Maintaining robust data protection practices is essential to providing high-quality neurodivergent-affirming coaching, support, training, consultation and related services and maintaining trust with those who use our services (referred to as clients) and those who work for or alongside us (referred to as employees or self-employed professionals).
Therefore, at Flourish with Neurodiversity, we are committed to protecting the personal data of our clients in line with the Data Protection Act 2018, the UK GDPR and all other data protection legislation currently in force.
This policy outlines how we process and protect personal information, sensitive personal information or criminal records data, to ensure it is handled lawfully, fairly, and transparently.
By following this policy, we ensure that data is kept secure, used only for its intended purpose, and shared appropriately, respecting the privacy and rights of individuals.
This policy applies to all those working for or on behalf of Flourish with Neurodiversity and to any personal (or sensitive personal) information and criminal records information processed by Flourish with Neurodiversity.
Controller
A controller is a natural or legal person, public authority, agency, or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Subject
Means the individual to whom the personal information relates.
Personal Information
Sometimes known as personal data, means information relating to an individual who can be identified (directly or indirectly) from that information.
Processing Information
Means obtaining, recording, organising, storing, amending, retrieving, disclosing and/or destroying information, or using or doing anything with it.
Processor
The UK GDPR defines a processor as a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Pseudonymised
This is the process by which personal information (or sensitive personal information) is processed in such a way that it cannot be used to identify an individual without the use of additional information, which is kept separately and subject to technical and organisational measures to ensure that the personal information cannot be attributed to an identifiable individual.
Sensitive Personal Information
Sometimes known as 'special categories of personal data' or 'sensitive personal data', means personal information about an individual's race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership (or non-membership), genetics information, biometric information (where used to identify an individual) and information concerning an individual's health, sex life or sexual orientation.
Flourish with Neurodiversity endorses fully and adheres to the Data Protection Principles listed below. When processing data, we will ensure that it is:
⦁ processed lawfully, fairly and in a transparent way
⦁ processed no further than the legitimate purposes for which that data was collected
⦁ limited to what is necessary in relation to the purpose
⦁ accurate and kept up-to-date
⦁ kept in a form which permits identification of the data subject for no longer than is necessary
⦁ processed in a manner that ensures the security of that personal data and protects against unauthorised or unlawful processing and accidental loss, destruction, or damage
⦁ processed by a controller who can demonstrate compliance with the principles
These principles must be observed at all times when processing or using personal information.
Concerning any processing activity, we will, before the processing starts for the first time, and then regularly while it continues:
⦁ Review the purposes of the processing activity and select the most appropriate lawful basis (or bases) for that processing, for example:
⦁ That the data subject has consented to the processing;
⦁ That the processing is necessary for the performance of a contract to which the data subject is a party;
⦁ To take steps at the request of the data subject before entering into a contract;
⦁ That the processing is necessary for compliance with a legal obligation to which Flourish with Neurodiversity is subject;
⦁ That the processing is necessary for the protection of the vital interests of the data subject or another natural person;
⦁ That the processing is necessary for the performance of a task carried out in the public interest or exercise of official authority; or
⦁ That the processing is necessary for the legitimate interests of Flourish with Neurodiversity or a third party, except where those interests are overridden by the interests of fundamental rights and freedoms of the Data Subject.
⦁ Document our decision as to which lawful basis applies to help demonstrate our compliance with the data protection principles.
⦁ Include information about both the purposes of the processing and the lawful basis for it in our relevant privacy notice(s).
⦁ Where criminal offence information is processed, also identify a lawful condition for processing that information and document it.
⦁ If processing is based on legitimate interests, determine whether Flourish with Neurodiversity's legitimate interests are the most appropriate basis for lawful processing, and:
⦁ Conduct a Legitimate Interest Assessment (LIA) and keep a record of it to ensure that we can justify our decision;
⦁ If the LIA identifies a significant privacy impact, consider whether we also need to conduct a data protection impact assessment (DPIA);
⦁ Keep the LIA under review and repeat it if circumstances change; and
⦁ Include information about our legitimate interests in our relevant privacy notice(s).
Flourish with Neurodiversity may need to process sensitive personal information. We will only process sensitive personal information if:
⦁ We have a lawful basis for doing so set out above; and
⦁ One of the special conditions for processing sensitive personal information applies, for example:
⦁ The data subject has given explicit consent so that Flourish with Neurodiversity can provide its services.
⦁ The processing is necessary for exercising the employment law rights or obligations of Flourish with Neurodiversity or the data subject.
⦁ The processing is necessary to protect the data subject's vital interests, and the data subject is physically incapable of giving consent.
