Privacy Notice

Last updated: 21 April 2026

This Privacy Notice explains how The Session Data Company Ltd ("we", "us", "our") handles personal data when you visit sessiondata.ai, get in touch with us, or use the sessiondata.ai platform (the "Platform").

We take privacy seriously. This Notice is written in plain English. If anything is unclear, email us at hello@sessiondata.ai.


Who we are

The Session Data Company Ltd is a company registered in England & Wales. We are the controller of personal data covered by this Notice, unless stated otherwise below.


Quick summary — who this Notice is for

This Notice covers four groups of people. Use the section that fits you:

  1. Visitors to our website — you browsed sessiondata.ai or read our marketing content
  2. Prospects and leads — you got in touch with us about using sessiondata for your organisation
  3. Client administrators and users — your organisation uses sessiondata and you log in to manage or use it
  4. Participants — your organisation has invited you to give feedback through sessiondata

If you are a participant, an important note first: when your organisation runs a session or programme on sessiondata, they decide what data to collect and how it's used internally. In that context, your organisation is the data controller and we are the data processor acting on their instructions. Questions about why you've been asked, what they'll do with your responses, or how long they'll keep them should go to your organisation. Questions about the Platform itself (security, your data rights, anything technical) can come to us.


1. Website visitors

What we collect

When you visit sessiondata.ai, we collect:

  • Basic technical data — IP address, browser type, device type, pages visited, timestamps
  • Cookie data — see our Cookie section below

Why we use it

  • To keep the website running and secure
  • To understand broadly how people use it so we can improve it

Legal basis

Legitimate interest — running and improving our website. You can object at any time by contacting us.

How long we keep it

Server and analytics logs: typically 12 months. Cookies: see the Cookie section.


2. Prospects and leads

What we collect

If you contact us, request a demo, sign up for updates, or use one of our free tools (such as the Learning ROI calculator):

  • Name
  • Business email
  • Organisation name
  • Role / job title
  • Anything else you choose to share in your message
  • The figures you enter into a tool and the result it produces — kept only so we can email that result to you

Why we use it

  • To respond to your enquiry
  • To email you the result of a tool you asked us to send
  • To follow up about sessiondata where relevant
  • To send you occasional updates only if you've ticked the opt-in box

Legal basis

  • Legitimate interest — responding to enquiries and conducting reasonable business-to-business outreach
  • Consent — for any marketing emails you've opted into; you can withdraw consent at any time

How long we keep it

Up to 24 months from our last meaningful contact, then deleted or anonymised unless you become a client.


3. Client administrators and users

What we collect

When your organisation uses sessiondata and you have an account:

  • Name
  • Work email
  • Role / job title
  • Organisation
  • Login and access logs
  • Any content you create or upload (e.g. session configurations, notes)

Why we use it

  • To give you access to the Platform
  • To keep your account secure
  • To support you when you ask
  • To send essential service communications (for example, security or outage notices)

Legal basis

  • Contract — the agreement between us and your organisation
  • Legitimate interest — security, support, and running the Platform

How long we keep it

For the duration of your organisation's subscription, plus the retention windows set out in our Client Terms and DPA (typically data is exportable for 30 days after termination, deleted from active systems within 60 days, and purged from backups within 90 days).


4. Participants

What we collect

If you've been invited by an organisation to give feedback through sessiondata:

  • Your name and email (provided by the organisation that invited you)
  • Your role or job title (if provided)
  • Your responses to surveys and prompts
  • Any written reflections you share
  • Basic usage data (when you logged in, which sessions you took part in)

Who decides what happens with your data

The organisation that invited you is the data controller. They decide:

  • Which questions to ask
  • Who in their organisation sees your responses
  • How your feedback is used after the session
  • How long they keep it

We are the data processor. We handle your data on their instructions and in line with our Data Processing Agreement with them.

Legal basis

The organisation that invited you is responsible for having a lawful basis to process your data — usually legitimate interest (for professional development and programme feedback) or contract. If you want to understand the specific basis, ask the organisation directly.

How long we keep it

For as long as the organisation instructs us to. When their subscription ends or they ask us to delete, we follow the retention windows in our DPA (active deletion within 60 days, backups purged within 90 days).

Your rights

You have the full set of UK GDPR rights over your data (see "Your rights" below). Because the organisation is the controller, your rights request should go to them first. If you can't reach them or need help, email us at hello@sessiondata.ai and we'll help route it.


Cookies

sessiondata.ai uses a small number of cookies:

  • Essential cookies — needed for the website and Platform to work (for example, keeping you logged in). These can't be switched off.
  • Analytics cookies — help us understand how the site is used. These are optional and only set if you consent.

You can manage cookies through your browser settings or (when available) our cookie banner.


AI features and how we use data

Parts of the Platform use AI (including our assistant, Mira) to summarise and make sense of feedback.

A few important things:

  • AI outputs are generated by a large language model and may contain errors or miss nuance
  • AI outputs are decision support, not decision-makers
  • Our Client Terms prohibit organisations from using AI outputs from the Platform as the sole basis for decisions that materially affect you — including hiring, promotion, performance, or disciplinary decisions

We may use fully anonymised and aggregated data to improve the Platform and refine our AI models. This means data that cannot identify you or any individual. We do not sell personal data, and we do not allow our AI model provider to train their foundation models on identifiable client data.


Who we share data with

We share personal data only where necessary and only with:

  • Sub-processors who help us run the Platform — currently Supabase (database and authentication), Anthropic (the AI model behind Mira), Resend (transactional email), and AWS (cloud infrastructure). A current list is available on request.
  • Your organisation — where you're a participant, your responses go to the organisation that invited you, according to their configuration
  • Professional advisers (for example, our lawyers or accountants) where needed and under confidentiality
  • Authorities or regulators where we are legally required to disclose

We do not sell personal data to anyone, and we do not share it with third parties for their own marketing purposes.


International transfers

Personal data on the Platform is hosted in the United Kingdom (AWS London).

Some of our sub-processors are based outside the UK or EEA. Where that applies, we rely on appropriate safeguards under Article 46 UK GDPR — including the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses — so your data stays protected at a UK-equivalent standard.


Your rights

Under the UK GDPR, you have the right to:

  • Access — ask for a copy of the personal data we hold about you
  • Rectification — ask us to correct inaccurate data
  • Erasure — ask us to delete your data (where applicable)
  • Restriction — ask us to limit how we use your data
  • Portability — ask us to give you your data in a portable format
  • Object — object to processing based on legitimate interest, including direct marketing
  • Withdraw consent — where we rely on consent, you can withdraw it at any time

To exercise these rights:

  • If you're a visitor, prospect, or client user: email us at hello@sessiondata.ai
  • If you're a participant: contact the organisation that invited you first; we're happy to help route requests if needed

We'll respond within one month. If your request is complex, we may extend that by up to two further months and will tell you if so.


Complaints

If you're unhappy with how we handle your personal data, please tell us first at hello@sessiondata.ai — we'd like a chance to put it right.

You also have the right to complain to the Information Commissioner's Office (ICO), the UK's data protection regulator:


Changes to this Notice

We may update this Notice from time to time. If we make a material change, we'll let you know — by email if you're a client user or participant with an account, or through a notice on the website.

The date at the top shows when it was last updated.


Contact

The Session Data Company Ltd Email: hello@sessiondata.ai Platform: https://sessiondata.ai