GDPR Compliance

Last updated: 2 April 2026

Smash Your Tutoring is committed to protecting the privacy and security of personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the Data Protection Act 2018. This page outlines the technical and organisational measures we have in place.

1. Data Isolation

Smash Your Tutoring is a multi-tenant platform. Each tutoring agency's data is logically isolated at the database level using row-level security policies. This means:

  • Agency administrators can only access data belonging to their own organisation.
  • Tutors can only view students and lessons assigned to them within their agency.
  • Parents can only access records for their own children.
  • No agency can view, modify, or access another agency's data under any circumstances.
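The row-level isolation described above is the kind of control a reviewer would want to see expressed in the database itself rather than only in application code. The following is an added illustration written for this page, not Smash Your Tutoring's own schema or policies: it assumes a Postgres database of the sort Supabase provides, a hypothetical `students` table keyed by `agency_id`, and session JWT claims named `agency_id` and `app_role` (both assumed names) read through Supabase's `auth.jwt()` and `auth.uid()` helpers.

```sql
-- Added illustration of multi-tenant row-level security (RLS) in Postgres.
-- Not the platform's real schema: table, column and claim names are assumptions.

create table students (
  id         bigint generated always as identity primary key,
  agency_id  uuid not null,   -- the tenant that owns this row
  tutor_id   uuid,            -- tutor assigned to the student (assumed column)
  parent_id  uuid,            -- parent/guardian account (assumed column)
  full_name  text not null
);

-- Resolve the caller's agency and application role from the session JWT.
-- 'agency_id' and 'app_role' are assumed custom claim names.
create or replace function current_agency_id() returns uuid
language sql stable as $$
  select (auth.jwt() ->> 'agency_id')::uuid
$$;

create or replace function current_app_role() returns text
language sql stable as $$
  select auth.jwt() ->> 'app_role'
$$;

-- Turn RLS on, and force it so the table owner is not silently exempt.
alter table students enable row level security;
alter table students force row level security;

-- Agency administrators: every row of their own agency, and nothing else.
-- WITH CHECK stops an admin inserting or moving rows into another agency.
create policy agency_admin_isolation on students
  for all to authenticated
  using (agency_id = current_agency_id()
         and current_app_role() = 'agency_admin')
  with check (agency_id = current_agency_id()
              and current_app_role() = 'agency_admin');

-- Tutors: only students assigned to them, within their own agency.
create policy tutor_assigned_only on students
  for select to authenticated
  using (agency_id = current_agency_id()
         and current_app_role() = 'tutor'
         and tutor_id = auth.uid());

-- Parents: only their own children, within their own agency.
create policy parent_own_children on students
  for select to authenticated
  using (agency_id = current_agency_id()
         and current_app_role() = 'parent'
         and parent_id = auth.uid());

-- Verification in a test database: simulate a tutor session for agency A and
-- confirm that no rows from agency B are visible. Supabase's auth.jwt() reads
-- the request.jwt.claims setting; the UUIDs below are placeholders.
set role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"<tutor-uuid>","agency_id":"<agency-a-uuid>","app_role":"tutor"}',
  true);
select count(*) from students where agency_id = '<agency-b-uuid>';  -- expect 0
reset role;
```

Two points worth checking in any such setup: Postgres policies are permissive by default and are combined with OR, so each policy must carry its own role condition (as above) or a broad policy will quietly widen access for every role; and `force row level security` matters because without it the table owner, which is often the application's privileged role, bypasses every policy.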

2. Encryption

We employ encryption at multiple levels to protect your data:

In Transit

All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. All API communications between our platform and third-party sub-processors are also encrypted in transit.

At Rest

All data stored in our database is encrypted at rest using AES-256 encryption. Database backups are also encrypted. Sensitive fields such as DBS certificate numbers receive additional application-level encryption.

3. Right to Be Forgotten

We support the right to erasure as defined in Article 17 of the GDPR. When a deletion request is received:

  1. We verify the identity of the requestor to prevent unauthorised deletion.
  2. Personal profile data (name, email, phone number) is permanently deleted or irreversibly anonymised within 30 days.
  3. Financial records required for legal compliance (invoices, payment records) are retained for 6 years in accordance with HMRC requirements, then permanently deleted.
  4. The deletion is propagated to all sub-processors where technically feasible.
  5. A confirmation of deletion is sent to the requestor.

4. Data Portability

In accordance with Article 20 of the GDPR, you have the right to receive your personal data in a structured, commonly used, and machine-readable format. We support data export in CSV format, covering:

  • Student records and lesson history
  • Tutor profiles and availability data
  • Invoicing and payment records
  • Communication logs

Agency administrators can request a full data export from their account settings or by contacting us directly.

5. Data Processing Agreement

We offer a Data Processing Agreement (DPA) to all agency customers. The DPA sets out the terms under which we process personal data on behalf of the agency, including:

  • The scope and purpose of data processing
  • Security measures and confidentiality obligations
  • Sub-processor management and approval processes
  • Data breach notification procedures
  • Data return and deletion upon contract termination

To request a copy of our DPA, please contact privacy@smashyourtutoring.com.

6. Sub-Processors

We use the following sub-processors to deliver our services. Each has been vetted for GDPR compliance and is bound by a data processing agreement:

Sub-Processor | Purpose                                        | Location
Supabase      | Database hosting, authentication, and storage | EU (Frankfurt)
Stripe        | Payment processing and invoicing              | US / EU
Vercel        | Application hosting and edge delivery         | Global (US primary)
Resend        | Transactional email delivery                  | US
Twilio        | WhatsApp and SMS notifications                | US

Where sub-processors are located outside the UK/EEA, transfers are protected by Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework as appropriate. We will notify agency customers before adding or replacing any sub-processor.

7. Breach Notification

In the event of a personal data breach, we follow a strict notification process in compliance with Article 33 and Article 34 of the GDPR:

  1. Detection and containment: Upon discovering a potential breach, our team immediately works to contain the incident and assess its scope.
  2. Authority notification (within 72 hours): If the breach is likely to result in a risk to individuals' rights and freedoms, we notify the relevant supervisory authority (the ICO in the UK) within 72 hours of becoming aware of the breach.
  3. Affected party notification: If the breach poses a high risk to individuals, we notify affected users directly without undue delay, providing details of the breach and recommended protective measures.
  4. Agency notification: We notify affected tutoring agencies promptly so they can fulfil their own controller obligations.
  5. Post-incident review: We conduct a thorough investigation and implement measures to prevent recurrence.

8. Data Protection Officer

For all data protection queries, requests, or concerns, please contact our Data Protection Officer:

The DPO is responsible for overseeing our data protection strategy and ensuring compliance with applicable regulations.

9. Security Audits

We conduct regular security assessments to maintain the integrity and confidentiality of personal data:

  • Regular vulnerability scanning and penetration testing of our infrastructure.
  • Periodic review of access controls and authentication mechanisms.
  • Annual review of sub-processor compliance and data processing agreements.
  • Ongoing monitoring of platform logs for suspicious activity.
  • Staff training on data protection best practices and incident response.

10. Your Rights

For a full overview of your data protection rights, including how to exercise them, please see our Privacy Policy.

If you are unsatisfied with our response to a data protection request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) in the UK or your local supervisory authority in the EU.