
EXPLOREBUDDY
DATA PROTECTION POLICY
Last updated: September 2025
ExploreBuddy (“we,” “us,” “our”) is committed to protecting the privacy and security of personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This Policy covers all personal data processing carried out by ExploreBuddy in the context of:
- Individual support sessions (children, adolescents, adults)
- Parental coaching and development programmes
- Neuro Series group courses
- Neurodiversity accessibility audits
- Employee support services
- Professional consultations, training and digital resources
This Policy applies to data relating to clients, their families, organisational employees, website visitors, job applicants, contractors and our own staff.
1. Data Protection Principles
We adhere to the six UK GDPR principles (Article 5), ensuring that personal data are:
- Processed lawfully, fairly and transparently.
- Collected for specified, explicit and legitimate purposes.
- Adequate, relevant and limited to what is necessary.
- Accurate and kept up to date.
- Retained only as long as required for the purposes and legal obligations.
- Processed in a manner that ensures appropriate security and confidentiality.
2. Roles & Responsibilities
Data Controller: ExploreBuddy determines the purposes and means of processing all personal data under this Policy.
Data Protection Officer (DPO): We have appointed a DPO to oversee compliance and act as your point of contact. Email: dpo@explorebuddy.co.uk
Staff & Sub-Processors: All employees, contractors and authorised sub-processors are bound by contractual confidentiality and data-protection obligations.
3. Personal Data We Collect
Depending on the Service, we may collect:
- Identifiers: name, date of birth, address, email, phone number
- Session and case notes: assessments, observations, wellbeing scores
- Employment details: role, department, employer contacts (for employee support)
- Accessibility audit data: site plans, user surveys, assistive-technology requirements
- Financial and billing information: payment records, invoices, bank details
- Website usage and cookies: IP address, device type, consent preferences
- Equality, diversity and health data: disability status, access needs (optional, for lawful monitoring)
4. Lawful Bases for Processing
We rely on one or more of the following lawful bases (Article 6 UK GDPR):
- Contractual Necessity: to perform the Services you have requested.
- Legal Obligation: to comply with safeguarding, health & safety, or financial record-keeping laws.
- Vital Interests: to protect someone’s life in emergencies.
- Legitimate Interests: to improve Services, conduct audits, or prevent fraud, balanced against your rights.
- Consent: for optional marketing communications, diversity monitoring or cookies, withdrawable at any time.
For special category data (e.g. health status, disability), we rely on explicit consent or legal obligations in a healthcare/support context (Article 9 UK GDPR).
5. How We Use Personal Data
We use personal data to:
- Plan, deliver and review support sessions, audits and training.
- Communicate appointments, reports, recommendations and resources.
- Conduct neurodiversity accessibility audits and compile audit reports.
- Provide employee support services, including case management and wellbeing referrals.
- Manage billing, invoicing and statutory record-keeping.
- Analyse service performance and conduct quality-and-risk audits.
- Send newsletters, event invitations or marketing materials (where consented).
6. Data Sharing and Disclosure
We do not sell personal data. We may share data with:
- Referring or commissioning bodies (schools, employers, local authorities) under instruction or consent.
- Safeguarding or regulatory authorities when legally required to protect individuals at risk.
- HR or occupational-health teams of client organisations (for employee support) with your authorisation.
- Professional advisers (accountants, legal counsel) under confidentiality agreements.
- Sub-processors providing hosting, analytics, IT or printing services, always under a Data Processing Addendum.
7. Data Retention
We retain personal data only as long as necessary to:
- Fulfil contractual, legal, safeguarding or audit requirements (generally up to seven years post-engagement).
- Defend or pursue legal claims.
After the retention period, data are securely deleted or irreversibly anonymised.
8. Data Subject Rights
Under UK GDPR, you have the right to:
- Access your personal data and receive a copy.
- Rectify inaccurate or incomplete data.
- Erase data where no lawful basis exists to retain it.
- Restrict or object to processing based on legitimate interests.
- Port data you have provided in a structured, machine-readable format.
- Withdraw consent at any time for processing based solely on consent.
To exercise any of these rights, contact dpo@explorebuddy.co.uk. We will respond within one month.
9. Security Measures
We implement appropriate technical and organisational safeguards:
- Encryption of data at rest and in transit.
- Pseudonymisation of personal identifiers where feasible.
- Role-based access controls and unique user credentials.
- Regular encrypted backups and secure off-site storage.
- Firewalls, antivirus protection and vulnerability management.
- Annual staff training in data security and protection.
- Periodic internal and third-party security audits.
10. Breach Notification
In the event of a personal data breach, we will:
- Notify the Information Commissioner’s Office (ICO) and affected data subjects without undue delay, and within 72 hours if required.
- Provide details of the breach, likely impacts and mitigation steps.
- Implement corrective actions to prevent recurrence.
11. Data Protection Impact Assessments (DPIAs)
Where a DPIA is required (e.g., new processing of sensitive data or large-scale profiling), we will provide the Controller with all necessary information and assistance to complete their assessment under UK GDPR.
12. Monitoring and Review
We review this Policy annually or as required by changes in law, technology or our service offering. The “Last updated” date will reflect each revision. We encourage you to revisit this page periodically.
13. Contact Us
If you have any questions, requests or complaints about this Policy or our data practices, please contact:
Data Protection Officer
Email: dpo@explorebuddy.co.uk
General Enquiries, ExploreBuddy
Website: www.explorebuddy.co.uk
Email: contact@explorebuddy.co.uk
If we cannot resolve your concern, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at https://ico.org.uk.