Privacy Policy

Last Updated: 11 May 2026

1. Introduction

Sense Path is a web application developed by Sense Path Ltd, a company registered in the United Kingdom (Company Number: 15785318), designed to assess and understand child sensory needs for schools, educational institutions, and approved family users.

This Privacy Policy explains how Sense Path Ltd ("we", "us", "our") collects, uses, stores, and protects personal data when schools, educational institutions, and other approved customers ("you", "your") use the Sense Path application ("the Service").

Sense Path Ltd is committed to complying with:

• The UK General Data Protection Regulation (UK GDPR)
• The Data Protection Act 2018 (DPA 2018)
• All other applicable data protection legislation

Important Note about Data Controller Relationships:

• For school account data: Sense Path Ltd is the Data Controller
• For children's assessment data: The school or educational institution is the Data Controller, and Sense Path Ltd is the Data Processor

This means that for children's data, schools have primary responsibility for data protection compliance, including obtaining appropriate consents from parents and guardians. Our role is to process this data only in accordance with the school's instructions and to provide appropriate security and support.

Our Data Processing Agreement (DPA) sets out in detail how we process children's data on behalf of schools. The DPA is incorporated into our Terms and Conditions and is available on request — email contact@sensepath.org for the current version.

2. Data We Collect

We collect different types of data depending on the purpose:

A. User Account and Workspace Data (Sense Path Ltd as Data Controller)

Contact and Account Information:

• School/institution name
• Contact person name (administrator)
• Email address
• Password (stored as encrypted hash only)
• Subscription tier, status, source (stripe / manual / free), and trial end date per workspace
• Billing information (processed securely by Stripe): billing name, billing email, billing address, payment card details (tokenized)
• Invoice and payment records
• Staff user names and email addresses
• Workspace name and identifier (one or more per user account)
• Workspace member list and per-workspace role (Owner / Admin / Member)
• Workspace billing email (separate from the user's authentication email)
• Workspace PO number, where set
• Legal acceptance state (legalAccepted, legalAcceptedAt, legalVersion) per user account
• Dismissed in-application announcements per user account
• Accessibility preferences per user account: font size, OpenDyslexic font toggle, simplified view, reduced motion, colour scheme (warm or high-contrast), colourblind palette (red-green or tritanopia), spacing preference
• Avatar selection (DiceBear seed and style; bundled in the application, not retrieved from any third party)

Technical and Usage Data:

• IP addresses
• Device information (browser type, operating system)
• Login timestamps
• Aggregate, anonymous application usage patterns (page views, feature usage) collected via cookieless Umami analytics -- not linked to individual user accounts
• Error reports collected via Sentry (technical context only -- stack traces, user-agent, route -- with personal identifiers redacted at source)
• Session data

Communication Records:

• Email correspondence with our support team
• Support tickets and inquiries
• Support tokens generated for impersonation (audit log of operator, target user, and timestamp -- retained for support / security purposes)

Purpose: To provide and manage your account, deliver the Service, provide customer support, and fulfill our contractual obligations.

Lawful Basis: Contract (necessary to provide the Service) and Legitimate Interests (to improve our Service and provide support).

B. Children's Assessment Data (School as Data Controller, Sense Path Ltd as Processor)

For this data, we process it on your behalf according to your instructions and our Data Processing Agreement.

Child Identifier:

• Child identifier as determined by the school (which may be full name, first name, pseudonym, student ID, or any other identifier the school chooses to use)
• Note: We do not require schools to use identifiable information. Schools may implement pseudonymisation strategies.

Assessment Data:

• Responses to the SPD assessment (60 sensory behaviour questions across six senses, true/false). Other assessment types may be added in future and will be documented here
• Assessment completion dates and timestamps
• Generated sensory profile results
• Recommended goals and interventions (automatically generated)
• Optional notes and comments added by school staff
• Assessment targets selected by staff (up to two focus areas per assessment)
• Generated plans (12, 16, and 20 minute durations), including any staff-applied activity swaps
• Sensory circuits saved against profiles, including type, duration, activity selection, and linked profile IDs
• Environmental adjustments toggled per profile against a curated catalogue
• Profile lifecycle metadata: archived state, archive timestamp, slug
• Assessment draft data is auto-saved to the user's browser localStorage (not transmitted to our servers) until submitted, at which point it is stored in Cloud Firestore

Staff Attribution:

• Name/email of staff member who conducted each assessment
• Where applicable, an impersonatedBy field on writes performed during a support session

Data We Do NOT Collect:

• Date of birth or age
• Photographs or images of children
• Address information
• Medical diagnoses (other than as inferred from sensory assessments)
• Family information
• Ethnic origin

Purpose: To enable schools to assess and understand children's sensory needs and generate insights and recommendations.