⦁ The processing relates to personal data, which is manifestly made public by the data subject.
⦁ The processing is necessary for the establishment, exercise, or defence of legal claims; or
⦁ The processing is necessary for reasons of substantial public interest.
⦁ The individual has been properly informed of the nature of the processing, the purposes for which it is being carried out, and the legal basis for it.
Before any new form of technology is introduced, and where data processing is likely to result in a high risk to an individual's data protection rights, we will, before commencing the processing, carry out a DPIA to assess:
⦁ Whether the processing is necessary and proportionate concerning its purpose.
⦁ The risks to individuals.
⦁ What measures can be put in place to address those risks and protect personal information.
During any DPIA, we will seek appropriate advice from data protection experts and/or the relevant governing bodies/authorities (for example, the ICO).
We will keep records of processing activities, including:
⦁ A description of the categories of individuals and categories of personal data;
⦁ Categories of recipients of personal data;
⦁ The purposes of the processing;
⦁ Where relevant, details of transfers to third countries, including documentation of the transfer mechanism safeguards in place;
⦁ Where possible, retention schedules; and
⦁ Where possible, a description of technical and organisational security measures.
As part of our record of processing activities, we document, or link to documentation, on:
⦁ Records of consent.
⦁ Controller-processor contracts.
⦁ The location of personal information.
⦁ DPIAs; and
⦁ Records of data breaches.
If we process sensitive personal information or criminal records information, we will keep written records of:
⦁ The relevant purpose(s) for which the processing takes place, including (where required) why it is necessary for that purpose;
⦁ The lawful basis for our processing; and
⦁ Whether we retain and erase the personal information following our policy document, and, if not, the reasons for not following our policy.
We will regularly review the personal information we process and update our documentation accordingly. This may include:
⦁ Carrying out information audits to find out what personal information Flourish with Neurodiversity holds and how we process it.
⦁ Reviewing our policies, procedures, contracts, and agreements to address areas such as retention, security, and data sharing.
Flourish with Neurodiversity will issue privacy notices from time to time, informing individuals about the personal information that we collect and hold relating to them, how they can expect their personal information to be used and for what purposes.
We will take appropriate measures to provide information in privacy notices in a concise, transparent, intelligible, and easily accessible form, using clear and plain language.
Individuals have the following rights concerning their personal information:
⦁ The right to access personal data held about them (the right of subject access);
⦁ The right to be informed about how and why their data is used - and you must give them privacy information;
⦁ The rights to have their data rectified, erased or restricted;
⦁ The right to object;
⦁ The right to portability of their data; and
⦁ The right not to be subject to a decision based solely on automated processing.
Note: Some exemptions and restrictions can, in some circumstances, be legitimately applied to exempt or qualify the right of individuals to exercise their rights.
For example:
⦁ If fulfilling the request would undermine the prevention, investigation, detection, or prosecution of criminal offences.
⦁ If the processing of personal data is necessary for the establishment, exercise, or defence of legal claims.
⦁ If fulfilling them would infringe upon the rights and freedoms of others, including trade secrets or intellectual property.
All employees and self-employed professionals are required to read this and other relevant Data Protection/IT Security Policies.
All employees and self-employed professionals are responsible for helping Flourish with Neurodiversity keep their personal information up to date and must let us know if the information they have provided to us changes, for example, if they move to a new house or change their bank account.
As an employee or self-employed professional, you may have access to personal information (e.g., of our clients, colleagues, etc.) during your employment or engagement.
If you have access to personal information, you must:
⦁ Only access the personal information that you have the authority to access, and only for authorised purposes.
⦁ Only allow others to access personal information if they have appropriate authorisation from the business owner to do so.
⦁ Keep personal information secure, for example, by complying with rules on computer access, password protection, secure file storage and destruction, etc.
⦁ Not store personal information on personal devices.
You should contact the business owner (Natasha Wakeling) if you are concerned or suspect that this policy has been breached or if you suspect or are made aware of a data breach (as set out below).
Flourish with Neurodiversity will use appropriate technical and organisational measures to keep personal information secure and to protect against unauthorised or unlawful processing and accidental loss, destruction, or damage.
Where Flourish with Neurodiversity uses external organisations, systems or service providers to process personal information on its behalf, appropriate due diligence and contractual safeguards will be put in place to protect that information. This may include providers of operational systems, cloud storage, CRM platforms, accounting services, administrative support, associate practitioners, AI-enabled tools, transcription services, or other professional support services.
Where required, Flourish with Neurodiversity will ensure that appropriate data processing agreements or contractual clauses are in place, and that providers are only permitted to process personal information in line with Flourish with Neurodiversity’s instructions, applicable data protection law, and appropriate confidentiality and security requirements.
