Privacy Policy and Data Protection - Your Trust Matters

NEUROVERIFY PRIVACY POLICY

Version 1.0 | Effective Date: 2026 | Review Date: 2027

This policy explains how NeuroVerify collects, uses, stores, and protects your personal information.

1. Who We Are

NeuroVerify is a neurodiversity screening service registered in England and Wales. We provide clinically validated neurodiversity screening for individuals aged 12 and above across three tiers — adult (18+), young adult (16–17), and adolescent (12–15).

Data Controller: NeuroVerify [Registered address] [Company registration number] [ICO registration number]

Data Protection contact: [Name] [Email address for data protection enquiries]

If you have any questions about how we handle your personal data, please contact us at the address above before raising a complaint with the Information Commissioner's Office (ICO). We will always try to resolve concerns directly.

2. Our Commitment to Your Privacy

We understand that the information you share with NeuroVerify is sensitive. It includes details about your health, your mental wellbeing, and your personal history. We treat this information with the utmost care and respect.

We will never sell your data. We will never share it for advertising purposes. We will never use it in ways you have not been told about and have not agreed to.

We process your data only to deliver the service you have asked for, to keep you safe, and to improve the quality of our service over time.

3. What Data We Collect

3.1 Registration and application data

When you register with NeuroVerify we collect:

  • Your name and date of birth
  • Your contact details — email address, phone number, and home address
  • Details of the person being screened where you are registering on behalf of a child
  • Parent or guardian details where applicable
  • Your selected package and payment method
  • How you heard about NeuroVerify
  • Your responses to questions about your reasons for seeking screening

3.2 Health and screening data

As part of the screening process we collect:

  • Your responses to validated screening questionnaires — including the ASRS, AQ-10, RAADS-14, CAT-Q, BAPQ, BRIEF-A, GAD-7, PHQ-9, and other age-appropriate tools
  • Information shared during the clinical interview — including developmental history, educational history, social experience, sensory processing, attention, executive functioning, emotional regulation, mental health, and family history
  • Clinical notes and observations made by your clinician during the interview
  • Your feedback session notes
  • Your written report
  • Any collateral information you choose to provide — such as a parent's developmental history form or previous clinical reports

This information is classified as special category data under UK GDPR because it relates to your health and mental wellbeing. It is subject to the highest level of protection we apply.

3.3 Payment data

We collect payment information to process your purchase. We do not store full card details — payments are processed through a PCI DSS-compliant third-party payment provider. We retain a record of the transaction amount, date, and package purchased.

3.4 Technical data

When you use the NeuroVerify website or online platform we may collect:

  • Your IP address
  • Browser type and version
  • Device type
  • Pages visited and time spent
  • Cookies — see our Cookie Policy at neuroverify.co.uk/cookies

3.5 Communications data

If you contact us by email, telephone, or through our website we retain a record of that communication and our response.

4. How We Use Your Data

We use your data for the following purposes:

4.1 Delivering your screening pathway

We use your registration and health data to:

  • Set up your account and manage your screening pathway
  • Send you your Stage 1 screening questionnaires
  • Provide your clinician with your results before your interview
  • Conduct your clinical interview and produce your clinical formulation
  • Deliver your feedback session
  • Produce and issue your written report
  • Arrange your coaching session where applicable

Legal basis: Performance of a contract — Article 6(1)(b) UK GDPR. For health data: explicit consent — Article 9(2)(a) UK GDPR.

4.2 Safeguarding

We use your data to identify and respond to safeguarding concerns in accordance with our Safeguarding Policy. In safeguarding situations we may process your data without your consent where this is necessary to protect your life or the life of another person.

Legal basis: Vital interests — Article 6(1)(d) UK GDPR. For health data: vital interests — Article 9(2)(c) UK GDPR.

4.3 Clinical governance and quality assurance

We use anonymised or pseudonymised data to review and improve the quality of our clinical service — including reviewing a sample of reports, monitoring outcomes, and improving our screening tools and processes.

Legal basis: Legitimate interests — Article 6(1)(f) UK GDPR. We have conducted a legitimate interests assessment and concluded that our legitimate interest in maintaining clinical quality is balanced with your interests and rights.

4.4 Legal compliance

We may process your data where we are required to do so by law — for example in response to a court order, a statutory safeguarding referral, or a request from a regulatory authority.

Legal basis: Legal obligation — Article 6(1)(c) UK GDPR.

4.5 Marketing communications

Where you have given your explicit consent, we may send you occasional updates about neurodiversity, our services, and relevant resources. You can withdraw this consent at any time by clicking unsubscribe in any email or contacting us directly.

Legal basis: Consent — Article 6(1)(a) UK GDPR.

5. Who We Share Your Data With

We do not sell your data. We do not share your data with advertisers. We share your data only in the following circumstances:

5.1 Within the NeuroVerify clinical team

Your data is shared within the NeuroVerify clinical team — including your allocated clinician, the clinical lead who reviews your report, and the safeguarding lead where a safeguarding concern is identified. All team members are bound by confidentiality obligations and data protection training requirements.

5.2 Third-party service providers

We use a small number of carefully selected third-party providers to deliver our service. These providers process your data only on our instructions and are bound by data processing agreements:

  • Online platform provider — hosts the screening questionnaires and client portal
  • Secure video platform — used for clinical interviews and feedback sessions where conducted online
  • Payment processor — processes payments securely
  • Secure email provider — used for clinical correspondence
  • Cloud storage provider — stores encrypted clinical records

We will update this list as our provider arrangements change. A full list of processors is available on request.