Lawful Basis (for the school): The school must establish an appropriate lawful basis under UK GDPR, typically:

• Consent from parents/guardians
• Public task (where the school is performing statutory education functions)
• Legitimate interests (where appropriate and balanced against children's rights)

Schools are responsible for determining and documenting their lawful basis for processing.

C. Workspace-Level Data

Workspace-level data ownership. All children's assessment data belongs to the workspace, not to the individual user who created it. When a user leaves a workspace, the data they created remains with the workspace. When a user account is deleted, solo-owned workspaces are archived (not deleted) until a new Owner is provisioned or the data retention period elapses.

3. How We Use Data

A. School Account Data

We use school account data to:

• Provide the Service: Enable account access, authentication, and core functionality
• Service Management: Manage subscriptions, billing, and account administration
• Communication: Send service-related emails (account notifications, system updates, security alerts)
• Customer Support: Respond to inquiries, troubleshoot issues, and provide assistance
• Service Improvement: Analyze usage patterns to improve functionality and user experience
• Security: Detect and prevent fraud, abuse, and security incidents
• Legal Compliance: Comply with legal obligations and protect our legal rights

We do NOT:

• Use school account data for marketing purposes without explicit consent
• Share school account data with third parties except as described in Section 6
• Use school account data for any purpose incompatible with the purposes above
• Use account or assessment data to train machine-learning models. Plans and recommendations are produced by deterministic algorithms operating on the immediate assessment input (not on aggregated data)

B. Children's Assessment Data

We process children's assessment data only on the instructions of the school to:

• Store assessment data securely
• Generate sensory profiles and recommendations
• Enable schools to view, export, and manage assessment data
• Provide data to schools in response to data subject access requests
• Support schools in exercising data subject rights (rectification, erasure, etc.)

We do NOT:

• Use children's assessment data for any purpose other than providing the Service to the school
• Share children's assessment data with third parties (except sub-processors as detailed in Section 6)
• Use children's assessment data for analytics, research, or product development
• Retain children's assessment data after the school requests deletion (except as required by law)

4. Data Storage and Security

A. Location of Data Processing

All personal data is stored and processed in the United Kingdom or European Economic Area:

• Primary database: Cloud Firestore (Belgium, europe-west1)
• Legacy database: Realtime Database (Belgium, europe-west1) -- in use during the v1-to-v2 migration; will be retired after migration is complete
• Background Cloud Functions (webhooks, sync): Belgium, europe-west1
• Web hosting, serverless functions, cache, and edge SSR: London, United Kingdom (Netlify eu-west-2)
• Infrastructure Providers: Google Ireland Limited (Firebase/Google Cloud Platform); Netlify, Inc. (web hosting)

The UK holds an adequacy decision from the European Commission, so transfers from the EEA to the UK do not require additional safeguards. Data transfer from the UK to the EEA is permitted under UK GDPR adequacy regulations.

We do not transfer personal data outside the United Kingdom or EEA. Our web hosting sub-processor (Netlify, Inc.) is incorporated in the United States; while all our data plane processing with Netlify happens in the UK, any controller-side processing by Netlify that may involve the United States is conducted under Standard Contractual Clauses as set out in their Data Processing Addendum.

