Privacy Policy

Last updated: February 2026

1. Who We Are

The SEN Advocate ("we", "our", "us") provides SEN advocacy services and an online portal for communication, documents, cases, and invoicing. This policy explains what personal data we process, why we process it, who we share it with, and your rights.

2. Data We Collect

We may collect and process the following categories of data:

Identity and contact data: name, email address, phone number, postal details, and account profile information.
Child and case data: information you provide about children, schooling, EHCP and SEND matters, and related case notes.
Communications data: contact form submissions, portal messages, forum posts/replies, moderation reports, and communication preferences.
Document data: files uploaded to the portal, file metadata, virus scan status, sharing status, and (if enabled) document summary/sync metadata.
Billing data: quote/invoice records, payment status, and related notes. We currently present invoices for bank transfer; historic or optional payment integrations may also process payment identifiers.
Technical and security data: IP address, user agent, session and authentication records, audit/security logs, captcha outcomes, and API request metadata.

3. How We Use Your Data

We use personal data to:

provide advocacy services and manage client accounts, cases, and communications;
process contact enquiries and send service communications;
manage documents, including malware scanning and sharing workflows;
manage quotes, invoices, and related billing administration;
operate forums and messaging features, including moderation and abuse prevention;
protect platform security through authentication, CSRF protection, rate limits, and logging;
monitor and improve performance and service quality.

4. Lawful Basis for Processing

Under UK GDPR, our lawful bases include:

Contract: where processing is necessary to deliver requested services.
Legitimate interests: for secure operation, fraud/abuse prevention, support, and service improvement.
Consent: where required, for example certain enquiry flows or optional features.
Legal obligation: where we must retain or disclose information under applicable law.

5. Automated Processing and Security Controls

We use automated systems to protect and operate the platform. These include captcha checks, rate limiting, malware scanning for uploaded documents, and session/token management. We may also use optional AI summarization features for documents where enabled by deployment settings. These processes support service delivery and security and are not intended to make legal decisions about your case without human oversight.

6. Sharing Your Data

We do not sell your personal data. We may share data with service providers and partners acting on our instructions, including:

hosting, database, cache, and object storage infrastructure;
email delivery services for account and message notifications;
Cloudflare Turnstile for anti-bot verification (where enabled);
Plausible analytics (where configured);
Microsoft 365 / SharePoint sync for documents (where enabled);
Google Gemini summarization for documents (where enabled);
error monitoring tools such as Sentry (where enabled);
payment provider integrations and webhook handling where configured.

We may also disclose information where required by law, regulation, court order, or to establish, exercise, or defend legal claims.

7. International Transfers

Some suppliers may process data outside the UK. Where this occurs, we use appropriate safeguards (such as contractual protections) to protect transferred data.

8. Retention

We keep data only for as long as needed for service delivery, compliance, and legitimate business purposes. Examples include active account records, communications history, invoices, and security logs. Authentication refresh tokens have expiry and cleanup routines. Client users can request data export and account erasure through portal GDPR functions.

9. Cookies and Similar Technologies

We use cookies and similar technologies for authentication, security, and user experience, plus optional analytics tooling where configured. We also store some preferences and client state in browser local storage. See our Cookie Policy for details.

10. Children's Data and Sensitive Information

Our services commonly involve information about children and SEND-related matters. Please only provide personal information where you have authority to do so. We treat this data with additional care due to its sensitivity.

11. Your Rights

You may have rights to:

access your personal data;
correct inaccurate data;
request deletion or restriction in certain circumstances;
object to certain processing;
request portability where applicable;
withdraw consent where processing is based on consent.

You can also raise concerns with the UK Information Commissioner's Office (ICO).

12. Changes to This Policy

We may update this policy from time to time. Updates are published on this page with a revised "Last updated" date.

13. Contact

If you have questions or want to exercise your rights, contact us:

Email: contact@thesenadvocate.com

Address: 38 High Haden Road, Cradley Heath, West Midlands