Privacy Policy
Effective date: 11 May 2026
Last updated: 11 May 2026
This Privacy Policy describes how My Tijarah Ltd ("My Tijarah", "we", "us", "our") collects, uses, and protects your personal data when you use mytijarah.co.uk and the services offered through it (the "Service").
We are the data controller for the personal data described in this Policy.
- Registered name: My Tijarah Ltd
- Company number: 17210223
- Registered office: 20 Wenlock Road, London N1 7GU, United Kingdom
- Contact: support@mytijarah.co.uk
- ICO registration number: [to be added once received]
1. Personal data we collect
1.1 Information you give us
- Account data: name, email address, password (hashed), date of birth, country, language.
- Profile data: for Teachers — biography, photo, languages spoken, subjects taught, qualifications, hourly rate, time zone; for Students — preferred subjects and goals.
- Identity verification data (Teachers only): government-issued ID, proof of address, bank account details, tax residence country.
- Booking data: Lessons booked, times, parties involved, messages exchanged.
- Communications data: messages with our support team, feedback, and reviews.
1.2 Information we collect automatically
- Payment data: payment method type, last four digits of card, billing country, and transaction status. Full card details are collected directly by our payment processor (Stripe) and never reach our servers.
- Usage data: pages visited, features used, click events, referrer URL.
- Device data: IP address, browser type and version, operating system, device type, screen size, time zone.
- Cookies: see our Cookie Policy.
1.3 Information from third parties
- Sub-processors (Stripe, Wise) provide us with transaction status updates.
- If you sign in with a third-party identity provider (where available), we receive your name and email from that provider.
2. How we use personal data, and the lawful basis
| Purpose | Personal data used | Lawful basis (UK GDPR) |
|---|---|---|
| Provide and operate the Service | Account, profile, booking, communications | Contract performance |
| Process payments and payouts | Payment, identity, bank account | Contract performance |
| Verify Teacher identity, run sanctions and AML checks | Identity verification | Legal obligation; legitimate interest |
| Send service emails (booking confirmations, payout notifications, password resets) | Account, booking | Contract performance |
| Send marketing emails | Account | Consent (you can withdraw at any time) |
| Detect fraud and abuse | Usage, device, payment | Legitimate interest (protecting our business and users) |
| Analyse and improve the Service | Usage, device | Legitimate interest |
| Respond to support requests | Communications, account | Contract performance |
| Comply with tax, accounting, and regulatory obligations | Booking, payment, identity | Legal obligation |
| Defend legal claims | As required | Legitimate interest |
We do not sell personal data and we do not use it to make solely automated decisions that have significant effects on you.
3. Who we share personal data with
We share personal data with the following categories of recipients.
3.1 Service providers (data processors)
- Stripe Payments UK, Ltd — payment processing (UK; some processing in the US under SCCs).
- Wise Payments Ltd — teacher payouts (UK; some processing in the EU and globally for transfer execution).
- Supabase, Inc. — database hosting and authentication (EU/US).
- Vercel Inc. — application hosting (EU/US under SCCs).
- Sentry (Functional Software, Inc.) — error and performance monitoring (US under SCCs).
- [Transactional email provider] — service emails (e.g. booking confirmations, password resets).
- [Product analytics provider] — anonymous usage analytics, loaded only after cookie consent.
3.2 Other users
- Teachers see the basic profile information of Students who book them, including name and lesson context.
- Students see the public profile information of Teachers.
3.3 Authorities
We may disclose personal data to regulators, courts, law enforcement, or other government authorities where we are legally required to do so, or where we believe in good faith that disclosure is necessary to comply with the law or to protect our rights, property, or the safety of any person.
3.4 Corporate transactions
If we are involved in a merger, acquisition, or sale of assets, personal data may be transferred to the relevant party, subject to the protections in this Policy.
4. International transfers
Some of our processors are located outside the UK. Where this is the case, we rely on:
- the UK's data-transfer adequacy decisions (where they apply);
- the UK International Data Transfer Agreement (IDTA); or
- the EU Standard Contractual Clauses with the UK Addendum,
to ensure transfers receive an equivalent level of protection. Copies of the relevant safeguards are available on request at support@mytijarah.co.uk.
5. How long we keep personal data
| Category | Retention |
|---|---|
| Account data | While the account is active, plus 6 years after closure for legal-claim defence |
| Booking and payment data | 7 years (to meet UK accounting and tax-record obligations) |
| Teacher identity-verification data | 5 years after account closure (to meet UK anti-money-laundering obligations) |
| Communications with support | 3 years after the matter is closed |
| Cookie and analytics data | Up to 24 months |
| Marketing preferences | Until you withdraw consent |
We may keep data longer where the law requires it or where it is needed to defend or pursue a legal claim.
6. Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you and receive a copy of it.
- Rectify inaccurate or incomplete data.
- Erase your data, in some circumstances.
- Restrict processing, in some circumstances.
- Object to processing based on legitimate interest, including for marketing.
- Portability — receive your data in a structured, machine-readable format.
- Withdraw consent where processing is based on consent.
- Complain to the Information Commissioner's Office (ICO) at ico.org.uk or 0303 123 1113. We would appreciate the chance to address your concern first, but you can complain to the ICO at any time.
To exercise any of these rights, contact us at support@mytijarah.co.uk. We respond within one month.
7. Children's data
The Service is intended for users aged 16 and over.
If a user is under 18, a parent or legal guardian must agree to our Terms on their behalf and supervise their use of the Service. We do not knowingly collect personal data from children under 16 without verifiable parental consent. If you believe a child under 16 has provided us with personal data, contact us at support@mytijarah.co.uk and we will delete it promptly.
8. Security
We protect personal data using technical and organisational measures including:
- TLS encryption in transit;
- encryption at rest for sensitive data;
- access control and authentication on internal systems;
- ongoing review and patching of dependencies;
- monitoring for anomalous activity.
No security is perfect. If we become aware of a personal-data breach that is likely to result in risk to your rights and freedoms, we will notify you and the ICO as required by UK GDPR.
9. Cookies
See our Cookie Policy for details on what cookies we use and how to manage them.
10. Changes to this Policy
We may update this Policy from time to time. The "Last updated" date at the top reflects the most recent change. Material changes will be notified to active users by email or via the Service.
11. Contact
My Tijarah Ltd
20 Wenlock Road
London N1 7GU
United Kingdom
support@mytijarah.co.uk
Company number: 17210223