Privacy Policy
Effective Date: April 2026 · Version 1.0
Our Commitment
SENSA is built on a foundation of data trust. We understand that schools hold some of the most sensitive data in existence — data about children. We will never sell, share, or monetise it. This policy explains exactly what data we collect, why, and what your rights are.
| Legal entity | Sensa Technology Ltd (incorporated in England and Wales) |
| ICO registration | ZC113781 |
| Data protection contact | contact@sensatech.co.uk |
| Governing law | UK GDPR and Data Protection Act 2018 |
| Companion documents | Terms & Conditions · AI & Data Policy · Cookie Policy |
1 Who We Are and Our Role
1.1 SENSA is the data controller for personal data collected directly via our website and registration forms. For data uploaded by schools during Platform use (including Pupil Data), the school acts as data controller and SENSA acts as data processor, as defined in UK GDPR Article 4(7) and (8).
1.2 The relationship between SENSA and each school is governed by a separate Data Processing Agreement (DPA), which forms part of the overall contractual framework. Schools must not upload any Pupil Data before a DPA is in place. To request a DPA, contact contact@sensatech.co.uk.
1.3 Where required, Sensa Technology has appointed a Data Protection Officer (DPO). Contact: contact@sensatech.co.uk.
1.4 SENSA is registered with the Information Commissioner's Office (ICO). ICO registration number: ZC113781.
2 What Personal Data We Collect
2.1 Data collected directly from users (website visitors, account registrants, and pilot applicants):
| Category | Examples & Purpose |
|---|---|
| Contact & identity data | Name, email address, job title, school name. Used to manage your account and communicate with you. |
| Professional data | Role, subject area, school type, years of experience. Used to personalise the Platform. |
| Usage data | Log-in times, features used, session duration, error reports. Used for security, platform improvement, and billing. |
| Communications | Emails, support tickets, feedback forms. Retained to manage our relationship and improve services. |
| Cookie and analytics data | IP address (anonymised), browser type, pages visited. See our Cookie Policy. |
2.2 Data processed by SENSA as processor on behalf of schools:
| Category | Examples & Purpose |
|---|---|
| Pupil Data | Unique reference codes (not names or UPNs), year group, need-type signal patterns, classroom work samples. Used to generate Observe watchlists and Adapt outputs. |
| Teacher-generated Content | Lesson resources, curriculum materials, worksheets uploaded for adaptation. Processed to generate Output only. |
| EHCP-related data | Intervention records, progress data, need-signal history. Used by SENSA Evidence to generate draft EHCP packs. |
| MIS integration data | Structured class and timetable data (where MIS integration is active). Used to organise Pupil Data by class. |
No Pupil PII in AI Models
SENSA's architecture ensures that no personally identifiable pupil information — including names, dates of birth, UPN, home address, medical records, or NHS numbers — is ever passed to any external AI model or third-party API. Pupil Data is pseudonymised at ingestion. Schools must not upload raw PII to AI processing fields. This is a hard technical and contractual requirement.
3 Legal Bases for Processing
3.1 SENSA processes personal data in accordance with UK GDPR. The applicable lawful bases are as follows:
| Data Type | Lawful Basis |
|---|---|
| Account and registration data | Contract (Article 6(1)(b)) — necessary to provide the service you have requested. |
| Marketing communications | Consent (Article 6(1)(a)) — you may withdraw at any time by emailing contact@sensatech.co.uk. |
| Platform improvement and analytics | Legitimate interests (Article 6(1)(f)) — improving our product, balanced against user rights. |
| Pupil Data (as processor) | Performance of a task in the public interest / legal obligation — on behalf of the school as controller (Article 6(1)(e)). |
| Special category data (where applicable) | Substantial public interest in the provision of educational support (Article 9(2)(g)), subject to SENSA's Data Protection Policy schedules. |
3.2 Where we rely on legitimate interests, schools and users have the right to object. We will cease processing unless we can demonstrate compelling legitimate grounds. Please write to contact@sensatech.co.uk to object.
