Sendo

Privacy Policy

At Sendo, a service provided by Sidekick Digital Limited, we take your privacy—and the privacy of your child's sensitive educational and health information—extremely seriously. This Privacy Policy explains how we collect, use, store, and protect your data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who We Are (Data Controller)

The Data Controller responsible for your personal data is:

Sidekick Digital Limited
Unit A, James Carter Road
Bury St Edmunds
Suffolk
IP28 7DE
United Kingdom

Company No: 08897147

Privacy contact: hello@sidekickdigital.co.uk

We are not required to appoint a formal Data Protection Officer; however, you may contact our privacy lead at the email above with any questions or requests.

2. The Data We Collect

We collect the following categories of personal data:

2.1. Account Data

  • Name (if provided)
  • Email address
  • Encrypted password
  • Payment records (provided via Stripe; we do not store card details)
  • Support messages
  • Login logs, IP address, device information, and security metadata

2.2. Special Category Data (Children's Data)

Documents you upload may include:

  • EHCPs
  • Educational Psychology Reports
  • Medical reports
  • Diagnostic reports (ASD/ADHD/SLT/OT)
  • Behaviour logs
  • School assessments

These documents may contain highly sensitive health, developmental, behavioural, educational, or genetic information belonging to a child.

2.3. Cookies & Session Data

  • Essential session cookies (used only to keep you logged in)
  • No advertising cookies
  • No third-party tracking cookies

3. Our Legal Bases for Processing

| Processing Activity | Data Type | Legal Basis (UK GDPR) |
|---|---|---|
| Creating and managing your account | Account Data | Article 6(1)(b) – Contract |
| Providing the Sendo service | Account Data / Special Category Data | Contract (Art 6(1)(b)) + Explicit Consent (Art 9(2)(a)) |
| AI processing of uploaded reports | Special Category Data | Explicit Consent (Art 9(2)(a)) |
| Payments via Stripe | Account Data / Billing Data | Legitimate Interests (fraud prevention) + Contract |
| System security, logs, backups | Account Data / Metadata | Legitimate Interests (security & fraud prevention) |
| Customer support | Account & Uploaded Data | Legitimate Interests (service delivery) |
| Communications (password resets, service emails) | Account Data | Contract |

You may withdraw consent at any time by deleting the documents from your Vault or closing your account.

4. How We Use AI & Third-Party Sub-Processors

To provide our services, we use carefully selected and vetted sub-processors. We conduct Data Protection Impact Assessments (DPIAs) for all AI-related processing.

4.1. Supabase (EU/UK)

  • Secure hosting and encrypted database storage.
  • AES-256 encryption at rest.
  • TLS in transit.
  • Row-Level Security ensuring only you can view your files.

4.2. OpenAI (United States)

We send document content to the OpenAI API for analysis.

Important protections:

  • We have opted out of all model training.
  • OpenAI retains data for a maximum of 30 days for abuse-monitoring only.
  • After 30 days, OpenAI permanently deletes the data.
  • Transfer mechanism: ICO-approved International Data Transfer Addendum to the EU SCCs (Standard Contractual Clauses).
  • Only the minimum necessary text is sent for analysis.

4.3. Stripe (Global)

  • Handles payments securely.
  • We never see or store your card details.
  • Stripe is PCI-DSS compliant.

5. Data Retention

5.1. Uploaded Documents

  • Automatically deleted 30 days after your audit is generated.
  • You may manually delete them sooner.

5.2. Generated Reports

Retained in your account until you delete them or close your account.

5.3. Account Data

Stored while your account remains active. Deleted 30 days after account closure.

5.4. Payment and Financial Records

Retained for 6 years as required by HMRC.

5.5. Logs and Backups

  • Security logs retained for up to 90 days.
  • Encrypted backups retained for up to 30 days, then overwritten.

6. Security Measures

We use multiple layers of enterprise-grade security:

  • AES-256 encryption at rest
  • TLS/SSL encryption in transit
  • Role-Based and Row-Level Security
  • Password hashing using industry-standard algorithms
  • Regular penetration testing and security audit reviews
  • Principle of least privilege for all internal systems

Although no online service can guarantee absolute security, we take all reasonable steps to protect your data.

7. Your Rights

Under the UK GDPR, you have the following rights:

  • Right of Access – Request a copy of the data we hold.
  • Right to Rectification – Correct inaccurate data.
  • Right to Erasure ("Right to be Forgotten") – Delete your account and all associated data.
  • Right to Restrict Processing – Limit how your data is used.
  • Right to Data Portability – Request your data in a machine-readable format.
  • Right to Object – Object to processing based on Legitimate Interests.
  • Right to Withdraw Consent – Withdraw explicit consent for uploaded documents.
  • Rights relating to Automated Decision-Making – We do not carry out automated decisions producing legal or significant effects.

To exercise any of these rights, contact us at hello@sidekickdigital.co.uk.

You also have the right to lodge a complaint with:

Information Commissioner's Office (ICO)
ico.org.uk

8. Children's Data

Sendo is used by adults (parents and professionals). Children must not create accounts.

Parents/legal guardians are responsible for ensuring they have lawful authority to upload a child's documents.

We apply enhanced safeguards to children's data including:

  • Encryption
  • Strict retention limits
  • DPIAs
  • Isolation of user data

9. Cookies

We use only essential cookies to maintain account sessions and provide the Service.

  • No advertising cookies
  • No behavioural tracking
  • No analytics cookies unless explicitly stated

Because we only use strictly necessary cookies, a cookie banner is not required under PECR.

10. International Data Transfers

Where data is transferred outside the UK (e.g., to OpenAI in the US), we rely on:

  • UK International Data Transfer Addendum
  • EU Standard Contractual Clauses
  • Additional technical and organisational safeguards

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or dashboard notification.

12. Contact Us

If you have any questions or concerns about how we process your personal data, contact:

hello@sidekickdigital.co.uk