1. About this policy
This privacy policy explains how Heyelsi Ltd ("Heyelsi", "we", "us", "our") collects and uses personal information when you visit our website or use the Elsi app. It applies to both heyelsi.co and the Elsi mobile application distributed through Apple's App Store.
If you have any questions about this policy or how we handle personal information, please contact us at hello@heyelsi.co.
2. Who we are
Heyelsi Ltd is a company registered in England and Wales. We build Elsi, a platform that helps schools support children with special educational needs and disabilities (SEND).
When schools use Elsi, the school is the data controller for information about its pupils and staff. Heyelsi acts as a data processor on the school's behalf, under a written Data Processing Agreement.
When you visit our website or contact us directly, Heyelsi is the data controller for that interaction.
3. What information we collect
When you visit our website (heyelsi.co)
Our website does not use cookies, analytics, advertising trackers, or any third-party scripts. We do not collect personal information when you browse our site.
If you contact us through the website (for example by emailing us), we will hold your message and contact details for the purpose of responding.
When you use the Elsi app
The Elsi app is only available to school staff invited by their school administrator. We do not allow public sign-up.
When school staff use Elsi, the following types of information may be processed:
- Account information: name, email address, role, and the school the user belongs to.
- Authentication information: encrypted password and multi-factor authentication enrolment.
- Pupil information (entered by the school): pupil name, year group, primary areas of need, EHCP and IEP content, professional reports (e.g. OT, SLT, EP), parent contributions, and staff observations.
- Audit information: records of which user accessed which pupil profile, when, and what action was taken. These records do not contain pupil information — only the action.
Pupil information is special category data under UK GDPR. We process it on behalf of the school, and only on the school's documented instructions.
4. Children's data
The Elsi app is not used by children directly. Children do not have accounts and cannot interact with the platform.
Information about children is recorded by school staff in the course of providing SEND support, and is processed in accordance with the school's statutory duties under the Children and Families Act 2014 and the SEND Code of Practice.
We follow the principles of the ICO's Age Appropriate Design Code ("Children's Code") in how we design and operate the platform, including data minimisation, secure handling, and no profiling that would have legal or similarly significant effects on a child.
5. Why we hold this information
We process information for the following purposes:
- To provide the Elsi service to schools. This is the core purpose — recording observations, surfacing strategy suggestions from a curated library, and helping staff understand and support each pupil's needs.
- To keep the platform secure. Authentication, audit logging, and incident response.
- To improve the platform. We use aggregated and anonymised usage information to understand what works and what doesn't. We do not use any pupil information for product development without explicit instruction from the school.
- To respond to enquiries. If you contact us, we use your details to reply.
6. Lawful basis
We rely on the following lawful bases under UK GDPR:
- Schools processing pupil information through Elsi: the school's own lawful basis — typically public task (Article 6(1)(e)) and, for special category data, the conditions in Article 9(2)(g) (substantial public interest, supported by the Data Protection Act 2018 Schedule 1).
- Heyelsi processing pupil information on the school's behalf: the written Data Processing Agreement with the school.
- Website enquiries and general business contact: legitimate interest in responding to people who contact us (Article 6(1)(f)).
7. How we use AI
Elsi uses artificial intelligence in three limited ways, all within the platform:
- Matching staff observations to a curated library of SEND strategies authored by SEND specialists, so relevant suggestions can be surfaced at the point of need. The AI does not invent strategies.
- Producing written summaries when staff ask questions about a pupil, drawing only on information already in the pupil's profile.
- Identifying simple patterns across observations (for example, recurring triggers or strategies that appear to be helping) so staff can review them.
Before any pupil information is sent to our AI service, it is automatically processed to remove personal identifiers (surnames, dates of birth, NHS numbers, UPNs, school names, addresses, phone numbers, and email addresses). Only first names are retained, on advice that this is necessary for the AI's responses to be useful and is proportionate to the purpose.
