Login
Find a Tutor

Data Protection and Privacy Policy

Effective from: 08/10/2025

1. Introduction

At Twoition Ltd (“we”, “our”, “us”), we are committed to protecting the privacy and personal data of our clients, including learners and their parents or guardians.

This policy explains how we collect, use, store, and protect personal information in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

We only collect personal data when we have a lawful reason to do so and process it solely for legitimate purposes connected to the delivery and management of our tutoring services.

2. Information We Collect

We only collect information that is necessary to provide our services effectively and responsibly.

2a. From Learners and Parents/Guardians

We may collect the following personal information:

  • Name of learner and/or parent/guardian

  • Contact details (email, phone number, address)

  • Age or date of birth (if relevant)

  • Pronouns (optional)

  • Educational background or school details

  • Learning needs or goals, including target grades

  • Notes from sessions (e.g., progress tracking, lesson content)

  • Special educational needs (if disclosed)

  • Emergency contact details (if applicable)

2b. From Website or Online Contact Forms

We may collect the following data via our website or online forms:

  • Name

  • Email address

  • Phone number

  • Enquiry details

  • IP address (if web analytics are used)

Note: We do not intentionally collect more data than necessary.

We do not collect payment card details directly. For clients paying via BACS or secure invoicing platforms, we may process minimal financial information required to complete transactions (e.g., name, sort code, account number).

3. Why We Collect and Use Personal Data

We use personal data for the following purposes:

  • To deliver personalised tutoring services

  • To communicate with parents/guardians or adult learners about sessions

  • To monitor learner progress and adapt teaching approaches

  • To manage bookings, payments, and scheduling

  • To maintain records for safeguarding and quality assurance

  • To respond to enquiries and provide customer support

  • To fulfil legal, tax, or safeguarding obligations
3a. Online Publicity and Social Media Posts

With explicit consent, Twoition Ltd may post limited learner information (such as first name, progress achievements, grades, or photographs) on our website or social media platforms for promotional purposes.

  • Consent is entirely optional and may be withdrawn at any time by contacting contact@twoition.co.uk

  • Upon withdrawal of consent, we will remove any content under our control wherever reasonably possible

  • We cannot guarantee removal of content that has already been shared or reshared by third parties, but we will take reasonable steps to limit further exposure

  • Such content will be retained only as long as necessary for the stated purpose (typically up to 1–2 years), after which it will be deleted or anonymised

4. Legal Bases for Processing Data

We process personal data under one or more of the following lawful bases under UK GDPR:

  • Contract: To provide tutoring services and manage bookings

  • Consent: For optional uses such as testimonials, publicity, or marketing (consent may be withdrawn at any time)

  • Legal Obligation: To comply with safeguarding, tax, or other legal duties

  • Legitimate Interests: To manage, improve, and protect our services, where these interests do not override individual rights

5. How We Store and Protect Your Data

We take appropriate technical and organisational measures to protect personal data, including:

  • Password-protected and encrypted devices and platforms

  • Secure cloud storage with restricted access

  • Confidential disposal of paper records

Access to learner data is limited to authorised personnel and tutors — including any employees, directors, or contractors acting in a tutoring capacity — who require it to perform their duties. All such individuals are bound by confidentiality and data protection obligations under this policy. All tutors are individually responsible for maintaining data confidentiality and are required to report any suspected data breaches immediately to the Company’s Data Controller.

6. Data Retention

We retain personal data only for as long as necessary:

  • Learner records – up to 5 years after tuition ends, unless a longer retention period is required for legal or safeguarding reasons

  • Safeguarding-related records – retained until the learner reaches age 25

  • Financial and invoicing records – retained for 6 years (HMRC compliance)

  • Lesson recordings and progress notes – deleted once no longer required, or within 1 year of recording

You may request deletion of your data at any time, subject to legal or contractual obligations.

7. Data Sharing and International Transfers

We never sell personal data.

We may share data only when necessary and appropriate, with the following third parties:

  • Online lesson platforms (e.g., Zoom, Google Meet)

  • Cloud service providers (e.g., Google Workspace, Microsoft 365)

  • Secure payment processors (e.g., Stripe, PayPal)

  • HMRC or legal authorities (where required by law)

To ensure compliance with Article 28 of the UK GDPR, Twoition Ltd maintains Data Processing Agreements (DPAs) or equivalent data sharing terms with all third-party service providers who process personal data on our behalf (for example, Zoom, Google Workspace, or payment processors).

These agreements confirm that each provider:

  • Implements appropriate technical and organisational measures to protect personal data;

  • Processes data only under our written instructions; and

  • Transfers data outside the UK only where appropriate safeguards are in place, such as adequacy decisions or Standard Contractual Clauses (SCCs).

We review these agreements periodically to ensure continued compliance and to uphold the rights and freedoms of our learners and clients.

8. Your Rights Under UK GDPR

Under the UK GDPR, you have the right to:

  • Access the personal data we hold about you

  • Request correction of inaccurate or incomplete data

  • Request deletion of your data (“right to be forgotten”)

  • Object to or restrict certain types of processing

  • Withdraw consent at any time (for uses based on consent)

  • Request the transfer of your data to another provider

  • Lodge a complaint with the Information Commissioner’s Office (ICO)

To exercise any of these rights, contact: contact@twoition.co.uk.

You also have the right to complain to the Information Commissioner’s Office (ICO) if you believe your personal data has been misused or that your privacy rights have been infringed.

The ICO can be contacted at www.ico.org.uk, by calling 0303 123 1113, or by writing to the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

8a. Subject Access Requests (SARs)

Individuals have the right to request access to the personal data that Twoition Ltd holds about them. This is known as a Subject Access Request (SAR) under Article 15 of the UK General Data Protection Regulation (UK GDPR).

To make a SAR, please email contact@twoition.co.uk with the subject line “Subject Access Request.”
 We will:

  • Confirm receipt of your request within 5 working days;

  • Verify your identity before disclosing any personal data; and

  • Provide the information requested within one calendar month, unless the request is unusually complex (in which case, we may extend the response time by up to two further months, and we will notify you if this is necessary).

We do not charge a fee for processing SARs unless the request is manifestly unfounded or excessive, in which case a reasonable administrative fee may be applied.

9. Children’s Data and Parental Consent

For learners under the age of 18, we require parental or guardian consent to collect and process their data.

Consent is obtained during registration and may be withdrawn at any time. All data is managed in line with safeguarding best practices and in the best interests of the learner.

10. Changes to This Policy

We may update this policy periodically. Any changes will be posted on our website and, where appropriate, communicated directly to clients.

11. Monitoring, Evaluation, and Review

This policy will be reviewed annually or following any legislative change.

Data Protection and Privacy Policy v1.0
Policy reviewed by: Matthew Jones, Data Controller/ Owner
Date of last review: 08/10/2025
Next review due: 08/10/2026

12. Contact Us

Data Controller: Matthew Jones
mattjones@twoition.co.uk
07344 142864
www.twoition.co.uk 
ICO Registration Number: ZC013524

Useful Links

Subjects

Students

Tutors

Useful Links

Follow us for news and updates

Facebook Instagram

Copyright 2023 © Twoition Ltd. All Rights Reserved. Website Design by Bemunchie Online. Data Protection and Privacy Policy | Safeguarding and Child Protection Policy | Terms and Conditions