This policy explains what data we collect, why we collect it, how we use it, who we share it with, and your rights. It covers our website at sen.help and the services on it: the SEND Rights Quiz, the Get Matched service, our briefing and resource downloads, our checkout, and our professional directory.
We follow UK GDPR (the UK General Data Protection Regulation), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). The service is offered to parents and carers in England, because special educational needs and disability (SEND) law is specific to England. The data-protection rules above are UK-wide, and we meet them on that basis. So the service is scoped to England, but the data-protection obligations apply across the UK.
Who we are
SEN Help is the data controller for the personal data described in this policy. That means we decide what data we collect and why.
- Company: SEN Help Network Ltd
- Company number: 17277924 (registered in England and Wales)
- Registered office: 167-169 Great Portland Street, 5th Floor, London, W1W 5PF
- Trading name: SEN Help (sen.help)
- ICO registration number: ZC181865
- General contact: hello@sen.help
- Data-protection contact: privacy@sen.help (or hello@sen.help with "Data protection" in the subject line)
When this policy says "we", "us" or "our", it means SEN Help Network Ltd.
We are a small company and have not appointed a statutory Data Protection Officer (we are not required to). Data-protection accountability sits with our Designated Safeguarding Lead, who is also our data-protection point of contact. You can reach that role at the data-protection contact above.
What we collect
We try to collect as little as possible. Here is exactly what we collect and when.
If you are a parent
SEND Rights Quiz. When you take the quiz we collect:
- your email address (this is how we send your results)
- your Local Authority (the LA you are dealing with)
- your Yes / No answers about how the Local Authority has acted
Get Matched (our intake form). When you ask to be matched with a professional we collect:
- your name
- your email address
- the type of expert you need
- how urgent your situation is
- a short free-text description of your situation, capped at 200 characters
Briefing and resource downloads. When you download a briefing or guide we collect your email address so we can send it to you.
Checkout. When you buy a digital product we collect your email address and take payment through Stripe. We do not see or store your card number. Stripe handles the card details.
If you are a professional applying to the directory
When you apply to be listed, we collect:
- your name, email address and phone number
- your business name
- your HCPC or SRA registration number
- the areas you cover and your specialisms
- your website or LinkedIn address
- your years of experience
- your professional bio
- your declaration that you hold Professional Indemnity Insurance and an Enhanced DBS check
Website and technical data
- IP address. When you visit the site or submit a form, we collect your IP address. We use it for spam prevention and security.
- Cookies and analytics. If you accept analytics cookies, we collect usage data through Google Analytics. See the Cookies section below.
Data we create about you
When you take the quiz or use Get Matched, we create tags and segments about you based on your answers (for example, which Local Authority you are dealing with, and where you are in the SEND process). These tags help us send you the right help. Because they are based on what your answers reveal, we treat them with the same care as the rest of your special category data (see below). You can ask to see the tags we hold about you.
Special category data: the honest position
This is important, so we are going to be plain about it.
We do not ask for sensitive details about your child. We do not ask for your child's name, their diagnosis, their medical records, or their school. We cap the Get Matched description at 200 characters so you are not asked to write a case file.
But the law looks at what your data reveals, not just what we ask. When you take a SEND quiz or ask to be matched with a SEN professional, the answers reveal, by inference, that your child likely has special educational needs or a disability. In this context that reveals information about your child's health. Under UK GDPR Article 9, information that reveals a person's health, including by inference, is "special category data". It gets extra protection. We think it is more honest to tell you that this is how the law treats your data than to pretend the data is ordinary.
So here is what we rely on.
- We minimise. We keep what we ask to the smallest amount that lets us help you.
- We ask for your explicit consent under Article 9(2)(a) before you take the quiz or submit a Get Matched request. That is the condition the law requires for special category data.
- We also rely on consent as our lawful basis under Article 6(1)(a). The law needs both: a lawful basis under Article 6 and a separate condition under Article 9. For these flows, both are your consent.
What "explicit consent" means in practice. Before you take the quiz or use Get Matched, we show you a clear, separate statement and you actively agree to it. The thing that makes the consent "explicit" is the statement you confirm, not the tick on its own. The statement says, in plain words, that by continuing you agree we may handle information that can reveal your child likely has special educational needs or a disability (which in this context counts as health, a special category of data), so that we can give you your results or match you with a professional. You confirm that statement by ticking a box that starts unticked. It is not buried in a general "I accept the privacy policy" tick.
