top of page

GDPR Policy

The General Data Protection Regulation (GDPR), effective from 25th May 2018, requires all businesses to issue a privacy notice outlining how personal data is collected, used, and protected.

​

This policy explains our data handling practices, both online and in person. It is available on our website or upon request during your visit. Please review it carefully. Any updates will be reflected on our website.

​

Data Controller

Sara Lewis (Founder & Tutor of Inclusion at Heart) is the designated Data Controller responsible for safeguarding and managing your personal data.

​​

Data Collection

We collect personal information directly from parents and students.

​​

This includes:

  • Information provided via our website contact form or direct communication (email, phone, text, messaging platforms like WhatsApp).

  • Details shared on the registration form:

    • Name, age, school year, school attended

    • Session details

    • Phone numbers, email addresses, emergency contacts

    • Home address

    • Relevant educational, medical or special needs information

  • Session data (online and face-to-face)

  • Invoice and payment records

  • Access credentials for online platforms (e.g., Google Classroom, Zoom, Microsoft Teams)

  • Academic information, such as progress tracking, objectives, lesson plans, and marked work (if requested)

​

We only collect data essential to deliver the tutoring services you have requested. This information is used for scheduling, invoicing, communication, and record keeping.

​

Use of Data

Your data will never be shared with third parties unless legally required. It is used solely for:

  • Delivering educational services

  • Maintaining communication

  • Invoicing and financial administration

​

Your Rights

You have the right to request the deletion of your personal data at any time.


Please note: if data is deleted, we cannot continue tuition due to safeguarding requirements. Cancellation terms will still apply.

​

Unless deletion is requested, personal data will be retained for:

  • 2 years after tuition ends (for client records)

  • 7 years for financial records (to comply with tax obligations)

​

Upon expiry of the retention period:

  • Paper records will be shredded

  • Digital records will be anonymised or permanently deleted

  • Phone and email data will be permanently removed

​

Marketing & Communication

We will only contact you with marketing or newsletters if you have opted in by ticking the relevant box or subscribing via our website.

​

You may unsubscribe at any time using the link provided in emails.

 

Communication regarding bookings, tuition updates, and invoicing will be via email, with occasional phone or text communication. Parental consent is required before tuition begins and includes permission to hold necessary data and to conduct sessions via online platforms.

​

Consent

By completing the registration form and tuition agreement, you consent to the collection and secure storage of your data and your child’s data until two years after tuition ends. You also consent to the use of online platforms (e.g., Zoom, Google Meet) for lessons.

​

Photography & Social Media

We occasionally photograph students' work or activities for our website and social media. Students' faces or names will never be shown. Any shared work will be approved by parents in advance.

​

A specific consent form regarding photography and social media will be completed during registration.

​​

Data Storage & Security

We take all reasonable steps to ensure your data is stored securely:

  • Paper records are stored in a locked cabinet on-site.

  • Electronic data is stored in encrypted documents via Google Workspace on a password-protected computer.

  • Contact details are saved securely on password- or passcode-protected devices (computer and mobile phone).

No paper documents containing personal information are left unattended or in view of others.

​

Data Breaches

In accordance with GDPR, any data breach that may pose a risk to individuals’ rights or freedoms (e.g., potential financial loss, identity theft, or damage to reputation) will be reported to the Information Commissioner’s Office (ICO) and, if necessary, to affected individuals.

​

We are registered with the Information Commissioner Office - registration number ZB971415

​​

If you have any concerns or questions about how your data is used, please contact:
inclusionatheartbristol@gmail.com

​

Policy updated: 30 August 2025

bottom of page