Privacy Policy
Last updated: 1 February 2026
1. Who We Are
SENScribe AI is a registered business name (No. 780366) of Celtic Convergence Limited, a company registered in Ireland.
| Trading As | SENScribe AI (Business Name No. 780366) |
| Legal Entity | Celtic Convergence Limited (CRO 781714) |
| Registered Address | 65 Strand View, Dublin 5, D05 H9K8, Ireland |
| Data Protection Contact | hello@senscribe.ie |
| Data Protection Officer | Yash Kumar (Founder) |
SENScribe AI is the data controller responsible for your personal data when you use SENScribe.
2. Data We Collect
We collect the following categories of personal data:
2.1 Account Information
- Email address: used for authentication and communication
- Name: for personalisation (if provided)
- School affiliation: to verify you are a teacher (during approval)
2.2 Usage Data
- Session tokens: to keep you logged in
- Usage count: to enforce fair use limits
- Timestamps: when you access the service
2.3 Data You Provide for AI Generation
When using SENScribe to generate Student Support File drafts, you may input information about students. We do not store this data. See Section 5: AI Processing for details.
3. How We Use Your Data
We use your personal data for the following specific purposes:
| Purpose | Data Used |
|---|---|
| Account creation & authentication | Email, name, hashed password |
| Sending verification & password reset emails | |
| Generating Student Support File drafts | Information you input (not stored) |
| Enforcing fair use limits | Usage count |
| Product updates (with consent) | |
| Website analytics & improvement | Anonymised usage data via Google Analytics |
4. Legal Basis for Processing
Under GDPR, we must have a lawful basis for processing your personal data. We rely on the following:
| Legal Basis | Applies To |
|---|---|
| Contract (GDPR Art. 6(1)(b)) | Account creation, authentication, providing the SENScribe service |
| Consent (GDPR Art. 6(1)(a)) | Marketing emails, product updates, analytics cookies |
| Legitimate Interest (GDPR Art. 6(1)(f)) | Service security, fraud prevention, service improvement |
5. AI Processing & Student Data
✓ Zero-Knowledge Architecture: We Never See Student Names or Diagnoses
SENScribe uses client-side PII redaction and condition generalisation - student names and specific diagnoses are detected and replaced entirely within your web browser before any data leaves your device. Names become anonymous placeholders like [PERSON_1], and conditions like "ADHD" become functional descriptions like "attention regulation needs". Our servers literally cannot see student names or specific diagnoses because they are replaced before transmission.
How AI Processing Works
- You enter student information into SENScribe
- Your browser detects and replaces all names with anonymous placeholders (e.g., "Seán" → [PERSON_1])
- Your browser generalises specific diagnoses to functional descriptions (e.g., "ADHD" → "attention regulation needs")
- The name-to-placeholder mapping is stored only in your browser's memory - never transmitted
- Only the fully anonymised and generalised text is sent to our server and Azure OpenAI (GPT-4.1) within the European Union data zone
- The AI generates a draft using the anonymous placeholders and generalised needs
- Your browser restores the real names from its local memory when displaying the result
- We never store any student information, the placeholder mapping, or the generated draft
Why This Matters (GDPR Article 9 Bypass)
Educational data linked to identifiable students is considered Special Category Dataunder GDPR Article 9, which has strict processing requirements. Our zero-knowledge architectureeliminates this concern entirely - because student names and specific diagnoses never leave your browser, our servers only process anonymous text with generalised functional descriptions that have no link to any identifiable person. This means:
- SENScribe never processes identifiable health-related educational data
- Specific diagnoses are replaced with functional categories that reduce re-identification risk
- GDPR Article 9 restrictions do not apply to our server-side processing
- We exceed GDPR Article 5(1)(c) data minimisation requirements
- This is the strongest possible privacy architecture for an AI writing tool
Your Responsibilities as a Teacher
As the user entering student data, you are responsible for ensuring you have appropriate authorisation from your school to use SENScribe for this purpose. We recommend:
- Obtaining approval from your school's Data Protection Lead
- Using only the minimum necessary student information
- Not sharing generated drafts inappropriately
6. Who We Share Data With
We share your data with the following third-party service providers who act as data processors on our behalf:
| Provider | Purpose | Data Shared |
|---|---|---|
| Microsoft Azure (Cosmos DB) | Database hosting | Account data, sessions |
| Microsoft Azure OpenAI | AI generation | Anonymised prompts only (student names replaced with [PERSON_N] placeholders in your browser before transmission) |
| Microsoft Azure Communication Services | Email delivery (primary) | Email address |
| Resend | Email delivery (fallback) | Email address |
| Google Analytics | Website analytics | Anonymised usage data |
We do not sell your personal data to third parties.
