Kip McGrath Education Centers Ltd Privacy Policy

Purpose of policy

Commitment to Privacy: The Group, encompassing Kip McGrath Education Centers Limited and its subsidiary legal entities (the group - as listed below in 2.3), is committed to protecting the privacy of individuals. We adhere to the Australian Privacy Principles set out in the Privacy Act 1988 (Cth); the United Kingdom General Data Protection Regulation; the Children's Online Privacy Protection Act (COPPA) in the United States; state-specific privacy laws such as the California Consumer Privacy Act (CCPA), the Virginia Consumer Data Protection Act (VCDPA), and others; the Privacy Act 2020 in New Zealand; the Protection of Personal Information Act (POPIA) in South Africa; and other applicable data privacy and protection laws globally. This Privacy Policy outlines our practices for collecting, using, disclosing, and managing personal information, emphasizing our commitment to complying with both global and local data protection standards, including those specifically protecting children's privacy.

Data Controllers and Processors: For the purpose of the General Data Protection Regulation, Kip McGrath Education Centers Limited and its subsidiary legal entities are generally the data controllers. In specific contexts, such as when offering business intelligence services to our corporate affiliates, we act as data processors.


About Kip McGrath Education Centers Limited

Kip McGrath Education Centers Limited is an Australian listed company. Kip McGrath Education Centers Limited is incorporated and registered in Australia with Australian company number 003 415 889 and has its registered office at Newcastle East, NSW 2300. The Group operates tutoring service centers in Queensland, New South Wales, Victoria, Tasmania, Western Australia, the Australian Capital Territory, New Zealand, the United States and the United Kingdom.The Group operates as a franchisor in Australia, New Zealand, United Kingdom, South Africa, Kenya and the United Arab Emirates, where centers are operated by franchisees. It also provides tutoring services in the United States through the subsidiary company Tutorfly Holdings Inc.

This Privacy Policy applies to the Group and its privacy practices in Australia (including privacy practices concerning European Economic Area and United Kingdom based website visitors), the United States, New Zealand and other countries the Group has a presence in unless a separate privacy policy applies to a particular Group business. Our separate privacy policies applicable to different businesses within the Group are:

  1. Service Centers in Australia (Kip McGrath Direct Pty Ltd)
  2. Franchises in Australia (Kip McGrath Education Australia Pty Ltd)
  3. Service Centers in NZ (Kip McGrath Education New Zealand Limited)
  4. Franchises in NZ (Kip McGrath Education New Zealand Limited)
  5. Service Centers in UK (Kip McGrath Education United Kingdom Ltd)
  6. Franchises in UK (Kip McGrath Global Pty Limited)
  7. Operations in the US (Tutorfly Holdings, Inc.)
  8. Service Centers in the US (Kip McGrath Inc.)
  9. Franchises in other international locations (Kip McGrath Global Pty Limited)


Name, Country of incorporation, percentage ownership

Company Name Country Ownership Percentage
Kip McGrath Education Australia Pty Ltd Australia 100%
Kip McGrath Global Pty Limited Australia 100%
Kip McGrath Direct Pty Ltd Australia 100%
Kip McGrath Education United Kingdom Ltd United Kingdom 100%
Kip McGrath Education New Zealand Limited New Zealand 100%
Tutorfly Holdings, Inc. United States of America 100%
Kip McGrath Inc. United States of America 100%


Collection: The kinds of personal information we collect and hold

We collect and hold personal information about you depending on your interaction with us. This includes, but is not limited to, Identity Data, Contact Data, Marketing and Communications Data, and Usage Data. We have clarified the types of personal data we collect and the context in which we collect them to avoid any ambiguity.


Type of personal data


Identity Data

Data which identifies you (including name, username, title, school year, date of birth and gender)

Contact Data

Contact details (including postal address, telephone number and email address)

Marketing and Communications Data

Data which we capture when you sign up to newsletters, including your communication preferences

Usage Data

Information about how you use this site and our services, including how you navigate this site and if you encounter any problems

Educational Data

Information about you or your child’s education history and academic cycle that you submit on this site when you book a free assessment or which you may provide to us when you make an enquiry

Social Media Data

When you connect with us or like or follow our social media accounts we may have access to your personal data through the social media platform, including your social media handle, photograph, date of birth, location, occupation, interests and other information and content you make available via your social media accounts

Technical Data

Electronic information which is automatically logged/stored by processing equipment, including internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this site.

We may also collect, use and share aggregated data such as statistical or demographic data for any purpose.

Aggregated data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific feature of this site. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Privacy Policy.

We do not collect special categories of personal data about you through the use of our websites. This includes details about your race or ethnicity, religious or philosophical beliefs, political opinions, information about your health and genetic and biometric data. Nor do we collect any information about criminal convictions and offenses.

