The Neurodevelopmental Clinic Privacy Policy


Last updated: 07.04.2025

The Neurodevelopmental Clinic (“we,” “us,” “our”) is committed to protecting and respecting your privacy. This Privacy Policy, together with our Cookie Policy and Website Terms and Conditions, explains how we collect, use, disclose, and safeguard your information when you visit our website (neurodevelopmental.co.uk) and use our services.

By submitting personal data to us and continuing to use this website, you are consenting to its processing as outlined below.

If you have any questions about this policy or any of our clinic's privacy practices, please contact our Data Protection Officer by email at privacy@neurodevelopmental.co.uk.

GDPR Compliance Statement

We are committed to full compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679 and the UK GDPR.

This means we:

Process personal data lawfully, fairly, and transparently, ensuring it is collected for specified and legitimate purposes.

Limit data collection to what is necessary for the services provided.

Maintain accurate and up-to-date data with mechanisms for individuals to request corrections.

Ensure data integrity and confidentiality through security measures, including encryption and access controls.

Support data subject rights as outlined under the GDPR, including the rights of access, rectification, erasure, restriction, and portability.

Conduct Data Protection Impact Assessments (DPIAs) where necessary to assess and mitigate risks to data privacy.

Appoint a Data Protection Officer (DPO) or designate a responsible officer to oversee GDPR compliance.

Cooperate with the Information Commissioner’s Office (ICO), the UK’s data protection authority, for any regulatory obligations.

If you have any questions regarding your rights under GDPR, you can contact us at privacy@neurodevelopmental.co.uk.

Personal Data and Information We Collect

Personal data refers to any information that can be used to identify you. This includes your name, address, date of birth, device details, and information about how you use our website and services. We collect data for specific, explicit, and legitimate purposes, ensuring it is adequate, relevant, and limited to its intended use.

What is Personal Data?

You may provide us with information through online forms, psychometric tests, newsletter subscriptions, reporting website issues, or interacting via email, phone, or social media.

This may include:
- Name, address, email, phone number
- Payment information
- Medical and healthcare records
- Descriptions of personal circumstances

Information You Provide to Us

We may collect details about your interactions with our website and services, such as:

- Pages visited
- Language preferences
- Page interaction behaviours (scrolling, clicking)
- Visit duration and navigation paths
- Page load and response times

Usage Information

We may collect:

- Device type
- Browser settings
- IP address
- Login information
- Time zone settings
- Operating system details and performance data
- Information from Page Tags

Technical Information

We may receive information from healthcare professionals, business partners, educational institutions, analytics providers, and technical service associates.

Data from Other Sources

We take extra precautions when processing children’s personal data. For those under 16, consent for data processing must be provided by a parent or legal guardian. We ensure children’s data is handled securely and only shared where necessary for their care and wellbeing under the strict provision of the working contractual agreement.

What about children’s data?

How and why we use your data

Data protection law means that we can only use your data for certain reasons and where we have a legal basis to do so. Here are the reasons for which we process your data:

How We Use Your Data:

Information You Provide to Us
To fulfil contractual obligations related to clinical services
To provide requested information and services
To notify you of relevant services and updates
To communicate service changes
To optimise website display based on your device settings
To conduct anonymised service audits and evaluations

Information We Collect About You
To operate and secure our website
To conduct internal operations (e.g., troubleshooting, analysis, research, testing)
To evaluate marketing effectiveness and deliver relevant content
To provide recommendations on relevant services

Information Collected from Other Sources
To supplement our existing records for the above purposes

Legal Basis for Processing Data

We process your personal data under the following legal bases:

Consent – When you provide explicit consent (e.g., subscribing to newsletters)

Contract – When processing is necessary for fulfilling contractual obligations

Legal Obligation – When compliance with legal requirements is required

Legitimate Interests – When processing is necessary for clinic operations, subject to data protection laws

Processing of Special Category Data
As a healthcare provider, we process special category data (e.g., health information) under Article 9(2)(h) of the UK GDPR, which permits processing for the provision of health or social care.

Your privacy choices and rights

Under UK and EU data protection law, you have the right to:

Request a copy of your personal data. However, we reserve the right to refuse requests that are unfounded or excessive.

