
Warm & welcoming personalised support with an OT who "just gets it"
Navigate Neurodiversity Occupational Therapy privacy notice
This privacy notice tells you what to expect us to do with your personal information.
• Contact details
• What information we collect, use, and why
• Lawful bases and data protection rights
• Where we get personal information from
• How long we keep information
• Who we share information with
• Sharing information outside the UK
• How to complain
Contact details
1. Post: 23 Windsor Drive, Wingerworth, CHESTERFIELD, Derbyshire, S42 6TG, GB
2. Telephone: 07572 261731
3. Email: alex@navigateneurodiversityot.com
What information we collect, use, and why
We collect or use the following information to provide patient care, services, products and other goods:
• Name, address and contact details
• Gender
• Pronoun preferences
• Date of birth
• Next of Kin details including any support networks
• Emergency contact details
• Health information (including medical conditions, allergies, medical requirements and medical history)
• Information about care needs (including disabilities, home conditions, medication and dietary requirements and general care provisions)
• Test results (including psychological evaluations, scans, bloods, x-rays, tissue tests and genetic tests)
• Payment details (including card or bank information for transfers and direct debits)
• Records of meetings and decisions
• Call recordings
• Information about income and financial needs for funding or personal budget support
• Your relationships with others
• Employment information
• Sexual orientation
• Social media handles
We also collect the following information to provide patient care, services, products and other goods:
• Health information
We collect or use the following personal information to comply with legal requirements:
• Name
• Contact information
• Safeguarding information
We also collect the following information to comply with legal requirements:
• Health information
We collect or use the following personal information for information updates, marketing or market research purposes:
• Names and contact details
We collect or use the following personal information for dealing with queries, complaints or claims:
• Names and contact details
We also collect the following information for dealing with queries, complaints or claims:
• Health information
Lawful bases and data protection rights
Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.
Which lawful basis we rely on may affect your data protection rights which are in brief set out below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:
• Your right of access - You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which means you may not receive all the information you ask for.
• Your right to rectification - You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete.
• Your right to erasure - You have the right to ask us to delete your personal information.
• Your right to restriction of processing - You have the right to ask us to limit how we can use your personal information.
• Your right to object to processing - You have the right to object to the processing of your personal data. You can read more about this right here.
• Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you.
• Your right to withdraw consent – When we use consent as our lawful basis you have the right to withdraw your consent at any time.
You can read more about your rights here:
https://ico.org.uk/for-organisations/advice-for-small-organisations/create-your-own-privacy-notice/your-data-protection-rights/
If you make a request, we must respond to you without undue delay and in any event within one month.
To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.
Our lawful bases for the collection and use of your data
Our lawful bases for collecting or using personal information to provide patient care, services, products and other goods are:
• Consent - we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
• Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
• Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability. We have a legal obligation to keep your data for 8 years to meet insurance requirements (see the section on data retention for details).
• Legitimate interest – we’re collecting or using the information because it benefits the person, our organisation or someone else, without causing an undue risk of harm to anyone.
When medical professionals contact us via email we use legitimate interest to retain their email.
Our lawful bases for collecting or using personal information to comply with legal requirements are:
• Consent - we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
• Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
• Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.
Our lawful bases for collecting or using personal information for information updates, marketing or market research purposes are:
• Consent - we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
Our lawful bases for collecting or using personal information for dealing with queries are:
• Consent - we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
Where we get personal information from
• Directly from you
• A professional who refers you
• A family member who refers you
• Someone you’ve asked to contact us on your behalf such as a P.A.
