OMNIAInclusion

Privacy policy

Last updated · 1 June 2026Version 1.1OMNIA Inclusion Ltd · Co. no. 17228173
Ask a question

Privacy policy

Last updated: 1 June 2026 Version: 1.1 (founding-schools draft — solicitor review pending before first paying contract)

Plain-English summary (not legally binding — the sections below are.)

  • Who we are: OMNIA Inclusion Ltd, a UK company building a SEND platform for schools.
  • What we collect: pupil + staff data the school chooses to put in OMNIA; technical logs; account contacts.
  • Why: to deliver the service the school has commissioned.
  • Our role: processor for pupil data (the school is controller); controller only for our own account contacts.
  • Where the data lives: EEA (Ireland, AWS eu-west-1). See sub-processors.
  • How long we keep it: see retention schedule.
  • Your rights: access, correction, deletion, portability, objection. Email privacy@omnia-inclusion.com — 30-day SLA.

1. Who we are

OMNIA Inclusion Ltd ("OMNIA", "we", "us") is a SEND-platform provider registered in England & Wales (company no. 17228173). Our registered contact for privacy matters is:

  • Privacy Lead: Tom Stear (founder)
  • Email: privacy@omnia-inclusion.com
  • Post: OMNIA Inclusion Ltd, 169 High Street, Marske-by-the-Sea, Redcar & Cleveland, TS11 7LN, United Kingdom (registered office)
  • ICO registration: no. 00014144622 (UK Information Commissioner's Office)

Other contacts:

If we cannot resolve a complaint to your satisfaction, you have the right to escalate to the UK Information Commissioner's Office at https://ico.org.uk/make-a-complaint/.

We are not required under UK GDPR Art. 37 to appoint a Data Protection Officer; the founder acts as the named Privacy Lead and is the first point of contact for all data-protection enquiries.

2. Our role under UK GDPR

In almost all cases OMNIA acts as a data processor on behalf of the school, who is the data controller for pupil, parent and staff personal data they enter into the platform. The school determines what is recorded and why; we process it on their documented instructions, set out in the Data Processing Agreement (DPA) signed at onboarding.

We act as a data controller only for:

  • our own marketing list (people who register interest on this website)
  • our own staff and contractors
  • prospect / customer contact information for billing and support

3. What personal data we process (as processor, on behalf of schools)

  • Pupil identity: name, date of birth, year group, photo (optional), UPN, ULN, gender, language, SEND category, EHCP status
  • Pupil records: inclusion plans, PEEPs, access arrangements, parental consent, voice responses, intervention notes, assessment scores
  • Pupil-linked staff: keyworker, class teacher, SENCo allocations
  • Staff identity: name, work email, job title, role within the school
  • Parent contact: name, email, phone (only when entered for parent-voice or comms)
  • Audit logs: who read, exported or shared what, when

We avoid collecting special-category data beyond what is operationally necessary for SEND planning (e.g. health and disability information that the school already lawfully holds for safeguarding and inclusion).

4. What personal data we process as controller

  • Marketing-list: name, email, school, role, free-text message
  • Billing: invoicing contact name, email, school billing address
  • Support: contents of any email or in-app message you send us

5. Lawful basis

ProcessingBasis
Pupil and staff data (on behalf of school)School's basis under UK GDPR Art. 6(1)(e) public task, with Art. 9(2)(g) substantial public interest for special-category data
Marketing listConsent (Art. 6(1)(a)) — you opt in on this website
Billing / contract adminContract performance (Art. 6(1)(b))
Service security and abuse-prevention logsLegitimate interest (Art. 6(1)(f))

6. Where data is stored

All personal data processed by OMNIA is stored within the European Economic Area (EEA) on Supabase infrastructure at AWS eu-west-1 (Ireland). Transfers from the United Kingdom to Ireland are covered by the UK Government's adequacy regulations for the EEA. No additional safeguards or Standard Contractual Clauses are required for this transfer.

For schools in the UAE: the Republic of Ireland is on the UAE Data Office's accepted list for cross-border transfers. No additional safeguards are required for UAE school data stored in Ireland.

OMNIA does not store personal data in any country outside the EEA.

Operational detail:

  • Database and storage: AWS eu-west-1 (Ireland), via Lovable Cloud (Supabase). Encrypted at rest (AES-256) and in transit (TLS 1.2+).
  • Application runtime: Cloudflare Workers (edge). No pupil data is persisted at the edge; request bodies pass through in memory only.
  • AI calls (standard mode): Lovable AI Gateway, which routes to Google (Gemini) and OpenAI. Outbound prompts are passed through a server-side PII scrubber before they leave our infrastructure. See /legal/sub-processors.
  • AI calls (BYOK mode, Connected tier opt-in): routed to the school's own Anthropic or Azure OpenAI account in the school's chosen region (e.g. UAE North, UK South). That region may be outside the UK and EEA — the school chooses and accepts that residency decision under its own DPA with the provider. The school's API key is AES-256-GCM encrypted at rest and never returned to the browser.
  • Specialist Support Prompts: read only data the school has already documented in OMNIA; surface professionally-framed prompts to qualified staff; never visible to parents or pupils; never make clinical claims; every accept / reject logged in the audit trail.
  • Email: transactional email is sent via the school's own Microsoft 365 tenant where the Microsoft Graph integration is enabled, or via our transactional provider.

7. How long we keep it

For pupil data we follow the school's retention instructions; our default retention rules are documented at /legal/retention. Headline:

  • Pupil record: on roll + 7 years
  • Plan share-link views: 180 days
  • Audit log: 730 days
  • Marketing list: until you unsubscribe, or 24 months of inactivity

8. Your rights

If you are a data subject whose data is held in OMNIA on behalf of a school, please contact your school first — they are the controller. We will support the school in fulfilling any rights request (access, rectification, erasure, restriction, portability, objection). The platform includes a Download data pack and Erase pupil record action for SENCo / admin users.

For data we hold as controller (marketing, billing), email privacy@omnia-inclusion.com.

You have the right to complain to the UK Information Commissioner's Office (https://ico.org.uk) at any time.

9. Security

A summary of our technical and organisational measures is at /legal/security. Highlights: Row-Level Security per school, mandatory MFA for admin roles, hashed PINs for public links, tamper-evident audit log, secret rotation policy, and a published DPIA.

10. Cookies

We use only essential cookies — see /legal/cookies.

11. Changes to this policy

We will email schools at least 14 days before any material change to this policy. The current version and changelog live at this URL.

Version history

VersionDateChange
1.018 May 2026Initial publication.
1.11 June 2026Added BYOK (Anthropic / Azure OpenAI) AI routing and region disclosure; added Specialist Support Prompts disclosure.

Questions, corrections or a formal data-protection request? Email hello@omnia-inclusion.com. We aim to respond within 5 working days; statutory rights requests are answered within 30 days.

Back to all policies

© 2026 OMNIA Inclusion Ltd. Registered in England & Wales · Company no. 17228173 · 169 High Street, Marske-by-the-Sea, Redcar & Cleveland, TS11 7LN, United Kingdom.