If we ever need to process data outside the UK or EEA, we will:

• Notify schools at least 30 days in advance
• Obtain explicit written consent from schools
• Implement appropriate safeguards (e.g., Standard Contractual Clauses)

B. Security Measures

We implement comprehensive technical and organizational security measures, including:

Technical Measures:

• Encryption in Transit: All data transmitted using TLS 1.2 or higher (HTTPS)
• Encryption at Rest: All data stored encrypted using AES-256 encryption
• Password Security: Passwords hashed using bcrypt, never stored in plain text
• Access Controls: Role-based access control (RBAC) ensuring schools can only access their own data
• Authentication: Secure authentication via Firebase with optional multi-factor authentication
• Network Security: Firewall rules, network segmentation, DDoS protection
• Monitoring: Security event monitoring, intrusion detection, automated alerts

Organizational Measures:

• Staff Training: All staff receive data protection training
• Confidentiality: All staff bound by confidentiality obligations
• Access Limitation: Access to personal data restricted to authorized personnel on need-to-know basis
• Incident Response: Incident response procedures in place with designated technical lead
• Audit Logging: All data access and modifications logged

Infrastructure Security:

• Google Cloud Platform holds ISO 27001, ISO 27017, ISO 27018, SOC 2 Type II, and other certifications
• Physical security of data centers managed by Google to industry-leading standards

Backups:

• Automated daily backups encrypted and stored securely
• Backup retention: 6 months (after which backups are permanently destroyed). Backups are encrypted at rest using AES-256 and access-controlled in line with production data.
• Backups access-controlled and subject to same security measures as production data

Limitation of Security: While we take extensive precautions to protect personal data, no method of electronic storage or transmission over the internet is 100% secure. We cannot guarantee absolute security, but we commit to:

• Maintaining industry-standard security measures
• Regularly reviewing and improving security practices
• Notifying schools promptly of any security incidents

A comprehensive list of our security measures is provided in Schedule 1 of our Data Processing Agreement.

5. Data Retention

A. School Account Data

We retain school account data:

• During Active Service: For as long as your account remains active
• After Account Closure (individual user): When a user account is deleted, the user's authentication record and per-user fields (accessibility preferences, legal acceptance, dismissed announcements) are deleted within 30 days. The user's link to any workspace's Stripe customer is severed before the auth record is removed, preserving billing continuity for any workspaces that remain. Solo-owned workspaces are archived (status: archived, with archivedAt, archivedReason: "owner-deleted-account", and archivedOwnerId recorded) so they can be restored if a new Owner is provisioned within the data retention window. Multi-member workspaces continue under the remaining Owners / Admins; the leaving user's membership is removed.
• After Workspace Closure: When a workspace is deleted (by the Owner) or its subscription lapses without resubscription, profile data is retained in a locked state for 90 days, then permanently deleted. Backups are removed within a further 6 months.
• Backups: Data in backups is retained for maximum 6 months, then permanently deleted
• Legal Requirements: We may retain certain data if required by law (e.g., financial records for tax purposes)

B. Children's Assessment Data

Retention is controlled by the school:

• During Service: Retained as long as the school's account is active
• Individual Records: Schools can delete individual children's records at any time through the application
• Subscription expiry (new regime workspaces): Workspaces transition to a locked state on trial expiry, payment failure, or cancellation. Members can sign in and switch workspaces but cannot view or modify data within the locked workspace. The locked state is retained for 90 days, during which resubscribing fully restores access. After this period, profile data is permanently deleted.
• Subscription expiry (grandfathered legacy workspaces): A small number of workspaces created before the v2 trial system are grandfathered onto a legacy free tier with a 2-profile cap. These workspaces remain accessible (read and limited write) without subscription. Subject to product decisions, this grandfathering may be retired in future, with reasonable notice.
• Account Closure: When a school requests account deletion, all children's data is deleted within 30 days
• Backups: Deleted data remains in secure backups for maximum 6 months, then permanently deleted

School Responsibility: Schools are responsible for:

• Determining retention periods for children's data in accordance with their own policies
• Deleting individual children's records when appropriate (e.g., when a child leaves the school)
• Requesting account deletion when no longer using the Service

We provide tools to enable schools to manage data retention in compliance with their obligations.

C. Certification of Deletion

Upon request, we will provide written certification that data has been deleted.

6. Data Sharing and Sub-processors

A. We Do Not Sell or Trade Personal Data

We do not sell, rent, or trade personal data to third parties for their marketing purposes.

