GradeLift Privacy Policy 

Organisation: GradeLift Ltd (“we”, “us”, “our”)
Registered office: 2a Oaklands Avenue, Thornton Heath, Surrey, CR77PH
Company no.: [16678268] • ICO registration no.: [C1770309]
Contact (privacy): Anees Grant-Salih / Director, dpo@gradelift.co.uk | 07852740733
Effective date: 11/09/2025 • Version: v1.0

1) Scope & who this covers

This policy explains how we handle personal data for:

  • Students (primarily under 18), parents/carers, and enquirers
  • Tutors/contractors and school partners
  • Visitors to our website and social channels

We follow UK GDPR and the Data Protection Act 2018.


2) Who we are (controller)

GradeLift Ltd is the data controller for tutoring services, enquiries, billing and marketing. For some tools we use trusted processors (e.g., video, payments). See Section 10.


3) What data we collect

A) Students & parents

  • Identity & contact: student first name, year group, school, exam board/tier; parent name, email, phone, postcode
  • Lesson data: bookings, attendance, lesson notes, homework links, progress summaries
  • Recordings (if applicable): lesson video/audio (see Section 7)
  • Support needs (optional): SEN, access arrangements, learning preferences (special category data—only with clear need & safeguards)
  • Payments: invoice history, method (cards handled by Stripe—we do not see full card numbers)

B) Tutors/contractors

  • Identity & contact, right-to-work, DBS, references, qualifications, availability, pay details, contracts, training records

C) Website/marketing

  • Technical & usage (cookies/analytics), enquiry form data, campaign responses; marketing preferences/consent

4) How we use data & legal bases

Purpose | Examples | Legal basis
--- | --- | ---
Provide tutoring | scheduling, lessons, notes, homework, reports | Contract (Art 6(1)(b))
Safeguarding & quality | contact/incident logs, lesson recordings for QA/safety | Legitimate interests (6(1)(f)); Consent for routine recordings
Payments & accounts | invoices, refunds, accounting records | Legal obligation (6(1)(c)); Contract
Communications | service emails/WhatsApp Business with Parent-in-Thread | Legitimate interests
Marketing | updates, offers (parents only) | Consent (opt-in)
Tutor vetting | DBS, refs, right-to-work | Legal obligation / Legitimate interests
SEN/health info (optional) | reasonable adjustments | Explicit consent (Art 9(2)(a))

Children’s data: We collect student data via the parent/carer. For online services, we apply UK age 13 for consent; for under-18s we require parent involvement.


5) Communications & the Parent-in-Thread rule

  • We use GradeLift email and GradeLift WhatsApp Business (company number).
  • Under 18s: all out-of-lesson messages include the parent/carer (email CC or family WhatsApp group).
  • No tutor ↔ student 1:1 DMs outside lessons.

6) Data retention (how long we keep things)

We keep data only as long as needed for the purpose, legal duties, or to resolve disputes:

Record type | Typical retention
--- | ---
Enquiry emails & web forms (no purchase) | 12 months from last contact
Customer account (parent details) | 7 years after last transaction (HMRC)
Lesson notes & progress reports | 3 years after last lesson (education reference & safeguarding context)
Safeguarding records | Minimum 7 years (or per statutory/local authority guidance)
Invoices & payment logs | 7 years (tax)
Lesson recordings (if used) | 90–180 days (QA/safeguarding), longer if part of an investigation; then securely deleted
Tutor HR/contract records | 6 years after engagement ends (claims limitation)
Marketing consent logs | Until withdrawn + 2 years audit trail

We may anonymise data for statistics and keep it indefinitely (non-identifiable).


7) Lesson recordings — who can access & why

Default: we do not record lessons.
When we may record:

  • Safeguarding review, serious incident evidence, limited quality assurance/coaching.

Consent: routine recording requires parental consent; one-off incident recording may occur without prior consent where necessary for safety (parent informed promptly).

Access controls (need-to-know only):

  • DSL/Deputy DSL (safeguarding)
  • Operations lead/quality lead (QA/training)
  • Senior management if required for a complaint/legal matter
  • Tutor may view their own recording for QA/coaching if authorised by ops/DSL

Never shared with other families or posted publicly.
Storage: [Google Drive/SharePoint] (company account), encrypted at rest; access is logged & permissioned.
Retention: see Section 6; extended only while an active safeguarding/complaint process is ongoing.


8) Your rights

You (or your parent/carer for under-18s) can:

  • Access a copy of your data
  • Correct inaccurate data
  • Delete data (where we have no lawful need to keep it)
  • Restrict or object to certain processing
  • Portability (where processing is by consent or contract, technically feasible)
  • Withdraw consent at any time (e.g., marketing, routine recordings, SEN info)

To exercise rights, email dpo@gradelift.co.uk. We respond within one month.

9) Security

  • Role-based access; MFA on email/CRM; encryption at rest where available
  • No student personal data stored on personal devices outside approved, secured apps
  • Staff/tutors trained on data protection & online safety
  • Data breach response aligned to UK GDPR (notify ICO within 72 hours where required; notify affected individuals when high risk)

10) Who we share data with (processors)

We use trusted providers under data-processing agreements. Typical categories:

  • Video & collaboration: Zoom / Google Meet (lesson delivery)
  • Productivity & storage: Google Workspace / Microsoft 365 (email, Drive/SharePoint)
  • Scheduling & CRM: Calendly; Airtable/Sheets (bookings, records)
  • Messaging: WhatsApp Business (Meta) for family group messages
  • Payments: Stripe (cards), GoCardless (direct debit) — we do not store card numbers
  • Analytics/website: [e.g., Google Analytics, cookie banner provider]

We do not sell personal data. We may disclose data if required by law or to protect vital interests (e.g., to police/children’s services in a safeguarding matter).


11) International transfers

Some providers store/process data outside the UK. Where they do, we rely on:

  • UK adequacy regulations (if applicable), or
  • UK IDTA / EU SCCs + UK Addendum with supplementary measures

Details available on request.

12) Cookies & marketing

  • We use necessary cookies for site function, and (with consent) analytics/marketing cookies.
  • Marketing emails/SMS are opt-in; you can unsubscribe any time. Transactional/service messages will still be sent.

13) Special category data (SEN/health)

We only record limited SEN/health information to make reasonable adjustments, with explicit parental consent. Access is restricted, and you can withdraw consent (we may still retain minimal notes where required for safeguarding or legal reasons).


14) Complaints

If you’re unhappy with how we handle data, contact dpo@gradelift.co.uk.
You can also complain to the Information Commissioner’s Office (ICO): ico.org.uk / 0303 123 1113.


15) Changes to this policy

We may update this policy periodically. Significant changes will be communicated via email or our website. The version and effective date appear at the top.


16) Contact us

GradeLift Ltd • 2a Oaklands Avenue, Thornton Heath, Surrey, CR77PH • dpo@gradelift.co.uk • 07852740733