⦁ The organisation may act only on the written instructions of Flourish with Neurodiversity;
⦁ Those processing the data are subject to a duty of confidence;
⦁ Appropriate measures are taken to ensure the security of processing;
⦁ Sub-contractors are only engaged with the prior consent of Flourish with Neurodiversity and under a written contract;
⦁ The organisation will assist Flourish with Neurodiversity in providing subject access and allowing individuals to exercise their rights under the GDPR;
⦁ The organisation will assist Flourish with Neurodiversity in meeting its GDPR obligations concerning the security of processing, the notification of data breaches and data protection impact assessments;
⦁ The organisation will delete or return all personal information to Flourish with Neurodiversity as requested at the end of the contract; and
⦁ The organisation will submit to audits and inspections and provide Flourish with Neurodiversity with whatever information it needs to ensure that they are both meeting their data protection obligations.
Where appropriate, we will apply pseudonymisation to personal data to enhance privacy and data protection. Examples of when pseudonymisation may be used include:
⦁ When preparing anonymised success stories or training examples
⦁ When tracking progress across groups (e.g., number of coaching sessions attended vs. improvement in daily living skills)
Please note that pseudonymisation may be used in combination with other security measures such as encryption and access restriction.
Personal information (and sensitive personal information) will be kept securely following the principles below:
⦁ Personal information (and sensitive personal information) should not be retained any longer than necessary. The length of time over which data should be retained will depend upon the circumstances, including the reasons why the personal information was obtained.
⦁ Personal information (and sensitive personal information) that is no longer required will be deleted permanently from our information systems, and any hard copies will be destroyed securely.
Raw transcripts, recordings, draft notes or detailed AI-generated notes will not usually be kept for longer than necessary. Where appropriate, they will be replaced with shorter, factual summaries and securely deleted, unless there is a clear lawful reason to retain them, such as safeguarding, complaints, legal, insurance or service quality purposes.
A data breach may take many different forms, for example:
⦁ Loss or theft of data or equipment on which personal information is stored;
⦁ Loss of data resulting from an equipment or system failure;
⦁ Human error, such as accidental deletion or alteration of data;
⦁ Unforeseen circumstances, such as a fire or flood;
⦁ Deliberate attacks on IT systems; and
⦁ 'Blagging' offences, where information is obtained by deceiving the organisation which holds it.
In the event of a Data Breach, Flourish with Neurodiversity will:
⦁ Immediately take such steps as are necessary to minimise the risk to clients, any employees or self-employed professionals we engage, and the organisation.
⦁ Assess the situation and determine what steps need to be taken.
⦁ Make the required report of a data breach to the Information Commissioner's Office without undue delay and, where possible, within 72 hours of becoming aware of it if it is likely to result in a risk to the rights and freedoms of individuals;
⦁ Notify the affected individuals if a data breach is likely to result in a high risk to their rights and freedoms, and notification is required by law.
⦁ Take steps as necessary to ensure that similar breaches cannot happen again.
Whilst Flourish with Neurodiversity does not intend to transfer personal information outside the U.K. (United Kingdom) and E.U. (European Union), some of the software used by Flourish with Neurodiversity may be hosted outside of the U.K. and E.U.
However, we have determined that this data is secure on the basis that the country, territory or organisation is designated as having an adequate level of protection and has provided adequate safeguards by way of acceptable data protection clauses.
At Flourish with Neurodiversity, we are committed to upholding the highest standards of data protection and privacy and want to assure all individuals that we will never sell or trade personal data to any third parties.
This list details the specific data types that may be collected, the reason the data is processed, the legal/legitimate reason, and the expected retention period.
Information Type
Client Data
Data Stored
⦁ Personal Contact Details. E.g., name, home address, telephone number(s), and personal email address
⦁ Emergency Contact Details
⦁ Date of Birth
⦁ Health Data
⦁ Healthcare Registration Details (GP registration)
⦁ Payment Details
Processing Reason
⦁ Providing Tailored Services
⦁ Health and Safety Compliance
⦁ Legal Obligations
⦁ Emergency Situations
Legal Interest/Legitimate Reason
⦁ Consent.
⦁ Contract.
⦁ Legal Obligation.
⦁ Legitimate Interests.
Retention Policy
Flourish with Neurodiversity will retain personal information only for as long as necessary for the purpose for which it was collected, including to provide services, meet legal and regulatory obligations, respond to queries or complaints, and protect the rights and interests of clients and the organisation.
As a general guide:
⦁ Client records and case notes will usually be retained for 7 years after the end of the service relationship, unless a longer retention period is required.
⦁ Safeguarding-related records may be retained for longer where necessary, in line with safeguarding guidance, legal obligations, insurance requirements, or where there is an ongoing risk or concern.
⦁ Financial, invoice and payment records will usually be retained for 6 years after the end of the relevant financial year, in line with tax and accounting requirements.
⦁ Contact enquiries that do not become clients will usually be retained for up to 12 months after the last contact, unless there is a lawful reason to keep them longer.
⦁ Assessment, Access to Work, employer or funding-related records will usually be retained for 7 years after the end of the relevant service or funding arrangement, unless a longer period is required by contract, law, safeguarding or complaint-handling needs.
⦁ Complaints, incidents and disputes will usually be retained for 7 years after the matter is closed, or longer where necessary for legal, insurance or safeguarding reasons.
⦁ Marketing consent records will be retained while consent remains valid and for a reasonable period afterwards to evidence consent or withdrawal.
⦁ Pseudonymised or anonymised data may be retained for longer, including indefinitely, where individuals can no longer be identified or where appropriate safeguards are in place.
At the end of the relevant retention period, personal information will be securely deleted, anonymised or destroyed unless there is a lawful reason to retain it for longer.
Client Records, CRM and Authorised Access
Flourish with Neurodiversity uses Omni CRM and other secure systems to manage enquiries, bookings, client records, communications, service delivery, invoices and relevant coaching or support notes.
Client records may include contact details, enquiry information, service history, consent records, matching information, session summaries, agreed actions, safeguarding or risk information where relevant, Access to Work information, invoices, communications and service administration records.
Access to Omni CRM and client records is limited to authorised people who need access for their role, such as Flourish team members, assigned associates, administrative support, CRM administrators or technical support providers. Access should be limited to what is necessary for the person’s role.
Flourish with Neurodiversity aims to keep records factual, relevant and proportionate. Long-form notes, raw transcripts or unnecessary sensitive details should not be kept in Omni CRM unless there is a clear reason.
Service Providers, Freelance Associates and Authorised Support Providers
Flourish with Neurodiversity uses trusted service providers, freelance associates and authorised support providers to help manage enquiries, bookings, client records, coaching notes, scheduling, communications, invoicing, Access to Work administration, CRM maintenance and service delivery.
Where necessary, these people or providers may access personal information, including client records or coaching notes, only for the purposes of providing, managing, administering, supporting or maintaining Flourish with Neurodiversity’s services. They are required to keep information confidential, follow data protection requirements, and must not use client information for their own purposes.
Some Flourish with Neurodiversity services may be delivered by independent freelance associates under the Flourish with Neurodiversity brand. Where an associate is matched with a client, Flourish with Neurodiversity may share relevant information from enquiries, discovery calls, screening forms, consent records, goals, support needs and communications so the associate can prepare for and deliver the agreed service.
AI, Transcription and Note-Taking Tools
Flourish with Neurodiversity may use approved digital tools to support administration, note-taking, transcription, summarising, accessibility, supervision, service quality or record keeping. We will only use tools involving identifiable client information where we consider it appropriate, secure and necessary, and where we have a lawful basis to do so.
Where AI transcription, AI summarising or similar tools are used for client sessions or sensitive client information, Flourish with Neurodiversity will tell clients and obtain consent where required. Clients can ask questions or object to the use of AI tools where applicable.
Raw transcripts, recordings or detailed AI-generated notes should not be kept for longer than necessary. Where appropriate, they will be replaced with shorter, factual summaries and securely deleted.
Children and Young People
Where Flourish with Neurodiversity provides services to children or young people, we will usually seek consent from a parent or carer where required, and will also seek the child or young person’s involvement and assent where appropriate, taking into account their age, understanding and circumstances.
We will explain confidentiality and its limits as clearly as possible. Information may need to be shared with parents, carers, schools, healthcare professionals, safeguarding teams or other relevant professionals where this is necessary to provide support, manage risk, meet safeguarding duties, or comply with legal or professional responsibilities.
Parent or carer updates will usually be limited to relevant information about support, progress, agreed actions, risks or practical arrangements, unless there is a lawful reason to share more detailed information.
Access to Work and Funded Support
Where services are funded or supported through Access to Work, Flourish with Neurodiversity may process relevant personal information to support applications, award letters, bookings, coaching or support delivery, invoices, progress updates, administration and reporting requirements.
Where relevant and lawful, information may be shared with the Department for Work and Pensions, Access to Work assessors, employers, workplace contacts, funders or other relevant parties where this is agreed, necessary for the funded support, required for invoicing or administration, or otherwise required by law.
Flourish with Neurodiversity uses secure digital systems to store and manage day-to-day operational and client information. These may include email, cloud storage, CRM systems, accounting systems, administrative tools and other approved service platforms.
Access to these systems is restricted to individuals who have a legitimate need to access the information for their role. Access controls are managed internally and reviewed where appropriate.
We seek to use providers that offer appropriate security, confidentiality and data protection safeguards. Where a provider processes personal information on our behalf, we will take reasonable steps to understand where data is stored, whether sub-processors are used, and what contractual and technical safeguards are in place.
The specific systems and providers used by Flourish with Neurodiversity may change over time. A current list of core systems, providers and relevant sub-processor information will be maintained internally and reviewed periodically.
Flourish with Neurodiversity does not routinely store physical client records. Where handwritten notes are taken during neurodivergent-affirming coaching, support, training, consultation or related services, they will be typed up where needed and the physical copies will be securely shredded as soon as they are no longer required. Any temporary digital drafts or duplicated notes will also be securely deleted once the final record has been created.
Client data is only shared where there is a lawful basis and where it is necessary, proportionate and appropriate to do so. This may include sharing information with:
⦁ Associate practitioners, employees, contractors or authorised support providers involved in delivering or supporting services.
⦁ Supervisors, consultants or professional advisers, where needed for supervision, safeguarding, clinical/professional guidance, legal advice, accounting or business support.
⦁ CRM, IT, technical support, cloud storage, email, payment, transcription, AI-enabled tools or other service providers who process data on our behalf.
⦁ Access to Work, the Department for Work and Pensions, employers, assessors or funding bodies, where relevant to funding, assessments, workplace support or reporting requirements.
⦁ Other healthcare professionals, emergency services or relevant professionals, where needed in an emergency or to protect someone’s vital interests.
⦁ Local Authority departments, Safeguarding Teams, Social Services, or other statutory services, where there is a safeguarding concern or legal duty to share information.
⦁ The Police, courts, regulators or other public authorities, where required by law, for the prevention or detection of crime, or to protect the rights, safety or wellbeing of individuals.
⦁ Our accountant, bookkeeper, insurers or other professional service providers, where needed for financial, insurance, legal or regulatory purposes.
We will not share more personal information than is necessary for the relevant purpose, and where providers process personal information on our behalf, appropriate confidentiality, security and data protection safeguards will be used.
Data subjects have the right to access any personal data that is being kept about them by Flourish with Neurodiversity. To do this, the data subject must make a 'subject access request'.
To make a subject access request, the data subject should contact Natasha Wakeling:
⦁ Email: [email protected]
⦁ Telephone: 07355929709
Flourish with Neurodiversity aims to deal with the subject access request as quickly as possible, and all requests will be completed within 30 days unless defined as complex. If the time exceeds 30 days, the requester will be notified in writing.
Subject Access Requests coming directly from the data subject will be free. However, we can charge a fee if requests become unfounded or excessive. Alternatively, we can refuse to comply with the request, for example, if the request is manifestly unfounded or manifestly excessive.
Please Note:
Some of the rights under the GDPR may be limited where we have an overriding interest or legal obligation to continue to process the data, or where data may be exempt from disclosure by law.
We sometimes need to request specific information from a requester to help us confirm their identity and ensure their right to access the information (or to exercise any of their other rights). This is an appropriate security measure to ensure that personal information is not disclosed to anyone without the right to receive it.
Where a subject access request includes session notes, coaching notes, safeguarding records, communications or other detailed records, Flourish with Neurodiversity will review the information carefully before disclosure. Some information may need to be withheld, redacted or handled separately where it includes third-party information, safeguarding concerns, legal privilege, confidential references, risk information, or where another exemption or restriction applies under data protection law.
Requests will be considered on a case-by-case basis in line with applicable data protection law.
Flourish with Neurodiversity takes compliance with this policy very seriously. Failure to comply with the policy:
⦁ Puts data subjects at risk.
⦁ Carries the risk of significant civil and criminal sanctions for the individual and Flourish with Neurodiversity.
⦁ May, in some circumstances, amount to a criminal offence by the individual.
Because of the importance of this policy, failure to comply will usually be treated as gross misconduct and will result in a working agreement/contract being terminated without notice.
If you have any questions or concerns about this policy, do not hesitate to contact us.
Flourish with Neurodiversity is committed to ensuring our policies are effective and up-to-date. To do this, we have a process for regularly monitoring and reviewing them.
The business owner and founder is responsible for this process and will review this policy at least once a year or more frequently if needed due to changes in laws or our practices.
Author: Policy Pros
Issue Number: 1
Approved Date: 02/09/2025
Approved By: Natasha Wakeling