Privacy Policy

Effective Date: 4 December 2024

Last Updated: 7 June 2026

1. Introduction

SENResource is operated by MycoBloom Ltd (“we”, “us”, “our”), a company registered in England and Wales. We are committed to protecting your personal data and handling it transparently, lawfully, and securely in accordance with:

• UK General Data Protection Regulation (UK GDPR)
• Data Protection Act 2018
• Privacy and Electronic Communications Regulations 2003 (PECR)
• ICO (Information Commissioner's Office) guidance

This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and your rights in relation to it.

Data Controller: MycoBloom Ltd, senresource.com

Contact: charlotte@mycobloom.co.uk

If you have a complaint about how we handle your data, you have the right to contact the ICO at ico.org.uk or by phone on 0303 123 1113.

2. Personal Data We Collect

2.1 Data You Provide Directly

• Email address – collected when you create an account (via Auth0), use the Contact Us form, or subscribe to our newsletter.
• Shipping address – only if you choose to save it in connection with a purchase. You may request deletion at any time.
• Contact messages – content you submit via the Contact Us form, including your name (if provided) and email address.
• User-generated content – any information you provide when creating or submitting resources, form fields, or other contributions to the platform. This is stored in our database as submitted.
• Order information – if you make a purchase, order details (including email and shipping address if provided) are stored in our database. Payment data is handled solely by Stripe (see Section 6).

2.2 Data Collected Automatically

When you visit the Service, the following data may be collected automatically:

• IP address
• Device type, operating system, and browser
• Approximate geographic location (derived from IP address; not precise)
• Pages visited, time on page, and navigation paths
• Referral source (how you arrived at the site)
• Cookie consent preferences

This data is used for security, analytics, and improving the Service. It is processed by Vercel (our hosting and analytics provider) and, where applicable, by advertising services.

2.3 Children's Data

The Service is intended for adults (teachers, parents, carers, and professionals) and is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

Users must be at least 16 years old to create an account, consistent with our Terms and Conditions.

3. Cookies and Tracking Technologies

We use cookies and similar technologies as described in our Cookie Policy. In summary:

• Essential cookies – required for login, security, and core site functionality. Cannot be disabled.
• Analytics cookies – help us understand how visitors use the site (e.g. via Vercel Analytics). Require your consent.
• Advertising cookies – used by Google AdSense to serve contextual or personalised advertisements. Require your explicit consent.

You may withdraw cookie consent at any time via the cookie settings link in the site footer.

4. How We Use Your Personal Data

The table below sets out each purpose for which we process your personal data and the legal basis we rely on under UK GDPR Article 6:

• Account creation and management – Contract (Art. 6(1)(b))
• Authentication via Auth0 – Contract (Art. 6(1)(b))
• Responding to contact form enquiries – Legitimate interests (Art. 6(1)(f))
• Processing orders and payments – Contract (Art. 6(1)(b))
• Sending newsletters (where opted in) – Consent (Art. 6(1)(a))
• Analytics and site improvement – Legitimate interests (Art. 6(1)(f))
• Displaying advertisements (AdSense) – Consent (Art. 6(1)(a)) via cookie banner
• Security and fraud prevention – Legitimate interests (Art. 6(1)(f))
• Legal and regulatory compliance – Legal obligation (Art. 6(1)(c))

We do not sell, rent, or trade your personal data to any third party.

5. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law. Our general retention periods are:

• Account data – retained for the life of your account plus up to 2 years after account deletion, unless a longer period is required by law.
• Contact form messages – retained for up to 2 years.
• Order records – retained for 7 years in accordance with UK tax and accounting obligations.
• Newsletter subscriptions – retained until you unsubscribe. Unsubscribe requests are processed within 24 hours.
• Analytics data – aggregated and anonymised data may be retained indefinitely.

You may request deletion of your personal data at any time (see Section 9).

6. How We Store and Protect Your Data

We use the following third-party infrastructure providers. Each is contractually obligated to protect your data and complies with UK GDPR (or equivalent standards):

• Auth0 (Okta, Inc.) – user authentication and account management. Auth0 is certified under GDPR-compliant frameworks and enters into Data Processing Agreements (DPAs).
• MongoDB Atlas – database hosting for user data, contact form submissions, orders, and user-generated content. Data is stored in EU/UK regions where configured.
• Backblaze B2 – image and file storage. Backblaze enters into DPAs and stores data in regions specified at configuration.
• Stripe, Inc. – payment processing. Stripe is PCI-DSS Level 1 compliant and processes payment data under its own privacy policy. We do not store full card details.
• Vercel, Inc. – website hosting, deployment, and analytics. Vercel processes request logs and analytics data and enters into DPAs compliant with GDPR.
• GitHub, Inc. – source code hosting and version control. No user personal data is intentionally stored in our code repositories.
• Google AdSense – advertising platform (not currently active). When enabled, Google may process data for ad targeting subject to your cookie consent and Google's privacy policy.

We implement appropriate technical and organisational measures including encrypted connections (HTTPS/TLS), access controls, and industry-standard security practices.

7. International Data Transfers

Some of our third-party providers operate outside the UK or European Economic Area (EEA). Where your personal data is transferred internationally, we ensure appropriate safeguards are in place, which may include:

• UK Adequacy Regulations (for countries deemed adequate by the UK government);
• International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs) approved by the ICO; or
• The provider's binding corporate rules or equivalent mechanism.

Specific examples: Vercel and Auth0 are US-based but rely on SCCs/IDTAs for UK transfers. Stripe is also US-based and certified under equivalent mechanisms.

8. Sharing Your Data

We share personal data only with:

• Service providers (listed in Section 6) – solely to the extent necessary to operate the Service.
• Legal authorities – where required by law, court order, or regulatory authority.
• Business transfers – in the event of a merger, acquisition, or sale of our business, your data may be transferred as part of that transaction. We will notify affected users in advance.

We do not share your data with advertisers directly. Google AdSense processes data independently based on your cookie consent.

9. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

• Right of access – request a copy of the personal data we hold about you.
• Right to rectification – ask us to correct inaccurate or incomplete data.
• Right to erasure (“right to be forgotten”) – request deletion of your personal data, subject to legal retention obligations.
• Right to restriction – ask us to limit how we process your data in certain circumstances.
• Right to data portability – receive your data in a structured, machine-readable format.
• Right to object – object to processing based on legitimate interests, including for direct marketing.
• Right to withdraw consent – where processing is based on consent (e.g. cookies, newsletter), you may withdraw at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at charlotte@mycobloom.co.uk. We will respond within one calendar month. There is no charge for exercising your rights unless requests are manifestly unfounded or excessive.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

• Website: ico.org.uk
• Phone: 0303 123 1113

10. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of the breach, as required by UK GDPR Article 33. Where the breach is likely to result in a high risk to individuals, we will also notify affected users directly without undue delay.

11. Updates to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email (if you have an account) or by a notice on the website, and will update the “Last Updated” date above. Continued use of the Service after changes constitutes acceptance.

12. Contact Us

SENResource by MycoBloom Ltd
✉ Email: charlotte@mycobloom.co.uk
🌐 Website: https://senresource.com

A contact form is also available via the footer of the website.