Bobbin Privacy Policy May 26
Below is Bobbin’s Privacy Policy. To see information on how we process information with regard to AI and machine learning, go to section 4.
Framework: UK GDPR (UK General Data Protection Regulation and Data Protection Act 2018).
Last updated: 05 May 2026
Field — Value
Processor legal name — TutorCruncher Ltd
Registered address — The Food Exchange, New Covent Garden Market, Nine Elms, London SW8 5EL
Privacy / data protection contact — [email protected]
1. Who this information is for
This notice describes how personal data is processed when your tutoring organisation uses the Bobbin platform and related services. It is relevant to organisation administrators, tutors, students, clients, and others whose data is processed through the platform.
Controller and processor
- Data controller: The tutoring organisation that has engaged you (or your child, where applicable) and that uses Bobbin to deliver its services. That organisation decides why and how your personal data is used for its tutoring activities and is responsible for responding to your UK GDPR rights requests in the first instance.
- Data processor: TutorCruncher Ltd (“we”, “us”, “TutorCruncher AI”) processes personal data only on documented instructions from the organisation (our customer), except where UK law requires otherwise.
If you wish to exercise your data protection rights, contact your organisation in the first instance. We will assist our customers, as processor, in line with our contractual and legal obligations.
2. Categories of personal data
Depending on how the organisation uses the platform, we process personal data in the broad categories below. Organisation administrators can request a structured data export for a user if they need a fuller, record-level breakdown.
Category — What this covers (summary)
Account and profile — Name, email, role, timezone, organisation membership, sign-in credentials (stored securely, not as plain-text passwords), and identifiers from linked TutorCruncher accounts where the organisation uses that integration
Tutoring activity — Lessons, courses, attendance where used, tutor notes; online sessions via LessonSpace (including timings, recordings where applicable, and transcripts)
AI features and feedback — AI-generated plans, summaries, and reports; feedback you submit on generated content
Reports — Lesson and progress reports
Billing — Subscription and payment-related information where paid plans are used
Compliance, support, and analytics — Records such as privacy-policy acceptance; support identity tokens where used; usage analytics via Mixpanel and Amplitude (web/app and server); session replay / UX analytics via Microsoft Clarity where deployed; website and marketing measurement via Google Analytics, Google Ads, and Microsoft Advertising (Bing Ads) where deployed; client-side observability (for example Logfire browser SDK, Sentry in the web app)
Special category data under UK GDPR is not intentionally collected as a default product requirement; organisations should not use the platform to supply unnecessary amounts of it. If you believe such data has been included (for example in free-text notes or transcripts), contact your organisation.
We may receive personal data directly from users, from the organisation that uses Bobbin, or through integrations and third-party services that the organisation enables (for example tutoring, classroom, payment, support, or analytics tools).
What is special category data?
Special category data is personal data that UK GDPR classifies as particularly sensitive, so it needs extra protection and a stricter lawful basis. Examples include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (where used to identify someone), health, sex life, or sexual orientation. The official UK regulator publishes a clear overview here: ICO — What is special category data?.
3. Purposes of processing (controller-led)
Your organisation determines the purposes of processing. Bobbin processes data to provide the service they have subscribed to, which typically includes:
- Operating accounts, authentication, and access control for the organisation’s users
- Managing lessons, courses, participants, and related tutoring workflows
- Providing online lesson spaces, recordings (where used), and transcripts via integrated classroom services
- Generating and storing AI-assisted content (for example lesson or course plans, summaries, engagement or teaching insights, reports) from lesson and transcript-related inputs as configured
- Delivering transactional communications (for example notifications and data-export delivery) via email infrastructure
- Billing and usage accounting where the organisation uses paid plans (including payment service processing)
- Security, integrity, and troubleshooting (for example Sentry error reporting and Logfire observability on server and web client, and Microsoft Clarity for UX diagnostics where enabled)
- Product analytics (for example usage and feature events, client- and server-side, and periodic user-property sync) via Mixpanel and Amplitude
- Website and advertising measurement (for example traffic, campaigns, and conversions) via Google Analytics, Google Ads, and Microsoft Advertising (Bing Ads) where deployed
- Integrations the organisation enables (for example TutorCruncher, LessonSpace, payment, email, observability)
Lawful basis
The lawful basis for processing (for example contract, legitimate interests, legal obligation, or consent where required) is chosen and documented by the data controller (your organisation). As processor, we act on their instructions. For questions about why your data is processed, contact your organisation.
Where the service is used for lesson recordings, transcripts, or related AI-generated outputs, the organisation as controller is responsible for ensuring it has identified and documented the appropriate lawful basis for that processing and for providing any required transparency to the people concerned. If the organisation instructs processing involving special category data or data about children, it is also responsible for meeting any additional legal requirements that apply.
Bobbin may be used by organisations in contexts involving children’s data. Where that is the case, the organisation as controller is responsible for ensuring appropriate transparency, lawful basis, and any additional legal requirements that apply to that use.
Automated decision-making
We do not use personal data for solely automated decision-making or profiling that produces legal or similarly significant effects on individuals through this service. AI features in Bobbin are used to generate assistive content such as plans, summaries, and reports, and the organisation decides how to use that output.
4. Automated processing and artificial intelligence
The platform uses machine learning / AI services to generate content from prompts and context. In particular:
- Lesson and transcript text (and related lesson or course context) may be sent to an AI provider to produce outputs such as summaries, plans, strengths or teaching feedback, and reports.
- Speaker attribution in transcripts may be formatted in different ways depending on product configuration. Some processing paths may include participant names and role labels in the material sent to the AI; other paths may use generic labels (for example “Tutor” / “Student”) to reduce direct identification in the prompt. The organisation’s use of features determines what is processed.
Outputs are stored as generated content associated with the relevant lessons, courses, or users as designed.
Model training and storage: Data and content sent to our AI provider(s) for inference (to produce the outputs you request) are not used to train, retrain, or improve those providers’ general or foundation models, and are not stored by those AI services. Processing is limited to delivering the requested AI features, consistent with our agreements with those providers.
Feedback: We may use feedback you submit about generated content (for example ratings or comments collected in the product) to improve our own service, such as product quality, reliability, and features. That feedback is separate from training third-party AI models on lesson or transcript content.
Organisations should ensure their own transparency and lawful basis cover AI processing they instruct.
If an organisation later wishes to use recordings, transcripts, or related outputs for a new purpose that is materially different from the purpose originally explained to users, it should first reassess whether that use is permitted under applicable law, update its transparency information, and obtain any additional consent or other permission required before that new use begins.
5. Subprocessors
This section is the subprocessor register for Bobbin. We will update this section and the public copy of this privacy policy at least 30 days before a material new subprocessor starts processing personal data, or before a material replacement takes effect, unless a shorter period is required for urgent security reasons. Where we hold an organisation's contact email, we will also aim to notify that contact directly.
Subprocessor / service — Role — Typical processing — Current region / transfer note
Salesforce (Heroku) — Application hosting and data stores — Dynos (web and background workers), Heroku Postgres, and Redis for queueing / caching — Europe for the Heroku app and Heroku Postgres. Redis region still to be confirmed in production.
Amazon Web Services (S3) — File storage — Temporary storage of data export files and time-limited download links for organisation administrators — EU West (eu-west / eu-west-2) based on current configuration.
OpenAI — AI inference — Processes prompts and context (which may include transcript and lesson text) to generate outputs — Contracting entity / DPA position being checked against OpenAI Ireland documentation. Processing may occur in the EU and/or US depending on the applicable OpenAI service terms.
Logfire (Pydantic) — Observability — Backend: traces for API, database, Celery, HTTP clients, and AI. Web app: browser SDK sends traces via the API to Logfire — US.
Sentry — Error monitoring — Backend (for example Celery) and web application: error reports and stack traces that may include contextual data from failing operations — EU.
Stripe — Payments — Payment processing, customers, subscriptions, invoices, and related billing events where used — European contracting entity may apply, but processing may occur in the EU and/or US under Stripe’s DPA and transfer terms.
LessonSpace — Virtual classroom — Online sessions, recordings where applicable, transcripts — Assumed EU and/or US depending on provider configuration and support operations.
TutorCruncher (the business management platform) — Integration — Account linkage, webhooks, and related synchronisation with the TutorCruncher ecosystem — Assumed UK / EU unless product configuration or vendor support requires otherwise.
