Last updated: June 2022
It explains what information we collect about you, the lawful basis and purpose for which we collect the information, how we use your information and protect its privacy and under what circumstances we disclose it. This notice also provides further information on your rights under GDPR and the actions you can take to address any concerns you may have. Please read it carefully. If we update this policy, we will post any changes on our website.
Who are we?
In this policy, “we”, “our” or “us” refers to Bright Heart Education Ltd and Bright Heart Education Consulting LLP. The legal information for which is:
Bright Heart Education Ltd, registered in England and Wales under company number 11179043, registered office 20 – 22 Wenlock Rd, London, N1 7GU and Bright Heart Education Consulting LLP, registered in England and Wales under company number OC434055, registered office 20 – 22 Wenlock Rd, London, N1 7GU. Our website is at https://www.brightheart.co.uk/.
We introduce self-employed tutors to clients as an agent (clients and tutors enter into a separate contract) through Bright Heart Education Ltd, and provide tuition services to certain clients as a principal (using our own employees) through Bright Heart Education Consulting LLP.
For the purposes of the GDPR Regulations, we are the data controller. We are registered on the Information Commissioner’s Office (ICO) data protection register (as a data controller) with entry URL https://ico.org.uk/ESDWebPages/Entry/ZA788776.
Note that for tutoring under the National Tutoring Programme (“NTP”), the programme administrator (Randstad) is the controller of personal data, and we are the processors of this data for GDPR purposes.
What information do we collect about you?
We collect personal data about students, their parents, legal guardians or other persons that arrange for tuition on their behalf (i.e. clients), tutors that wish to provide tuition on our behalf, and our staff. The information collected may include:
Information typically collected:
Note that the GDPR Regulations have additional requirements in place that must be met in order to store personal data relating to criminal records background checks (specifically in our case, an Enhanced Disclosure & Barring Service (DBS) Certificate). We are entitled to request and store this personal data as we are supplying tuition services to children and, in certain cases, to vulnerable adults with special educational needs (SEN). We also require our tutors to register for the DBS update service and provide us with permission to use the update service to check that their Enhanced DBS Certificates remain valid.
How do we collect this information?
We may collect and process information you give us (or certain third party service providers), for instance by filling in online forms, by contacting us by phone (calls made to and from our business phone line are recorded for internal monitoring purposes), email, online chat or otherwise, by providing us with information during a consultation, or by filling in your details and feedback on tuition using our secure management information system, TutorCruncher.
In the event that you apply for a job with us or to represent us as a tutor, we will require detailed information about you in order to make sure that you are suitable for the role and to comply with our Safeguarding and Child Protection Policy – information will be gathered by way of a face-to-face interview, provided by you, and, with your permission, provided by third parties..
In addition, when you visit our website we may automatically collect technical information including the Internet Protocol (IP) address used to connect your computer to the internet, and information about your site visit. Please refer to our separate Cookies Policy for further information.
On what basis do we use your information?
Our lawful basis for processing your data is contractual. We use the information we collect from you for a variety of purposes, including to provide you with the tuition services or with an introduction to provide tuition services (or to provide you with a consultation in connection with providing you with such services), to provide you with information by post, email, telephone, SMS or otherwise about those services and to notify you about changes to our services. We also process personal information to maintain our accounts and records and to support and manage our employees and the tutors that agree to represent us as independent self-employed tutors under a Contract for Services.
We may also use your information to notify you about news, events and other updates we consider may be of interest to you where you have opted in to receive such communications (and have not notified us of your intention to withdraw your consent).
Where we store your personal data
Your financial information (where applicable, for example with respect to clients, if you are a direct debit client), together with most other client and tutor personal information is stored using our secure management information system, TutorCruncher. TutorCruncher’s systems are hosted with Heroku on Amazon AWS, which is used globally by companies of all sizes. The data centre operations have been accredited under:
More information on Heroku and AWS can be found at https://www.heroku.com/policy/security and https://aws.amazon.com/security/. Passwords provided to our clients and tutors through TutorCruncher are hashed using PBKDF2, with a 256-bit SHA (secure hash algorithm), to ensure a high degree of data security. If you have any questions about TutorCruncher’s security, please email them using email@example.com or alternatively, let us know and we will follow up directly on your behalf. Tutors cannot see the personal details of the clients or students and clients cannot see the personal details of tutors.
All personal data not stored in the TutorCruncher management information system is stored using Microsoft Office 365’s OneDrive for Businss secure cloud-based server, with two-step verification required to access our server and protection provided by Microsoft’s stringent security measures, which includes advanced encryption of the data in transit and data at rest.
