Privacy Policy

Last updated: 2 May 2026
Version: 2.0

Child-friendly version →

A plain-language summary written for younger users.

Our sub-processors →

Companies we use to run the platform, with country and transfer mechanism.

1. Introduction

Red Robin Learning Ltd ("we", "our", "us" or "Red Robin Learning") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, share and protect personal data when you use our website and online tutoring services (the "Services").

We act as the data controller under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Our company number is 13675815.

For privacy-related questions or to exercise your rights, contact us at privacy@redrobinlearning.com.

2. Children and the Children's Code

Our Services are designed to be used by children aged 8–18 with the involvement of a parent or legal guardian. We follow the Information Commissioner's Office (ICO) Age Appropriate Design Code (the "Children's Code").

Account holders are 18+. Direct accounts for children under 13 are not knowingly created.
Parental involvement: Parents act as the data subject for their child's account in matters of consent, access and rights, until the child reaches the age at which they can exercise those rights themselves.
High-privacy defaults: child-facing features default to the most privacy-protective settings. We do not use nudge techniques to encourage children to share more data than they need to.
Profiling: we do not use children's data for advertising profiling. Our automated tutor-matching system uses limited profile data to suggest a suitable tutor; matches are reviewed by a human admin before they take effect for under-18s.
DPIA: we have completed a Data Protection Impact Assessment for child-facing features. A redacted summary is available on request from privacy@redrobinlearning.com.

A plain-language summary written for younger users is also available.

3. Information We Collect Automatically

When you use our Platform we automatically collect certain information so we can provide and improve our Services.

How you use the Platform: pages you visit, tutors you search for, bookings you make, messages you send.
Technical information: device, browser, IP address, visit timestamps, error reports.
Cookies and similar technologies: see our Cookie Policy. We obtain prior consent for non-essential cookies.
Approximate location: derived from your IP address, used to suggest nearby resources and detect fraud. We do not collect precise GPS location for child users.

4. Information You Provide to Us

Account information: name, email, phone, address, year group / academic level, payment method.
Tutor verification: identification documents (for example, passport or driving licence), right-to-work evidence, references and banking details.
DBS and criminal-record information: enhanced DBS certificates and any subsequent disclosures, processed under separate conditions described in section 6.
Communications: messages sent through the Platform and to our team, including WhatsApp messages routed through Twilio.
Lesson Recordings: audio and video of online Lessons (see section 7).
Files you upload: homework, essays and other learning artefacts.

5. How We Use Your Information

Delivering the Services: matching tutors to students, processing bookings and payments, supporting Parents and Tutors.
Verification and onboarding: confirming Tutor identity, qualifications and DBS status.
Safeguarding: monitoring concerns, retaining Recordings, and acting on disclosures.
AI-assisted features: generating session reports, practice questions, tutor coaching prompts and message triage (see section 8).
Communications: service emails, WhatsApp transactional messages (booking confirmations, session reports via approved Twilio templates), and — with your prior consent or under PECR soft opt-in for existing customers — marketing.
Tax and regulatory compliance: sharing limited data with HMRC and other authorities where required.
Security and fraud prevention: detecting misuse, unauthorised access and prohibited content.
Service improvement: aggregated, de-identified analytics about how the Platform is used.

You can opt out of marketing at any time via the unsubscribe link in the email or by contacting privacy@redrobinlearning.com. Opting out of marketing does not stop transactional or safeguarding messages that you must receive while you have an Account.

6. Lawful Basis for Processing

Under UK GDPR we must have a lawful basis for processing your personal data. The table below shows the data we collect, the purposes, and our lawful basis. Where we process special-category or criminal-conviction data we cite the additional condition under the Data Protection Act 2018.

Category of personal data	Purpose	Lawful basis
Personal details (name, contact, year group)	To register you as a customer, deliver the Services, and send transactional notifications.	Article 6(1)(b) — performance of a contract. Article 6(1)(f) — legitimate interests in running and growing our business.
Identity-verification documents (Tutors)	To verify Tutor identity and right to work in the UK.	Article 6(1)(b) — contract. Article 6(1)(c) — legal obligation (right-to-work checks).
Criminal-record information (Tutor DBS)	To safeguard the children we serve and confirm Tutor suitability.	Article 10 UK GDPR processed under DPA 2018, Schedule 1, Part 2 paragraph 18 (safeguarding of children and individuals at risk) and paragraph 12 (preventing or detecting unlawful acts). We hold an Appropriate Policy Document.
Lesson Recordings (safeguarding purpose)	To enable us to investigate concerns and protect the welfare of children attending Lessons.	Article 6(1)(f) — legitimate interest in safeguarding, with substantial public interest under DPA 2018, Schedule 1, Part 2 paragraph 18 where any special-category data is incidentally captured. We do not use Recordings for biometric identification.
Lesson Recordings and transcripts (AI processing)	To generate session reports, practice questions and tutor coaching prompts. Reviewed by a human before delivery.	Article 6(1)(b) — performance of a contract for the Services. You can opt out of AI processing at any time without affecting the safeguarding Recording.
Payment details	To process Lesson Fees and Subscription billing.	Article 6(1)(b) — contract.
Communications (in-app messages, WhatsApp)	To deliver the Services, support customers, triage messages, and resolve disputes.	Article 6(1)(b) — contract. Article 6(1)(f) — legitimate interests in service improvement and fraud prevention.
Marketing data	To send marketing emails and run advertising.	Article 6(1)(a) — consent (new contacts). PECR Regulation 22(3) soft opt-in (existing customers, with opt-out in every message).
Cookies and analytics	Strictly-necessary cookies to run the Platform. Optional cookies for analytics and advertising (with consent).	PECR Regulation 6(4) — strictly necessary for the service you have requested (essential cookies). Article 6(1)(a) UK GDPR — consent for non-essential cookies, obtained via the consent banner.

