Neurodiversity training Neurodiversity in education About Learning Hub
Contact

Differing Minds Privacy Policy

At Differing Minds CIC, we are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, store, and protect your personal data when you interact with our services, visit our website, or otherwise engage with us.

This policy should be read in conjunction with our Terms and Conditions (www.differingminds.co.uk/termsandconditions), which govern the provision of our services. By using our services or visiting our website, you acknowledge that you have read and understood this Privacy Policy.

Differing Minds CIC is a Community Interest Company (CIC) that provides consulting and training services to help businesses recruit, retain, and support neurodivergent talent. We understand the sensitive nature of information relating to neurodiversity and handle all personal data with the highest standards of care and confidentiality.

1. Data controller details

For the purposes of data protection law, Differing Minds CIC is the 'data controller' of your personal information. This means we determine how and why your personal data is processed.

Organisation: Differing Minds CIC

Website: www.differingminds.co.uk

Email: [email protected]

Data protection contact: Data Management

2. What personal data we collect

We collect and process different types of personal data depending on how you interact with us. Personal data means any information that identifies you or can be used to identify you.

Contact information:

  • Name
  • Email address
  • Telephone number
  • Postal address
  • Job title and company name

Account and service information:

  • Client account details
  • Service bookings and registrations
  • Training programme participation
  • Payment and billing information
  • Feedback and survey responses
  • Communication preferences

Communications:

  • Email correspondence
  • Form submissions through our website
  • Consultation notes and meeting records
  • Support queries and responses

Technical information:

  • IP address
  • Browser type and version
  • Device information
  • Operating system
  • Referral source
  • Pages visited and time spent on pages
  • Cookies and similar tracking technologies (see Section 11)

Special category data (sensitive personal information):

In the course of providing our neurodiversity consulting and training services, we may process 'special category' personal data, which includes information about:

  • Health information (including neurodivergent conditions such as autism, ADHD, dyslexia, dyspraxia, etc.)
  • Disability-related information
  • Workplace adjustments and accommodations

We only process special category data where:

  • You have given us your explicit consent; or
  • It is necessary for reasons of substantial public interest (promoting equality and diversity in employment); or
  • You have clearly made the information public yourself

See Section 5 for more details about how we handle special category data.

3. How we collect your personal data

We collect personal data through various means:

Directly from you when you:

  • Fill out forms on our website (contact forms, consultation requests, programme registration)
  • Purchase or enquire about our services
  • Sign up for our newsletter or mailing list
  • Attend our training programmes or events
  • Contact us by email, phone, or post
  • Engage with us on social media
  • Provide feedback or complete surveys

Automatically when you:

  • Visit our website (through cookies and similar technologies)
  • Use our online platforms
  • Interact with our emails (open rates, click-through rates)

From third parties:

  • Organisations that book our services on behalf of their employees
  • Professional referrals
  • Public sources (company websites, LinkedIn)

4. How and why we use your personal data

We only use your personal data when the law allows us to. We process your data for specific purposes and rely on lawful bases as set out in UK data protection law.

To provide our services to you (contractual necessity)

When you engage our services, we process your data to:

  • Deliver training programmes and consulting services
  • Manage your account and bookings
  • Communicate with you about services
  • Process payments and maintain financial records
  • Provide customer support
  • Issue certificates and training materials

When we provide services to business clients, we process data in accordance with our Terms and Conditions (www.differingminds.co.uk/termsandconditions), which set out the contractual relationship and data processing responsibilities.

For our legitimate business interests

We may process your data where it is necessary for our legitimate interests, provided these interests do not override your rights. This includes:

  • Improving and developing our services
  • Understanding how our website is used and optimising user experience
  • Managing our business operations efficiently
  • Preventing fraud and ensuring security
  • Maintaining records for accountability
  • Analysing and improving service quality
  • Research and statistical analysis (using anonymised data where possible)

Where we rely on legitimate interests, we carefully balance our business needs against your privacy rights.