5.3 Sharing with consent

We will share your report or any other information with any person or organisation you explicitly consent to — such as your GP, your employer, your school, or a diagnostic service. We will ask for your consent in writing before sharing.

5.4 Safeguarding and legal obligations

We may share information without your consent where:

  • There is a risk to your life or the life of another person
  • A child is at risk of harm
  • We are required to do so by law — such as a court order or statutory safeguarding referral
  • We are required to share with a regulatory authority in connection with a complaint or investigation

We will document all such sharing decisions in accordance with our Safeguarding Policy.

5.5 Professional indemnity and legal

In the event of a complaint or legal claim, we may share relevant information with our legal advisers, insurers, or regulatory bodies.

6. International Data Transfers

We aim to keep all data within the United Kingdom or the European Economic Area. Where we use third-party providers who transfer data outside these areas, we ensure that appropriate safeguards are in place — including Standard Contractual Clauses or adequacy decisions — in accordance with UK GDPR requirements.

7. How Long We Keep Your Data

We retain data for the following periods:

Data type: Retention period

  • Clinical records — adult clients: 7 years from the date of last contact
  • Clinical records — clients who were under 18: Until the client's 25th birthday or 7 years from last contact, whichever is longer
  • Safeguarding records: 7 years minimum from the date of the incident, or as directed by law
  • Payment records: 7 years for tax and accounting purposes
  • Application and registration data: Duration of the client relationship plus 3 years
  • Marketing contact data: Until consent is withdrawn or 3 years of inactivity
  • Technical and usage data: 13 months
  • Communications data: 3 years

After the retention period ends, data is securely deleted or anonymised in accordance with our data disposal procedure.

Where a client requests deletion of their data before the standard retention period ends, we will comply unless we are legally required to retain the data — for example for safeguarding records or financial records required by HMRC.

8. How We Keep Your Data Safe

We take the security of your data seriously. The measures we have in place include:

  • All clinical data is encrypted at rest and in transit using industry-standard encryption
  • Access to clinical records is restricted to authorised personnel on a need-to-know basis
  • All staff and contractors with access to personal data complete data protection training
  • Our third-party providers are assessed for security compliance before we use them
  • We maintain an incident response plan for data breaches
  • We conduct regular reviews of our security measures

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and notify affected individuals without undue delay in accordance with our legal obligations.

9. Your Rights

Under UK GDPR you have the following rights in relation to your personal data:

Right to access — You have the right to request a copy of the personal data we hold about you. We will respond within one month. We may request proof of identity before releasing data.

Right to rectification — You have the right to ask us to correct any inaccurate personal data we hold about you.

Right to erasure — You have the right to ask us to delete your personal data in certain circumstances — for example where the data is no longer necessary for the purpose it was collected, or where you withdraw consent. This right is not absolute — we may retain data where we have a legal obligation to do so.

Right to restrict processing — You have the right to ask us to restrict how we process your data in certain circumstances — for example while we investigate a rectification request.

Right to data portability — Where we process your data on the basis of consent or contract, and processing is carried out by automated means, you have the right to receive your data in a structured, commonly used, and machine-readable format.

Right to object — You have the right to object to processing based on legitimate interests, including for direct marketing purposes. We will stop processing unless we can demonstrate compelling legitimate grounds.

Rights relating to automated decision-making — NeuroVerify does not make automated decisions that have legal or similarly significant effects on you. All clinical formulations are produced by qualified human clinicians.

Right to withdraw consent — Where we process your data on the basis of consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing before the withdrawal.

To exercise any of these rights, please contact us at [data protection email]. We will respond within one month. If we are unable to comply with a request we will explain why.

If you are not satisfied with our response you have the right to complain to the Information Commissioner's Office — ico.org.uk — or to seek a remedy through the courts.

10. Children and Young People

10.1 Adolescent clients (12–15)

For clients aged 12 to 15, the primary consent for data processing is provided by the parent or guardian. Where a young person is old enough and sufficiently mature to understand their rights, we will also explain their data rights to them in age-appropriate language.

We do not use the data of clients aged 12 to 15 for marketing purposes under any circumstances.

10.2 Young adult clients (16–17)

Clients aged 16 and 17 are treated as having capacity to understand their data rights. We explain these rights to the young person directly as well as to their parent or guardian. Where the young person and parent have different wishes regarding their data, the young person's wishes will be given significant weight in our decision-making, in accordance with their developing autonomy.

10.3 Data minimisation for young clients

We apply strict data minimisation principles for all under-18 clients — collecting only the information that is necessary for the screening pathway and retaining it only for as long as is required.

11. Cookies

We use cookies on the NeuroVerify website to make it work correctly and to understand how people use it. You can control cookie settings through our Cookie Preference Centre or through your browser settings.

Our full Cookie Policy is available at neuroverify.co.uk/cookies.

12. Changes to This Policy

We review this policy annually and following any significant change in our data practices or in the law. Where we make material changes we will notify registered clients by email and update the effective date on this page.

Previous versions of this policy are available on request.

13. How to Contact Us

For data protection enquiries and Subject Access Requests: [Data protection email]

For all other enquiries: [General contact email] neuroverify.co.uk/contact

Our registered address: NeuroVerify [Full registered address]

Information Commissioner's Office: ico.org.uk 0303 123 1113

NeuroVerify is registered with the Information Commissioner's Office. ICO registration number: [To be completed on registration] Company registration number: [To be completed on incorporation]

This policy was last reviewed in 2026 and is due for review in 2027.