How long we keep information
Client information:
1. Name, email address, phone number, postal address, date of birth, pronouns
Retention period: Archive client’s Zanda profile 6 months after last contact then permanently delete Zanda profile after 8 years
Where is it stored: Zanda
Reason: Consent/contract/legal
Method of deletion: Permanently delete from Zanda
2. Name and email address on SubStack
Retention period: Archive to client’s Zanda profile 6 months after last contact then delete original. Permanently delete Zanda profile after 8 years
Where is it stored: SubStack, Zanda
Reason: Consent/contract/legal
Method of deletion: Permanently delete from SubStack. After 8 years delete archived copy from Zanda
3. Name on Kami
Retention period: Archive document to client’s Zanda profile 6 months after last contact then delete original. Permanently delete Zanda profile after 8 years
Where is it stored: Kami, Zanda
Reason: Consent/contract/legal
Method of deletion: Permanently delete from Kami. After 8 years delete archived copy from Zanda
4. Name on Canva
Retention period: Archive document to client’s Zanda profile 6 months after last contact then delete original. Permanently delete Zanda profile after 8 years
Where is it stored: Canva, Zanda
Reason: Consent/contract/legal
Method of deletion: Permanently delete from Canva. After 8 years delete archived copy from Zanda
5. Employment information including role and employer
Retention period: Archive to client’s Zanda profile 6 months after last contact then permanently delete Zanda profile after 8 years
Where is it stored: Zanda
Reason: Consent/contract/legal
Method of deletion: Permanently delete from Zanda
6. Information about your relationships
Retention period: Archive to client’s Zanda profile 6 months after last contact then permanently delete Zanda profile after 8 years
Where is it stored: Zanda
Reason: Consent/contract/legal
Method of deletion: Permanently delete from Zanda
Access to Work information:
1. Client Access to Work URN
Retention period: Archive to client’s Zanda profile 6 months after last contact then delete original. Permanently delete Zanda profile after 8 years
Where is it stored: Google Drive and associated emails in Gmail or Proton for Business
Reason: Consent/contract/legal
Method of deletion: Permanently delete from Google Drive, Gmail, Proton for Business. After 8 years delete archived copy from Zanda
2. Client Access to Work documents
Retention period: Archive to client’s Zanda profiles 6 months after last contact then delete original. Permanently delete Zanda profile after 8 years
Where is it stored: Google Drive and associated emails in Gmail or Proton for Business
Reason: Consent/contract/legal
Method of deletion: Permanently delete from Google Drive, Gmail, Proton for Business. After 8 years delete archived copy from Zanda
3. Client’s employer details for ATW confirmation including name, role, and email address
Retention period: Archive to client’s Zanda profiles 6 months after last contact then delete original. Permanently delete Zanda profile after 8 years
Where is it stored: Google Drive and associated emails in Gmail or Proton for Business
Reason: Consent/contract/legal
Method of deletion: Permanently delete from Google Drive, Gmail, Proton for Business. After 8 years delete archived copy from Zanda
Social media
1. Clients: Facebook, Instagram, TikTok handle shared via email
Retention period: If a client shares their social media handle in an email the email will be archived to the client’s Zanda profile within 5 months of the end of the email chain and the original will be deleted from Gmail / Proton for Business. Permanently delete Zanda profile after 8 years
Retention period: Archive to client’s Zanda profiles 6 months after last contact then delete original. Permanently delete Zanda profile after 8 years
Where is it stored: Gmail, Proton for Business, Zanda
Reason: Consent/contract/legal
Method of deletion: Permanently delete from Gmail, Proton for Business. After 8 years delete archived copy from Zanda
2. Clients: Facebook, Instagram, TikTok handle shared during a session
Retention period: If a client shares their social media handle during a session the notes from the will be archived in the client’s Zanda profile 6 months after last contact. Permanently delete Zanda profile after 8 years
Where is it stored: Zanda
Reason: Consent/contract/legal
Method of deletion: Permanently delete from Zanda
3. Prospective clients: Facebook, Instagram, TikTok handle shared via email
Retention period: Delete 5 months after final contact
Where is it stored: Gmail, Proton for Business
Reason: Consent/contract/legal
Method of deletion: Permanently delete from Gmail, Proton for Business
4. Clients: Messages sent on Facebook, Instagram, TikTok
Retention period: Archive to Zanda profile 6 months after final contact and delete original. Permanently delete Zanda profile after 8 years
Where is it stored: Facebook, Instagram, TikTok, Zanda
Reason: Consent/contract/legal
Method of deletion: Permanently delete from Facebook, Instagram, TikTok. After 8 years delete archived copy from Zanda
5. Prospective clients: Messages sent on Facebook, Instagram, TikTok
Retention period: Permanently delete 6 months after last contact
Where is it stored: Facebook, Instagram, TikTok
Reason: Consent/contract/legal
Method of deletion: Permanently delete from Facebook, Instagram, TikTok
Special category data:
1. Sexual orientation
Retention period: Archive client’s Zanda profile 6 months after last contact then permanently delete Zanda profile after 8 years
Where is it stored: Zanda
Reason: Consent/contract/legal
Method of deletion: Permanently delete from Zanda
2. Medical conditions, treatment, and investigations
Retention period: Archive client’s Zanda profile 6 months after last contact then permanently delete Zanda profile after 8 years
Where is it stored: Zanda
Reason: Consent/contract/legal
Method of deletion: Permanently delete from Zanda
3. Reports written by Alex Lawrence
Retention period: Archive client’s Zanda profile 6 months after last contact then permanently delete Zanda profile after 8 years
Where is it stored: Zanda
Reason: Consent/contract/legal
Method of deletion: Permanently delete from Zanda
4. Session notes, including AI transcribed notes
Retention period: Archive client’s Zanda profile 6 months after last contact then permanently delete Zanda profile after 8 years
Where is it stored: Zanda
Reason: Consent/contract/legal
Method of deletion: Permanently delete from Zanda
5. Documents uploaded to Grammarly for review
Retention period: When the document’s completed move to Trash. Trash is then automatically deleted after 30 days.