If you apply to work with us, we will for the purpose of assessing and progressing your employment application collect the details that you include in your application and during any interview process with us.  This collection of data is limited to the scope of information in which we have a legitimate interest as your potential future employer, e.g. your name, contact details and information about your education and employment history.  If we decide not to employ you, we will delete your personal information: (i) upon your request; or (ii) after a transition period of three months after the employment decision, unless we have a legitimate interest in keeping your personal information for a longer period.


How we collect and hold personal information

4.1 Direct interactions:

The Group collects personal data from you in a number of different ways.  We may collect personal information directly from you (or someone on your behalf) or in the course of our dealings with you, for example when you:

  1. browse or use our Websites (including via cookies and other information collection technologies);
  2. book a free assessment;
  3. subscribe to receiving marketing communications;
  4. reserve a place at one of our franchise information sessions;
  5. complete a survey;
  6. connect with us, follow us or ‘like’ us on social media;
  7. apply to work with us; or
  8. contact and correspond with us, for example to ask for information or make a complaint.


Automated technologies or interactions:


4.3 Third parties:

We engage with various third-party sources to collect personal data, enhancing our services and ensuring a tailored user experience. Below are the categories and types of third parties from which we may receive personal data:

  1. Social Media Platforms: We obtain Social Media Data from platforms like Facebook, Instagram, LinkedIn, Twitter, and Google+. This data, which may include your interactions with our social media content or ads, helps us understand your preferences and improve our engagement strategies. These platforms may be located both within and outside the EU, adhering to their respective privacy policies.
  2. Technical Data Providers:
    1. Analytics Providers: Tools such as Google Analytics and Facebook pixel tags offer insights into user behavior on our website, aiding us in refining our content and service offerings.
    2. Advertising Networks: We collaborate with advertising networks to present relevant advertisements to you, utilizing data to ensure the ads align with your interests.
    3. Search Information Providers: Data from providers that offer insights based on search engine usage helps us optimize our online presence and content relevance.
  3. Publicly Available Sources: We may access publicly available information, including data available on social media platforms or public registries, to better understand market trends and to validate or enrich the information we hold.
  4. Franchisee Data Sharing: Our franchisees play a crucial role in service delivery. We may receive information from them to facilitate the provision of requested services, ensuring a consistent and seamless user experience across our network.
  5. Data Usage: Information received from these third parties will be utilized in accordance with this Privacy Policy, respecting your privacy preferences and adhering to applicable data protection laws.
  6. Transparency and Control: We are committed to transparency regarding the third-party sources we engage with. You have the right to know how your data is being collected and used and to exercise control over your personal information.


How and why we use personal data

We will only collect and process your personal data where we have a legal basis to do so. This legal basis will vary depending on the manner and purpose for which we are collecting your personal information. The circumstances in which we may use your personal data are as follows:

  1. Where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract;
  2. Where it is necessary to comply with a legal or regulatory obligation that we are subject to;
  3. Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests; or
  4. Where we have your consent to do so, subject to your right to withdraw consent (further details provided in the section headed “Your rights” below).

We have set out in the table below a description of all the ways we plan to use your personal data, and which of the above legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you require further detail about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.


What we use your personal information for

Type of data

Lawful basis for processing

Basis of legitimate interest (where applicable)

To manage our relationship with you, this will include notifying you about changes to our terms or Privacy Policy.




Social Media

Marketing and Communications


Necessary to comply with a legal obligation

Necessary for our legitimate interests


To conduct our business and to keep our records updated

To administer and protect our business and systems, including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data






Necessary to comply with a legal obligation

Necessary for our legitimate interests


For running of our business, provision of administration and IT services, network security and to prevent fraud

To set up, manage access to, and maintain the security of, your online account for the Student Portal and Parent Portal






Consent – given at the time of registering an online account for the Student Portal and Parent Portal

Necessary for our legitimate interests

Necessary for the performance of a contract with you

To conduct our business – to be able to perform our contracts with students and conduct our business

To deliver relevant website content and advertisements to you based upon your preferences.





Marketing and Communications

Consent - given at time of enrolment


To let you know about promotions or products that may be of interest to you

To use data analytics to improve our websites and our services, marketing, customer relationships and experiences





Necessary for our legitimate interests

To define our customer base, to keep our websites and services updated and relevant, to inform our product and marketing strategy to grow our business

To deal with and respond to queries submitted to us via this site, social media accounts, by post, email or by telephone



Social Media


Marketing and Communications

Consent – given at the time of contact

Necessary for our legitimate interests

To conduct our business and improve our services and keep our records up-to-date

To assess and progress your employment application, including conducting reference checks and any psychometric or other testing used as part of the recruitment process



Necessary for our legitimate interests

To assess job suitability and protect company assets and employees by hiring appropriate candidates.

