
Privacy policy

This privacy notice tells you what to expect us to do with your personal information.

•    Contact details

•    What information we collect, use, and why

•    Lawful bases and data protection rights

•    Where we get personal information from

•    How long we keep information

•    Who we share information with

•    Sharing information outside the UK

•    How to complain

Contact details

2.    Telephone: 07572 261731

3.    Email: alex@navigateneurodiversityot.com

 

What information we collect, use, and why


We collect or use the following information to provide patient care, services, products and other goods:

•    Name, address and contact details

•    Gender

•    Pronoun preferences

•    Date of birth

•    Next of Kin details including any support networks

•    Emergency contact details

•    Health information (including medical conditions, allergies, medical requirements and medical history)

•    Information about care needs (including disabilities, home conditions, medication and dietary requirements and general care provisions)

•    Test results (including psychological evaluations, scans, bloods, x-rays, tissue tests and genetic tests)

•    Payment details (including card or bank information for transfers and direct debits)

•    Records of meetings and decisions

•    Call recordings

•    Information about income and financial needs for funding or personal budget support

•    Your relationships with others

•    Employment information

•    Sexual orientation

•    Social media handles

We also collect the following for online resources:

  • Name and contact details

  • Payment details (processed via Stripe — we receive only a payment token, not your full card details)

  • Purchase records

We also collect the following information to provide patient care, services, products and other goods:

•    Health information

We collect or use the following personal information to comply with legal requirements:

•    Name

•    Contact information

•    Safeguarding information

We also collect the following information to comply with legal requirements:

•    Health information

We collect or use the following personal information for information updates, marketing or market research purposes:

•    Names and contact details

We collect or use the following personal information for dealing with queries, complaints or claims:

•    Names and contact details

We also collect the following information for dealing with queries, complaints or claims:

•    Health information

We also collect the following information to charge the stored card for unpaid invoices, missed sessions, products purchased from our website or recurring services:

•    Stripe payment token. The token is a random string; it does not contain the actual card number, CVV, or expiry.

We collect Stripe payment tokens to provide you with online resources and to comply with our insurance.

Social group participants:

We collect and process personal information for participants in our social groups in the same way as for 1:1 OT clients. This includes all categories listed above under patient care. Attendance and the content of the session are stored on Zanda and retained for 8 years before permanent deletion, in line with our legal obligation.

Lawful bases and data protection rights

Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.

Which lawful basis we rely on may affect your data protection rights, which are set out in brief below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:

•    Your right of access - You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which means you may not receive all the information you ask for. 

•    Your right to rectification - You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete. 

•    Your right to erasure - You have the right to ask us to delete your personal information. 

•    Your right to restriction of processing - You have the right to ask us to limit how we can use your personal information. 

•    Your right to object to processing - You have the right to object to the processing of your personal data. You can read more about this right here.

•    Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you.

•    Your right to withdraw consent – When we use consent as our lawful basis you have the right to withdraw your consent at any time. 

You can read more about your rights here: 

https://ico.org.uk/for-organisations/advice-for-small-organisations/create-your-own-privacy-notice/your-data-protection-rights/

If you make a request, we must respond to you without undue delay and in any event within one month.

To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.

Our lawful bases for the collection and use of your data

Our lawful bases for collecting or using personal information to provide patient care, services, products and other goods are:

•    Consent - we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.

•    Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.

•    Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability. We have a legal obligation to keep your data for 8 years to meet insurance requirements (see the section on data retention for details).

•    Legitimate interest – we’re collecting or using the information because it benefits the person, our organisation or someone else, without causing an undue risk of harm to anyone. We rely on this basis to store a Stripe payment token to enable clients to purchase from our website.

When medical professionals contact us via email we use legitimate interest to retain their email.

Our lawful bases for collecting or using personal information to comply with legal requirements are:

•    Consent - we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.

•    Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.

•    Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.

Our lawful bases for collecting or using personal information for information updates, marketing or market research purposes are:

•    Consent - we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.

Our lawful bases for collecting or using personal information for dealing with queries are:

•    Consent - we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.


Where we get personal information from


•    Directly from you

•    A professional who refers you

•    A family member who refers you

•    Someone you’ve asked to contact us on your behalf such as a P.A.

•    Stripe – when you enter card details on Stripe’s hosted page (e.g. for on-demand webinars), Stripe returns a payment token (PaymentMethod ID).



