TutorFlow (accessible via Telegram Mini App and Telegram Bot)
Last updated: February 7, 2026
Effective date: February 7, 2026
1. Introduction
This Privacy Policy explains how TutorFlow ("we", "us", "our", the "Service") collects, uses, stores, and protects your personal data when you use our Telegram Mini App and Telegram Bot for managing tutoring activities.
We are committed to protecting your privacy in compliance with:
- General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679
- Federal Law No. 152-FZ "On Personal Data" (Russian Federation)
- Telegram Bot API Terms of Service
By using TutorFlow, you agree to the collection and use of information in accordance with this policy.
2. Data Controller
- Service: TutorFlow
- Website: https://fitvia.net
- Contact email: admin@fitvia.net
3. Data We Collect
3.1 Data Obtained from Telegram
When you log in through Telegram, we automatically receive and store:
| Data | Purpose | Legal Basis |
|---|---|---|
| Telegram User ID | Account identification | Legitimate interest / Contract performance |
| First name | Display in the application | Contract performance |
| Last name | Display in the application | Contract performance |
| Username | Display and communication | Contract performance |
| Language preference | Interface localization | Contract performance |
We do NOT collect: email addresses, phone numbers, physical addresses, passwords, or any data beyond what Telegram provides through its WebApp API.
3.2 Data You Provide
As a teacher using the Service, you may enter the following data about your students:
- Student names
- Free-form notes about students
- Lesson balance and pricing information
- Student Telegram usernames (for linking accounts)
- Schedule information (days, times, duration of lessons)
- Group names and membership
- Payment records (number of lessons, confirmation status)
Important: We do not process real financial transactions for lesson payments. The Service only tracks payment status between teachers and students. Actual money transfers happen outside the application.
3.3 Subscription Payment Data
If you subscribe to the Pro plan, payment is processed through Tribute (tribute.tg), a third-party payment provider. We receive and store from Tribute:
- Transaction identifier
- Subscription amount and currency
- Subscription period and expiration date
- Payment status
We do NOT receive or store: credit card numbers, bank account details, or any other direct financial instruments. All payment processing is handled by Tribute under their own privacy policy.
3.4 Analytics Data
We collect anonymized usage analytics to improve the Service:
- Product events: page views, feature usage (e.g., "lesson created", "student added") — stored in our own database without personally identifiable information tied to external parties
- Self-hosted web analytics (Umami): page views and custom events; Umami is self-hosted on our servers, no data is sent to third parties; Telegram-specific parameters are stripped from URLs before tracking
- Error tracking (Sentry): application error reports; Personally Identifiable Information (PII) is disabled in our Sentry configuration; only technical error details are transmitted
3.5 Technical Data
- JWT authentication tokens (stored in your browser's localStorage)
- Request timestamps and IP addresses in server logs (retained for security purposes)
4. How We Use Your Data
We use collected data exclusively for:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing the Service (schedule management, student tracking) | Art. 6(1)(b) — Contract performance |
| User authentication via Telegram | Art. 6(1)(b) — Contract performance |
| Sending lesson reminders and notifications via Telegram Bot | Art. 6(1)(b) — Contract performance |
| Processing subscription payments through Tribute | Art. 6(1)(b) — Contract performance |
| Application error monitoring and debugging | Art. 6(1)(f) — Legitimate interest |
| Usage analytics to improve the Service | Art. 6(1)(f) — Legitimate interest |
| Ensuring security and preventing abuse (rate limiting, fraud prevention) | Art. 6(1)(f) — Legitimate interest |
We do NOT:
- Sell your data to third parties
- Use your data for advertising or profiling
- Share individual-level data with third parties for marketing purposes
- Make automated decisions that produce legal effects concerning you
5. Third-Party Services
We use the following third-party services:
| Service | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Telegram Bot API | Authentication, notifications, Mini App hosting | Telegram ID, name, username | https://telegram.org/privacy |
| Tribute (tribute.tg) | Pro subscription payment processing | Telegram user ID, payment amounts | Tribute's privacy policy |
| Sentry | Error tracking (PII disabled) | Error stack traces only, no personal data | https://sentry.io/privacy/ |
We also use self-hosted analytics tools that run on our own server — no data is sent to third parties through them.
6. Data Storage and Security
6.1 Storage
- All data is stored on a single dedicated server within the EU
6.2 Security Measures
- Encryption in transit: All connections are encrypted via TLS/SSL
- Authentication: Telegram WebApp signature verification + JWT tokens
- Network security: Firewall, intrusion prevention, database accessible only locally
- Rate limiting: Per-user request rate limiting to prevent abuse
7. Data Retention
- Active accounts: Data is retained for as long as your account is active
- Inactive accounts: Accounts with no activity for 180 days (6 months) are automatically eligible for deletion through our data retention system
- Server logs: Retained for security and debugging purposes, automatically rotated
- Analytics events: Retained for product improvement purposes for the lifetime of the service
You may request earlier deletion of your data at any time (see Section 9).
8. International Data Transfers
Our server is hosted by Hetzner, a German company. Your data may be stored and processed within the European Union. We do not intentionally transfer personal data outside the EU/EEA, except:
- Telegram Bot API: Telegram servers may be located in various jurisdictions. By using Telegram, you are subject to Telegram's privacy policy.
- Sentry: Error reports (without PII) may be processed by Sentry's servers. See Sentry's privacy policy.
9. Your Rights
Under GDPR (EU residents)
You have the right to:
- Access — Request a copy of your personal data (Art. 15)
- Rectification — Request correction of inaccurate data (Art. 16)
- Erasure ("Right to be forgotten") — Request deletion of your data (Art. 17)
- Restriction — Request restriction of processing (Art. 18)
- Data portability — Receive your data in a structured, machine-readable format (Art. 20)
- Objection — Object to processing based on legitimate interest (Art. 21)
- Lodge a complaint with a supervisory authority
Under Federal Law No. 152-FZ (Russian residents)
You have the right to:
- Access your personal data and information about its processing
- Request correction, blocking, or deletion of your personal data
- Withdraw consent to personal data processing at any time
How to Exercise Your Rights
Contact us at admin@fitvia.net with your request. We will respond within 30 days (GDPR) or 30 days (152-FZ). We may ask you to verify your identity via your Telegram account.
To delete your account and all associated data, you may also use the in-app functionality or contact us directly.
10. Children's Privacy
TutorFlow is not intended for use by individuals under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete such data.
Teachers may store information about their students who may be minors. The teacher is responsible for ensuring they have appropriate authorization to store such data.
11. Cookies and Local Storage
TutorFlow does not use cookies. We use browser localStorage solely to store:
- Authentication token (JWT) for maintaining your session
- User interface preferences (e.g., demo data visibility)
Language preference is stored on the server as part of your account settings, not in localStorage.
This data is stored only on your device and is not transmitted to third parties.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Changes will be indicated by updating the "Last updated" date at the top of this document. We encourage you to review this page periodically.
For significant changes, we may notify you via the Telegram Bot.
13. Contact Us
For any questions about this Privacy Policy or your personal data:
- Email: admin@fitvia.net
- Telegram Support Bot: @TeachersFlowSupportBot