With your consent

We will ask for your specific consent to:

  • Send you marketing communications about our services, events, and resources
  • Use cookies and similar technologies (see Section 11)
  • Process special category data (see Section 5)
  • Record training sessions (where applicable)

You can withdraw your consent at any time by contacting us or using the unsubscribe link in our emails. Withdrawing consent does not affect the lawfulness of processing before withdrawal.

To comply with legal obligations

We process data where required by law, including:

  • Tax and accounting obligations (HMRC requirements)
  • Responding to lawful requests from authorities
  • Compliance with court orders
  • Meeting regulatory requirements

5. Special category data (sensitive personal information)

Given the nature of our work supporting neurodivergent talent, we recognise that we may process special category personal data. We treat this information with additional care and security.

When we process special category data:

  • When you voluntarily disclose neurodivergent conditions in consultation requests
  • During training delivery where participants share personal experiences
  • In case studies and testimonials (with explicit consent and anonymisation)
  • When providing workplace adjustment recommendations to employers
  • In survey responses and feedback forms where you choose to share such information

Legal basis for processing:

We process special category data only where:

  • Explicit consent: You have given clear, informed consent (e.g., ticking a consent box, signing a consent form)
  • Substantial public interest: Processing is necessary for promoting equality of opportunity (Schedule 1, Part 2, Paragraph 8 of the Data Protection Act 2018)
  • Made public by you: You have clearly chosen to make the information public

Additional safeguards:

  • We only collect special category data when strictly necessary
  • Access is restricted to authorised personnel only
  • All special category data is encrypted and stored securely
  • We anonymise or pseudonymise data wherever possible
  • We never sell or share special category data with third parties for marketing
  • Retention periods are strictly enforced

Your rights:

You have the right to:

  • Withdraw consent for processing special category data at any time
  • Request deletion of special category data
  • Object to processing
  • Request details of how we process your special category data

6. How long we keep your data

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including legal, accounting, or reporting requirements.

Our retention schedule:

  • Client records and contracts: 7 years after contract ends (for legal and tax purposes)
  • Financial records and invoices: 7 years (HMRC requirement)
  • Training attendance records: 7 years
  • Email correspondence: 3 years after last contact
  • Marketing data: Until consent withdrawn or 3 years of inactivity
  • Website analytics: 26 months
  • CCTV footage (if applicable): 30 days
  • Job applications: 6 months after recruitment process
  • Data protection complaints: 7 years after closure

When retention periods expire, we securely delete or anonymise your data. In some cases, we may retain data for longer where required by law or for legal proceedings.

7. Who we share your data with

We do not sell your personal data to third parties. We only share your data where necessary to provide our services or where required by law.

Service providers (data processors):

We use carefully selected third-party service providers to support our operations:

  • Website hosting and platform: Kajabi (www.kajabi.com) - stores client data, handles payments, and hosts our online platform. Data may be stored on secure servers in the United States with appropriate safeguards.
  • Email and communication service providers: Kajabi, Beehiiv, and Google - for sending newsletters, communications, and managing email services
  • Payment processors: Kajabi, Stripe, and Quaderno - for processing transactions and managing invoicing
  • Accounting software: Xero - for financial management and bookkeeping
  • Cloud storage: Google - for secure document storage and collaboration

All service providers are bound by data processing agreements and required to implement appropriate security measures. Our contractual arrangements with clients include data processing provisions as detailed in Clause 11 of our Terms and Conditions (www.differingminds.co.uk/termsandconditions).

Business clients:

When we provide training or consulting services to organisations, we may share:

  • Attendance records with the hiring organisation
  • Training completion certificates
  • Anonymised feedback and evaluation results
  • Aggregated statistics (never identifying individuals without consent)

Legal requirements:

We may disclose your data if required by law or in response to:

  • Court orders or legal processes
  • Requests from law enforcement or regulatory authorities
  • Protection of our legal rights
  • Prevention of fraud or crime

Business transfers:

If Differing Minds CIC is involved in a merger, acquisition, or sale of assets, your data may be transferred to the new owner. We will notify you of any such change and ensure continued protection of your data.

