SEN Tools← Back to home

Privacy Policy

Last updated: March 2026

1. Introduction

The Anthill Group (“we”, “our”, or “us”) is committed to protecting the privacy and personal data of all users, particularly the vulnerable children whose information may be processed through our services. This Privacy Policy explains how we collect, use, store, and protect your information when you use our SEN Tools platform.

Important: Source files you upload are stored securely and encrypted only while the tool is processing your request. Once your requested downloads are available, source files are automatically deleted. We do not retain source documents beyond the running of the tool.

2. Data Controller Information

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, The Anthill Group is the data controller responsible for your personal data.

ICO Registration Number: ZB945587

3. Types of Data We Process

3.1 Personal Data (Account Holders Only)

  • Professional contact information (name, email, organisation)
  • Account preferences and settings
  • Usage history and saved documents (if applicable)

3.2 Temporary Processing Data (All Users)

  • Uploaded documents for immediate processing
  • Extracted text and analysis results
  • Session data for current processing only

3.3 Special Category Data

  • Information about children's health, education, and care needs
  • Special educational needs and disabilities (SEND) information
  • Medical and therapeutic information
  • Behavioural and psychological assessments

4. Legal Basis for Processing

We process your data based on the following legal grounds:

  • Legitimate Interest: Providing educational support tools to professionals
  • Contract Performance: Delivering the services you request
  • Legal Obligation: Complying with UK data protection laws
  • Vital Interests: Protecting the welfare of vulnerable children

For special category data (Article 9 UK GDPR), the applicable conditions are:

  • Article 9(2)(g): Substantial public interest, relying on Schedule 1, Paragraph 6 (statutory and government purposes) and Paragraph 18 (safeguarding of children and individuals at risk) of the Data Protection Act 2018
  • Article 9(2)(h): Health or social care purposes

5. How We Use Your Data

We use your data to:

  • Provide EHCP extraction and analysis services
  • Process uploaded documents and generate structured outputs
  • Improve our tools and services
  • Ensure security and prevent fraud
  • Comply with legal and regulatory requirements

6. Data Anonymisation (Anonymisation Bridge)

SEN Tools employs a server-side Anonymisation Bridge that automatically detects and tokenises all personally identifiable information (PII) before any document text is sent to AI providers. The categories of PII that are tokenised include:

  • Names (children, staff, family members, and other individuals)
  • Dates of birth and other date patterns
  • UK postcodes
  • Phone numbers
  • Email addresses
  • NHS numbers
  • Unique Pupil Numbers (UPNs)

Each piece of PII is replaced with a neutral token (for example, “Jayden” becomes “[NAME_1]” and “Mrs Thompson” becomes “[NAME_2]”). The AI provider only ever receives this tokenised, anonymised text and never sees real names or personal details. After the AI returns its response (still containing only tokens), our servers restore the real values from an in-memory vault that is immediately destroyed.

This means no personal data ever leaves our UK infrastructure, regardless of which underlying AI model we use.

7. Data Sharing and Third Parties

We do not sell, trade, or rent your personal data to third parties. We may share data only with:

  • AI service providers (e.g. OpenAI, Anthropic) for document processing — these providers only receive anonymised, tokenised text with all PII removed by our Anonymisation Bridge
  • Cloud infrastructure providers (Supabase, UK-hosted) for secure encrypted storage
  • Vercel for frontend hosting and serverless function execution (UK region for functions; global CDN for static assets only)
  • Legal authorities when required by law

A full sub-processor register is available on request by contacting privacy@theanthill.co.uk.

8. Data Security and Protection

We implement comprehensive security measures including:

  • End-to-end encryption for data in transit (HTTPS/TLS 1.2+) and at rest (AES-256 via Supabase)
  • Anonymisation Bridge ensuring no PII reaches third-party AI providers
  • Secure cloud infrastructure with UK data residency
  • Role-based access controls and authentication requirements
  • Data minimisation and purpose limitation

9. Data Retention and Deletion

We retain your data only as long as necessary:

  • Uploaded source files: Stored encrypted during processing; automatically deleted once requested downloads are available
  • Anonymisation vault: Held in server memory only; destroyed immediately after de-anonymisation
  • Processing data: Deleted immediately after processing completion
  • Session data: Deleted when browser session ends
  • Account information: Retained only for account holders while account is active; deleted within 30 days of account closure

10. Your Rights Under UK GDPR

You have the following rights:

  • Right of Access: Request a copy of your personal data
  • Right to Rectification: Correct inaccurate data
  • Right to Erasure: Request deletion of your data
  • Right to Restrict Processing: Limit how we use your data
  • Right to Data Portability: Receive your data in a portable format
  • Right to Object: Object to certain types of processing

11. Children's Data Protection

We recognise the sensitive nature of children's data and implement additional safeguards:

  • Anonymisation Bridge ensures no children's PII reaches third-party AI providers
  • Source files automatically deleted once requested downloads are available
  • No retention of source documents beyond the running of the tool
  • Immediate destruction of the in-memory anonymisation vault after each processing request

12. International Data Transfers

Document text sent to AI providers is first anonymised by our Anonymisation Bridge, which removes all personally identifiable information. Only tokenised, anonymous text is transmitted to AI providers, which may process it on infrastructure outside the UK. No real PII leaves our UK-based infrastructure. All personal data (uploaded files, account data, anonymisation vaults) remains on UK-hosted servers (Supabase UK — AWS eu-west-2, London).

13. Cookies and Tracking

We use essential cookies for security and functionality. We do not use tracking cookies or third-party analytics that could compromise the privacy of vulnerable children's data.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes via email or through our website. Continued use of our services constitutes acceptance of the updated policy.

15. Contact Information

If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us:

Data Protection Officer

The Anthill Group

ICO Registration: ZB945587

Email: privacy@theanthill.co.uk

Address: 13a Park Street, Minehead, Somerset, United Kingdom, TA24 5NQ

16. Complaints

If you believe we have not handled your data appropriately, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Website: ico.org.uk

Helpline: 0303 123 1113