The AI service we use (Microsoft Azure OpenAI) operates under a Data Processing Agreement that prohibits secondary use, training on customer data, and onward sharing.
All AI outputs are advisory. They are presented to staff as information to consider — they do not make decisions, do not directly affect a pupil, and do not have legal or similarly significant effects on any individual. Decisions about pupil support are always made by school staff.
8. Who we share information with
We share information only as necessary to operate Elsi.
Sub-processors (third parties acting on our instructions):
| Sub-processor | Purpose | Location |
|---|---|---|
| Microsoft Corporation (Azure OpenAI & Azure AI Language) | AI features and personal-identifier redaction | Sweden, EU |
| Supabase Inc. (running on Amazon Web Services) | Database, authentication, serverless functions | UK (London) |
Both sub-processors operate under formal Data Processing Agreements that include UK GDPR and UK Data Protection Act 2018 commitments. The DPA with each sub-processor prohibits use of customer data for any purpose other than providing the contracted service. We will notify schools in advance of any change to sub-processors.
We do not sell personal information. We do not share personal information with advertisers, data brokers, or any party not listed above. We do not allow third parties to use Elsi data for their own purposes.
9. Where information is held
All personal information processed through Elsi is held in UK and EEA jurisdictions only:
- Database, authentication, and serverless functions: UK (London region), via Supabase running on Amazon Web Services.
- AI services: EU (Sweden), via Microsoft Azure.
Both jurisdictions are covered by UK GDPR adequacy. Information is not transferred to any other country.
10. How we protect information
We take security seriously. The technical and organisational measures we have in place include:
- Encryption of all data in transit (TLS 1.2 or higher) and at rest (AES-256).
- Role-based access controls so users only see information appropriate to their role.
- Multi-factor authentication mandatory for all users — this cannot be skipped or disabled.
- Audit logging of every action involving pupil information, with logs reviewable by school administrators.
- Automatic session timeout after 15 minutes of inactivity, to protect shared classroom devices.
- Daily backups of all pupil data by our cloud providers.
- A documented breach response process — we will inform the affected school without undue delay and within UK GDPR timeframes.
Heyelsi does not currently hold ISO 27001 or Cyber Essentials certification — this is on our post-pilot roadmap. Our underlying cloud providers (Microsoft Azure and Amazon Web Services) hold ISO 27001 certification, and Microsoft Azure additionally holds ISO 27018 and appears on the UK Government G-Cloud framework.
11. How long we keep information
Pupil information is retained for as long as the school instructs us to retain it, in line with the school's own SEND retention schedule and statutory requirements. When a pupil leaves the school, or when the school's contract with Heyelsi ends, the school's data is deleted in accordance with the agreed retention terms.
Audit logs are retained for the duration of the school's use of Elsi and for a reasonable period afterwards to support breach investigation, then deleted.
Information from website enquiries is retained only for as long as needed to respond and then for a short period afterwards.
12. Your rights
Under UK GDPR you have the right to:
- Access the personal information we hold about you.
- Rectify information that is inaccurate or incomplete.
- Erase information ("right to be forgotten"), in certain circumstances.
- Restrict how we use your information.
- Object to certain types of processing.
- Data portability — receive information you have given us in a structured, commonly used, machine-readable format.
Because pupil information in Elsi is controlled by the school (not by Heyelsi directly), requests about a pupil's information should be made to the school in the first instance. We will support the school in responding to your request.
For information about your own use of Elsi (as a staff member) or about a website enquiry you have made, you can contact us directly at hello@heyelsi.co.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at any time. Their website is ico.org.uk.
13. Changes to this policy
We may update this policy from time to time. The "last updated" date at the top will reflect any changes. Material changes will be communicated to schools through the Data Processing Agreement variation process. Material changes affecting website visitors will be reflected in the published version of this policy.
14. Contact
Heyelsi Ltd
Email: hello@heyelsi.co
Web: heyelsi.co