B. Sub-processors (Service Providers)

We engage the following sub-processors to provide the Service:

Other Services (Not Sub-processors):

• Sentry: Error monitoring - NO personal data transmitted (technical error data only)
• Umami Analytics: Anonymous usage analytics - NO personal data collected
• Business Tools: We may use other business tools (project management, accounting, design, development tools) that do not access or process your personal data
• DiceBear avatars: profile avatar images are generated from a bundled local copy of the DiceBear library (no third-party CDN call). No personal data is transmitted.
• Stripe BACS / VBAN: for BACS bank transfers, Stripe issues a virtual bank account number used to allocate inbound payments to Customer accounts. Stripe is the data processor for these payments; Sense Path receives only the matched payment metadata.

Sub-processor Changes:

• We will notify schools at least 30 days before engaging any new sub-processor
• Schools have the right to object to new sub-processors on data protection grounds
• If objections cannot be resolved, schools may terminate the Service without penalty

C. Legal Disclosures

We may disclose personal data if required to do so by law or in response to:

• Valid legal processes (e.g., court orders, warrants)
• Requests from law enforcement or regulatory authorities
• Protection of our legal rights, property, or safety, or that of others
• Emergency situations involving danger of death or serious physical injury

Where legally permitted, we will notify schools before disclosing their data.

D. Business Transfers

If Sense Path Ltd is involved in a merger, acquisition, or sale of assets, personal data may be transferred to the new organization. We will notify schools before their data is transferred and becomes subject to a different privacy policy.

7. UK GDPR Rights

A. Rights for School Contact Persons (Sense Path Ltd as Controller)

As an individual whose data we control (e.g., school administrator or staff user), you have the following rights:

Right to Access: Request a copy of the personal data we hold about you

Right to Rectification: Request correction of inaccurate or incomplete personal data

Right to Erasure: Request deletion of your personal data (subject to legal retention requirements)

Right to Restrict Processing: Request that we limit how we process your personal data

Right to Data Portability: Request your personal data in a structured, machine-readable format

Right to Object: Object to processing based on legitimate interests

Rights Related to Automated Decision-Making: We do not use automated decision-making or profiling for school account data

How to Exercise These Rights:

• Self-service PDF export: Account-controller data subjects can export profile, assessment, plan, and circuit data as PDFs directly from the application without making a formal access request. We will respond to formal access requests for data not covered by self-service export within one month, as required by UK GDPR.
• Email us at: contact@sensepath.org
• We will respond within one month as required by UK GDPR

B. Rights for Data Subjects in Children's Data (School as Controller)

For children's assessment data, the school is the Data Controller and is responsible for responding to data subject rights requests from parents/guardians or children.

We will assist schools in fulfilling these requests by:

If a data subject contacts us directly:

• We will forward the request to the school within 2 working days
• We will not respond directly except on the school's instructions

Schools' Responsibility: Schools must have processes in place to:

• Receive and respond to data subject requests from parents/guardians
• Verify the identity of requestors
• Provide responses within the one-month UK GDPR timeframe
• Instruct us to assist with technical aspects of fulfilling requests

Support Access (Impersonation)

To investigate technical issues or respond to support requests, authorised Sense Path staff may sign in to your workspace as a user via a one-time, time-limited support token (Firebase custom token, expires after one hour).

• Initiated only by Sense Path admin staff, not self-service for other users
• Each session is logged in our admin systems with the operator, the target user, the timestamp, and the workspace
• Support staff are bound by the confidentiality obligations described in our Terms and Conditions
• Where reasonably practicable, we will notify the workspace Owner before using impersonation for non-trivial support work
• Customers can opt out of impersonation by emailing contact@sensepath.org; in that case we will only diagnose support issues using information you provide

This is the only mechanism by which Sense Path staff sign in as a non-Sense-Path user. Direct database access by engineering staff is restricted to authorised personnel for narrowly-scoped maintenance and is not a routine support tool.

8. Children's Privacy

The Sense Path application is designed to be used by schools, teachers, professionals, and educational staff to assess children's sensory needs.

Age of Children: The Service is typically used to assess children aged 3-16 years, though schools may use it for children of any age.