To carry out our business and franchisor functions and activities, including meeting our legal and regulatory obligations.




Necessary for compliance with a legal obligation or our legitimate interests

To comply with legislation and comply with requests of competent authorities or orders

To administer our share registry, including communications with our shareholders and receiving tax file number notifications from the Australian Tax Office. 



Necessary for our legitimate interests

To process for legitimate interests of administering our share registry



Marketing communications from us: We may send you marketing communications if you:

  1. are a student or a student’s parent/guardian and you have not opted out of receiving marketing communications from us;
  2. have booked an assessment and you have consented to receive marketing communications from us; or
  3. have otherwise consented to receive marketing communications from us.

Third party marketing:

  1. we will only share your personal data with another company for marketing purposes if you have expressly consented to us doing so.

Opting out: You can ask us and our franchisees to stop sending you marketing communications at any time, by:

  1. clicking the unsubscribe link in the footer of any marketing email from us;
  2. contacting us in accordance with section 18.


Children's Personal Data in the UK

We are dedicated to safeguarding the personal data of all our users, especially children, and are committed to complying with all applicable laws and regulations concerning children's data protection in the UK.


Children's Personal Data in the United States


In compliance with the Children's Online Privacy Protection Act (COPPA), our organization is committed to protecting the privacy of children in the United States. This section outlines our practices concerning the collection, use, and disclosure of personal information from children under the age of 13.

By adhering to these principles, we ensure our compliance with COPPA and demonstrate our commitment to protecting the privacy of children in the United States.


Change of purpose

We will only use your personal data for the purposes for which we originally collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we wish to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

We may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.


If you fail to provide personal data

If we are not able to collect personal data about you we may not be able to provide you with products, services and assistance to the extent that they require us to collect, use or disclose your personal data.  For example, we will be unable to progress your employment application if you cannot provide us with details of your employment history.


Information collection technologies (including cookies)

Our websites use cookies and other technologies such as internet tags and navigational data collection, which passively collect information (which means it is collected without you actively providing it).  The technologies we use collect information such as your IP address, your device’s unique identifier number, date, time and duration of your visit and the web address of the website that you visited before you arrived at our Website.  

We use Google Analytics to help analyze use of our websites. This analytical tool uses “Cookies” which are small text files placed on your computer to collect standard internet log information and visitor behavior information.

Our websites use cookies for a number of purposes, for instance to enable us to identify which pages are being used, analyze data about web page traffic, build a demographic profile and improve our sites in order to tailor it to customer needs. Overall, cookies help us to provide you with a better site, by enabling us to monitor which pages you find useful and which you do not.

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies (and the above websites tell you how to do this). If you disable or refuse cookies, please note that some parts of our sites may become inaccessible or not function properly. For more information about the cookies we use and the reasons why we use them, please see our Cookies Policy on our website.



We may have to share your personal data with third parties, including third party service providers and other group companies.

We require third parties to respect the security of your data, keep it confidential, and to treat it in accordance with the law.

We will share your personal information with third parties where required by law, where it is necessary to perform a contract with you (if you are a student, an employee or a franchisee) or where we have another legitimate interest in doing so.

We may share your personal data with the third parties set out below:

We require all our data processors to respect the security of your personal data and to treat it in accordance with the law. We do not allow our data processors to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions as set out in our data sharing agreements.

In some instances where we share data with third parties, those third parties will also be controllers of your data. We shall not be responsible or liable for the way in which other data controllers hold or process your personal data. Please contact those third parties for further information regarding how they will use your data. We shall only share your personal data with third parties in accordance with this Privacy Policy.

Our websites may contain links to the websites of our partner networks, advertisers and affiliates, which are outside of our control and are not covered by this Privacy Policy. If you access other sites using the links provided, the operators of these sites may collect information from you which will be used by them in accordance with their own privacy policies. We would encourage you to read the privacy policies on the other websites you visit.

Some of the third parties to whom we disclose your personal data may be located outside Australia. See section 12.

If we need to use or disclose your personal information for any other purpose, we will obtain your consent first, unless we are required or authorized by law (including the Data Protection Laws) to do so.  This exception will often cover our dealings with law enforcement authorities.

Where the processing activities rely upon your consent, you have the right to withdraw that consent at any time.  You may do so by contacting us in accordance with section 18. 


Data Security

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed (including appropriate firewalls, encryption technology such as HTTPS, and passwords). Unfortunately, however, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our websites; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorized access.