4 How We Use Your Data
4.1 We use personal data only for the specific purposes for which it was collected. We do not sell personal data. We do not use personal data for advertising. SENSA is a professional services product, not an advertising platform.
4.2 We will never use Pupil Data for any purpose other than to provide the school with the specific SENSA services they have requested. Pupil Data is never used to profile, score, or categorise pupils for any purpose other than SEN support delivery.
4.3 Aggregated and fully anonymised data (incapable of identifying any individual) may be used by SENSA for product research and development, sector reporting, and academic collaboration.
5 Data Sharing and Sub-Processors
5.1 SENSA does not share personal data with third parties except as set out below:
- AI model providers (sub-processors). Pupil Data passed to AI engines is pseudonymised. A current list of AI sub-processors is published at sensatech.co.uk/sub-processors. Schools will be notified of any change at least 30 days in advance.
- Infrastructure providers. Cloud hosting and storage services operating under appropriate data processing agreements within the UK or EU/EEA.
- Legal and regulatory. Where required by law, court order, or regulatory body (e.g. ICO).
- Professional advisors. Lawyers, accountants, and insurers, under confidentiality obligations.
5.2 All sub-processors are subject to contractual obligations no less protective than this Policy and our DPA.
5.3 SENSA does not transfer personal data outside the UK without ensuring that an adequacy decision, standard contractual clauses (UK SCCs), or equivalent mechanism is in place in accordance with Chapter V UK GDPR.
6 Data Retention
| Data Category | Retention Period |
|---|---|
| Account and registration data | Duration of account + 3 years post-closure, or as required by law. |
| Pupil Data (pilot) | Deleted within 30 days of pilot end, or earlier on written request. |
| Pupil Data (active subscription) | Retained for the contract term + 30 days. Export available on request within this window. |
| EHCP evidence packs | As directed by the school (data controller). Recommended: 25 years from the pupil's 18th birthday, in line with DfE guidance. Schools are responsible for defining their own retention schedule. |
| Server logs / security data | 90 days rolling. |
| Communications and support | 3 years from last interaction. |
7 Data Breach Notification
7.1 SENSA maintains a documented incident response procedure covering detection, containment, assessment, notification, and remediation of personal data breaches.
7.2 Where SENSA becomes aware of a personal data breach affecting Pupil Data or other data processed on behalf of a school, SENSA will notify the affected school (as data controller) without undue delay and in any event within 24 hours of becoming aware of the breach. The notification will include:
- A description of the nature of the breach, including the categories and approximate number of data subjects affected;
- The name and contact details of SENSA's data protection contact;
- A description of the likely consequences of the breach;
- A description of the measures taken or proposed to address the breach, including mitigation.
7.3 Where SENSA is the data controller (e.g. for account and registration data), SENSA will notify the Information Commissioner's Office within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of individuals, in accordance with UK GDPR Article 33.
7.4 SENSA will cooperate fully with the school's own breach investigation and notification obligations, including providing reasonable assistance in notifying affected data subjects where required under UK GDPR Article 34.
7.5 SENSA maintains a breach register recording all incidents, their effects, and the remedial action taken. A summary is available to schools on request.
8 Your Rights
8.1 Under UK GDPR, you have the following rights regarding personal data for which SENSA is data controller:
- Right of access (Article 15) — to receive a copy of the personal data we hold about you.
- Right to rectification (Article 16) — to have inaccurate data corrected.
- Right to erasure (Article 17) — to have data deleted where there is no legitimate reason to retain it.
- Right to restriction of processing (Article 18).
- Right to data portability (Article 20).
- Right to object (Article 21) — particularly to processing based on legitimate interests.
- Rights relating to automated decision-making and profiling(Article 22). See SENSA's AI & Data Policy.
8.2 Where SENSA acts as processor (in relation to Pupil Data), rights requests from pupils, parents, or carers must be directed to the school as data controller in the first instance. SENSA will assist schools in responding to such requests as required under the DPA.
8.3 To exercise any right, write to: contact@sensatech.co.uk. SENSA will respond within one calendar month.
8.4 If you are dissatisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO): ico.org.uk | 0303 123 1113.