Simplex Tutoring Privacy Policy

This Privacy Policy explains how Simplex Tutoring (“we”, “us”, or “our”) collects, uses, and protects your personal information when you visit our website or use our tutoring services. We are committed to transparency and to handling your data with care and respect, in accordance with UK GDPR and the Data Protection Act 2018.

1. Who We Are

Simplex Tutoring is an online tutoring service specialising in Mathematics, Computer Science and Programming for students in Years 7–13, including GCSE, A Level, and IB programmes in the United Kingdom.

Website: https://simplextutoring.com
Contact Email: info@simplextutoring.com

For data protection matters, you may contact Alex Dent at the same email address.

If you have any questions about this policy or how we handle your data, please contact us.

2. What Data We Collect and Why

We collect only the personal data necessary to provide our tutoring services. This includes:

Data Type | Examples | Lawful Basis (UK GDPR)
Parent’s full name | For billing, communication, and sending homework/reading materials | Contract performance with the parent
Student’s full name | To identify the student for sessions | Contract performance with the parent
Student’s educational information | Year group, subjects studied, GCSE/A Level/IB programme | Contract performance with the parent (necessary to tailor lessons to the correct syllabus)
Contact details | Email address (required for correspondence, sending homework, and electronic signing of documents); phone number (required for initial onboarding identity verification and for urgent service communications such as last‑minute tutor illness or session cancellation; parents may choose to use the phone number only for these essential purposes) | Contract performance with the parent – both email and phone number are necessary to complete the onboarding verification process and to deliver the service reliably
Session records | Attendance, progress notes, feedback | Legitimate interests – to maintain teaching continuity and quality. Our balancing test concluded that this processing does not override parents’ or student’s rights because records are limited to attendance and progress notes, are not used for automated decisions, and are not shared with third parties.

Our legitimate interests assessment concluded that the benefits to teaching quality and student progress outweigh the minimal privacy impact, because session notes are kept confidential, not used for profiling, and not shared with third parties.

We do not collect or store payment card details directly – payments are processed through our third‑party tutoring platform, TutorCruncher, which uses Stripe and GoCardless.

We do not use automated decision‑making or profiling that produces legal or similarly significant effects concerning you or your student.

3. Students’ Data

Our services are specifically directed at students aged 11–18 (Years 7–13). We take our obligations regarding students’ data seriously.

Parental consent for students under 13: We obtain verifiable parental consent before collecting or processing any personal data of a student under 13. Our verification process consists of two steps:

  • E‑signature via BoldSign – We send a combined consent document (incorporating this Privacy Policy, our Safeguarding Policy, and our Terms & Conditions) to the parent’s email address. The parent signs the document using BoldSign, an electronic signature platform that is GDPR‑compliant and holds SOC 2® Type 2, GDPR, HIPAA, and PCI DSS certifications. BoldSign provides an audit trail (timestamp, IP address, and email confirmation). All documents and related data signed through BoldSign are stored and processed within BoldSign’s European data centre, hosted in the Netherlands, ensuring that data remains within the EU for UK GDPR purposes.

  • Verified phone call – Within 48 hours of receiving the e‑signature, we call the parent on the phone number provided during enrolment. We confirm the parent’s identity by asking a simple verification question (e.g., student’s date of birth or a recent booking reference). We log the date, time, and outcome of the call.

No tutoring will begin until both steps are completed. We retain the signed document, the BoldSign audit trail, and the phone call log as proof of consent.

Students aged 13–15: For students aged 13 to 15, we rely on contract performance with the parent (no separate consent required, though parents may withdraw their student at any time).

Ages 16–18 (young people): For students aged 16 to 18, we recognise their increasing capacity to make decisions about their own data. While our contract is with the parent or guardian, we will treat the student’s continued engagement with our tutoring services (e.g., attending sessions, receiving homework, communicating with tutors) as an indication that they do not object to the processing described in this policy. If a student aged 16–18 wishes to exercise their own data protection rights (e.g., access, erasure) independently of their parent, we will respect that request provided we can verify the student’s identity and age. Parents remain entitled to exercise rights on behalf of their student until the student turns 18.

Limited collection: We collect only the minimum information needed to deliver tutoring sessions (as listed in Section 2).

No marketing: We do not use students’ data for marketing purposes or share it with third parties for advertising.

Parental rights: Parents and guardians may exercise the data rights in Section 9 on behalf of their student.

Withdrawal of consent: Parents may withdraw consent at any time by emailing info@simplextutoring.com. Withdrawal will not affect the lawfulness of processing before withdrawal but may mean we can no longer provide tutoring services. If consent is withdrawn, we will delete your student’s session notes and progress data within 30 days. However, if we reasonably need to retain session notes or progress data for the establishment, exercise, or defence of legal claims (for example, a parent alleging that tutoring was not provided as agreed), we will restrict processing of that data – meaning we will keep it but not use it for any active purpose – until the applicable limitation period has expired. We will inform you if this exception applies. We may retain billing records for up to 6 years as required by law.

