How we handle your school's data, your rights under UK GDPR, and our commitments to you.
Last updated: April 2026Sencohaven is a web-based SEND review management platform designed for UK school SENCOs (Special Educational Needs Co-ordinators). Trading as Sencohaven, based in the United Kingdom.
For data protection purposes, our contact is:
Under UK GDPR, it is important to be clear about who holds what responsibility for pupil data:
By using Sencohaven, your school agrees to act as data controller for all pupil records entered into the system, and to our processing that data on your behalf. We are in the process of publishing a formal Data Processing Agreement (DPA). Please contact us if you require one for your records before it is published.
| Data type | Examples | Sensitivity |
|---|---|---|
| Pupil identity | First name, last name, year group, date of birth | Personal data |
| SEND status & needs | SEN support level, EHCP status, primary need category | Special category |
| Reviews | Review dates, outcomes, chair, notes | Special category |
| Provisions | Interventions, strategies, outcomes | Special category |
| Notes & actions | Free-text case notes, action items | Special category |
| Agency referrals | External agency names, referral details | Personal data |
SEND data is special category data under Article 9 of UK GDPR because it relates to a child's health, disability, and educational needs. This is the highest protection tier and we treat it accordingly.
| Data type | Purpose |
|---|---|
| Name, work email address | Account identity, login, notifications |
| Job role | Display within the system |
| Session cookies | Keeping you logged in (PHP session, not tracking) |
| Audit log entries | Record of who made changes to pupil records |
We process staff account data under Article 6(1)(b), processing necessary for the performance of a contract (your school's Sencohaven subscription).
As data processor, we process pupil data solely on your school's documented instruction. Your school as data controller should rely on one or more of the following:
We recommend schools document their lawful basis in their own privacy notice and SEND policy.
We use the data we hold only for the following purposes:
We will never:
All data is stored on servers physically located in the United Kingdom. We do not transfer personal data outside the UK or the European Economic Area.
All data in transit between your browser and our servers is encrypted using TLS 1.2 / 1.3 (HTTPS). HTTP connections are automatically redirected to HTTPS. Our SSL certificates are issued by Let's Encrypt, a free and open certificate authority.
In the event of a personal data breach that is likely to result in a risk to individuals, we will notify affected schools within 72 hours of becoming aware of it, in line with our obligations under UK GDPR Article 33. We will also notify the ICO where required.
We retain data for as long as your school has an active Sencohaven subscription, plus a short period to allow for account recovery.
| Data type | Retention period |
|---|---|
| Pupil records (while school is active) | Held until deleted by the school or account closed |
| Pupil records (after account closure) | Permanently deleted within 30 days of account closure |
| Staff account data | Deleted within 30 days of account removal or school closure |
| Audit logs | Retained for 1 year from creation, then deleted |
| Transactional emails (SES) | Not stored - AWS SES delivers and discards |
| Server access logs | Retained for 14 days via automated log rotation, then deleted |
Schools are responsible for their own retention schedules under the DfE's Records Management and Retention Schedule. Sencohaven provides tools to delete pupil records at any time. Contact us or use the admin panel.
Under UK GDPR, individuals (including parents/carers acting on behalf of children) have the following rights. Because schools are the data controller for pupil data, subject access requests from parents should be directed to the school in the first instance. Schools can then contact us to assist with the response.
| Right | What it means | How to exercise it |
|---|---|---|
| Right of access | Request a copy of the personal data held about you or your child | Contact your school (data controller), who will contact us if needed |
| Right to rectification | Request correction of inaccurate data | School staff can edit records directly, or contact us |
| Right to erasure | Request deletion of personal data ("right to be forgotten") | School can delete pupil records directly; full account deletion via privacy@sencohaven.co.uk |
| Right to restriction | Request we restrict processing while a dispute is resolved | Contact privacy@sencohaven.co.uk |
| Right to portability | Receive your data in a machine-readable format | Contact us. We can export school data as CSV/PDF on request |
| Right to object | Object to processing in certain circumstances | Contact privacy@sencohaven.co.uk |
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk/concerns or by calling 0303 123 1113.
We use a small number of carefully selected sub-processors to operate the service. All sub-processors are contractually bound to handle data in compliance with UK GDPR.
| Sub-processor | Purpose | Data location |
|---|---|---|
| Amazon Web Services (SES) | Transactional email delivery (review reminders, account emails). Email content is not stored by AWS - SES delivers and discards. | EU (Ireland) region, covered by AWS Data Processing Addendum |
| Hosting provider | Physical server infrastructure | United Kingdom |
| Google Analytics (gtag.js) | Visit counts and page views on our public marketing pages only. No personal data, no pupil data, and not present anywhere in the logged-in application. | Google LLC - covered by Google's standard data processing terms. Analytics data collected is limited to anonymised traffic metrics (pages visited, visit counts, browser type). |
We do not use Facebook Pixel or any advertising or behavioural tracking tools. Google Analytics is used solely on our public marketing pages to understand how visitors find and use our website - it has no access to school data or the Sencohaven application.
Sencohaven processes data about children as part of its core function, supporting schools in managing SEND reviews. We take the following additional steps to protect children's data:
Sencohaven does not offer services directly to children. Only authenticated school staff may access pupil records.
By creating a Sencohaven account, the school owner agrees to these terms on behalf of their school. Schools may not use the service if they do not accept these terms.
Sencohaven is currently in beta. Access is free during the beta period. When paid plans are introduced, pricing will be published on the website with at least 30 days' notice before any charge is applied to existing users. No refunds are offered for partial subscription periods unless required by law.
New schools receive a 30-day free trial. No payment details are required to start a trial. At the end of the trial, access will be restricted unless a subscription is set up.
We aim to maintain service availability of 99.5% on a monthly basis, excluding scheduled maintenance. We provide support by email at hello@sencohaven.co.uk. We do not guarantee response times but aim to reply to all enquiries within two working days.
Either party may terminate the subscription with 30 days' written notice. We reserve the right to suspend access immediately in cases of misuse, non-payment, or breach of these terms. On termination, all school data will be permanently deleted within 30 days.
Sencohaven is provided "as is". To the fullest extent permitted by law, we exclude liability for indirect or consequential losses. Our total liability in any 12-month period shall not exceed the subscription fees paid in that period. Nothing in these terms limits liability for death or personal injury caused by negligence, or for fraud.
These terms are governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.
We may update these terms and this privacy policy from time to time. We will notify active school accounts by email at least 14 days before any material changes take effect. Continued use of the service after that date constitutes acceptance of the updated terms.
For any data protection queries, subject access requests, or data deletion requests, please contact us:
Email: privacy@sencohaven.co.uk
We aim to respond to all data protection enquiries within 5 working days.
For formal Subject Access Requests, we will respond within the statutory 30-day period.
If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO):