PRIVACY POLICY – GEORGE HALL TUITION
Version 1.0 | Effective 12 July 2025
──────────────────────────────────────────
1 Introduction
I, George Hall, trade as George Hall Tuition and deliver one-to-one and small-group teaching, primarily online but occasionally in person. Because I operate as a sole trader, I alone decide why and how your personal information is processed, and I also act as the Data Protection Officer who oversees compliance. You may reach me at george@georgehalltuition.com; I will provide my business telephone number and postal correspondence address within two working days of any written request. I am registered with the UK Information Commissioner’s Office under reference ZB546559, and I follow the UK GDPR and the Data Protection Act 2018. By visiting my websites, enrolling a learner or continuing to use my teaching platforms once an update banner is shown, you accept the practices explained in this document. If any part of this Policy is unclear or causes concern, I ask you to contact me so that I can clarify, adjust or, if legally possible, pause processing.
2 Definitions
In this Policy, the word “learner” means any person—child, teenager or adult—who receives tuition from me, while “parent” means the adult who holds legal responsibility for a learner. The term “services” covers every lesson, resource, website, portal, video meeting or support channel that I own or control. “Processing” includes every task I perform with personal data, whether collecting, recording, storing, analysing, sharing or deleting it. “Special-category data” refers to sensitive details such as health records, SEND information, ethnicity or religious belief, which deserve extra protection under data-protection law. Whenever I mention a “platform”, I am referring to TutorBird, Microsoft 365, Moodle, LetsMeet, Speakr, Google services, Plagiarismcheck.org or any other named tool that I integrate into my teaching workflow.
3 Scope of this Policy
This Policy applies to you if you are a learner, a parent, a website visitor, a prospective client or an individual whose voice or image appears in a recorded lesson. It governs personal data that I handle through my main site (georgehalltuition.com), my self-hosted Moodle learning-management system (lms.georgehalltuition.com), my self-hosted LetsMeet lesson rooms and any email or chat exchange that I initiate or receive. The Policy does not apply to third-party websites that only link out from my pages; such sites publish their own privacy notices and may follow different rules. Because I teach children, my safeguarding duties sometimes override preferences that you might otherwise exercise under data-protection law. If a legal or safeguarding requirement conflicts with this Policy, I must follow the law first and then notify you when it is safe and lawful to do so.
4 What Data I Collect
I collect identity and contact data, which includes full legal names, preferred names, pronouns, dates of birth and parent email addresses or phone numbers so that I can identify each learner unambiguously. I compile educational and pastoral records, covering lesson objectives, teacher notes, assessment scores, behaviour logs and safeguarding concerns, because these records let me track progress and meet professional obligations. I store audio-visual media, notably high-definition video recordings of every lesson, still images of student work and profile photos that learners upload to Moodle, as these files protect both parties and create revision material. I gather technical and usage data—such as IP addresses, device types, browser versions, time-zone settings and interaction heat-maps—using analytics scripts so that I can secure my platforms and improve their usability. I also receive payment data (payer name, reference text, amount and date) via Revolut or PayPal in order to match invoices to receipts, although full card numbers never reach my servers. Finally, I handle special-category data only when a parent supplies it voluntarily or when it is essential to protect a learner’s health, deliver reasonable adjustments or comply with safeguarding law.
5 How I Collect Data
Most information reaches me directly: parents fill in online enrolment forms, send emails, upload homework or speak during lessons, and I record whatever is necessary to teach effectively. Some information is collected automatically: essential cookies authenticate you and keep sessions secure, while optional analytics cookies (accepted through my banner) log how visitors navigate my public site. I record every online or face-to-face lesson in LetsMeet, and the recording banner and red icon confirm that capture is active for the entire session. When learners sign in with Microsoft 365 or Google Workspace, those services pass identity tokens, files and chat transcripts back to storage that I control; I treat those items exactly like data supplied directly by you. Written work that a learner submits through Moodle is forwarded to Plagiarismcheck.org, whose European servers compare the text against internet sources and AI models so I can uphold academic integrity. Finally, payment platforms synchronise invoice status with TutorBird, allowing me to see payer names and references while keeping sensitive card or bank details out of my reach.
6 Why I Process Data and Legal Bases
I rely on contractual necessity to plan lessons, mark homework, deliver feedback and issue invoices, because none of those tasks is possible without processing basic personal data. I invoke legitimate interest when I record lessons for quality assurance, troubleshoot technical faults or analyse usage patterns, since these actions help me maintain a safe, effective service without unduly harming privacy. I am bound by legal obligation when I keep financial records for HMRC audits or share information with child-protection authorities, and by vital interest when a disclosure is required to protect a learner from harm. Whenever no other lawful ground applies—such as using a learner’s testimonial on my website—I seek explicit consent, which you may withdraw at any time by emailing me. Should your preferences conflict with a safeguarding duty or statutory audit requirement, the legal duty prevails, but I will explain my actions as soon as I lawfully can.
7 Your Privacy Rights and How to Exercise Them
You have the right of access, meaning you may ask me for a copy of every item of personal data I hold about you or your child. I will acknowledge any such request within one calendar month and, because video archives are large, I may lawfully take up to a further month to compile the full response. You can require me to correct inaccuracies, and I must do so promptly where you show a record is wrong. You may request erasure of data that I no longer need, although I may refuse if the information is required for safeguarding or tax. You can ask me to restrict processing or to object when I rely on legitimate interest, and you can request data portability for items you personally provided. To make any request, email george@georgehalltuition.com with the learner’s portal name and date of birth and attach ID: adults provide a passport or driving-licence scan, whereas parents acting for under-18s provide their own ID plus proof of parental responsibility.
8 Platforms and Places Where I Store or Share Data
I keep lesson schedules and invoices in TutorBird (Canadian-hosted, protected by Standard Contractual Clauses). I run my Moodle learning-management system on a self-hosted IONOS server located in the EU, so teaching files stay within European data-centres under an IONOS data-processing agreement. Online lessons take place in LetsMeet, which I host on a Contabo server physically located in the UK, giving me full control of call data and recordings. AI thread reviews and advanced feedback take place in Speakr, also self-hosted on Contabo UK; no third-party vendor has routine access. I use Microsoft 365 EU tenants for email, OneDrive and Teams, Google Meet for occasional calls, and Plagiarismcheck.org EU servers for originality checks. I never sell personal data, and I share it externally only with payment processors, analytics providers or statutory bodies that meet UK GDPR safeguards such as Standard Contractual Clauses or UK adequacy regulations.
9 International Transfers and Safeguards
Because some of my analytics scripts (for example, Google Analytics 4 and HubSpot) operate from infrastructure in the United States, limited pseudonymised technical data may leave the UK. Whenever that happens, I rely on Standard Contractual Clauses approved by the UK Information Commissioner, and I enable IP-anonymisation or hashing where each vendor allows. Microsoft hosts my tenancy in the EU, and IONOS hosts Moodle in Germany, so learner coursework does not ordinarily leave Europe. LetsMeet and Speakr remain on UK soil at all times, because Contabo provides UK data-centre locations. If a data processor relocates outside an adequate jurisdiction, I will suspend transfers until a lawful mechanism—such as an updated SCC or a UK extension of the EU-US Data Privacy Framework—protects the information.
10 Data Security Measures
I protect every website and portal, where possible, with 2FA and TLS 1.3 encryption so that data in transit cannot be read by unauthorised parties. All recordings, homework files and safeguarding notes are encrypted at rest using AES-256 on servers that I administer directly or through reputable EU data-centres. I enforce strong, unique passwords and multi-factor authentication for every administrator account (where possible), and I grant each assistant or contractor the minimum access required for the task in hand. I schedule weekly security patches on my Linux servers, and I commission an external penetration-test firm once per year to probe for vulnerabilities in Moodle, LetsMeet and Speakr. I keep encrypted off-site backups for disaster-recovery purposes, deleting them no later than ninety days after the live data is removed.
11 Data Retention and Deletion
Lesson recordings remain on secure storage for seven years after the date of the session, because that time-frame aligns with insurance advice and safeguarding guidance. Complaint files stay for five years after the lesson they concern, allowing me to respond properly if a dispute is escalated. Coursework, contact details and safeguarding logs remain for a minimum of two years after tuition ends; I then review them annually and erase anything no longer required for reference or legal defence. Financial records are retained indefinitely, as UK tax legislation empowers HMRC to revisit older audits in rare cases of suspected fraud. When I delete personal data, I overwrite or cryptographically erase the live copy, then allow encrypted backups to age out within a maximum of ninety days.
