← Back to Home

Privacy Policy

Last updated: 17 April 2026

School Compliance Documents

For Principals, DPOs, and school procurement reviews, the following supporting documents are available:

1. Who We Are

SENScribe Limited is a company registered in Ireland that develops and operates the SENScribe service.

Legal EntitySENScribe Limited (CRO 813862)
Registered AddressARKINS & COMPANY LIMITED, BLOCK 15, Galway Technology Park, Parkmore, Galway, GALWAY, Ireland, H91 AY0Y
Data Protection Contacthello@senscribe.ie

SENScribe Limited is the data controller responsible for your personal data when you use SENScribe.

2. Data We Collect

We collect the following categories of personal data:

2.1 Account Information

  • Email address: used for authentication and communication
  • Name: for personalisation (if provided)
  • School affiliation: to verify you are a teacher (during approval)

2.2 Usage Data

  • Session tokens: to keep you logged in
  • Usage count: to enforce fair use limits
  • Timestamps: when you access the service

2.3 Student Support Data

When using SENScribe, you may input information about students and save Student Support Files. This data is encrypted end-to-end on your device before being stored on our servers. We cannot read or decrypt your student data. See Section 5: AI Processing & Data Storage for details.

3. How We Use Your Data

We use your personal data for the following specific purposes:

PurposeData Used
Account creation & authenticationEmail, name, hashed password
Sending verification & password reset emailsEmail
Generating Student Support Plan draftsAnonymised text only (names redacted in your browser)
Enforcing fair use limitsUsage count
Product updates (with consent)Email
Website analytics & improvementAnonymised usage data via Google Analytics

5. AI Processing & Student Data

✓ End-to-End Encryption: We Cannot Read Your Student Data

SENScribe uses end-to-end encryption for all Student Support Files. Your data is encrypted on your device before being stored on our servers in Ireland. Only you hold the decryption key (derived from your data password). We cannot decrypt, read, or access your student data. For AI generation, student names and diagnoses are redacted in your browser before transmission - the AI only sees anonymous placeholders and generalised needs.

Read our Privacy Whitepaper for Principals & DPOs →

How AI Processing Works

  1. You enter student information into SENScribe
  2. Your browser detects and replaces all names with anonymous placeholders (e.g., "Seán" → [PERSON_1])
  3. Your browser generalises specific diagnoses to functional descriptions (e.g., "ADHD" → "attention regulation needs")
  4. Only the fully anonymised and generalised text is sent to our server and Azure OpenAI (GPT-4.1) within the European Union data zone
  5. The AI generates a draft using the anonymous placeholders and generalised needs
  6. Your browser restores the real names when displaying the result

How Data Storage Works

  1. You set a data password (separate from your login password) when you first save a student
  2. A unique encryption key is generated on your device and wrapped using your data password
  3. All Student Support Files (plans, reviews, logs, checklists) are encrypted on your device using AES-256-GCM before being sent to our servers
  4. Our servers store only encrypted data - we cannot decrypt it without your data password
  5. When you log in on a new device, you enter your data password to unlock your data
  6. A 24-word recovery key is provided at setup in case you forget your data password

GDPR & Special Category Data

Educational data linked to identifiable students may be considered Special Category Dataunder GDPR Article 9. SENScribe addresses this through two layers of protection:

  • AI generation: Student names and diagnoses are redacted and generalised in your browser before transmission - the AI never sees identifiable data
  • Data storage: All stored data is encrypted end-to-end with AES-256-GCM - our servers hold only ciphertext that we cannot decrypt
  • Encryption satisfies GDPR Article 32 security requirements and qualifies for breach notification exemption under Article 34(3)(a)
  • All data is stored in North Europe (Ireland) with no international transfers
  • We exceed GDPR Article 5(1)(c) data minimisation requirements

Your Responsibilities as a Teacher

As the user entering student data, you are responsible for ensuring you have appropriate authorisation from your school to use SENScribe for this purpose. We recommend:

  • Obtaining approval from your school's Data Protection Lead
  • Using only the minimum necessary student information
  • Not sharing generated drafts inappropriately

6. Who We Share Data With

We share your data with the following third-party service providers who act as data processors on our behalf:

ProviderPurposeData Shared
Microsoft Azure (Cosmos DB)Database hostingAccount data, sessions, encrypted Student Support Files (end-to-end encrypted - we cannot decrypt)
Microsoft Azure OpenAIAI generationAnonymised prompts only (student names replaced with [PERSON_N] placeholders in your browser before transmission)
Microsoft Azure Communication ServicesEmail delivery (primary)Email address
ResendEmail delivery (fallback)Email address
Google AnalyticsWebsite analyticsAnonymised usage data

We do not sell your personal data to third parties.

