Skip to main content

Privacy Policy

Draft — pending legal review
Last updated:

1. Scope and applicable law

Ricotti Sisters Limited is a company registered in England and Wales (no. 16089144) operating an online language school for customers worldwide. When we handle your personal data we comply with the UK General Data Protection Regulation and the Data Protection Act 2018 as a UK-established business, and with the EU General Data Protection Regulation (Regulation 2016/679) under its Article 3(2) because we offer our services to customers in the European Union — including Italy, where we follow the Italian Personal Data Protection Code (D.lgs. 196/2003).

For your purchase contract, English law governs our Terms & Conditions, but if you are a consumer resident in the EU or UK you keep all mandatory consumer-protection rights granted by the law of your country of habitual residence (Rome I Regulation Art. 6) — including the Italian Consumer Code for Italian residents and the Consumer Rights Act 2015 for UK residents.

2. Who we are

This privacy notice describes how Ricotti Sisters Limited ("OLL", "we", "us", "our") collects and uses your personal data. We trade as Online Language Lessons at onlinelanguagelessons.uk.

  • Legal form: Private limited company registered in England and Wales
  • Company number: 16089144
  • Registered office: 34b Worple Road, Isleworth, England, TW7 7AP
  • VAT registration: GB 490 7948 42
  • Contact (including for any privacy or data-protection question): info@onlinelanguagelessons.uk

We are the controller of personal data we collect from you for the purposes set out below.

3. The personal data we collect

We collect only the data needed to deliver the service you've asked for. Each purpose below sets out what we collect, why, and on what lawful basis.

Provide language lessons (1-to-1, group, packages)

  • Personal data: name, email, phone, level-test result, lesson history, billing address.
  • Lawful basis: (b) performance of contract.
  • Retention: duration of the relationship + 6 years (UK Limitation Act 1980).

Process payment

  • Personal data: billing name, address, last 4 digits of card. We do not see full card details — Stripe processes those.
  • Lawful basis: (b) performance of contract.
  • Retention: 7 years (UK tax-record retention).

Issue invoices and comply with VAT / tax obligations

  • Personal data: name, address, VAT number where applicable, payment history.
  • Lawful basis: (c) legal obligation (UK Companies Act 2006 s.386; VAT Act 1994).
  • Retention: 7 years.

Record group lessons for classmates' catch-up and teacher feedback reports

  • Personal data: name, video, voice — only during scheduled group lessons.
  • Lawful basis: (f) legitimate interest. See §4 for the balancing assessment.
  • Retention: maximum 1 month from the lesson date, then automatically deleted.

Service updates and marketing

  • Personal data: email, first name.
  • Lawful basis: (a) consent. You can withdraw at any time using the unsubscribe link or by emailing us.
  • Retention: until you withdraw consent or 24 months of inactivity.

Defend or pursue legal claims

  • Personal data: all categories above.
  • Lawful basis: (f) legitimate interest.
  • Retention: up to 6 years (limitation period).

Recruit teachers and admin staff

  • Personal data: name, email, phone, CV, references, qualifications.
  • Lawful basis: (b) performance of contract — or (a) consent for unsolicited CVs.
  • Retention: 12 months after the role is closed, or until you ask us to delete.

Why we don't rely on "legitimate interest" for our main service. Providing the lessons you've paid for is a contract between you and us. The correct lawful basis for that is Article 6(1)(b), not legitimate interest.

4. Lesson recordings — legitimate-interests assessment

Group lessons are recorded as a standard, service-essential feature so that students who miss a session can catch up, and so that teachers can produce personalised feedback reports. We rely on Article 6(1)(f) UK/EU GDPR (legitimate interest). Our balancing assessment is:

  • Purpose: review for absent/late students; revision for all participants; teacher-generated feedback reports.
  • Necessity: in a shared group setting, partial recording is not workable; live-only delivery would deny revision and feedback to the whole cohort. Recording is necessary, not merely convenient.
  • Balance: access is restricted to enrolled classmates and authorised School staff under confidentiality; recordings are retained for a maximum of 1 month and then deleted automatically; no third-party disclosure, no marketing, no AI training, no profiling. Participants retain Art. 15 (access), Art. 17 (erasure) and Art. 21 (object) rights.

At the time of booking a group class, we ask you to tick an acknowledgment that recording will take place and that retention is capped at 1 month. The acknowledgment is logged with timestamp, IP and the version of this Notice in force at the time.

1-to-1 lessons are not recorded.

We do not deliberately collect special-category data (Article 9 GDPR). Lesson recordings may incidentally capture data revealing health, accent or other personal characteristics; we treat all recordings as confidential under the same access, retention and rights regime above. We do not use recordings for AI training, marketing, or external promotion.

If you cannot agree to group-lesson recording, please contact us before enrolling — we can usually arrange an equivalent 1-to-1 path.

5. Children's data

We accept enrolments only from individuals aged 18 or over. If a parent or legal guardian books lessons for a child, the parent or guardian is our contracting party, not the child. By placing a paid order, the parent or guardian:

  • confirms they hold parental responsibility for the child;
  • provides verifiable parental consent for our processing of the child's personal data, as required by Article 8 of the UK GDPR (United Kingdom: age 13), Article 8 of the EU GDPR (default age 16), and the Italian Personal Data Protection Code Art. 2-quinquies (Italy: age 14);
  • acknowledges this Privacy Notice in the version in force at the time of purchase.

The combination of (a) a paid order on a payment instrument in the parent's name and (b) an active checkout consent step gives us a verifiable record of parental authority — timestamp, IP, Notice version and order ID are logged against the child's account.

For each child we will:

  • collect only the first name, age and language level — never the child's contact details unless the parent specifically requests we email lesson handouts directly to the child;
  • never use the child's data for marketing;
  • delete the child's data within 12 months after the last lesson, or sooner on parental request.

Parents and guardians may exercise all of the rights in §10 on behalf of the child. To do so, email info@onlinelanguagelessons.uk. If you believe we hold a child's data without parental authority, please contact us and we will delete it without delay.

6. Who we share your data with

We use the following processors to deliver the service. Each is bound by a written data-processing agreement and processes your data only on our instructions.

  • Stripe Payments Europe Ltd — payment processing for EU/UK customers. Location: Ireland (EU).
  • WooCommerce (self-hosted on our WordPress server) — e-commerce platform on our own infrastructure. Location: United Kingdom.
  • Vercel Inc. — website hosting and Vercel Blob media storage. Location: EU regions (Frankfurt / Dublin).
  • Zoom Video Communications, Inc. — live group-lesson video delivery and recording. Location: United States (EU data-residency add-on enabled for our account).
  • {{EMAIL_PROVIDER}} — transactional email. Location: {{country}}.
  • Self-employed language teachers — lesson delivery. Location: UK and EEA (Italy, Spain, etc.).

A copy of any data-processing agreement is available on request at info@onlinelanguagelessons.uk.

7. International transfers

Your personal data is processed within the United Kingdom and the European Economic Area (EEA). Both jurisdictions provide equivalent protection under the UK GDPR and the EU GDPR respectively, and the UK Government has issued an adequacy regulation in favour of the EEA — so transfers between the UK and the EEA do not require additional safeguards.

The single exception is Zoom, which provides the video infrastructure for our live group lessons. Zoom is a US company; we have enabled Zoom's EU data-residency add-on so that meeting content (video, audio, chat, recordings) is processed in EU data centres, but a small amount of operational metadata may still flow to Zoom's US systems. That transfer is covered by the UK Extension to the EU–US Data Privacy Framework (Zoom is on the active DPF list) and, as a fallback, the UK Addendum to the European Commission's Standard Contractual Clauses.

If, in future, we adopt any other processor based outside the UK / EEA, we will update this notice and put the appropriate safeguard in place. You can request a copy of any safeguard at info@onlinelanguagelessons.uk.

8. Cookies and similar technologies

We use a small number of essential cookies that are necessary for the website to work (session, cart, login). These do not need your consent.

We also use non-essential cookies — for analytics (Google Analytics 4 via Google Tag Manager) and to remember your preferences. These only fire after you have given consent via the cookie banner. You can change your choice at any time using the "Cookie settings" link in the footer.

For the full list, see our Cookie Notice.

9. How long we keep your data

See the retention column in §3. In summary:

  • Tax/financial records: 7 years (HMRC requirements; UK Companies Act 2006 s.386).
  • Contract data (booking history, level): 6 years after our relationship ends (UK Limitation Act 1980).
  • Group-lesson recordings: maximum 1 month from the lesson date.
  • Marketing consent: until you withdraw or 24 months of inactivity.
  • Recruitment data: 12 months after the role is closed, unless you ask us to delete sooner.

10. Your rights

Under UK and EU GDPR you have the right to:

  • Access the personal data we hold about you;
  • Rectify data that is inaccurate or incomplete;
  • Erase ("right to be forgotten") personal data in certain circumstances;
  • Restrict how we process your data;
  • Object to processing based on legitimate interest or direct marketing;
  • Portability — receive your data in a structured, machine-readable format;
  • Withdraw consent at any time, where consent is our lawful basis;
  • Not be subject to a decision based solely on automated processing that significantly affects you (we do not currently use such automated decision-making).

To exercise any of these rights, email info@onlinelanguagelessons.uk. We will respond within one calendar month (extendable by a further 2 months for complex requests, in which case we will tell you why). We may ask you for proof of identity before responding.

There is no fee for a rights request, unless it is "manifestly unfounded or excessive" (in which case we will tell you).

11. How to complain

If you are unhappy with how we have handled your data, please contact us first — we will try to resolve it.

If you remain unhappy, you have the right to complain to a supervisory authority:

  • United Kingdom: Information Commissioner's Office (ICO) — Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF · 0303 123 1113 · ico.org.uk/make-a-complaint.
  • Italy: Garante per la protezione dei dati personali — Piazza Venezia, 11, 00187 Roma · garanteprivacy.it.
  • Other EEA countries: your national data-protection authority.

12. Changes to this notice

We review this notice at least once a year. The "last updated" date shown at the top of this page tells you the current version. Material changes will be notified by email to customers with an active account.