Privacy Policy

1. Who we are

SENCO AI is a product of TM Advocacy Ltd, a company registered in England and Wales. We are the data controller for the personal data processed through the SENCO AI platform.

Contact: contact@sencoai.co.uk

2. What data we collect

We collect and process the following categories of personal data:

• - Account data: names and email addresses of school staff who use the platform, authenticated via Microsoft single sign-on (SSO).
• - School profile data: school name, type, URN, GIAS data, staffing information, and SEND provision details.
• - Consultation documents: EHCP documents, consultation letters, and supporting evidence uploaded by school staff. These may contain children's names, dates of birth, special educational needs, and health information.
• - Usage data: feature usage, consultation response history, and platform interaction data.
• - Payment data: billing details processed by Stripe. We do not store card numbers or financial details on our servers.

3. Lawful basis for processing

We process personal data under the following lawful bases:

• - Contract: processing account and payment data is necessary to provide the SENCO AI subscription service.
• - Legitimate interests: processing consultation documents and school data to provide AI-powered analysis and consultation response generation. Our legitimate interest is delivering the core product functionality that schools have engaged us for.

Where consultation documents contain special category data (health information, SEN data), we process this under Article 9(2)(g) UK GDPR — processing necessary for reasons of substantial public interest, specifically the provision of education services in accordance with the Children and Families Act 2014.

4. How we use your data

We use your data to:

• - Provide AI-powered consultation analysis and response generation
• - Authenticate your identity and manage your account
• - Process subscription payments
• - Improve the platform and develop new features
• - Communicate with you about your account and the service

We do not sell your data. We do not use your consultation documents or children's data to train AI models.

5. How we protect child data

Consultation documents may contain sensitive information about children, including names, dates of birth, and special educational needs. We take specific measures to protect this data at every stage of processing.

• - PII Guard: before any document is sent for AI analysis, children's names and dates of birth are replaced with anonymous placeholders (e.g. "[Child-1]"). Anthropic never receives identifiable child information. Real names are restored only within our secure infrastructure before the response is shown to the school.
• - Three-tier data architecture: operational data (with names) is held in the secure Bronze tier. Analytics data uses irreversible pseudonymisation for aggregate insights. No child PII is included in any external-facing tier.
• - Safety net detection: an automated detection layer scans for any personal information that may have been missed by explicit masking, and logs these for review without blocking the request.
• - Audit logging: every AI call logs the count of entities masked (e.g. "1 child name, 1 date of birth") without recording the actual data, providing a verifiable audit trail.

6. Third-party processors

We share data with the following third-party processors, all of whom are bound by data processing agreements:

• - Google Cloud Platform: infrastructure hosting, data storage, and AI services. Data is stored in the europe-west2 (London) region.
• - Anthropic: AI language model provider for consultation analysis. Children's names and dates of birth are replaced with placeholders before any data is sent to Anthropic. Documents are processed in real-time and are not retained by Anthropic for training purposes.
• - Microsoft: single sign-on authentication via Microsoft Entra ID.
• - Stripe: payment processing for subscriptions. Stripe's privacy policy applies to payment data.

7. Data retention

We retain your data for as long as your subscription is active. After cancellation, we retain account data and consultation documents for 12 months to allow for reactivation, after which they are permanently deleted.

Payment records are retained for 7 years in accordance with UK tax and accounting obligations.

You may request earlier deletion at any time by contacting us.

8. Your rights

Under UK GDPR, you have the right to:

• - Access the personal data we hold about you
• - Rectify inaccurate data
• - Erase your data (subject to legal retention obligations)
• - Restrict processing in certain circumstances
• - Port your data to another provider
• - Object to processing based on legitimate interests

To exercise any of these rights, contact us at contact@sencoai.co.uk. We will respond within 30 days.

9. Data security

We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS 1.3) and at rest, access controls, and regular security reviews. All data is hosted within the United Kingdom (Google Cloud europe-west2).

10. International transfers

Your data is primarily processed within the UK and EEA. Where data is transferred to Anthropic (United States) for AI processing, this is covered by Standard Contractual Clauses and the UK International Data Transfer Agreement. Children's names and dates of birth are removed before transfer. Data is sent for processing only and is not stored by Anthropic.

11. Cookies

The SENCO AI website uses Plausible Analytics, which does not use cookies and does not collect personal data. The application uses essential cookies only for session management and authentication. We do not use advertising or tracking cookies.

12. Complaints

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

13. Changes to this policy

We may update this policy from time to time. We will notify subscribers of material changes by email. The latest version is always available at this page.