This includes the right to ask us for supplementary information about:

  • The categories of data we’re processing
  • The purposes of data processing
  • The categories of third parties to whom the data may be disclosed
  • How long the data will be stored (or the criteria used to determine that period)
  • Your other rights regarding our use of your data

We will provide you with the information within one month of your request, unless doing so would adversely affect the rights and freedoms of others (e.g. another person’s confidentiality or intellectual property rights). We’ll tell you if we can’t meet your request for that reason.

You have the right to access information we hold about you

Suspend processing of your data in certain cases, for example if you want us to establish its accuracy or the reason for processing it

Some of The Neurodevelopmental Clinic’s processing activities may be based on your consent. In these situations, you have the right to withdraw your consent at any time.

Withdrawal of your consent will not affect the lawfulness of processing conducted prior to the withdrawal. If you withdraw your consent, The Neurodevelopmental Clinic and third parties involved in personal data processing will cease to process your personal data, unless and to the extent the continued processing or storage is permitted or required according to the applicable personal data legislation or other applicable laws and regulations. Please note that withdrawing your consent may affect our ability to fulfil your requests or provide services to you.

You have the right to object to processing of your personal data for direct marketing purposes. You can do so by unsubscribing from our marketing information by clicking on the unsubscribe link at the bottom of any marketing communication from The Neurodevelopmental Clinic.

Restriction of Processing

You may correct inaccurate or incomplete data. However, we may need to verify the accuracy of the new data you provide to us.

You have the right to make us correct any inaccurate personal data about you

We will give you a copy of your data in CSV or JSON so that you can provide it to another service. If you ask us and it is technically possible, we will directly transfer the data to the other service for you. We will not do so to the extent that this involves disclosing data about any other individual.

You have the right to port your data to another service

You may request deletion of personal data. Please note that we cannot erase any medical records as we have a statutory duty to keep them as per the Data Protection Act 2018. We are professionally and legally obliged not to alter any medical records. However, if you disagree with any information contained on your medical records, a note can be added to the relevant entry to explain to any future readers that the patient disagrees with this information, and you can add an explanation if you wish.

You have the right to be "forgotten" by us

If you are not satisfied with how we handle your data, you can lodge a complaint by sending an email to complaints@neurodevelopmental.co.uk. We will notify you in writing of the outcome of your complaint, as well as provide any additional information for escalating complaints should you not be satisfied with the outcome.

You may refer your complaint to the Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF at any time:
Website: www.ico.org.uk
Phone: 0303 123 1113

You have the right to lodge a complaint regarding our use of your data

How secure is the data we collect?

We implement appropriate technical and organisational measures to protect your data, including:

Secure storage on cloud-based medical records with two-factor authentication, and encrypted payment transactions using SSL technology.

No personal information is retained on paper; paper records are securely shredded once they have been processed electronically.

Please note, whilst we will use all reasonable efforts to safeguard your personal information, transmission of information via the internet is not 100% secure; therefore, we cannot guarantee the security or integrity of any personal data transferred between you and us online. You are responsible for keeping and maintaining the security of any personal login information used to access our site or specific third-party software to engage with our service (i.e., client/patient clinical portal, your own email and network providers, etc.).

Once we have received or collected your personal information we will adhere to our strict procedures and security protocols to try to prevent unauthorised access.

Data Security Measures
We take the security of your personal data seriously and implement robust measures to safeguard it against unauthorised access, alteration, disclosure, or destruction.

These measures include:

Data Encryption: All sensitive data, including personal health information, is encrypted both in transit and at rest.

Access Controls: Only authorised personnel have access to personal data, with role-based permissions and two-factor authentication (2FA) required for access to sensitive records.

Security Audits: We conduct security assessments to identify and mitigate risks.

Data Anonymisation and Minimisation: Where possible, we anonymise or pseudonymise data to enhance security.

Secure Disposal: When personal data is no longer required, it is securely deleted or destroyed in accordance with our data retention policies.

Incident Response Plan: We have a structured process in place to respond to security incidents, including a breach notification procedure in compliance with GDPR.