You can withdraw your consent at any time. It is as easy to withdraw as it was to give. Email the data-protection contact above and ask us to stop and to delete your data, or click "unsubscribe" in any email to stop marketing. Withdrawing does not undo anything we did lawfully before you withdrew, but it stops further processing and we will delete the special-category-by-inference data we hold for you, on the same timetable as unsubscribing (see "How long we keep it"), unless we have to keep some of it by law (for example, a payment record for HMRC) or for safeguarding (see below).
Why we collect it, and our lawful bases
| What we do | Why | Lawful basis (Article 6) | Article 9 condition |
|---|---|---|---|
| Send your quiz results and Local Authority information | So you get the answer you came for | Consent, Art 6(1)(a) | Explicit consent, Art 9(2)(a) |
| Match you with up to 3 verified professionals (Get Matched) | So a real expert can help you | Consent, Art 6(1)(a) | Explicit consent, Art 9(2)(a) |
| Send you the briefing or resource you asked for | To deliver what you requested | Consent, Art 6(1)(a) | Not applicable |
| Send you marketing emails, only if you opt in | To keep you informed | Consent, Art 6(1)(a) | n/a |
| Take payment for a product | To complete your purchase | Contract, Art 6(1)(b) | n/a |
| Keep payment records | Because UK tax law requires it | Legal obligation, Art 6(1)(c) | n/a |
| Verify a professional's HCPC or SRA registration | To keep the directory trustworthy | Legitimate interests, Art 6(1)(f), and contract once they list | n/a |
| List a verified professional in the directory | To run the directory they signed up to | Contract, Art 6(1)(b) | n/a |
| Spam prevention and site security | To protect the site and your data | Legitimate interests, Art 6(1)(f) | n/a |
| Review answers flagged by our safeguarding filter, and act on a safeguarding concern | To keep a child or adult at risk safe | Safeguarding grounds: a recognised legitimate interest (safeguarding vulnerable individuals, Art 6(1)(ea), added by the Data (Use and Access) Act 2025), or our legitimate interests, Art 6(1)(f); plus vital interests, Art 6(1)(d), in an emergency; and legal obligation, Art 6(1)(c), where the law itself requires us to share, for example a lawful information request from safeguarding partners or a court order | The safeguarding condition, Art 9(2)(g) with paragraph 18 of Schedule 1 to the Data Protection Act 2018; plus vital interests, Art 9(2)(c), in an emergency |
The safeguarding row is explained in plain English under "Safeguarding: when a human reads your answers" below. We do not rely on your consent for safeguarding, because that flow has to work even when acting on a concern is not what you would choose. It runs on the safeguarding grounds the law provides for exactly this situation, which we explain in plain terms below.
Safeguarding: when a human reads your answers
We run a service for families of children who may be at risk, so we have a safeguarding duty.
Your quiz and Get Matched answers, including the free-text description, pass through an automated safeguarding filter. If something you write suggests a child or adult may be at risk of harm, the filter flags it, and a person (our Designated Safeguarding Lead) reads that flagged item and decides what to do. They aim to review a flagged item within one working day.
Where a child or adult appears to be at risk, we may share information with the people who can help: your Local Authority children's services, the police, the Local Authority Designated Officer (LADO), or another statutory agency. We do not need, and do not ask for, your consent to do this, because safeguarding has to work even when sharing is not what you would choose. The law allows this: it recognises the safeguarding of children and adults at risk as a lawful reason to use and share information without consent, and it sets strict conditions when we do. We meet those conditions, we share only what is needed with the people who can help, and we record every decision. Our full approach is set out in our Safeguarding Policy.
This is the one situation where we may choose to pass your information to a public body; separately, we comply where a court or the law itself compels a disclosure. Outside those cases, we do not share your data with Local Authorities or any government body for any other purpose, and we never sell it.
Who we share it with
We do not sell your data. We do not share it with advertisers. The only time we share with a Local Authority or government body is a safeguarding concern, as set out above.
We use a small set of trusted providers (processors) to run the service. We share only what each one needs.
- Stripe processes payments. We do not store your card number; Stripe does. (stripe.com/privacy)
- FluentCRM holds our email list and sends our emails. It is self-hosted on our own server, so your email and tags stay on infrastructure we control.