Our website uses a SSL (Secure Sockets Layer) Certificate provided by Starlight Technologies LLC to help protect your data. This SSL uses SHA-2 256-bit encryption and a 2048-bit signing algorithm to encrypt the personal information that is submitted using our website.
Disclosure of your information
We share certain personal data about the student as well as the client’s contact information with the tutor(s) and / or staff that we think would be suitable for your assignment. Where information is considered sensitive, for example, information shared with us from a student’s Education, Health and Care Plan (EHCP), we will specifically seek your permission before sharing it with a tutor. In all other cases, we will share information that we feel is relevant to helping the tutor provide the tuition services, unless you request otherwise. Each tutor signs a Contract for Services (or NTP contract) with us which requires them to maintain the confidentiality and security of any information shared with them about the client and / or student and any information gathered by them in the course of providing tuition. Tutors agree not to disclose such information to a third party, other than as required by law, court order or any governmental or regulatory authority, or in terms of our Safeguarding and Child Protection Policy.
We also provide information about tutors and / or staff to clients to help them determine whether they would like to proceed with a particular tutor / staff member for tuition. Clients are required to maintain the confidentiality of this information in accordance with the terms and conditions that they agree to in using our services and not disclose the information to any third party, other than as required by law, court order or any governmental or regulatory authority, or in terms of our Safeguarding and Child Protection Policy.
For NTP tutoring, tutors’ personal data may be shared with Randstad and the Department for Education (“DfE”) for the purposes of auditing compliance with safer recruitment requirements.
For further information on how Randstad handles personal data, please see the NTP privacy notice here https://nationaltutoring.org.uk/legal/privacy-notice/. For more information about how the DfE handles personal data, please see the DfE’s personal information charter here https://www.gov.uk/government/organisations/department-for-education/about/personal-information-charter.
We will never sell, trade, or disclose any personal information to any third party (other than to any of our service providers, and only to the extent necessary to provide such service and in cases where we are satisfied with their privacy policies and procedures), other than as required by law, court order or any governmental or regulatory authority, or in terms of our Safeguarding and Child Protection Policy. Third party service providers also have in place their own privacy policies, which prevents them from selling, trading or renting your personal information to others. These can be read at:
We confirm that we do not transfer personal data outside of the European Union.
Our retention of your information
We retain client information for a period of 10 years after tuition services have ceased – this helps us to maintain a record of all client’s that have joined us as members and are therefore entitled to introductions to tutors at no further registration fee. We retain student information until the student turns 26 years’ old (this is to enable us to retain information on students that may be covered under the Special educational needs and disability code of practice: 0 to 25 years’). We retain tutor information for a period of 5 years after the tutor has ceased to tutor for us. We retain staff data for a period of 3 years after the staff member has ceased to work for us.
Your rights as a data subject
The GDPR Regulation’s provide data subjects certain rights relating to the processing of their personal data. Given the nature of personal data processed by us, and the lawful basis we have identified for doing so you have the following rights:
You can make a request expressing your rights by contacting us via email at firstname.lastname@example.org or you may write to us at our registered office address: Bright Heart Education Ltd, 20 – 22 Wenlock Rd, London, N1 7GU.
Please note that while we will endeavour to make the updates as promptly as possible, communications may be sent using the original details until the changes have been processed.
Further information about your data rights is provided at https://ico.org.uk/your-data-matters/.
Data protection insurance
We have in place cyber and data protection insurance with a reputable insurer (Hiscox Business Insurance), with £250,000 of annual cover. This insurance is designed to support and protect us from evolving cyber threats and risks associated with data. Through this policy, we have access to the Hiscox CyberClear® Academy, which is a GCHQ-certified, web-based training platform that assists us in the prevention of network, cyber and privacy losses.
Lodging a complaint with the Information Commissioner’s Office
If you feel that your personal data has been, or is being, processed in an inappropriate manner or you feel that your rights as described above have been infringed, you may lodge a complaint with the Information Commissioner’s Office (ICO). The ICO is the UK’s supervisory authority regarding data protection matters and has a responsibility to act on complaints made to it. You may lodge a complaint by visiting their website https://ico.org.uk/concerns/ or by calling the ICO’s helpline on 0303 123 1113.
Social media and other websites
Where we provide links to websites of other organisations, this privacy notice does not cover how that organisation processes personal information. We encourage you to read the privacy notices on the other websites you visit. We also encourage you to consult the guides provided on the ICO’s website with respect to protecting your privacy when using popular social media sites i.e.