Thena

Privacy Policy

1. INTRODUCTION

At Thena, we are committed to keeping your data safe. We ask that you read this Privacy Policy carefully as it contains important information on who we are, how and why we collect, store, use and share personal information through your use of this website or in relation to the services we provide to schools, your rights in relation to your personal information and on how to contact us if you want to change how your data is being used and also supervisory authorities in the event you have a complaint. This policy covers personal information collected through (1) our Website, and our Web-Based App and/or our Mobile App as well as our Thena AI Bot (‘the Bot’) (collectively ‘the App’) and (2) the software that we provide (“Platform Software”). The Platform Software and the App are collectively referred to as the ‘Services’.

What does this Privacy Policy cover?

Specifically, this Privacy Policy covers personal information we collect: (1) in connection with the Services we provide to you, (2) when you download and use the App, (3) when you visit our website at https://thenalaw.com (“Website”), and (4) when you utilise the Platform Software.

We also use subdomains, including hello@thenalaw.com, to process forms, support and other website functions. Personal data provided on the main domain or any subdomains is processed in accordance with this Privacy Policy.

You must read this Privacy Policy together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are fully aware of how and why we are using your data. This Privacy Policy supplements the other notices and is not intended to override them.

Who collects information about you?

We collect, uses and is responsible for certain personal information about you. When we do so, we are responsible as the ‘data controller’ of that personal information.

Please Note: When we refer to “Thena”, “we”, “us” or “the Company” in this Privacy Policy, we are referring to LB Tech Group Limited trading as ‘Thena’ (company number 15739777). For details of how to get in touch, please see the “Contact Us” Section of this Privacy Policy.

Useful Terms.

“Visitors” means individuals who visit our Website and/or other Services and who may opt to provide us with personal information to request a trial or to receive marketing communications from us.

“Personal information” (or “personal data”) means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (i.e. anonymous data).

THE DATA WE COLLECT ABOUT YOU

We may collect, use, store and transfer different kinds of personal information about you, which we have grouped as follows:

Identity Data includes first name, last name, Mobile Device Identifiers (for App authentication), and offline usage metadata.

Contact Data includes business email address, and telephone numbers (work and/or mobile).

Technical Data includes internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our Website and our App.

Usage Data includes information about how you use the Services, including our Website and the App and the Platform Software.

Marketing and Communications Data includes your preferences in receiving marketing or other communications from us.

We also collect and use Aggregated Data, such as statistical or demographic data, for any purpose. Aggregated Data may be derived from your personal information, but is not considered personal information in law, as this data does not directly or indirectly reveal your identity.

What personal information do we collect?

We collect Marketing and Communications Data when you receive such communications from us such as our newsletter, and we also collect Technical Data and Usage Data when you interact with the Services. This information is aggregated for purposes such as reporting on usability, performance and effectiveness.

Website or App Visitors

If you are a Website Visitor, we may collect Identity Data and Contact Data about you when you submit web forms on our Website or App, such as when you request a free trial on our Website or sign up to receive free content via our App. We will also collect Marketing and Communications Data when you sign up to join our newsletter.

Mobile-Specific Information When you use our mobile App, we may also collect:

Device Identifiers: Unique IDs used to link your device to your school’s subscription.
Offline Usage Data: Records of "Experiences" downloaded and played while offline, which sync when you next connect to Wi-Fi.
Hardware Permissions: To function with our wireless headphones and transmitters, the App may request access to Bluetooth and Local Network settings. We do not use these permissions to track your location or access other files.

We will also automatically collect Technical Data and Usage Data about you through our and our technology partners’ use of cookies and similar technologies. For more information about this, please see our Cookie Policy.

If we collect data through the Website or the App or the Services which does not personally identify anybody, then this is ‘Business Data’ which we do not require consent to collect or process.

How do we collect personal information about you?

We may collect information from the following sources:

Directly from you: This is the information you give us during the course of requesting a free trial and/or subscribing for the Services or registering an account/free demo or full access on the App. It also includes any information you provide to us when you interact with us at an event or correspond with us in person, by phone, email, web form or otherwise.

Third-party sources: This will include information about you that is available through publicly available sources, such as professional networking sites (including LinkedIn) and general market research.

Information we collect automatically: When you visit our Website and/or use the App and/or the Services, we may collect certain Technical and Usage Data automatically from your device.

How do we use your personal information?

To provide the Services to you.

To deliver relevant content to you, and to measure and understand the effectiveness of the content we serve to you.

To administer and manage our business relationship with you, such as setting up your account, sending invoices, and responding to business-related communications and enquiries.

To send transactional messages, provide customer service and support, and to send you technical notices, updates and security alerts.

To administer and protect our Website and App and Platform Software (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data).

For other business purposes, such as research and analysis, business development and planning, determining the effectiveness of our Services, and improving the Services, eg by using data analytics to improve our Website and App, content, marketing and user experience.

To send you information which we think you may find interesting (such as details about our products and services, new features, market research, reports and other relevant content).

To comply with legal or regulatory requirements.

To create anonymised and aggregated datasets. These datasets are used to train, test, and improve our artificial intelligence systems and to generate automated responses to user queries.

To investigate and prevent fraudulent transactions, unauthorised access to the Services, and other illegal activities.

What is our legal basis for processing your personal information?

We process your information to administer and manage our business relationship with you, for other business purposes. We consider it necessary for our legitimate interests and that your interests and fundamental rights do not override those interests.

We process your personal information in connection with providing the Services, and we consider that this processing is necessary to perform the contract we have entered into with you.

We will rely on legal obligation if we are legally required to hold your personal information to comply with legal or regulatory requirements, such as disclosure to regulators and for purposes of disputes or legal proceedings affecting us. Under the DUAA 2025, we process certain data under the basis of "Recognised Legitimate Interests." This includes processing necessary for crime prevention (fraud detection), safeguarding individuals at risk, and responding to emergencies. For these specific purposes, we are not required to conduct a separate Legitimate Interests Assessment (LIA).

Where we process your personal information for the purposes of producing aggregated analysis to help us improve the Services and to help learn how to improve their use of the Services, we consider this is necessary for our legitimate interests and that your interests and fundamental rights do not override those interests.

Our lawful basis for anonymising your data is our legitimate interest in improving our Services and developing innovative AI technologies. We ensure that the anonymisation process is robust so that no individual can be re-identified from the resulting AI training sets.

Where we process your personal information for the purposes described above, we consider this is necessary for our legitimate interests and that your interests and fundamental rights do not override those interests.

We will process your personal information for marketing purposes where we have your consent to do so.

What happens if you fail to provide information?

If you do not provide us with certain requested personal information or object to the processing of your personal information, this may limit our ability to provide the Services or give you access to the Website or the App or the Platform Software.

You can still visit our Website and App and learn more about Thena without giving us your personal information, but we will need your contact details to administer and respond to any enquiries you submit via the Website and App or otherwise.

Who do we share your personal information with?

We may share and disclose your personal information with the following categories of third parties for the purposes described in this Privacy Policy:

Service providers. We use a number of service providers who perform functions on our behalf and/or help us in providing the Services, such as cloud-based software and hosting suppliers, email service providers and web analytics providers.

Our service providers are required to keep your personal information confidential and are not allowed to use it for any purpose other than to carry out the services they are performing for us.

Professional advisors. We may disclose personal information to our professional advisors, such as lawyers, auditors, and insurers, if necessary, as part of the professional services they provide us with.

Business transfers. We may share personal information with third parties to whom we choose to sell, transfer or merge part of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, the new owners may use your personal information in the same way as set out in this Privacy Policy.

Compliance with laws. We may be required to share some personal information as required to comply with the law.

INTERNATIONAL TRANSFERS, SECURITY AND RETENTION

International data transfers.

Where personal information is shared and disclosed as set out above, these parties may be established outside the United Kingdom or the European Economic Area (“EEA”). For example, some of the service providers we use to support our Services are based in the United States, and this would involve a transfer of your personal information to the United States. Whenever we transfer your personal information outside the United Kingdom or the EEA, we ensure that not materially lower protection is afforded to it by ensuring appropriate safeguards are implemented. This may include, where appropriate, signing up to Standard Contractual Clauses. To find out more information regarding the specific mechanism used by us when transferring your personal information outside the United Kingdom or the EEA, please contact us athello@thena.com.

Keeping your information secure.

We have appropriate security measures in place to prevent personal information from being accidentally lost or used, or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

You shall ensure that mobile devices used to access the App have appropriate OS-level security and that Authorised Users have granted necessary hardware permissions (e.g., Bluetooth) solely for Equipment synchronisation.

Technical Measures: We shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

Encryption: All Personal Data is encrypted at rest and in transit using industry-standard protocols (AES-256 or equivalent).

Access Control: Multi-Factor Authentication (MFA) is mandatory for all our staff accessing the Website and/or App backend.

Resilience: We maintain a Disaster Recovery and Business Continuity Plan, which is tested at least annually, to ensure service availability in the event of a cyber incident.

We shall notify you without undue delay, and in any event within 48 hours, of becoming aware of a Personal Data Breach. This allows us to fulfil our statutory 72-hour notification obligation to the ICO.

For how long do we keep your personal information?

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information, and whether we can achieve those purposes through other means, and the applicable legal requirements.

YOUR RIGHTS

Subject to any exemptions provided by law, you may have the right to:

Request access to your personal information (commonly known as a “data subject access request”) and to certain other supplementary information that this Privacy Policy is already designed to address.

Request correction of the personal information we hold about you. This enables you to have any incomplete or inaccurate information that the data controller holds about you corrected.

Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).

Receive the personal information concerning you which you have provided to us in a structured, commonly used and machine-readable format and have the right to transmit that data to a third party in certain situations.

Object to the processing of your personal information at any time for direct marketing purposes.

Object to decisions being taken by automated means which produce legal effects concerning you or significantly affect you.

Object in certain other situations to our continued processing of your personal information.

Request the restriction of the processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.

Withdraw your consent to our processing of your personal information, where we have collected and processed it with your consent.

If you would like to exercise any of these rights, please email us at hello@thenalaw.com and let us have enough information to identify you. We may need to request specific information from you to help us confirm your identity. This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

In accordance with the 2025 DUAA Act, our searches will be "reasonable and proportionate." Note on Timelines: We will respond within one month. However, if your request is broad, we may ask for clarification. In such cases, we will "stop the clock" on the 30-day deadline until you provide the necessary details to fulfil your request.

We hope that we can resolve any query or concern that you raise about our use of your personal information.

You also have the right to make a complaint to your supervisory authority. In the UK, this is the Information Commissioner’s Office (www.ico.org.uk). If you are unhappy with how we handle your data, you have a statutory right to complain directly to us before escalating to the Information Commission.

How to Complain: Please email hello@thenalaw.com with the subject line "Data Protection Complaint" or use our [Online Complaint Form].
Our Process: We will formally acknowledge your complaint within 30 days. we will then investigate and provide a full response or update without undue delay (typically within 3 months).

MARKETING

You may receive marketing communications from us if you have requested information from us or subscribed to our Services and, in each case, you have not opted out of receiving that marketing. You may also receive our newsletter when you activate your App user account, register for free access to the App or sign up for our newsletter on our Website.

You can ask us to stop sending you marketing messages at any time by following the opt-out links in any marketing message sent to you or by contacting us at hello@thenalaw.com.

Please note that opting out of marketing communications does not opt you out of receiving important business communications, such as service announcements or security information.

COOKIES

We may use cookies and other information-gathering technologies to learn more about how you interact with our Website, App and access the Services. This includes the use of analytics, personalisation and advertising cookies, as well as similar technologies, on our website and subdomains. We use these in connection with third-party platforms such as Meta (Facebook), Google and other advertising and analytics providers. These technologies help us measure advertising effectiveness, improve user experience and personalise the content and advertising you see.

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of our Website, App or Services may become inaccessible or not function properly. For more information about the cookies we use, please see our Cookie Policy.

Links to other websites.

This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.

CHANGES TO THE PRIVACY POLICY

This version was last updated on […March, 2026. We may change this Privacy Policy from time to time, and when we do, we will inform you by updating this section.

The personal information we hold about you must be accurate and current. Please keep us informed if your personal information changes during your relationship with us (see below for contact info).

CONTACT US

If you have any questions, comments or concerns about this Privacy Policy, please contact us at hello@thenalaw.com. Or you can write to us at:

LB Tech Group Ltd,

C4di At The Dock,

31-38 Queen Street,

Hull,

East Riding Of Yorkshire,

United Kingdom,

HU1 1UU