Parental Consent:

• We do not collect personal data directly from children
• Schools are responsible for obtaining appropriate consents from parents or guardians before using the Service
• Schools must ensure they have a lawful basis for processing children's data under UK GDPR

Data Minimization:

• We designed the system to minimize personal data collection
• Schools can use pseudonymous identifiers rather than children's full names
• We do not require dates of birth, photographs, addresses, or other unnecessary personal data
• Where the workspace is a family rather than a school, the data subjects are still children -- the same minimisation guidance applies (use first names or pseudonyms where reasonable).

If you are a parent or guardian:

• Contact your child's school to exercise data subject rights (access, rectification, erasure, etc.)
• The school is responsible for managing your child's data
• If you believe data has been collected without appropriate consent, contact the school and also contact us at contact@sensepath.org

9. Personal Data Breaches

Our Commitment:

If we become aware of a personal data breach that affects your data, we will:

• Notify schools within 24 hours for children's assessment data
• Provide detailed information including:
• Nature of the breach
• Categories and approximate number of data subjects affected
• Likely consequences
• Measures taken to address the breach and mitigate harm

School Responsibilities:

Schools are responsible for:

• Assessing whether the breach requires notification to the ICO (Information Commissioner's Office)
• Notifying the ICO within 72 hours if required by UK GDPR
• Notifying affected parents/guardians if the breach is likely to result in high risk to their rights and freedoms

We will provide full cooperation and assistance to schools in responding to breaches.

Breach Prevention:

We maintain comprehensive security measures and incident response procedures to prevent and respond to breaches. See Section 4 for details.

10. International Transfers

Current Position:

All personal data is stored and processed in the United Kingdom or European Economic Area: database storage and Cloud Functions in Belgium (Google Cloud europe-west1), and web hosting, serverless functions, cache, and edge in London, United Kingdom (Netlify eu-west-2).

No personal data is transferred outside the United Kingdom or EEA. Our web hosting sub-processor (Netlify, Inc.) is a US-incorporated entity that operates EU/UK data centres for our deployment; any controller-side processing is conducted under Standard Contractual Clauses as detailed in Section 9.B.

If This Changes:

If we ever need to transfer or process personal data outside the UK or EEA:

• We will notify schools at least 30 days in advance
• We will obtain explicit written consent from schools before proceeding
• We will implement appropriate safeguards such as:
• Standard Contractual Clauses approved by the ICO
• Adequacy decisions
• Binding Corporate Rules
• Other mechanisms approved under Chapter V of UK GDPR

Schools may object to international transfers and terminate the Service if they do not consent.

11. Cookies and Local Storage

Sense Path uses a small number of strictly necessary cookies and browser localStorage entries to operate the Service. We do not use any tracking, advertising, or analytics cookies.

Essential session cookies:

• Firebase Authentication session cookies (issued by Firebase Auth, used to maintain a signed-in session)
• A custom session cookie issued by our server-side authentication layer (Firebase Admin SDK), used to validate sign-in across server-rendered pages

First-party preference and draft storage (browser localStorage on the user's device):

• Accessibility preferences (font size, OpenDyslexic, simplified view, reduced motion, colour scheme, colourblind palette) -- mirrored from your account so preferences load instantly on next visit
• Assessment drafts (auto-saved while you complete an assessment, cleared when submitted or discarded)
• Dismissed announcement IDs (so dismissed in-application banners do not reappear)
• Development overrides backup (development environment only; never present in production)

Third-party content:

Our Service does not embed third-party content that places cookies. Profile avatars (DiceBear) are bundled with the application -- no third-party CDN call. Anonymous usage analytics (Umami) are cookieless.

Why no banner? All of the above are strictly necessary to provide the Service or first-party preference storage that you have set explicitly. UK PECR / ICO guidance does not require a consent banner for strictly necessary cookies. We will revisit this if we ever add non-essential tracking.

12. Third-Party Services and Links

Sub-processors:

Our Service relies on Google Cloud Platform (Firebase, including Firestore, Realtime Database, Cloud Functions, and Authentication) for infrastructure, Stripe Payments Europe for billing and payment processing, Netlify for web hosting, Zoho Desk for customer support ticketing, and (currently) Google Workspace for some internal email. These services have their own privacy policies:

• Google Cloud Privacy Policy: https://cloud.google.com/terms/cloud-privacy-notice
• Google Workspace Privacy Policy: https://workspace.google.com/terms/user_privacy_notice.html
• Stripe Privacy Policy: https://stripe.com/privacy
• Netlify Privacy Policy: https://www.netlify.com/privacy/
• Zoho Privacy Policy: https://www.zoho.com/privacy.html

We have Data Processing Agreements in place with Google that comply with UK GDPR.

