Legal

Privacy policy

Last updated: 2 May 2026 (sole-founder voice clarified)

Who we are

Crestio is a tutoring management platform run by Lenin Joaquin (sole founder), based in Sydney, Australia, serving tutors worldwide.

Questions about this policy or your data: email lenin@crestio.ai.

What Crestio collects and why

To run Crestio, the following information you add to the platform is stored:

  • Your account details — name, email, and a hashed password.
  • Your organisation's name.
  • The student records you choose to add — names, year level, subjects, parent contacts.
  • Session notes and lesson plans you create.
  • Messages you send through the in-app assistant.
  • Billing information, handled by Stripe. Crestio never stores or sees your full card number.

You stay in control. You can export, correct, or delete any of this at any time.

Crestio doesn't read your session notes, doesn't train AI models on your data, and doesn't sell data to anyone. The only reason Crestio stores what you enter is to show it back to you and the people you choose to share it with — like the parents of your students.

How Crestio uses your information

Crestio uses the information you provide to:

  • Provide the service you pay for.
  • Authenticate you and keep your account secure.
  • Send transactional emails — invitations you issue, billing receipts, password resets.
  • Respond when you contact support.
  • Investigate abuse and comply with legal obligations.

Crestio doesn't use your data to target advertising and doesn't use it for analytics that identify individuals.

Third-party service providers

Crestio relies on a small set of vetted providers to deliver the service. Data flows to them only when the specific feature they support is in use.

  • Supabase — authentication and database. Data is stored in Sydney, Australia.
  • Vercel — web hosting and application delivery.
  • Stripe — payment processing. Stripe sees your name, email, country, and card details; Crestio does not.
  • Anthropic (United States) — powers Polish notes, Generate lesson plan, and the in-app Assistant. Message content is sent only when you invoke these features; nothing is sent in the background. Anthropic is audited under SOC 2 Type II, and under their commercial terms customer prompts and outputs are not used to train their models.
  • Resend — transactional email delivery.

Where your data lives

Your data is stored on servers located in Sydney, Australia, operated by Supabase. Backups are encrypted at rest. Data sent to third parties is transmitted over encrypted connections (TLS 1.3).

How long Crestio keeps data

Crestio keeps your data for as long as your account is active. If you cancel or delete your account, all associated data is permanently removed within 30 days. Billing records are retained for 7 years as required by Australian tax law.

Files you upload (PDFs, images) are stored on Crestio's behalf by Supabase in Sydney, Australia. They are private — only you, tutors in your organisation, and parents you have explicitly linked to a student can view them. Files are deleted as part of the same 30-day account-deletion window. If your subscription is cancelled, your files remain intact for 60 days so you can re-subscribe without losing them; they are then permanently deleted.

Your rights

Under the Australian Privacy Act 1988 and equivalent laws in your country, you have the right to:

  • Access a copy of your data
  • Correct any errors
  • Request deletion
  • Object to certain processing
  • Request a portable export of your data

Email lenin@crestio.ai and Crestio will respond within 14 days.

Children's data

Crestio handles information about children (students). Only tutors and parents have administrative accounts. Tutors are responsible for obtaining appropriate consent from parents before adding a student's details to Crestio. Parents who join the parent portal are consenting to Crestio processing their child's tutoring information on their tutor's behalf.

Students under 18

Crestio offers an optional student portal at /student. Tutors can opt individual students in. Students do not sign up by themselves — there is no public student signup. The portal collects only what is needed for the student to see their own sessions: email, full name, date of birth (for age verification), and which homework items they've marked done.

Data minimization. Students never see other students, never see invoices or payments, never see internal tutor notes, and never see marketing of any kind. Crestio never sends students promotional email.

Parental consent under 16. When a tutor enables portal access for a student under 16, the invitation routes to the student's parent first. The student's account is not created until the parent explicitly approves. Parents can revoke access at any time from the parent portal — revocation immediately deactivates the student's sign-in.

Tutor-only data control. All student-portal data lives within the tutor's organisation. Crestio does not share student data with third parties beyond the infrastructure providers needed to operate the service (covered in Third parties). Crestio does not sell student data or use it for training third-party models.

Marketing. Crestio sends students no marketing email, no "tips and tricks" series, and no newsletters. Operational email — invitation, welcome, new note, new homework — is sent only when triggered by the tutor. Crestio never sends students promotional content of any kind.

Deletion when access ends. When a tutor or parent disables a student's portal access, the student's authentication is revoked immediately. The student's tutoring records remain with the tutor's organisation so the tutor can continue teaching the student. If the tutor's organisation is deleted, all student-portal accounts are deleted within 30 days, with 30 days' notice by email.

Account ownership at 18. When a student turns 18, their data status flips to "self-managed adult". They are notified by email and can choose to take ownership of their account or delete it.

Compliance. Where applicable, Crestio follows the GDPR Article 8 standard for processing children's data, the Australian Privacy Principles, and the U.S. Children's Online Privacy Protection Act (COPPA). Under-13 students require additional verifiable parental consent before access can be enabled — captured by the parent's signed consent action in the parent portal.

If something feels wrong. Students can email lenin@crestio.ai directly, or speak to a parent or another adult they trust.

Cookies and tracking

Crestio uses only essential cookies needed to keep you signed in. Crestio does not use advertising cookies, tracking pixels, or analytics that identify individuals.

Security

Crestio uses industry-standard security practices including encrypted connections, encrypted data storage, and regular security reviews. No system is perfectly secure, but Crestio takes the responsibility seriously. If you believe you've found a security issue, email lenin@crestio.ai.

Changes to this policy

If Crestio makes material changes to this policy, you'll be emailed at least 14 days before the change takes effect.

Contact

Questions or requests: lenin@crestio.ai.