Levitutor Legal

Privacy Policy

Effective: 1 June 2026 • Levitutor AI Tutoring Platform

Your privacy matters. This policy explains what data we collect, why we collect it, how it is protected, and your rights under Malaysian law (PDPA 2010) and applicable international standards (GDPR, COPPA).

1. Who This Policy Applies To

This Privacy Policy applies to all users of the Levitutor platform, including:

  • Students — who use AI tutoring via class codes.
  • Teachers — who create classes and upload curriculum materials.
  • Owners — who manage an institute’s Levitutor subscription.

The platform operates as white-label software: end users interact with their institute’s branded version (e.g. trilingo.levitutor.top), and the underlying provider, Levitutor Sdn. Bhd., processes data on behalf of each institute.

2. Data We Collect

We collect only what is necessary to provide the service. Here is a full breakdown:

| Data Category | Examples | Purpose | Retention |
|---|---|---|---|
| Account Identity | Google account name, email address, profile photo URL, Google OAuth sub ID | Authentication, personalisation, teacher invitation flow | For the life of the account |
| Chat Messages | Student-typed messages, AI tutor responses, topic tags, token counts | Delivering AI tutoring, storing conversation history for continuity | Indefinitely (full text); daily aggregates pruned after 30 days |
| Learning Analytics | Daily message counts (no message text), topic engagement counts, last-active timestamp | Teacher and owner dashboards, progress tracking | Daily counts pruned to rolling 30 days; aggregates retained for account lifetime |
| Curriculum Resources | Teacher-uploaded files (PDFs, text), extracted text, vector embeddings | RAG (retrieval-augmented generation) — providing curriculum context to the AI | Until teacher deletes the resource |
| API Usage Logs | AI model name, input/output token counts, cost (USD), latency, success/failure | Platform cost management, billing, performance monitoring | 12 months from creation |
| Invite Records | Target email, invite status, expiry timestamp, who sent it | Teacher onboarding workflow | 90 days after acceptance or expiry |
| Session Tokens | Encrypted JWT session cookie (HttpOnly, Secure, SameSite=Lax) | Maintaining your authenticated session for 90 days | 90-day session lifetime, or until sign-out |

We do not collect: payment card data, real-time location data, device fingerprints, or any sensitive personal data categories defined by the PDPA.

3. How We Use Your Data

We use your personal data only for the following purposes:

  • Providing the tutoring service: Your chat messages are sent to the Google Gemini API to generate personalised AI responses.
  • Analytics and dashboards: Aggregated, anonymised engagement data is shown to teachers and owners to help them track student progress. Individual message content is never shown to teachers or owners.
  • Curriculum retrieval (RAG): Teacher-uploaded documents are embedded into vector representations so the AI can reference curriculum material in its responses.
  • Platform operations: API usage logs are used for cost management and billing. We use session data to keep you securely signed in.
  • Service communications: We send invitation emails to teachers via Resend. We do not send marketing emails without explicit opt-in.

4. Google Gemini AI — Data Processing Disclosure

Important disclosure: When you send a message to your AI tutor, that message is transmitted to Google’s Gemini API for processing.

This means:

  • Student messages are processed by Google LLC in accordance with Google’s Privacy Policy and Gemini API Terms of Service.
  • We use the Google AI API under commercial terms. Under these terms, Google does not use API input/output to train its models by default.
  • No student names, profile photos, or account identifiers are sent to Google Gemini. Only the text content of the conversation and anonymised class context are transmitted.

5. Children's Privacy (KIDS Mode & Under-13 Users)

For institutes using Levitutor with children under 13: This section applies to you and your students’ parents or guardians.

Levitutor is designed to be used with parental or institutional consent for users under 13 (or the applicable age of digital consent in your jurisdiction). Specifically:

  • Students are onboarded exclusively through institute-controlled class codes, not through public self-registration.
  • Student chat messages are stored only for tutoring continuity and are never visible to teachers, parents, or owners.
  • KIDS mode (“Ages 3–12”) configures the AI to use simplified language and encourages age-appropriate content only. The system prompt explicitly prohibits harmful or adult content.
  • If you are a parent who believes your child’s data has been collected without proper consent, please contact us immediately at hello@levitutor.top. We will delete the data within 30 days.

