Privacy Policy
Last updated: 11 April 2026
1. Who we are
TESSA Training is an online continuing professional development platform for social care professionals, operated by Tessa Tools Ltd, a company registered in England and Wales under company number 16752016, with its registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ.
For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, Tessa Tools Ltd is the data controller of the personal data you provide to us through tessa-tools.co.uk.
This policy explains, in line with Articles 13 and 14 of the UK GDPR, what personal data we collect, why we collect it, what we do with it, how long we keep it, who we share it with, and the rights you have over it.
2. The personal data we collect
2.1 Data you give us directly
- Account identifiers: your email address (required for magic-link login), full name, job title, the sector you work in (local authority, NHS, charity or third sector, private care provider, independent or self-employed, or other), employing organisation (if you registered through an invite code), and professional track (adults or children's social care).
- Invite codes: if you register through an organisational invite, the invite code you used and your link to that organisation.
- Training records: which modules you have started, your quiz attempts (including your answers), module completion status, scores, and the CPD certificates generated from them.
- Support correspondence: the content of any messages you send us through email or contact forms.
- Accessibility preferences: if you adjust the display settings, your choices are stored in your browser's local storage so the site remembers them next time.
2.2 Data we collect automatically when you use the platform
- Authentication events: timestamps of logins and logouts, and the Supabase session identifier associated with your browser. This is strictly necessary to keep you signed in.
- Engagement events: when you view a module page, start a quiz, submit a quiz, or download a certificate, we record the event type, the module number, and the timestamp. We do this as first-party tracking only; no third-party analytics provider is involved. We use this to evidence CPD activity and to understand which parts of the platform are useful so we can improve them.
- Server-side request logs: our backend provider (Supabase) and hosting provider (Netlify) retain short-lived request logs that may include your IP address for security and abuse-prevention purposes. We do not combine these logs with your profile for behavioural profiling.
We do not use third-party advertising networks, retargeting pixels, social media trackers, Google Analytics, or any behavioural advertising technology on the training platform.
3. Why we process your data and our lawful bases
For each processing purpose, we rely on one of the lawful bases set out in Article 6 of the UK GDPR:
- Performing our contract with you (Article 6(1)(b)): creating and managing your account, sending you magic-link login emails, tracking your progress through modules, storing your quiz attempts, issuing your CPD certificates, and providing user support.
- Our legitimate interests (Article 6(1)(f)): understanding which modules and sections are used so we can improve the platform; keeping short-lived access logs for fraud, abuse, and security purposes; and providing the completion reports described in section 4.3 to organisational customers who have purchased seats for their staff. We have balanced these interests against your rights and reasonable expectations and consider the impact on you minimal because the data is first-party, proportionate to the product, and never sold or shared for advertising.
- Legal obligation (Article 6(1)(c)): retaining evidence of CPD activity where this is required to support professional audit trails, and complying with our tax, accounting, and regulatory duties.
- Consent (Article 6(1)(a)): where we ever ask you to opt in to something that is not essential, such as future optional mailing lists, we rely on your explicit, freely given consent and you can withdraw it at any time without affecting your access to the training.
4. Who we share your data with
4.1 Processors we use
The following third parties act as data processors on our behalf. Each is bound by a written data processing agreement that meets the requirements of Article 28 of the UK GDPR.
- Supabase Inc. — our backend-as-a-service provider. Hosts the database that stores your profile, training progress, quiz attempts, and certificates. The training project runs in Supabase's eu-west-1 (Ireland) region on servers located in the European Union. Data is encrypted in transit (TLS 1.2 or higher) and at rest.
- Netlify, Inc. — hosting provider for the website's static pages and JavaScript. Netlify serves our pages to you and retains short-term request logs for security.
- Transactional email (magic-link delivery): Magic-link login emails are currently delivered through Supabase Inc.'s built-in transactional email service, which is operated by Supabase as part of the backend platform described above. We never send marketing through this channel, only the authentication email required to sign you in. We are planning to move transactional email to a dedicated UK/EU SMTP provider in the next iteration and will update this policy to name that provider before switching.
4.2 Sub-processors used indirectly
Supabase and Netlify each rely on their own infrastructure providers (for example, Amazon Web Services data centres in Ireland for Supabase's eu-west-1 region, and Netlify's own edge network). Supabase and Netlify maintain public lists of their sub-processors, which we review before onboarding and monitor for changes.
4.3 Organisational customers
If you registered through an organisational invite (for example, your employer purchased seats for their staff), the organisation that invited you is a separate data controller for the training records generated in the course of your employment. We share your name, track, module completion status, quiz scores, and certificate-issue dates with a nominated administrator at that organisation for the purpose of managing their team's training. We do not share your free-text answers, reflective notes, or login times. Our lawful basis for this sharing is our legitimate interest (Article 6(1)(f)) in fulfilling our contract with the organisation; the organisation relies on its own legitimate interest in administering its training programme.
4.4 Legal and safeguarding disclosures
We may disclose your personal data where we are legally compelled to do so (for example, a court order or a valid ICO request), or where disclosure is necessary to protect the vital interests of a person at risk under our safeguarding duties.
4.5 We do not sell your data
We do not sell, rent, trade, or otherwise monetise your personal data, and we do not share it with advertising networks, data brokers, or any third party for marketing purposes.
5. International transfers
Tessa Tools Ltd is a UK controller. Your personal data is stored and processed in the European Economic Area (the Republic of Ireland) by Supabase. UK-to-EEA transfers are covered by the UK Government's adequacy decision for the European Economic Area, so no additional transfer safeguards are required for this route.
If at any point a processor we use routes support or diagnostic access through a country that is not covered by a UK adequacy decision, we will apply appropriate safeguards under Article 46 of the UK GDPR, typically the International Data Transfer Agreement (UK IDTA) or the UK Addendum to the EU Standard Contractual Clauses, supported by a documented Transfer Risk Assessment.
6. How long we keep your data
- Active account data (profile, progress, quiz attempts): retained for as long as your account is active.
- Dormant accounts: if you do not sign in for 24 consecutive months we will notify you by email and then delete your account and associated records within 30 days unless you ask us to keep it open.
- CPD certificates and the quiz records that support them: retained for seven years from the date of issue to support professional audit trails, in line with general CPD good practice. After seven years the records are deleted.
- Support correspondence: retained for 24 months after the matter is closed, then deleted.
- Server-side access and authentication logs: retained for 30 days, then deleted.
- Accounts you actively ask us to close: deleted within 30 days of your request, except for any information we are legally required to retain (for example, invoicing records).
You can ask us to delete your account sooner by emailing compliance@tessa-tools.org.
7. Security
We take the security of your data seriously and have implemented the following technical and organisational measures in line with Article 32 of the UK GDPR:
- TLS 1.2 or higher for all data in transit between your browser and our backend.
- Encryption at rest on the Supabase database volumes.
- Row-level security (RLS) policies on every database table, so that a signed-in user can read and write only their own rows, even when the request reaches the database directly through the public API rather than through our pages.
- Magic-link authentication only — we never store passwords.
- Self-hosted fonts and scripts, so visiting the training platform does not cause your IP address to be shared with third-party CDNs.
- Regular review of access permissions, supplier sub-processor lists, and software dependencies.
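For readers who want to see what the row-level security measure above looks like in practice, here is an added example written for this page; it is not Tessa Tools' own schema or policy set. It assumes a hypothetical Supabase (PostgreSQL) table called quiz_attempts with a user_id column, and uses Supabase's auth.uid() function, which returns the user id carried in the verified session token.

```sql
-- Added example, not Tessa Tools' own schema or policies.
-- Table and column names below are assumptions for illustration.

create table if not exists quiz_attempts (
  id         bigint generated always as identity primary key,
  user_id    uuid not null default auth.uid()
             references auth.users (id) on delete cascade,
  module_no  integer not null,
  answers    jsonb not null,
  score      integer,
  created_at timestamptz not null default now()
);

-- 1. Switch RLS on. Until this runs, the policies below are never
--    consulted and any authenticated client can read every row via the API.
alter table quiz_attempts enable row level security;

-- 2. Apply RLS to the table owner as well, so a connection made with the
--    owner role cannot silently bypass it.
alter table quiz_attempts force row level security;

-- 3. A learner can read only their own attempts. auth.uid() comes from the
--    verified JWT; for anonymous requests it is NULL and matches no rows.
create policy quiz_attempts_select_own on quiz_attempts
  for select to authenticated
  using (user_id = auth.uid());

-- 4. A learner can insert attempts only for themselves. The WITH CHECK
--    clause is what stops a client from posting someone else's user_id.
create policy quiz_attempts_insert_own on quiz_attempts
  for insert to authenticated
  with check (user_id = auth.uid());

-- 5. Deliberately no UPDATE or DELETE policy for learners: a submitted
--    attempt is the evidence behind a CPD certificate, so it cannot be
--    altered or removed through the public API. Retention-driven deletion
--    runs server-side with a privileged role instead.

-- Quick check from the SQL editor: impersonate a learner and confirm that
-- only that learner's rows are visible. The UUID is a placeholder.
begin;
  set local role authenticated;
  select set_config(
    'request.jwt.claims',
    '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}',
    true);
  select count(*) from quiz_attempts;  -- counts only that learner's attempts
rollback;
```

Two caveats a reviewer would check alongside the policy text: the Supabase service-role key bypasses RLS entirely, so it must exist only on the server and never be shipped to the browser, and a table added later without an ENABLE ROW LEVEL SECURITY statement is fully readable through the anon key, so "every database table" has to be re-verified each time the schema changes.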
If you think your account has been compromised, please email us immediately at compliance@tessa-tools.org.
8. Your rights
Under the UK GDPR you have the following rights in respect of personal data we hold about you:
- The right to be informed (which this policy is part of).
- The right of access — to receive a copy of the personal data we hold about you.
- The right to rectification of inaccurate or incomplete data.
- The right to erasure (the "right to be forgotten").
- The right to restrict our processing of your data.
- The right to data portability — to receive your data in a structured, commonly used, machine-readable format.
- The right to object to processing that is based on our legitimate interests.
- The right to withdraw consent at any time where we are relying on consent as our lawful basis.
- Rights relating to automated decision-making and profiling (we do not carry out any automated decision-making of the kind that produces legal or similarly significant effects on you).
To exercise any of these rights, email compliance@tessa-tools.org. We will respond within one calendar month of receiving a valid request. There is no fee for exercising your rights in most cases.
9. How to complain
If you are unhappy with how we have handled your personal data, please tell us first so we can try to put things right. You also have the right to complain directly to the UK supervisory authority:
- Information Commissioner's Office (ICO)
- Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
- Helpline: 0303 123 1113
- Website: ico.org.uk
10. Professionals only, 18 and over
TESSA Training is intended for registered and working social care professionals aged 18 or over. We do not knowingly collect data from children, and we ask all users to confirm at sign-up that they meet this eligibility criterion. If you believe a minor has signed up, please contact us and we will delete the account.
11. Browser privacy signals (Global Privacy Control)
We respect the Global Privacy Control (GPC) browser signal. Because we run no behavioural advertising, retargeting, or third-party analytics on the training platform, the only processing a GPC signal can affect is the first-party engagement tracking described in section 2.2: when your browser sends the signal, those engagement events are not recorded for the duration of your session. Strictly necessary authentication and progress records are still stored, because they are required to deliver the training service you have asked for.
We do not rely on the legacy "Do Not Track" (DNT) header, which is no longer consistently sent by modern browsers.
12. Changes to this policy
When we make material changes to this policy we will update the "Last updated" date at the top and, where the change is significant, notify active learners by email. Minor clarifications may be made without notice. Previous versions are available on request.
13. Contact us
- Data protection matters: compliance@tessa-tools.org
- General enquiries: hello@tessa-tools.org
- Postal address: Tessa Tools Ltd, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