Go Back

Privacy Policy

Effective Date: March 2026 — Last Updated: April 10, 2026

JCollierTutoring ("we", "us", "our") is the Data Controller for all personal data processed through this platform. We are committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data Controller Contact Details

Controller: Joshua Collier, trading as JCollierTutoring
Email: admin@jcolliertutoring.com
Website: jcolliertutoring.com

2. Personal Data We Collect

  • Parents / Guardians: Name, email address. The registered parent email address is also used to verify identity for the Parent Portal (email-on-demand access — no password stored).
  • Students: Name, email address (optional — stored for reference and used when the tutor chooses to send a direct email, copy the student on assignment notifications, or resend an assignment brief directly to the student), subjects studied, session history, assignment records, exam records, predicted and actual grades.
  • Financial Records: Lesson fees, payment history, account balance, transaction records.
  • Contract Records: Digital contract signatures, signer name and email, signing date and IP-derived timestamp.
  • Tutors: Name, email, phone number, bank details (sort code and account number, used solely to facilitate payment by parents), and DBS self-certification status (a boolean record of the tutor's own confirmation that they hold a valid DBS certificate — this is a platform Terms of Service declaration only and does not constitute verification by JCollierTutoring). DBS self-certification data relates to criminal record status and is processed as criminal convictions data under Article 10 UK GDPR. See Section 3a below.

We collect only what is necessary to provide the tutoring service.

3. Lawful Basis for Processing

  • Contract performance (Article 6(1)(b)): Processing student profiles, sessions, contracts, and payment records is necessary to deliver the tutoring service you have engaged us to provide.
  • Legal obligation (Article 6(1)(c)): Financial transaction records are retained to comply with HMRC requirements under the Taxes Management Act 1970.
  • Legitimate interests (Article 6(1)(f)): Sending automated lesson reports, low-balance alerts, and session cancellation notices is in the legitimate interests of both the tutor and the parent. These communications are directly related to the contracted service and are not used for marketing.
  • Consent (Article 6(1)(a)): Where lesson recordings are made, separate written consent is obtained before each recording.

3a. Criminal Record Data (Article 10 UK GDPR)

DBS self-certification status is data that reveals criminal record status and is therefore subject to the heightened requirements of Article 10 UK GDPR and Schedule 1 of the Data Protection Act 2018.

We rely on Schedule 1, Part 2, Paragraph 18 (Safeguarding of children and individuals at risk) as the Schedule 1 condition authorising this processing. We work exclusively with students who are minors in an educational setting, and recording a tutor's confirmation that they hold a valid DBS certificate is necessary to protect the welfare of those children. The applicable Article 6 lawful basis is Article 6(1)(b) (contract performance — safeguarding compliance is a contractual requirement of the tutoring agreement). A Record of Processing Activity (ROPA) entry is maintained for this processing activity.

Only the boolean self-declaration is stored ("I confirm I hold a valid DBS certificate"). The DBS certificate number, disclosure date, and certificate contents are not collected or stored by this platform.

4. Children’s Data

Many of our students are under 18. We process student data solely to deliver the tutoring service. We do not share children's data with any third party except as described in Section 5, and we do not use it for profiling, advertising, or any purpose beyond educational administration. Parental or guardian consent is obtained via the Client Service Agreement before any student data is processed.

5. Third-Party Data Processors

We use the following processors, each bound by a Data Processing Agreement (DPA):

  • Google Firebase / Google Cloud — Database, authentication, and hosting. Data is stored in the europe-west2 (London) region. Covered by Google's standard DPA.
  • Resend — Transactional email delivery. Used to send welcome emails, receipts, and alerts. Covered by Resend's DPA.
  • EmailJS — Client-side contact form delivery from the public website. Used only for enquiry submission routing and operational responses.

We do not sell, rent, or share personal data with any other third party except where required by law.

6. Data Retention

  • Student profiles, sessions, assignments, and exam records: Retained while the student is active. Deleted promptly when the tutor removes the student from the platform, or on a verified erasure request (see Section 7).
  • Financial transaction records: Retained for 7 years from the date of the transaction, as required by HMRC under the Taxes Management Act 1970. This overrides any erasure request for these specific records.
  • Signed contract records: Retained for 6 years following the end of the tutoring relationship, in accordance with the Limitation Act 1980.
  • Email delivery logs: Retained for 30 days.
  • Parent portal access tokens: Single-use tokens expire after 30 minutes and are permanently deleted during the weekly cleanup job (every Sunday). No portal session data is retained after the token is used.

7. Your Rights Under UK GDPR

You have the following rights:

  • Access (Art. 15): Request a copy of the data we hold about you.
  • Rectification (Art. 16): Ask us to correct inaccurate data.
  • Erasure (Art. 17): Ask us to delete your data. We will comply within 30 days except where retention is legally required (see Section 6).
  • Restriction (Art. 18): Ask us to pause processing while a dispute is resolved.
  • Portability (Art. 20): Request your data in a structured, machine-readable format.
  • Object (Art. 21): Object to processing based on legitimate interests.

To exercise any right, email admin@jcolliertutoring.com. We will respond within 30 days. There is no charge for reasonable requests.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk — 0303 123 1113.

8. Data Security

All data is stored on Google Firebase in the London (europe-west2) region. We employ authentication, role-based access controls, encrypted transmission (HTTPS/TLS), Content-Security-Policy headers, and input validation at multiple layers. Tutor bank details are readable only by the account holder and are never exported or transmitted to parents beyond the payment information included in welcome emails.

9. International Transfers

Data is stored and processed in the UK / EEA (Google europe-west2). Any incidental transfer outside the UK is covered by Google's Standard Contractual Clauses under their DPA.

10. Changes to This Policy

We may update this policy as the platform changes. The “Last Updated” date at the top of this page will reflect any changes. Continued use of the service after a material change constitutes acceptance of the updated policy.

11. Cookies & Browser Storage

This website does not use advertising cookies, analytics cookies, or any third-party tracking technology.

The Tutor Portal uses Firebase Authentication, which stores your session credentials in your browser’s IndexedDB / localStorage (not a traditional HTTP cookie). This storage is strictly necessary to keep you signed in across page loads. It is automatically cleared when you sign out, or if you clear your browser data.

A small cookie notice is displayed on first visit to inform you of this. Dismissing the notice stores a single acknowledgement flag in localStorage so the notice is not repeated on subsequent visits. No personal data is held in that flag.

Because all browser storage on this site is strictly necessary for the operation of the service, no consent banner is required under the UK Privacy and Electronic Communications Regulations (PECR). If we ever introduce non-essential cookies (e.g. analytics), this policy will be updated and a consent mechanism will be added before those cookies are set.

Contact Us:
admin@jcolliertutoring.com