- Google Workspace runs our business email (hello@sen.help and safeguarding@sen.help) and our file storage. Our Google Sheets sit within Google Workspace. (policies.google.com/privacy)
- Google Analytics 4 gives us usage statistics, and only loads if you accept analytics cookies. If you do not accept them, Google Analytics does not run at all on your visit.
- Discord receives internal staff notifications. When you submit a quiz, a Get Matched request or a purchase, our system posts an alert to a private staff channel so a human can act on it quickly. That alert can include your name, email and your short description. It is an internal operations message, not a public post, and it is not used for marketing.
- Google Sheets (within Google Workspace) holds attribution and performance metadata so we can see which pages and campaigns work. This tracker is meant to carry only non-identifying metadata, not your personal details.
- Verified professionals (Get Matched only). When verified professionals are listed and you submit a Get Matched request, and only with your explicit consent at that point, we will share your name, email and short description with up to 3 verified professionals who cover your Local Authority, so they can contact you to help. Those professionals are independent of us. Once we pass your details to them, each professional becomes responsible, as a separate data controller, for how they use your data, so please read the professional's own privacy terms before you engage them. At the time of writing, no professionals are yet listed, so this share is not active.
International transfers
Some of our providers are based in, or store data in, the United States. That includes Stripe, Google (Workspace, Google Sheets and Analytics) and Discord. When your data goes to a provider outside the UK, we rely on appropriate safeguards so it stays protected to UK standards.
Depending on the provider, that means either the UK Extension to the EU-US Data Privacy Framework (the "data bridge"), where the provider is certified under it, or the standard contractual protections the UK recognises (the UK International Data Transfer Agreement, or the EU Standard Contractual Clauses with the UK Addendum), backed by a transfer risk assessment.
Our own server, which holds the email list and the Get Matched records, is in the UK, so no overseas transfer arises for those.
How long we keep it
We keep your data only as long as we need it, then we delete it.
| What | How long we keep it | Why |
|---|---|---|
| Quiz email, Local Authority and answers | While you stay on our email list. Deleted within 30 days of you unsubscribing, withdrawing consent, or asking us to delete it. | To keep sending you relevant help while you want it |
| Get Matched request (name, email, description) | 12 months, then deleted, unless you have an ongoing relationship with a professional you found through us | To support the introduction while it is live |
| Segmentation tags we create about you | Same as the record they relate to, deleted with it | To send you the right help while you are on the list |
| Briefing / download email | While you stay on our email list. Deleted within 30 days of unsubscribing. | To send what you asked for and stay in touch if you opt in |
| Internal staff alerts (Discord) | Short-lived operations messages, cleared regularly; not a long-term store | So a human can act quickly, then it is no longer needed |
| Consent records (proof you consented, and to what) | Kept for as long as we rely on that consent, then deleted within a reasonable period | To show we obtained valid consent if asked |
| Professional profile | While the listing is active. Deleted within 30 days of the account closing. | To run the directory the professional signed up to |
| Payment records | 6 years | Required by UK tax law (HMRC) |
| Safeguarding records (where a concern was raised) | 7 years | Statutory retention norm for safeguarding records (see our Safeguarding Policy) |
| IP addresses (spam prevention) | Deleted after 30 days | Short-term security only |
The 7-year safeguarding period overrides the shorter quiz and Get Matched periods, but only for the specific records tied to a safeguarding concern. If a concern is raised about your case, we keep the records of that concern for 7 years even after the rest of your data is deleted, because we are required to.
When you pass your details to a matched professional, that professional keeps your data under their own retention rules, which we do not control. The periods above are for the data we hold.
If you withdraw consent or ask us to delete your data, we will, except where the law requires us to keep a specific record (such as a payment record for HMRC) or where a safeguarding duty applies.
Your rights
Under UK GDPR you have the right to:
- Be informed about how we use your data (that is what this policy is for).
- Access your data and get a copy of it, including any tags or segments we have created about you.
- Rectify data that is wrong or incomplete.
- Erase your data (the "right to be forgotten").
- Restrict how we use your data.
- Data portability: get your data in a machine-readable format.
- Object to us using your data, including for marketing.
- Withdraw consent at any time, as easily as you gave it. Consent is the main basis we rely on, including for the core quiz and Get Matched processing, not only for marketing. So you can withdraw your consent to the quiz and Get Matched processing as well as to marketing emails.
- Complain to the Information Commissioner's Office (the ICO). See Complaints below.