How long we keep information

Client information:

        

1. Name, email address, phone number, postal address, date of birth, pronouns    

Retention period: Archive client’s Zanda profile 6 months after last contact then permanently delete Zanda profile after 8 years    

Where is it stored: Zanda    

Reason: Consent/contract/legal    

Method of deletion: Permanently delete from Zanda

2. Name on Kami

Retention period: Archive document to client’s Zanda profile 6 months after last contact then delete original. Permanently delete Zanda profile after 8 years    

Where is it stored: Kami, Zanda

Reason: Consent/contract/legal    

Method of deletion: Permanently delete from Kami. After 8 years delete archived copy from Zanda

3. Name on Canva

Retention period: Archive document to client’s Zanda profile 6 months after last contact then delete original.  Permanently delete Zanda profile after 8 years    

Where is it stored: Canva, Zanda    

Reason:  Consent/contract/legal    

Method of deletion: Permanently delete from Canva. After 8 years delete archived copy from Zanda

4. Employment information including role and employer    

Retention period: Archive to client’s Zanda profile 6 months after last contact then permanently delete Zanda profile after 8 years    

Where is it stored: Zanda    

Reason: Consent/contract/legal    

Method of deletion: Permanently delete from Zanda

5. Information about your relationships    

Retention period: Archive to client’s Zanda profile 6 months after last contact then permanently delete Zanda profile after 8 years    

Where is it stored: Zanda    

Reason: Consent/contract/legal    

Method of deletion: Permanently delete from Zanda

Access to Work information:            

1. Client Access to Work URN    

Retention period: Archive to client’s Zanda profile 6 months after last contact then delete original. Permanently delete Zanda profile after 8 years    

Where is it stored: Google Drive and associated emails in Gmail or Proton for Business    

Reason: Consent/contract/legal    

Method of deletion: Permanently delete from Google Drive, Gmail, Proton for Business. After 8 years delete archived copy from Zanda

2. Client Access to Work documents    

Retention period: Archive to client’s Zanda profile 6 months after last contact then delete original. Permanently delete Zanda profile after 8 years

Where is it stored: Google Drive and associated emails in Gmail or Proton for Business    

Reason: Consent/contract/legal    

Method of deletion: Permanently delete from Google Drive, Gmail, Proton for Business. After 8 years delete archived copy from Zanda

3. Client’s employer details for ATW confirmation including name, role, and email address    

Retention period: Archive to client’s Zanda profile 6 months after last contact then delete original. Permanently delete Zanda profile after 8 years

Where is it stored: Google Drive and associated emails in Gmail or Proton for Business    

Reason: Consent/contract/legal    

Method of deletion: Permanently delete from Google Drive, Gmail, Proton for Business. After 8 years delete archived copy from Zanda

Social media                

1. Clients: Facebook, Instagram, TikTok handle shared via email    

Retention period: If a client shares their social media handle in an email the email will be archived to the client’s Zanda profile within 5 months of the end of the email chain and the original will be deleted from Gmail / Proton for Business. Permanently delete Zanda profile after 8 years    

Retention period: Archive to client’s Zanda profile 6 months after last contact then delete original. Permanently delete Zanda profile after 8 years

Where is it stored: Gmail, Proton for Business, Zanda    

Reason: Consent/contract/legal    

Method of deletion: Permanently delete from Gmail, Proton for Business. After 8 years delete archived copy from Zanda

2. Clients: Facebook, Instagram, TikTok handle shared during a session    

Retention period: If a client shares their social media handle during a session the notes from the session will be archived in the client’s Zanda profile 6 months after last contact. Permanently delete Zanda profile after 8 years

Where is it stored: Zanda    

Reason: Consent/contract/legal    

Method of deletion: Permanently delete from Zanda

3. Prospective clients: Facebook, Instagram, TikTok handle shared via email    

Retention period: Delete 5 months after final contact    

Where is it stored: Gmail, Proton for Business

Reason: Consent/contract/legal    

Method of deletion: Permanently delete from Gmail, Proton for Business

4. Clients: Messages sent on Facebook, Instagram, TikTok     

Retention period: Archive to Zanda profile 6 months after final contact and delete original. Permanently delete Zanda profile after 8 years    

