โ† Back to Nuranee

Privacy Policy

Last updated: 20 March 2026 ย ยทย  Effective: 20 March 2026

1. Who We Are

Tulip Tech Ltd ("Nuranee", "we", "us", "our") is the data controller for personal data collected through the Nuranee platform. We are registered in England and Wales.

This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use nuranee.com (the "Platform"). It applies to all users worldwide and complies with:

  • UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018;
  • EU General Data Protection Regulation (GDPR) 2016/679 for EU-based users;
  • California Consumer Privacy Act (CCPA) / CPRA for California residents;
  • Children's Online Privacy Protection Act (COPPA) for US-based users under 13;
  • Australian Privacy Act 1988 for Australian users;
  • Canada's PIPEDA for Canadian users.

2. Data Protection Contact

For all privacy-related enquiries, requests, or complaints, contact our Data Protection contact at: privacy@nuranee.com. We aim to respond within 30 days (or sooner as required by applicable law).

3. Data We Collect

We collect the following categories of personal data:

3.1 Data you provide directly

  • Account data: full name, email address, password (stored in hashed form only), role (Student/Tutor/Parent);
  • Profile data: profile photo, biography, subjects, languages, qualifications, DBS/background check documents (Tutors), availability;
  • Child profiles: name, date of birth, Quran level, gender (collected only with parental consent, only used to match children with suitable Tutors);
  • Communications: messages sent via the in-platform messaging system;
  • Reviews and feedback: ratings and written reviews submitted after lessons.

3.2 Data collected automatically

  • Usage data: pages visited, features used, search queries, time spent on pages;
  • Device and technical data: IP address, browser type, operating system, device identifiers;
  • Analytics: we use Vercel Analytics (privacy-preserving, no cross-site tracking) to understand usage patterns.

3.3 Payment data

All payments are processed by Stripe. We do not store card numbers, CVV codes, or full payment details. We receive and store only: transaction ID, amount, date, payout status, and Stripe customer/account reference. Stripe is a data processor acting on our behalf โ€” see Stripe's Privacy Policy.

4. How We Use Your Data

PurposeLawful Basis (UK/EU GDPR)
Provide and operate the PlatformContract performance
Process payments and payoutsContract performance
Verify Tutor identity and qualificationsLegal obligation / Legitimate interests (safeguarding)
Send transactional emails (booking confirmations, reminders)Contract performance
Send platform updates and policy changesLegal obligation / Legitimate interests
Marketing emails (new features, promotions)Consent โ€” you may opt out at any time
Fraud prevention and securityLegitimate interests / Legal obligation
Improve the Platform via analyticsLegitimate interests
Comply with legal obligationsLegal obligation
Respond to support requestsContract performance / Legitimate interests

5. Who We Share Your Data With

We do not sell your personal data. We share data only as necessary:

  • Stripe โ€” payment processing (data processor);
  • Supabase โ€” cloud database and authentication hosting (data processor, EU/US data centres with Standard Contractual Clauses);
  • Vercel โ€” platform hosting (data processor, EU data centre options);
  • Resend โ€” transactional email delivery (data processor);
  • Between Students and Tutors โ€” name, profile, and booking details are shared to enable lessons;
  • Law enforcement and regulators โ€” where required by law or court order, including safeguarding disclosures.

6. International Data Transfers

Some of our third-party processors (e.g. Supabase, Vercel, Stripe) may process data outside the UK and EEA. Where this occurs, we ensure appropriate safeguards are in place, including:

  • UK adequacy decisions where available;
  • UK International Data Transfer Agreements (IDTAs) or EU Standard Contractual Clauses (SCCs);
  • Binding Corporate Rules where applicable.

7. Data Retention

  • Active accounts: data retained while account is active;
  • Closed accounts: personal profile data deleted within 90 days of account closure;
  • Payment records: retained for 7 years to comply with UK financial/tax law;
  • Child profiles: deleted upon parental request or account closure, whichever is sooner;
  • Tutor verification documents: retained for 3 years from end of active Tutor status to comply with safeguarding best practice;
  • Communications and messages: retained for 2 years then deleted.

8. Your Rights

Under UK/EU GDPR you have the following rights. To exercise any of them, email privacy@nuranee.com:

  • Right of access โ€” request a copy of the personal data we hold about you;
  • Right to rectification โ€” request correction of inaccurate data;
  • Right to erasure โ€” request deletion of your data (subject to legal retention obligations);
  • Right to restrict processing โ€” request we limit how we use your data;
  • Right to data portability โ€” receive your data in a structured, machine-readable format;
  • Right to object โ€” object to processing based on legitimate interests or for direct marketing;
  • Rights related to automated decision-making โ€” we do not make solely automated decisions that significantly affect you.

You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

9. Children's Privacy

We take children's privacy seriously. Child profile data (name, age, Quran level) is collected only with explicit parental or guardian consent and is used solely to facilitate lesson matching.

COPPA (US): We do not knowingly collect personal information from children under 13 without verifiable parental consent. If you believe we have collected such information, contact privacy@nuranee.com and we will delete it promptly.

Parents and guardians may request deletion of their child's data at any time.

10. Cookies and Tracking

We use cookies and similar technologies as described in our Cookie Policy. In summary:

  • Strictly necessary cookies: required for authentication and security โ€” cannot be disabled;
  • Analytics cookies: privacy-preserving analytics via Vercel Analytics โ€” no cross-site tracking;
  • Preference cookies: remember your language and cookie consent choices.

11. California Residents (CCPA/CPRA)

California residents have the right to:

  • Know what personal information we collect, use, disclose, and sell;
  • Delete personal information (subject to exceptions);
  • Opt-out of the sale of personal information โ€” we do not sell personal information;
  • Non-discrimination for exercising CCPA rights.

To exercise your rights, email privacy@nuranee.com with subject line "CCPA Request".

12. Security

We implement appropriate technical and organisational security measures including: encrypted data transmission (TLS), hashed passwords, row-level security on our database, and restricted staff access to personal data. No system is completely secure โ€” if you suspect a security breach, contact security@nuranee.com immediately.

13. Changes to This Policy

We may update this Privacy Policy periodically. For material changes, we will notify you by email at least 14 days in advance. The current version will always be available at nuranee.com/legal/privacy.

14. Contact Us

Data protection enquiries: privacy@nuranee.com
General support: support@nuranee.com
Safeguarding: safeguarding@nuranee.com
Legal: legal@nuranee.com

See also: Terms of Service ย ยทย  Cookie Policy