1. Who We Are

Elevate & Co (‘we’, ‘us’, ‘our’) is an educational services provider operating in the United Kingdom. We deliver tutoring and educational support services to students, working in partnership with schools and educational institutions.

2. Scope of This Policy

This Privacy Policy applies to:

• All students whose data is provided to us by schools or directly by parents/guardians

• Parents, guardians, and carers of students

• School staff and contacts with whom we work

• Visitors to our website (www.elevateandco.uk)

This policy covers all personal data we process whether collected directly, through our website, via school referrals, or through our student management platform, TutorBird.

3. Our Legal Basis for Processing

Under the UK GDPR, we are required to identify and rely upon a lawful basis for each type of processing we carry out. We rely on the following lawful bases:

Where we process special category data (such as information about a student’s health, learning difficulties, or SEND needs), we rely additionally on Article 9(2)(g) (substantial public interest — education and safeguarding purposes) and/or explicit consent.

4. Personal Data We Collect

4.1 Student Data

When schools refer students to us or parents/guardians register directly, we may collect:

• Full name and date of birth

• Year group and school name

• Academic performance information and subject areas

• SEND (Special Educational Needs and Disabilities) information, where relevant and provided

• Medical or health information that may affect delivery of services (e.g., dyslexia, ADHD)

• Attendance and session records

• Progress notes and tutor observations

4.2 Parent / Guardian Data

• Full name and relationship to student

• Home address

• Email address and telephone number

• Payment and billing information (processed securely — see Section 8)

4.3 School Contact Data

• Name and job title of school contacts (e.g., SENCO, Head of Year)

• School name and address

• Work email address and telephone number

4.4 Website Data

• IP address and browser information (collected automatically via cookies)

• Pages visited and duration of visit

• Enquiry form submissions

5. How We Use Personal Data

We use personal data strictly for the following purposes:

We do not use student data for marketing purposes. We will never sell personal data to third parties.

6. TutorBird — Our Student Management Platform

6.1 What is TutorBird?

Elevate & Co uses TutorBird (operated by Port 443 Inc.) as our dedicated student management platform. TutorBird enables us to securely manage student profiles, session scheduling, attendance records, invoicing, and communication with parents and guardians.

TutorBird’s website is available at www.tutorbird.com. Under UK GDPR, TutorBird acts as a Data Processor on our behalf, processing data only in accordance with our documented instructions. Elevate & Co remains the Data Controller for all student and parent data held within TutorBird.

6.2 Data Held in TutorBird

The following categories of data relating to your students/children may be stored within TutorBird:

• Student name, contact details, and school information

• Parent/guardian name and contact details

• Session history, attendance records, and progress notes

• Invoice and payment records

• Any notes or documents uploaded by our tutors

6.3 TutorBird’s Data Protection Commitments

TutorBird operates in accordance with applicable data protection laws and maintains the following security measures:

TutorBird confirms that personal data is used solely to provide and maintain their service, and not for advertising or profiling purposes. TutorBird’s full privacy policy is available at: www.tutorbird.com/privacy-policy

6.4 International Data Transfers

TutorBird is operated by a Canadian company (Port 443 Inc.) and data may be processed in Canada and/or the United States. Under UK GDPR, transfers of personal data outside the UK require appropriate safeguards. We note that:

• Canada has been granted an adequacy decision by the UK for commercial organisations subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).

• Where data is processed in the United States, TutorBird takes steps to ensure adequate contractual safeguards are in place.

If you have specific concerns about international data transfers in relation to your students’ data, please contact us to discuss further.

7. Sharing of Personal Data

7.1 Who We Share Data With

We do not share personal data with third parties except in the following limited circumstances:

We will never sell, rent, or trade personal data to any third party for commercial purposes.

8. Payment Information

All payment processing is handled by PCI-DSS compliant third-party processors (Stripe and/or PayPal Braintree). We do not store, process, or have access to full payment card details. When you make a payment:

• Your payment details are entered directly into the secure payment processor’s interface

• Card details are encrypted and handled entirely by the payment processor

• We retain only non-sensitive billing information (e.g., invoice amounts, payment confirmation) for accounting purposes

9. Data Retention

We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by law. Our retention periods are as follows:

Upon expiry of the retention period, personal data is securely deleted or anonymised. You may request earlier deletion of your data subject to our legal obligations (see Section 11 — Your Rights).

10. How We Protect Your Data

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or alteration. Our measures include:

Technical Measures

• All data stored in TutorBird is protected by HTTPS (TLS) encryption in transit

• Access to TutorBird is protected by password authentication and role-based access controls

• Payment data is handled exclusively by PCI-DSS compliant processors — card data is never stored by Elevate & Co or TutorBird

• Regular software updates and security patches applied to all systems

Organisational Measures

• Staff access to personal data is limited to those with a legitimate need

• All team members are trained on data protection obligations

• We conduct periodic reviews of our data handling practices

• Incidents and potential breaches are documented and reported in accordance with ICO requirements

In the event of a personal data breach that is likely to result in a risk to individuals’ rights and freedoms, we will notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach, in accordance with Article 33 of the UK GDPR. Where required, we will also notify affected individuals without undue delay.

11. Your Rights Under UK GDPR

Under the UK General Data Protection Regulation, individuals (including parents acting on behalf of their children) have the following rights:

To exercise any of these rights, please contact us using the details on our website (www.elevateandco.uk) or by email elevate@elevateandco.uk. We will respond within one calendar month. We may ask you to verify your identity before processing your request.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) if you believe we have not handled your data correctly. The ICO can be contacted at: www.ico.org.uk or by telephone: 0303 123 1113.

12. Children’s Data — Additional Protections

As an educational provider working directly with children and young people, we apply heightened protections to student data:

• We do not use student data for profiling, targeted advertising, or any commercial purpose beyond service delivery

• We only process the minimum amount of student data necessary to deliver our services (data minimisation principle)

• SEND information and other sensitive data is flagged, restricted, and accessible only to relevant staff

• We support schools in fulfilling their data protection obligations and can provide Data Processing Agreements upon request

• We take our safeguarding duties seriously and will always prioritise a child’s safety and welfare

13. Cookies and Website Analytics

Our website (www.elevateandco.uk) may use cookies to improve your experience. Cookies are small text files stored on your device. We may use:

• Session Cookies — required for the website to function correctly

• Preference Cookies — to remember your settings and preferences

• Analytics Cookies — to understand how visitors use our website (e.g., Google Analytics in anonymised form)

You can control cookie preferences through your browser settings. Disabling certain cookies may affect website functionality. A cookie consent notice is displayed upon your first visit to our website.

14. Information for Schools

We understand that schools share responsibility for the personal data of their pupils and must satisfy themselves that any third-party services they use are GDPR compliant. We confirm the following:

Schools wishing to enter into a Data Processing Agreement, carry out a due diligence review, or discuss our data protection practices in more detail are encouraged to contact us via our website.

15. Third-Party Links

Our website may contain links to external websites. We are not responsible for the privacy practices or content of those websites and encourage you to read their privacy policies. This policy applies only to Elevate & Co.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or technology. When we make significant changes, we will:

• Update the ‘Effective Date’ at the top of this document

• Notify partner schools and registered users via email where appropriate

• Publish the updated policy on our website

We recommend reviewing this policy periodically. Continued use of our services after changes take effect constitutes acceptance of the updated policy.

17. Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or our data handling practices, please contact us: