SENFLOW Terms of Service, Privacy Policy & Data Processing Agreement
Last updated: January 2026
1. Introduction
Welcome to SENFLOW ("we", "us", "our"). These Terms govern your use of our platform and services. By using SENFLOW, you confirm that you have read, understood, and agree to these Terms, including our Privacy and Data Processing provisions.
If you do not agree, you must not use the platform.
2. Service Availability
- We strive to provide reliable service availability, though occasional maintenance or updates may cause temporary interruptions.
- We will provide reasonable notice for planned maintenance whenever possible.
- While we work to ensure platform stability, we cannot guarantee 100% uptime and provide the service "as is".
3. User Responsibilities
- You agree to use SENFLOW only for lawful school purposes.
- You are responsible for ensuring that data entered into SENFLOW is accurate and appropriate.
- Access credentials must be kept secure and not shared outside authorised staff.
4. Intellectual Property
All intellectual property in SENFLOW remains our exclusive property. Your access is a limited, revocable licence to use the platform for school purposes only.
5. Limitation of Liability
We are not liable for:
- any indirect, incidental, or consequential loss,
- any data loss or unauthorised access beyond our reasonable control,
- downtime or service interruptions.
Our total liability is limited to the fees paid by your school in the preceding 12 months, or £1,000, whichever is lower.
6. Privacy Policy
We are committed to protecting personal data under the UK GDPR and Data Protection Act 2018.
Legal basis for processing:
We process personal data under the following lawful bases as defined in Article 6(1) of the UK GDPR:
- Article 6(1)(b) - Contract: Processing is necessary for the performance of a contract between SENFLOW and your school
- Article 6(1)(e) - Public task: Processing is necessary for schools to perform their statutory duties under the Children and Families Act 2014 and related SEN legislation
- Article 9(2)(g) - Special category data: Processing of special category data (SEN information) is necessary for reasons of substantial public interest on the basis of UK law
Data we process:
- Student records (name, date of birth, UPN, SEN details, interventions, EHCP/IEP tracking)
- Staff user accounts (name, email, role, year group assignments)
- Parent/guardian details (where logged in records)
- Usage data (login history, activity logs, audit trails)
- Special category data: SEN status, medical needs, educational requirements
How we use data:
- To provide the SENFLOW service, support, and reporting
- To enable schools to meet their statutory SEN obligations
- To improve platform functionality and user experience
- To notify you of important updates, reviews, or security matters
- To provide customer support and troubleshooting
Technical and organisational safeguards:
- Infrastructure: Hosted on secure UK/EU servers (Supabase/AWS EU-West-2 London)
- Encryption: TLS 1.3 for data in transit, AES-256 encryption at rest
- Access control: Role-based permissions (RBAC) with school-level data isolation
- Database security: Row Level Security (RLS) policies ensure users only access their school's data
- Authentication: Multi-factor authentication (MFA) support for enhanced security
- Audit logging: Comprehensive activity logs for all data access and modifications
- Network security: Firewalls, DDoS protection, and intrusion detection systems
- Staff access: SENFLOW staff access is strictly controlled, logged, and only granted when necessary for support purposes
- Regular security audits: Ongoing vulnerability assessments and penetration testing
International data transfers:
All personal data is hosted within the United Kingdom and/or the European Economic Area (AWS EU-West-2 London).
Authorised SENFLOW personnel may access personal data remotely where necessary to provide support, maintenance, and platform services.
Where such remote access occurs from outside the United Kingdom and constitutes a restricted transfer under UK GDPR, SENFLOW ensures that appropriate safeguards are in place in accordance with Article 46 UK GDPR, including the incorporation of the UK International Data Transfer Agreement (IDTA) where required.
Data sharing:
- We only share data with essential sub-processors (detailed in Section 7 below)
- We do not sell or transfer data for marketing purposes
- We do not share data with third parties except as required by law or with your explicit consent
- All sub-processors are bound by GDPR-compliant Data Processing Agreements
Data retention periods:
We retain personal data in accordance with education sector best practices and legal requirements:
- Student records: Retained for the duration of your subscription, then archived for 7 years after the student leaves the school (in line with IRMS Information Management Toolkit for Schools)
- Staff user accounts: Retained while the staff member has an active account, then deleted 30 days after account deactivation
- Audit logs: Retained for 6 years for compliance and security purposes
- Trial period data: If trial is not converted to full subscription, all data is deleted within 30 days of trial expiry
- Upon service termination: All personal data will be securely deleted or returned to you within 30 days, unless legal obligations require longer retention
You may request early deletion of data at any time by contacting info@senflow.app
Data breach notification:
In the event of a personal data breach, we will:
- Notify your school within 72 hours of becoming aware of the breach
- Provide details of the nature of the breach, affected data, and likely consequences
- Describe measures taken or proposed to address the breach
- Assist you in meeting your obligation to notify the ICO and affected data subjects where required
- Maintain detailed records of all breaches for regulatory compliance
Your data subject rights:
Under UK GDPR, you and your data subjects have the right to:
- Right of access: Obtain confirmation of data processing and access to personal data
- Right to rectification: Correct inaccurate or incomplete data
- Right to erasure: Request deletion of personal data (subject to legal obligations)
- Right to restrict processing: Limit how we use data in certain circumstances
- Right to data portability: Receive data in CSV or JSON format for transfer to another system
- Right to object: Object to processing in certain circumstances
- Rights related to automated decision making: We do not use automated decision-making or profiling
- Right to lodge a complaint: Contact the Information Commissioner's Office (ICO) at ico.org.uk
We will respond to data subject rights requests within 30 days.
