Privacy Charter
Alongside SEND: Your Data, Your Control
Last updated: June 2026 | Version 2.1
Our Privacy Promise
We will never:
- ❌ Store your conversations in our database
- ❌ Sell your data to third parties
- ❌ Use your health information for advertising
- ❌ Share your data without your explicit consent (except where legally required)
We will always:
- ✅ Keep your conversations private (held in your browser only)
- ✅ Encrypt all data in transit (HTTPS/TLS)
- ✅ Give you control over your data (deletion, access, portability)
- ✅ Be transparent about who processes your data and why
What We Collect
When You Register for Free Access
- Email address (to send you your access link and for support purposes)
When You Use an Agent
Metadata only:
- Timestamp of each message (when you used the service)
- Message count (to enforce rate limit: 30 messages/hour)
- Which agent you used (Asha, etc.)
- Your access token (a random code, not linked to your name)
What We Do NOT Collect
- ❌ Conversation content - Your messages to the agent are NOT stored by us
- ❌ Your name (unless you include it in your email address)
- ❌ Your location (IP addresses logged by hosting provider for security only)
- ❌ Browsing history (no tracking cookies or analytics)
Where Your Data Goes
Your Conversations (In Transit Only)
When you send a message to an agent:
- Your browser → Holds full conversation (localStorage)
- Our server (Netlify Functions) → Routes message to Anthropic
- Anthropic (Claude AI) → Processes message, generates response
- Our server → Passes response back to your browser
- Your browser → Displays response
Your Metadata (Stored)
Supabase (PostgreSQL database, US-based):
- Access token
- Email address
- Message counts
- Timestamps
- Retention: 90 days after access expires, then deleted
- Safeguards: Standard Contractual Clauses (SCC) for GDPR compliance
Your Donation Data (If You Choose to Donate)
Asha is completely free to use. If you choose to make a voluntary donation:
- Stripe (payment processor) handles all donation data
- We receive confirmation that a donation was made (amount and timestamp)
- We do NOT see your card details (Stripe encrypts this)
- Donation records retained for 7 years (UK accounting law requirement)
Third-Party Processors
We only share data with processors who act on our instructions:
| Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Anthropic | AI message processing (Claude API) | USA | Standard Contractual Clauses (SCC) |
| Supabase | Metadata storage (access tokens, timestamps) | USA | Standard Contractual Clauses (SCC) |
| Netlify | Website hosting (server logs only) | USA | Standard Contractual Clauses (SCC) |
| Stripe | Donation processing (voluntary donations only) | USA | PCI-DSS compliant + Standard Contractual Clauses (SCC) |
Special Category Data (Your Health Information)
What is "Special Category Data"?
Under UK GDPR, health information is given extra protection. This includes:
- Medical conditions (cancer, stroke, diabetes, etc.)
- Symptoms or treatment experiences
- Mental health information
- SEND diagnosis or ADHD details (for Asha)
- Documents you share (GP letters, test results, etc.)
Why We Can Process It
Legal basis: Explicit consent (UK GDPR Article 9(2)(a))
When you register for free access, you explicitly consent to:
- Sharing health information with the agent (processed by Anthropic)
- Us logging metadata about your usage (timestamps, message counts)
- Anthropic processing your messages to generate responses
You can withdraw consent at any time by emailing hello@alongsidesend.co.uk - but this means you can no longer use the service.
Your Data Rights
Under UK data protection law, you have:
✅ Right of Access
Request a copy of data we hold about you.
What you'll receive:
- Your email address
- Access token ID
- Registration date
- Message count and timestamps
- ❌ NOT your conversation content (we don't store it)
✅ Right to Erasure ("Right to be Forgotten")
Ask us to delete your data.
We will delete:
- Your email address
- Access token (disabling your access)
- All metadata (message counts, timestamps)
✅ Right to Rectification
Correct inaccurate data.
Example: If your email address is wrong, we can update it.
✅ Right to Data Portability
Get your data in a machine-readable format.
We'll send you a JSON file containing:
- Email address
- Registration date
- Message counts and timestamps
✅ Right to Object
Object to processing based on legitimate interests.
You can object to us logging metadata (but this means we can't enforce rate limits, so access would be suspended).
✅ Right to Withdraw Consent
Change your mind about processing special category health data.
