Data Protection FAQ for Schools
This document answers the most common data protection questions schools ask about Sense Path.
What personal data does Sense Path collect?
School Account Data
- School/institution name
- Contact person name and email
- Password (stored as an encrypted hash — we never see your password)
- Subscription and billing details (processed by Stripe — we don't store card numbers)
- Technical data (IP addresses, login times, browser type)
Children's Assessment Data
- Child identifier — your school chooses what to use. This can be a full name, first name, initials, student ID, pseudonym, or any other identifier
- Assessment responses — 60 true/false questions across 6 sensory categories (Visual, Auditory, Tactile, Olfactory, Proprioception, Vestibular)
- Assessment dates and which staff member completed the assessment
- Generated results — sensory profiles, recommended plans, and interventions
- Optional notes added by school staff
What we do NOT collect
- Date of birth or age
- Photographs or images
- Home addresses
- Medical diagnoses
- Family information
- Ethnic origin
Where is data stored?
All data is stored in the European Economic Area (EEA), specifically in Belgium (Google Cloud region europe-west1).
No personal data is transferred outside the UK or EEA. If this were ever to change, we would:
- Notify all schools at least 30 days in advance
- Obtain explicit written consent before proceeding
- Implement appropriate safeguards (e.g., Standard Contractual Clauses)
Who is the Data Controller?
- For school account data (staff names, emails, billing): Sense Path Ltd is the Data Controller
- For children's assessment data: Your school is the Data Controller, and Sense Path Ltd is the Data Processor
This means your school has primary responsibility for ensuring lawful processing of children's data, including obtaining consents from parents/guardians.
Do we need parental consent?
Your school must establish an appropriate lawful basis under UK GDPR for processing children's data. Common lawful bases used by schools include:
- Consent from parents/guardians
- Public task (where the school is performing statutory education functions)
- Legitimate interests (where appropriate and balanced against children's rights)
Your school is responsible for determining and documenting the appropriate lawful basis.
Can we use pseudonyms instead of real names?
Yes. Sense Path does not require full names or any specific personal identifier. Schools have full flexibility to use:
- First names only
- Initials
- Student ID numbers
- Pseudonyms
- Any other identifier
This supports data minimisation and allows schools to implement pseudonymisation strategies.
Are Sense Path employees bound by confidentiality?
Yes. All Sense Path staff and contractors:
- Sign contractual confidentiality agreements
- Receive data protection training on joining and annual refresher training
- Access personal data only on a need-to-know basis via role-based access controls
- Are subject to internal data protection, security, and acceptable use policies
Breach of confidentiality is grounds for immediate termination.
What security certifications does Sense Path hold?
Sense Path Ltd does not currently hold ISO 27001 or Cyber Essentials certification, though we are actively pursuing Cyber Essentials (target: Q3 2026).
Our infrastructure provider, Google Cloud Platform (Firebase), holds:
- ISO 27001, ISO 27017, ISO 27018
- SOC 2 Type II, SOC 3
- PCI DSS Level 1
- And numerous other certifications
Our own security measures include:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access controls
- Daily encrypted backups (6-month retention)
- Security monitoring, audit logging, and incident response procedures
Full details are in Schedule 1 of our Data Processing Agreement.
What happens if there is a data breach?
We will:
- Notify your school within 24 hours of becoming aware of a breach
- Provide details including what happened, who was affected, likely consequences, and remedial measures
- Cooperate fully with any ICO notifications you need to make
- Maintain records of all breaches for inspection
Your school is responsible for determining whether to notify the ICO (within 72 hours) and affected parents/guardians.
Can we audit Sense Path?
Yes. Schools have the right to:
- Conduct audits or inspections of our data processing (once per year, 14 days' notice)
- Appoint third-party auditors
- Request copies of security documentation, policies, and sub-processor agreements
As alternative evidence, we can provide Google Cloud's certification documentation, completed security questionnaires, and relevant policy documents.
What sub-processors does Sense Path use?
| Sub-processor | Service | Location | Certifications |
|---|---|---|---|
| Google Ireland Limited (Firebase) | Cloud hosting, database, authentication | Belgium (EEA) | ISO 27001, SOC 2 |
| Google Ireland Limited (Workspace) | Email communications | EEA | ISO 27001, SOC 2 |
| Stripe Payments Europe, Ltd | Payment processing | EEA | PCI DSS Level 1 |
Not sub-processors (no personal data processed):
- Sentry — error tracking (technical data only)
- Umami — anonymous usage analytics
We will provide 30 days' written notice before engaging any new sub-processor that will process personal data. Schools have 14 days to object.
How long is data retained?
| Scenario | Retention | School Control |
|---|---|---|
| Child leaves school | Until school deletes the record | Delete via the app |
| School stops using Sense Path | Until account deletion requested | Contact us to delete |
| Account deleted | Removed from production within 30 days | Request data export first |
| Backups | Purged within 6 months of deletion | Automatic |
We do not retain data for analytics, research, or any other purpose after deletion.
Can we export our data?
Yes. Contact us to request a data export. We provide data in CSV or JSON format.
Does Sense Path have insurance?
Yes. We hold cyber and data insurance:
- Provider: Hiscox (CyberClear)
- Coverage: £250,000
- Policy Period: 29 January 2026 to 28 January 2027
Certificate of insurance available on request.
Does Sense Path provide an indemnity?
Yes. Under our Data Processing Agreement, we indemnify schools against costs arising from our breach of the DPA — except where the issue arose from the school's own instructions or breach.
How do we get the full DPA?
Contact us. We provide:
- A comprehensive Data Processing Agreement
- Privacy Policy
- Terms and Conditions
- This FAQ document
We can also work with your local authority's standard DPA if preferred.
Contact
Contact us for any data protection queries.
Postal Address: Sense Path Ltd, 20 Shaw Road, Newhey, Rochdale, England, OL16 4LT
Company Number: 15785318
Last updated: March 2026