Trial period data handling:
During trial periods:
- You may provide us with a list of student names and basic SEN information to evaluate the platform
- All trial data is subject to the same security safeguards and GDPR protections as full subscriptions
- Trial data is isolated to your school only - no other schools can access it
- If you choose not to proceed with a full subscription, all trial data will be permanently deleted within 30 days
- You may request immediate deletion of trial data at any time by contacting info@senflow.app
Contact for data requests: info@senflow.app
We aim to respond to all data protection enquiries within 2 business days.
7. Data Processing Agreement (DPA)
This Data Processing Agreement forms part of the contract between your school (the "Data Controller") and SENFLOW (the "Data Processor") and complies with Article 28 of the UK GDPR.
Definitions and interpretation:
- Data Controller: Your school, responsible for determining the purposes and means of processing personal data
- Data Processor: SENFLOW, processing personal data on behalf of the Controller
- Personal Data: Any information relating to identified or identifiable pupils, parents, or staff
- Processing: Any operation performed on personal data, including collection, storage, use, disclosure, or deletion
Scope of processing:
- Subject matter: SEN, EHCP, IEP records, intervention tracking, assessment data, and related pupil information
- Duration: From account creation through service termination, plus 30 days for data return/deletion
- Nature and purpose: Storage, organisation, retrieval, consultation, use, and reporting of SEN-related records to enable schools to meet statutory obligations
- Categories of data subjects: Pupils with SEN, parents/guardians, school staff (SENCOs, teachers, TAs, administrators)
- Types of personal data: Names, dates of birth, UPN, SEN status, medical information, assessment results, intervention records, contact details
- Special category data: Health data, information about disabilities, educational needs assessments
Data Processor obligations (Article 28(3) UK GDPR):
SENFLOW undertakes to:
- Process only on instructions: Process personal data only on documented instructions from your school, including regarding international transfers
- Confidentiality: Ensure all persons authorized to process data are subject to confidentiality obligations
- Security measures: Implement appropriate technical and organisational measures as detailed in Section 6 (encryption, access controls, RLS, MFA, audit logging)
- Sub-processor management: Only engage sub-processors with your general authorization and ensure they meet equivalent GDPR obligations
- Data subject rights assistance: Assist you in responding to data subject requests (access, rectification, erasure, portability) within reasonable timeframes
- Compliance assistance: Assist you in ensuring compliance with Articles 32-36 UK GDPR (security, breach notification, impact assessments)
- Data deletion or return: Delete or return all personal data at the end of service provision, unless UK law requires continued storage
- Audit and inspection: Make available all information necessary to demonstrate compliance and allow for audits by you or an authorized auditor
- Breach notification: Notify you without undue delay (within 72 hours) upon becoming aware of a personal data breach
Your obligations as Data Controller:
- Ensure you have a lawful basis for processing personal data through SENFLOW
- Provide clear, documented instructions for data processing activities
- Ensure you have appropriate consents or legal bases for special category data
- Maintain your own privacy notices to parents, pupils, and staff
- Notify us immediately if you receive a data subject rights request relating to SENFLOW data
Sub-processors (with contact details):
We currently use the following sub-processors, all located within the UK/EU and bound by GDPR-compliant agreements:
- Supabase Inc. (Database & Authentication)
Location: EU-West-2 (London), UK | Purpose: Database hosting, authentication services | Security: AES-256 encryption, SOC 2 Type II certified
- Amazon Web Services (AWS)
Location: EU-West-2 (London), UK | Purpose: Infrastructure hosting | Security: ISO 27001, SOC 1/2/3 certified
- Resend (Email Delivery)
Location: EU | Purpose: Transactional email delivery (notifications, password resets) | Data processed: Email addresses only, no student data
We will notify you of any changes to sub-processors with at least 30 days' notice. You may object to new sub-processors, and if we cannot accommodate your objection, you may terminate the service without penalty.
We remain fully liable for the acts and omissions of any sub-processor to the same extent as if we had performed the processing ourselves.
Data security measures (Article 32 UK GDPR):
We have implemented the following technical and organisational measures:
- Pseudonymisation: Database identifiers use UUIDs, not personally identifiable information
- Encryption: TLS 1.3 in transit, AES-256 at rest
- Confidentiality: Role-based access control (RBAC) and Row Level Security (RLS) policies
- Integrity: Audit logs, database backups, version control
- Availability: 99.9% uptime SLA, redundant infrastructure, automated backups
- Resilience: Daily automated backups retained for 30 days, disaster recovery procedures
- Testing: Regular security audits, penetration testing, vulnerability assessments
- Restoration: Point-in-time recovery capabilities, tested backup restoration procedures
Data return and deletion:
Upon termination of services or at your request:
- We will provide all personal data in CSV or JSON format within 14 days
- After data return, we will securely delete all personal data within 30 days
- Deletion will include all backups and archived copies, except where retention is required by UK law
- We will provide written certification of deletion upon request
Audit rights:
You have the right to:
- Request information about our data processing activities and security measures
- Request copies of relevant policies, procedures, and certifications
- Conduct audits or inspections (with reasonable notice and during business hours)
- Appoint a third-party auditor to assess our compliance
We will cooperate fully with any audit and provide requested documentation within 14 days.
Liability and indemnity:
- Each party is liable for its own breaches of data protection law
- We are fully liable for the acts of our sub-processors
- We maintain professional indemnity insurance covering data protection liabilities
- We will indemnify you against fines or penalties resulting from our breach of this DPA
For DPA queries or to exercise your audit rights, contact: info@senflow.app
8. Termination
Either party may terminate this agreement with 30 days' written notice. We may suspend access immediately for breach of these terms or non-payment. You may stop using SENFLOW at any time by providing written notice.
9. Governing Law
These Terms are governed by English law, and disputes shall be subject to the exclusive jurisdiction of the English courts.
10. Contact
For any questions about these Terms or data protection, please contact:
SENFLOW
Email: info@senflow.app