Privacy Policy

Last updated: 25 May 2026

This policy explains how we collect, use, store, and protect your personal data and your child’s personal data.

1. Who we are

Clearmark Tutoring is a specialist English tutoring service operated by Clearmark Tutoring Ltd, a company registered in England and Wales (company number 17234360).

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, we are the data controller. This means we are responsible for deciding how and why your personal data is processed.

Data Protection Contact: Connor O’Donnell, info@clearmarktutoring.co.uk

ICO Registration Number: to be completed on registration.

2. What personal data we collect

We collect the following categories of personal data.

2.1 Parent / carer data

  • Full name
  • Email address
  • Phone number
  • Home address (for in-person sessions and invoicing)
  • Payment information (processed securely via Stripe or GoCardless — we do not store card details)

2.2 Student data

  • Full name
  • Date of birth and age
  • School name and year group
  • Academic records relevant to tutoring (current grades, target grades, exam board)
  • Special educational needs and/or disability (SEND) information, where provided by you
  • EHCP details, where relevant
  • Medical conditions or allergies that may affect session delivery
  • Session notes, progress records, and assessment results created during tutoring
  • Learning plans and progress reports

2.3 Safeguarding data

  • Safeguarding concern records (if a concern arises)
  • Session recordings (video/audio) where consent has been given
  • DBS certificate details for staff and contractors

2.4 Website and marketing data

  • IP address and device information (collected via cookies and analytics)
  • Pages visited and interactions on our website (Google Analytics 4)
  • Email address (if you subscribe to our mailing list or download a resource)
  • Enquiry form submissions (name, email, phone, child’s year group, nature of enquiry)

3. Lawful basis for processing

Under the UK GDPR, we must have a lawful basis for processing your personal data. We rely on the following:

  • Delivering tutoring services (session notes, learning plans, progress reports): Performance of a contract (Art. 6(1)(b)).
  • Processing payments and invoicing: Performance of a contract (Art. 6(1)(b)).
  • SEND / medical information about the student: Performance of a contract (Art. 6(1)(b)) and explicit consent (Art. 9(2)(a)).
  • Safeguarding and child protection: Legal obligation (Art. 6(1)(c)) and vital interests of the child (Art. 6(1)(d)); substantial public interest — safeguarding of children (Art. 9(2)(g)).
  • Session recordings for safeguarding: Legitimate interests (Art. 6(1)(f)) — protecting the child and the tutor; explicit consent (Art. 9(2)(a)).
  • Marketing emails and newsletters: Consent (Art. 6(1)(a)).
  • Website analytics (Google Analytics 4): Consent (cookies) (Art. 6(1)(a)).
  • Responding to enquiries: Legitimate interests (Art. 6(1)(f)).
  • Complying with legal and regulatory obligations (e.g. tax records): Legal obligation (Art. 6(1)(c)).

4. Children’s data

We recognise that much of the data we process relates to children under 18. We take the following additional steps to protect children’s data:

  • We collect only the minimum data necessary to deliver our services safely and effectively.
  • We obtain consent for data processing from the parent or carer, not from the child. Under the UK GDPR, parental consent is required for children under 13; we apply this standard to all students under 18 as a precaution.
  • Children’s data is never used for marketing purposes.
  • Children’s data is never shared with third parties for marketing purposes.
  • Children’s data is stored with the same or higher security standards as adult data.
  • We will always consider the best interests of the child when making decisions about data processing.

5. How we use your data

We use personal data for the following purposes:

  • Delivering tutoring sessions and creating personalised learning plans
  • Carrying out diagnostic assessments and tracking academic progress
  • Producing progress reports for parents/carers
  • Processing payments and issuing invoices
  • Communicating with you about sessions, scheduling, and your child’s progress
  • Fulfilling our safeguarding obligations
  • Recording sessions for safeguarding purposes (with consent)
  • Responding to enquiries and providing information about our services
  • Sending marketing communications (only with your explicit consent, and only to parents/carers — never to students)
  • Improving our website and services through analytics
  • Complying with legal and regulatory obligations

6. Who we share data with

We will never sell your data or your child’s data to any third party. We may share data with the following categories of recipients, only to the extent necessary:

  • Local authority children’s services, police, LADO — safeguarding information shared to meet our legal obligation to protect children.
  • Stripe / GoCardless — payment details (name, amount, transaction) shared to process payments securely.
  • Google (Google Analytics 4, Google Workspace) — anonymised website analytics, email and document storage for business operations.
  • Video conferencing provider (Zoom / Google Meet) — session content (video, audio, screen share) used to deliver online sessions.
  • HMRC — financial records shared for tax compliance.
  • Our accountant — financial records and invoices shared for accounts preparation and tax filing.
  • Insurance provider — details relevant to a claim or complaint, for professional indemnity and public liability cover.
  • ICO (Information Commissioner’s Office) — if required in connection with a complaint or investigation.

