Privacy Policy
Who runs SoloCogs: SoloCogs is the brand name for the online learning platform operated by Portsdown Tuition, a sole-trader business based in Portsmouth, England. Throughout this policy, "Portsdown Tuition", "we", "us", and "our" refer to the operator and legal entity. "SoloCogs" refers to the platform, service, and brand we provide to families, schools, and tutors. The data controller for personal data processed through SoloCogs is Portsdown Tuition.
Contact: hello@solocogs.co.uk
1. Who We Are
Data Controller: Portsdown Tuition (sole trader), trading as SoloCogs, Portsmouth, England.
ICO Registration: ZB916444 - searchable on the ICO public register.
If you have any questions about how we handle your personal data, please contact us via the contact page.
2. What Data We Collect
Account holders (parents/carers)
- First name, last name, email address
- Account credentials (password stored as a secure hash - never in plain text)
- Subscription status and billing tier
How we use your email address: we use it for (1) account login + password reset; (2) essential service emails such as billing receipts, subscription renewals, and safeguarding referrals where applicable; (3) limited service announcements about platform changes that materially affect you. We do NOT use your email for marketing without explicit opt-in, do not sell it, and do not share it with third parties except the strictly-necessary processors listed in section 5.
Student accounts
- First name, year group, generated anonymous username
- Learning progress data (quiz scores, resource completion, confidence ratings)
- Emotional wellbeing check-in data (Zones of Regulation entries, including any notes left voluntarily)
- Optional recovery email - only if a parent / carer or school admin explicitly opts in (see the section below)
Student password recovery email (optional)
To let a student reset their own password without waiting for an adult, a parent / carer or school admin can add a recovery email address for that specific student. This is usually the child's own school email or a family-shared address. It is opt-in, off by default, and can be cleared at any time from the parent-settings page on SoloCogs.
Purpose limitation - what we use it for:
- Sending a one-time confirmation email so we know the address is real and the right person controls it.
- If the student forgets their password and self-recovery is on, sending them a password reset link.
- Sending the parent / carer a notification email each time a reset is requested.
What we never use it for:
- Marketing of any kind. We never email the recovery address with offers, newsletters, or anything outside the three purposes above.
- Profiling, advertising, or analytics. The address is not shared with Google Analytics or any third party.
- Sharing or selling. We do not pass the address to any other organisation.
Retention: the recovery email is stored only as long as it is needed for the purpose above. It is deleted within 30 days of:
- The parent / carer or admin clearing the field in parent-settings, OR
- The student account being deleted, OR
- The parent / carer turning the recovery toggle off without setting a new address.
Lawful basis: contract performance (article 6(1)(b) UK GDPR) - the recovery email exists only because the parent / carer or school admin chose to set it up to fulfil our agreed service of getting their child back into their account quickly.
All users
- Login timestamps and session data
- Browser-stored preferences (background colour, mute settings) held in your browser's local storage - not on our servers
Analytics data - only if you accept the cookie banner
If you accept analytics via the cookie banner, we use Google Analytics 4 (loaded via Google Tag Manager) to collect anonymised usage signals - which pages get viewed, where users come from, what device or browser is used, and which features get clicked. We do not pass your name, email, account ID, or any other personally identifying field to Google Analytics. The data is held by Google as an independent processor and is restricted to anonymised page-view and event-level signals.
If you reject the cookie banner, no analytics cookies are set and no analytics events are sent. See the Cookie Policy for the full list of GA4 cookies.
Payment information
We never see or store your card details. All payment processing is handled by PayPal (PayPal (Europe) S.a r.l. et Cie, S.C.A.), a separately accredited payment provider under PCI DSS. PayPal acts as an independent data controller for the financial data you give them. When you pay, your browser hands the payment information directly to PayPal; we receive only a confirmation that the payment succeeded plus the subscription tier you bought - no card number, no expiry date, no CVV. You can read PayPal's own privacy notice at paypal.com/uk/legalhub/privacy-full.
If PayPal sends you transactional emails (receipts, dispute notifications, etc.) those are sent by PayPal under their own terms, not by us.
3. How We Use Your Data
We collect and process personal data only for the following purposes:
- To provide the service - account management, access to resources and tools, progress tracking
- To safeguard students - wellbeing check-ins and flagged entries are reviewed by the DSL to identify students who may need support
- To improve the platform - aggregated, anonymised usage patterns may inform future development
- To communicate with you - account-related emails (password reset, subscription updates). We do not send marketing emails without your explicit consent.
What we infer about you
To deliver the learning experience, SoloCogs derives a number of inferences from your data - things we work out about you that you did not type in. Per the ICO Children's Code (standard 12 on profiling), we list these here so you know exactly what we calculate:
- Mastery level per sub-unit - whether your recent answers suggest you have grasped a topic, are still building it, or need to revisit it. Used to recommend what to study next.
- Common misconceptions - patterns in your wrong answers that suggest a specific misunderstanding (e.g. confusing mitosis and meiosis). Used so the platform can offer a targeted explanation, and so a tutor or parent can see what to focus on.
- Confidence vs accuracy - you rate how confident you feel before each answer; we compare that to whether the answer was right. This produces a "calibration" pattern that helps surface where you are unsure even when you got the answer right.
- Engagement signals - daily login streak, time spent per session. Used to award XP and to alert a parent if a student stops engaging for a sustained period.
What these inferences are NEVER used for: targeted advertising; profiling for commercial decisions; gating access to content (you can always study anything you want, regardless of your "mastery"); sharing with third parties for any purpose other than the parent / tutor / school relationship the account was set up under; training third-party AI models.
Who can see your inferences: you, the parent on your account, any tutor your parent has invited, and a school's nominated data contact if your account was rostered from a school via Wonde. Nobody else, including other SoloCogs users.
Per UK GDPR Article 22, no decision with legal or similarly significant effects is made about you on a solely automated basis - all inferences are informational.
4. Legal Basis for Processing
- Contract - processing necessary to deliver the service you have signed up for (UK GDPR Art. 6(1)(b))
- Consent - analytics cookies and any optional marketing communications, only after you opt in via the cookie banner or marketing-preference toggle (UK GDPR Art. 6(1)(a)). You can withdraw consent at any time via the "Cookie settings" link in the footer.
- Legitimate interests - platform security monitoring and the fundamental operation of strictly-necessary functions (UK GDPR Art. 6(1)(f))
- Legal obligation - safeguarding records and referrals where required by law (UK GDPR Art. 6(1)(c))
- Vital interests - where processing is necessary to protect a child's life or safety (UK GDPR Art. 6(1)(d))
Where we process special category data (including data about a child's health or wellbeing), we rely on the substantial public interest condition under Schedule 1 of the Data Protection Act 2018, specifically in relation to safeguarding of children.
5. Who We Share Data With
We do not sell, rent, or trade personal data. We share data only with the following sub-processors, each under a written data processing agreement as required by UK GDPR Article 28. The full, dated, versioned list lives at policy-sub-processors.html for procurement records.
- Supabase Inc. - our secure database and authentication provider. Data processed in our chosen EU region. Supabase Data Processing Addendum requested and signed via Dashboard → Organization → Legal Documents in June 2026. Supabase privacy notice.
- Cloudflare, Inc. - our website hosting, content delivery network (CDN), and DDoS protection. Cloudflare handles connection-level metadata (IP address, request headers) but does not see personal data inside requests as the application layer is encrypted. Cloudflare DPA signed via Dashboard → Manage Account → Configurations. Cloudflare privacy notice.
- Google LLC (Google Cloud + Gemini API) - used for AI-assisted generation of teacher-side educational illustrations (no student data is ever sent to Google). Cloud Data Processing Addendum incorporated by reference into the Google Cloud Terms of Service, accepted at the time our Google Cloud project was created (June 2026). DPA text at cloud.google.com/terms/data-processing-addendum.
- Google LLC (Tag Manager) - manages which client-side tags fire and gates them on consent. No analytics data is sent until the cookie banner is accepted.
- Google LLC (Analytics) - only if you accept analytics via the cookie banner. Anonymised page-view and event signals only (no name, email, or account ID), with IP truncation enabled. Google acts as an independent data controller for the cookies it sets in your browser.
- PayPal (Europe) S.a r.l. et Cie, S.C.A. - the payment provider for B2C subscriptions (families and home educators). They receive the data they need to take payment (card / PayPal account details, transaction value, parent's billing email). They do NOT receive any child's data or learning data. They act as an independent data controller. PayPal privacy notice.
