Back home# Privacy policy
**Last updated:** 18 May 2026
**Version:** 1.0 (founding-schools draft — solicitor review pending before first paying contract)
> **Plain-English summary** *(not legally binding — the sections below
> are.)*
>
> - **Who we are:** OMNIA Inclusion Ltd, a UK company building a SEND
> platform for schools.
> - **What we collect:** pupil + staff data the school chooses to put
> in OMNIA; technical logs; account contacts.
> - **Why:** to deliver the service the school has commissioned.
> - **Our role:** *processor* for pupil data (the school is
> controller); *controller* only for our own account contacts.
> - **Where the data lives:** EEA (Ireland, AWS eu-west-1). See
> [sub-processors](/legal/sub-processors).
> - **How long we keep it:** see [retention schedule](/legal/retention).
> - **Your rights:** access, correction, deletion, portability,
> objection. Email privacy@omnia-inclusion.com — 30-day SLA.
## 1. Who we are
OMNIA Inclusion Ltd ("OMNIA", "we", "us") is a SEND-platform provider
registered in England & Wales (company no. 17228173). Our
registered contact for privacy matters is:
- **Privacy Lead:** Tom Stear (founder)
- **Email:** privacy@omnia-inclusion.com
- **Post:** OMNIA Inclusion Ltd, 169 High Street, Marske-by-the-Sea, Redcar & Cleveland, TS11 7LN, United Kingdom (registered office)
- **ICO registration:** no. ZC151647 (UK Information Commissioner's Office)
**Other contacts:**
- **dpo@omnia-inclusion.com** — data-subject rights (access, rectification, erasure, portability)
- **security@omnia-inclusion.com** — vulnerability disclosure / security researchers (see also `/.well-known/security.txt`)
- **complaints@omnia-inclusion.com** — formal complaints about how we've handled your data or service
- **legal@omnia-inclusion.com** — legal notices, contract queries, regulatory correspondence
- **omnia.abuse@omnia-inclusion.com** — misuse, spam complaints, takedown requests
If we cannot resolve a complaint to your satisfaction, you have the right
to escalate to the UK Information Commissioner's Office at
https://ico.org.uk/make-a-complaint/.
We are **not** required under UK GDPR Art. 37 to appoint a Data Protection
Officer; the founder acts as the named Privacy Lead and is the first
point of contact for all data-protection enquiries.
## 2. Our role under UK GDPR
In almost all cases OMNIA acts as a **data processor** on behalf of the
school, who is the **data controller** for pupil, parent and staff
personal data they enter into the platform. The school determines what is
recorded and why; we process it on their documented instructions, set out
in the Data Processing Agreement (DPA) signed at onboarding.
We act as a **data controller** only for:
- our own marketing list (people who register interest on this website)
- our own staff and contractors
- prospect / customer contact information for billing and support
## 3. What personal data we process (as processor, on behalf of schools)
- Pupil identity: name, date of birth, year group, photo (optional), UPN,
ULN, gender, language, SEND category, EHCP status
- Pupil records: inclusion plans, PEEPs, access arrangements, parental
consent, voice responses, intervention notes, assessment scores
- Pupil-linked staff: keyworker, class teacher, SENCo allocations
- Staff identity: name, work email, job title, role within the school
- Parent contact: name, email, phone (only when entered for parent-voice
or comms)
- Audit logs: who read, exported or shared what, when
We avoid collecting special-category data beyond what is operationally
necessary for SEND planning (e.g. health and disability information that
the school already lawfully holds for safeguarding and inclusion).
## 4. What personal data we process as controller
- Marketing-list: name, email, school, role, free-text message
- Billing: invoicing contact name, email, school billing address
- Support: contents of any email or in-app message you send us
## 5. Lawful basis
| Processing | Basis |
|---|---|
| Pupil and staff data (on behalf of school) | School's basis under UK GDPR Art. 6(1)(e) public task, with Art. 9(2)(g) substantial public interest for special-category data |
| Marketing list | Consent (Art. 6(1)(a)) — you opt in on this website |
| Billing / contract admin | Contract performance (Art. 6(1)(b)) |
| Service security and abuse-prevention logs | Legitimate interest (Art. 6(1)(f)) |
## 6. Where data is stored
All personal data processed by OMNIA is stored within the European
Economic Area (EEA) on Supabase infrastructure at **AWS eu-west-1
(Ireland)**. Transfers from the United Kingdom to Ireland are covered by
the UK Government's adequacy regulations for the EEA. **No additional
safeguards or Standard Contractual Clauses are required for this
transfer.**
For schools in the UAE: the Republic of Ireland is on the UAE Data
Office's accepted list for cross-border transfers. No additional
safeguards are required for UAE school data stored in Ireland.
**OMNIA does not store personal data in any country outside the EEA.**
Operational detail:
- **Database and storage:** AWS eu-west-1 (Ireland), via Lovable Cloud
(Supabase). Encrypted at rest (AES-256) and in transit (TLS 1.2+).
- **Application runtime:** Cloudflare Workers (edge). No pupil data is
persisted at the edge; request bodies pass through in memory only.
- **AI calls:** Lovable AI Gateway, which routes to Google (Gemini) and
OpenAI. Outbound prompts are passed through a server-side PII scrubber
before they leave our infrastructure. See `/legal/sub-processors`.
- **Email:** transactional email is sent via the school's own Microsoft 365
tenant where the Microsoft Graph integration is enabled, or via our
transactional provider.
## 7. How long we keep it
For pupil data we follow the school's retention instructions; our default
retention rules are documented at `/legal/retention`. Headline:
- Pupil record: on roll + 7 years
- Plan share-link views: 180 days
- Audit log: 730 days
- Marketing list: until you unsubscribe, or 24 months of inactivity
## 8. Your rights
If you are a data subject whose data is held in OMNIA on behalf of a
school, please contact your school first — they are the controller. We
will support the school in fulfilling any rights request (access,
rectification, erasure, restriction, portability, objection). The platform
includes a **Download data pack** and **Erase pupil record** action for
SENCo / admin users.
For data we hold as controller (marketing, billing), email
**privacy@omnia-inclusion.com**.
You have the right to complain to the UK Information Commissioner's
Office (https://ico.org.uk) at any time.
## 9. Security
A summary of our technical and organisational measures is at
`/legal/security`. Highlights: Row-Level Security per school, mandatory
MFA for admin roles, hashed PINs for public links, tamper-evident audit
log, secret rotation policy, and a published DPIA.
## 10. Cookies
We use only essential cookies — see `/legal/cookies`.
## 11. Changes to this policy
We will email schools at least 14 days before any material change to this
policy. The current version and changelog live at this URL.
---
## Version history
| Version | Date | Change |
| --- | --- | --- |
| 1.0 | 18 May 2026 | Initial publication. |
OMNIA AssistantBeta · here to help
Hi, I'm the OMNIA Assistant. Ask me about plans, pupils, or how to use the app.