Privacy & Data Protection Policy

1. Introduction

Mathos Tutors Ltd ("Mathos", "we", "us", "our") is committed to protecting your personal data and handling it in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This policy applies to parents, tutors, students (children registered by parents), and website visitors.

2. Company Details

Data Controller: Mathos Tutors Ltd
Registered in England and Wales
Company Number: 17040069
ICO Registration: ZC096121
Registered Office: 94 Wordsworth Avenue, Penarth, Wales, CF64 2RP
Privacy Contact Email: max_pratt@mathostutors.co.uk

3. The Data We Collect

Parent Data

When a parent creates an account, we collect full name, email address, phone number, billing address, Stripe customer ID, subscription details, login credentials (passwords stored securely in hashed form), and account activity logs.

Tutor Data

We collect tutor full name, email address, phone number, city/location, biography, education and qualifications, work experience, subjects offered, hourly rate, DBS certificate number and expiry date, insurance status and expiry date, Stripe payout account details, profile image URL, and session and earnings records.

Student (Child) Data

Parents create child profiles which may include first and last name, date of birth, year group, exam board, tier (Foundation or Higher), learning goals, topics struggling, target grade, Additional Learning Needs (ALN), and access arrangements.

Parents control whether ALN and access arrangements are shared with tutors.

Session and Booking Data

We collect session dates and times, session status, tutor and student association, Microsoft Teams meeting links, curriculum topics covered, tutor notes, assignment records, and marks awarded.

Messaging Data

Messages between parents and tutors are visible within the platform for 24 hours. They are retained for up to 90 days for safeguarding and compliance purposes and may be accessed by admin where necessary.

Financial Data

We process Stripe Customer ID, Subscription ID, Payment Intent ID, Refund ID, and transaction timestamps and amounts. Financial records also include associated personal identifiers such as parent name, parent email address, tutor name, tutor email address, and student name, to enable reconciliation, audit, and HMRC compliance.

We do not store full card details. Payment processing is handled securely by Stripe.

Safeguarding Records

Where safeguarding concerns are logged, we may process incident date, category, severity, description, action taken, referral details, and outcome. Safeguarding records are retained permanently in line with UK safeguarding compliance expectations.

Audit and Security Data

We collect IP addresses, login timestamps, account change history, administrative audit logs, and token creation and revocation logs.

Automatically Collected Data

When you use the platform, we may automatically collect technical information including your IP address, browser type and version, device information, operating system, pages visited, time spent on pages, and referring URLs. This information is used to maintain platform security, monitor performance, and improve usability. We do not use this data to identify you personally unless combined with your account information for security purposes.

Cookies

The platform uses strictly necessary cookies to manage your login session and authentication. These cookies are essential for the platform to function and cannot be disabled. We do not use advertising, analytics, or tracking cookies. Third-party services such as Stripe may set their own functional cookies during payment processing.

4. How We Use Personal Data

We use personal data to:

• Provide access to the platform
• Facilitate bookings between parents and tutors
• Process payments and subscriptions
• Generate assignments and track progress
• Send session reminders
• Maintain safeguarding compliance
• Prevent fraud or misuse
• Comply with legal obligations
• Contact you via your registered email address regarding onboarding, account matters, bookings, billing, platform updates, safeguarding, and policy changes

You are responsible for keeping your registered email address up to date. Mathos is not liable for communications missed due to an outdated or incorrect email address.

5. Legal Bases for Processing

We rely on the following lawful bases under UK GDPR:

• Contractual necessity — to provide tutoring marketplace services.
• Legal obligation — to retain financial records for at least 7 years under HMRC requirements.
• Legitimate interests — for platform security, fraud prevention, safeguarding monitoring, and service improvement.
• Consent — where optional student data such as ALN sharing is provided.

6. Data Sharing

We share data only where necessary.

