Privacy Policy

Who We Are:

Business Name: Reach Online Tutoring & Learning Limited
Registered Office: 6 Garden Road, Woolmer Green, Knebworth, Hertfordshire, England, SG3 6JZ
Contact Details: Lindsey@reachonlinetutoring.co.uk
Data Protection Contact: Lindsey Fekete

What Information We Collect and Why

Information Types Collected:

  • Names, addresses and general contact data
  • Financial information to make and receive payments
  • Records of meetings and general communications
  • Customer or client account and transaction records
  • Analytics to track website usage and optimise user experience
  • Children’s data (under 18s): Educational needs, learning objectives, session records, progress assessments
  • Parental/guardian information: Contact details, consent records, billing information

Purposes for Processing:

  • Providing goods and services (tutoring, data protection consultancy, business services)
  • Managing customer accounts, guarantees, and relationships
  • Financial management (invoicing, payments, accounting, processing transactions)
  • Legal compliance obligations (including safeguarding requirements)
  • Service updates and marketing communications (with consent)
  • Service improvement, analytics, and website optimisation
  • Recruitment and human resources management
  • Business development and partnership management
  • Managing enquiries and customer relationships
  • Contract management and administration
  • Children’s tutoring services: Educational assessment, progress tracking, lesson planning, safeguarding monitoring
  • Parental communication: Progress reports, scheduling, billing, consent management

Lawful Bases for Processing

We process personal data under the following lawful bases:

Contract: Processing data to meet agreed contractual terms and service delivery obligations

Legal Obligation: Compliance with statutory or regulatory requirements including tax, accounting, and safeguarding obligations under the Children Act 2004 and other child protection legislation

Consent: Processing data for marketing activities, newsletters, instances where data is shared, and parental consent for children’s tutoring services (always withdrawable)

Legitimate Interests: Managing client relationships, data security, business development, and educational progress monitoring (balanced against individual privacy rights)

Vital Interests: Child protection and safeguarding situations where immediate action is required

Data Sources

  • We collect the minimum data required to run this business
  • We only collect data directly from individuals and do not purchase, rent or buy from data brokers
  • Parental/guardian consent and information for children under 18
  • Referrals from partner organisations (name and contact details only)
  • Educational institutions (with appropriate consent)

Data Sharing and Third Parties

Service Providers We Use:

  • CRM Systems: Airtable
  • Communication Tools: Microsoft 365, Google Business, ActiveCampaign
  • Financial Processing: GoCardless, Stripe, Xero, ThriveCart
  • Educational Platforms: TutorBird
  • Video Conferencing: Zoom (for online tutoring sessions)
  • Onboarding Tutor System: TutorOnBoarder

Outsourced Team Members and Contractors:

  • Freelance tutors and educational specialists (UK and international)
  • Administrative support staff (may include international virtual assistants)
  • IT support and technical specialists

All team members sign comprehensive confidentiality agreements and receive GDPR training. International team members are subject to appropriate data transfer safeguards.

All processors are GDPR compliant with appropriate data processing agreements.

Other Sharing:

  • Professional advisors and legal representatives
  • Safeguarding authorities and child protection services (when legally required)
  • Regulatory authorities (when legally required)
  • Educational institutions (with appropriate consent)
  • Service suppliers (under confidentiality agreements)

We do not share, sell or exchange data with organisations external to our business.

We have a stringent selection process for software and systems to ensure that we use products with high security standards and meet UK data protection legislation.

Our suppliers and service providers are contracted with confidentiality and NDA clauses in place. We carefully select our suppliers and service providers following a defined process to assess their security and privacy standards.

International Data Transfers

Where necessary, we may transfer personal information outside of the UK. As a business selecting mainstream software, personal data is often hosted globally which is outside our control. When doing so, we comply with the UK data protection regulations to establish that appropriate safeguards and security are in place.

Why transfers occur:

  • Third-party services hosted outside the UK (mainstream business software)
  • Outsourced team members and contractors based internationally
  • Cloud storage and processing services
  • Global hosting of business applications

Safeguards in place:

  • Adequacy decisions where available
  • Standard Contractual Clauses (SCCs) for non-adequate countries
  • Enhanced due diligence for international team members
  • Binding corporate rules for multinational service providers
  • Regular review of transfer risk assessments
  • Compliance with UK data protection regulations for all transfers

Countries involved:

  • EEA countries (adequacy decision)
  • USA (adequacy framework where applicable)
  • Other countries with appropriate safeguards including Canada, Australia
  • Carefully selected contractors in other jurisdictions subject to enhanced protections and contractual safeguards

We regularly review all international transfer arrangements to ensure ongoing compliance with UK data protection legislation.

Your Rights Under UK GDPR

Right of Access: Request copies of your personal data with explanation of processing

Right of Rectification: Correction of inaccurate or incomplete information

Right to Erasure: Request deletion of personal data (subject to legal obligations)

Right to Restrict Processing: Limit how we process your data in specific circumstances

Right to Object: Object to processing based on legitimate interests

Right to Data Portability: Transfer your data to another organisation

Right to Withdraw Consent: Remove consent for marketing or optional processing

To exercise rights: Contact us using the details above. We respond within one calendar month (extendable for complex requests).

Data Retention Periods

Data management and retention

UK GDPR and the DPA 2018 require us to actively manage data and ensure it is retained for the minimum period possible.

Financial Records: Our legal obligations require us to retain financial data for 7 years for audit purposes

Client/Customer Data: Retained for the life of the business relationship and subject to the retention periods above

Prospect Data: Our relationships with customers and prospects are managed over many years with some prospects becoming customers years after initial discussions or enquiries. On this basis we have chosen to retain all prospect and contact data for 10 years

Marketing Data: Relationships with prospective clients may exist for some years via our marketing channels and email marketing systems. Options to unsubscribe from communications are always provided

Tax/Finance Related Data: 6 years after relevant tax year submission deadline

Children’s Educational Records: Retained for duration of tutoring relationship plus 6 years, or until age 25 (whichever is longer) for safeguarding purposes

Safeguarding Records: Retained indefinitely where serious concerns identified, otherwise 6 years after child reaches 18

Special Provisions for Children’s Data (Under 18s)

Parental Consent Requirements:

  • Parental consent required for all children under 13
  • Children aged 13-17: We assess capacity to consent independently, but generally seek parental involvement
  • Consent verification: We use appropriate age verification and parental confirmation processes

Enhanced Protections:

  • Data minimisation: We collect only essential information for educational purposes
  • Privacy by design: Child-friendly privacy settings and restricted data sharing
  • Regular consent review: Annual review of consent for ongoing services
  • Withdrawal rights: Both child and parent can withdraw consent at any time

Safeguarding Obligations:

  • Mandatory reporting: Legal obligation to report child protection concerns to appropriate authorities
  • Record keeping: Detailed records maintained for safeguarding purposes
  • Information sharing: May share information without consent where child welfare is at risk
  • Staff training: All staff receive regular safeguarding and child protection training

Educational Data:

  • Progress tracking limited to educational necessity
  • No profiling or automated decision-making affecting children
  • Age-appropriate communication about data processing
  • Special consideration for children with additional needs

Data Security

We implement appropriate technical and organisational measures including:

  • Secure software selection processes
  • Confidentiality and NDA agreements with all suppliers and team members
  • Enhanced vetting for team members working with children’s data
  • Secure video conferencing with child-safe settings
  • Regular security assessments of third-party processors
  • International team member security training and compliance monitoring
  • Access controls and data minimisation principles
  • Encrypted communication channels for sensitive data transfers
  • Regular security audits of outsourced arrangements

Complaints Process

Step: Contact us directly using the details above

Regulatory Complaint: Information Commissioner’s Office

  • Phone: 0303 123 1113
  • Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
  • Website: org.uk/make-a-complaint
  • Email: Available via ICO website

Updates to This Notice

This privacy notice is reviewed regularly and may be updated. Please check periodically for changes.

Last Updated: 30.8.2025

Next Review: 30.8.2026