Privacy Policy

Last updated: 5 March 2026

1. Who We Are

The Crescent College (“we”, “our”, “us”) is the data controller responsible for your personal data. We are an educational consultancy specialising in Oxbridge and university admissions preparation.

If you have any questions about this policy or how we handle your data, contact our data protection lead at [email protected].

2. Information We Collect

Information you provide directly

  • Name, email address, and phone number (via our contact and booking forms)
  • Student details: school, year group, subject interests, target university
  • Enquiry and consultation messages
  • Payment information (processed securely by our payment provider; we do not store card details)

Information collected automatically

  • IP address, browser type, device type, and operating system
  • Pages visited, time spent on pages, and referring URLs
  • Cookies and similar technologies (see Section 7 below)

Information from third parties

We may receive information when you interact with our social media accounts (such as TikTok, Instagram, or LinkedIn), limited to publicly available profile information and interaction data provided by those platforms.

3. Lawful Basis for Processing

Under UK GDPR, we process your personal data on the following legal bases:

  • Contract: to deliver the tutoring and consultancy services you have purchased or enquired about (Article 6(1)(b)).
  • Legitimate interests: to respond to enquiries, improve our services, and market our educational programmes, where these interests do not override your rights (Article 6(1)(f)).
  • Consent: where you have opted in to receive marketing communications. You may withdraw consent at any time (Article 6(1)(a)).
  • Legal obligation: to comply with applicable laws, such as tax and accounting requirements (Article 6(1)(c)).

4. How We Use Your Information

  • To respond to your enquiries and arrange consultations
  • To deliver tutoring, mentoring, and admissions support services
  • To process payments and issue invoices
  • To send service-related communications (session confirmations, schedule changes)
  • To send marketing communications where you have consented or where we have a legitimate interest (you can opt out at any time)
  • To analyse website usage and improve our services
  • To comply with legal and regulatory obligations

We will never sell your personal data to third parties.

5. Who We Share Your Data With

We share your data only with trusted third-party service providers who process it on our behalf, under written contracts that comply with UK GDPR:

  • Cloudflare: website hosting, security, and content delivery
  • Formspree: contact form processing
  • Payment processors: secure payment handling (no card data is stored by us)
  • Email service providers: for service and marketing communications
  • Social media platforms: TikTok, Instagram, and LinkedIn for content distribution

We do not share your personal data with any other third parties unless required by law.

6. International Data Transfers

Some of our third-party service providers are based outside the UK. Where personal data is transferred internationally, we ensure appropriate safeguards are in place, including:

  • Transfers to countries with an adequacy decision from the UK Secretary of State
  • Standard contractual clauses approved by the ICO
  • Other appropriate safeguards under UK GDPR Article 46

7. Cookies and Tracking Technologies

Our website uses the following types of cookies:

  • Strictly necessary cookies: required for the website to function (e.g. security cookies from Cloudflare). These do not require consent.
  • Analytics cookies: to understand how visitors use our site and improve the user experience. These are only set with your consent.

You can control cookies through your browser settings. Disabling certain cookies may affect website functionality.

8. How Long We Keep Your Data

  • Enquiry data: 2 years from your last interaction, unless you become a client
  • Client records: 6 years after your last service, in line with UK tax and accounting requirements
  • Marketing preferences: until you withdraw consent or unsubscribe
  • Website analytics: 26 months (aggregated and anonymised)

After these periods, your data is securely deleted or anonymised.

9. Children and Young People

Our services are designed for students aged 15 and above, many of whom are under 18. We take the following additional measures:

  • For students under 16, we require parental or guardian consent before collecting personal data
  • For students aged 16 and 17, we accept their own consent but encourage parental involvement
  • We present privacy information in clear, age-appropriate language
  • We collect only the minimum data necessary to deliver our services
  • Parents and guardians may exercise data rights on behalf of their children at any time

10. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

  • Right of access: request a copy of the personal data we hold about you
  • Right to rectification: ask us to correct inaccurate or incomplete data
  • Right to erasure: ask us to delete your personal data (subject to legal retention requirements)
  • Right to restrict processing: ask us to limit how we use your data
  • Right to data portability: receive your data in a structured, machine-readable format
  • Right to object: object to processing based on legitimate interests or for direct marketing
  • Right to withdraw consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing

To exercise any of these rights, email [email protected]. We will respond within one month.

11. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • HTTPS encryption on all pages
  • Secure, access-controlled storage of personal data
  • Regular review of data processing practices
  • Staff awareness of data protection responsibilities

12. Data Breaches

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours and inform affected individuals without undue delay, as required by UK GDPR Articles 33 and 34.

13. Complaints

If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the Information Commissioner's Office:

We would appreciate the opportunity to resolve any concerns before you contact the ICO. Please email us at [email protected] first.

14. Changes to This Policy

We may update this privacy policy from time to time. Any changes will be posted on this page with an updated revision date. We encourage you to review this page periodically.