7. International Data Transfers

Your data is processed within the European Economic Area (EEA):

  • Azure Cosmos DB: North Europe (Ireland)
  • Azure OpenAI: European Union data zone (DataZoneStandard deployment, resource in West Europe)
  • Azure Communication Services: Europe (primary email provider)

Some service providers (Google, Resend) may process data in the United States. Resend is used only as a fallback email provider if our primary provider (Azure Communication Services) is temporarily unavailable. Where US processing occurs, transfers are protected by:

  • EU-US Data Privacy Framework (for certified companies)
  • Standard Contractual Clauses (SCCs)

8. Data Retention

We retain your data for the following periods:

Data TypeRetention Period
User account data12 months after last activity, then automatically deleted
Session tokens30 days, then automatically expire
Encrypted Student Support FilesStored until manually deleted by you, explicitly requested for deletion upon account closure, or automatically and permanently destroyed after 12 months of continuous account inactivity, whichever occurs first. Encrypted end-to-end - we cannot read this data.
Student names (during AI generation)Redacted in your browser before sending to AI - never transmitted in identifiable form
Anonymised AI promptsNot stored by SENScribe (processed in-memory only)
Anonymised prompts (Azure abuse monitoring)Up to 30 days by Microsoft for abuse detection (see Azure documentation)

Note: Microsoft Azure OpenAI may retain anonymised prompts for up to 30 days for abuse monitoring purposes. Since student names are replaced with placeholders in your browser before transmission, this only affects anonymous text. Human review is conducted by EEA-based Microsoft employees for resources deployed in Europe.

9. Your Rights

Under GDPR, you have the following rights regarding your personal data:

  • Right of Access: Request a copy of the personal data we hold about you
  • Right to Rectification: Request correction of inaccurate data
  • Right to Erasure:Request deletion of your data ("right to be forgotten")
  • Right to Restrict Processing: Request we limit how we use your data
  • Right to Object: Object to processing based on legitimate interests
  • Right to Data Portability: Receive your data in a portable format
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent

To exercise any of these rights, email us at hello@senscribe.ie. We will respond within one month as required by GDPR.

10. Cookies & Analytics

We use the following cookies:

Cookie TypePurposeConsent Required
Strictly NecessaryAuthentication, session managementNo (essential)
Analytics (Google Analytics)Understanding how visitors use our siteYes

For more details, see our Cookie Policy.

11. Security Measures

We protect your data using industry-standard security measures:

  • Encryption in transit: All data is transmitted over HTTPS/TLS 1.2+
  • Encryption at rest: Database encryption provided by Azure (AES-256)
  • Secure password storage: Passwords hashed with scrypt (never stored in plaintext)
  • Access controls: Limited access to production systems
  • EU data residency: Data stored in North Europe (Ireland) and processed within the European Union data zone

12. Children's Data

SENScribe is designed for use by teachers aged 18 and over only. We do not knowingly collect personal data directly from children.

When teachers use SENScribe to generate Student Support Plan drafts, they may enter information about students. As described in Section 5, this information is encrypted end-to-end on the teacher's device before being stored on our servers. We cannot decrypt or access this data.

Teachers are responsible for ensuring they have appropriate authorisation to process student data through SENScribe.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Notify registered users by email for significant changes

We encourage you to review this page periodically for the latest information.

14. Contact Us

If you have any questions about this Privacy Policy or how we handle your data, please contact us:

SENScribe Limited

Email: hello@senscribe.ie

Address: ARKINS & COMPANY LIMITED, BLOCK 15, Galway Technology Park, Parkmore, Galway, GALWAY, Ireland, H91 AY0Y

15. Complaints

If you are not satisfied with our response to a data protection concern, you have the right to lodge a complaint with the Irish Data Protection Commission:

Data Protection Commission

21 Fitzwilliam Square South

Dublin 2, D02 RD28

Ireland

Website: www.dataprotection.ie

Email: info@dataprotection.ie