8. Data protection complaints procedure

We are committed to handling your personal data lawfully and transparently. If you have concerns about how we have processed your personal data, we want to hear from you.

How to make a complaint:

If you believe we have not handled your personal data correctly, you can raise a complaint with us using either of these methods:

  1.  Online complaint form: https://forms.gle/jcKhBPgfaC2PU2Ak6

Complete our Data Protection Complaint Form with details of your concern. 

  1. Email: [email protected] - Send us an email with 'Data Protection Complaint' in the subject line. 
  2. Post: Data Protection Team, Differing Minds CIC, The Dock Hub, Wilbury Villas, BN3 6AH

Please provide:

  • Your name and contact details
  • Details of your complaint
  • What outcome you are seeking
  • Any relevant dates and documentation

What happens next:

  1. Acknowledgement: We will acknowledge your complaint within 30 days of receiving it, usually within 3-5 business days. 
  2. Investigation: We will investigate your concerns thoroughly, which may include: 
  • Reviewing relevant records and systems
  • Speaking with staff members involved
  • Assessing our compliance with data protection law 
  1. Updates: We will keep you informed of progress throughout the investigation. 
  2. Response: We aim to provide a full response within 1 month, though complex investigations may take up to 3 months. We will explain: 
  • Our findings 
  • Whether we uphold your complaint 
  • Any actions we have taken or will take 
  • Your right to escalate to the ICO if unsatisfied

Your rights if you remain unsatisfied:

If you are not satisfied with our response, or if you prefer not to complain to us directly, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's independent data protection regulator.

Information Commissioner's Office (ICO):

Website: www.ico.org.uk

Telephone: 0303 123 1113

Online complaint form: https://ico.org.uk/make-a-complaint/

Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF 

The ICO can investigate your complaint independently and has enforcement powers.

9. Your data protection rights

Under UK data protection law, you have important rights regarding your personal data. These rights are free to exercise and we will respond to requests within 1 month.

Right to be informed:

You have the right to clear, transparent information about how we use your data. This Privacy Policy fulfils that obligation.

Right of access (subject access request):

You can request a copy of the personal data we hold about you. We will provide:

  • Confirmation that we process your data
  • A copy of your personal data
  • Details of how we use it, who we share it with, and how long we keep it

To make a Subject Access Request, email [email protected] with 'Subject Access Request' in the subject line. We may need to verify your identity before responding.

Right to rectification:

You can ask us to correct inaccurate or incomplete personal data. We will update your information and notify any third parties we shared it with (where appropriate).

Right to erasure ('right to be forgotten'):

You can request deletion of your personal data in certain circumstances:

  • The data is no longer needed for its original purpose
  • You withdraw consent (where processing is based on consent)
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • Legal obligation requires deletion

Note: We may not be able to delete all data if we have a legal obligation to retain it (e.g., financial records for tax purposes).

Right to restrict processing:

You can ask us to limit how we use your data in certain situations:

  • You contest the accuracy of the data
  • Processing is unlawful but you don't want it deleted
  • We no longer need the data but you need it for legal claims
  • You have objected to processing and we're verifying whether our grounds override yours

Right to data portability:

Where technically feasible, you can request your data in a structured, commonly used, machine-readable format. This applies to data you provided to us based on consent or for a contract.

Right to object:

You can object to processing based on legitimate interests or for direct marketing:

  • Direct marketing: You have an absolute right to opt out at any time using the unsubscribe link in emails or contacting us.
  • Legitimate interests: We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.

Right to withdraw consent:

Where we process your data based on consent, you can withdraw that consent at any time. This does not affect the lawfulness of processing before withdrawal.

How to exercise your rights:

To exercise any of these rights, contact us at:

Email: [email protected]

Subject line: Include the specific right you're exercising (e.g., 'Subject Access Request', 'Right to Erasure')

We will:

  • Respond within 1 month (extendable by 2 months for complex requests)
  • Verify your identity before processing requests
  • Explain any reasons if we cannot fulfil your request
  • Not charge a fee unless the request is manifestly unfounded or excessive

10. International data transfers

We primarily store and process your data within the United Kingdom. However, some of our service providers may store or process data outside the UK, including in the United States (e.g., Kajabi, Stripe, Google).

When data is transferred internationally, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses approved by the UK ICO
  • Adequacy decisions (where the destination country has been deemed to provide adequate protection)
  • Additional security measures as required

We do not transfer special category data outside the UK without your explicit consent and additional safeguards.

11. Cookies and similar technologies

Our website uses cookies and similar technologies to enhance your experience and understand how our site is used.

What are cookies?

Cookies are small text files stored on your device when you visit a website. They help websites remember your preferences and improve functionality.

Types of cookies we use:

  • Essential cookies: Necessary for the website to function (e.g., remembering items in your cart, maintaining your session)
  • Performance cookies: Help us understand how visitors use our website (e.g., Google Analytics)
  • Functionality cookies: Remember your preferences and provide enhanced features
  • Marketing cookies: Track your activity to deliver relevant advertising (only with your consent)

Managing cookies:

You can control cookies through:

  • Our cookie consent banner (appears on first visit)
  • Your browser settings (most browsers allow you to block or delete cookies)
  • Opt-out tools for specific services (e.g., Google Analytics: https://tools.google.com/dlpage/gaoptout)

Note: Blocking certain cookies may affect website functionality.

For more detailed information about cookies, visit www.allaboutcookies.org

12. Security of your data

We take the security of your personal data seriously and have implemented appropriate technical and organisational measures to protect it from unauthorised access, loss, misuse, or disclosure.

Security measures:

  • Encryption: All data transmitted to and from our website is encrypted using SSL/TLS technology
  • Access controls: Only authorised personnel have access to personal data, on a need-to-know basis
  • Secure storage: Data is stored on secure servers with firewalls and intrusion detection systems
  • Regular backups: We maintain secure backups to prevent data loss
  • Staff training: All personnel handling personal data receive data protection training
  • Vendor security: We require our service providers to implement appropriate security measures
  • Incident response: We have procedures in place to detect, report, and investigate data breaches

Data breaches:

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the ICO within 72 hours of becoming aware
  • Inform affected individuals without undue delay
  • Take immediate steps to contain and remedy the breach
  • Document the incident and our response

Whilst we implement robust security measures, no method of transmission or storage is 100% secure. If you have concerns about the security of your data, please contact us.

13. Links to other websites

Our website may contain links to third-party websites, including social media platforms, partner organisations, and resource providers. This Privacy Policy applies only to our website.

When you click on a link to another website:

  • You will be subject to that website's privacy policy
  • We are not responsible for their privacy practices
  • We recommend reviewing their privacy policies before providing personal data

We do not endorse or take responsibility for the content or practices of third-party websites.

14. Changes to this privacy policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or business operations.

How we notify you:

  • Material changes: We will notify you by email or prominent notice on our website
  • Minor updates: We will update the 'Last updated' date at the top of this policy

Your continued use:

Your continued use of our services after changes are made constitutes acceptance of the updated policy. If you disagree with changes, please stop using our services and contact us to discuss your data.  We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

15. How to contact us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us:

General enquiries:

Email: [email protected]

Website: www.differingminds.co.uk

Data protection enquiries:

Email: [email protected]

Subject: Include 'Data Protection' in the subject line 

Data protection complaints: See Section 8 for our full complaints procedure 

Post: Differing Minds CIC, The Dock Hub, Wilbury Villas, Hove, BN3 6AH

We aim to respond to all enquiries within 5 business days.

16. Your right to complain to the ICO

You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe we have not handled your personal data properly.

Information Commissioner's Office (ICO):

Website: www.ico.org.uk

Telephone: 0303 123 1113

Online complaint form: https://ico.org.uk/make-a-complaint/

Post: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF 

We would appreciate the opportunity to address your concerns before you contact the ICO, but you have the right to contact them at any time.

---

This Privacy Policy was last updated on October 2025 and is compliant with:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018
  • Data (Use and Access) Act 2025
  • Privacy and Electronic Communications Regulations 2003

Last updated: October 2025