• Tutors may see student name, year group, exam board, learning profile, and ALN or access arrangements if the parent chooses to share them.
• Tutors do not see parent billing details or data relating to other families.
• Payments are processed by Stripe, which acts as an independent data controller for payment data.
• Session links are generated through Microsoft Teams, and Microsoft processes meeting metadata in accordance with its own privacy policies.

Where required by law or safeguarding obligations, we may share relevant information with the Local Authority Designated Officer (LADO), Social Services, Police, or regulatory authorities.

We may share financial records — including associated personal identifiers such as names and email addresses of parents and tutors — with HMRC where required for tax compliance purposes.

Third-Party Sub-Processors

We use the following third-party providers to deliver our services:

• Microsoft Azure (UK West) — cloud hosting, database, and file storage.
• Stripe — payment processing and subscription billing.
• Microsoft 365 / Teams — online tutoring session video calls.
• SendGrid — transactional emails such as session reminders and password resets.
• Microsoft Entra ID — administrator authentication.

Each provider processes data in accordance with their own privacy policies and data processing agreements. Where data is processed outside the UK, appropriate safeguards are applied (see Section 11).

7. Data Retention

• Messages — soft-deleted after 24 hours and permanently deleted after 90 days.
• Financial records — retained for a minimum of 7 years in accordance with HMRC requirements.
• Audit logs — retained indefinitely for compliance and security purposes.
• Safeguarding records — retained permanently.
• Active account data — retained while the account remains active.

Where an account is deleted, personal identifiers are anonymised, but financial records — including associated names and email addresses — are retained as required by law.

8. Your Rights Under UK GDPR

You have the right to:

• Request access to your personal data
• Correct inaccurate data
• Request erasure (subject to legal limitations)
• Restrict processing
• Object to processing
• Request data portability

To exercise any of these rights, contact us at max_pratt@mathostutors.co.uk. We will respond to all valid requests within 30 days. You may also request a full data export via the platform.

If you submit a deletion request:

• Personal identifiers are anonymised
• The account is permanently locked
• Financial records are retained as required by law
• Safeguarding records remain permanently retained

9. Children's Data

In accordance with UK GDPR and the Age Appropriate Design Code, the age of digital consent in the UK is 13. Mathos does not allow children to create accounts or provide personal data directly. All student data is provided and managed by a parent or legal guardian, who is responsible for ensuring its accuracy and for consenting to its processing on their child's behalf.

Children do not have access to sign in to the platform. Parents control what information is shared with tutors, including whether to disclose Additional Learning Needs or access arrangements.

10. Data Security

We implement appropriate technical and organisational measures including:

• Encrypted HTTPS connections
• Secure password hashing
• Role-based access controls
• Administrative audit logging
• Automatic tutor deactivation upon DBS or insurance expiry
• Token revocation upon account deletion

11. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal or similarly significant effects on any user. All decisions affecting your account or your child's education are made by people, not algorithms.

12. International Transfers

Your personal data is primarily stored and processed within the United Kingdom using Microsoft Azure (UK West region). However, some third-party providers may process data outside the UK:

• Stripe — may process payment data in the United States and EEA.
• SendGrid — may process email delivery data in the United States.
• Microsoft 365 — may process meeting and calendar data in various global regions.

Where data is transferred outside the UK, we ensure appropriate safeguards are in place, including UK adequacy decisions, standard contractual clauses, or equivalent mechanisms as required under UK GDPR.

13. Complaints

If you have concerns about how your data is handled, please contact max_pratt@mathostutors.co.uk.

You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

14. Business Transfers

In the event that Mathos Tutors Ltd is sold, merged, or enters into a joint venture with another entity, your personal data may be transferred to the new owner or partner as part of the business assets. We will notify you of any such transfer and ensure that your data continues to be protected in accordance with this policy.

15. Changes to This Policy

We may update this policy from time to time. Where changes are material, we will notify you via email or platform notice before the changes take effect. If you do not agree with the updated policy, you may contact us to discuss your concerns or close your account.