7. International Data Transfers
Your data is processed within the European Economic Area (EEA):
- Azure Cosmos DB: North Europe (Ireland)
- Azure OpenAI: European Union data zone (DataZoneStandard deployment, resource in West Europe)
- Azure Communication Services: Europe (primary email provider)
Some service providers (Google, Resend) may process data in the United States. Resend is used only as a fallback email provider if our primary provider (Azure Communication Services) is temporarily unavailable. Where US processing occurs, transfers are protected by:
- EU-US Data Privacy Framework (for certified companies)
- Standard Contractual Clauses (SCCs)
8. Data Retention
We retain your data for the following periods:
| Data Type | Retention Period |
|---|---|
| User account data | 12 months after last activity, then automatically deleted |
| Session tokens | 30 days, then automatically expire |
| AI-generated content | Not stored by SENScribe (streamed directly to your browser) |
| Student names | Never transmitted (redacted in your browser before sending) |
| Anonymised input text | Not stored by SENScribe (processed in-memory only) |
| Anonymised prompts (Azure abuse monitoring) | Up to 30 days by Microsoft for abuse detection (see Azure documentation) |
Note: Microsoft Azure OpenAI may retain anonymised prompts for up to 30 days for abuse monitoring purposes. Since student names are replaced with placeholders in your browser before transmission, this only affects anonymous text. Human review is conducted by EEA-based Microsoft employees for resources deployed in Europe.
9. Your Rights
Under GDPR, you have the following rights regarding your personal data:
- Right of Access: Request a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate data
- Right to Erasure: Request deletion of your data ("right to be forgotten")
- Right to Restrict Processing: Request we limit how we use your data
- Right to Object: Object to processing based on legitimate interests
- Right to Data Portability: Receive your data in a portable format
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
To exercise any of these rights, email us at hello@senscribe.ie. We will respond within one month as required by GDPR.
11. Security Measures
We protect your data using industry-standard security measures:
- Encryption in transit: All data is transmitted over HTTPS/TLS 1.2+
- Encryption at rest: Database encryption provided by Azure (AES-256)
- Secure password storage: Passwords hashed with scrypt (never stored in plaintext)
- Access controls: Limited access to production systems
- EU data residency: Data stored in North Europe (Ireland) and processed within the European Union data zone
12. Children's Data
SENScribe is designed for use by teachers aged 18 and over only. We do not knowingly collect personal data directly from children.
When teachers use SENScribe to generate Student Support File drafts, they may enter information about students. As described in Section 5, this information is not stored by SENScribe.
Teachers are responsible for ensuring they have appropriate authorisation to process student data through SENScribe.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify registered users by email for significant changes
We encourage you to review this page periodically for the latest information.
14. Contact Us
If you have any questions about this Privacy Policy or how we handle your data, please contact us:
SENScribe AI
Data Protection Officer: Yash Kumar
Email: hello@senscribe.ie
Address: 65 Strand View, Dublin 5, D05 H9K8, Ireland
15. Complaints
If you are not satisfied with our response to a data protection concern, you have the right to lodge a complaint with the Irish Data Protection Commission:
Data Protection Commission
21 Fitzwilliam Square South
Dublin 2, D02 RD28
Ireland
Website: www.dataprotection.ie
Email: info@dataprotection.ie