GDPR Compliance Statement

Last updated: 05 May 2025

At GCSEWriting, we are committed to full compliance with the General Data Protection Regulation (GDPR) (EU 2016/679) and the UK GDPR. This statement outlines the steps we take to protect your data and ensure transparency, fairness, and lawfulness in our processing practices.

1. Data Controller

GCSEWriting acts as the data controller of your personal data. If you have any questions about how we handle your information or wish to exercise your rights, please contact us at: hello@gcsewriting.com

2. Lawful Basis for Processing

We only collect and process personal data when we have a lawful basis to do so. This includes:

  • Your consent (e.g., for communication preferences)
  • Contractual necessity (e.g., to provide services you request)
  • Legal obligation (e.g., tax recordkeeping)
  • Legitimate interests (e.g., maintaining platform security)

3. Data Minimisation and Security

We collect only the data necessary to provide our services and meet legal obligations. To protect your data, we implement secure storage, strict access controls, and responsible handling practices.

All of our teachers are DBS-checked and do not have access to full student names, providing an added layer of privacy protection.

An integral part of our service is sharing anonymised student essays and feedback with other students to support learning and improve educational outcomes. We never share any student names or personally identifying information in these materials.

We continually review and update our practices to ensure the highest standards of data security and privacy.

4. Data Retention and Erasure

We retain personal data only as long as necessary to fulfil the purposes for which it was collected, including legal or regulatory obligations. Generally, this means retaining customer and transactional data for up to six years in accordance with accounting and tax laws.

When personal data is no longer required, we securely delete or anonymise it to protect your privacy.

5. Data Breach Notification Procedure

We have procedures in place to detect, report, and investigate personal data breaches. In the unlikely event of a breach posing a risk to your rights and freedoms, we will:

  • Assess the impact promptly
  • Notify the relevant data protection authority within 72 hours if required by law
  • Inform affected individuals without undue delay if there is a high risk to their rights
  • Take remedial action to prevent future breaches

6. Subject Access Requests (SAR) and Your Rights

You have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate or incomplete data
  • Request deletion of your data ("right to be forgotten") where applicable
  • Restrict or object to certain processing
  • Receive your data in a portable format
  • Withdraw consent where processing is based on consent

To exercise your rights, please contact us at hello@gcsewriting.com. We aim to respond to all valid requests within one month, as required by law.

7. Third-Party Processing and Processor Agreements

We do not sell or trade your personal data. Your information is only shared with trusted third parties as necessary to provide our services, such as Stripe for payment processing.

We maintain agreements with all third-party processors to ensure they comply with GDPR and process your data only as instructed.

8. International Data Transfers

If personal data is transferred outside the UK or EU, we ensure appropriate safeguards are in place, including:

  • Adequacy decisions by the European Commission
  • Standard contractual clauses (SCCs)

9. Information Security & Organisational Measures

We implement appropriate technical and organisational security measures to protect your personal data from unauthorised or unlawful processing and accidental loss, destruction, or damage. These include restricted access to data, encrypted storage, and regular security reviews.

10. Complaints

If you believe your data has been mishandled, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at www.ico.org.uk.