Email us at any time - we'll delete your data within 30 days (subject to legal retention).
How We Protect Your Data
Technical Security
- Encryption in transit: HTTPS/TLS for all connections
- Token-based authentication: No passwords (stateless access via URL fragment)
- Content Security Policy: Prevents code injection attacks
- No persistent cookies: We don't track you across sessions
- Rate limiting: Prevents abuse (30 messages/hour)
Organisational Security
- Access controls: Only founder (Judith Reece) can access database
- No data sharing: We have no commercial data-sharing partnerships
- Annual review: Security posture reviewed yearly
Limitations
No internet service is 100% secure. If you have concerns about a specific security issue, please contact hello@alongsidesend.co.uk immediately.
Data Retention
| Data Type | How Long We Keep It | Why |
|---|---|---|
| Conversation content | Never stored | Privacy by design |
| Email address + access token | 90 days after access expires | Allow renewal, then auto-delete |
| Message counts + timestamps | 90 days after access expires | Usage analytics, then auto-delete |
| Donation records (Stripe) | 7 years | UK accounting law (legal obligation) |
| Server logs (Netlify) | 30 days | Security monitoring (Netlify policy) |
International Data Transfers
Why Your Data Leaves the UK
All our third-party processors are based in the United States. The UK does not have an "adequacy decision" for the US (meaning the UK government doesn't automatically trust US data protection laws).
How We Protect International Transfers
Standard Contractual Clauses (SCCs):
- Legally binding contracts approved by UK GDPR
- Require US processors to apply UK-equivalent protections
- Give you enforceable rights
Processors covered by SCCs:
- Anthropic (AI processing)
- Supabase (metadata storage)
- Netlify (hosting)
- Stripe (donation processing - also has own compliance framework)
Children and Vulnerable Users
Asha (SEND Agent)
Designed for parent/carer use, not direct use by children.
Safeguarding measures:
- Keyword detection for child protection concerns ("hitting", "scared of", "not safe")
- Agent prompts trained to recognise harm disclosure
- Metadata alerts logged (founder reviews within 24 hours)
- Signposting to NSPCC (0808 800 5000) and local safeguarding teams
Cookies and Tracking
We Do NOT Use:
- ❌ Google Analytics or similar tracking
- ❌ Advertising cookies
- ❌ Third-party tracking pixels
- ❌ Social media embeds (that track you)
What We Use:
- ✅ localStorage (browser-side only): Stores your conversation in your browser, never sent to our server
- ✅ Session storage (temporary): Holds access token during use, deleted when you close tab
You can clear this anytime: Browser settings → Clear site data for alongsidesend.co.uk
Changes to This Charter
When We Update It
- Legal requirements change (e.g., new UK GDPR guidance)
- We add new features (e.g., new agent launch)
- User feedback suggests clarity improvements
- ORCHA assessment recommendations
How You'll Know
- "Last updated" date at top of this page
- Material changes (e.g., new data sharing): We'll email you 30 days before
- Minor changes (e.g., typo fixes): No notification
Current version: 2.1 (June 2026)
Regulatory Compliance
ICO Registration
- Registration number: ZC132813
- Data controller: Reece Advisory Ltd
- Registered address: Lynton House, 7-12 Tavistock Square, London WC1H 9BQ
Legal Framework
- UK GDPR (General Data Protection Regulation)
- Data Protection Act 2018
- Privacy and Electronic Communications Regulations (PECR)
Right to Complain
Unhappy with how we handle your data?
- Contact us first: hello@alongsidesend.co.uk (we want to fix it!)
- Complain to ICO:
- Website: ico.org.uk
- Phone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow SK9 5AF
Contact Us
Questions about your data?
- Email: hello@alongsidesend.co.uk (monitored daily)
- Post: Reece Advisory Ltd, Lynton House, 7-12 Tavistock Square, London WC1H 9BQ
- Response time: Within 30 days (usually much faster)
Data requests: Please specify which right you're exercising (access, erasure, etc.) and include your email address (to verify identity).
Our Commitment
"We built Alongside SEND because we believe every parent deserves compassionate support when navigating the SEND system. Your trust is the foundation of that mission. We will never compromise your privacy for profit."
— Judith Reece, Founder
This Privacy Charter sits alongside our full Privacy Policy (legal document at alongsidesend.co.uk/privacy).