Where is it stored: Grammarly
Reason: Consent/contract/legal
Method of deletion: Permanently delete from Grammarly
6. Documents created in Grammarly
Retention period: When the document’s completed move to Trash. Trash is then automatically deleted after 30 days.
Where is it stored: Grammarly
Reason: Consent/contract/legal
Method of deletion: Permanently delete from Grammarly
7. Dictaphone recordings of sessions
Retention period: On the same day as the session upload the file to Heidi Health and delete permanently from the Dictaphone
Where is it stored: Dictaphone
Reason: Consent/contract/legal
Method of deletion: Permanently delete from the Dictaphone
8. Heidi Health recordings of sessions
Retention period: Add summary to session notes in client’s Zanda profile then permanently delete the recording. This will happen within 48 hours of the session Where is it stored: Heidi Health
Reason: Consent/contract/legal
Method of deletion: Permanently delete from Heidi Health
9. Voice notes from messaging sessions
Retention period: Transcribe as part of the client's session notes in their Zanda profile then permanently delete the recording. This will happen within 48 hours of the session
Where is it stored: Mobile phone
Reason: Consent/contract/legal
Method of deletion: Permanently delete from mobile phone
Client documents:
1. Documents created for clients
Retention period: Archive to client's Zanda profile 6 months after last contact then permanently delete Zanda profile after 8 years
Where is it stored: Zanda, Kami, Canva
Reason: Consent/contract/legal
Method of deletion: Permanently delete from Kami, and Canva. After 8 years delete archived copy from Zanda
2. Client documents uploaded to Grammarly for review
Retention period: When the document’s completed move to Trash. Trash is then automatically deleted after 30 days
Where is it stored: Grammarly
Reason: Consent/contract/legal
Method of deletion: Permanently delete from Grammarly
3. Client documents created in Grammarly
Retention period: When the document’s completed move to Trash. Trash is then automatically deleted after 30 days
Where is it stored: Grammarly
Reason: Consent/contract/legal
Method of deletion: Permanently delete from Grammarly
Invoices:
1. Client invoices
Retention period: Invoices are done through Zanda. Emails about invoices will be archived to a client’s Zanda profile 5 months after the end of the email trail and the original will be deleted. The client’s Zanda profile will be archived 6 months after last contact then permanently deleted after 8 years.
Where is it stored: Gmail, Proton for Business, Zanda
Reason: Consent/contract/legal
Method of deletion: Delete original from Gmail, Proton for Business. After 8 years permanently delete the client's Zanda profile.
2. Client employer invoices
Retention period: Invoices are done through Zanda. Emails about invoices will be archived to a client’s Zanda profile 5 months after the end of the email trail and the original will be deleted. The client’s Zanda profile will be archived 6 months after last contact then permanently deleted after 8 years.
Where is it stored: Gmail, Proton for Business, Zanda
Reason: Consent/contract/legal
Method of deletion: Archived then delete original from Gmail, Proton for Business. After 8 years permanently delete from Zanda.
Email records:
1. Email correspondence with clients
Retention period: Archive to client’s Zanda profile within 5 months of end of email chain then delete original from Gmail and Proton for Business. Permanently delete client’s Zanda profile after 8 years, As part of the archiving process Alex’s P.A. saves a copy locally on their computer which they permanently delete after the email’s archived .