7. Lesson Recordings

Online Lessons are recorded for two distinct purposes, each handled differently:

Safeguarding: a copy of each recording is held securely for 90 days for child-protection purposes. Access is restricted to our safeguarding lead and authorised admins, and is logged.
AI-assisted features: short transcript extracts are sent to our AI providers (see section 8) to generate session reports and practice content. AI outputs are reviewed by a human before being shared with Parents or Students. You may opt out at any time by emailing privacy@redrobinlearning.com. Opting out prevents future AI processing; transcript extracts already shared with our AI providers cannot be recalled but those providers are contractually prohibited from retaining or re-using them beyond their data-processing agreement with us. Opting out does not affect the safeguarding Recording.

You must not record Lessons yourself or share Recordings without our prior written consent.

8. AI Processing and Automated Decisions

We use third-party artificial-intelligence services to power features such as session reports, practice generation, message triage, and recording transcription. We have data-processing agreements with each provider and rely on their published API terms — which prohibit training on customer data — together with the additional contractual protections set out in those agreements.

Anthropic (Claude) — generates draft reports, practice content, tutor coaching prompts and message triage. Data is processed in the United States.
OpenAI — transcribes selected lesson recordings into text for further processing. Data is processed in the United States.
Human review: AI-generated reports and practice content are reviewed and approved by an admin before being sent to Parents or Students. Tutor coaching prompts (visible only to the Tutor) may be auto-published.
No solely automated decisions: we do not make decisions about you that produce legal or similarly significant effects without meaningful human involvement. You retain the rights set out in Article 22 UK GDPR.

A full list of sub-processors and the countries to which data is transferred is at /legal/sub-processors.

9. Sharing Your Information

Tutors: we share necessary contact and Lesson information with the Tutor delivering the Lesson.
Sub-processors: trusted third parties who help run the Platform, including hosting (Vercel), database (Neon), authentication (Clerk), payments (Stripe), email (Resend), messaging (Twilio), AI providers (Anthropic, OpenAI), CMS (Sanity), rate limiting (Upstash) and Google Workspace. See /legal/sub-processors.
Public authorities: HMRC for tax compliance, police and the Local Authority Designated Officer where required for safeguarding.
Professional advisers: lawyers, auditors and insurers under confidentiality.
Business transfers: a successor in title if we sell or restructure the business; we will require equivalent data protection.

We do not sell personal data to third parties for their own marketing.

10. International Transfers

Some sub-processors are based outside the UK and the European Economic Area. Where we transfer personal data outside the UK we rely on one of the following safeguards:

UK adequacy regulations for the EEA and the UK Extension to the EU-US Data Privacy Framework (the "UK-US Data Bridge") for certified US providers.
Standard Contractual Clauses (SCCs) together with the UK International Data Transfer Addendum (IDTA), with a transfer-risk assessment as required.
Article 49 derogations only in narrow, documented cases.

Country and transfer mechanism per provider is listed at /legal/sub-processors.

11. How We Protect Your Information

Security measures: encryption in transit (TLS 1.2 or above), encryption at rest for the database and Recordings, role-based access control, audit logging, and least-privilege secrets management.
Incident response: we will report personal-data breaches to the ICO within 72 hours where required, and notify affected individuals where the breach poses a high risk.
Privacy by design: we run a DPIA before launching features that materially change how we process children's data.

12. How Long We Keep Your Information

Account data: 7 years from your last activity, then deleted or anonymised.
Lesson Recordings: 90 days, then deleted, except where retained for a specific safeguarding investigation.
DBS certificates: physical certificates not retained beyond 6 months; verification metadata kept for the duration of the engagement plus 6 years.
Financial records: 6 years to meet HMRC requirements.
Marketing preferences: until you opt out, then a suppression list is kept indefinitely so we do not contact you again.

13. Your Rights

Under UK GDPR you have the right to:

Access: ask for a copy of the personal data we hold about you.
Rectification: ask us to correct inaccurate or incomplete data.
Erasure: ask us to delete your data in certain circumstances.
Restriction: ask us to limit our processing while we resolve an issue.
Object: object to processing based on legitimate interests, or to direct marketing at any time.
Portability: receive your data in a portable format.
Withdraw consent: withdraw any consent you have given (without affecting prior lawful processing).
Automated decision-making: ask for human review of significant automated decisions.

To exercise these rights, email privacy@redrobinlearning.com. We may need to verify your identity. We respond within one month; complex requests may take up to three months and we will keep you informed.

You can also complain to the UK Information Commissioner's Office at ico.org.uk.

14. Cookies

Our use of cookies and similar technologies is described in the Cookie Policy. Non-essential cookies are set only with your prior consent; you can withdraw consent at any time via your browser settings or the consent control on the Platform.

15. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email and posted on the Platform before they take effect. Continued use of the Services after the effective date means you accept the updated policy.

16. Contact Us

Red Robin Learning Ltd
Privacy enquiries: privacy@redrobinlearning.com
Safeguarding: safeguarding@redrobinlearning.com
General support: support@redrobinlearning.com