Data Breach Notification

In the event of a data breach affecting personal data, we will assess the risk and, where necessary, notify the Information Commissioner’s Office (ICO) within 72 hours. If the breach poses a high risk to individuals’ rights and freedoms, we will also inform affected individuals promptly.

Where do we store the data?

The personal data we collect is primarily stored in the United Kingdom. Your personal information may be processed both within and outside of the EEA, depending on the tools and services used to operate our clinic.

We work with secure third-party service providers to deliver our services effectively. These include Pabau (our clinical management platform), Stripe (payment processing), Microsoft (email and cloud services), and others as necessary to ensure secure and efficient service delivery. In some cases, data may also be accessed or processed by staff operating outside the UK/EEA under contractual agreement with the clinic.

We take data protection seriously and ensure that all transfers of personal data outside the UK/EEA are carried out in compliance with the UK GDPR and applicable legislation. This includes implementing appropriate safeguards such as Standard Contractual Clauses (SCCs), data processing agreements, adherence to relevant international privacy frameworks, and working only with providers who maintain high standards of data security and privacy.

A full list of data processors and their privacy policies is available upon request.

By using our services and submitting your personal information, you acknowledge and consent to any applicable transfers, storage, and processing. We take all reasonable steps to ensure your data remains secure, encrypted, and handled in accordance with this Privacy Policy and all relevant legal requirements.


How long do we store your data?

We retain personal data only as long as necessary for legal, regulatory, insurance, and reporting requirements.

Mental health records are retained for 20 years after the last contact or 10 years after death (for adults) and until age 25 (for children, or age 26 if treatment ended at 17).

Inactive patient records are securely stored until the required retention period expires.

Direct marketing data is retained for three years from your last engagement.

Sharing Your Data
We may share your data with:
- Healthcare professionals involved in your care
- Third-party vendors supporting services (e.g., billing, IT, analytics, marketing)
- Payment processors (We use Stripe for our payment processing via our electronic management platform, Pabau).
  Privacy information for Pabau can be viewed here: https://pabau.com/privacy-policy/.
  Privacy information for Stripe can be viewed here: https://stripe.com/gb/privacy.
- Legal or indemnity organisations for clinic-related claims
- Third parties as required by law (e.g., courts, regulatory bodies)
- Where there is a significant risk to your health, we may share information with:
  - Family members, GPs, NHS mental health services, or crisis teams (where appropriate and necessary)


Your data is shared only when strictly necessary and according to the safeguards and good practices detailed in this Privacy Policy.

Third Party Websites and Links
Please note that in the event our site contains links to third-party sites and services, those sites and services have their own privacy policies. Clicking on any third-party link should be done at your own risk, and we strongly encourage you to read their posted privacy policy information about how they collect and use personal information.

Cookies

Our website uses cookies and similar technologies (e.g., pixels, tags) to enhance user experience, analyse site usage, and personalise marketing efforts.

Cookies are small text files transferred from a web server to your computer or mobile device when you visit a site, which allow us to recognise your computer, store your preferences and settings, understand your activity on our site, enhance user experience on our site, perform searches and analytics, and assist in security and administrative processes.

If your browser is set to accept cookies, they might be stored on your web browser, hard drive, or flash technologies until the expiration date is met, or you delete the cookies yourself.

You can manage or disable cookies via your browser settings; however, this may impact website functionality.

How can I block cookies?

You can also delete cookies through your browser settings. If you use your browser settings to disable, reject, or block cookies (including essential cookies), certain parts of our website will not function fully. In some cases, our website may not be accessible at all. Please note that where third parties use cookies we have no control over how those third parties use those cookies.

Supporting Your Rights

Please note, under our obligations to protect the confidentiality of your information, we will ask you to verify your identity before proceeding with any request you make under this privacy notice. If you have asked someone else to submit a request on your behalf, we will ask them to prove they have your permission to act.

We will acknowledge receipt of your request within five business days, and will act on any requests within one month from when we have received the request. If the request is complex or requires additional time, we shall notify you in writing, with any reasons for this delay.

We will generally submit any personal or special category data to you electronically using secure encrypted email. We may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

Policy Updates
We may update this Privacy Policy periodically to reflect changes in data protection practices or legal requirements. Please check this page regularly for updates.