Where is it stored: Facebook, Instagram, TikTok, Zanda    

Reason: Consent/contract/legal    

Method of deletion: Permanently delete from Facebook, Instagram, TikTok. After 8 years delete archived copy from Zanda 

5. Prospective clients: Messages sent on Facebook, Instagram, TikTok    

Retention period: Permanently delete 6 months after last contact    

Where is it stored: Facebook, Instagram, TikTok    

Reason: Consent/contract/legal    

Method of deletion: Permanently delete from Facebook, Instagram, TikTok

Special category data:                

1. Sexual orientation    

Retention period: Archive client’s Zanda profile 6 months after last contact then permanently delete Zanda profile after 8 years    

Where is it stored: Zanda    

Reason: Consent/contract/legal    

Method of deletion: Permanently delete from Zanda

2. Medical conditions, treatment, and investigations    

Retention period: Archive client’s Zanda profile 6 months after last contact then permanently delete Zanda profile after 8 years    

Where is it stored: Zanda    

Reason: Consent/contract/legal    

Method of deletion: Permanently delete from Zanda

3. Reports written by Alex Lawrence    

Retention period: Archive client’s Zanda profile 6 months after last contact then permanently delete Zanda profile after 8 years    

Where is it stored: Zanda    

Reason: Consent/contract/legal    

Method of deletion: Permanently delete from Zanda

4. Session notes, including AI transcribed notes    

Retention period: Archive client’s Zanda profile 6 months after last contact then permanently delete Zanda profile after 8 years    

Where is it stored: Zanda    

Reason: Consent/contract/legal    

Method of deletion: Permanently delete from Zanda

5. Documents uploaded to Grammarly for review    

Retention period: When the document’s completed move to Trash. Trash is then automatically deleted after 30 days.    

Where is it stored: Grammarly    

Reason: Consent/contract/legal    

Method of deletion: Permanently delete from Grammarly

6. Documents created in Grammarly    

Retention period: When the document’s completed move to Trash. Trash is then automatically deleted after 30 days.    

Where is it stored: Grammarly    

Reason: Consent/contract/legal    

Method of deletion: Permanently delete from Grammarly

7. Dictaphone recordings of sessions    

Retention period: On the same day as the session upload the file to Heidi Health and delete permanently from the Dictaphone    

Where is it stored: Dictaphone    

Reason: Consent/contract/legal    

Method of deletion: Permanently delete from the Dictaphone

8. Heidi Health recordings of sessions    

Retention period: Add summary to session notes in client’s Zanda profile then permanently delete the recording. This will happen within 48 hours of the session

Where is it stored: Heidi Health

Reason: Consent/contract/legal    

Method of deletion: Permanently delete from Heidi Health

9. Voice notes from messaging sessions

Retention period: Transcribe as part of the client's session notes in their Zanda profile then permanently delete the recording. This will happen within 48 hours of the session    

Where is it stored: Mobile phone    

Reason: Consent/contract/legal    

Method of deletion: Permanently delete from mobile phone

Client documents:

                

1. Documents created for clients    

Retention period: Archive to client's Zanda profile 6 months after last contact then permanently delete Zanda profile after 8 years    

Where is it stored: Zanda, Kami, Canva

Reason: Consent/contract/legal    

Method of deletion: Permanently delete from Kami, and Canva. After 8 years delete archived copy from Zanda

2. Client documents uploaded to Grammarly for review    

Retention period: When the document’s completed move to Trash. Trash is then automatically deleted after 30 days    

Where is it stored: Grammarly    

Reason: Consent/contract/legal    

Method of deletion: Permanently delete from Grammarly

3. Client documents created in Grammarly    

Retention period: When the document’s completed move to Trash. Trash is then automatically deleted after 30 days    

Where is it stored: Grammarly    

Reason: Consent/contract/legal    

Method of deletion: Permanently delete from Grammarly

Invoices:                

1. Client invoices    

Retention period: Invoices are done through Zanda. Emails about invoices will be archived to a client’s Zanda profile 5 months after the end of the email trail and the original will be deleted. The client’s Zanda profile will be archived 6 months after last contact then permanently deleted after 8 years.    

Where is it stored: Gmail, Proton for Business, Zanda    

Reason: Consent/contract/legal    

Method of deletion: Delete original from Gmail, Proton for Business. After 8 years permanently delete the client's Zanda profile.