- Stripe Payments Europe Ltd. - the payment provider for B2B invoicing (schools, MATs, Local Authorities). They receive only the billing entity's invoicing details and transaction value. They do NOT receive any pupil's data or learning data. They act as an independent data controller. Stripe privacy notice.
- Statutory agencies - police, social services, NSPCC, ICO - where we have a safeguarding obligation or legal requirement to share. Not a routine sub-processor; engaged only when triggered by an incident or legal request.
Wonde (UK MIS aggregator) will be added when school-roster sync goes live; affected customers will be notified at least 30 days in advance.
6. Data Retention
- Active accounts: Data is retained for the duration of the account
- Closed accounts: Non-safeguarding data is deleted within 90 days of account closure
- Safeguarding records: Retained for a minimum of 7 years, or until the student reaches age 25, whichever is later - in line with statutory guidance
- Learning data: Retained for up to 3 years after last login to allow re-engagement
- Student recovery email (optional): Deleted within 30 days of being cleared in parent-settings, the recovery toggle being turned off, or the student account being closed. See the Student password recovery email section above for what it is used for.
- Password reset audit log: The internal log of password reset attempts (who requested, when, succeeded) is retained for 1 year for safeguarding + abuse-detection purposes. Rate-limit and audit only; not used for marketing or profiling.
7. Your Rights Under UK GDPR
You have the right to:
- Access - request a copy of the personal data we hold about you
- Rectification - ask us to correct inaccurate data
- Erasure - ask us to delete your data (subject to legal retention obligations)
- Restriction - ask us to limit how we use your data
- Portability - receive your data in a structured, machine-readable format
- Object - object to processing based on legitimate interests
To exercise any of these rights, please contact us via the contact page. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
8. Data Security
We take appropriate technical and organisational measures to protect personal data, including:
- All data in transit encrypted via HTTPS/TLS
- Database access controlled via Row-Level Security policies
- Passwords never stored in plain text - hashed by Supabase Auth
- Access to student safeguarding data restricted to the DSL only
9. Children's Data
A significant proportion of our users are under 18. We take additional care with children's data:
- Student accounts are created by or with the consent of a parent/carer
- Students do not need to provide a real email address - accounts use an internal identifier
- We do not use children's data for advertising or profiling
- Wellbeing data is used only for pastoral and safeguarding purposes
9.1 If you are under 18 and want to access or remove your data
You still have all the rights listed in Section 7 above - but the way you exercise them is a little different to make sure you're properly supported and that any safeguarding considerations are taken into account.
First step - speak to a trusted adult. If you have questions about your data, want to see what we hold (a Subject Access Request), or want to ask for it to be deleted, please speak to one of the following first:
- The parent, carer or guardian who holds your account - they can submit the request on your behalf through their Cognition Overview, or by contacting us directly.
- Your school's data protection lead if your account is set up through a school - they have a process for handling data requests for students.
If you would prefer to contact us yourself, you absolutely can - email hello@solocogs.co.uk and we'll work with you and your parent/carer to make sure the request is handled properly.
9.2 Why we may keep some data even if you ask us to delete it
In some circumstances, the law requires (or strongly encourages) us to keep certain data even if you ask for it to be erased. The main reasons are:
- Safeguarding - if a wellbeing check-in or referral has been made to a statutory agency, we are required to keep that record for a minimum of 7 years, or until the student turns 25, whichever is later. This is in line with the Department for Education's statutory guidance on safeguarding.
- Educational records - where data forms part of a school's educational record, the school is the data controller for that information and may have its own retention obligations.
- Legal disputes or unresolved complaints - data may need to be retained while a dispute or complaint is open.
Where we cannot delete data for one of the reasons above, we will tell you which reason applies and how long we expect to keep it.
9.3 If you are 18 or over
You can exercise any of your data rights directly. Email hello@solocogs.co.uk and we will respond within 30 days as set out in Section 7.
10. Cookies and Local Storage
SoloCogs uses strictly-necessary cookies (for sign-in and security), browser local storage (for preferences and progress), and - only if you opt in via the cookie banner - Google Analytics 4 cookies for anonymised usage analytics. See our separate Cookie Policy for the full list of cookies, what each one does, and how to change your consent decision.
11. Changes to This Policy
We will notify registered users of any material changes to this policy via email and by updating the version number and review date above. Continued use of the platform after notification constitutes acceptance of the updated policy.
Data protection questions? Contact us via the contact page. For complaints, you can also contact the ICO at ico.org.uk.