1. Who controls the data
The controller's legal name, identification number, address and privacy contact email appear in the information panel on this page. These details must be completed before the website is launched publicly.
2. Data we collect
At the application stage, we collect the parent's name and phone number, the student's name and grade, selected subject, preferred time and an optional comment.
After enrolment and during portal use, we may process the student's date of birth, school and contact details, parent details, groups and schedule, attendance, grades, completed topics, teacher feedback, payments and account-security information.
The website processes session and security data required for operation. Optional analytics will not be activated without the required choice or consent.
- Do not include health, diagnosis or other sensitive data in the free-text field unless WeGrow specifically requests it through a secure channel.
- WeGrow does not collect more information about a child than is necessary for consultation and educational services.
3. Purposes and legal bases
We process data to respond to applications, assess a student's needs and suitable group, prepare and provide services, record progress, communicate with parents, administer payments and accounts, maintain security and meet legal obligations.
The legal basis may be consent, steps taken before entering a contract, performance of a contract, a legal obligation or WeGrow's legitimate interests where those interests are not overridden by the individual's rights.
- Direct marketing and optional analytics require the relevant choice or consent.
- Withdrawal does not affect processing that was lawful before withdrawal.
4. Children's data
Where processing relies on consent, data about a child under 16 requires consent from a parent or other legal representative, and WeGrow may take reasonable steps to verify that authority.
For students aged 16–18, WeGrow may still involve a parent where required by law, the nature of the service or the child's best interests. Special-category data will be processed only with appropriate written consent or another lawful basis.
- The child's best interests take priority over commercial or administrative convenience.
- Assessments and comments are available only to appropriately authorised users.
5. Recipients
Access is limited to staff and teachers who need the data for an educational or administrative function. Hosting, email, security, technical support and payment providers may process data on our behalf under appropriate contractual and confidentiality duties.
Data may be disclosed to an authorised public body only where the law requires or permits it. WeGrow does not sell student or parent data.
- International transfers will occur only with a lawful basis and appropriate safeguards.
- Specific hosting and analytics providers must be added to this policy before they are enabled.
- If Cloudflare Turnstile is enabled for bot protection, Cloudflare receives technical data needed for the security check (including the token and IP address) under its privacy terms.
6. Retention
An unsuccessful or cancelled initial application is generally retained for no more than 6 months unless longer retention is needed for a dispute, request or legal obligation.
Enrolled-student learning and account data is retained during the service and generally for up to 3 years after the relationship ends to manage possible claims. Financial records are retained for periods required by tax and accounting law. Security logs are kept only as long as needed to detect and investigate threats.
- After the applicable period, data is deleted, destroyed or anonymised.
- Data needed for a current dispute or legal claim may be blocked and retained for longer.
7. Your rights
Subject to applicable law, you may request information and access, a copy, correction or update, erasure and cessation, blocking, withdrawal of consent and, where applicable, portability.
Contact the privacy email shown on this page. We may request reasonable proof of identity and authority. You may also contact Georgia's competent supervisory authority or a court.
- We respond within the period required by law.
- Rights are normally exercised free of charge, subject to lawful exceptions for manifestly unfounded or excessive requests.
8. Security and incidents
We use role-based access, password hashing, HTTPS in production, backups, access logging and other organisational and technical controls. No system is absolutely secure, so controls must be reviewed and updated periodically.
If a personal-data incident occurs, we will follow applicable assessment, recording and notification requirements.
9. Changes and contact
We may update this policy when services, technology or law change. Material changes will be published and, where appropriate, communicated separately.
Use the privacy contact email for questions, withdrawal of consent or rights requests.