Built like a bank. Used like a notebook.
We hold session notes about real students and payment details from real parents. We treat both like the kind of data that, if it leaked, would end this company. Here are the specifics.
Encryption
All data in transit is TLS 1.2+ over HTTPS. No HTTP fallback — if your browser doesn't support modern TLS, the site refuses to load.
All data at rest is AES-256 encrypted by Supabase. Database backups are encrypted with separate keys and stored in a different region.
Access control
Every table has row-level security at the database. The query "show me everyone's invoices" cannot succeed even if a code path forgets to filter by organization. The database refuses.
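How a database-side policy produces that refusal, as an added PostgreSQL example (not Crestio's own schema or code). The tables, the app_user role, the app.user_id setting and the current_user_id() helper are hypothetical names chosen for illustration, and the rows are constructed sample data.

```sql
-- Added illustration: hypothetical schema, role and setting names (not Crestio's).
CREATE TABLE memberships (
    user_id uuid NOT NULL,
    org_id  uuid NOT NULL,
    PRIMARY KEY (user_id, org_id)
);
CREATE TABLE invoices (
    id           bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    org_id       uuid NOT NULL,
    amount_cents integer NOT NULL
);

-- Constructed sample data: one user in org ...0a, one invoice in each of two orgs.
INSERT INTO memberships VALUES
    ('00000000-0000-0000-0000-0000000000a1', '00000000-0000-0000-0000-00000000000a');
INSERT INTO invoices (org_id, amount_cents) VALUES
    ('00000000-0000-0000-0000-00000000000a', 12000),
    ('00000000-0000-0000-0000-00000000000b', 9900);

-- The application connects as a role that neither owns the tables nor bypasses RLS.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT ON invoices, memberships TO app_user;

-- Caller identity, read from a per-transaction setting (stand-in for the auth layer).
CREATE FUNCTION current_user_id() RETURNS uuid LANGUAGE sql STABLE
AS $$ SELECT nullif(current_setting('app.user_id', true), '')::uuid $$;

ALTER TABLE memberships ENABLE ROW LEVEL SECURITY;
ALTER TABLE invoices    ENABLE ROW LEVEL SECURITY;
ALTER TABLE invoices    FORCE ROW LEVEL SECURITY;  -- RLS applies to the table owner as well

CREATE POLICY own_memberships ON memberships
    FOR SELECT TO app_user
    USING (user_id = current_user_id());

CREATE POLICY invoices_same_org ON invoices
    FOR SELECT TO app_user
    USING (org_id IN (SELECT org_id FROM memberships
                      WHERE user_id = current_user_id()));

-- The "forgotten filter" case: a SELECT with no WHERE clause, run as the app role.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.user_id = '00000000-0000-0000-0000-0000000000a1';
SELECT org_id, amount_cents FROM invoices;
ROLLBACK;
```

The unfiltered SELECT returns only the invoice belonging to the caller's organization, and a session with no app.user_id set matches no policy row and gets nothing back. Superusers and roles with BYPASSRLS skip policies entirely, so the guarantee holds only for connections made as a role like app_user.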
Tutor private notes are column-level: even within your own organization, only you can read them. Session notes shared with parents are a separate column with separate policy.
Admin access at Crestio is one person — Lenin, the founder. Production database access is logged to a separate audit stream and rate-limited. As the team grows, two-person review will be required before this changes.
Compliance
Australian Privacy Act 1988 (we collect minimum necessary data; we honour access and deletion requests).
GDPR for European customers (legitimate interest for service operation; lawful basis recorded; data export and erasure built into the product, not a support ticket).
We don't sell data. We don't share with marketing partners. There are no marketing partners.
Audit logs
Every file view by a parent or student writes a row to file_views with the IP and user agent. Tutors see view counts and the last viewer in the file detail.
Every data export is logged with the requesting user, scope, and time. Tutors can see their own organization's export history.
Account deletion
You can delete your account from the app. The 30-day grace period lets you change your mind.
Before the cascade runs, we email you a full export of every byte: students, sessions, polished notes, invoices, files. ZIP archive, downloadable for 30 days.
After deletion, we keep encrypted backups for 90 days for catastrophic-restore purposes. After that, the keys are destroyed and the data is gone.
Incident response
If something is wrong, we tell you fast. The status page is updated within 5 minutes of detection. Tutors with active sessions during an incident get a direct email.
Found a vulnerability? Email security@crestio.ai. We respond within 24 hours.
We don't run a bug bounty yet — too small. We do send a hand-written thank-you to every responsible disclosure.
Vendor stack
Supabase (hosted in ap-southeast-2, Sydney) — database, storage, auth.
Stripe — payments. We never see card numbers.
Vercel — application hosting and edge.
Anthropic — the AI that polishes session notes. Their commercial terms mean training is opt-out and we are opted out.
Resend — email delivery to parents.
Questions we'll answer directly
If your school district or institution has a security review questionnaire, send it. We fill them out the same week.
Email security@crestio.ai