We comply with the UK Children’s Code (Age Appropriate Design Code) in the design of our services and communications.

4. Cookies, Analytics, and Website Tracking

Our website is built on WordPress. We use only essential cookies necessary for the website to function. We do not knowingly set any non‑essential cookies.

However, our website may include embedded content from third parties (e.g., YouTube or Vimeo videos, social media links). If you interact with such embedded content, those third parties may place their own cookies on your device, as described in their respective privacy policies. We do not control these cookies.

Our tutoring management platform, TutorCruncher, collects pseudonymised usage data (e.g., feature usage, page views). This data remains personal data under UK GDPR because TutorCruncher could re‑identify it. It is processed via Google Cloud Platform (BigQuery) in the EU and US.

Your choices: Most web browsers allow you to control cookies through browser settings. Disabling essential cookies may affect the functionality of certain parts of our website.

Note on non‑essential cookies: We currently set no non‑essential cookies intentionally. If we ever introduce non‑essential cookies or tracking, we will implement a compliant cookie banner and obtain your consent before doing so.

5. Who We Share Your Data With

We do not sell your personal data to third parties. We share your data only in the following limited circumstances:

Recipient | Purpose | Data shared | Location of processing
TutorCruncher (tutoring management platform) | Client management, scheduling, billing, session records | Parent name, student name, contact details, educational info, session notes | Dublin, Ireland (Heroku) and EU (AWS)
BoldSign (electronic signature platform) | Parental consent verification for students under 13 | Parent’s full name, student’s full name, email address, IP address, audit trail data | Netherlands (EU) – GDPR‑compliant European data centre
Individual tutors | Delivering scheduled sessions | Student’s full name; parent’s full name; parent’s contact details (student’s contact details only if parent explicitly agrees) | All tutors are based in the United Kingdom. Tutors’ personal devices are UK‑based.
Stripe / GoCardless (payment processors) | Payment processing | Payment amount, parent name, billing identifier (no card details stored by us) | EU / US (safeguarded by UK International Data Transfer Agreement)
Legal/regulatory authorities | Compliance with law | As required | UK

Additional information about BoldSign:

BoldSign is provided by Syncfusion, Inc., a GDPR‑compliant entity that maintains rigorous security and data protection measures to safeguard your privacy. BoldSign is certified with SOC 2® Type 2, GDPR, HIPAA, and PCI DSS.

BoldSign uses cookies and similar tracking technologies on its website for the following purposes:

  • Storing and honouring your preferences and settings
  • Enabling you to sign into your account
  • Combating fraud
  • Analysing how their products perform
  • Fulfilling other legitimate purposes

For visitors from the EEA or the UK, BoldSign has a legal basis for using cookies as set out in its Cookie Policy. For more information, please refer to BoldSign’s Privacy Policy and Cookie Policy. BoldSign also maintains a Subprocessors page listing the third parties used to support secure processing. You can manage your cookie preferences directly on BoldSign’s website via its cookie management tools.

Important restrictions on tutors’ use of personal devices:

Tutors may hold limited contact information (student’s first name, parent email or phone number) solely for the purpose of delivering scheduled sessions.

All tutors are based in the United Kingdom.

All tutors sign a data processing agreement requiring them to:

  • Use encrypted devices (full disk encryption, e.g., BitLocker or FileVault) and password‑protected storage.
  • Access data only via secure methods (no plain‑text storage in unencrypted apps like standard SMS or WhatsApp).
  • Delete all client data within 7 days of the tutoring relationship ending, or immediately upon your request.

We conduct periodic compliance checks and may terminate any tutor who violates these requirements.

A full, up‑to‑date list of all subprocessors used by TutorCruncher is available on request.

6. How Long We Retain Your Data

We retain your personal data only for as long as necessary to fulfil the purposes set out in this policy.

Data type | Retention period
Active client profiles (names, contact details, educational info) | For as long as your account is active, plus 6 months of inactivity (no sessions booked and no login). Inactivity does not include periods where an advance booking or credit balance exists. After that, we delete this data.
Session and billing records | 6 years from the end of the tax year (HMRC requirement). After 6 years, we delete these records. If deletion is not possible for technical reasons, we will restrict processing (the data is retained but not used for any active purpose).
Consent records (signed BoldSign documents, audit logs, phone call verification logs) | For as long as your account is active, plus 6 years from the end of the tax year (to evidence consent in case of a dispute).
Tutor‑held data | Deleted within 7 days of the tutoring relationship ending, or immediately upon your request.

