Privacy Policy

Last updated: May 2026

This policy explains how SENguru collects, uses and protects your personal data. It is written to comply with UK law, specifically the UK GDPR and the Data Protection Act 2018, and follows the guidance issued by the Information Commissioner's Office (ICO).

Who we are

SENguru is a tool that helps families navigate the Education, Health and Care Plan (EHCP) process in England. It is not a substitute for personalised legal advice.

The data controller is SENguru CIC, a community interest company registered in England and Wales. You can contact us at info@senguru.co.uk for any privacy-related question, including subject-access requests.

What data we collect

  • Account information: your name and email address from Google OAuth sign-in.
  • Case data you provide: contact logs, documents you upload, deadlines, checklist progress, and settings (child name, local authority name).
  • AI-generated data: summaries, key points, and action items produced by AI analysis of your contacts and documents. This is generated in private, does not leave the service, and is never used to train any models.
  • Technical data: minimal request logs (IP address, user-agent, timestamps) used to diagnose errors and protect against abuse. Logs are kept no longer than 30 days.

Why we process your data — and the lawful basis for each purpose

Under UK GDPR Article 6 we have to point each processing activity at a lawful basis. Ours are:

  • Performance of a contract: running the service you signed up to (storing your case, calculating deadlines, displaying your data back to you, and keeping you logged in).
  • Consent: running AI analysis (summaries, key points, draft EHCP review, chat responses) on the contacts and documents you provide. You can withdraw consent at any time by deleting the relevant content or your account. Nothing will be retained or used to train any models.
  • Legitimate interests: short-term technical logs and security monitoring needed to keep the service working and safe. We have balanced this against your privacy rights and only retain logs for 30 days.
  • Legal obligation: keeping limited records where law (e.g. tax, anti-fraud) requires us to.
  • Vulnerable data: processing children's data as a special category of sensitive data, and applying the same rights and protections to it as we do to the account holder's own data.
  • Support: we may access your child's case data with your explicit consent, to help you with technical issues. When doing so, we take safeguards to avoid any unnecessary access to Personally Identifiable Information (PII) or Special Category Data (SCD) and all such access is logged and audited.

How we use your data

  • To provide the SENguru service: displaying your case data, calculating deadlines, running AI analysis you have asked for.
  • AI analysis is performed by managed inference providers listed under "Sub-processors" below. Your data is sent to those providers only to generate the requested output and is not used to train any model.
  • We do not sell your personal data, ever. And never will.
  • We do not share your data with third parties for advertising or marketing.
  • We will never share it with a new third party without your explicit consent, except where compelled by law. Even if compelled by law, we will seek legal advice before providing your child's data to any third party, and will strongly resist any attempt to extract this data.

Where your data is stored

  • The application runs on Google Cloud (GCP) in a UK data centre.
  • AI analysis is performed by Google Cloud Vertex AI (Gemini) in the UK where possible, or otherwise in the Netherlands (this is due to limited data centre availability in the UK).
  • Your child's core data is stored in a private, isolated database running in a UK data centre, and is never shared with any third party.
  • Your uploaded documents are also stored in a Google Cloud storage bucket in a UK data centre. Only you and SENguru support staff can access these documents.
  • We will endeavour to run all our services in the UK wherever possible, and will not knowingly transfer data to a country outside the EEA. Where that happens without our knowledge because of technical limitations, we rely on the UK ICO's approved transfer mechanisms (UK International Data Transfer Addendum to the EU Standard Contractual Clauses) plus the relevant adequacy decision where one applies.
  • Data is encrypted in transit (TLS) and at rest. Each child's case data is isolated at the database level and you cannot see another user's data unless you have explicit consent to do so (e.g. between two parents).

Sub-processors (current data processors)

The following organisations process personal data on our behalf. Each is bound by a written data-processing agreement that requires them to use your data only for the purposes we set.

  • Google Cloud Platform: hosting (Cloud Run), object storage, and Cloud Logging. Region: EEA / UK where configurable.
  • Google Cloud Vertex AI (Gemini): AI analysis of case data. This is used to generate summaries, key points, and action items. It is never used for training models, and is private to your case.
  • Google (Identity): Google OAuth 2.0 for sign-in. We receive your name and email; Google's privacy policy applies to their end of the connection.
  • Public CDNs (Cloudflare, jsDelivr, unpkg): serve static assets like images and fonts to your browser. They may log access metadata but receive no application data.

If we add or change a sub-processor we will update this list and, where the change is material, notify account holders before the change takes effect.

How long we keep your data — retention

  • Account, case, contact and document data is retained for as long as your account exists.
  • If you delete your account, all associated case data (contacts, documents, deadlines, checklist progress, embeddings, AI-generated summaries) is permanently deleted within 30 days.
  • Backup snapshots may persist for up to 35 days after deletion before they expire on their normal rotation.
  • Technical logs are retained for no more than 30 days.

Your rights under UK GDPR

You have the right to:

  • Be informed about how your data is used (this policy).
  • Access: request a copy of all data we hold about you.
  • Rectification: correct inaccurate data via the Settings page or by contacting us.
  • Erasure: request deletion of your account and all associated data.
  • Portability: request your data in a machine-readable format.
  • Restrict or object to processing, and the right to withdraw any consent you have given.
  • Not be subject to a solely automated decision that has a legal effect on you.

To exercise any of these rights, email info@senguru.co.uk. If you are unhappy with how we have handled your data you can complain to the Information Commissioner's Office (ICO) at ico.org.uk.

Cookies

SENguru uses a single session cookie (senguru_session) to keep you logged in. This is a strictly-necessary functional cookie required for the service to work — under PECR / UK GDPR it does not require an opt-in banner. We do not use tracking cookies, analytics cookies, or third-party advertising cookies.

Children's data

SENguru is designed for parents and carers, not children. Any information about children is provided by, and controlled by, the parent or carer. We treat that information as a special category of sensitive data and apply the same rights and protections to it as we do to the account holder's own data.

You assume responsibility for the data you provide, and we will not be held responsible for misuse of data, or for any data that you do not have legal authority to provide.

Security

We use TLS for all network traffic, encrypt data at rest, isolate case data at the database level, store secrets in a managed secret manager, and limit administrative access on a need-to-know basis. Administrative access to user data is logged.

Changes to this policy

We may update this privacy policy from time to time. The "last updated" date at the top of this page will be changed accordingly. Material changes (for example, adding a new sub-processor or a new processing purpose) will be communicated to account holders via email before they take effect.

Contact

For privacy-related questions or to exercise your UK GDPR rights, please email: info@senguru.co.uk