Legal

Privacy Policy

Last updated: 2026-05-20

DRAFT — requires legal review. This document is provisional and must be validated by qualified counsel before public launch.
About this notice

Kadensy (the “Service”) operates an online tutoring marketplace. This notice explains, in accordance with Articles 13 and 14 of the EU General Data Protection Regulation (GDPR), what personal data we collect, why we collect it, who we share it with, how long we keep it, and what rights you have over it.

1. Identity of the controller

Kadensy is the data controller for the personal data processed via the Service. Our registered name and address will be published in the Imprint section once the legal entity is finalised.

Contact for privacy questions: privacy@kadensy.com (placeholder — to be confirmed). A Data Protection Officer (DPO) will be designated before public launch where Article 37 thresholds apply.

2. Categories of personal data & lawful bases

We process the following categories of personal data. Each category is processed on the lawful basis indicated:

  • Account data (first name, last name, email, date of birth, hashed password, locale, timezone, optional avatar) — performance of contract, Art. 6(1)(b).
  • Tutor profile data (headline, bio, intro video, country of residence, languages, hourly rate) — performance of contract, Art. 6(1)(b); legitimate interest in marketplace moderation snapshots, Art. 6(1)(f).
  • Identity verification & tax data (KYC documents, tax profile) — legal obligation under AML and tax regulations, Art. 6(1)(c).
  • Lesson and booking data (scheduling, status, billing ticks, credit reservations) — performance of contract, Art. 6(1)(b).
  • Payment and payout data (Stripe customer/account IDs, charge references, payout requests, tax breakdown) — performance of contract, Art. 6(1)(b); legal obligation, Art. 6(1)(c).
  • Messages & lesson reviews (message body, ratings, comments) — performance of contract, Art. 6(1)(b); legitimate interest in marketplace trust, Art. 6(1)(f).
  • Real-time lesson media (audio/video tracks, optional recordings, whiteboard snapshots) — performance of contract, Art. 6(1)(b); explicit consent for recordings, Art. 6(1)(a).
  • Technical & security data (device sessions, IP, user-agent, passkey credentials, 2FA secret, error reports) — legitimate interest in security and abuse prevention, Art. 6(1)(f).
  • Trust & Safety reports (lesson reports, evidence paths) — legitimate interest in safe marketplace operation, Art. 6(1)(f).

3. Purposes of processing

  • Account creation, authentication and account lifecycle management.
  • Operating the tutoring marketplace (listings, booking, messaging, lesson delivery).
  • Processing payments, calculating commission, paying tutors via Stripe Connect Express.
  • Meeting accounting, tax and anti-money-laundering obligations.
  • Trust & Safety triage, moderation and dispute resolution.
  • Detecting and preventing fraud, abuse and unauthorised access.
  • Service operation, error monitoring and capacity planning.

4. Recipients & sub-processors

We share personal data with the following processors strictly to the extent necessary to operate the Service. Each is bound by an Article 28 data processing agreement (DPA).

  • Stripe Payments Europe (IE) — payments, KYC, Connect payouts.
  • LiveKit Cloud (EU region) — real-time audio/video transport.
  • Hetzner Cloud (Falkenstein / Nuremberg, DE) — application and database hosting.
  • Sentry (EU) — error monitoring; payloads are scrubbed of direct identifiers before transmission.
  • AWS S3 (EU regions) — object storage for recordings, intro videos and uploads.
  • DeepL (DE) — in-lesson translation when invoked from the whiteboard.
  • MessageBird (NL) — SMS one-time-passcode delivery.
  • Google (Socialite / OAuth) — optional identity federation (login only).

A complete and current list, including regions and the relevant DPA references, is maintained in our internal Record of Processing Activities (ROPA) and made available to supervisory authorities on request.

5. Retention periods

We keep personal data only for as long as necessary for the purposes above. Indicative retention periods (full table in ROPA):

  • Active account data: for the lifetime of the account.
  • Financial records (payments, payouts, wallet transactions, tax data, lessons): 10 years as required by accounting, tax and AML obligations.
  • Off-lesson messages: 18 months from last activity, then purged.
  • Device sessions / login telemetry: 12 months.
  • Trust & Safety reports: 36 months from resolution.
  • Lesson recordings: 30 days by default unless explicitly retained for dispute resolution.

Upon account closure or anonymisation, directly identifying fields are scrubbed; financial linkage rows are retained to honour our legal obligations.

6. Your rights

Subject to the conditions of the GDPR, you have the right to:

  • Access a copy of your personal data (Art. 15).
  • Rectify inaccurate or incomplete data (Art. 16).
  • Erasure of your personal data, subject to legal retention obligations (Art. 17).
  • Restrict certain processing (Art. 18).
  • Portability — receive your data in a structured, commonly used, machine-readable format (Art. 20).
  • Object to processing based on legitimate interest (Art. 21).
  • Withdraw consent at any time without affecting the lawfulness of past processing (Art. 7).

Requests can be sent to privacy@kadensy.com. We answer without undue delay and at the latest within one month of receipt.

7. Supervisory authority

You have the right to lodge a complaint with a supervisory authority — in particular in the Member State of your residence, place of work, or place of the alleged infringement.

Our default supervisory authority is the Commission Nationale de l’Informatique et des Libertés (CNIL), 3 Place de Fontenoy, 75007 Paris, France — www.cnil.fr.

8. International transfers

We host the Service in the European Union and select EU-based sub-processors wherever possible. When data must reach a non-EEA processor, the transfer is framed by Standard Contractual Clauses and additional safeguards as required by Chapter V of the GDPR.

9. Automated decision-making

We do not make decisions with legal or similarly significant effect based solely on automated processing within the meaning of Article 22 GDPR. Fraud-prevention signals may be used to flag accounts for human review.

10. Changes to this notice

We may update this notice from time to time. Material changes will be announced in-app at least 30 days before they take effect. The “Last updated” date at the top of this page indicates when the document was last revised.

11. Related documents

See also our Terms of Service and Cookie Policy.