Sendix is an EHCP compliance platform built for SENCOs and special educational needs professionals in England. We help verify that Section F provisions in Education, Health and Care Plans meet the specificity requirements of the Children and Families Act 2014.
The data controller is Sendix AI Ltd. For data protection queries, contact privacy@sendix.ai.
Sendix is designed from the ground up to minimise the personal data it handles. Here is exactly what we process and why:
| Data | Purpose | Retention |
|---|---|---|
| Your name and work email address | Account creation and authentication | Until account deletion |
| Section F text from uploaded EHCPs | SVE compliance analysis | 90 days, then automatically deleted |
| Drafted provision text | Storing your work in progress | 30 days after you delete it |
| Audit trail events | Legal record of verification steps | Linked to document; deleted with it |
| Student first name (Draft Door only) | Personalising drafted provisions | In-memory only; never stored |
When you upload a PDF or DOCX to the Audit Door, the file bytes are held in memory only for the duration of the parsing step — typically under one second. The raw file is immediately discarded. We store only the extracted, PII-scrubbed Section F text, which has structured identifiers (NHS numbers, UPNs, dates of birth, postcodes) automatically removed before anything is written to our database.
Sendix uses Azure Foundry models hosted exclusively in the UK South region. Before any text is sent to an AI model, our redaction layer removes the student's name and replaces it with a placeholder token. Structured identifiers (NHS numbers, UPNs, postcodes, dates of birth) are removed by a separate PII scrubber. The AI model never sees a child's real name or identifying numbers.
Azure Foundry does not use customer data to train its models. Prompts and completions may be retained by Microsoft for up to 30 days for abuse monitoring purposes. Sendix has applied to opt out of this retention for its production resource deployments.
We process your account data and EHCP text on the basis of legitimate interests(Article 6(1)(f) UK GDPR) — specifically, providing the compliance verification service you have signed up for. Section F text is Special Category data (Article 9) relating to a child's health and educational needs; we process it under Article 9(2)(g) (substantial public interest) and the Education (Special Educational Needs and Disability) (SEND) framework obligations.
Each school must sign a Data Processing Agreement (DPA) with Sendix before any live child data is processed. Contact privacy@sendix.ai to request your school's DPA.
Under UK GDPR you have the right to access, rectify, or erase your personal data, to restrict processing, and to data portability. You also have the right to object to processing based on legitimate interests.
To exercise any of these rights, email privacy@sendix.ai. We will respond within 30 days. If you are unsatisfied with our response you may lodge a complaint with the Information Commissioner's Office (ICO).
Sendix uses the minimum number of cookies necessary to operate the service:
| Cookie | Type | Purpose |
|---|---|---|
| next-auth.session-token | Session · HttpOnly · Secure | Keeps you logged in during your browser session |
| next-auth.csrf-token | Session · HttpOnly · Secure | Prevents cross-site request forgery |
We do not use tracking cookies, advertising cookies, or any third-party analytics that set cookies. Sentry (our error monitoring service) operates without cookies.
We will notify registered users by email of any material changes to this policy at least 14 days before they take effect. The version date at the top of this page reflects when the policy was last updated.