1. Who we are and how to contact us
SNAhelper is an AI-powered chat service that provides practical behavioural support guidance to Special Needs Assistants (SNAs) working in Irish educational settings.
SNAhelper is operated by Sebastian Holewa, sole trader, trading as SNAhelper, based in Ireland.
Data controller: Sebastian Holewa, t/a SNAhelper
Address: 28 Derrylea, Oakpark, Tralee, Co. Kerry, Ireland
Email: hello@snahelper.ie
For data protection enquiries specifically, please email: hello@snahelper.ie
We have assessed our processing activities and determined that we are not required to appoint a Data Protection Officer under GDPR Article 37. For all data protection matters, please use the contact details above.
2. What this policy covers
This policy explains how we collect, use, store, and protect your personal data when you use the SNAhelper app at app.snahelper.ie and related services.
This service is designed exclusively for adult professionals. It is not intended for children and must not be used by anyone under the age of 18.
We process all personal data in accordance with the General Data Protection Regulation (GDPR) and the Irish Data Protection Act 2018.
3. What personal data we collect and how we use it
3.1 Account creation and authentication
When you create an account, we collect your email address and, if you use Google sign-in, your name and Google profile information. This data is processed by our authentication provider, Clerk.
- Lawful basis: Performance of our contract with you (GDPR Art. 6(1)(b)) — we need this data to create and manage your account.
- Retention: For the duration of your active subscription, plus 30 days after account closure.
3.2 Subscription and payment processing
When you subscribe, your payment details are collected and processed directly by Stripe. We do not see or store your full card details. Stripe shares with us your billing status, subscription details, and a customer identifier so we can manage your access to the service.
- Lawful basis: Performance of our contract with you (GDPR Art. 6(1)(b)) — payment processing is necessary to provide the subscription service.
- Retention: Transaction records are retained for 6 years after the transaction, as required by Irish tax and accounting law (GDPR Art. 6(1)(c) — legal obligation).
3.3 Providing AI-generated behavioural guidance
When you submit a message in the chat, your message is sent to OpenAI's API (GPT-4.1 Mini model) to generate a response. Processing your message to generate a response is the core of the service you have subscribed to.
- Lawful basis: Performance of our contract with you (GDPR Art. 6(1)(b)).
- Retention: See Chat Data & Retention (Section 4) below.
3.4 Chat data retention for service quality evaluation
During the Early Access Period, we retain your chat messages and AI responses for a maximum of 30 days from 23 March 2026. This retention is necessary for service quality evaluation — specifically:
- evaluating whether AI-generated guidance is appropriate and accurate for the types of queries submitted by SNAs;
- assessing whether queries are correctly categorised and directed to the appropriate guidance framework (prompt routing evaluation);
- evaluating the effectiveness of our safeguarding keyword detection system, which flags potential child protection concerns;
- understanding aggregate patterns in the types of questions asked, to improve the range and relevance of guidance provided.
We analyse aggregate patterns and routing effectiveness only. We do not routinely review individual conversations.
- Lawful basis: Our legitimate interest (GDPR Art. 6(1)(f)) — specifically, our interest in ensuring our AI service provides accurate, safe, and relevant guidance during the initial launch period. We consider this proportionate given the time-limited nature of the retention (maximum 30 days), the professional context, and the importance of service quality in an educational support setting.
- Your right to object: You have the right to object to this processing at any time (see Section 10 — Your Rights).
3.5 Safeguarding keyword detection
Our system monitors chat messages for keywords or patterns that may indicate a child protection concern. This operates in real time as part of service delivery. If a potential concern is detected, the AI response will direct you to follow your school's safeguarding procedures, contact your Designated Liaison Person (DLP), and where appropriate, contact Tusla. We do not log the specific content that triggers safeguarding detection.
- Lawful basis: Our legitimate interest (GDPR Art. 6(1)(f)) — specifically, our compelling interest in child safety and ensuring that potential safeguarding concerns are appropriately flagged.
3.6 Security and abuse prevention
We maintain server logs and use rate limiting to protect the service from abuse, detect security threats, and ensure fair usage. Production server logs do not contain your chat message content.
- Lawful basis: Our legitimate interest (GDPR Art. 6(1)(f)) — maintaining the security and integrity of our service.
- Retention: Rate-limiting data expires automatically (within seconds via sliding window). Monthly message quota counters expire at the end of each calendar month.
3.7 Email communications
If you subscribe to our mailing list or receive service-related emails, we process your email address and name through MailerLite.
- Lawful basis: Performance of our contract (Art. 6(1)(b)) for service-related communications (e.g., account confirmations, important service updates). Consent (Art. 6(1)(a)) for marketing communications. You can unsubscribe from marketing emails at any time.
3.8 What we do NOT collect
- We do not collect location data, device fingerprints, or browsing behaviour.
- We do not use analytics, tracking pixels, or advertising cookies.
- We do not sell your personal data to anyone.
- We do not share your data with advertisers.
4. Chat data & retention
When you use SNAhelper, your conversation messages and AI responses are stored securely in our EU-hosted database (see Sub-Processors in Section 7).
During the Early Access Period, chats are retained for a maximum of 30 days from the date of each message. This retention is necessary for service quality evaluation, as described in Section 3.4 above. We analyse aggregate patterns and routing effectiveness only; we do not routinely review individual conversations for any other purpose.
Important: SNAhelper is not designed to collect information about children. You must not include a child's name, school name, or any details that could identify a specific child in your messages. Please also avoid entering other personal identifiers such as dates of birth, addresses, Eircodes, PPS numbers, or any combination of details that would allow a child or other individual to be identified.
Your right to deletion. You have the right to request deletion of your chat data at any time. To do so, contact us at hello@snahelper.ie with the subject line "Data Deletion Request". We will permanently delete your conversation data within 72 hours of receiving your request.
After the Early Access Period. Once the Early Access Period concludes, we intend to either introduce in-app chat history with self-service deletion, or disable chat storage entirely. You will be notified of any change to this approach before it takes effect.
5. How our AI works
You are interacting with an AI system, not a human. When you use the SNAhelper chat, your messages are processed by an artificial intelligence model (OpenAI GPT-4.1 Mini) to generate behavioural support guidance.
What this means for your data:
Your chat messages are sent to OpenAI's API to generate a response. OpenAI acts as our data processor under a Data Processing Agreement. Under OpenAI's current API terms:
- Model training: Disabled. OpenAI does not use API data to train or improve its models for our account.
- Data sharing: Disabled. Inputs and outputs are not shared with OpenAI beyond what is necessary for processing.
- Retention: OpenAI may retain API inputs and outputs for up to 30 days for abuse and misuse monitoring, as required by their terms of service. After this period, data is deleted.
Advisory guidance only. The guidance provided by SNAhelper is generated by AI and is intended to support your professional practice. It is not a substitute for professional training, formal advice from your school, the NCSE, or Tusla, or your own professional judgment. The AI does not make any decisions about you, the children you work with, or any other person. No automated decision-making with legal or similarly significant effects occurs within our service (GDPR Article 22).
6. Children's data and special category data
Our service is for adult professionals only. We do not knowingly collect personal data from children. Children do not and should not use SNAhelper.
Important guidance for users. When describing workplace situations in the chat, you must not include any information that could identify a specific child. This includes:
- children's names or initials
- school names or class identifiers
- dates of birth or ages combined with other identifying details
- addresses, Eircodes, or PPS numbers
- any combination of details that would allow a specific child to be identified
Where your descriptions of behavioural situations do not identify or allow identification of any specific child, the information does not constitute personal data under the GDPR.
If identifiable information is submitted. If you inadvertently include information that identifies or could identify a specific child — particularly information about health conditions, disabilities, behavioural diagnoses, or special educational needs — this may constitute special category data under GDPR Article 9. Our service is designed to operate without such data. If we become aware that identifiable special category data has been submitted, we will take steps to delete it promptly.
Child protection. If information submitted through our service gives rise to a child protection concern, we may disclose relevant information to Tusla (the Child and Family Agency) or An Garda Síochána as permitted or required by Irish law, including the Children First Act 2015. The lawful basis for any such disclosure is GDPR Art. 6(1)(c) (legal obligation) or Art. 6(1)(d) (vital interests of the child).
7. Who we share your data with (sub-processors)
We share your personal data only with service providers ("processors") who process it on our behalf under written data processing agreements, and where otherwise required by law.
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| OpenAI | AI response generation | Chat messages, AI responses | Ireland (contracting entity), United States (processing) |
| Clerk | Authentication and login | Email, name, Google profile data | United States |
| Stripe | Payment and subscription processing | Payment details, billing information | Ireland, United States |
| Vercel | App hosting and delivery | IP addresses, request metadata | United States (global CDN with EU caching) |
| Neon | Database hosting | Account data, chat data (encrypted) | EU (AWS Frankfurt) |
| Upstash | Rate limiting and quota management | User identifiers, request counts | EU region |
| MailerLite | Email communications | Email address, name | EU (Germany) |
8. International data transfers
Some of our service providers are based in the United States or process data there. When your personal data is transferred outside the European Economic Area, we ensure appropriate safeguards are in place:
EU-US Data Privacy Framework (DPF). Clerk, Vercel, Stripe, Neon, and Upstash are certified under the EU-US Data Privacy Framework, which has been recognised by the European Commission as providing adequate protection for personal data (Adequacy Decision of 10 July 2023). We also maintain Standard Contractual Clauses (SCCs) with these providers as supplementary safeguards.
Standard Contractual Clauses (SCCs). For OpenAI, which is not currently DPF-certified, we rely on Standard Contractual Clauses approved by the European Commission (Decision 2021/914) as the transfer mechanism. EEA customers contract with OpenAI Ireland Ltd, and SCCs are incorporated in OpenAI's Data Processing Addendum.
MailerLite is an Irish-registered company that processes data in the EU only, so no international transfer mechanism is required.
You may request a copy of the relevant transfer safeguards by contacting us at hello@snahelper.ie.
9. How long we keep your data
| Data Category | Retention Period |
|---|---|
| Account data (email, name, login credentials) | Duration of subscription + 30 days after account closure |
| Chat messages and AI responses (Early Access Period) | Maximum 30 days from each message, then permanently deleted |
| Chat messages processed by OpenAI | Up to 30 days (OpenAI abuse monitoring), then deleted by OpenAI |
| Payment and transaction records | 6 years (Irish tax and accounting requirements) |
| Email communication records | Duration of subscription + 12 months |
| Rate-limiting data | Expires automatically within seconds |
| Quota counters | Expire automatically at end of each calendar month |
After the applicable retention period, data is permanently deleted.
10. Your data protection rights
Under GDPR, you have the following rights regarding your personal data:
Right of access (Art. 15) — You can request a copy of the personal data we hold about you.
Right to rectification (Art. 16) — You can ask us to correct inaccurate personal data.
Right to erasure (Art. 17) — You can ask us to delete your personal data. We will delete your account, chat history, and associated records. Some data may be retained where we have a legal obligation (e.g., tax records retained for 6 years).
Right to restriction (Art. 18) — You can ask us to restrict processing of your data in certain circumstances.
Right to data portability (Art. 20) — You can request your data in a structured, commonly used, machine-readable format.
Right to object (Art. 21) — You have the right to object to processing based on our legitimate interests. This includes our processing of chat data for service quality evaluation during the Early Access Period, safeguarding detection, and security monitoring. If you object, we will stop this processing unless we can demonstrate compelling legitimate grounds that override your interests.
Right to withdraw consent — Where we process data based on your consent (e.g., marketing emails), you can withdraw consent at any time without affecting the lawfulness of prior processing.
How to exercise your rights. Contact us at hello@snahelper.ie. We will respond within one month as required by GDPR. If your request is complex, we may extend this by a further two months, but we will inform you of any extension within the first month.
Right to complain to the supervisory authority. If you are not satisfied with our response, you have the right to lodge a complaint with:
Data Protection Commission
21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
Website: www.dataprotection.ie
Phone: +353 (0)1 765 0100 / 1800 437 737
11. Cookies and similar technologies
SNAhelper uses only cookies and similar technologies that are strictly necessary to provide the service you have requested:
- Authentication cookie set by our login provider (Clerk) to keep you securely signed in during your session.
- Session management tokens used to maintain your active session and ensure the app functions correctly.
We do not use analytics cookies, advertising cookies, tracking pixels, or any third-party marketing cookies. Because these cookies are strictly necessary for the service you have requested, consent is not required under Irish ePrivacy law (SI 336/2011, Regulation 5(5)).
12. How we protect your data
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS with HSTS enforcement.
- Encryption at rest: Data stored in our database is encrypted.
- Access controls: Access to personal data is restricted to authorised personnel on a need-to-know basis.
- HTTP security headers: Including X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.
- Rate limiting: Server-side rate limiting and quota enforcement to prevent abuse.
- Payment security: Stripe webhook signature verification for all payment events.
- Minimal logging: Chat content and sensitive keywords are not logged in production server logs. API keys are stored server-side only, never exposed to the browser.
No method of electronic transmission or storage is completely secure. While we implement appropriate measures to protect your data, we cannot guarantee absolute security. If you become aware of a security vulnerability, please contact us immediately at hello@snahelper.ie.
Data breach notification. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Data Protection Commission within 72 hours in accordance with GDPR Article 33. Where a breach is likely to result in a high risk to you, we will inform you directly without undue delay in accordance with GDPR Article 34.
13. Changes to this policy
We may update this policy from time to time. If we make material changes — particularly changes to how we process your data, the purposes of processing, or the categories of recipients — we will notify you by email and/or through an in-app notification before the changes take effect. The current version of this policy is always available at https://www.snahelper.ie/pp/.
14. Contact us
For any questions, concerns, or data protection requests:
Email: hello@snahelper.ie
Data Protection Supervisory Authority:
Data Protection Commission
21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
Website: www.dataprotection.ie
SNAhelper is proudly Irish-made. We believe privacy is a right, not a feature.