Where is it stored: Gmail, Proton for Business, and Zanda
Reason: Consent/contract/ legal
Method of deletion: Permanently delete original from Gmail or Proton for Business. Permanently delete copy on P.A.s computer. After 8 years delete archived copy from Zanda
2. Email correspondence about clients with a third party e.g., family member, partner, referring practitioner, P.A., employer
Retention period: Archive to client’s Zanda profile within 5 months of end of email chain then delete original from Gmail and Proton for Business. Permanently delete client’s Zanda profile after 8 years. As part of the archiving process Alex’s P.A. saves a copy locally on their computer which they permanently delete after the email’s archived
Where is it stored: Gmail, Proton for Business, and Zanda
Reason: Consent/contract/legal
Method of deletion: Permanently delete original from Gmail or Proton for Business. Permanently delete copy on P.A.s computer. After 8 years delete archived copy from Zanda
3. Email correspondence with prospective clients
Retention period: Delete 5 months after final contact
Where is it stored: Gmail, Proton for Business, and Zanda
Reason: Consent/contract/legal
Method of deletion: Permanently delete from Gmail or Proton for Business
4. Email correspondence with other professionals which isn’t about clients
Retention period: Keep in Gmail or Proton for Business account for up to 8 years after last contact then permanently delete
Where is it stored: Gmail and Proton for Business
Reason: Legitimate interest
Method of deletion: Permanently delete from Gmail or Proton for Business
Group bookings:
1. Attendance list
Retention period: Archive on Zanda 6 months after session, after 8 years permanently delete from Zanda
Where is it stored: Zanda
Reason: Consent/contract/legal
Method of deletion: Permanently delete from Zanda
Portal log in information:
1. Clients: Email address and password
Retention period: Delete from Zanda 6 months after final contact.
Where is it stored: Zanda
Reason: Consent/contract/legal
Method of deletion: Permanently delete from Zanda
2. Prospective clients: Email address and password
Retention period: Delete from Zanda 5 months after final contact.
Where is it stored: Zanda
Reason: Consent/contract/legal
Method of deletion: Permanently delete from Zanda
Electronic messages:
1. WhatsApp
Retention period: Delete within 6 months of last contact
Where is it stored: WhatsApp
Reason: Consent/contract/legal
Method of deletion: Permanently delete from WhatsApp
2. Mobile SMS
Retention period: Delete 6 months after last contact
Where is it stored: Mobile phone
Reason: Consent/contract/legal
Method of deletion: Permanently delete from mobile phone
Customer details:
1. Name, email address, phone number, postal address
Retention period: Permanently delete after 8 years
Where is it stored: PayHip
Reason: Consent/contract/legal
Method of deletion: Permanently delete from PayHip
2. Redacted card details
Retention period: Permanently delete after 8 years
Where is it stored: PayHip
Reason: Consent/contract/legal
Method of deletion: Permanently delete from PayHip
Commercial contracts:
1. Contracts with suppliers
Retention period: Permanently delete 8 years after last action
Where is it stored: Google Drive and associated emails in Gmail or Proton for Business
Reason: Contract/legal
Method of deletion: Permanently delete from Google Drive and all associated emails in Gmail or Proton for Business
2. Supplier invoices
Retention period: Permanently delete 8 years after last action
Where is it stored: Zanda and associated emails in Gmail or Proton for Business
Reason: Contract/legal
Method of deletion: Permanently delete from Zanda and all associated emails in Gmail or Proton for Business
Who we share information with
Data processors
1. Gmail
This data processor does the following activities for us: We use Gmail for email.
2. Google Drive
This data processor does the following activities for us: We use Google Drive to store documents.
3. Proton for Business
This data processor does the following activities for us: We use Proton Mail Business for email.
4. Heidi Health
This data processor does the following activities for us: We use Heidi Health to transcribe and summarise client sessions using AI.
5. Zanda
This data processor does the following activities for us: We use Zanda as practice management software. This includes video calls and transcribing and summarising client sessions using AI.
6. Payhip
This data processor does the following activities for us: We use Payhip to sell electronic documents.
7. Wix
This data processor does the following activities for us: We use Wix for our website.
8. Substack
This data processor does the following activities for us: We use Substack as a newsletter to manage our waiting list.
9. Canva
This data processor does the following activities for us: We use Canva to design documents for clients.
10. Access to Work
This data processor does the following activities for us: We use Access to Work to apply for funding, renew funding, and invoice from existing funding.
11. WhatsApp
This data processor does the following activities for us: We use WhatsApp to message clients.
12. Kami
This data processor does the following activities for us: We use Kami to create education tools for our clients
13. O2
This data processor does the following activities for us: We use O2 as the network provider for our mobile phone for texting clients.
14. Instagram
This data processor does the following activities for us: We use Instagram to contact clients.
15. Facebook
This data processor does the following activities for us: We use Facebook to contact clients.
16. TikTok
This data processor does the following activities for us: We use TikTok to contact clients.
17. Grammarly
This data processor does the following activities for us: We use Grammarly to review reports and documents for clients. We either upload documents to Grammarly or use the Chrome extension. The Chrome extension doesn’t save any details about the text.
18. Amazon
This data processor does the following activities for us: We are part of the Amazon Affiliate marketing scheme, if website users click an Amazon link on our site Amazon may add a cookie to their browser.
Others we share personal information with
• Other health providers (e.g., GPs and consultants)
• Organisations we need to share information with for safeguarding reasons (e.g., social care, police)
• Anyone who is legally necessary (e.g., government, council, legal aid)
• Emergency services
• Other relevant third parties:
o Access to Work: We may share information with Access to Work to apply for funding, renew funding, and invoice from existing funding.
o Alex’s P.A. Helen Brown: We may share information with Helen. Helen is registered with ICO, she uses Microsoft Business to work with us with servers based in the EU and permanently deletes any client data she uses immediately.
Duty of confidentiality
We are subject to a common law duty of confidentiality. However, there are circumstances where we will share relevant health and care information. These are where:
• you’ve provided us with your consent (we have taken it as implied to provide you with care, or you have given it explicitly for other uses);
• we have a legal requirement (including court orders) to collect, share or use the data;
• on a case-by-case basis, the public interest to collect, share and use the data overrides the public interest served by protecting the duty of confidentiality (for example sharing information with the police to support the detection or prevention of serious crime);
• If in England or Wales – the requirements of The Health Service (Control of Patient Information) Regulations 2002 are satisfied; or
• If in Scotland – we have the authority to share provided by the Chief Medical Officer for Scotland, the Chief Executive of NHS Scotland, the Public Benefit and Privacy Panel for Health and Social Care or other similar governance and scrutiny process.
Sharing information outside the UK
Where necessary, our data processors may share personal information outside of the UK. When doing so, they comply with the UK GDPR, making sure appropriate safeguards are in place.
For further information or to obtain a copy of the appropriate safeguard for any of the transfers below, please contact us using the contact information provided above.
1. Organisation name: Gmail
Category of recipient: Email provider
Country the personal information is sent to: Multiple
How the transfer complies with UK data protection law: The country or sector has a UK data bridge (also known as Adequacy Regulations)
2. Organisation name: Google Drive
Category of recipient: Storage provider
Country the personal information is sent to: Multiple
How the transfer complies with UK data protection law: The country or sector has a UK data bridge (also known as Adequacy Regulations)
3. Organisation name: Proton for Business
Category of recipient: Email provider
Country the personal information is sent to: Switzerland
How the transfer complies with UK data protection law: Transfers to the EEA are allowed.
Please note, Proton shares data internationally for customer support and payment:
Country the personal information is sent to: Macedonia, Taiwan, United States, Singapore, European Union
How the transfer complies with UK data protection law:
a. Addendum to the EU Standard Contractual Clauses (SCCs)
b. The country or sector has a UK data bridge (also known as Adequacy Regulations)
c. Other:
i. Binding Corporate Rules
ii. Certifications
iii. Data Processing Agreement
4. Organisation name: Heidi Health
Category of recipient: AI transcription
Country the personal information is sent to: N/A servers are located in the UK.
How the transfer complies with UK data protection law: N/A
5. Organisation name: Zanda
Category of recipient: Practice management software including video calls
Country the personal information is sent to: Multiple
How the transfer complies with UK data protection law:
Other:
Transfers outside of the EEA – When we transfer your personal information outside the EEA, we do so following the terms of this Privacy Notice and the requirements of the GDPR and other applicable data protection laws.
Please note: Zanda video calls are integrated with Zoom. The calls stay on the users' browsers and don't pass through Zanda's servers. They pass through minimal third-party servers and are encrypted so no one can access the call. For more details see: https://support.zandahealth.com/telehealth-security-privacy-and-compliance
6. Organisation name: Zanda
Category of recipient: AI transcription
Country the personal information is sent to: Multiple
How the transfer complies with UK data protection law:
Other:
a. Transfers outside of the EEA – When we transfer your personal information outside the EEA, we do so following the terms of this Privacy Notice and the requirements of the GDPR and other applicable data protection laws.
b. We stream the audio to our transcription service, who returns the transcription text to us for processing in real time. There is no storage of the audio for the recorded session, and we only store the text based transcription output which is double encrypted in our database.
