Privacy Notice
Last updated: 21 April 2026
This Privacy Notice explains how The Session Data Company Ltd ("we", "us", "our") handles personal data when you visit sessiondata.ai, get in touch with us, or use the sessiondata.ai platform (the "Platform").
We take privacy seriously. This Notice is written in plain English. If anything is unclear, email us at hello@sessiondata.ai.
Who we are
The Session Data Company Ltd is a company registered in England & Wales. We are the controller of personal data covered by this Notice, unless stated otherwise below.
- Email: hello@sessiondata.ai
- Website: https://sessiondata.ai
Quick summary — who this Notice is for
This Notice covers four groups of people. Use the section that fits you:
- Visitors to our website — you browsed sessiondata.ai or read our marketing content
- Prospects and leads — you got in touch with us about using sessiondata for your organisation
- Client administrators and users — your organisation uses sessiondata and you log in to manage or use it
- Participants — your organisation has invited you to give feedback through sessiondata
If you are a participant, an important note first: when your organisation runs a session or programme on sessiondata, they decide what data to collect and how it's used internally. In that context, your organisation is the data controller and we are the data processor acting on their instructions. Questions about why you've been asked, what they'll do with your responses, or how long they'll keep them should go to your organisation. Questions about the Platform itself (security, your data rights, anything technical) can come to us.
1. Website visitors
What we collect
When you visit sessiondata.ai, we collect:
- Basic technical data — IP address, browser type, device type, pages visited, timestamps
- Cookie data — see our Cookie section below
Why we use it
- To keep the website running and secure
- To understand broadly how people use it so we can improve it
Legal basis
Legitimate interest — running and improving our website. You can object at any time by contacting us.
How long we keep it
Server and analytics logs: typically 12 months. Cookies: see the Cookie section.
2. Prospects and leads
What we collect
If you contact us, request a demo, sign up for updates, or use one of our free tools (such as the Learning ROI calculator):
- Name
- Business email
- Organisation name
- Role / job title
- Anything else you choose to share in your message
- The figures you enter into a tool and the result it produces — kept only so we can email that result to you
Why we use it
- To respond to your enquiry
- To email you the result of a tool you asked us to send
- To follow up about sessiondata where relevant
- To send you occasional updates only if you've ticked the opt-in box
Legal basis
- Legitimate interest — responding to enquiries and conducting reasonable business-to-business outreach
- Consent — for any marketing emails you've opted into; you can withdraw consent at any time
How long we keep it
Up to 24 months from our last meaningful contact, then deleted or anonymised unless you become a client.
3. Client administrators and users
What we collect
When your organisation uses sessiondata and you have an account:
- Name
- Work email
- Role / job title
- Organisation
- Login and access logs
- Any content you create or upload (e.g. session configurations, notes)
Why we use it
- To give you access to the Platform
- To keep your account secure
- To support you when you ask
- To send essential service communications (for example, security or outage notices)
Legal basis
- Contract — the agreement between us and your organisation
- Legitimate interest — security, support, and running the Platform
How long we keep it
For the duration of your organisation's subscription, plus the retention windows set out in our Client Terms and DPA (typically data is exportable for 30 days after termination, deleted from active systems within 60 days, and purged from backups within 90 days).
4. Participants
What we collect
If you've been invited by an organisation to give feedback through sessiondata:
- Your name and email (provided by the organisation that invited you)
- Your role or job title (if provided)
- Your responses to surveys and prompts
- Any written reflections you share
- Basic usage data (when you logged in, which sessions you took part in)
Who decides what happens with your data
The organisation that invited you is the data controller. They decide:
- Which questions to ask
- Who in their organisation sees your responses
- How your feedback is used after the session
- How long they keep it
We are the data processor. We handle your data on their instructions and in line with our Data Processing Agreement with them.
Legal basis
The organisation that invited you is responsible for having a lawful basis to process your data — usually legitimate interest (for professional development and programme feedback) or contract. If you want to understand the specific basis, ask the organisation directly.
How long we keep it
For as long as the organisation instructs us to. When their subscription ends or they ask us to delete, we follow the retention windows in our DPA (active deletion within 60 days, backups purged within 90 days).
Your rights
You have the full set of UK GDPR rights over your data (see "Your rights" below). Because the organisation is the controller, your rights request should go to them first. If you can't reach them or need help, email us at hello@sessiondata.ai and we'll help route it.
Cookies
sessiondata.ai uses a small number of cookies:
- Essential cookies — needed for the website and Platform to work (for example, keeping you logged in). These can't be switched off.
- Analytics cookies — help us understand how the site is used. These are optional and only set if you consent.
You can manage cookies through your browser settings or (when available) our cookie banner.
AI features and how we use data
Parts of the Platform use AI (including our assistant, Mira) to summarise and make sense of feedback.
A few important things:
- AI outputs are generated by a large language model and may contain errors or miss nuance
- AI outputs are decision support, not decision-makers
- Our Client Terms prohibit organisations from using AI outputs from the Platform as the sole basis for decisions that materially affect you — including hiring, promotion, performance, or disciplinary decisions
We may use fully anonymised and aggregated data to improve the Platform and refine our AI models. This means data that cannot identify you or any individual. We do not sell personal data, and we do not allow our AI model provider to train their foundation models on identifiable client data.
Who we share data with
We share personal data only where necessary and only with:
- Sub-processors who help us run the Platform — currently Supabase (database and authentication), Anthropic (the AI model behind Mira), Resend (transactional email), and AWS (cloud infrastructure). A current list is available on request.
- Your organisation — where you're a participant, your responses go to the organisation that invited you, according to their configuration
- Professional advisers (for example, our lawyers or accountants) where needed and under confidentiality
- Authorities or regulators where we are legally required to disclose
We do not sell personal data to anyone, and we do not share it with third parties for their own marketing purposes.
International transfers
Personal data on the Platform is hosted in the United Kingdom (AWS London).
Some of our sub-processors are based outside the UK or EEA. Where that applies, we rely on appropriate safeguards under Article 46 UK GDPR — including the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses — so your data stays protected at a UK-equivalent standard.
Your rights
Under the UK GDPR, you have the right to:
- Access — ask for a copy of the personal data we hold about you
- Rectification — ask us to correct inaccurate data
- Erasure — ask us to delete your data (where applicable)
- Restriction — ask us to limit how we use your data
- Portability — ask us to give you your data in a portable format
- Object — object to processing based on legitimate interest, including direct marketing
- Withdraw consent — where we rely on consent, you can withdraw it at any time
To exercise these rights:
- If you're a visitor, prospect, or client user: email us at hello@sessiondata.ai
- If you're a participant: contact the organisation that invited you first; we're happy to help route requests if needed
We'll respond within one month. If your request is complex, we may extend that by up to two further months and will tell you if so.
Complaints
If you're unhappy with how we handle your personal data, please tell us first at hello@sessiondata.ai — we'd like a chance to put it right.
You also have the right to complain to the Information Commissioner's Office (ICO), the UK's data protection regulator:
- Website: https://ico.org.uk
- Helpline: 0303 123 1113
Changes to this Notice
We may update this Notice from time to time. If we make a material change, we'll let you know — by email if you're a client user or participant with an account, or through a notice on the website.
The date at the top shows when it was last updated.
Contact
The Session Data Company Ltd Email: hello@sessiondata.ai Platform: https://sessiondata.ai