Skip to main content
EdPsych Connect
Back to Home

Privacy Policy

Last updated: January 2026

Decision Support

Review the data categories, then use the rights section to request access or changes.

Focus: data categories, rights, contact.

1. Introduction

EdPsych Connect Limited ("we", "our", "us") is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our educational psychology platform.

As a provider of services to educational institutions and professionals in the UK, we adhere to the highest standards of data protection, including compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and relevant education sector guidance.

2. Information We Collect

2.1 Information You Provide Directly

  • Account Information: Name, email address, organisation, role, and professional credentials
  • Assessment Data: ECCA assessment responses, observations, and results for students/clients
  • EHCP Information: Education Health and Care Plan content, amendments, and reviews
  • Case Management Data: Student information, intervention plans, progress notes
  • Training Records: Course enrollments, completion data, CPD hours, certificates
  • Payment Information: Billing address and payment details (processed securely through Stripe)

2.2 Information Collected Automatically

  • Usage Data: Features accessed, time spent, actions taken within the platform
  • Technical Data: IP address, browser type, device information, operating system
  • Analytics Data: Platform usage patterns, feature engagement, performance metrics

3. How We Use Your Information

3.1 Primary Purposes

  • Providing and improving our educational psychology services
  • Conducting ECCA cognitive assessments and generating professional reports
  • Managing EHCP workflows, tracking amendments and reviews
  • Delivering training courses and tracking CPD hours
  • Facilitating intervention planning and progress monitoring
  • Processing payments and managing subscriptions
  • Providing customer support and responding to inquiries

3.2 Legal Basis for Processing (UK GDPR)

  • Contract Performance: Processing necessary to provide our services
  • Legal Obligation: Compliance with UK education and data protection laws
  • Legitimate Interests: Platform improvement, security, fraud prevention
  • Consent: Marketing communications and optional features (where required)

4. Special Category Data (Sensitive Personal Information)

We process special category data, including information about children's health, special educational needs, and disabilities. This processing is necessary for:

  • Provision of health or social care services (GDPR Article 9(2)(h))
  • Purposes of safeguarding (DPA 2018 Schedule 1, Part 2)
  • Compliance with legal obligations in the education sector

We implement appropriate safeguards including encryption, access controls, and staff training to protect this sensitive information.

5. Data Sharing and Disclosure

5.1 Within Your Organisation

For institutional subscriptions, data is shared with authorised users within your local authority or school as configured by your administrator.

5.2 Third-Party Service Providers

We use carefully selected third-party service providers (subprocessors). Some are always required to deliver the service, while others are optional and depend on tenant configuration or feature enablement.

Active (Core Service)

  • Hosting/Edge Runtime: Vercel (region configured per deployment)
  • Database: Neon (PostgreSQL)
  • Payment Processing: Stripe (PCI DSS compliant)
  • Email Delivery: Twilio SendGrid (transactional email)
  • Media Delivery: Cloudinary (video storage/CDN)

Optional/Conditional (Feature-Dependent)

  • AI Assistance: Anthropic Claude, OpenAI, Google Gemini, xAI (only if enabled)
  • Video Generation: HeyGen (only if enabled)
  • Caching/Rate Limiting: Upstash/Vercel KV or Redis (only if configured)
  • Monitoring/Analytics: AWS CloudWatch, Sentry, Google Analytics (only if enabled)

We maintain a subprocessor register and will provide details on request. All active subprocessors are bound by data processing agreements and are required to meet UK GDPR obligations.

5.3 Legal Requirements

We may disclose information when required by law, court order, or to protect the rights, safety, and security of individuals, particularly in safeguarding contexts.

6. Data Retention

  • Assessment Records: Retained for 7 years after last access (aligned with professional guidelines)
  • EHCP Documents: Retained as per local authority retention schedules
  • Training Records: Retained for 7 years for CPD verification purposes
  • Account Data: Retained for duration of active subscription plus 2 years
  • Marketing Data: Until consent is withdrawn or 3 years of inactivity

7. Your Rights Under UK GDPR

You have the following rights:

  • Right to Access: Request copies of your personal data
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request deletion (subject to legal retention requirements)
  • Right to Restrict Processing: Limit how we use your data
  • Right to Data Portability: Receive data in a structured format
  • Right to Object: Object to processing based on legitimate interests
  • Rights Related to Automated Decision-Making: Challenge AI-assisted assessments

To exercise these rights, contact us at privacy@edpsychconnect.com

8. Security Measures

  • End-to-end encryption for data in transit (TLS 1.3)
  • Encryption at rest for all database storage
  • Multi-factor authentication options
  • Regular security audits and penetration testing
  • Staff training on data protection and confidentiality
  • Role-based access controls
  • Audit logging of all data access

9. Children's Privacy

Our platform is designed for use by educational professionals, not directly by children under 13. When professionals use our platform to assess or support children, they must obtain appropriate consent from parents/guardians and comply with relevant safeguarding policies.

10. International Data Transfers

Some service providers may process data outside the UK/EEA. Where international transfers occur, we use appropriate safeguards such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, as applicable. Details of safeguards and the current subprocessor list are available on request.

11. Cookies and Tracking Technologies

We use essential cookies for platform functionality and optional cookies for analytics. You can manage cookie preferences through your browser settings. For detailed information, see our Cookie Policy.

12. Changes to This Policy

We may update this Privacy Policy periodically. Significant changes will be communicated via email and platform notifications. Continued use after changes indicates acceptance of the updated policy.

13. Contact Us

For privacy-related questions or to exercise your rights:

  • Email: privacy@edpsychconnect.com
  • Data Protection Officer: Dr Scott Ighavongbe-Patrick
  • Address: EdPsych Connect Limited, 38 Buckingham View, Chesham, Buckinghamshire, HP5 3HA
  • Company Number: 14989115 (Registered in England and Wales)

14. Regulatory Authority

You have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection:

Professional Standards: As HCPC registered professionals, we adhere to the Standards of Conduct, Performance and Ethics, including specific requirements around confidentiality and information governance. All data handling complies with BPS Code of Ethics and Conduct.

Terms of Service >Back to Home >