Morpheus / Mandrill (Mailchimp transactional) — Email delivery — Sending transactional email on behalf of the organisation’s configured sender settings — US for Mandrill / Mailchimp.
Intercom — Support (where used) — Messenger SDK in the web app for eligible users; JWT from the API for identity; further processing occurs in Intercom — EU workspace configuration, though some operational or billing metadata may still be handled outside the EU under Intercom’s terms.
Mixpanel — Product analytics — Frontend (SDK) and backend events and People profile data — EU data residency.
Amplitude — Product analytics — Frontend (SDK) and backend events and Identify / user-property data — EU.
Google Analytics — Website and product measurement — Usage, traffic, and engagement data (often via cookies or similar on web properties); may include device/browser information and online identifiers — EU and/or US depending on Google configuration and Google’s infrastructure.
Google Ads — Advertising and conversion measurement — Conversion tracking and campaign measurement (often via tags, cookies, or pixels) — EU and/or US depending on Google configuration and Google’s infrastructure.
Microsoft Advertising (Bing Ads) — Advertising and conversion measurement — Search and audience advertising, conversion and campaign tracking where used (often via Universal Event Tag (UET) and similar technologies) — EU and/or US depending on Microsoft configuration and service routing.
Microsoft Clarity — UX and session analytics — Where a project ID is configured in the web app: session replay, heatmaps, and related behavioural diagnostics (often via cookies / scripts from clarity.ms) — EU and/or US depending on Microsoft configuration and service routing.
Open Exchange Rates — Currency rates — Exchange-rate data for billing or display; typically no personal data — Typically not material for personal-data transfers.
Analytics, advertising, and UX diagnostics: Mixpanel and Amplitude are used on the web or app frontend and from the backend for product analytics. Google Analytics 4 (GA4) and Google Ads conversion tracking may be used for measurement and advertising. Microsoft Clarity and Microsoft Advertising (Bing Ads) may be used in the web app for session replay, heatmaps, and advertising / conversion tracking. Cookies, local storage, pixels, or similar technologies may be used as described in the cookie notice and applicable consent rules (for example PECR in the UK). The organisation’s or product’s cookie materials should sit alongside this notice where required.
6. International transfers
Some subprocessors may process data outside the United Kingdom. Where that occurs, we (and/or the controller’s arrangements) aim to ensure appropriate UK GDPR safeguards, for example, the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU Standard Contractual Clauses, or other mechanisms recognised under UK law, as updated from time to time. Which mechanism applies to each transfer is set out in our Data Processing Agreement with customers and in our vendor contracts (and can be aligned with subprocessors’ own transfer documentation).
7. Sharing and disclosure
We share personal data only where necessary to provide the service, follow the organisation’s instructions, or comply with law. This may include:
- The organisation that uses Bobbin as controller of the relevant user data.
- Subprocessors and service providers listed in section 5, such as hosting, classroom, payment, email, support, observability, and analytics providers.
- Where the organisation uses recorded lessons, transcripts, or AI features, relevant content may be shared with service providers needed to deliver those features, including LessonSpace for virtual classroom services and OpenAI for AI inference, as described in sections 4 and 5.
- Professional advisers, regulators, courts, law enforcement, or other authorities where required by law or where necessary to establish, exercise, or defend legal claims.
- Corporate transactions such as a merger, acquisition, financing, reorganisation, or sale of all or part of the business, where lawful and appropriate safeguards are applied.
- Aggregated or de-identified information, where it no longer identifies an individual.
8. Retention
Retention is driven by the organisation’s use of the service, contractual terms, and legal obligations (for example tax or billing records).
- Data is generally retained while the organisation’s account is active and as needed to provide the service.
- Current product behaviour includes billing-related lifecycle automation. Based on the current configuration, unpaid invoices may move an account into arrears after 14 days; prolonged arrears may lead to cancellation, and a cancelled organisation may then be scheduled for deletion 7 days later. Trial organisations that expire without billing setup may be cancelled 14 days after trial expiry and then scheduled for deletion 7 days later. These timings reflect the current product configuration and may change if the service configuration changes.
- We may retain certain billing, accounting, tax, and legal records for longer where required by applicable law, regulation, or for the establishment, exercise, or defence of legal claims.
- Data exports on S3 are intended to be short-lived (access via time-limited URLs); organisations should download and handle exports under their own policies.
