Your privacy is important to us. This policy explains how we collect, use, and protect your personal information in compliance with the General Data Protection Regulation (GDPR).

1. Information We Collect

• Personal Details: We collect your name, email address, phone number, and other contact details when you interact with us.
• Special Category Data: We collect payment information, school information, and additional data such as financial and credit information if you are applying for the Opportunities Advancement Award. We also collect immigration data when necessary for specific programs.
• Examples:
  • For the Opportunities Advancement Award, we may collect details about your financial situation and credit history.
  • For safeguarding purposes, we may collect information regarding a child’s background, health, and other relevant details.
  • When participating in our programs, we might gather school performance data and immigration status information.
• Usage Data: We collect information on how you use our website and services.
• Lesson Recordings: We record lessons, which are encrypted and only available to the student, tutor, tutoring teams, and safeguarding team.
• Message Content: We collect and store all messages sent by you on our server.

2. How We Use Your Information

• To Provide Services: We use your information to offer and improve our educational programs.
• To Communicate: We may send you updates, newsletters, and other important information.
• To Ensure Safety: In line with Keeping Children Safe in Education (KCSIE) 2021 (paras 105 to 113) guidelines, we may share information with external organisations to protect children. This may happen without parental consent if it’s in the child’s best interest.
• Legal Basis for Processing: Our legal basis for collecting and using your personal data includes your consent, the performance of a contract, compliance with legal obligations, and our legitimate interests.

3. Sharing Your Information

• With External Organisations: We share data with trusted partners and organisations as part of our safeguarding duties.
• Legal Requirements: We may share your information if required by law or to protect our rights.
• Payment Providers: We use GoCardless and Stripe to process payments. You can view their privacy policies here:
  • GoCardless Privacy Policy
  • Stripe Privacy Policy
• Please note that our server, Stripe and GoCardless, adhere to PCI DSS compliance standards.
• No Google Sharing: We do not share your information with Google.
• No Selling of Data: We never sell your personal data to third parties.

4. Data Retention

• General Data: We retain your personal data only for as long as necessary to fulfill the purposes we collected it for, including satisfying any legal, accounting, or reporting requirements.
• Safeguarding Data: Retained in accordance with our safeguarding policy.
• Specific Records: Certain records, as specified by the Information and Records Management Society (IRMS) 2019, Department of Education 2016, and Department for Education (DfE) 2022 guidance, will be kept until the child is 25.

5. Your Privacy Rights

Under GDPR, you have the following rights:

• Access: You can request a copy of the information we hold about you.
• Correction: You can ask us to correct any inaccurate information.
• Deletion: You can request that we delete your information, though some data may need to be retained for legal reasons.
• Restriction: You can ask us to restrict the processing of your data in certain circumstances.
• Portability: You can request that we transfer your data to another organisation.
• Objection: You can object to the processing of your data where we rely on legitimate interests.

To Submit a Data Subject Access Request (DSAR):

• Process: Contact us at [email protected] or 0333 335 5825 with your request. Include your full name, contact details, and details of the information you are requesting.
• Timeframe: We will respond to your request within one month. If your request is complex or numerous, we may extend this period by up to two additional months, in which case you will be informed within the first month.

6. Security

We prioritise the security of your personal information and employ multiple safeguards to prevent unauthorised access. Our data is stored securely with Airtable, with servers located in the UK.

Additionally, our websites are hosted by Krystal Web Hosting in London, UK, with certain aspects of our online services also hosted in Nottingham, UK. Furthermore, anonymised lesson logs may be stored in Dublin, Ireland, managed by Celonis, Inc (trading as Make).

7. Data Tracking

• We Don’t Track You: We do not track your activities on our website.
• No IP Address Tracking: We do not track your IP address.
• Anonymous Cookies: Cookies used by us do not contain identifiable information.

8. Data Breach Procedures

In the event of a data breach, we will notify affected users and relevant authorities within 72 hours of becoming aware of the breach, as required by GDPR.

9. Obtaining Consent

We obtain consent from users through checkboxes on our forms to ensure clear and explicit consent for data collection and processing activities.

10. Data Protection Impact Assessment

We conduct Data Protection Impact Assessments (DPIAs) for processing children’s data to identify and mitigate risks. This includes assessing the potential impact on children’s rights and freedoms and implementing appropriate safeguards.

11. Contact Us

If you have any questions or concerns about our privacy policy, please contact our Data Protection Officer at:

• Email: [email protected]
• Phone: 0333 335 5825

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) in the UK.