Last updated 29 June 2026
This page explains how Adversio Group Limited, which operates the Hapio platform, approaches data protection for the information held in the platform on behalf of alternative provisions. It is a summary for the people who assess us during procurement. The binding terms are set out in our data processing agreement and customer agreement.
When an alternative provision uses Hapio, the provision is the data controller and decides why and how the information is used. Adversio Group Limited is the data processor and acts only on the provision's documented instructions, under a written data processing agreement that meets the requirements of UK data protection law. A copy of our data processing agreement is available on request.
We process the information a provision records to support a young person through alternative provision, which can include their record, attendance, assessments, progress, information relevant to keeping them safe, and the reports built from it. Some of this information relates to young people under 18, whose personal data carries additional protection under UK data protection law, and we handle it accordingly. The lawful basis for processing sits with the provision as the controller.
Access is role based, across nine roles, and scoped by area and site, so people see only what their role needs. Sign-in is protected by multi-factor authentication. Every change and sign-off is recorded in a full audit trail. Information is encrypted in transit and at rest. We follow the principle of data minimisation, holding information because it helps a young person move forward, not for its own sake.
Platform data is hosted in the European Union, in Ireland.
We keep the list of providers who process data on a setting's behalf short: our hosting and backend provider, our email provider (Resend) for system emails, and an AI provider used only to draft the prose of monthly reports. A full and current list of sub-processors is available on request.
We use AI only to turn recorded evidence into the readable prose of a monthly report. Every number, score, level and recommendation is calculated by the platform and is fully auditable. A person reviews and edits the draft, and a leader signs it off, before it is shared. Before any of a young person's data reaches an AI model it is anonymised, and it is not used to train the model.
Hosting is in the European Union, which is an adequate jurisdiction under UK data protection law. Where a sub-processor processes data outside the UK or the EEA, the transfer is protected by appropriate safeguards, such as the International Data Transfer Agreement or standard contractual clauses, and our use of anonymisation and data minimisation limits what is involved.
We support settings with their own data protection responsibilities. We assist with responding to requests from individuals, we can provide the information you need for a data protection impact assessment, and we will complete your due diligence and security questionnaires.
We have a process to detect, investigate and respond to personal data breaches, and we will notify an affected setting without undue delay so they can meet their own obligations.
We keep data for as long as the data processing agreement and the setting's instructions require, and we return or delete it at the end of the relationship.
Adversio Group Limited is registered with the ICO [ICO REGISTRATION NUMBER TO BE ADDED]. For any data protection question, contact privacy@adversio.group.