GDPR & Data Residency
A school-friendly one-pager. For the long form, see the Data Protection Policy and the Privacy Policy.
Who runs SoloCogs: SoloCogs is the brand name for the online learning platform operated by Portsdown Tuition, a sole-trader business based in Portsmouth, England. Throughout this policy, "Portsdown Tuition", "we", "us", and "our" refer to the operator and legal entity. "SoloCogs" refers to the platform, service, and brand we provide to families, schools, and tutors. The data controller for personal data processed through SoloCogs is Portsdown Tuition.
Contact: hello@solocogs.co.uk
1. Who we are
SoloCogs is a UK-registered education service trading as Portsdown Tuition. We act as a data controller for the personal data we collect from learners and the adults who oversee them. Our registered contact for data matters is hello@solocogs.co.uk.
2. Lawful basis
We process personal data under the UK GDPR using these lawful bases:
- Contract - to deliver the learning service the parent / school has paid for.
- Consent - for analytics and non-essential cookies (a banner offers a clear opt-in).
- Legitimate interest - to make the service work reliably (account login, fraud prevention, error logging).
- Vital interest - if a safeguarding disclosure has to be acted on.
3. What we collect
| Who | What | Why |
|---|---|---|
| Adult (parent / tutor / school staff) | Name, email, role, billing details (handled by PayPal for B2C and Stripe for B2B, never stored by us) | Account, billing, support |
| Learner | First name (or display name only), age band, optional school, the answers they give, their RAG self-ratings, time on task, scientists they have discovered | Personalised learning, progress reports for the parent |
| Everyone | Anonymised page usage (GA4 with IP truncation) | Improving the platform - opt-in only |
We do not collect biometrics, ethnic origin, religion, health data, sexual orientation, location, or political opinions. We do not share data with advertisers.
4. Where the data lives
- Database: Supabase (PostgreSQL) hosted in West Europe (London, eu-west-2). UK data residency.
- File storage: Supabase Storage in the same UK region.
- Email: handled by a transactional provider hosted in the UK or EU.
- Payments: processed by PayPal (for family / home-educator subscriptions) and Stripe (for school, MAT, and Local Authority invoicing). Both are separately accredited under PCI DSS. We never see or store card details.
- Backups: daily database snapshots, retained 30 days, encrypted at rest, in the same UK region.
No personal data is transferred outside the UK or the EU.
5. How long we keep it
- Active accounts: for the duration of the subscription, plus 60 days' grace after cancellation.
- Closed accounts: personal data is deleted within 90 days unless we are required to retain it for legal reasons (e.g. financial records, which we keep for 6 years per HMRC rules).
- Anonymised analytics: retained indefinitely.
- Safeguarding disclosures: retained as long as is necessary, in line with statutory guidance.
6. Student data isolation (technical)
Every row of student data in our database carries the student's owner ID and is protected by row-level security (RLS). RLS policies are enforced by the database itself - meaning even a bug in our application code cannot allow one parent or one school to see another's data. Students cannot read other students' progress; parents only see their own children; teachers only see students linked to their school.
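A sketch of how isolation rules like these can be written as PostgreSQL row-level security policies on Supabase. This is an added example, not SoloCogs's actual schema or policies: every table, column, and policy name is hypothetical, and it assumes Supabase's `auth.uid()` function and `authenticated` role.

```sql
-- Added illustration; all table and column names are hypothetical.
-- auth.uid() and the "authenticated" role are supplied by Supabase.
create table students (
  owner_id  uuid primary key,  -- auth user id of the learner
  school_id uuid               -- null for home learners
);
create table parent_links (
  parent_id uuid not null,
  owner_id  uuid not null references students(owner_id),
  primary key (parent_id, owner_id)
);
create table school_staff (
  staff_id  uuid not null,
  school_id uuid not null,
  primary key (staff_id, school_id)
);
create table progress (
  id         bigint generated always as identity primary key,
  owner_id   uuid not null references students(owner_id),
  topic      text not null,
  rag_rating text not null check (rag_rating in ('red', 'amber', 'green'))
);

-- Once RLS is enabled, a table with no matching policy returns no rows (default deny).
alter table students     enable row level security;
alter table parent_links enable row level security;
alter table school_staff enable row level security;
alter table progress     enable row level security;

-- Link tables: each adult can read only their own link rows.
create policy parent_own_links on parent_links for select to authenticated
  using (parent_id = auth.uid());
create policy staff_own_links on school_staff for select to authenticated
  using (staff_id = auth.uid());

-- A student row is visible to the learner, a linked parent, or staff at the same school.
create policy student_visibility on students for select to authenticated
  using (
    owner_id = auth.uid()
    or exists (select 1 from parent_links pl
               where pl.owner_id = students.owner_id and pl.parent_id = auth.uid())
    or exists (select 1 from school_staff st
               where st.school_id = students.school_id and st.staff_id = auth.uid())
  );

-- Progress rows are visible only when the caller can see the owning student row;
-- the subquery is itself filtered by student_visibility.
create policy progress_visibility on progress for select to authenticated
  using (exists (select 1 from students s where s.owner_id = progress.owner_id));
```

Policies do not apply to roles with `BYPASSRLS` or to a table's owner unless `force row level security` is set, and in Supabase the `service_role` key bypasses RLS, so the guarantee covers requests made with an end user's own session.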
7. Your rights
Under UK GDPR you have the right to:
- Access a copy of the personal data we hold about you or your child.
- Correct anything that is wrong.
- Delete your data (subject to legal retention requirements).
- Restrict or object to certain types of processing.
- Withdraw consent for analytics at any time via the cookie controls.
- Take a complaint to the UK Information Commissioner's Office - ico.org.uk, 0303 123 1113.
Send any rights request to hello@solocogs.co.uk. We respond within 1 calendar month.
8. Data Processing Agreement (DPA)
Schools and tutoring providers can request a signed Data Processing Agreement to satisfy their own GDPR obligations. Email hello@solocogs.co.uk with subject "DPA request" - we will return a signed copy within 3 working days.
9. Sub-processors
These are the third parties that process data on our behalf. A full, dated, versioned list lives at policy-sub-processors.html for procurement records.
- Supabase (database, authentication, file storage - West Europe / London, eu-west-2) - privacy notice
- Cloudflare (website hosting, CDN, DDoS protection) - privacy notice
- PayPal (B2C payment processing for family and home-educator subscriptions) - privacy notice
- Stripe (B2B payment processing for school, MAT, and Local Authority invoicing) - privacy notice
- Google Tag Manager (tag deployment and consent gating - no analytics data sent until consent is granted) - privacy notice
- Google Analytics 4 (anonymised page / event usage, opt-in via cookie banner, IP truncation enabled) - privacy notice
Wonde (UK MIS aggregator) will be added when school-roster sync goes live; schools will be notified 30 days in advance.
We notify customers of any change to this list at least 30 days in advance.
10. Breach notification
If a personal data breach occurs and is likely to result in a risk to your rights, we notify the ICO within 72 hours and any affected users without undue delay. Our breach log is kept whether or not external notification is needed.
11. Data Protection Impact Assessment (DPIA)
Because SoloCogs processes children's personal data (Article 8 special-category context under UK GDPR), we maintain a published DPIA. It identifies the risks to learners arising from each kind of processing we do, the safeguards in place, and the residual risk score after those safeguards. Schools attaching SoloCogs to their own information register can use our DPIA as evidence that an impact assessment has been done at the supplier level.
- Public summary: Read the DPIA summary →
- Full DPIA (with risk matrix): email hello@solocogs.co.uk with subject "DPIA request" - signed PDF returned within 3 working days.
- Reviewed: annually, or earlier if processing changes materially.
Data protection contact: hello@solocogs.co.uk. Requests for our signed DPA, subject-access copies, or breach details are all welcome.