Your data rights and how to use them
Who runs SoloCogs: SoloCogs is the brand name for the online learning platform operated by Portsdown Tuition, a sole-trader business based in Portsmouth, England. Throughout this page, "Portsdown Tuition", "we", "us", and "our" refer to the operator and legal entity. The data controller for personal data processed through SoloCogs is Portsdown Tuition.
Contact: hello@solocogs.co.uk
1. Your rights under UK GDPR
UK GDPR (the Data Protection Act 2018 and the retained EU GDPR) gives every person whose personal data we hold a set of rights. You can use any of them by emailing us. We never charge a fee for the first request, and we respond within one calendar month.
- Right of access (Article 15) - ask us for a copy of the personal data we hold about you, and how we use it.
- Right to rectification (Article 16) - ask us to fix data that is wrong or incomplete.
- Right to erasure (Article 17, "right to be forgotten") - ask us to delete your data when we no longer need it.
- Right to restrict processing (Article 18) - ask us to pause our use of your data while a dispute is resolved.
- Right to data portability (Article 20) - ask us for your data in a structured, machine-readable format so you can move it elsewhere.
- Right to object (Article 21) - ask us to stop using your data for a particular purpose where we have a legitimate-interest basis.
- Right not to be subject to a solely automated decision (Article 22) - SoloCogs does not make any solely-automated decisions about you. All progression and grading is informational, not consequential.
- Right to withdraw consent - where we rely on your consent (for example, analytics cookies), you can withdraw it at any time without affecting anything we did before.
- Right to complain to the ICO - if you are not happy with how we handle your request, you can complain to the Information Commissioner's Office at ico.org.uk or by calling 0303 123 1113.
2. How to make a request
Email hello@solocogs.co.uk with the subject line "Data rights request". Tell us:
- Which right you are using (access, deletion, rectification, etc. - or "I'm not sure, please advise").
- The name, email address, or account ID associated with the data. If you are a parent asking about your child's data, include the child's username.
- Any specific data you are particularly interested in (you do not have to narrow it - we will send everything by default).
You can also write to us at the postal address listed in the Privacy Policy, but email is faster.
3. Children making requests
UK GDPR gives children the same rights as adults. In practice, we follow this approach:
- Children aged 13+ may make their own request. We verify their identity via the email address registered on their account.
- Children under 13 should ask a parent or carer to make the request on their behalf. We verify the parent's identity via the parent account that holds the child's account.
- If a child under 13 contacts us directly with a request, we will help them, but we will normally tell the parent the request was made (unless doing so would put the child at risk - in which case the Designated Safeguarding Lead handles the situation under the Safeguarding Policy).
4. How we verify identity
Before releasing personal data we have to be sure we are giving it to the right person. We use the lightest verification that gives us reasonable confidence:
- Default - we email a confirmation link to the email address registered on the account, and ask you to click it from a signed-in session. This proves both the email and the account belong to you.
- If the registered email is no longer accessible - we ask for two of: account creation date, last subscription payment amount and date, the platform username of any child on the account, any answer to a security question on record.
- For schools - we verify the requester is the school's nominated data contact via the email domain and, if needed, a phone call to the school's main number.
If we cannot verify identity to a reasonable standard we will say so and ask for more information rather than release anything.
5. What we send for an access request
For a Subject Access Request (SAR), we send a CSV or JSON export of everything we hold about you, including:
- Account record (parent or student): name, email, year group, subscription tier, account creation date.
- Progression state: XP, level, completed sub-units, Atomic Vault unlocks, HoLL legend discoveries, login streak.
- Quiz attempts: every question, your answer, the time taken, the outcome.
- Broadcasts and inbox messages: every message you have sent or received.
- Safeguarding records: any flag SoloSpell or solo-safeguarding raised on text you typed.
- Audit log: sign-ins, password changes, role changes.
- Wonde rostering: if your account was linked from a school's Wonde data, the matched row and what was hydrated from it.
We do NOT send:
- Anonymised analytics signals (page views, button clicks) - these are not personal data and we cannot link them back to an account.
- Information about other users, except where they are inseparably involved (for example, a broadcast we sent to a tutor will contain the tutor's name).
- Information we never had access to in the first place (PayPal card details, etc.).
6. What erasure ("right to be forgotten") actually removes
When you ask us to delete your data we hard-delete the following from our database:
- The account row and all linked progression, quiz, broadcast, inbox, and safeguarding records.
- The Supabase Auth user record so the email cannot be used to sign in.
- Any rostering link to a Wonde mirror row (the mirror row itself stays, because the school still owns that data and it is refreshed from Wonde, but it is no longer linked to a SoloCogs account).
Some data is retained for a limited period for legal reasons, but only in narrowly-scoped form:
- Safeguarding records - retained for the period required by KCSiE statutory guidance, even after account deletion. These are not used for any other purpose and are not linkable to a live account.
- Financial records - subscription invoices retained for 6 years to meet HMRC requirements. These contain billing email and amount only, not learning data.
- Backups - encrypted Supabase backups retain a snapshot of your data until the backup is rotated out (typically 7-30 days depending on the backup tier).
7. Our internal timeline
| Step | Target |
|---|---|
| Acknowledge receipt | Within 3 working days |
| Verify identity | Within 7 working days |
| Complete the response | Within 1 calendar month of the original request |
| Extension (complex requests only) | +2 months, but only with written notice to you explaining why |
8. If we have to refuse a request
UK GDPR allows us to refuse a request only in narrow circumstances - for example, if it is "manifestly unfounded or excessive" (such as repeated identical requests), or where complying would expose another person's data. If we ever refuse, we will tell you in writing within one month, explain why, and remind you of your right to complain to the ICO.
9. Review
This page is reviewed annually. The version number and review date at the top of the page are updated each cycle.