ยง Privacy

Privacy Policy

Last updated: 25 May 2026

This Privacy Policy explains how Wordy Classroom collects, uses, stores and protects personal data when you visit our website, contact us, sign up to our newsletter or book tuition with us. It is written to comply with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (Regulation (EU) 2016/679), the UK Data Protection Act 2018, the Irish Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).

1. Who we are

Wordy Classroom is operated by Emma McEnroe, an independent sole trader providing online English tuition.

For the purposes of UK GDPR and EU GDPR, Emma McEnroe (trading as Wordy Classroom) is the data controller responsible for your personal data.

Email: [email protected]

2. The personal data we collect

We only collect the personal data we need to run our tuition service. The categories below describe what we collect, from whom, and how.

2.1 Information you give us directly

  • Contact and enquiry data: name, email address, telephone number (if you provide it) and the contents of any message you send us through our contact form, by email, or by WhatsApp.
  • Booking data: the name and year group of the child receiving tuition, parent or guardian contact details, scheduling preferences, and any learning needs you choose to share with us (for example, SEN or EAL information) so that we can teach effectively.
  • Newsletter data: the email address you provide when subscribing to our mailing list, and a record of when and how you subscribed.
  • Payment data: billing name, billing email, and transaction reference. Card details are entered directly into Stripe and are never seen or stored on our servers.

2.2 Information collected automatically

  • Technical data: IP address, browser type and version, device type, operating system, referring URL, and the pages you view on our website.
  • Analytics data: aggregated, mostly de-identified information about how visitors interact with the website (sessions, page paths, time on page, events).

2.3 Information from third parties

  • Stripe sends us a confirmation that a payment has succeeded or failed, including the last four digits of the card and the country of issue.
  • Our CRM and newsletter platform (HubSpot) sends us delivery and engagement data for emails you have agreed to receive (whether the email was delivered, opened, or clicked).

3. How we use your data and our lawful basis

UK GDPR and EU GDPR require us to identify a lawful basis under Article 6 (and, where relevant, Article 9) before we process your personal data. The list below sets out, for each purpose, what we do and why we are allowed to do it.

  • Responding to enquiries: we use your contact details and message to reply to you. Lawful basis: our legitimate interests in operating the business and answering people who get in touch (Art. 6(1)(f)), or steps taken at your request before entering into a contract (Art. 6(1)(b)).
  • Delivering tuition: we use booking and lesson-related data to schedule, prepare, deliver and follow up on lessons. Lawful basis: performance of a contract with you (Art. 6(1)(b)).
  • Taking payment: we share the minimum data needed for Stripe to process the transaction and we keep the resulting transaction records. Lawful basis: performance of a contract (Art. 6(1)(b)) and compliance with our legal obligations for tax and accounting (Art. 6(1)(c)).
  • Sending the newsletter: we send occasional emails about our services, free resources and exam tips to subscribers. Lawful basis: consent (Art. 6(1)(a)) and, where you are an existing customer being told about similar services, the PECR "soft opt-in". You can withdraw consent at any time using the unsubscribe link in any email, or by emailing us.
  • Website analytics: we use Google Analytics 4 to understand how the site is used and to improve it. Lawful basis: consent (Art. 6(1)(a) and PECR reg. 6). Analytics are only loaded after you accept analytics cookies.
  • Special category data (learning needs): where you choose to share information about SEN, EAL, dyslexia, or similar matters so we can teach your child effectively, we rely on your explicit consent (Art. 9(2)(a)).
  • Keeping records: we retain invoices, contracts and basic correspondence to meet tax, accounting and dispute-resolution obligations. Lawful basis: legal obligation (Art. 6(1)(c)) and legitimate interests (Art. 6(1)(f)).

4. Children's data and parental consent

Our tuition service is designed for school-age children, including primary-age children. We treat the privacy of children with particular care.

  • Bookings, payments and main-account communications must be made by a parent or legal guardian aged 18 or over.
  • Where we need consent to process a child's personal data (including special category data such as SEN or EAL information), we rely on the consent of the parent or guardian, in line with Article 8 UK GDPR and the Irish Data Protection Act 2018 (which sets the digital age of consent at 16 in Ireland; the UK sets it at 13).
  • We do not knowingly collect personal data directly from a child without parental involvement. If you believe a child has provided us with personal data without parental consent, please contact us and we will delete it.
  • We never use children's data for marketing, profiling, behavioural advertising, or automated decision-making.

5. Cookies and similar technologies

Our website uses cookies and similar technologies. Under PECR and UK GDPR / EU GDPR we ask for your consent before setting any cookie that is not strictly necessary.

  • Strictly necessary cookies: required for the site to function (for example, remembering your cookie choices). These do not require consent.
  • Analytics cookies (Google Analytics 4): set by Google to measure how the site is used.
  • CRM and marketing cookies (HubSpot): may be set if you interact with HubSpot-powered forms or tracking on our site. Set only with your consent.

