

Privacy Policy

This Privacy Policy explains how Steve Hoca collects, uses and protects your personal data when you use this website (stevehocaenglish.com), our contact form, or enrol in one of our English exam preparation courses.

Last updated: 28 May 2026

1. Who we are

Steve Hoca (“we”, “us”, “our”) is an English language tutor and SELT exam preparation specialist based in London, United Kingdom. We are the data controller responsible for your personal data when you interact with this website or enrol in a course. If you have any questions about this policy or your personal data, you can contact us at stevehocaenglish@gmail.com.

2. What data we collect

We only collect the data we genuinely need to deliver our services:
• Identity data — your full name and (optionally) your phone number.
• Contact data — your email address and any phone or WhatsApp number you choose to share.
• Enquiry data — the subject and message you send via the contact form.
• Transaction data — when you purchase a course, the payment is processed by Stripe. We receive limited transaction details (e.g. course purchased, amount, currency, payment status and a Stripe Payment Intent ID), but we never see or store your full card details.
• Technical data — minimal server logs (IP address, timestamps, basic request data) used for security and to prevent abuse of the contact form (rate limiting).

We do not knowingly collect personal data from children under 16. Our courses are aimed at adult learners.

3. How we use your data and lawful basis (UK GDPR)

We process your personal data only for clearly defined purposes:
• To respond to your enquiry (lawful basis: legitimate interest and, where you contact us, your consent).
• To deliver courses you have purchased and provide customer support (lawful basis: performance of a contract).
• To process payments via Stripe (lawful basis: performance of a contract).
• To prevent fraud, abuse and ensure website security (lawful basis: legitimate interest).
• To comply with our legal obligations such as accounting and tax record-keeping (lawful basis: legal obligation).

We will never sell your personal data, and we will not send you marketing messages unless you explicitly opt in.

4. Payments via Stripe

All online payments on this website are processed by Stripe Payments Europe, Limited and its UK affiliate. When you pay for a course you are redirected to Stripe’s secure, PCI-DSS Level 1 compliant checkout. We never see, store or have access to your full card number, CVC or other sensitive card data. Stripe acts as an independent data controller for the payment data it processes. Their privacy policy is available at https://stripe.com/privacy.

5. Email and third-party processors

Transactional emails (such as the confirmation of your purchase and the contact form notifications sent to Steve) are delivered through Resend (resend.com), a service used as our data processor. We may also use trusted infrastructure providers such as Vercel (hosting) and Stripe (payments). These providers act under written agreements and only process your data on our behalf and on our instructions.

6. International transfers

Some of our service providers (Stripe, Resend, Vercel) may store or process data outside the United Kingdom and the European Economic Area, including in the United States. Where this happens we rely on appropriate safeguards such as the UK International Data Transfer Addendum and the EU Standard Contractual Clauses to ensure your data is protected to a comparable standard.

7. How long we keep your data

We keep your personal data only for as long as necessary for the purposes set out above:
• Contact form enquiries: up to 24 months after our last contact with you.
• Course purchase records: up to 7 years to comply with UK accounting and tax legislation.
• Technical logs: a few weeks, then automatically deleted.

After these periods data is either deleted or anonymised.

8. Your rights

Under the UK GDPR you have the right to:
• Access the personal data we hold about you.
• Ask us to correct any inaccurate data.
• Ask us to erase your data where there is no good reason for us to keep it.
• Object to or restrict our processing of your data.
• Receive a copy of your data in a portable format.
• Withdraw your consent at any time, where consent is the lawful basis.

You can exercise any of these rights by emailing stevehocaenglish@gmail.com. We will respond within one month. You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk.

9. Cookies and analytics

This website uses only the strictly necessary technical cookies required to operate the site (for example, session and security cookies). We do not use third-party advertising or behavioural tracking cookies. We use Vercel Analytics, a privacy-friendly, cookieless analytics tool, to understand aggregate, anonymous traffic patterns (such as page views and overall performance). It does not use cookies, does not track you across other websites and does not collect personally identifiable information.

10. Changes to this policy

We may update this Privacy Policy from time to time. The latest version will always be available at this URL with the “Last updated” date at the top. For any significant changes we will let you know via the website. If you have any questions or concerns, please contact us at stevehocaenglish@gmail.com.