7. Organisation name: Payhip
Category of recipient: Sales platform
Country the personal information is sent to: Multiple
How the transfer complies with UK data protection law:
Other:
Countries outside the EEA do not have the same data protection laws as the United Kingdom and EEA and we have therefore ensured that any of our suppliers who may transfer your personal data outside the EEA has put in place appropriate measures to protect your data, either by being a member of the US-EU Privacy Shield, or by entering into a European Commission approved contract (as permitted under Article 46(5) of the General Data Protection Regulation).
8. Organisation name: Wix
Category of recipient: Website builder
Country the personal information is sent to: Multiple
How the transfer complies with UK data protection law: Addendum to the EU Standard Contractual Clauses (SCCs)
9. Organisation name: Substack
Category of recipient: Newsletter platform
Country the personal information is sent to: Multiple
How the transfer complies with UK data protection law:
Other:
a. EU-U.S. Data Privacy Framework (EU-U.S. DPF)
b. UK Extension to the EU-U.S. DPF
c. Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF)
10. Organisation name: Canva
Category of recipient: Content design platform
Country the personal information is sent to: United States, Australia, Singapore, European Union, United Kingdom, Philippines and New Zealand and any other country in which Canva or its subsidiaries, affiliates or service providers maintain facilities or employ staff or contractors.
How the transfer complies with UK data protection law:
Other:
a. EU Model Clauses
b. UK International Data Transfer Addendum
c. EU-U.S. Data Privacy Framework (EU-U.S. DPF)
d. UK Extension to the EU-U.S. DPF
e. Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF)
11. Organisation name: Access to Work
Category of recipient: Funding provider
Country the personal information is sent to: N/A servers in the UK.
How the transfer complies with UK data protection law: N/A.
12. Organisation name: WhatsApp
Category of recipient: Messaging platform
Country the personal information is sent to: Multiple
How the transfer complies with UK data protection law:
a. The country or sector has a UK data bridge (also known as Adequacy Regulations)
b. Addendum to the EU Standard Contractual Clauses (SCCs)
13. Organisation name: Kami
Category of recipient: Educational materials platform
Country the personal information is sent to: Multiple
How the transfer complies with UK data protection law: Addendum to the EU Standard Contractual Clauses (SCCs)
14. Organisation name: O2
Category of recipient: Mobile phone network provider
Country the personal information is sent to: Multiple
How the transfer complies with UK data protection law:
a. The country or sector has a UK data bridge (also known as Adequacy Regulations
b. Addendum to the EU Standard Contractual Clauses (SCCs)
15. Organisation name: Instagram
Category of recipient: Social media company
Country the personal information is sent to: Multiple
How the transfer complies with UK data protection law:
a. The country or sector has a UK data bridge (also known as Adequacy Regulations)
b. Addendum to the EU Standard Contractual Clauses (SCCs)
16. Organisation name: Facebook
Category of recipient: Social media company
Country the personal information is sent to: We transfer the information we collect from the UK from Meta Platforms, Inc., to countries such as member states of the European Economic Area, Argentina, Israel, Japan, New Zealand, Switzerland and where the decision is applicable, Canada, based on the adequacy decisions.
How the transfer complies with UK data protection law:
a. The country or sector has a UK data bridge (also known as Adequacy Regulations)
b. Other: In other circumstances, we use the UK standard contractual transfer mechanisms approved by the UK Parliament (the International Data Transfer Agreement and the International Data Transfer Addendum) or rely on derogations provided for under applicable law to transfer information to a third country
17. Organisation name: TikTok
Category of recipient: Social media company
Country the personal information is sent to: Multiple
How the transfer complies with UK data protection law:
a. The country or sector has a UK data bridge (also known as Adequacy Regulations)
b. Addendum to the EU Standard Contractual Clauses (SCCs)Other: Article 49 GDPR
18: Organisation name: Grammarly
Category of recipient: Word processing tool
Country the personal information is sent to: United States, EEA, and worldwide
How the transfer complies with UK data protection law:
a. Addendum to the EU Standard Contractual Clauses (SCCs)
b. Other: Performing data protection assessments of data transfer arrangements as appropriate.
c. Other: We comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce.
19: Organisation name: Amazon
Category of recipient: Affiliate marketing
Country the personal information is sent to: Various, but only if a user decides to an Amazon link on our site, we do not share data with Amazon.
How the transfer complies with UK data protection law:
a. The country or sector has a UK data bridge (also known as Adequacy Regulations)
b. Other: Contracts with standard safeguards published by the European Commission
c. Other: Similar measures under UK laws for such transfers
How to complain
If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice.
If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO.
The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
Website: https://www.ico.org.uk/make-a-complaint