9. Security (high level)
We implement technical and organisational measures appropriate to the risk, including:
- Encryption in transit for network communications (industry-standard TLS for web APIs)
- Access controls and authentication (for example signed session tokens with defined expiry)
- Password hashing using modern one-way algorithms (not storing plaintext passwords)
Details may be provided to organisations under confidentiality as part of security or procurement review.
10. Cookies and similar technologies
The web or app frontend may use cookies or local storage for authentication, preferences, product analytics (Mixpanel, Amplitude), website analytics and advertising (Google Analytics 4, Google Ads conversion tracking, Microsoft Advertising / Bing Ads), UX diagnostics (Microsoft Clarity), and other features. The backend API typically relies on tokens (for example bearer tokens) rather than setting its own browser cookies. Third-party embeds (for example classroom or support tools) may use their own technologies.
Where required, we or the organisation will seek consent for non-essential cookies and similar technologies in line with applicable rules (for example PECR in the UK). A separate cookie notice or preference tool may describe the categories of cookies used, such as required, functional, analytics, or advertising technologies, and how to manage your choices.
Consent:
- Prior consent is obtained for all non-essential cookies in accordance with UK GDPR and PECR.
- You can manage or opt out via browser settings or the Cookie Preferences link or by emailing [email protected].
- Behavioural advertising opt-out guidance is available via the Network Advertising Initiative.
- Where we rely on consent for marketing, this is obtained via an unticked opt-in checkbox at the point of registration or account creation. We maintain a record of each consent, including the date it was given, the channel through which it was collected, and the wording presented at the time. Consent is never bundled with acceptance of our Terms of Service.
- Where you are an existing customer, we may contact you about products and services similar to those you have already purchased, relying on the 'soft opt-in' under UK PECR Regulation 22. You can opt out of these communications at any time.
11. Your UK GDPR rights and how they relate to this platform
Your organisation (controller) is responsible for handling rights requests. As processor, we help our customers fulfil their obligations where required.
Right (summary) — Practical notes in this platform
Access — Organisation administrators may request a structured export of personal data held about a user. Subject access requests may cover personal data held in multiple forms through the service, including recordings, transcripts, summaries, reports, and stored AI-generated content where applicable. The export is produced as a CSV covering the categories described in section 2, made available via a secure, time-limited link, and sent to the requesting administrator (with attachment where configured for testing).
Rectification — Contact your organisation to correct inaccurate data. We update the platform on their instructions.
Erasure — Requests are handled by the controller. Erasure or anonymisation requests may need to be applied across multiple forms of personal data held through the service, including recordings, transcripts, summaries, reports, and stored AI-generated content where applicable. The platform supports anonymisation of a user record in certain flows (replacing direct identifiers and removing associated AI content, reports, and the data subject’s transcript segments while preserving lesson structure for other participants where applicable). Erasure vs anonymisation and legal exceptions are for the controller to assess.
Restriction / objection — Directed to the controller; we assist as instructed.
Portability — The CSV export may assist with portability for data processed in the platform; format and scope are product-defined.
Automated decision-making — The organisation should explain any meaningful solely automated decisions affecting you. AI features generate assistive content; the organisation determines how that is used.
Privacy policy acceptance: A user record may store a privacy policy acceptance timestamp. In the current product behaviour, students and clients are automatically stamped on their first successful login, while administrators and tutors are not automatically stamped and must use the explicit acceptance action if required by the product experience.
12. Complaints
If you have concerns about how your personal data is handled, you should first contact your organisation as controller. You may also contact Bobbin using the details below.
You also have the right to complain to the Information Commissioner's Office (ICO) in the UK:
- Website: ico.org.uk
- Casework: [email protected]
- Telephone: 0303 123 1113
13. Changes to this notice
We may update this document to reflect changes in the service, subprocessors, or legal requirements. The last updated date at the top will be revised when we publish an update. Where required, organisations will be informed through the product, by email, or through updated contractual or policy materials.
14. Contact
Processor (TutorCruncher): [email protected]
Your organisation (controller): Use the contact details provided by the organisation that provides your tutoring services.
Data Processing Agreement (customers): Organisation customers can access Bobbin's standard Article 28-style Data Processing Agreement template at bobbin.tutorcruncher.com/dpa.