Papildoma.lt

Privacy Policy

Last updated: 2026-03-03

This privacy policy sets out the rules for the processing and protection of personal data when using the online platform "Papildoma" (hereinafter – the Platform).

1. General Provisions

The data controller of the Platform is Papildoma (hereinafter – the Controller or We). Contact email for data protection matters: infopapildoma@gmail.com. This policy has been prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, hereinafter – GDPR), the Law on Legal Protection of Personal Data of the Republic of Lithuania, and the Law on Electronic Communications of the Republic of Lithuania. By using the Platform, you confirm that you have read this policy and agree to the personal data processing conditions described herein.

2. What Personal Data We Collect

Depending on your use of the Platform, we may collect the following personal data:

Registration and account data:

  • First and last name
  • Email address
  • Password hash (encrypted form)
  • City
  • Phone number (optional)
  • Profile photo
  • Account type (student / tutor)

Tutor profile data:

  • Headline and description
  • Hourly rate
  • Experience (years)
  • Education (institution, degree type, field of study)
  • Subjects taught
  • Schedule
  • Lesson format (online / in-person)

Lesson data:

  • Lesson date, time and format
  • Selected subject
  • Lesson notes
  • Lesson status

Message content between students and tutors

Reviews and ratings (1–5 stars)

Automatically collected data:

  • IP address
  • Browser type and version
  • Session data (JWT tokens)
  • Cookie data
  • Last login date

When logging in via Google: first name, last name, email address, profile photo, account identifier.

3. Purposes and Legal Bases for Data Processing

We process your personal data for the following purposes:

  • Account creation and management – contract performance (GDPR Art. 6(1)(b))
  • Tutor search functionality – contract performance
  • Lesson booking and management – contract performance
  • Messaging between users – contract performance
  • Review system – legitimate interest (GDPR Art. 6(1)(f))
  • Platform security and error monitoring – legitimate interest
  • Authentication via Google – consent (GDPR Art. 6(1)(a))
  • Email notifications – contract performance

4. Data Retention Periods

We retain personal data only as long as necessary to achieve the stated purposes:

  • Account data – while the account is active + 1 year after deletion
  • Lesson data – 3 years from the lesson date
  • Message data – 2 years from the last message
  • Reviews – while the tutor's account is active
  • Error logs – 90 days
  • Email verification tokens – until expiry (24 hours)

5. Data Recipients and Transfers

We may transfer your personal data to the following service providers (data processors):

  • Supabase – file (photo) storage
  • Sentry (data processed on EU servers – de.sentry.io) – error monitoring
  • Vercel – website hosting
  • Google LLC – OAuth authentication
  • Email service provider – notification delivery

Some service providers are established outside the EU/EEA. In such cases, data transfer is ensured by applying the European Commission's Standard Contractual Clauses (SCCs) pursuant to GDPR Art. 46(2)(c).

Tutor profile data (name, photo, description, subjects, pricing, reviews) is publicly accessible to all Platform visitors.

6. Cookie Policy

The Platform uses cookies:

  • Essential cookies – session management, authentication, CSRF protection (session duration or up to 30 days)
  • Functional cookies – language preference (up to 1 year)

The Platform currently does not use analytics or advertising cookies. Essential cookies cannot be disabled as they are necessary for the Platform to function.

7. Your Rights

Under the GDPR, you have the following rights:

  • Right of access (GDPR Art. 15)
  • Right to rectification (GDPR Art. 16)
  • Right to erasure – "right to be forgotten" (GDPR Art. 17)
  • Right to restriction of processing (GDPR Art. 18)
  • Right to data portability (GDPR Art. 20)
  • Right to object (GDPR Art. 21)
  • Right to withdraw consent at any time

To exercise your rights, please contact us at infopapildoma@gmail.com. We process requests within 30 calendar days.

You also have the right to lodge a complaint with the State Data Protection Inspectorate (VDAI): L. Sapiegos g. 17, 10312 Vilnius, Lithuania, email ada@ada.lt, website https://vdai.lrv.lt.

8. Data Security

We implement appropriate technical and organizational measures to protect personal data:

  • Passwords are stored using bcrypt hashing algorithm
  • Data transmission is encrypted using HTTPS/TLS
  • Session management uses JWT tokens with limited validity
  • Login attempt limiting – maximum 5 attempts per 15 minutes
  • CSRF protection
  • Files are stored in a secure cloud environment

9. Minors' Data

The Platform is intended for persons aged 14 and over. Younger persons may use the Platform only with parental or guardian consent, in accordance with GDPR Article 8 and the Law on Legal Protection of Personal Data of the Republic of Lithuania.

10. Policy Changes

We reserve the right to update this policy at any time. The updated version will be published on the Platform with the update date. In the case of material changes, we will inform you by email or by a notification on the Platform.

11. Contact Information

If you have questions about this policy or wish to exercise your rights, please contact us at: infopapildoma@gmail.com. Supervisory authority: State Data Protection Inspectorate (VDAI), L. Sapiegos g. 17, 10312 Vilnius, Lithuania, https://vdai.lrv.lt, ada@ada.lt.