2. Client employer invoices    

Retention period: Invoices are done through Zanda. Emails about invoices will be archived to a client’s Zanda profile 5 months after the end of the email trail and the original will be deleted. The client’s Zanda profile will be archived 6 months after last contact then permanently deleted after 8 years.    

Where is it stored: Gmail, Proton for Business, Zanda    

Reason: Consent/contract/legal    

Method of deletion: Archive then delete original from Gmail, Proton for Business. After 8 years permanently delete from Zanda.

3. Payment token / PaymentMethod ID

Retention period: If used for the purchase of goods on the website via a Stripe payment portal, Stripe holds the data. In accordance with financial regulations in the UK, transactional records may be kept for up to 7 years to comply with anti-money laundering and tax obligations.

Where is it stored: Stripe    

Reason: Consent/contract/legal    

Method of deletion: Permanently delete from Stripe

Email records:            

1. Email correspondence with clients    

Retention period: Archive to client’s Zanda profile within 5 months of end of email chain then delete original from Gmail and Proton for Business. Permanently delete client’s Zanda profile after 8 years. As part of the archiving process Alex’s P.A. saves a copy locally on their computer which they permanently delete after the email’s archived.

Where is it stored: Gmail, Proton for Business, and Zanda

Reason: Consent/contract/legal

Method of deletion: Permanently delete original from Gmail or Proton for Business. Permanently delete copy on P.A.’s computer. After 8 years delete archived copy from Zanda

2. Email correspondence about clients with a third party e.g., family member, partner, referring practitioner, P.A., employer    

Retention period: Archive to client’s Zanda profile within 5 months of end of email chain then delete original from Gmail and Proton for Business. Permanently delete client’s Zanda profile after 8 years. As part of the archiving process Alex’s P.A. saves a copy locally on their computer which they permanently delete after the email’s archived    

Where is it stored: Gmail, Proton for Business, and Zanda    

Reason: Consent/contract/legal    

Method of deletion: Permanently delete original from Gmail or Proton for Business. Permanently delete copy on P.A.’s computer. After 8 years delete archived copy from Zanda

3. Email correspondence with prospective clients    

Retention period: Delete 5 months after final contact    

Where is it stored: Gmail, Proton for Business, and Zanda    

Reason: Consent/contract/legal    

Method of deletion: Permanently delete from Gmail or Proton for Business

4. Email correspondence with other professionals which isn’t about clients    

Retention period: Keep in Gmail or Proton for Business account for up to 8 years after last contact then permanently delete    

Where is it stored: Gmail and Proton for Business    

Reason: Legitimate interest    

Method of deletion: Permanently delete from Gmail or Proton for Business

Group bookings:

            

1. Attendance list    

Retention period: Archive on Zanda 6 months after session, after 8 years permanently delete from Zanda    

Where is it stored: Zanda    

Reason: Consent/contract/legal    

Method of deletion: Permanently delete from Zanda

Portal log in information:                

1. Clients: Email address and password    

Retention period: Delete from Zanda 6 months after final contact.    

Where is it stored: Zanda    

Reason: Consent/contract/legal    

Method of deletion: Permanently delete from Zanda

2. Prospective clients: Email address and password    

Retention period: Delete from Zanda 5 months after final contact.    

Where is it stored: Zanda    

Reason: Consent/contract/legal    

Method of deletion: Permanently delete from Zanda

Electronic messages:                

1. WhatsApp    

Retention period: Delete within 6 months of last contact    

Where is it stored: WhatsApp    

Reason: Consent/contract/legal    

Method of deletion: Permanently delete from WhatsApp

2. Mobile SMS    

Retention period: Delete 6 months after last contact    

Where is it stored: Mobile phone    

Reason: Consent/contract/legal    

Method of deletion: Permanently delete from mobile phone

Customer details:

        

1. Name, email address, phone number, postal address    

Retention period: Permanently delete after 8 years    

Where is it stored: Payhip & Stripe

Reason: Consent/contract/legal

Method of deletion: Permanently delete from Payhip & Stripe

2. Redacted card details    

Retention period: Permanently delete after 8 years    

Where is it stored: Payhip & Stripe

Reason: Consent/contract/legal

Method of deletion: Permanently delete from Payhip and Stripe

Commercial contracts:                

1. Contracts with suppliers    

Retention period: Permanently delete 8 years after last action    

Where is it stored: Google Drive and associated emails in Gmail or Proton for Business    

Reason: Contract/legal    

Method of deletion: Permanently delete from Google Drive and all associated emails in Gmail or Proton for Business

2. Supplier invoices    

Retention period: Permanently delete 8 years after last action    

Where is it stored: Zanda and associated emails in Gmail or Proton for Business    

Reason: Contract/legal    

Method of deletion: Permanently delete from Zanda and all associated emails in Gmail or Proton for Business

Online resource and webinar purchases

Name, email address, phone number, postal address

  • Retention period: Permanently delete after 8 years

  • Where is it stored: Payhip & Stripe

  • Reason: Consent/contract/legal

  • Method of deletion: Permanently delete from Payhip & Stripe

Redacted card details

  • Retention period: Permanently delete after 8 years

  • Where is it stored: Payhip & Stripe

  • Reason: Consent/contract/legal

  • Method of deletion: Permanently delete from Payhip & Stripe

Stripe payment token (PaymentMethod ID)

  • Retention period: Permanently delete 8 years after last action    

  • Deleted immediately when consent is withdrawn or no further billing is expected

  • Where is it stored: Stripe

  • Reason: Legitimate interest/contract

  • Method of deletion: Permanently delete from Stripe

Data processors

1. Gmail

This data processor does the following activities for us: We use Gmail for email.

2. Google Drive

This data processor does the following activities for us: We use Google Drive to store documents.

3. Proton for Business

This data processor does the following activities for us: We use Proton Mail Business for email.

4. Heidi Health

This data processor does the following activities for us: We use Heidi Health to transcribe and summarise client sessions.

5. Zanda

This data processor does the following activities for us: We use Zanda as practice management software. This includes video calls. Zanda also provides the technical integration between our site and Stripe, for which it handles the payment token (passed through Zanda) and a minimal client identifier for routing.

6. Payhip

This data processor does the following activities for us: We use Payhip to sell electronic documents.

8. Substack

This data processor does the following activities for us: We use Substack as a newsletter to manage our waiting list.

9. Canva

This data processor does the following activities for us: We use Canva to design documents for clients.

10. Access to Work

This data processor does the following activities for us: We use Access to Work to apply for funding, renew funding, and invoice from existing funding.

11. WhatsApp

This data processor does the following activities for us: We use WhatsApp to message clients.

12. Kami

This data processor does the following activities for us: We use Kami to create education tools for our clients.

13. O2

This data processor does the following activities for us: We use O2 as the network provider for our mobile phone for texting clients.

14. Instagram

This data processor does the following activities for us: We use Instagram to contact clients.

15. Facebook

This data processor does the following activities for us: We use Facebook to contact clients.

16. TikTok

This data processor does the following activities for us: We use TikTok to contact clients.

17. Grammarly

This data processor does the following activities for us: We use Grammarly to review reports and documents for clients. We either upload documents to Grammarly or use the Chrome extension. The Chrome extension doesn’t save any details about the text.

18. Amazon

This data processor does the following activities for us: We are part of the Amazon Affiliate marketing scheme. If website users click an Amazon link on our site, Amazon may add a cookie to their browser.

19. Tea Powered Projects

This data processor does the following activities for us: We use Tea Powered for our website.

20. Stripe Ltd. (Ireland): Payment token / PaymentMethod ID; billing name & address (only for verification).

This data processor does the following activities for us: We use Stripe to process payments, store card data securely, enable future charges, and allow customers to purchase from our website.

21. HM Revenue & Customs (HMRC): Financial records (invoices, receipts) when required for tax compliance.

Others we share personal information with

•    Other health providers (e.g., GPs and consultants)

•    Organisations we need to share information with for safeguarding reasons (e.g., social care, police)

•    Anyone who is legally necessary (e.g., government, council, legal aid)

•    Emergency services

•    Other relevant third parties:

o    Access to Work: We may share information with Access to Work to apply for funding, renew funding, and invoice from existing funding.

o    Alex’s P.A. Helen Brown: We may share information with Helen. Helen is registered with the ICO. She uses Microsoft Business, with servers based in the EU, to work with us and permanently deletes any client data she uses immediately.

We are subject to a common law duty of confidentiality. However, there are circumstances where we will share relevant health and care information. These are where:

•    you’ve provided us with your consent (we have taken it as implied to provide you with care, or you have given it explicitly for other uses);

•    we have a legal requirement (including court orders) to collect, share or use the data;

•    on a case-by-case basis, the public interest to collect, share and use the data overrides the public interest served by protecting the duty of confidentiality (for example sharing information with the police to support the detection or prevention of serious crime);

•    If in England or Wales – the requirements of The Health Service (Control of Patient Information) Regulations 2002 are satisfied; or

•    If in Scotland – we have the authority to share provided by the Chief Medical Officer for Scotland, the Chief Executive of NHS Scotland, the Public Benefit and Privacy Panel for Health and Social Care or other similar governance and scrutiny process.

Sharing information outside the UK

Where necessary, our data processors may share personal information outside of the UK. When doing so, they comply with the UK GDPR, making sure appropriate safeguards are in place.

For further information or to obtain a copy of the appropriate safeguard for any of the transfers below, please contact us using the contact information provided above.

1. Organisation name: Gmail

Category of recipient: Email provider

Country the personal information is sent to: Multiple

How the transfer complies with UK data protection law: The country or sector has a UK data bridge (also known as Adequacy Regulations)

2. Organisation name: Google Drive

Category of recipient: Storage provider

Country the personal information is sent to: Multiple

How the transfer complies with UK data protection law: The country or sector has a UK data bridge (also known as Adequacy Regulations)

3. Organisation name: Proton for Business

Category of recipient: Email provider

Country the personal information is sent to: Switzerland

How the transfer complies with UK data protection law: Transfers to the EEA are allowed.

Please note, Proton shares data internationally for customer support and payment:

Country the personal information is sent to: Macedonia, Taiwan, United States, Singapore, European Union

How the transfer complies with UK data protection law: 

a.    Addendum to the EU Standard Contractual Clauses (SCCs)

b.    The country or sector has a UK data bridge (also known as Adequacy Regulations)

c.    Other:

i. Binding Corporate Rules

ii. Certifications

iii. Data Processing Agreement

4. Organisation name: Heidi Health

Category of recipient: AI transcription

Country the personal information is sent to: N/A – servers are located in the UK.

How the transfer complies with UK data protection law: N/A

5. Organisation name: Zanda

Category of recipient: Practice management software including video calls via Zoom

Country the personal information is sent to: Multiple

How the transfer complies with UK data protection law: 

Other: 

Transfers outside of the EEA – When we transfer your personal information outside the EEA, we do so following the terms of this Privacy Notice and the requirements of the GDPR and other applicable data protection laws.

Please note: Zanda video calls are integrated with Zoom. The calls stay on the users' browsers and don't pass through Zanda's servers. They pass through minimal third-party servers and are encrypted so no one can access the call. For more details see: https://support.zandahealth.com/telehealth-security-privacy-and-compliance

6. Organisation name: Zanda

Category of recipient: AI transcription

Country the personal information is sent to: Multiple

How the transfer complies with UK data protection law: 

Other: 

a.    Transfers outside of the EEA – When we transfer your personal information outside the EEA, we do so following the terms of this Privacy Notice and the requirements of the GDPR and other applicable data protection laws.

b.    We stream the audio to our transcription service, who returns the transcription text to us for processing in real time. There is no storage of the audio for the recorded session, and we only store the text based transcription output which is double encrypted in our database.

7. Organisation name: Payhip

Category of recipient: Sales platform

Country the personal information is sent to: Multiple

How the transfer complies with UK data protection law: 

Other:

Countries outside the EEA do not have the same data protection laws as the United Kingdom and EEA and we have therefore ensured that any of our suppliers who may transfer your personal data outside the EEA has put in place appropriate measures to protect your data, either by being a member of the US-EU Privacy Shield, or by entering into a European Commission approved contract (as permitted under Article 46(5) of the General Data Protection Regulation).

8. Organisation name: Substack

Category of recipient: Newsletter platform

Country the personal information is sent to: Multiple

How the transfer complies with UK data protection law: 

Other:

a. EU-U.S. Data Privacy Framework (EU-U.S. DPF)

b. UK Extension to the EU-U.S. DPF 

c. Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF)

9. Organisation name: Canva

Category of recipient: Content design platform

Country the personal information is sent to: United States, Australia, Singapore, European Union, United Kingdom, Philippines and New Zealand and any other country in which Canva or its subsidiaries, affiliates or service providers maintain facilities or employ staff or contractors.

How the transfer complies with UK data protection law: 

Other:

a.    EU Model Clauses

b.    UK International Data Transfer Addendum

c.    EU-U.S. Data Privacy Framework (EU-U.S. DPF)

d.    UK Extension to the EU-U.S. DPF 

e.    Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF)

10. Organisation name: Access to Work

Category of recipient: Funding provider

Country the personal information is sent to: N/A; servers are in the UK.

How the transfer complies with UK data protection law: N/A.

11. Organisation name: WhatsApp

Category of recipient: Messaging platform

Country the personal information is sent to: Multiple

How the transfer complies with UK data protection law:

a.    The country or sector has a UK data bridge (also known as Adequacy Regulations)

b.    Addendum to the EU Standard Contractual Clauses (SCCs)

12. Organisation name: Kami

Category of recipient: Educational materials platform 

Country the personal information is sent to: Multiple

How the transfer complies with UK data protection law: Addendum to the EU Standard Contractual Clauses (SCCs)

13. Organisation name: O2

Category of recipient: Mobile phone network provider 

Country the personal information is sent to: Multiple

How the transfer complies with UK data protection law:

a.    The country or sector has a UK data bridge (also known as Adequacy Regulations)

b.    Addendum to the EU Standard Contractual Clauses (SCCs)

14. Organisation name: Instagram

Category of recipient: Social media company

Country the personal information is sent to: Multiple

How the transfer complies with UK data protection law:

a.    The country or sector has a UK data bridge (also known as Adequacy Regulations)

b.    Addendum to the EU Standard Contractual Clauses (SCCs)

15. Organisation name: Facebook

Category of recipient: Social media company

Country the personal information is sent to: We transfer the information we collect from the UK from Meta Platforms, Inc., to countries such as member states of the European Economic Area, Argentina, Israel, Japan, New Zealand, Switzerland and where the decision is applicable, Canada, based on the adequacy decisions.

How the transfer complies with UK data protection law:

a.    The country or sector has a UK data bridge (also known as Adequacy Regulations)

b.    Other:  In other circumstances, we use the UK standard contractual transfer mechanisms approved by the UK Parliament (the International Data Transfer Agreement and the International Data Transfer Addendum) or rely on derogations provided for under applicable law to transfer information to a third country

16. Organisation name: TikTok

Category of recipient: Social media company

Country the personal information is sent to: Multiple

How the transfer complies with UK data protection law: 

a.    The country or sector has a UK data bridge (also known as Adequacy Regulations)

b.    Addendum to the EU Standard Contractual Clauses (SCCs)

c.    Other: Article 49 GDPR

17. Organisation name: Grammarly

Category of recipient: Word processing tool

Country the personal information is sent to: United States, EEA, and worldwide

How the transfer complies with UK data protection law: 

a.    Addendum to the EU Standard Contractual Clauses (SCCs)

b.    Other: Performing data protection assessments of data transfer arrangements as appropriate.

c.    Other: We comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce.

18. Organisation name: Amazon

Category of recipient: Affiliate marketing

Country the personal information is sent to: Various, but only if a user decides to click on an Amazon link on our site; we do not share data with Amazon.

How the transfer complies with UK data protection law:

a.    The country or sector has a UK data bridge (also known as Adequacy Regulations)

b.    Other: Contracts with standard safeguards published by the European Commission

c.    Other: Similar measures under UK laws for such transfers

19. Organisation name: Tea Powered Projects

Category of recipient: Website hosting and management provider

Country the personal information is sent to: UK

How the transfer complies with UK data protection law: N/A.

20. Organisation name: Stripe 

Category of recipient: Payment processor (stores and processes card‑holder data on behalf of the therapist).

Country the personal information is sent to: Ireland (European Union) – primary data‑centre for Stripe’s core payment platform.

United States – selected sub‑processors used for ancillary services (e.g., fraud‑detection, reporting).

How the transfer complies with UK data protection law:  

All transfers to Stripe are governed by Standard Contractual Clauses (SCCs) that Stripe has entered into with us, providing the contractual safeguards required under the UK GDPR.

For transfers to Stripe’s U.S. sub‑processors, Stripe additionally relies on the EU‑U.S. Data‑Privacy Framework (the successor to the former “Privacy Shield”) to ensure an adequate level of protection for personal data.

Stripe’s own privacy‑policy confirms that it implements these mechanisms and that it will only process the data in accordance with our instructions and the applicable data‑protection standards.

How to complain


If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice.

If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO.

The ICO’s address:           

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Helpline number: 0303 123 1113

Website: https://www.ico.org.uk/make-a-complaint

Last updated

26 March 2025

Terms of Use for Online Products

Last updated: 29 April 2026

Please read these Terms of Use carefully before purchasing or accessing a webinar. By completing your purchase, you confirm that you have read, understood, and agreed to these terms in full. If you do not agree, please do not proceed with your purchase.

1. Who We Are

This webinar is provided by Alexandra Lawrence, trading as Navigate Neurodiversity OT ("we", "us", "our"). If you have any questions about these terms, please contact us at Alex@NavigateNeurodiversityOT.com

2. Who This Webinar Is For

This webinar is intended for adults aged 18 and over who are seeking general educational and informational content for their own personal use.

This webinar is not suitable for, and must not be purchased or used by, healthcare professionals, therapists, psychologists, counsellors, social workers, coaches, occupational therapists, or any other regulated, allied health, or helping professionals — whether for personal professional development, client work, training delivery, or any other professional purpose.

If you are a professional in any of the above fields, please do not purchase this product. By purchasing, you confirm that you are not doing so in a professional capacity.

This webinar is intended for your own personal use only. It is not suitable for purchase by someone acting on behalf of another person, including as a parent, carer, or personal assistant, without our prior written agreement. If you are unsure whether this applies to you, please contact us before purchasing.

3. Geographic Restrictions

Due to insurance requirements, this webinar is not available to residents of the United States or Canada. By purchasing, you confirm that you are not based in either of these countries. We reserve the right to withdraw access and issue a refund if we have reason to believe this restriction has been breached.

4. Educational Purposes Only

The content of this webinar is provided for general educational and informational purposes only. It does not constitute, and must not be used as a substitute for, medical, psychological, psychiatric, or clinical advice, assessment, diagnosis, or treatment.

Nothing in this webinar creates a therapeutic, clinical, or professional relationship between you and us. If you have any concerns about your physical or mental health or wellbeing, please seek guidance from a suitably qualified healthcare professional.

5. Access and Licence

Upon purchasing this webinar, we grant you a limited, personal, non-transferable, non-exclusive licence to access and view the content for your own private use only. This licence does not permit you to:

  • Share, distribute, or transfer access to any other person

  • Record, screenshot, or capture any part of the content in any format

  • Reproduce, copy, or republish any part of the content

  • Use the content for training, teaching, group facilitation, or professional development purposes

  • Use the content for any commercial purpose

All intellectual property rights in the webinar and its content remain with Alexandra Lawrence.

6. Refunds and Access

When you complete your purchase, you will be deemed to have consented to immediate access to this digital product and to understand that this means you waive your 14-day right to cancel under the Consumer Contracts Regulations 2013. Once access has been granted, we are unable to offer a refund except where required by applicable consumer law.

If you experience a technical issue preventing you from accessing the content, please contact us at Alex@NavigateNeurodiversityOT.com and we will do our best to help.

If you have not yet accessed the content, you may request a cancellation within 14 days of purchase by contacting us at the email above.

7. Limitation of Liability

To the fullest extent permitted by law, we exclude all liability for any loss or damage arising from your use of, or reliance on, the content of this webinar. This includes, without limitation, any decisions you make based on information contained in the webinar.

Nothing in these terms limits our liability for death or personal injury caused by our negligence, fraud, or any other matter that cannot be excluded by law.

8. Privacy

By purchasing this webinar, you agree to our Privacy Notice, which sets out how we collect, use, and store your personal data. Please read it before completing your purchase. A copy is available above.

9. Changes to These Terms

We may update these Terms of Use from time to time. The version in place at the time of your purchase will apply to that transaction. We will update the "last updated" date at the top of this page when changes are made.

10. Governing Law

These Terms of Use are governed by the laws of England and Wales. Any disputes arising from these terms or your use of this webinar will be subject to the exclusive jurisdiction of the courts of England and Wales.

Contact Alex

Address: Derby, England
