Privacy Policy
Last updated: May 20, 2026
Plain-language summary
I am Ali Jabbary, a sole proprietor based in Canada who provides 1-on-1 online tutoring. This policy explains what data I collect when you visit alijabbary.com or book a session with me, who the third-party services are that I use to run the site and bill for sessions, how long I keep the data, and how you can ask me to access, correct, or delete it. If you ever have a question, email [email protected].
1. Who I am
Ali Jabbary Tutoring is a sole proprietorship operated personally by Ali Jabbary in Canada. There is no separate incorporated entity. I am the data controller for any personal information collected through alijabbary.com.
2. What I collect
Information you give me directly
- Name and email address when you create an account, book a session, request the newsletter, or contact me through the site.
- Optional profile fields you choose to fill in (subject, learning goals, time zone, phone number).
- Messages you send me through the contact form, the in-app messaging, or by email.
- Session notes and progress summaries I write up during or after a tutoring session.
Information collected automatically
- Authentication session tokens and CSRF tokens (essential — required to keep you logged in and to protect form submissions).
- IP address, hashed for spam-prevention and rate-limiting on contact and lead-capture endpoints.
- Aggregate usage data: pages viewed, referrer, approximate region, device and browser type, page-load timing. This is used to fix bugs and improve the site.
Payment metadata
I do not see or store your full credit-card number. Card and bank details are handled by Stripe or PayPal directly. What I store on my side is the amount, currency, status, the processor transaction ID, and the line items purchased (which package or session). That information is what I need to issue receipts and handle refunds.
3. How I use it
- Provide the service. Schedule sessions, deliver the live tutoring, send recap emails, and keep your account history.
- Bill and refund. Charge for paid sessions through Stripe or PayPal and handle refund requests.
- Communicate with you. Send booking confirmations, reminders, recap emails, and (only if you opt in) the newsletter.
- Prevent abuse. Rate-limit contact and signup endpoints, detect spam, and protect against fraudulent payments.
- Improve the site. Review aggregate analytics to fix usability problems and decide which topics to write about.
- Meet legal obligations. Retain tax-relevant payment records and respond to lawful requests.
4. Third-party processors I use
I do not sell your personal information. To actually run the site I rely on the following services. Each of them processes a narrow slice of data on my behalf:
- Vercel — hosts the website and runs the serverless functions. Vercel logs request metadata (IP, user-agent, path) for operational and security reasons.
- Supabase — stores accounts, bookings, session notes, messages, and lead-capture entries. Supabase data is held in the US region.
- Stripe — processes card payments and refunds. Stripe receives card data directly from your browser; I never see the full number.
- PayPal — alternative payment method. PayPal receives payment details directly.
- Resend — sends transactional email (booking confirmations, recap emails, password and OAuth notices, newsletter delivery).
- Google — used for OAuth sign-in (Google account login). If you grant the optional Drive or Meet scopes I use them to attach a session folder or generate a meeting link on your behalf; those scopes are off by default.
- Cloudflare — content-delivery network and DNS. Caches static assets close to you and logs request metadata for DDoS protection.
- Google Analytics 4 — only loaded if the NEXT_PUBLIC_GA_ID environment variable is configured. Drops a measurement cookie to count visits and report aggregate behaviour.
I may also share information when required by law, to enforce these terms, or with your explicit consent.
5. Cookies and tracking
The site uses a small number of cookies and similar storage. You can clear or block them through your browser; doing so may sign you out or break parts of the site.
- Essential. Auth session cookie (NextAuth), CSRF token, and a small amount of local storage that remembers your selected currency and time zone. These are required for the site to work and cannot be turned off.
- Analytics. If Google Analytics 4 is enabled, it sets a measurement cookie to count unique visits and aggregate behaviour.
- Preferences. Lightweight cookies that remember UI choices (theme, accepted notifications prompt).
6. Data security
I use commercially reasonable security measures, including secure third-party providers (Vercel, Supabase, Stripe, PayPal, Cloudflare), encrypted connections (HTTPS/TLS) where available, server-side row-level security on sensitive Supabase tables, and limited access controls. No internet service can be guaranteed to be completely secure; I do not claim end-to-end encryption or formal security certifications I have not undergone.
7. Data retention
- Active accounts: retained for as long as the account exists.
- Session notes and recap emails: retained while your account is active so we can refer back to prior work. You can ask me to delete specific notes at any time.
- Payment and tax records: retained for the period required by Canadian tax law (currently six years).
- Lead-capture / newsletter signups: retained until you unsubscribe or request deletion.
- Closed accounts: personal profile data is deleted within 30 days of an account-deletion request, except for records I must keep to meet legal or accounting obligations.
8. Your rights
You can ask me to:
- Access the personal data I hold about you.
- Correct anything inaccurate.
- Delete your account and associated personal data, subject to the retention rules above.
- Export a copy of your data in a portable format.
- Object to a specific use or withdraw consent (for example, unsubscribe from the newsletter — every newsletter email has a one-click unsubscribe link).
To exercise any of these, email [email protected] from the address tied to your account. I respond within 30 days.
9. International transfers
I operate from Canada. The processors above are based in or store data in the United States (Vercel, Supabase, Stripe, Resend, Google, Cloudflare). If you are visiting from the EU, UK, or another region, your data will be transferred to and processed in those countries under the providers' standard contractual safeguards.
10. Children's privacy
Tutoring sessions are intended for adult learners. If a student is under 18, a parent or guardian must be the one who creates the account, books the session, and provides any personal information. I do not knowingly collect personal information from anyone under 13. If you believe a child has provided information without parental consent, email me and I will delete it.
11. Changes to this policy
I may update this policy from time to time. The “Last updated” date at the top reflects the most recent revision. Material changes will be announced by email to active users or by a notice on the site at least 30 days before they take effect.
12. Contact
Privacy questions, requests to access or delete your data, and anything else about this policy: