences (e.g., language, display settings). Activated with your consent.
We do not use third-party advertising or retargeting cookies. We do not share your browsing data with ad networks.
You can manage or withdraw your cookie consent at any time through your browser settings or by clicking "Cookie Settings" in the footer of any page.
08 Children's Privacy
The Teachors Platform is designed for users aged 13 and above. Users under 18 years of age must have verifiable parental or guardian consent to create an account. Tutors must be at least 18 years old.
We do not knowingly collect personal data from children under 13. If we learn that we have inadvertently collected data from a child under 13 without appropriate consent, we will promptly delete that data and close the associated account. If you believe a child under 13 has registered on our Platform, please contact us immediately at privacy@teachors.com.
Parents or guardians wishing to review, correct, or delete the personal data of a minor in their care may contact us at the same address with verification of their relationship to the child.
09 Security
We implement robust technical and organizational measures to protect your personal data against unauthorized access, disclosure, alteration, or destruction.
Technical Measures
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using SSL/TLS (minimum TLS 1.2).
- Encryption at rest: All data stored in our database (Supabase on AWS) is encrypted at rest using AES-256.
- Row-Level Security (RLS): Our database uses Supabase's row-level security to ensure users can only access data they are authorized to see.
- Authentication: Passwords are hashed using bcrypt. Multi-factor authentication is available for all accounts.
- Verification document handling: ID documents and certificates are stored in an isolated, access-controlled storage bucket with additional encryption.
Organizational Measures
- Access to personal data is restricted to employees and contractors who need it to perform their job functions.
- All staff with data access undergo privacy and security training.
- Regular security audits and vulnerability assessments are conducted.
- A data breach response plan is maintained and tested annually.
Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify affected users and the relevant supervisory authority within 72 hours of becoming aware of the breach, in accordance with PDPA and GDPR requirements.
Despite these measures, no system is 100% secure. You are responsible for maintaining the confidentiality of your account credentials. Please notify us immediately at privacy@teachors.com if you suspect unauthorized access to your account.
10 Contact & Complaints
If you have questions, concerns, or requests regarding this Privacy Policy or the way we handle your personal data, please contact our Privacy team:
Email: privacy@teachors.com
General legal inquiries: legal@teachors.com
Company: Teachors Co., Ltd., Thailand
Response time: Within 30 days of receipt
If you are an EU/EEA resident and are not satisfied with our response, you have the right to lodge a complaint with your national Data Protection Authority. If you are in Thailand, you may contact the Personal Data Protection Committee (PDPC).
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by posting a prominent notice on the Platform at least 30 days before the changes take effect. Continued use of the Platform after the effective date constitutes acceptance of the updated policy.