Some rights have limits. For example, where we must keep a payment record for HMRC, or a safeguarding record by law, we cannot delete it on request. We will always explain if a limit applies.
To use any of these rights, email the data-protection contact above. We will respond within one month. There is no charge in normal cases.
Children's data
SEN Help is built for parents and carers, not for children. We do not design the service for children to use, and we do not knowingly collect data directly from a child. If you are a young person aged 16 or over using the service about your own situation, the consent you give covers your own information, and this policy applies to you in the same way. The service does, however, process information that, by inference, concerns children, and we handle that under Article 9 as set out above. Our safeguarding scope covers under-18s who are reached through the service or through a listed professional.
The law gives children's data extra protection, and so do we. Under the Data (Use and Access) Act 2025, services that children are likely to use must build in higher protection for children by design (this duty came into force on 5 February 2026). Our service is about children's needs even though our users are adults, so we take that protection seriously: we minimise what we collect, we treat the data the quiz and Get Matched reveal as special category data, and we have assessed the risks in a data protection impact assessment.
Data breaches
No system is ever perfectly secure. If a personal data breach happens, we have a process to deal with it: we will detect and contain it, assess the risk to you, and keep a record of it.
Where the law requires it, we will report a breach to the ICO within 72 hours of becoming aware of it. Where a breach is likely to put you at high risk, we will tell you without undue delay, in plain language, and explain what you can do.
If you think your data may have been exposed, tell us at the data-protection contact above.
Cookies
Cookies are small text files stored on your device when you visit a site. They help a site work, remember your choices, and let the owner see how the site is used. Under PECR, we only set non-essential cookies after you agree to them.
sen.help uses cookies in three categories. You choose which categories you allow when you first visit, and you can change your mind at any time.
Strictly necessary
These are required for the site to work and cannot be turned off. They include:
- sen_cookie_consent: remembers your cookie choices for 12 months so we do not ask you on every page.
- WordPress session and security tokens: keep forms secure and remember you within a single visit.
- Stripe checkout cookies: when you go to checkout, Stripe may set its own cookies for payment security and fraud prevention.
Analytics
These help us understand how visitors use the site so we can improve it. We use Google Analytics 4. Analytics cookies load only after you accept them. When they load, GA4 sets identifiers and processes online identifiers (such as a randomly assigned ID and your IP address, handled under Google's terms). It is not fully anonymous: it uses identifiers to tell visits apart. The cookies are:
- _ga: tells unique users apart (expires after 2 years).
- _ga_1YGHDNQ45V: keeps Google Analytics session state (expires after 2 years).
If you do not accept analytics cookies, Google Analytics does not load at all on your visit.
Marketing
This category is for cookies that show relevant content and measure marketing. We do not currently set any marketing cookies.
Changing your preferences
You can change your cookie preferences at any time using the Cookie Preferences link on the site. Your choice is stored for 12 months. After that, or if you clear your browser cookies, we will ask again on your next visit. We do not use advertising cookies, tracking pixels, or retargeting cookies.
How we keep your data secure
We protect your data with:
- HTTPS encryption (SSL/TLS) on every page
- payment processing through Stripe, which is PCI DSS compliant, so card details never touch our servers
- access controls that limit who can see personal data
- regular encrypted backups, kept off the public web root
No system is ever perfectly secure, but we take reasonable steps to protect your data and we keep them under review.
Changes to this policy
We may update this policy from time to time. The "Last Updated" date at the top will always show the latest version. If we make a significant change, we will tell registered users by email.
Complaints
If you think we have got something wrong with your data, you have the right to complain directly to us, and we want you to. Email privacy@sen.help with “Complaint” in the subject line, or write to our registered office, and tell us what has gone wrong in your own words; there is no special form you have to use. We will acknowledge your complaint within 30 days (in practice much sooner), look into it properly, keep you updated on progress, and tell you the outcome without undue delay. This is your legal right under the Data Protection Act 2018 (section 164A), and using it never affects any other right you have.
You also have the right to complain to the Information Commissioner's Office (the ICO), the UK regulator for data protection.
- Our ICO registration number: ZC181865
- Website: ico.org.uk
- Phone: 0303 123 1113
Contact
For any question about your privacy or this policy, email our data-protection contact at privacy@sen.help (or hello@sen.help with "Data protection" in the subject line).
For a safeguarding concern, email safeguarding@sen.help.