Privacy Policy
Effective date: 2026-05-17 · Last updated: 2026-05-17
Draft notice. This policy is in draft pending final review by counsel. The substantive content below is accurate as of the effective date and reflects how Oustaad handles personal data today; minor language refinements may follow lawyer review. For questions about this draft, contact
privacy@oustaad.com.
1. Who we are
Oustaad ("Oustaad," "we," "us," "our") is a tutoring marketplace operated by UMGAR LLC, a New York limited liability company. UMGAR LLC is the data controller for the personal data described in this policy. Our website is at oustaad.com and our mobile app is published on the Apple App Store.
2. Data we collect
We collect personal data in three ways: directly from you (when you create an account or update your profile), automatically (when you use the app), and from third parties acting on our behalf (our subprocessors — see §5).
2.1 From you, directly
- Account identifiers. Email address, display name, and the stable identifier from your OAuth provider (Apple Sign In or Google Sign In) when you create an account. You choose which provider to use; we only see what you authorize that provider to share.
- Profile content. For tutors: bio, headline, service-area ZIP, education, hourly rate, subjects taught, weekly availability, optional profile photo. For parents: optional profile photo and optional free-text notes when booking.
- Booking details. The session time, subject, location preference (online or in-person), and any free-text notes you write when booking. We store payment confirmation IDs and amounts (not card data — see §2.3).
- Messages. Text and any media you send through our in-app messaging.
2.2 Automatically, from the app
- Location. If you grant the system permission, the app reads your device's approximate location to show tutors near you. You can decline and enter a ZIP code instead; we never collect location in the background.
- Device identifiers. An Expo push notification token (one per device) so we can send booking reminders and chat-arrival notifications. The token does not identify you personally; it identifies your install of the Oustaad app on your device.
- Diagnostic data. Our backend logs request paths, HTTP status codes, your IP address (for rate-limiting and abuse prevention), and the timestamps of your requests. We do not run analytics, advertising, or cross-app tracking SDKs on the device.
2.3 From third parties processing data on our behalf
- Payment details are collected by Stripe inside the Stripe-provided checkout sheet that opens in the Oustaad app; Oustaad servers never see card numbers, CVCs, or banking details. Stripe returns to us only a payment-intent ID and the final charge amount.
- Background-check data for tutors (legal name, date of birth, SSN, current and prior addresses, government-issued ID) is collected by Checkr through a Checkr-hosted invitation flow. Oustaad receives only the candidate ID and the aggregated status (clear, consider, etc.) — never the underlying report contents.
3. How we use your data
We use the data we collect to operate the marketplace — that means showing you tutors near you, processing your bookings and payments, delivering messages and push notifications, and protecting the platform from abuse. We do not sell personal data and we do not use it for advertising or behavioral profiling.
4. Lawful bases (for users in jurisdictions that require one)
For users in the EU/EEA, UK, or other jurisdictions with a lawful-basis requirement, we process personal data on the bases of (a) contract — to provide the service you signed up for; (b) legitimate interests — to keep the platform safe, prevent fraud, and improve reliability; and (c) consent — for optional categories like push notifications and precise location. Note: Oustaad is currently launching in the United States only; this section applies if and when we onboard users in those jurisdictions.
5. Who else processes your data (subprocessors)
We work with carefully selected service providers who process personal data on our behalf. Each is bound by a data-processing agreement.
- Cloudflare, Inc. (US) — hosts our API, the avatar CDN, this website, and inbound email routing.
- Neon, Inc. (US) — managed Postgres database storing accounts, profiles, bookings, ratings, and availability.
- Stripe, Inc. (US) — payment processing, tutor KYC and payouts via Stripe Connect Express.
- Checkr, Inc. (US) — tutor background checks.
- Stream.io, Inc. (US) — in-app messaging between parents and tutors.
- Resend, Inc. (US) — transactional email (booking confirmations, payout notifications).
- Sentry, GmbH (US region) — server-side error monitoring; receives stack traces and your Oustaad user UUID only (no email or name).
- Expo (650 Industries, Inc.) (US) — push notification relay between our backend and Apple Push Notification service.
- Apple Inc. and Google LLC — OAuth identity providers; receive only the data you authorize when signing in.
- Daily.co (Pluot, Inc.) (US) — real-time audio/video transport for in-app tutoring sessions; processes camera and microphone streams in transit during a session. No recording, no transcript, and no AI processing. (Their own subprocessors: AWS, Oracle Cloud, Stripe, Sentry.)
If we add or remove a subprocessor, we will update this list and, if you have an active account, notify you at the email on file at least 30 days before the change takes effect.
6. Where your data is stored
All subprocessors above store data in the United States. We do not currently offer the service outside the United States.
7. How long we keep your data
- Active accounts: for as long as your account exists.
- Deleted accounts: when you delete your account, we anonymize your personal identifiers (name, email, phone, profile photo, OAuth subject) within 7 days. Booking and payment records are retained in anonymized form for tax and audit purposes for the retention period required by applicable law (typically 7 years for financial records in the United States).
- Background-check records: retained by Checkr per their own retention schedule, independent of your Oustaad account.
- Diagnostic logs: retained for up to 30 days, then rotated out.
8. Your rights
You have the right to access, correct, or delete the personal data we hold about you. The fastest way to exercise these rights is in the app: Profile → Edit profile for corrections, or Profile → Delete account for deletion. You can also email privacy@oustaad.com for any request we can't fulfill in-app.
Depending on where you live, you may also have the right to receive a copy of your data in a portable format and to object to certain types of processing. Email privacy@oustaad.com and we will respond within 30 days.
9. Children's privacy
Oustaad's service is for users aged 13 and older. We do not knowingly collect personal data directly from children under 13. Parents may book tutoring sessions on behalf of their minor children using their own Oustaad account; we collect the parent's identifying information, not the child's. If you believe a child under 13 has provided us with personal data, please email privacy@oustaad.com and we will delete it promptly.
10. Security
We use industry-standard transport-layer encryption (TLS) for all data in transit. Our backend runs on Cloudflare's edge network with HTTPS-only access; passwords are never stored (we use OAuth-only authentication via Apple and Google). Webhooks from payment and background-check providers are verified by cryptographic signature. No system can be guaranteed perfectly secure, but we take reasonable measures and update them as the threat landscape evolves.
11. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top of the page reflects the most recent change. Material changes will be announced in the app or by email to the address on file.
12. Contact
Privacy questions, requests, or complaints: privacy@oustaad.com.
UMGAR LLC
A New York limited liability company
privacy@oustaad.com
© 2026 UMGAR LLC. All rights reserved.