Privacy, Terms & Data Protection

1. Who we are

Sencohaven is a web-based SEND review management platform designed for UK primary school SENCOs (Special Educational Needs Co-ordinators). It is operated by Mark Stevenson, trading as Sencohaven, based in the United Kingdom.

For data protection purposes, our contact is:

2. Data controller vs data processor

Under UK GDPR, it is important to be clear about who holds what responsibility for pupil data:

By using Sencohaven, your school agrees to act as data controller for all pupil records entered into the system, and to our processing that data on your behalf. We are in the process of publishing a formal Data Processing Agreement (DPA) — please contact us if you require one for your records before it is published.

3. What data we collect

Pupil data (entered by your school)

SEND data is special category data under Article 9 of UK GDPR because it relates to a child's health, disability, and educational needs. This is the highest protection tier and we treat it accordingly.

School staff account data

What we do NOT collect

• We do not collect payment card details (billing is handled via BACS bank transfer)
• We do not use advertising trackers or analytics services that share data with third parties
• We do not collect pupil photos or biometric data
• We do not use cookies for tracking — only an essential session cookie

4. Legal basis for processing

School staff data

We process staff account data under Article 6(1)(b) — processing necessary for the performance of a contract (your school's Sencohaven subscription).

Pupil data

As data processor, we process pupil data solely on your school's documented instruction. Your school as data controller should rely on one or more of the following:

• Legal obligation — Article 6(1)(c) combined with Article 9(2)(g): schools have a statutory duty to support pupils with SEND under the Children and Families Act 2014 and the SEND Code of Practice (2015)
• Vital interests — Article 9(2)(c) where necessary to protect a child's wellbeing
• Explicit consent — Article 9(2)(a) if obtained from parents/carers

We recommend schools document their lawful basis in their own privacy notice and SEND policy.

5. How we use your data

We use the data we hold only for the following purposes:

• Providing the Sencohaven service to your school (displaying, storing, and generating reports from pupil records)
• Sending review reminders and digest emails to staff at your school
• Account administration (password resets, system notifications)
• Investigating support requests you raise with us
• Complying with a legal obligation (e.g. a court order or regulatory requirement)

We will never:

• Sell, rent, or share pupil data with any third party for commercial purposes
• Use pupil data to train AI or machine learning systems
• Access pupil records except when investigating a support issue you have raised with us, and only with your knowledge
• Use school data for marketing

6. Storage and security

Where data is stored

All data is stored on servers physically located in the United Kingdom. We do not transfer personal data outside the UK or the European Economic Area.

Transmission security

All data in transit between your browser and our servers is encrypted using TLS 1.2 / 1.3 (HTTPS). HTTP connections are automatically redirected to HTTPS. Our SSL certificates are managed by Cloudflare.

Access controls

• Each school's data is strictly isolated — staff at one school cannot access another school's records under any circumstances
• New school accounts require manual approval before access is granted
• Staff can only join a school via an invite link generated by the school owner — no open self-registration to an existing school
• Passwords are hashed using bcrypt (cost factor 12) and are never stored in plain text
• All record changes are logged in a tamper-evident audit trail

Infrastructure security

• Database access is restricted to localhost — no external database connections are permitted
• Servers are kept up to date with security patches
• Firewall rules restrict access to essential ports only

Breach notification

In the event of a personal data breach that is likely to result in a risk to individuals, we will notify affected schools within 72 hours of becoming aware of it, in line with our obligations under UK GDPR Article 33. We will also notify the ICO where required.

7. Data retention

We retain data for as long as your school has an active Sencohaven subscription, plus a short period to allow for account recovery.

Schools are responsible for their own retention schedules under the DfE's Records Management and Retention Schedule. Sencohaven provides tools to delete pupil records at any time — contact us or use the admin panel.

8. Your rights under UK GDPR

Under UK GDPR, individuals (including parents/carers acting on behalf of children) have the following rights. Because schools are the data controller for pupil data, subject access requests from parents should be directed to the school in the first instance. Schools can then contact us to assist with the response.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk/concerns or by calling 0303 123 1113.

9. Sub-processors and third parties

We use a small number of carefully selected sub-processors to operate the service. All sub-processors are contractually bound to handle data in compliance with UK GDPR.

We do not use Google Analytics, Facebook Pixel, or any third-party advertising or behavioural tracking on the Sencohaven platform.

10. Children's data

Sencohaven processes data about children as part of its core function — supporting schools in managing SEND reviews. We take the following additional steps to protect children's data:

• Pupil data is accessible only to authenticated staff at the child's school — no one else, including Sencohaven staff, has routine access
• Pupil data is never used for any purpose other than supporting the school's SEND management process
• Children's records are identified in our system by an internal reference only — records are not indexed by any public search engine
• SEND data (disability, health, educational needs) is treated as special category data under Article 9 UK GDPR throughout our systems
• We do not build profiles of children, use their data for research, or share it with any third party without the explicit instruction of the school as data controller

Sencohaven does not offer services directly to children. Only authenticated school staff may access pupil records.

11. Terms of service

Acceptance

By creating a Sencohaven account, the school owner agrees to these terms on behalf of their school. Schools may not use the service if they do not accept these terms.

Permitted use

• Sencohaven may be used only by UK schools and educational settings for the purpose of managing SEND reviews, provisions, and associated pupil records
• Accounts may not be shared between schools
• You must not attempt to access another school's data or circumvent the platform's access controls
• You must not enter personal data about individuals who are not pupils or staff at your school

Subscription and payment

Sencohaven is offered on an annual subscription basis (currently £249/year, paid by BACS bank transfer) with a monthly option at £29/month. Pricing may change with 30 days' notice to active subscribers. No refunds are offered for partial subscription periods unless required by law.

Trial period

New schools receive a 30-day free trial. No payment details are required to start a trial. At the end of the trial, access will be restricted unless a subscription is set up.

School responsibilities

• Schools are responsible for ensuring they have a lawful basis to enter pupil data into Sencohaven
• Schools must ensure their own privacy notices inform parents/carers that Sencohaven is used as a data processor
• Schools must notify us promptly of any suspected data breaches involving their Sencohaven account
• Schools are responsible for managing their own staff access — revoking accounts for staff who leave

Availability and support

We aim to maintain service availability of 99.5% on a monthly basis, excluding scheduled maintenance. We provide support by email at hello@sencohaven.co.uk. We do not guarantee response times but aim to reply to all enquiries within two working days.

Termination

Either party may terminate the subscription with 30 days' written notice. We reserve the right to suspend access immediately in cases of misuse, non-payment, or breach of these terms. On termination, all school data will be permanently deleted within 30 days.

Limitation of liability

Sencohaven is provided "as is". To the fullest extent permitted by law, we exclude liability for indirect or consequential losses. Our total liability in any 12-month period shall not exceed the subscription fees paid in that period. Nothing in these terms limits liability for death or personal injury caused by negligence, or for fraud.

Governing law

These terms are governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.

Changes to these terms

We may update these terms and this privacy policy from time to time. We will notify active school accounts by email at least 14 days before any material changes take effect. Continued use of the service after that date constitutes acceptance of the updated terms.

12. Contact and data requests

For any data protection queries, subject access requests, or data deletion requests, please contact us:

If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO):

• Website: ico.org.uk/concerns
• Telephone: 0303 123 1113
• Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF