Privacy Policy

Last updated: 6 April 2026

This Privacy Policy explains how Gloucester Maths Academy ("we", "us", "our") collects, uses, stores, and shares personal data when you use our website, parent portal, and tutoring administration services. This policy is written for UK users and is intended to align with the UK GDPR, the Data Protection Act 2018, and PECR where applicable.

1. Data Controller and Contact

Gloucester Maths Academy is the controller for personal data covered by this policy.

• Email: [email protected]
• Address: 6 Ampney Drive, Kingsway, Quedgeley, Gloucester, GL2 2HR
• For privacy requests, please use the website contact form and include "Privacy Request" in your message.

2. Who This Policy Applies To

• Website visitors who submit the contact form.
• Parents/guardians who create and use portal accounts.
• Tutor account holders using the portal to manage sessions, students, and payment workflows.
• Student records managed as part of tutoring delivery and payment administration.

3. Personal Data We Collect

Depending on use of the service, we may collect and process:

• Identity and contact data: parent/guardian name, student name, email address, telephone number, and address details shared by you.
• Enquiry data: year group and message content submitted via the contact form.
• Account and authentication data: login email, account role, accepted policy metadata, session information, 2FA code records, and password reset token records.
• Tutoring records: session title, subject, date/time, status, notes, and pricing/rate information.
• Payment administration data: pending/paid amounts, transfer reference, account name used for transfer, sent date, parent note, tutor note, and verification timestamps.
• Technical and security data: IP-derived anti-abuse/rate-limiting events, access-control logs, and security headers/session protection signals needed to keep the service safe.

4. How We Collect Data

• Directly from you when you submit forms, register, log in, submit payment confirmations, or contact us.
• Automatically through essential session and security mechanisms when you use the portal.
• From tutor-side workflow actions needed to provide and administer lessons.

5. Purposes and Lawful Bases (UK GDPR)

We rely on one or more lawful bases depending on context:

• Contract: creating and managing accounts, scheduling sessions, operating the parent/tutor portal, and maintaining payment records linked to tutoring services.
• Legitimate interests: securing accounts, preventing abuse/fraud, and operating communications required to run the service effectively.
• Legal obligation: maintaining records where required by law.
• Consent or pre-contract contact: handling inbound enquiries you choose to send through the contact form.

6. Children’s Data

Our service involves school-age students. Parents/guardians are responsible for ensuring they are authorised to provide student data and to act on the student’s behalf where required.

7. Data Sharing and Processors

We do not sell personal data. We share data only where necessary to operate the service, including:

• Supabase (authentication and database hosting).
• Email delivery/SMTP providers used for 2FA, password reset, and operational notifications.
• Infrastructure/security providers involved in hosting, transport protection, or reverse-proxy/CDN operation.

Where required, processor relationships are governed by contractual safeguards.

8. International Transfers

Some processors may process data outside the UK. Where this happens, we rely on appropriate safeguards recognised by UK data protection law, such as adequacy regulations or approved transfer mechanisms.

9. Data Retention

We keep data only as long as needed for service delivery and legal/compliance purposes. Typical retention approach:

• Enquiry messages: retained for service follow-up and administration, then removed when no longer needed.
• Account, student, session, and payment records: retained during active service and for a reasonable post-service period to meet accounting/legal requirements (commonly up to 6 years where applicable).
• 2FA and reset-security records: designed to expire quickly (for example 2FA around 10 minutes, reset tokens around 30 minutes) and marked used/expired once consumed.

10. Security Measures

We use technical and organisational measures appropriate to the risks, including access controls, role separation, secure session settings, CSRF controls, HTTPS-oriented configuration, rate limiting, and security-focused authentication workflows.

11. Your Rights

Depending on the circumstances, you may have rights to:

• Request access to your personal data.
• Request correction of inaccurate data.
• Request deletion in certain circumstances.
• Object to or restrict certain processing.
• Request portability of data you provided to us.
• Withdraw consent where processing depends on consent.

You can also complain to the UK Information Commissioner’s Office (ICO) via ico.org.uk/make-a-complaint.

12. Automated Decision-Making

We do not use solely automated decision-making that produces legal or similarly significant effects about you.

13. Cookies and Similar Technologies

We use essential cookies/session technologies required for secure portal operation. For more detail, see our Cookie Policy.

14. Changes to This Policy

We may update this policy from time to time. Material updates will be reflected by the "Last updated" date on this page.