Last updated: 22nd September, 2025

Effective date: 22nd September, 2025

The words of which the initial letter is capitalised have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.

For the purposes of this Privacy Policy:

• Me (also "I" and "My"): Damian James Eastwood, IČO: 51798476, Pernek 354, 90053 Pernek, Slovakia.

• Cookies: small files that are placed on a device by a website.

• Country: Slovak Republic

• Device: any device that can access the Website.

• Personal Data: any information that relates to an identified or identifiable natural person.

• Service: English language tutoring and related services, including this Website.

• Service Provider: a third party processing Personal Data on written instructions (processor).

• Usage Data: data collected automatically by the Website (e.g., pages visited, timestamps).

• You (also "Your"):  an individual using the Service, or an organisation on whose behalf an individual uses the Service.

I am Damian James Eastwood, the data controller for Personal Data processed under this policy (except where stated otherwise). Services are provided directly to adult learners and to companies, schools, and other organisations that engage me to provide services to their stakeholders. Services are primarily for adults; in limited cases, lessons for a minor are arranged by and delivered under contract with a parent or guardian, with only minimal information about the minor processed where strictly necessary.

Processing occurs only where a specific purpose and lawful basis apply.

Communicating and providing requested services: contact and identity details to respond to enquiries and deliver lessons. Lawful basis: performance of a contract; legitimate interests (efficient client communications).

Planning, scheduling, delivery, and feedback: CEFR level, schedule, attendance, assessment results, and relevant communications. Lawful basis: performance of a contract; legitimate interests (service provision and support).

Invoicing and payment: billing details and related financial administration, including debt recovery where necessary. Lawful basis: performance of a contract; legitimate interests (ensuring payment); legal claims.

Client learning support: development of learning plans and recommendations. Lawful basis: performance of a contract; legitimate interests (service delivery).

Newsletter and marketing: sent only with valid consent or (where legally permitted) under a limited soft opt-in to existing clients for similar services, with an unsubscribe link in every message. Lawful basis: consent; legitimate interest (only where permitted and documented). Consent can be withdrawn at any time without affecting service delivery.

Legal and regulatory compliance: disclosures or records required by law (e.g., tax). Lawful basis: legal obligation; legitimate interest (cooperating with public authorities where appropriate).

Vendor communications: where a supplier provides goods/services or is being assessed for suitability. Lawful basis: performance of contract; legitimate interests (business administration).

Usage Data is collected to operate the Website, maintain security, and improve content. This may include IP address, browser and device information, pages visited, timestamps, and referrers. Lawful basis: legitimate interests (operate a secure, functional website); performance of a contract (serve requested pages).

I do not use public social media for service delivery. For direct communication with some clients, Signal and Apple iMessage may be used. Content is end-to-end encrypted; limited metadata may be processed by the providers, potentially outside the EU/EEA depending on provider policies and settings. Lawful basis: performance of a contract; legitimate interests (timely communication). Use of these messaging services is optional (an email alternative is available).

Service providers (processors): e.g., Zoho One (CRM/invoicing/hosting) under a written data processing agreement and subject to confidentiality/security obligations. Role: processor.

Professional advisers (independent controllers): external accountant for bookkeeping and tax compliance, acting as a separate controller with its own legal obligations and retention. Role: controller-to-controller disclosure.

Payers that require confirmation: where a company or school pays for lessons, necessary attendance/delivery confirmations may be shared to administer payment. Role: controller-to-controller disclosure.

Legal obligations and claims: disclosure required by law or necessary to establish, exercise, or defend legal claims.

Data location: Administrative records (e.g., scheduling, invoicing) are stored in EU data centres via Zoho.eu.

Zoom: Remote lessons may be conducted via Zoom. EU routing is enabled where available; however, routing/support may involve international transfers. Such transfers rely on recognised safeguards (e.g., an EU adequacy decision, the EU-US Data Privacy Framework where applicable, or the European Commission's Standard Clauses with any necessary supplementary measures). Copies of relevant safeguards are available on request.

If a meeting recording is created, storage and processing may involve Zoom systems that can route or store data outside the EEA under recognised safeguards.

Messaging apps transfers: When using Signal or Apple iMessage, message content is end-to-end encrypted; however, the providers may process limited account identifiers and metadata (e.g., phone numbers, timestamps, IP information) on infrastructure outside the EEA under their own safeguards.

Personal Data is protected with appropriate technical and organisational measures, including device and account access controls, encryption in transit and at rest where supported, regular software updates, least-privilege access, and secure backups. Third-party providers are vetted and bound by written terms. While no method of transmission or storage is entirely risk-free, safeguards are reviewed periodically and any incidents are handled in line with legal obligations.

Zoom usage: Zoom meeting recordings are disabled by default; any recording would occur only with prior notice and the Zoom recording consent prompt, and only where a suitable lawful basis applies.

Services are primarily for adults. In limited cases, lessons for minors are arranged by and provided under contract with a parent/guardian. No accounts are created for minors and no marketing is directed to them. Only minimal information strictly necessary for lesson delivery (e.g., first name and lesson time) is processed, and reasonable steps are taken to verify parental responsibility. Any Personal Data about a minor provided without parental authorisation will be deleted upon notice.

The Website includes a read-only blog section used to share learning resources and links to third-party sites (e.g., YouTube, Quizlet, Wordwall), and lesson materials, newsletters, emails, and other messages may also contain external links. The Website does not host user-generated content or comments. Linked websites and resources are operated by independent providers with their own privacy policies; following a link takes the visitor to the third party's site, and responsibility for their content and data handling rests with the respective provider.

Law enforcement and public authorities: Personal data may be disclosed to courts, police, or other public authorities only where required by law or where necessary and proportionate to respond to a valid legal request. Lawful basis: typically legal obligation or, where appropriate, legitimate interests; only the minimum necessary information will be shared.

Other legal requirements: Disclosure may occur to establish, exercise, or defend legal claims; to protect the rights, property, and safety of individuals; or to prevent or investigate suspected wrongdoing, where a relevant legal basis applies and sharing is necessary and proportionate.

Under the GDPR and Slovak Act No. 18/2018 Coll., individuals have rights subject to legal limitations and exemptions: access, rectification, erasure, restriction, objection, data portability, and the right not to be subject to decisions based solely on automated processing (including profiling). Requests are normally answered within one month of verifying identity; this may be extended by up to two further months where necessary due to complexity or number of request, with notice of the extension provided.

Requests can be made using the following contact details: dataprotection@eastwoodenglish.com. Identification may be requested to verify entitlement. Requests are free of charge; a reasonable fee may be charged or a request refused if manifestly unfounded or excessive. If a request is refused, reasons will be provided along with information about available remedies. Objections to direct marketing are honoured at any time.

Material changes will be posted on this page and the "Last updated" date will be adjusted. Where appropriate, a prominent notice or email will be used prior to changes taking effect. Please review this policy periodically.

Questions about this Privacy Policy, can be sent via the contact form using the contact form on the Contact Me page of this Website or by email (dataprotection@eastwoodenglish.com), or by post to the address provided above.