Smash Your TutoringSmash Your Tutoring
Log InStart Free Trial

Privacy Policy

Last updated: 2 April 2026

1. Data controller

Smash Your Tutoring (“we”, “us”, “our”) is the data controller for personal data processed through this platform. We provide a software-as-a-service platform that enables tutoring agencies to manage their operations, including tutor scheduling, student records, invoicing, and communications.

Where we process personal data on behalf of a tutoring agency (for example, student names and lesson records), the agency is the data controller and we act as a data processor under their instructions.

2. Data we collect

We collect and process the following categories of personal data, depending on your role within the platform:

Agency administrators

Full name, email address, phone number, business name and address, payment and billing information (processed via Stripe), and account credentials (passwords are hashed and never stored in plain text).

Tutors

Full name, email address, phone number, DBS certificate numbers, subjects, qualifications, availability, lesson records, attendance data, and payment records.

Parents and guardians

Full name, email address, phone number, billing and payment information (processed via Stripe), and communication records.

Students

Full name, year group, subjects, lesson records, and progress notes.

3. How we use your data

We use personal data for the following purposes:

  • Operating and maintaining the platform
  • Processing payments and generating invoices
  • Sending transactional notifications (lesson reminders, payment confirmations)
  • Facilitating communication between agencies, tutors, and parents
  • Providing customer support
  • Improving our services through aggregated, anonymised analytics
  • Complying with legal and regulatory obligations

4. Legal basis for processing

We process personal data under the following legal bases as defined by the UK GDPR, EU GDPR, and applicable data protection legislation:

  • Contract performance: Processing necessary to provide the platform services you have subscribed to.
  • Legitimate interest: Improving the platform, preventing fraud, and ensuring security.
  • Consent: Where required, we obtain explicit consent (e.g. optional marketing). You may withdraw consent at any time.
  • Legal obligation: Processing necessary to comply with applicable laws, such as financial record-keeping and safeguarding.

5. Data sharing

We do not sell your personal data. We share data only with the following service providers, solely for the purposes of operating the platform:

  • Stripe: Payment processing (acts as an independent data controller for payment data).
  • Resend: Transactional email delivery (lesson reminders, invoices, notifications).
  • Twilio: WhatsApp and SMS notifications for lesson reminders and urgent communications.

Each sub-processor is bound by data processing agreements and processes data only as necessary.

6. Data retention

We retain personal data for as long as your account remains active. Upon account deletion:

  • Personal profile data is deleted or anonymised within 30 days.
  • Financial records are retained for 6 years as required by UK tax regulations (HMRC).
  • Anonymised, aggregated analytics data may be retained indefinitely.

7. Your rights

Under the UK GDPR, EU GDPR, and applicable data protection laws, you have the following rights:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete data.
  • Right to erasure: Request deletion of your personal data, subject to legal retention requirements.
  • Right to data portability: Request your data in a structured, machine-readable format (CSV).
  • Right to restriction: Request that we limit processing in certain circumstances.
  • Right to object: Object to processing based on legitimate interest or for direct marketing.

To exercise any of these rights, please contact us at privacy@smashyourtutoring.com. We will respond within 30 days.

8. Cookies

We use only essential cookies that are strictly necessary for the platform to function:

  • Session cookies: To maintain your authenticated session.
  • Authentication cookies: To securely identify you across page requests.

We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

9. International transfers

Some of our sub-processors (including Stripe, Resend, and Twilio) may process data in the United States. Where personal data is transferred outside the UK or the EEA, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission and the UK ICO.
  • The EU-US Data Privacy Framework, where applicable.

10. DBS and criminal records data

DBS certificate data is classified as sensitive criminal records data under UK data protection law and is subject to additional protections.

Storage and access

DBS certificate reference numbers, dates of issue, and check levels are stored in encrypted form. Access is restricted to Agency Administrators and is logged.

Retention

In line with ICO guidance, we do not store full DBS certificates. We retain only the certificate reference number, date of issue, check level, and outcome. This data is retained for as long as the tutor’s account is active, plus 6 months after closure.

DBS Update Service

Where a tutor has subscribed to the DBS Update Service, the platform stores the subscription status and last verification date. Agencies are responsible for performing periodic re-checks.

11. Children’s data

The platform processes personal data relating to children (students) as part of its core functionality, including first names, year groups, subjects, lesson attendance, and progress information. Children’s data is only accessible to the Agency Administrator, the assigned tutor (limited to first name and lesson-relevant information), and the child’s parent or guardian. We do not use children’s data for marketing, profiling, or any purpose other than delivering the tutoring management service.

12. California residents (CCPA)

If you are a resident of California, you have additional rights under the CCPA:

  • Right to know: Request details about the personal information we have collected.
  • Right to delete: Request deletion of your personal information, subject to exceptions.
  • Right to non-discrimination: We will not discriminate against you for exercising your rights.
  • No sale of data: We do not sell personal information to third parties.

13. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through a prominent notice on the platform with at least 30 days’ notice.

14. Contact us

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:

Email: privacy@smashyourtutoring.com

Website: smashyourtutoring.com

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) in the UK, or your national data protection authority in the EU.