Privacy Policy

Last updated: April 2026

1. Who we are

EHCP Expert is operated by Creative Sauce Ltd (company number 12582512), registered in England and Wales. We are the data controller for the personal data you provide through www.ehcpexpert.co.uk. You can contact our data protection lead at hello@ehcpexpert.co.uk.

2. What data we collect

| Data type | When collected | Why |
| --- | --- | --- |
| Name, email address | When you sign up, download the free PDF, or create an account | To provide the service and send you EHCP tips (you can unsubscribe any time) |
| Case information (child's needs, LA correspondence, letters) | When you use the case tracker and letter generator | To provide AI-generated letters and case tracking |
| Payment information | When you purchase access | Payment is processed by Stripe - we do not store your card details |
| Usage data (pages visited, features used) | Automatically when you use the site | To improve the service and fix issues |

3. Legal basis for processing

We process your data under the following legal bases as defined by UK GDPR: contract performance (to provide the service you have paid for or signed up to), legitimate interest (to improve the service, send relevant EHCP tips, and protect against fraud), and consent (for marketing emails, which you can withdraw at any time by clicking "unsubscribe" in any email).

4. How we use your data

We use your data to provide the EHCP Expert service, generate letters and case analysis, send you relevant EHCP updates and tips (if you have opted in), process payments, and improve the service. We never sell your data to third parties. We do not use your case data to train AI models.

5. Who we share data with

We share data only with the following processors, all of whom have appropriate data processing agreements in place: Supabase (database hosting, EU servers), Stripe (payment processing), and Vercel (website hosting). We do not share your personal data with any other third parties unless required by law.

6. Data security

All data is transmitted over HTTPS. Case data and personal information are stored in a Supabase PostgreSQL database with row-level security (RLS) enabled, meaning users can only access their own data. Payment data is handled entirely by Stripe and never touches our servers.

7. Data retention

Account and case data is retained for as long as your account is active. If you request account deletion, all your data will be permanently deleted within 30 days. Email subscriber data (name and email from PDF downloads) is retained until you unsubscribe, after which it is deleted within 30 days.

8. Your rights under UK GDPR

You have the right to access your personal data, rectify inaccurate data, erase your data ("right to be forgotten"), restrict or object to processing, receive your data in a structured format (data portability), and withdraw consent at any time. To exercise any of these rights, email hello@ehcpexpert.co.uk. We will respond within 30 days.

9. Cookies

EHCP Expert uses only essential cookies required for the service to function (authentication tokens, session management). We do not use advertising cookies or third-party tracking cookies. No cookie consent banner is required because we only use strictly necessary cookies.

10. Children's data

EHCP Expert is used by parents and carers on behalf of their children. We understand the sensitivity of SEND-related information. Case data about children is treated with the highest level of care and is only accessible to the account holder. We comply with all UK data protection requirements relating to children's data.

11. International transfers

Your data is primarily processed within the EU/UK. Where data is transferred outside the EU/UK (for example, to US-based processors like Stripe and Vercel), appropriate safeguards are in place including Standard Contractual Clauses.

12. Safeguarding

EHCP Expert takes safeguarding extremely seriously. Our AI chatbot and letter generator are designed exclusively for EHCP and SEND law guidance. They will not engage in casual conversation, provide medical advice, discuss medications or prescriptions, or offer mental health counselling.

We implement multiple layers of safeguarding: a pre-flight content filter that intercepts crisis-related messages before they reach the AI, strict topic boundaries within the AI system itself, and clear signposting to appropriate support services. If our system detects that a user may be experiencing a mental health crisis, it will immediately pause the EHCP conversation and provide contact details for the Samaritans (116 123), NHS 111, and emergency services (999).

No conversation data flagged by our safeguarding system is sent to the AI for processing. Crisis responses are handled at the server level before any AI interaction occurs.

If you are concerned about a child's immediate safety or welfare, please contact your local authority children's services, call the NSPCC helpline on 0808 800 5000, or call 999 in an emergency.

13. Changes to this policy

We may update this privacy policy from time to time. Significant changes will be communicated via the email address associated with your account. The "last updated" date at the top of this page will always reflect the most recent version.

14. Complaints

If you are unhappy with how we handle your data, please contact us first at hello@ehcpexpert.co.uk. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.