12 Children’s Data and Safeguarding
Before a learner under eighteen joins any platform, I require the parent to sign my Tuition Policies, which include consent for recordings, plagiarism checks and platform logins. Although parents are welcome to supervise lessons, I understand that many prefer not to sit beside the learner, and my recording policy ensures that a complete audit trail exists if questions arise. If I see evidence of abuse, or if a learner discloses harm, I may extract and store the relevant clip, notify the Local Authority Designated Officer and send any required report to the police or social services. I will inform parents of safeguarding referrals unless the law forbids me—for example, when parental involvement could increase the risk to the child. All safeguarding documentation is stored in a restricted area and is visible only to me and, when legally compelled, the statutory agency handling the case.
13 Cookies and Similar Technologies
My public website uses a privacy-by-default banner: you can refuse analytics cookies and still browse the pages that do not require login. Essential cookies remain active because they prevent cross-site request forgery and keep your session tied to the correct account. On Moodle I place only technical cookies that handle authentication, session timeout and security tokens, and these fall under the “strictly necessary” exemption from consent banners. I document each analytics script—Microsoft Clarity, GA4, Tag Manager, Hotjar, Statcounter, Smartlook, Clicky, HubSpot, Woopra and Umami—in my technology inventory, and I configure anonymisation or IP hashing wherever the vendor offers it. You can clear cookies in any modern browser or install plug-ins that block analytics scripts; doing so will not affect recorded lessons but will prevent you from logging in to Moodle if the authentication cookie is blocked.
14 Automated Decision-Making and Profiling
My AI plagiarism workflow flags assignments that appear heavily machine-generated, but I never rely solely on an automated score to penalise or dismiss a learner. I manually review the flagged passages, compare them with earlier writing samples and discuss the findings with the learner before drawing any conclusion. My analytics dashboards group visitors by device or content interest, yet those profiles remain pseudonymised and influence only how I design website navigation, not how I grade work or set fees. No learner is denied tuition, charged a higher price or graded differently because of an algorithmic profile. If I ever introduce a new automated system that could significantly affect your rights or your child’s education, I will run a Data-Protection Impact Assessment and update this Policy before activation.
15 Compliance, Audits and Impact Assessments
I keep a detailed Record of Processing Activities that maps every data flow described here and explains its lawful basis. I carry out an annual self-audit against the UK GDPR, and I commission an independent data-protection consultant every two years to validate my controls. Whenever I add a major new tool—such as a different video platform—I complete a Data-Protection Impact Assessment that weighs risks and sets mitigation actions before any personal data enters that tool. I keep certificates of completion for my own safeguarding and data-protection training, renewing both every twelve months. If the Information Commissioner’s Office, a court or a safeguarding panel requests an inspection, I cooperate fully and share only the specific data that the legal order demands.
16 Changes to this Policy
The revision date at the top tells you when I last changed this document. When I publish a material change, I place a banner on the home page and on the Moodle login screen for at least thirty days, inviting you to read the new wording. I do not normally send mass emails or WhatsApp alerts, because the banner reaches every active user each time they log in. Archived versions of the Policy are available on request and are retained for reference in case of dispute. If a change reduces your privacy rights—for example, widening a processing purpose—I will ask for fresh consent or offer an opt-out where the law requires me to do so.
17 Contact, Queries and Complaints
You may contact me by emailing george@georgehalltuition.com for any privacy query or to exercise your statutory rights. I acknowledge privacy requests and complaints within one calendar month, and I aim to resolve routine matters inside that period; complex or voluminous requests may lawfully take up to two additional months while I retrieve lesson archives. If you are dissatisfied with my response, you have the right to complain to the Information Commissioner’s Office at www.ico.org.uk or by telephone on 0303 123 1113. I prefer that you approach me first so that I can try to correct any issue quickly and amicably. I take privacy seriously and welcome constructive feedback on how I can strengthen my practices.
──────────────────────────────────────────
End of Policy