All third-party processors we use are bound by data processing agreements and are required to process data in accordance with the UK GDPR. We do not transfer personal data outside the UK unless adequate safeguards are in place (e.g. Standard Contractual Clauses for US-based processors).

7. Data storage and security

We take the security of your data seriously. The following measures are in place:

  • All electronic data is stored on encrypted, password-protected platforms.
  • Access to student data is restricted to the tutor delivering sessions and the business directors (Jack Powell and Connor O’Donnell).
  • Safeguarding records are stored separately from general student records and are accessible only to the Designated Safeguarding Lead and Deputy.
  • Two-factor authentication (2FA) is enabled on all administrative accounts.
  • We use a password manager to generate and store unique, strong passwords for all business systems.
  • Session recordings are stored on an encrypted platform and automatically deleted after 30 days unless required for a safeguarding matter.
  • We do not store payment card details. Payments are processed securely through Stripe or GoCardless.
  • Physical documents (if any) are stored in a locked cabinet accessible only to the directors.
  • We conduct regular reviews of our data security measures.

8. Data retention

We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by law. Our retention periods are as follows:

  • Student academic records: duration of tutoring relationship + 3 years (contract performance; reasonable period for potential follow-up or re-engagement).
  • Parent/carer contact details: duration of tutoring relationship + 3 years (contract performance; reasonable period for potential follow-up).
  • Payment and invoicing records: 6 years from the end of the financial year (HMRC legal requirement, Taxes Management Act 1970).
  • Safeguarding records: duration of involvement + 25 years, or until the child reaches age 25, whichever is longer (IRMS guidance; statutory child protection obligations).
  • Session recordings: 30 days, unless needed for a safeguarding investigation (safeguarding purposes).
  • Marketing consent records: duration of consent + 2 years (evidence of consent under UK GDPR).
  • Website analytics data: 26 months (Google Analytics default; legitimate interests).
  • Enquiry form data (non-converting): 12 months (legitimate interests).
  • DBS and recruitment records (for staff/contractors): duration of engagement + 6 months (safer recruitment obligations).

At the end of the retention period, data will be securely deleted or anonymised.

9. Your rights

Under the UK GDPR, you have the following rights in relation to your personal data and your child’s personal data:

  • Right of access: You can request a copy of the personal data we hold about you or your child (a Subject Access Request). We will respond within one calendar month.
  • Right to rectification: You can ask us to correct any inaccurate or incomplete data.
  • Right to erasure (‘right to be forgotten’): You can ask us to delete your data, subject to our legal obligations (e.g. we cannot delete safeguarding records or financial records required by HMRC).
  • Right to restrict processing: You can ask us to limit how we use your data in certain circumstances.
  • Right to data portability: You can request that we provide your data in a structured, commonly used, machine-readable format.
  • Right to object: You can object to processing based on legitimate interests. We will stop unless we can demonstrate compelling legitimate grounds.
  • Right to withdraw consent: Where we rely on consent (e.g. marketing emails, session recordings), you can withdraw consent at any time. This does not affect the lawfulness of processing before withdrawal.
  • Rights related to automated decision-making: We do not use automated decision-making or profiling that produces legal or similarly significant effects.

To exercise any of these rights, contact Connor O’Donnell at info@clearmarktutoring.co.uk. We will respond within one calendar month. There is no fee for making a request, except in cases of manifestly unfounded or excessive requests, where we may charge a reasonable fee or refuse to act.

10. Cookies

Our website uses cookies to improve your experience and to collect anonymous analytics data. Cookies are small text files placed on your device when you visit our website.

We use the following types of cookies:

  • Strictly necessary cookies: Required for the website to function (e.g. session cookies). These do not require consent.
  • Analytics cookies (Google Analytics 4): Used to understand how visitors interact with our website. Data is anonymised. These require your consent, which you can give or withdraw via the cookie banner on our website.
  • Marketing cookies: If we run paid advertising campaigns, we may use tracking pixels (e.g. Facebook Pixel, Google Ads). These require your consent.

You can manage cookie preferences at any time via your browser settings or via the cookie consent tool on our website.

11. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or regulatory guidance. If we make material changes, we will notify you by email (if we hold your email address) and update the “Last updated” date at the top of this document. We encourage you to review this policy periodically.

12. Complaints

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk

We would appreciate the opportunity to address your concerns before you contact the ICO. Please contact Connor O’Donnell at info@clearmarktutoring.co.uk in the first instance.

13. Contact us

For any questions about this Privacy Policy or to exercise your data protection rights, contact:

Connor O’Donnell — Data Protection Lead
Clearmark Tutoring
Email: info@clearmarktutoring.co.uk
Website: clearmarktutoring.co.uk