Privacy Policy

EduTrack · Last updated April 20, 2026

This policy explains what information we collect, why, and what you can ask us to do with it. It’s written to meet the General Data Protection Regulation (GDPR) as a baseline — this is the strictest privacy law we know of, so meeting it means meeting most others.

1. Who’s responsible (the data controller)

The data controller for personal information collected through EduTrack is EduTrack. For any data-protection question, email our contact form.

2. What data we collect

When you use EduTrack, we collect:

  • Account data — your name, email, phone number, password (stored as a one-way hash), your timezone and (optionally) your photo.
  • Relationship data — who your teacher is, which classes you’re in, attendance, progress notes and test scores.
  • Payment data — your Stripe Customer ID and the last 4 digits of your card (both held by Stripe, not us). We never store full card details.
  • Communication data — emails we’ve sent you, and basic delivery / open tracking so we know our emails actually reach you.
  • Technical data — your IP address, browser user-agent and timestamps for security and debugging.

3. Why we use it (lawful bases under GDPR Article 6)

Under GDPR, every use of your personal data needs a legal reason. Here are ours, in plain English:

What we do | Lawful basis
Deliver lessons and bill you for them | Performance of a contract — you’ve booked lessons from us
Send reminders, confirmations and service notifications | Performance of contract + legitimate interest in running the service well
Security logging and fraud prevention | Legitimate interest in keeping EduTrack safe
Keep tax and accounting records | Legal obligation under England and Wales tax law

4. Who we share with (sub-processors)

To run EduTrack we use a small number of named providers:

  • Stripe (payment processing) — Ireland / United States.
  • Stalwart mail server (email delivery) — self-hosted by us on a server in London.
  • Server hosting — United Kingdom.

We do not sell your data. We do not share it with advertisers. We do not use analytics trackers, third-party cookies or fingerprinting.

5. International transfers

Your data may cross borders. For example: you might be in Vietnam, our servers are in the UK, Stripe is in Ireland and the US. We only use providers who follow GDPR-equivalent protection (through adequacy decisions or standard contractual clauses).

6. How long we keep it

  • While your account is active: we keep your data for as long as you’re an EduTrack student.
  • After you close your account: we delete within 30 days, except for (a) financial records, which we keep for 6 years to meet tax law in England and Wales, and (b) anonymised lesson statistics that no longer identify you.
  • Communication logs: kept for up to 1 year, then deleted.

7. Your rights

Under GDPR you have the following rights. You can exercise any of them by emailing our contact form.

  • See your data (access). Get a copy of what we hold about you.
  • Correct it (rectification). Ask us to fix anything that’s wrong.
  • Delete it (right to be forgotten). Ask us to delete your data, subject to legal retention rules.
  • Export it (data portability). We’ll send you a JSON export of your data that you can take elsewhere.
  • Object or restrict. Ask us to pause or stop specific uses of your data.
  • Withdraw consent. Where we rely on your consent, you can change your mind any time.
  • Complain to your local data protection authority — for example the UK’s ICO, France’s CNIL, or Vietnam’s Ministry of Information and Communications (MIC).

8. Children & under-18s

We don’t knowingly process the personal data of anyone under 13 without verified parental consent.

For students aged between 13 and 17, a parent or legal guardian should be aware of the account, review this policy, and agree to it on the student’s behalf. We rely on that consent as the lawful basis for processing a minor’s personal data in connection with their lessons.

If you think a child under the minimum age has given us personal data without consent, or if you’re a parent who wants to review or remove a minor’s data, send a message through our contact form and we’ll act promptly.

For how we keep younger students safe during lessons, see our Safeguarding Policy.

9. Security

We use TLS (HTTPS) for everything in transit, hash passwords with industry-standard algorithms, offer optional two-factor authentication on admin accounts, and run role-based access so staff only see what they need. EduTrack follows the least-privilege principle on every service it talks to.

10. Cookies

EduTrack uses a single session cookie to keep you signed in. No tracking cookies. No advertising cookies. No analytics cookies. No third-party scripts. Under ePrivacy rules, the session cookie falls under the strictly-necessary exemption and does not require a consent banner.

11. Changes to this policy

The current effective date is April 20, 2026. For major updates, we’ll email you at the address on your account. We’ll always keep this page up to date — the date at the top changes whenever the policy does.

12. How to exercise your rights

Email our contact form from the address on your EduTrack account, and tell us what you want us to do. We respond within 30 days. If we need more information to verify it’s really you, we’ll ask before acting.