Privacy Policy
Last updated: May 18, 2026
1. Introduction
BiTree ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains what personal information we collect, how we use and share it, and the choices you have. It applies to all users of the BiTree platform (the "Service").
2. Information We Collect
- Account information: name, email address, hashed password.
- Google sign-in profile (if you use it): name, email, profile picture; password is not stored.
- Multi-factor authentication codes: 6-digit codes hashed before storage; codes expire after 10 minutes.
- Usage data: lessons completed, assessment attempts, sessions booked, progress markers.
- Payment information: processed by Stripe; we receive transaction metadata (amount, status, last 4 digits of card) but do not store full card numbers.
- Tutor application data: written experience, certifications, optional LinkedIn or GitHub URL, and the proctored competency assessment recording (webcam + screen capture).
- Virtual meeting recordings: when you participate in a live tutoring session, the tutor's screen and audio are recorded. The recording is uploaded to BiTree storage when the meeting ends.
- Security telemetry: IP address, user agent, sign-in timestamps, failed login attempts. Used for brute-force protection, rate limiting, and to alert you to logins from new IP addresses.
- Reports and warnings: if you file or receive a report, we store the report details and any administrator review notes.
- Communications: messages you send to [email protected] for support, bug reports, or appeals.
3. How We Use Your Information
- To provide the Service: authenticate you, deliver lessons, schedule and run live sessions, process payments.
- To run the tutor application and assessment process, including automated AI evaluation of the written application and human review of the recording.
- To enforce safety: review meeting recordings when a report is filed, suspend or ban accounts for violations, maintain a record of moderation actions.
- To detect and prevent abuse: rate-limiting, brute-force lockout, suspicious IP review, IP banning.
- To send transactional emails: registration verification, password reset, MFA codes, booking confirmations, report notifications, account moderation notices.
- To improve the Service through aggregated analytics. We do not sell your personal information.
4. Third Parties We Share Information With
We share data with vendors and service providers only as necessary to operate the Service. Each of the following processes data under its own privacy policy:
- Stripe: payment processing.
- Resend: transactional email delivery.
- Cloudflare: CDN, DDoS protection, and Turnstile CAPTCHA on auth forms.
- Vercel: application hosting and Vercel Blob storage for assessment and meeting recordings.
- Neon: managed PostgreSQL database hosting.
- Anthropic: AI evaluator that scores tutor applications. The application text is sent to Anthropic only when an administrator clicks the manual Run AI Review button.
- Jitsi Meet (meet.jit.si): third-party video conferencing for live tutoring sessions. The participant's display name is shared with Jitsi to label them in the room.
- Google: only if you choose to sign in with Google.
5. Recording Retention
Proctored assessment recordings and live meeting recordings are stored on BiTree storage for up to 12 months from the date of capture, after which they are deleted unless retained longer as part of an open moderation case, legal hold, or your express written consent. Recordings are accessible only to BiTree administrators and the user who created them; we do not share recordings publicly.
6. Cookies and Local Storage
BiTree uses a single session cookie (HttpOnly, SameSite=Lax, Secure in production) to keep you signed in. We do not use third-party advertising cookies. Cloudflare may set additional cookies for security and performance.
7. Data Security
- Passwords are hashed with bcrypt at cost 12.
- All traffic is encrypted in transit with TLS; HSTS is preloaded.
- Database connections are encrypted; database backups are managed by Neon.
- We use brute-force protection (escalating lockouts), rate limiting, IP banning, and admin audit logging.
- Multi-factor authentication is available for all users and required for accounts with administrative or tutor privileges as recommended.
8. Your Rights and Choices
- Access and update: view and edit your name and email in Profile settings.
- Email changes: require confirmation via a link sent to both your old and new addresses.
- Password changes: sign out all other sessions when applied.
- MFA: opt in or out at any time from your profile.
- Login history: view your last 10 sign-in attempts in your profile.
- Account deletion: write to [email protected] to request deletion. We will confirm and remove your account; certain records (financial, legal, abuse reports) may be retained as required by law.
- Appeal a suspension or ban: one written appeal per account from your dashboard.
- Data export: contact [email protected] to request a portable copy of your data.
9. Children Under 13
BiTree is intended for users 13 years of age and older. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with information, contact [email protected] and we will delete it. Users between 13 and 18 should obtain parental consent before using the Service.
10. International Users
BiTree is operated from the United States. By using the Service you consent to the transfer of your information to the United States, which may have different data protection laws than your country.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email or by notice in the Service. Continued use after the changes take effect constitutes acceptance of the updated Policy.
12. Contact
For privacy questions, data export requests, deletion requests, bug reports, or any other concerns, write to [email protected].