You can change or withdraw your cookie consent at any time by clearing cookies for our site in your browser, or by using the cookie controls if available on the page. Most browsers also let you block or delete cookies through their settings.

6. Who we share your data with

We do not sell your personal data and we do not share it with third parties for their own marketing. We share data only with the service providers we need to run the business, and only to the extent necessary. Each of the providers below acts as our processor under Article 28 UK GDPR / EU GDPR and is bound by a data processing agreement.

  • Stripe (payments): processes card payments and provides fraud prevention.
  • Google (Analytics): processes website-usage data via Google Analytics 4.
  • HubSpot (CRM and newsletter): stores contact records and sends newsletter emails to subscribers.
  • Zoom, Google Meet and Microsoft Teams: used to deliver live online lessons. The platform actually used is the one agreed with the family.
  • Google Classroom: used to share lesson materials, assignments and feedback with pupils and parents who choose to use it.
  • WhatsApp (Meta): used, where the parent or guardian has chosen it, for informal lesson-related messages such as scheduling reminders. WhatsApp messages are end-to-end encrypted, but Meta receives metadata (such as phone numbers and timing). WhatsApp is only ever used to communicate with a parent or guardian, never directly with a child.
  • Email and hosting providers: used to host the website and operate our email inbox.
  • Professional advisers: for example an accountant or legal adviser, where they are under a duty of confidentiality.
  • Public authorities: where we are required to disclose information by law (for example HMRC, the Revenue Commissioners, a court order, or a safeguarding referral).

7. International transfers

Some of our service providers (notably Stripe, Google, HubSpot and WhatsApp/Meta) are based in or process data in the United States or other countries outside the UK and EEA. Where we transfer personal data outside the UK or EEA, we rely on one of the following safeguards required by Chapter V UK GDPR / EU GDPR:

  • An adequacy decision by the European Commission or the UK Government (for example, the EU-US Data Privacy Framework and its UK Extension, for providers certified under them).
  • Standard Contractual Clauses approved by the European Commission, together with the UK International Data Transfer Addendum or the UK International Data Transfer Agreement, plus additional technical and organisational safeguards where needed.

You can ask us for a copy of the safeguards in place for any transfer by emailing the address above.

8. How long we keep your data

We only keep your personal data for as long as we need it for the purpose we collected it. After that we delete it or fully anonymise it.

  • Enquiry correspondence that does not lead to a booking: up to 12 months.
  • Active customer records (parent and pupil details, lesson notes): for the duration of the tuition relationship and up to 24 months after the last lesson, so we can answer questions and provide continuity if you return.
  • Invoices, payment records and tax-related documents: 6 years from the end of the relevant tax year (HMRC) or 7 years (Revenue Commissioners) where Irish tax law applies.
  • Newsletter subscribers: until you unsubscribe, then we keep only a minimal suppression record so we do not email you again by mistake.
  • Website analytics: Google Analytics 4 data is retained for the default 14-month period and then automatically deleted.

9. Your rights

Under UK GDPR and EU GDPR you have the following rights in relation to your personal data:

  • Right of access: to ask for a copy of the personal data we hold about you.
  • Right to rectification: to ask us to correct inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten"): to ask us to delete your data in certain circumstances.
  • Right to restrict processing: to ask us to pause processing while a concern is resolved.
  • Right to data portability: to receive your data in a structured, commonly used format.
  • Right to object: to object to processing based on our legitimate interests, and an absolute right to object to direct marketing.
  • Right to withdraw consent: where we rely on consent (newsletter, analytics cookies, special category data) you can withdraw it at any time, without affecting the lawfulness of processing carried out before withdrawal.
  • Rights in relation to automated decision-making: we do not carry out any automated decision-making or profiling that produces legal or similarly significant effects.

To exercise any of these rights, email [email protected]. We will respond within one month and we will not charge a fee in the vast majority of cases.

10. How to complain

If you are unhappy with how we handle your personal data, please contact us first and we will do our best to put it right. You also have the right to lodge a complaint with a supervisory authority:

  • In the UK: the Information Commissioner's Office (ICO), ico.org.uk.
  • In Ireland: the Data Protection Commission (DPC), dataprotection.ie.
  • If you are in another EU or EEA country, you can also complain to your local supervisory authority.

11. Security

We use appropriate technical and organisational measures to protect your personal data, including TLS encryption in transit, access controls, strong unique passwords and reputable third-party services with their own security accreditations. No system is ever 100% secure, but we keep our security measures under regular review.

12. Changes to this Privacy Policy

We may update this policy from time to time, for example to reflect changes to our services, our processors, or the law. The "Last updated" date at the top of the page shows when the current version came into effect. Material changes will be brought to your attention through our website or, where appropriate, by email.

13. Contact us

If you have any questions about this policy or how we handle your personal data, please contact:

Emma McEnroe, trading as Wordy Classroom
[email protected]