Pathways Tutoring: Privacy and Data Protection Policy

Introduction

Pathways Tutoring is committed to protecting the privacy and security of the personal data we process. As a provider of tutoring services to children, we take our responsibilities under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 very seriously.

This policy explains what personal data we collect, how we use it, how we secure it, and your rights regarding your information.

1. Who We Are (Data Controller)

Pathways Tutoring is the Data Controller for the personal data covered by this policy.

Contact Details:

  • Name of Business: Pathways Tutoring

  • Designated Contact: Hayley Hyatt

  • Email: info@pathwaystutoring.uk

2. The Data We Collect

We collect and process various types of personal data about you and your child to provide our services. This data falls into the following categories:

Data Category & Examples of Data Collected

  • Identity & Contact Data Parent/Guardian's name, email address, phone number, home address, and child's name, age, year group (Key Stage 1, 2, 11+).

  • Academic & Special Needs Data Learning goals, prior attainment, school reports, areas of difficulty, assessment results, and any diagnosed Special Educational Needs/Disabilities (SEND).

  • Financial DataPayment history, bank details (if paying by transfer), and invoice details. (We do not store full payment card details.)

  • Safeguarding Data (Sensitive) Records relating to safeguarding concerns or incidents, in line with our Safeguarding Policy.

  • Technical Data Information collected via our website (e.g., Squarespace analytics, IP address, browser type).

3. How and Why We Use Your Data (Lawful Basis)

Under GDPR, we must have a lawful basis to process your data. The primary bases we rely on are:

  • Contractual Necessity To deliver the tutoring services you have booked, including scheduling and administering lessons.Contact Data, Academic Data, Financial Data, Booking History.

  • Legal Obligation To comply with UK laws, such as financial record-keeping (HMRC) and our statutory duties under Child Protection and Safeguarding legislation. Financial Data, Safeguarding Data.

  • Legitimate Interest To manage and improve our business operations, such as dealing with complaints, reviewing tutor performance, and marketing relevant services. Identity Data, Testimonial Data (with consent).

  • Consent For specific, non-essential purposes, such as sending marketing newsletters or publicly sharing a testimonial. Marketing Preferences, Testimonial Data.

4. How We Collect and Store Data

  • Direct Interaction: Data is collected when you complete a website contact form, book a consultation, email us, or provide information verbally.

  • Third Parties: We may receive limited data from payment processors to confirm a transaction.

Storage and Security

We take security seriously. All personal data is stored securely in Google Drive via Workspace and encrypted cloud storage. Access to data is restricted to the founders and the assigned tutor on a strict "need-to-know" basis.

Data Retention

We only retain personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Generally:

  • Academic and Contract Data is retained for the duration of the tutoring relationship plus seven years to comply with financial auditing requirements.

  • Safeguarding Records are retained in line with statutory guidance.

5. Who We Share Your Data With

We will not sell your personal data. We may share your information with trusted third parties only when necessary:

  • Tutors: The assigned tutor receives the necessary Identity and Academic Data to deliver personalised instruction.

  • Payment Processors: Used to handle payments securely (e.g., Stripe or banking services).

  • Statutory Authorities: If required by law, we will share relevant data with law enforcement or Children's Social Care (Safeguarding) agencies.

  • IT Providers: Services like Squarespace, Google Workspace, and website analytics providers.

6. Your Rights Under UK GDPR

As a data subject, you have the right to:

  • Request Access to your personal data (a "Subject Access Request").

  • Request Correction of the personal data that we hold about you.

  • Request Erasure of your personal data where there is no good reason for us to continue processing it.

  • Object to Processing where we are relying on a legitimate interest and you feel it impacts your rights.

  • Request Restriction of processing your personal data.

  • Withdraw Consent at any time where we are relying on consent to process your personal data (e.g., for marketing).

To exercise any of these rights, please contact the Data Controller using the details in Section 1.

7. Concerns and Complaints

If you have any concerns about how we handle your data, please contact us first so we can try to resolve the issue. If you are not satisfied with our response, you have the right to make a complaint to the UK supervisory authority for data protection: