Privacy Policy | AuDHD Psychiatry
Last Updated: April 2026
1. Introduction
AuDHD Psychiatry is committed to protecting your privacy and handling your personal data with care. This Privacy Policy explains what data we collect, why we collect it, how we use it, and what rights you have in relation to it.
AuDHD Psychiatry is the trading name of ADHDDegree Ltd, a company registered in Scotland (Company No. SC822923), with a registered address at 3 Hill St, Edinburgh EH2 3JP, United Kingdom. We are the Data Controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
If you have any questions about this policy or how we handle your data, please contact us at:
• Email: hello@audhdpsychiatry.co.uk
• Address: 3 Hill St, Edinburgh EH2 3JP, United Kingdom
This policy should be read alongside our Terms and Conditions and Cookie Policy.
2. Definitions
Term
Meaning
Data Controller
The organisation that decides how and why personal data is processed – in this case, ADHDDegree Ltd (trading as AuDHD Psychiatry).
Data Processor
A third party that processes data on our behalf, under our instruction.
Personal Data
Any information that identifies or could identify a living individual.
Special Category Data
A subset of personal data that receives extra legal protection under UK GDPR – this includes health and medical data.
UK GDPR
The UK General Data Protection Regulation, as retained in UK law following the EU exit.
3. Scope of This Policy
This policy covers data collected through:
• Our website at www.audhdpsychiatry.co.uk
• Our booking, payment, and clinical management platforms: Semble, Calendly, and Carebit
• Direct communications with our team by phone, email, or form
• WhatsApp for Business, which we use for certain patient and enquiry communications
It does not cover third-party websites you may reach via links from our site. We encourage you to read the privacy policies of those sites before sharing your data with them.
Please note that WhatsApp for Business is operated by Meta Platforms, Inc. Whilst we take care with what we share via this channel, you should be aware that messages sent through WhatsApp are subject to Meta’s own privacy terms. We recommend you do not send sensitive clinical information via WhatsApp.
4. The Data We Collect
4.1 Personal data
• Full name, date of birth, and gender
• Contact details: email address, phone number, and postal address
• GP details and surgery name
• Emergency contact information (where applicable)
4.2 Health and clinical data (special category data)
We collect and process health-related information as part of delivering our psychiatric assessment services. This includes:
• Medical and psychiatric history
• Assessment notes, diagnostic reports, and clinical correspondence
• Current and past medication details
• Referral letters from GPs, NHS clinics, or other practitioners
This category of data is subject to enhanced protections under UK GDPR Article 9. Please see Section 6 for how we lawfully process this data.
4.3 Payment data
• Debit or credit card details (processed securely via Stripe — we do not store your card details directly)
• Billing address and transaction history
4.4 Technical and usage data
• IP address, browser type, and device information
• Pages visited, time spent on site, and referral source (collected via analytics tools)
• Cookie preferences
4.5 Children’s data
Where assessments are requested for children under the age of 16, we collect data relating to the child — including clinical and health information — alongside the contact details of the parent or guardian acting as the responsible adult. Additional provisions apply; please see Section 11.
5. How We Collect Your Data
We collect data in the following ways:
• Directly from you – via booking forms, contact forms, intake questionnaires, and communications with our team.
• From third parties – including referrals from GPs, NHS clinics, schools, or other healthcare professionals.
• Automatically – via cookies and analytics tools when you visit our website (see Section 9)
• From our clinical platforms – booking and session data recorded in Semble and Carebit
6.1 Lawful bases under Article 6
Processing activity
Lawful basis
Delivering assessments and clinical services
Performance of a contract (Article 6(1)(b))
Processing payments
Performance of a contract (Article 6(1)(b))
Sending appointment reminders and clinical correspondence
Performance of a contract (Article 6(1)(b))
Sharing your information with your GP (with your agreement)
Legitimate interests (Article 6(1)(f)) and where required, Consent
Complying with legal and regulatory obligations (e.g. CQC, GMC)
Legal obligation (Article 6 (1)(c))
Improving our services through anonymised internal analysis
Legitimate interests (Article 6(1)(f))
Marketing communications (where you have opted in)
Consent (Article 6(1)(a))
6.2. Lawful basis for special category (health) data under Article 9
We process your health and clinical data under Article 9(2)(h) of the UK GDPR — that is, for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment, and the management of health or social care systems.
This processing is carried out by, or under the responsibility of, qualified health professionals who are bound by obligations of professional secrecy.
Where we rely on your consent for any specific use of your health data beyond direct clinical care (for example, use in case studies or testimonials), we will ask for this separately and you may withdraw it at any time.
7. How We Use Your Data
We use your data to:
• Carry out ADHD, autism, and AuDHD assessments and deliver associated clinical services
• Manage your bookings, appointments, and clinical correspondence
• Process payments securely through Stripe
• Share relevant clinical information with your GP or other treating clinicians, where appropriate and with your awareness
• Respond to enquiries and provide customer support
• Meet our legal and regulatory obligations as a healthcare provider
• Improve our services through anonymised internal review
We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects. No decisions about your care or your assessment outcome are made by automated means.
8. Sharing Your Data
We do not sell your personal data. we may share your data with the following parties:
8.1 Healthcare professionals
With your knowledge, we may share relevant clinical information with your GP, NHS services, or other treating clinicians to support continuity of care. We will tell you when we do this.
8.2 Data processors acting on our behalf
We use the following third-party platforms to deliver our services. Each is engaged under a Data Processing Agreement and is only permitted to process your data in accordance with our Instructions:
Processor
Purpose
Location
Semble
Scheduling, clinical records management and payment processing
UK
Carebit
Appointment booking, clinical records management and payment processing
UK
Calendly
Scheduling and payment processing
USA (Standard Contractual Clauses apply – see Section 12)
WhatsApp for Business (Meta)
Patient and enquiry communications
USA (Standard Contractual Clauses apply – see Section 12)
Stripe
Secure payment processing (via Calendly)
USA (Standard Contractual Clauses apply – see Section 12)
8.3 Legal and regulatory authorities
We may disclose your data where required to do so by law – for example, to the Care Quality Commission (CQC), the General Medical Council (GMC), or law enforcement agencies in connection with the prevention or investigation of crime.
8.4 Professional advisers
We may share data with our solicitors, insurers, or accountants where strictly necessary and subject to confidentiality obligations.
9. Cookies
We use cookies to make our website function correctly and to understand how it is used. A cookie is a small text file stored on your device when you visit a website.
Cookie Type
Purpose
Essential
Required for the site to work – e.g. session management and booking functionality. These cannot be turned off.
Analytics
Help us understand how visitors use our site so we can improve it. Data is collected anonymously (e.g. via Google Analytics)
Preference
Remember your setting and choices for a more personalised experience.
Advertising & Insights
Help us understand how people find our service and measure the effectiveness of our communications.
You can manage your cookie preferences at any time using the cookie consent tool on our website, or via your browser settings. For further guidance, visit www.aboutcookies.org.
10. Data Retention
We retain your personal data only for as long as is necessary for the purposes for which it was collected, or as required by law. Our standard retention periods are:
Data type
Retention period
Adult clinical and assessment records
8 years from the date of last contact, in line with NHS and GMC guidance
Children’s clinical and assessment records
Until the individual’s 25th birthday (or 26th if they were aged 17 at the time of last treatment), in line with NHS guidance
Financial and payment records
7 years from the date of transaction, for HMRC compliance
Website enquiry and contact form data
2 years from the date of enquiry
Marketing consent records
Until consent is withdrawn, plus 1 year
Cookie and analytics data
As per the retention settings of each platform (typically 13-26 months)
When data is no longer required, it is securely deleted or anonymised.
11. Children’s Data
Where we carry out assessments for children under the age of 16, the parent or legal guardian must provide consent on the child’s behalf and will serve as our primary point of contact.
We collect only the data necessary to carry out the requested assessment and support the child’s care. Children’s clinical records are retained until the individual’s 25th birthday (or 26th if they were aged 17 at last contact), consistent with NHS records management guidance.
We will never use a child’s data for marketing purposes.
Where a young person is aged 16 or 17, we will consider their capacity to consent on a case-by-case basis, taking into account relevant clinical and legal guidance.
12. International Data Transfers
Some of our third-party processors are based outside the United Kingdom. Where your data is transferred outside the UK, we ensure appropriate safeguards are in place to protect it, in accordance with UK GDPR Chapter V.
For transfers to processors based in the United States (including Calendly and Stripe), we rely on UK-approved Standard Contractual Clauses (SCCs) or the UK-US Data Bridge, as applicable.
You can request further information about the specific transfer mechanisms we use by contacting us at hello@audhdpsychiatry.co.uk.
13. Data Security
We take the security of your data seriously and have implemented technical and organisational measures appropriate to the nature of the data we handle. These include:
• Encrypted data storage
• Secure, SSL-protected transmission of data
• Role-based access controls limiting who can access clinical records
• Regular review of access permissions and security practices
• Data Processing Agreements with all third-party processors
If you become aware of any security concern relating to our services, please contact us immediately at hello@audhdpsychiatry.co.uk.
14. Your Rights
Under UK GDPR, you have the following rights in relation to your personal data:
Right
What it means
Right of access
You can request a copy of the personal data we hold about you (a Subject Access Request).
Right to rectification
You can ask us to correct inaccurate or incomplete data.
Right to erasure
You can ask us to delete your data, subject to our legal and clinical obligations to retain records.
Right to restriction
You can ask us to limit how we use your data in certain circumstances.
Right to data portability
You can request your data in a structured, machine0readble format for transfer to another provider.
Right to object
You can object to processing based on legitimate interests, including for direct marketing.
Right to withdraw consent
Where we rely on your consent to process data, you can withdraw it at any time. This will not affect the lawfulness of processing that took place before your withdrawal.
To exercise any of these rights, please contact us at hello@audhdpsychiatry.co.uk. We will respond within one calendar month, We may need to verify your identity before fulfilling a request.
15. Automated Decision-Making and Profiling
We do not make any decisions about you – including decisions about your assessments, diagnosis, or care – using solely automated means. All clinical decisions are made by qualified healthcare professionals.
We do not carry out profiling that produces legal or similarly significant effects on individuals.
16. Data Protection Officer
AuDHD psychiatry does not currently meet the threshold requiring mandatory appointment of a Data Protection Officer (DPO) under UK GDPR Article 37. However, we are committed to responsible data governance and our data-related queries are handled by our clinical operations team.
If you have concerns about how your data is handled, please contact us at hello@audhdpsychiatry.co.uk
17. Complaints
If you are dissatisfied with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s data protection supervisory authority.
• Website: ico.org.uk
• Helpline: 0303 123 1113
We would, however, appreciate the opportunity to address your concerns directly before you contact the ICO. Please reach out to us first at hello@audhdpsychiatry.co.uk.
18. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our services, legal obligations, or best practice. When we make material changes, we will notify you by email (if we hold your contact details) or by posting a prominent notice on our website.
The date at the top of this page indicates when the policy was last updated. We encourage you to review it periodically.
Continued use of our website does not constitute acceptance of any updated policy. Where a change affects how we process your data in a way that requires your consent, we will ask for this separately
AuDHD Psychiatry is the trading name of ADHDDegree Ltd, registered in Scotland (No. SC822923). Registered address: 3 Hill St, Edinburgh EH2 3JP, United Kingdom.