7. Data Security

We take reasonable technical and organisational measures to protect your personal data, including:

  • Using TutorCruncher (ISO27001 and Cyber Essentials Plus certified)
  • Requiring multi‑factor authentication (MFA) for administrative access
  • Using strong password hashing (bcrypt or equivalent)
  • Binding all tutors and staff to confidentiality and data protection agreements

Despite these measures, no method of transmission over the internet is entirely secure. Please contact us immediately if you suspect any unauthorised access to your account.

Data breach notification: We will notify the Information Commissioner’s Office (ICO) of any personal data breach within 72 hours unless the breach is unlikely to result in a risk to rights and freedoms. If the breach is likely to result in a high risk to your rights and freedoms, we will notify affected individuals directly without undue delay.

8. Your Rights (and How to Exercise Them)

Under UK GDPR and the Data Protection Act 2018, you have the following rights regarding your personal data:

Right | What it means
Access | Request a copy of the personal data we hold about you.
Rectification | Correct inaccurate or incomplete data.
Erasure | Request deletion of your data (where not legally required to keep it). If you request erasure while we still have a legal obligation to retain billing records (e.g., for HMRC), we will restrict processing of those records (they will be retained but not used for any other purpose).
Restriction | Limit how we use your data in certain circumstances (e.g., while we verify accuracy or lawful basis).
Data portability | Receive an exported file of your data in a machine‑readable format. This right applies only to data you have provided to us and that we process by automated means. You may receive your core account data (your name, contact details, session dates, billing history). Session notes and progress records, which are our own observations created by tutors, are not subject to the portability right because they are not data you provided. However, you can still access them under your right of access.
Object | Object to processing based on legitimate interests (we will stop unless we have compelling legitimate grounds).

To exercise any of these rights: Email info@simplextutoring.com with the subject line “Data Request”. We will verify your identity using information we already hold – for example, by asking you to confirm a recent session date, the name of your tutor, or a booking reference. We will not require a copy of your government‑issued ID. If we cannot verify your identity using the information we have, we may ask for additional details that are not excessive (such as confirming the email address or phone number you used when signing up).

Response time: We will respond within one calendar month. For complex or multiple requests, we may extend this by up to two months – we will inform you of any extension within the first month.

Right to complain: If you believe we have not handled your data appropriately, you have the right to lodge a complaint with the ICO (www.ico.org.uk).

Right to judicial remedy and compensation: You also have the right to seek a judicial remedy against us or to claim compensation for material or non‑material damage arising from a breach of this policy.

9. Where Your Data Is Sent (International Transfers)

Your data is processed and stored both inside and outside the UK. The table below shows where different categories of data go and the legal safeguard we apply.

Data category | Storage location | Processing location | Legal safeguard
Core client data (names, contact details, session records) | Dublin, Ireland (Heroku) | Ireland (EU) | The UK has recognised the EU as providing an adequate level of data protection (Schedule 21, Data Protection Act 2018)
Files and documents | Dublin, Ireland (AWS) | Ireland (EU) | UK adequacy decision for the EU
BoldSign consent data (documents, audit trails) | Netherlands (EU) | Netherlands (EU) | UK adequacy decision for the EU
Payment data (Stripe / GoCardless) | EU / US | EU / US | UK International Data Transfer Agreement (IDTA) – copy available on request
Pseudonymised analytics (Google BigQuery) | EU / US | EU / US | IDTA – this data remains personal data (pseudonymised), and we apply the same safeguards
Tutor‑held client data | United Kingdom | United Kingdom | No international transfer (all tutors are UK‑based)

Appropriate safeguards for transfers outside the UK:

Where we transfer your personal data to a country that is not covered by an adequacy decision (such as the United States), we rely on the UK International Data Transfer Agreement (IDTA) published by the Information Commissioner’s Office. You can view a copy of the IDTA here:
https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-agreement.pdf

For each of our US‑based processors (Stripe, GoCardless, Google Cloud Platform), we have entered into supplementary contracts incorporating the IDTA and completed a Transfer Risk Assessment. If you would like a copy of the relevant agreement (with commercial information redacted), please contact us at info@simplextutoring.com – we will provide it free of charge within 30 days.

In addition to the IDTA, we will provide, on request, a summary of our Transfer Risk Assessment (TRA) for each US‑based processor. The summary will describe the risks we assessed and the safeguards we put in place, redacted only to the extent necessary to protect security configurations or commercially sensitive information. Requests should be sent to info@simplextutoring.com, and we will respond within 30 days free of charge.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date and version number at the top.

If we make material changes that affect your rights or how we process your data, we will notify you directly (by email or via a notice on our website) before the changes take effect. For non‑material changes, a website notice is sufficient.

11. Contact Us

Email: info@simplextutoring.com
Website: https://simplextutoring.com

For data protection matters, you may contact Alex Dent (our data protection contact) at the same email address.