External Links:

Our Service may contain links to external websites or resources. We are not responsible for the privacy practices of third-party websites. We encourage you to review the privacy policies of any external sites you visit.

13. Data Protection Impact Assessments (DPIAs)

Schools' Obligations:

Schools should conduct a Data Protection Impact Assessment (DPIA) before using the Sense Path Service if:

• The use is likely to result in high risk to children's rights and freedoms
• The use involves systematic and extensive profiling
• The use involves large-scale processing of special category data

Sensory needs assessments may involve processing data relating to health or disability, which may require a DPIA.

Our Assistance:

We will assist schools in conducting DPIAs by providing:

• Information about our technical and organizational security measures
• Information about sub-processors and their processing activities
• Documentation of data flows and processing purposes
• Risk mitigation strategies we have implemented
• Participation in meetings or discussions about DPIA findings

Contact us at contact@sensepath.org for DPIA assistance.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect:

• Changes in our practices
• Changes in legal requirements
• Changes in the Service
• Changes in sub-processors or infrastructure

Notification of Changes:

• We will notify schools of any material changes via email or through the application
• We will update the "Last Updated" date at the top of this policy
• For significant changes, we may require schools to review and accept the updated policy
• We will require schools to review and accept material updates to this Privacy Policy via an in-application acceptance gate, recorded against your user account (legalAccepted, legalAcceptedAt, legalVersion).

Your Continued Use:

Continued use of the Service after changes take effect constitutes acceptance of the updated Privacy Policy. If you do not agree with changes, you may terminate your account.

Archive of Previous Versions:

We will maintain an archive of previous versions of this Privacy Policy, available upon request.

15. Your Rights to Complain

If you have concerns about how we handle personal data, please contact us first at contact@sensepath.org. We will investigate and respond to your concerns.

Supervisory Authority:

You have the right to lodge a complaint with the UK's supervisory authority:

Information Commissioner's Office (ICO)
Website: https://ico.org.uk
Telephone: 0303 123 1113
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

For Schools:

If a parent or guardian complains to you about how their child's data is processed, you are responsible for responding as the Data Controller. We will assist you as needed.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us:

Email: contact@sensepath.org

Postal Address:
Sense Path Ltd
20 Shaw Road, Newhey, Rochdale, England, OL16 4LT
United Kingdom

Data Protection Contact:
For data protection inquiries: contact@sensepath.org

Response Time:
We aim to respond to all inquiries within 5 working days and will respond to data subject rights requests within one month as required by UK GDPR.

17. Legal Information

Data Controller (for school account data):
Sense Path Ltd
Company Registration Number: 15785318
Registered in England and Wales

Data Processor (for children's assessment data):
Sense Path Ltd processes children's data on behalf of schools under the terms of our Data Processing Agreement.

Governing Law:
This Privacy Policy and our data processing practices are governed by the laws of England and Wales.

Summary for Parents and Guardians

If you are a parent or guardian whose child's data is processed through Sense Path:

1. Your child's school is responsible for managing your child's data, not Sense Path Ltd directly
2. Contact your child's school to exercise data subject rights (access, rectification, erasure, etc.)
3. We provide technical services to the school and process data only on the school's instructions
4. We implement strong security to protect your child's data
5. Data stays in the UK/EEA - we do not transfer data internationally
6. Schools can use pseudonyms - full names are not required
7. If you have concerns, contact the school first, or contact us at contact@sensepath.org
8. Some Sense Path users are families -- if you are a parent, foster carer, kinship carer, legal guardian, or other family member using Sense Path with a child at home, you are the workspace Owner for your own data. The school-specific guidance above does not apply; contact us directly at contact@sensepath.org with any questions
9. You can export PDFs of your child's profile, assessments, plans, and circuits at any time from within the application

Last Updated: 13 May 2026
Version: 2.0 (B2B School Edition)