Privacy Policy (GDPR-Compliant)

Effective from: 15 April 2025
Last updated: 17 September 2025

This Privacy Policy explains how NeuroBright Tutoring (operated by Kat Dulfer) collects, uses, stores, and protects personal data in line with the UK General Data Protection Regulation (UK GDPR).

1. Who We Are

NeuroBright Tutoring is a sole trader service run by Kat Dulfer, providing personalised tutoring support to students. We are committed to safeguarding your privacy and personal data.

2. Contact Information

If you have questions about this policy or how your data is handled, please contact:
Email: hello@neurobrighttutoring.co.uk
Website: neurobrighttutoring.co.uk
Phone: 07397 861226

3. What Data We Collect

We may collect:

·       Student’s name, date of birth, home address, diagnosis, educational needs, academic history, goals, test results, hobbies/interests

·       Work completed in sessions, worksheets, homework, progress notes

·       Parent/guardian’s name, email, phone number, home address, Zoom details, and consent forms

·       Relevant medical information, diagnoses, or disability-related adjustments (with consent)

Special category data (e.g., health/medical information, diagnoses, disability-related adjustments, allergy details) is only collected with explicit consent.

4. How Data is Collected

Data may be gathered via:

·       Email (preferred channel for any special category information)

·       WhatsApp or text/SMS (for arranging sessions only; see Section 13b)

·       Phone or Zoom calls

·       Online forms, consent forms, and contracts

·       Tutoring session notes

·       Homework, worksheets, test results, or other submissions

5. Early Sharing of Sensitive Information

Parents/guardians may share sensitive info (e.g., diagnosis, medical conditions, or academic background) during initial enquiries—before formal onboarding or written consent. This information is:

·       Used only to assess if tutoring is appropriate

·       Transferred from email into an encrypted local file for temporary storage (up to 30 days)

·       Deleted within 30 days if no tutoring relationship is established

Formal consent is requested for any ongoing collection, storage, or use of special category data during onboarding.

6. Purpose of Data Collection

We use personal data solely to:

·       Deliver high-quality, tailored tutoring support (including determining the student’s school year, providing age-appropriate learning, and confirming lesson locations/safeguarding via home address)

·       Monitor progress and communicate effectively with parents/guardians

·       Ensure tutor safety (e.g., keeping a trusted person informed of session times/locations)

7. Legal Basis for Processing

We process your data based on:

·       Contract – to fulfil the tutoring agreement

·       Legitimate Interests – to support students’ academic and wellbeing needs, and to ensure tutor safety

·       Consent – for any sensitive (special category) information

8. Consent

Written parental consent is required before collecting or storing special category data (e.g., diagnoses, health information). Consent is collected prior to beginning tutoring sessions.

9. Data Storage & Security

Your data is kept securely via:

·       Password-protected devices

·       Quarterly password rotation (devices and email passwords are changed every 3 months)

·       Encrypted files for any special category data, stored on a password-protected laptop

·       The encrypted file containing special category data is stored locally on the laptop and is not synced to iCloud or any other cloud service

·       Special category data is not created or stored in Word Online/OneDrive. It is written and saved directly into the encrypted local file on the laptop.

·       Locked paper file storage (if used)

·       Secure online platforms used for sessions/communication (e.g., Zoom; WhatsApp for scheduling only)

Backups follow the same security measures and retention periods. Access is strictly limited to the tutor.

10. Who Has Access

Only Kat Dulfer (the tutor) has direct access to personal data. One trusted individual is informed of session times and addresses for safety but is not given access to sensitive info.

Session notes and observations support lesson planning and progress monitoring. These notes remain confidential and are not automatically shared with parents/guardians unless necessary for safeguarding or upon request.

A summary of what was covered in sessions is normally shared with parents/guardians weekly by email.

Parents/guardians are the primary contact regarding student data; students are not contacted outside tutoring sessions.

11. Data Retention

Data is kept for up to 1 year after tutoring ends unless deletion is requested earlier. After this period, data is reviewed and securely deleted or destroyed.

Emails containing special category information are deleted after processing and the relevant information is stored in an encrypted file for future reference (see Section 9).

12. Sharing of Data

We do not share personal data unless:

·       Required by law or safeguarding

·       Explicit consent is given by the parent/guardian

13. Tools and Platforms We Use

13a. Email (for special category data)

Special category data should only be shared via hello@neurobrighttutoring.co.uk. This inbox is protected by strong passwords (rotated every 3 months) and device security controls. Emails containing special category data are deleted after processing, with necessary information moved to an encrypted file on a password-protected laptop (see Section 9).

13b. WhatsApp and Text/SMS (arranging sessions only)

WhatsApp and text/SMS are used only for arranging or confirming session dates/times. Special category data should not be sent via WhatsApp or text/SMS. If such information is received, we will request that it be resent via email (Section 13a) and will delete the WhatsApp message or text/SMS.

13c. Zoom (for online sessions)

·       Sessions are not recorded

·       Meetings are password-protected and locked

·       Chat messages may be saved for reference

·       Zoom may collect basic technical data (e.g., IP address)

·       Parents/guardians are responsible for Zoom setup and may attend sessions

13d. Cloud Services (Microsoft, Google & Apple)

NeuroBright Tutoring uses Microsoft Office (desktop) and Gmail for communication and administration. While platforms such as iCloud, OneDrive, and Google Drive may be linked to devices and could process some data as part of their services, special category data is not intentionally stored in any cloud service.

·       Special category data is created and stored directly in an encrypted local file on a password-protected laptop.

·       Emails containing special category data are deleted after processing, with the necessary information moved to this encrypted file.

·       Incidental processing by Microsoft, Google, or Apple may occur through their services, but strict minimisation practices are applied.

If reliance on cloud storage changes in the future, this policy will be updated to specify the platform, data stored, and applicable security measures.

14. International Data Transfers

Some data processed by Microsoft and Google may be transferred outside the UK. Both providers apply safeguards such as Standard Contractual Clauses and comply with UK GDPR requirements to ensure your data remains protected when transferred internationally.

15. Your Rights

Parents/guardians (or students aged 13+) have the right to:

·       Access, correct, or delete their data

·       Withdraw consent

·       Object to processing

·       Request data portability

To exercise your rights, contact Kat Dulfer using the details above.

16. Complaints

If concerned about data handling, you can complain to the Information Commissioner’s Office (ICO): www.ico.org.uk
You may raise any concerns, including safeguarding, data privacy, or service-related complaints, directly with Kat Dulfer at hello@neurobrighttutoring.co.uk or phone 07397 861226. We take all such matters seriously and respond promptly.

17. Data Breach Procedure

In the event of a data breach:

·       Affected individuals are notified promptly

·       Systems are secured and exposure minimised

·       The ICO is notified within 72 hours if rights or privacy are at risk

·       The incident and outcome are recorded securely