6. Data Sharing & Third Parties

We share your data with the following third parties, and only to the extent necessary:

| Third Party | Data Shared | Purpose |
|---|---|---|
| Google LLC (Gemini API) | Chat message text, class context | AI tutoring response generation |
| Google LLC (OAuth) | Google account email, name, photo | Authentication |
| Cloudflare (R2 Storage) | Uploaded curriculum files | Secure file storage for RAG pipeline |
| Resend (Email Delivery) | Recipient email address, invite email content | Teacher invitation delivery |
| Supabase / PostgreSQL host | All database records | Data persistence |

We do not sell, rent, or trade your personal data to any third party for marketing or advertising purposes.

7. Data Security

We implement the following security measures:

  • All data is transmitted over HTTPS/TLS.
  • Session tokens are encrypted, stored as HttpOnly cookies, and scoped per subdomain.
  • Database access is restricted via network-level firewall rules (no public DB access).
  • Invitation tokens are signed with HMAC-SHA256 and expire after 48 hours.
  • No plain-text passwords are stored (Google OAuth only).
  • Owner dashboards display only aggregated analytics — individual message content is architecturally segregated and never returned to owner-facing API endpoints.

Despite these measures, no method of internet transmission is 100% secure. In the event of a data breach affecting your personal data, we will notify affected parties within 72 hours as required by applicable law.

8. Your Rights (PDPA Malaysia & GDPR)

Under the Malaysian Personal Data Protection Act 2010 (PDPA) and, where applicable, the EU General Data Protection Regulation (GDPR), you have the following rights:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right of correction: Request correction of inaccurate or incomplete data. (Your name and photo are synced from Google and can be updated there.)
  • Right to withdraw consent: You may withdraw consent for data processing at any time by requesting account deletion.
  • Right to erasure: Request deletion of your personal data. We will process deletion requests within 30 days.
  • Right to lodge a complaint: You may lodge a complaint with Malaysia’s Department of Personal Data Protection (JPDP) or, if you are an EU resident, your local data protection authority.

To exercise any of these rights, contact us at hello@levitutor.top with the subject line “Privacy Rights Request”.

9. Data Retention

We retain data only as long as necessary:

  • Account data: Retained for the lifetime of your active account. Deleted within 30 days of an account closure request.
  • Chat messages: Stored indefinitely to preserve tutoring continuity (a student’s learning history). Deleted upon account deletion.
  • Daily analytics counters: Automatically pruned to a rolling 30-day window by a nightly automated job.
  • API usage logs: Retained for 12 months from creation.
  • Curriculum resources: Retained until a teacher deletes them or the associated class is deleted.

10. Cookies

Levitutor uses only essential cookies required for the platform to function. We do not use tracking, advertising, or analytics cookies.

| Cookie | Type | Purpose | Lifetime |
|---|---|---|---|
| next-auth.session-token | Strictly necessary | Maintains your authenticated session across all subdomains | 90 days |
| levitutor_privacy_notice_dismissed | Preference (localStorage) | Remembers that you have read the AI privacy notice in the chat | Persistent (until cleared) |

11. International Transfers

Your data is stored on servers located in Malaysia and/or Singapore (our primary database region). When your messages are processed by Google Gemini, data may be transferred to and processed in the United States or other countries where Google operates.

Google LLC participates in the EU-U.S. Data Privacy Framework and implements Standard Contractual Clauses where applicable, providing adequate safeguards for international data transfers.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date and notify Owners by email. We encourage you to review this policy periodically.

Continued use of the platform after changes constitutes acceptance of the updated policy.

13. Contact & Data Protection Officer

For privacy-related queries, data access requests, or complaints, please contact us:

Levitutor Sdn. Bhd.

Email: hello@levitutor.top

Subject line: Privacy Rights Request

Response time: Within 14 business days

For complaints under PDPA Malaysia, you may also contact the Department of Personal Data Protection (JPDP): pdp.gov.my.

Last updated: 1 June 2026