Legal

Privacy

Last updated 21 April 2026

Crestio is a tool for independent tutors and small tutoring businesses to run their operations. This page describes what personal information we hold, why we hold it, and what we do with it. It is written plainly on purpose.

Who we are

Crestio is operated as a sole trader from Sydney, Australia. Contact: hello@crestio.ai.

What we collect from you, the tutor

When you sign up for and use Crestio, we collect:

  • Your email and password (password is stored hashed — we never see it)
  • Your business name, owner name, phone number, and default hourly rate
  • Information you put into the app yourself: students, tutors, sessions, invoices, lesson plans
  • Basic technical data automatically collected on page loads: browser user-agent, approximate location derived from IP address, pages visited. We use this to detect abuse and to see which features get used.

What you put into Crestio about third parties

Crestio lets you store information about your students and their parents: names, year levels, schools, email addresses, phone numbers, notes, rates, and session history. Some of this may relate to minors.

You — the tutor — are responsible for the lawful basis on which you collect that information from families, and for notifying families that their details are held in our system. Practically, this means telling parents during enrolment something like: "I use a tool called Crestio to keep records of our sessions and send invoices. Your contact details are stored there." If a parent asks you to remove their or their child's information, you can delete it from the app at any time.

Why we hold it

To run the service you signed up for: showing you your data, generating invoices, scheduling sessions. That's the only primary purpose.

Where it lives

Your data is stored in a Supabase-hosted Postgres database. The database sits in a Supabase region chosen when the project was created. Supabase is a US company; database infrastructure runs on AWS. If lesson plans are generated with AI, the prompt (subject, topic, year level) is sent to Anthropic's API, which is also US-based. Sessions of the web app run on Vercel's edge network.

If you're in Australia, this means your data is transferred overseas. By using Crestio, you consent to that transfer. We only use providers that have equivalent-to-Australian security and privacy standards.

Who else sees your data

No one we sell it to. We don't sell data to anyone. We don't share it with advertisers. We don't run ads.

Third parties that necessarily process it in the course of providing Crestio to you:

  • Supabase — database and authentication
  • Vercel — hosting the website
  • Anthropic — only if you use the AI lesson plan feature; only the subject/topic/year level is sent, not student names or other data
  • Vercel Analytics — privacy-respecting, aggregated, no cookies, no personal identifiers

We'd only disclose your data to anyone else if required by a valid Australian court order.

How long we keep it

For as long as you have an account. If you delete your account, your data is deleted from the database within 30 days. Backups are rotated out within 90 days.

Your rights

You have the right to:

  • Access the data we hold about you — it's all already visible inside the app
  • Correct it — edit it inside the app, or email us
  • Delete your account — email us from your account address and we'll do it within 7 days, or wait until the in-app delete button ships
  • Complain to the Office of the Australian Information Commissioner (oaic.gov.au) if you think we've handled your data badly

Security

Passwords are hashed. All traffic is HTTPS. Database access is restricted by Row Level Security — you can only read and write your own rows. We don't have a "view all users" admin panel. If we suffer a data breach that could cause you harm, we'll notify you and the OAIC, as required by Australian law.

Cookies

We use one thing that stores data on your device: your login session, kept in your browser's local storage so you don't have to sign in every time. We don't use tracking cookies. We don't use third-party advertising cookies.

Children

Crestio is intended for tutors and business owners — adults. We don't knowingly collect personal information directly from children under 16. Information about minor students stored by a tutor sits in that tutor's account, under that tutor's control.

Changes to this policy

If this policy changes in a way that meaningfully affects you, we'll email registered users before the change takes effect. Smaller edits update the date at the top of this page.

Contact

Questions, requests, complaints: hello@crestio.ai. We reply within 5 business days.

See also: Terms of service