Privacy Policy

1. Introduction

NeuroPathway Ecosystem ("we", "our", "us") is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, share, and protect information about users of our digital health platform designed to support neurodevelopmental assessment and youth mental wellbeing.

This policy applies to all users including young people (ages 8-17), parents/carers, healthcare professionals, educational staff, and social care workers.

We are registered as a Data Controller under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Information We Collect

2.1 Young People (Safe Space App)

• Age and basic profile information (no full name required)
• Daily emotional check-ins (mood, stress, energy, sleep quality)
• Journal entries and personal reflections
• Interactions with AI assistant (anonymized)
• Crisis support access logs (for safeguarding)
• Consent preferences for data sharing with parents/professionals

2.2 Parents and Carers

• Name, email address, phone number
• Relationship to young person
• Family observations and behavioral notes
• EHCP documentation and assessment evidence
• Communication with professionals via the platform

2.3 Healthcare and Education Professionals

• Professional credentials and registration numbers
• Organization and role information
• Clinical assessments and observations
• Referral decisions and recommendations
• Multi-agency collaboration notes
• Access logs to patient/student records

2.4 Technical Information

• IP address and device information
• Browser type and version
• Usage patterns and feature interactions
• Error logs and performance data

3. How We Use Your Information

3.1 Primary Purposes

• Clinical Care: Support neurodevelopmental assessments, EHCP processes, and mental health monitoring
• Pattern Detection: AI analysis of emotional trends to identify concerning patterns (with consent)
• Multi-Agency Collaboration: Enable secure information sharing between CAMHS, schools, and social care
• Safeguarding: Detect and respond to crisis situations or risk indicators
• Service Improvement: Analyze anonymized data to enhance platform features and effectiveness

3.2 Legal Bases for Processing

We process your information under the following legal bases:

• Consent: For young people's emotional data and data sharing preferences
• Legitimate Interests: For platform security, fraud prevention, and service improvement
• Legal Obligation: For safeguarding reporting and regulatory compliance
• Vital Interests: In emergency situations to protect life and wellbeing
• Public Task: For NHS healthcare delivery and statutory education services

4. Data Sharing and Disclosure

4.1 Young People's Control

Young people have granular control over who can see their Safe Space data:

• Mood trends can be shared with parents, schools, CAMHS, or social care (individually controlled)
• Private journal entries are NEVER shared and remain PIN-locked
• Crisis support interactions are only shared if safeguarding risk is identified
• Consent can be withdrawn at any time via app settings

4.2 Professional Data Sharing

We share information with authorized professionals only when:

• The young person/parent has given explicit consent
• It's necessary for coordinated care (NHS National Data Opt-Out respected)
• Required by law (safeguarding concerns, court orders)
• The professional has verified credentials and role-based access permissions

4.3 Third-Party Services

We use the following trusted service providers:

• Supabase: Secure database hosting (ISO 27001 certified, UK data centers)
• Vercel: Platform hosting and deployment
• AI Providers: Anonymous data for AI assistant and pattern detection (no personal identifiers)
• Email/SMS Services: Notification delivery (SendGrid, Twilio - when implemented)

All third-party processors are bound by Data Processing Agreements and meet NHS Data Security and Protection Toolkit standards.

5. Data Security

We implement industry-leading security measures including:

• Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Access Controls: Role-based access with multi-factor authentication for professionals
• Audit Logging: Complete audit trail of all data access and modifications
• PIN Protection: Young people's private folders secured with personal PIN codes
• Security Monitoring: 24/7 intrusion detection and vulnerability scanning
• Regular Testing: Annual penetration testing and security audits
• Incident Response: Documented procedures for data breach notification (within 72 hours to ICO)

6. Your Rights

Under UK GDPR, you have the following rights:

• Right to Access: Request a copy of your personal data (Subject Access Request)
• Right to Rectification: Correct inaccurate or incomplete information
• Right to Erasure: Request deletion of your data ("right to be forgotten")
• Right to Restrict Processing: Limit how we use your data
• Right to Data Portability: Receive your data in a machine-readable format
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent at any time for consent-based processing

Important: Some data may need to be retained for legal or safeguarding reasons even after a deletion request.

To exercise your rights, contact our Data Protection Officer at: dpo@neuropathwayecosystem.co.uk

7. Children's Privacy

We take extra precautions to protect children's privacy:

• Young people aged 8-17 can use Safe Space with parental awareness
• Age-appropriate language and privacy controls throughout the app
• Parents can request access to their child's data (balanced with the child's right to privacy)
• Safeguarding team reviews all crisis interactions
• No marketing or advertising to children
• Compliance with ICO Children's Code and Age Appropriate Design Code

8. Data Retention

We retain your information for the following periods:

• Clinical Records: 8 years after last interaction (NHS Records Management Code of Practice)
• Child Records: Until 25th birthday or 8 years after last interaction (whichever is longer)
• Safeguarding Records: Until 75th birthday or as required by local authority
• Audit Logs: 6 years for compliance purposes
• Marketing Consent: Until consent withdrawn or 2 years of inactivity

After retention periods expire, data is securely deleted or anonymized for research purposes.

9. International Transfers

Your data is stored in UK-based data centers. We do not transfer personal data outside the UK except:

• With your explicit consent
• To cloud providers with UK data residency commitments
• Where necessary for safeguarding and protected by appropriate safeguards (Standard Contractual Clauses)

10. Cookies and Tracking

We use essential cookies for platform functionality:

• Essential Cookies: Session management, authentication, security
• Analytics Cookies: Anonymous usage statistics to improve the platform (can be disabled)
• No Third-Party Tracking: We do not use advertising cookies or sell data to third parties

11. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will:

• Notify registered users via email of significant changes
• Update the "Last updated" date at the top of this policy
• Maintain an archive of previous versions
• Seek renewed consent where required by law

12. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices: