Enterprise-Grade Security

Your child's data stays in the UK.
Protected by UK law, owned by you.

Hosted in a UK-region database, encrypted with the same AES-256 standard used by UK online banking, and protected by 7 layers of safeguards under UK GDPR and the Data Protection Act 2018.

🔒 The first question every parent asks

Before any data reaches the AI — we strip every identifier.

Parents are right to be cautious. Dropping an EHCP into ChatGPT puts your child's name, NHS number, address, school and clinicians straight into a third-party AI system you don't control — and you can't pull it back. That isn't how WeaveONE works. Every AI call runs through our 5-layer PII filter first. The model only ever sees anonymised tokens. The real names come back in the response, decoded locally, just for you.

What gets redacted, every time

  • ✓ Your child's name
  • ✓ Date of birth
  • ✓ NHS number
  • ✓ UPN (school pupil number)
  • ✓ Home address + postcode
  • ✓ School name
  • ✓ Parents' and carers' names
  • ✓ Siblings' names
  • ✓ LA caseworker name
  • ✓ Phone numbers + emails
  • ✓ Clinician + professional names
  • ✓ EHCP reference numbers

How it looks in practice

What the EHCP says

Sophie Taylor (NHS 943-476-5919),
aged 8, attends Redwood Academy.
Her caseworker is Angela Thompson.

What the AI receives

[CHILD] ([NHS_NUMBER]), aged 8,
attends [SCHOOL]. Her caseworker
is [CASEWORKER].

When the response comes back, tokens are swapped for the real names locally — in your browser, not on the AI provider's servers — so you read "Sophie", not "[CHILD]". The provider never sees Sophie.

The 5 layers, in order

LAYER 1

Regex

Phones, emails, postcodes, NINOs — deterministic patterns removed first.

LAYER 2

EHCP-specific

Dates, NHS numbers, UPNs, addresses and EHCP/ULN references.

LAYER 3

Local names

Names extracted from the document itself — catches the uncommon ones.

LAYER 4

Known data

Parents, siblings, contacts, clinicians — everything on the child record.

LAYER 5

AI-assisted

A secondary pass: the filter checks its own work before sending.
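
The redact-and-decode flow above, as an added example that is not WeaveONE's code. The regex patterns, the numbered-token scheme ([EMAIL_2]) and the function names are assumptions, and the final self-check is a deterministic stand-in for the AI-assisted pass in Layer 5.

```javascript
// Added illustration, not WeaveONE's code. Patterns and token naming are assumptions.
const PATTERNS = [ // deterministic layers: fixed-format identifiers
  ["EMAIL", /[\w.+-]+@[\w-]+(?:\.[\w-]+)+/g],
  ["PHONE", /(?:\+44\s?|\b0)\d{2,4}\s?\d{3,4}\s?\d{3,4}\b/g],
  ["NHS_NUMBER", /\b(?:NHS\s+)?\d{3}[- ]?\d{3}[- ]?\d{4}\b/g],
  ["POSTCODE", /\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b/gi],
];
const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
const squash = (s) => s.toLowerCase().replace(/[^\p{L}\p{N}]/gu, "");

function redact(text, knownRecord) {
  const tokenFor = new Map(); // lower-cased value -> token
  const valueFor = new Map(); // token -> original value; stays on the client
  const counts = {};
  const swap = (label) => (match) => {
    const key = match.toLowerCase();
    if (!tokenFor.has(key)) {
      const n = (counts[label] = (counts[label] || 0) + 1);
      const token = n === 1 ? `[${label}]` : `[${label}_${n}]`;
      tokenFor.set(key, token);
      valueFor.set(token, match);
    }
    return tokenFor.get(key);
  };
  let outbound = text;
  for (const [label, re] of PATTERNS) outbound = outbound.replace(re, swap(label));
  // Known data from the child record, longest first so full names win.
  const known = Object.entries(knownRecord)
    .flatMap(([label, values]) => values.map((v) => [label, v]))
    .sort((a, b) => b[1].length - a[1].length);
  for (const [label, value] of known) {
    const re = new RegExp(`\\b${escapeRe(value)}\\b`, "gi");
    outbound = outbound.replace(re, swap(label));
  }
  // Self-check before sending: compare with spacing and punctuation removed,
  // so a name split across a line break is caught. Fail closed on any hit.
  const flat = squash(outbound);
  const secrets = [...valueFor.values(), ...known.map(([, v]) => v)];
  if (secrets.some((v) => flat.includes(squash(v))))
    throw new Error("redaction incomplete, not sending");
  return { outbound, valueFor };
}

// Client-side decode of the model's reply; unknown tokens are left as-is.
function rehydrate(reply, valueFor) {
  return reply.replace(/\[[A-Z0-9_]+\]/g, (t) => valueFor.get(t) ?? t);
}
```

The self-check is stricter than the replacement pass, so it can block text that is in fact safe; blocking is the failure direction you want before data leaves the client.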

Nothing is sold or shared

No third-party access, no ad networks, no training datasets.

Zero-retention AI

Anthropic's Claude API is contractually zero-retention: no logs of your prompts, no training on your data.

You can delete anytime

Wipe your account and every record — including backups — within 30 days.

0

Data Breaches Ever

100%

Tables with RLS

< 4hrs

Incident Response

99.9%

Uptime Guarantee

SOC 2 Type II

Via Supabase

GDPR Compliant

EU Standards

COPPA Compliant

US Standards

DPA 2018

UK Standards

7 Layers of Protection

Multiple Layers Working Together
To Keep You Safe

We don't rely on just one security measure. Your data is protected by 7 different layers of security, all working together 24/7.

1

Bank-Level Encryption (AES-256)

The same standard used by UK online banking and GOV.UK

Your family's information is encrypted with AES-256 — the same encryption standard trusted by UK online banking, GOV.UK and the NHS. Data is scrambled into unreadable code both when stored on disk and when transmitted across the network.

The encryption standard you already trust with your money
  • AES-256 encryption at rest
  • TLS 1.3 encryption in transit
  • Encrypted backups
  • Zero-knowledge architecture for child PINs

2

Row Level Security

Your private family room in our database

Think of it as having your own locked room that only your family can enter. Every piece of data is tagged with your family ID, and the database automatically ensures no other family can ever access it.

Database-enforced privacy - not just software promises
  • Automatic family-level isolation
  • Database-level access control
  • Zero cross-family data leakage
  • Protected even if app is compromised

3

Smart Authentication

Multiple ways to keep accounts secure

We verify everyone is who they say they are. Parents use secure magic-link authentication, children use fun emoji PINs, and family members get invitation-only access with specific permissions you control.

Every person authenticated, every time
  • Secure magic-link authentication
  • Child-friendly emoji PIN system
  • Invitation-only family member access
  • Automatic session timeouts

4

COPPA & GDPR Compliant

Following strict international privacy laws

We don't just meet legal requirements — we exceed them. Your children's data is protected under UK DPA 2018, EU GDPR, and US COPPA laws, with enhanced protections built in.

Legal protection + ethical responsibility
  • UK DPA 2018 compliant (age 16+)
  • US COPPA compliant (age 13+)
  • EU GDPR full compliance
  • No advertising to children

5

24/7 Security Monitoring

Constant vigilance for your protection

Our systems never sleep. We continuously monitor for suspicious activity, unauthorized access attempts, and potential security threats, with automatic blocking of known threats.

Always watching, always protecting
  • Real-time threat detection
  • Automated security alerts
  • Failed login attempt blocking
  • Suspicious activity monitoring

6

Automated Backups

Your data is safe even if disaster strikes

We back up all your data daily to multiple secure locations. Even in the worst-case scenario, your family's information is protected and recoverable.

Your memories and data are never lost
  • Daily automated backups
  • Multi-region storage
  • Encrypted backup files
  • 30-day backup retention

Your Legal Rights

You're In Complete Control
Of Your Data

Your data belongs to YOU, not us. You have full control and can exercise your rights at any time.

Right to Access

View all data we have about your family anytime.

Export your data instantly

Right to Portability

Download everything in a portable format.

Get your data in JSON format

Right to Deletion

Delete your account and all data permanently.

Complete deletion in 30 days

Right to Correction

Fix any incorrect information we hold.

Edit data anytime

What Happens If You Delete Your Account?

When you delete your account, ALL your data is permanently deleted within 30 days. This includes backups. This action cannot be undone.

We may keep minimal transaction records for legal/tax requirements, but without personal details.

Full Transparency

What Data We Collect
(And Why)

We believe in complete transparency. Here's exactly what we collect, in plain English.

Account Information

  • Email address
  • Name
  • Secure password (encrypted)

→ To create and maintain your account

Child Information

  • Name and age
  • Developmental information
  • Health passport data (optional)

→ To personalise their experience

Usage Data

  • Feature usage
  • Session times
  • Error logs

→ To improve the app and fix bugs

Never Collected

  • Precise GPS location
  • Contact lists
  • Microphone/camera (unless you grant permission)

→ We respect your privacy

What We NEVER Do

  • Never sell your data
  • Never advertise to children
  • Never share with third parties
  • Never use for marketing

Extra Protection for Children

Children's data gets special treatment with additional security layers, parental controls, and strict legal compliance.

Encrypted PINs

Child PINs are never stored as plain text — always encrypted with a zero-knowledge approach.

Parent Oversight

Full parental control and monitoring. Parents approve access and can review all activity.

No Tracking

Zero behavioural tracking for advertising. We never profile children or build advertising audiences.

Enterprise Infrastructure

Built on Trusted,
Certified Infrastructure

Supabase

SOC 2 Type II certified database infrastructure (UK region)

GDPR · ISO 27001

Vercel

Enterprise-grade hosting with edge security

DDoS Protection · WAF

Stripe

PCI DSS Level 1 payment processing

PCI DSS · 3D Secure

Anthropic (Claude)

AI document analysis under signed DPA — PII stripped before every call, zero-retention API, no training on your data

DPA Signed · Zero Retention · GDPR

AI Privacy

How AI Features
Protect Your Data

Pathway uses AI to analyse EHCPs, draft letters, and answer legal questions. Here's exactly how we keep your family's data safe throughout.

🔒

Automatic PII Redaction (5 layers)

See the top of this page for the full list of fields we redact and the before/after example. In short: no name, date of birth, NHS number, UPN, address, school, sibling, parent or caseworker ever reaches the AI — they are replaced with tokens before transmission and decoded back locally in your browser.

📜

Signed Data Processing Agreement

We have a signed Data Processing Agreement (DPA) in place with Anthropic, governing how data sent via the Claude API is handled. The DPA includes Standard Contractual Clauses for international transfers and binds Anthropic to UK GDPR-equivalent obligations as our processor.

🗑️

Zero Data Retention by AI Provider

Under our DPA, Anthropic's Claude API operates on a zero-retention basis. Prompts and responses are not stored on Anthropic's servers after processing — data is processed in memory only and discarded immediately.

🚫

No Model Training on Your Data

Anthropic is contractually prohibited from using any data sent via the API to train, fine-tune, or improve their AI models. Your child's information never becomes part of any AI training dataset.

🇬🇧

UK-Hosted Database

All your data is stored in a UK-region Supabase (PostgreSQL) database, encrypted at rest with AES-256. Your documents, evidence, and EHCP files never leave UK infrastructure.

Common Security Questions

Can WeaveONE staff see my data?

Only with your explicit permission when you request support. Our staff cannot browse user data.

What if there's a data breach?

We'll notify you within 72 hours, explain what happened, and provide steps to protect yourself. We have zero breaches to date.

Can I export my data?

Yes! Contact us at privacy@weaveone.co.uk to request a complete data export. You'll receive it in JSON format within 24 hours.

How long do you keep my data?

As long as your account is active. After deletion, all data is permanently removed within 30 days. Encrypted backups are purged within 6 months during regular backup rotation.

Does the AI remember my child's data?

No. Every AI call is stateless — your data is processed in memory, then discarded. Anthropic operates a zero-retention API policy. We also strip all personal details before sending anything to the AI.

Where is my data stored?

All data is stored in a UK-region Supabase (PostgreSQL) database with UK-region encrypted storage for documents and files. The only routine transfer outside the UK is redacted (PII-stripped) text sent to Anthropic's Claude API for AI processing, which is governed by a signed Data Processing Agreement with Standard Contractual Clauses, zero retention, and no model training.

Security Contact

For security concerns, vulnerability reports, or data-related enquiries, please contact our team:

Email: privacy@weaveone.co.uk

Company: WEAVEONE LIMITED

Address: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ

Company Number: 17111255

Your Family's Data Deserves
The Best Protection

Join families who trust WeaveONE to keep their children's information safe. GDPR compliant, UK-registered, and built from the ground up for neurodivergent families.

UK-registered · GDPR & DPA 2018 compliant · Company No. 17111255