In addition, the personal information you provide to us is only available to authorized personnel of the KIP MCGRATHC group who need access to the information to fulfill their duties. They will only process your personal information on our instructions and they shall be subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

Once we no longer require your personal information, we will take reasonable steps to destroy it or anonymize it in a secure manner.


Data storage

We are committed to ensuring the security and integrity of your personal information. Our data storage solutions exclusively utilize Amazon Web Services (AWS) and Microsoft Azure, industry-leading cloud service providers known for their robust security measures and global compliance standards.

  1. Cloud Storage: All personal data collected by us is stored securely on AWS and Azure cloud servers. These platforms provide advanced security features that ensure your data is protected against unauthorized access, disclosure, alteration, and destruction.
  2. Data Location: While AWS and Azure operate data centers globally, we predominantly use servers located in the regions that best align with our operational requirements and compliance with data protection laws. This approach helps in minimizing latency, ensuring data resilience, and complying with jurisdictional legal requirements.
  3. Data Encryption: We implement encryption in transit and at rest to protect your personal data. AWS and Azure offer built-in encryption features that secure your data as it is stored and when it is transmitted across networks.
  4. Data Access: Access to data stored on AWS and Azure is strictly controlled and monitored. Only authorized personnel within our organization have access to this data, and such access is based on the principle of least privilege, ensuring that individuals only have access to the information necessary for their role.
  5. Compliance and Certifications: AWS and Azure comply with a comprehensive set of international and industry-specific compliance standards, such as GDPR, HIPAA, and ISO 27001, among others. We leverage these compliance frameworks to ensure that our data storage practices meet or exceed industry standards and regulatory requirements.
  6. Data Retention: We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, as detailed in our policy, or as required by law. Following this period, personal data is securely deleted or anonymized.
  7. Data Resilience: AWS and Azure provide robust data backup and disaster recovery solutions, ensuring that personal data is protected against loss, corruption, and other potential risks. Our use of these platforms ensures that we can quickly restore data in the event of an incident.

By utilizing AWS and Azure, we ensure that your personal data is stored on secure, compliant, and reliable platforms, reflecting our commitment to protecting your privacy and data security.


Overseas disclosures

In our commitment to transparency and protecting your personal data, we acknowledge that, due to our exclusive use of Amazon Web Services (AWS) and Microsoft Azure, your data may be stored and processed globally. Additionally, we disclose how third parties may access data where necessary for business operations.

Global Data Storage: Your personal information may be stored and processed on servers provided by AWS and Azure, which are located in various countries around the world. The choice of data center locations is influenced by operational needs, data center capabilities, and compliance with applicable data protection laws.

  1. Third-Party Access: In the course of doing business, certain third-party service providers may have limited access to your data. These parties include but are not limited to:
    • IT support and maintenance providers
    • Data analytics and business intelligence services
    • Customer service platforms and support tools
    • Payment processing services
    • Marketing and communication service providers
  2. All third parties with access to personal data are rigorously vetted and bound by contractual obligations to ensure data confidentiality and compliance with relevant data protection laws.
  3. Legal Compliance and Data Transfer Mechanisms: We ensure all international data transfers comply with applicable legal requirements, using mechanisms like Standard Contractual Clauses or adherence to recognized frameworks like the EU-US Privacy Shield, where applicable.
  4. User Rights and Transparency: We remain committed to ensuring your rights are protected, regardless of where your data is processed. Our policy includes provisions for you to exercise rights over your personal data, including access, rectification, erasure, and objection to processing.
  5. Review and Oversight: Our data transfer and storage practices are regularly reviewed to ensure they align with legal standards and best practices in data security and privacy.

By utilizing the global infrastructure of AWS and Azure and engaging with third-party service providers where necessary, we aim to offer secure and efficient services while upholding our commitment to data protection and user privacy.


Accessing and correcting the information we keep about you and other rights


Notifiable data breaches scheme


How to lodge a complaint

Region Address Contact
Australia Office of the Australian Information Commissioner (OAIC)
GPO Box 5288, Sydney NSW 2001
Tel: 1300 363 992
United Kingdom United Kingdom Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow SK9 5AF
Tel: 0303 123 1113
United States COPPA mailbox Email:

Continuous Improvement: We are committed to continuously improving our privacy practices based on the feedback and concerns raised by our users and stakeholders.


Accuracy and Updating of your data


Revisions to this Privacy Policy


Contact us

Region Address Contact
Australia and New Zealand Kip McGrath Education Centers Global Head Office
7 Bond Street
Newcastle East, NSW 2300
Phone: +61 2 4929 6711
United Kingdom Kip McGrath Education Centers UK Head Office
Railway House
Bruton Way
Telephone: 01452 382282
United States of America Tutorfly Holdings Inc.
Attn: Privacy Officer
4925 Marcus Ave Apt 3204
Addison TX 75001