Data Protection Policy
Who runs SoloCogs: SoloCogs is the brand name for the online learning platform operated by Portsdown Tuition, a sole-trader business based in Portsmouth, England. Throughout this policy, "Portsdown Tuition", "we", "us", and "our" refer to the operator and legal entity. "SoloCogs" refers to the platform, service, and brand we provide to families, schools, and tutors. The data controller for personal data processed through SoloCogs is Portsdown Tuition.
Contact: hello@solocogs.co.uk
1. Purpose and Scope
This policy sets out how Portsdown Tuition (the operator of SoloCogs, Portsmouth) complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It applies to all personal data processed through SoloCogs, regardless of format.
2. Data Protection Principles
All personal data processed by SoloCogs must comply with the following principles (UK GDPR Article 5):
- Lawfulness, fairness and transparency - data is processed lawfully, fairly, and transparently
- Purpose limitation - data is collected for specified, explicit, and legitimate purposes and not processed in a manner incompatible with those purposes
- Data minimisation - data collected is adequate, relevant, and limited to what is necessary
- Accuracy - data is accurate and kept up to date
- Storage limitation - data is kept no longer than necessary for its purpose
- Integrity and confidentiality - data is processed securely, protecting against unauthorised access, loss, or destruction
- Accountability - the data controller (Portsdown Tuition) is responsible for and able to demonstrate compliance
3. Data Controller
Portsdown Tuition (sole-trader operator of SoloCogs) is the data controller for all personal data processed through this platform. As Portsdown Tuition is a small organisation, a Data Protection Officer (DPO) is not legally required; however, data protection responsibility rests with Portsdown Tuition directly.
4. Categories of Data Processed
Standard personal data
- Names, email addresses, year groups
- Account credentials (hashed passwords)
- Subscription and billing information
- Login and session timestamps
Special category data
- Student emotional wellbeing data (Zones of Regulation check-ins, including written notes)
- Safeguarding records, including disclosures
- Learning data that may reflect educational needs or neurodivergent profiles
Special category data is processed only where there is a lawful basis to do so, including safeguarding obligations under the Children Act and Schedule 1 of the Data Protection Act 2018.
5. Lawful Bases for Processing
SoloCogs processes data on the following lawful bases:
- Contract (Art. 6(1)(b)): to deliver the platform and tuition services
- Legal obligation (Art. 6(1)(c)): safeguarding disclosures, statutory reporting
- Legitimate interests (Art. 6(1)(f)): platform security, fraud prevention, service improvement
- Vital interests (Art. 6(1)(d)): where a child's safety requires immediate action
6. Data Security Measures
SoloCogs implements the following technical and organisational security measures:
- All data transmitted over HTTPS using TLS encryption
- Database hosted on Supabase with Row-Level Security (RLS) policies restricting data access to authorised users only
- Passwords hashed using industry-standard algorithms; plain-text passwords are never stored
- Safeguarding and wellbeing data accessible only to the Designated Safeguarding Lead (DSL)
- Regular review of access controls and third-party processor agreements
7. Third-Party Processors
SoloCogs uses the following third-party processors who may process personal data on our behalf:
- Supabase Inc. - database, authentication, and storage platform. Data processed within the EU. Supabase maintains a GDPR-compliant data processing agreement.
Any future third-party processors will be assessed for GDPR compliance before engagement, and a Data Processing Agreement (DPA) will be in place before any personal data is shared.
8. International Transfers
Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place (such as Standard Contractual Clauses or adequacy decisions). Supabase EU data centres are used where possible to minimise international transfers.
9. Data Retention Schedule
- Account data (active): Retained for the life of the account
- Account data (closed): Deleted within 90 days of closure
- Learning and progress data: Up to 3 years after last login
- Safeguarding records: Minimum 7 years, or until the data subject reaches age 25
- Financial/billing records: 7 years (statutory requirement)
10. Data Breach Response
In the event of a personal data breach, SoloCogs will:
- Contain and assess the breach as quickly as possible
- Determine whether notification to the ICO is required (notification must be made within 72 hours where the breach is likely to result in a risk to individuals' rights and freedoms)
- Notify affected individuals where there is a high risk to their rights and freedoms
- Document the breach, its effects, and the remedial action taken
To report a suspected data breach, contact Jazz immediately via the contact page.
11. Data Subject Rights
Individuals whose data we process have the following rights under UK GDPR. Requests will be responded to within one calendar month:
- Right of access (Subject Access Request)
- Right to rectification
- Right to erasure ("right to be forgotten"), subject to legal retention requirements
- Right to restriction of processing
- Right to data portability
- Right to object
- Rights related to automated decision-making (SoloCogs does not make solely automated decisions with legal or significant effect)
12. Policy Review
This policy is reviewed annually and updated following any significant change to legislation, platform processing activities, or data breach incidents.
Data protection enquiries: Contact Jazz via the contact page. You also have the right to complain to the ICO at ico.org.uk or 0303 123 1113.