1. Who we are
NeuroInclusive.UK Ltd is registered in England and Wales. Our registered address is in Hampshire, UK. Contact: admin@neuroinclusive.uk.
We are the data controller for the personal data we collect through this website and our services. We take data protection seriously – particularly because some of the data we handle relates to neurodivergent individuals and their environments.
2. What data we collect
We collect the following categories of personal data:
- Account information: name, email address, market type (school/business/parent), and password (securely hashed)
- Assessment data: your responses to self-audit questions, scores, domain breakdowns, and band results
- Purchase and payment information: processed securely via Stripe – we never see or store card details
- Organisation data: organisation name, type, address, and role (for school and business users)
- Evidence vault uploads: documents, photos, and files you upload for accreditation or SEND advocacy
- Module progress: which modules you've started, completed, and quiz scores
- Technical data: anonymised page views via Plausible Analytics (no cookies, no personal tracking)
- Consent records: when you gave or withdrew consent for each processing type
3. Special category data
Some of the data we process may constitute special category data under UK GDPR Article 9 – specifically information relating to health or disability. This applies when:
- Assessment responses reveal or imply neurodivergent conditions (e.g. a workplace environmental audit that identifies sensory processing challenges)
- Parent assessments describe a child's environment in ways that relate to their neurodivergent needs
- Evidence vault uploads contain professional reports, EHCP documents, or occupational health assessments
We process special category data only with your explicit consent, which we capture separately at signup and before each relevant processing activity.
4. Children's data
Our parent market involves data about the environments of neurodivergent children. We take additional precautions:
- We do not collect personal data directly from children – all parent assessments are completed by parents/carers about their home environment
- We ask for specific consent before processing child-related data
- When AI-generated reports reference children's environments, no child-identifying information is sent to the AI provider
- Evidence vault files flagged as involving children receive enhanced security and stricter retention
- Child-related data is excluded from any benchmarking or aggregation unless fully anonymised
We comply with the UK Age Appropriate Design Code (the "Children's Code") where applicable to our services.
5. How we use your data
We use your data to:
- Provide your assessment results, personalised reports, and recommendations
- Deliver purchased products (units, training, accreditation, support sessions)
- Generate AI-assisted reports using your assessment scores and domain data (with your consent – see Section 6)
- Process payments and manage your account
- Send email nurture sequences after assessments (with your consent)
- Produce anonymised benchmarks for peer comparison ("your school scored 52% – average for UK primaries is 41%")
- Map your organisation's compliance against regulatory frameworks
- Respond to support requests
6. AI-generated content
We use AI (currently Anthropic's Claude) to generate personalised assessment reports. When we do:
- We send your assessment scores, domain breakdowns, and market type to the AI provider – not your name, email, or other identifying information
- For parent assessments, we never send child-identifying information to the AI provider
- Every AI-generated report is clearly labelled as AI-generated
- We log which AI model generated each output, what data was sent, and when (in our AI generation log)
- AI-generated reports are recommendations, not professional advice – they should be reviewed in context
- You can request a human review of any AI-generated report by contacting admin@neuroinclusive.uk
We use version-controlled prompt templates and do not allow the AI model to access any data beyond what is explicitly sent for each generation.
7. Legal basis for processing
We process your data under the following legal bases (UK GDPR):
- Consent – for marketing emails, AI report generation, child data processing, and non-essential analytics
- Contract – to provide services you have purchased (units, training, accreditation, support)
- Legitimate interest – for anonymised benchmarking and service improvement (balanced against your privacy rights)
- Legal obligation – for financial records (7 years, HMRC requirement)
For special category data (health/disability), we rely on your explicit consent (Article 9(2)(a)).
8. Who we share data with
We do not sell your personal data. We share data with the following processors:
- Supabase – database and authentication hosting (EU-hosted, Standard Contractual Clauses in place)
- Stripe – payment processing (PCI DSS Level 1 compliant, US/EU)
- Anthropic – AI report generation (US-based, Standard Contractual Clauses in place). Only assessment scores and domain data are sent – never names, emails, or child-identifying information
- Cloudflare – website hosting and security (global CDN)
- Plausible Analytics – privacy-friendly web analytics (EU-hosted, no cookies, no personal data collected)
- SendGrid/Resend – email delivery (only if you consent to marketing emails)
For organisations (schools and businesses), we provide a Data Processing Agreement (DPA) on request – many schools will require this before procurement.
9. Campaign assessments
When an organisation runs a campaign assessment (whole-staff or whole-workforce audit):
- Responses are anonymous by default – the organisation sees only aggregated results
- Named responses are only visible to the organisation if the respondent explicitly opts in
- Individual responses are never shared with the organisation without explicit consent
- Department-level breakdowns are only shown when there are enough respondents to prevent identification
10. Data retention
- Account data: retained while your account is active, anonymised 12 months after deletion request
- Assessment data: retained while account is active + 24 months after deletion (anonymised scores retained for benchmarks)
- Evidence vault files: deleted within 30 days of account deletion
- AI-generated reports: retained while account is active + 12 months after deletion
- Purchase records: 7 years (HMRC legal requirement)
- Consent records: 7 years (proof of consent)
- Audit log: 7 years (regulatory compliance)
- Anonymous benchmark data: retained indefinitely (contains no personal data)
11. Your rights
Under UK GDPR, you have the right to:
- Access your personal data (we will provide a copy within 30 days)
- Rectify inaccurate data
- Erase your data (right to be forgotten – we will anonymise your records)
- Restrict or object to processing
- Data portability (receive your data in a machine-readable format)
- Withdraw consent at any time (this does not affect the lawfulness of processing before withdrawal)
- Object to automated decision-making – our AI reports are recommendations, not automated decisions with legal effect. You can request human review of any AI-generated content.
To exercise any of these rights, contact admin@neuroinclusive.uk. We will respond within 30 days.
12. Data protection impact assessments
We have completed Data Protection Impact Assessments (DPIAs) for:
- AI-generated assessment reports (data sent to Anthropic)
- Parent assessments involving child-related data
- AI-generated reports referencing children's environments
These are available on request to regulators.
13. Cookies and analytics
We use Plausible Analytics, a privacy-friendly analytics tool that does not use cookies and does not collect personal data. No consent is required for Plausible. We use essential cookies only for authentication (session management). No advertising or tracking cookies are used on this site.
14. Data breaches
In the event of a personal data breach, we will notify the Information Commissioner's Office (ICO) within 72 hours where required, and notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights.
15. Changes to this policy
We may update this policy from time to time. Changes will be posted on this page with an updated version number and date. For significant changes, we will notify account holders by email and may request renewed consent where the changes affect how we process your data.
16. Contact and complaints
For any privacy questions, data requests, or concerns: admin@neuroinclusive.uk.
You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe your data has been handled unlawfully.