Privacy Policy

Effective date: 1st May 2026
Last reviewed: 11th July 2026

1. Who we are

This privacy policy explains how Jude Morrow, trading as Jude Morrow Neurodiversity Advice & Diagnostics, collects, uses, stores and protects personal information.

Data controller: Jude Morrow trading as Jude Morrow Neurodiversity Advice & Diagnostics
Email: jude@judemorrow.co
Website: www.judemorrow.co
Trading address: Health Hub Professionals, 1 Hyde Business Park, Derry. BT480LU
ICO registration number: ZC170077

In this policy, “we”, “us” and “our” refer to Jude Morrow Neurodiversity Advice & Diagnostics.

This policy applies to information collected through:

  • This website
  • Website contact forms
  • WooCommerce orders and checkouts
  • Autism and ADHD assessment deposit bookings
  • Advice and support appointments
  • Telephone, email, Zoom and in-person contact
  • Support-letter and professional-advice services
  • Speaking, training and media enquiries
  • Assessment onboarding and related administration
  • Social media messages where used for business enquiries

2. Autism Services Group

Private Autism, ADHD and combined Autism and ADHD diagnostic assessment pathways are delivered clinically in partnership with Autism Services Group, referred to in this policy as ASG.

For information collected directly by us for website bookings, deposits, initial advice, administration and onboarding, Jude Morrow Neurodiversity Advice & Diagnostics is the data controller.

ASG is responsible for the clinical assessment pathway and may act as a separate data controller for the information it collects and uses for:

  • Clinical assessment
  • Clinical appointments
  • Multidisciplinary review
  • Diagnostic decision-making
  • Report preparation
  • Clinical governance
  • Complaints concerning clinical work
  • The remaining assessment balance paid directly to ASG

ASG may provide its own privacy notice, consent documentation and clinical-data information. Where ASG collects or controls the information, its privacy policy will apply.

Information may be shared securely between us and ASG where this is necessary to arrange, administer and deliver the assessment pathway.

3. Information we may collect

The information collected depends on the service you use.

Identity and contact information

This may include:

  • Full name
  • Previous names where relevant
  • Postal address
  • Email address
  • Telephone number
  • Date of birth
  • Country of residence
  • Preferred method of contact

Information about a person being assessed

This may include:

  • Full name
  • Date of birth
  • Age
  • Whether the assessment is for an adult or child
  • Parent or guardian details
  • The purchaser’s relationship to the person being assessed
  • Information about parental responsibility or lawful authority
  • Relevant consent information

Health and neurodevelopmental information

This may include information about:

  • Autism and ADHD traits
  • Physical or mental health
  • Developmental history
  • Communication
  • Sensory experiences
  • Attention, impulsivity and executive functioning
  • Emotional regulation
  • Learning and education
  • Behaviour and daily functioning
  • Previous diagnoses or assessments
  • Medication
  • Disability and support needs
  • Family, school, workplace or social circumstances
  • Safeguarding concerns
  • Reports or letters from other professionals

Health information is treated as special-category personal data and receives additional protection under data-protection law.

Booking and payment information

This may include:

  • The service or assessment pathway selected
  • Booking-deposit amount
  • Transaction status
  • Payment reference
  • Billing details
  • Date and time of payment
  • Refund or cancellation information
  • WooCommerce order details

Debit and credit card information is normally processed directly by the relevant payment provider, such as Revolut or Stripe. We do not ordinarily receive or store your complete card number or card security code.

Appointment information

This may include:

  • Appointment date and time
  • Appointment format
  • Attendance information
  • Notes relevant to the advice provided
  • Correspondence before and after the appointment
  • Agreed recommendations or next steps
  • Letters or documents requested

Website and technical information

This may include:

  • Internet Protocol address
  • Browser and device type
  • Pages visited
  • Approximate location
  • Referral source
  • Cookie identifiers
  • Website activity
  • Security and error logs

Communications

We may retain:

  • Emails
  • Contact-form submissions
  • Text or telephone records
  • Social media business enquiries
  • Complaint correspondence
  • Feedback
  • Records of consent and preferences

Please do not send extensive medical or highly sensitive information through an ordinary website contact form unless requested. Secure onboarding processes will be used where more detailed information is required.

4. How we obtain information

We may receive information:

  • Directly from you
  • From a parent, guardian or person with lawful authority
  • From the person being assessed
  • From ASG
  • From a partner, family member or informant
  • From a school, university, employer or professional, with an appropriate lawful basis
  • From questionnaires, reports and supporting records
  • Through payment, booking and website systems
  • From publicly available professional or business sources
  • From another service where you have authorised the disclosure or the disclosure is otherwise lawful

Where information is obtained from someone other than the person it concerns, appropriate privacy information will be provided within the period required by law.

5. Why we use personal information

We may use personal information to:

  • Respond to enquiries
  • Arrange advice and support appointments
  • Process assessment booking deposits
  • Confirm the identity of the person being assessed
  • Confirm parental responsibility or authority where appropriate
  • Assess initial suitability for a pathway
  • Reserve assessment capacity
  • Register and onboard clients
  • Communicate with ASG and relevant clinicians
  • Arrange assessment-related appointments
  • Issue consent forms and questionnaires
  • Provide professional advice and recommendations
  • Prepare support letters
  • Provide benefit, school or workplace guidance
  • Manage payments, invoices and refunds
  • Send appointment and service communications
  • Maintain professional, financial and administrative records
  • Address concerns and complaints
  • Protect clients, staff and the public
  • Meet safeguarding, legal, insurance, tax and regulatory duties
  • Operate, maintain and secure the website
  • Prevent fraud, misuse and unauthorised access
  • Improve our services
  • Send marketing communications where legally permitted

We do not sell personal or health information to advertisers.

6. Our lawful bases

The lawful basis depends on why the information is being used.

Contract

We may process information where this is necessary to:

  • Take steps at your request before entering into a contract
  • Process a booking
  • Provide an advice appointment
  • Reserve an assessment place
  • Complete onboarding
  • Provide an agreed letter or support service
  • Manage payment, cancellation or service administration

Legal obligation

We may process information where necessary to comply with:

  • Tax and accounting requirements
  • Consumer law
  • Data-protection law
  • Court orders
  • Safeguarding duties where applicable
  • Regulatory, insurance or professional obligations

Legitimate interests

We may use information where it is reasonably necessary for legitimate business purposes and those interests are not overridden by your rights.

This may include:

  • Responding to ordinary business enquiries
  • Managing service administration
  • Maintaining appropriate professional records
  • Protecting the website and business systems
  • Preventing fraud
  • Establishing, exercising or defending legal claims
  • Improving services
  • Communicating with previous clients about closely related services where legally permitted

Where legitimate interests are used, we consider whether the processing is necessary, proportionate and reasonably expected.

Consent

We may rely on consent for:

  • Optional email marketing
  • Certain information-sharing arrangements
  • Recording an appointment where specifically agreed
  • Optional testimonials
  • Certain uses of health information where explicit consent is the appropriate condition

You can withdraw consent at any time. Withdrawal does not affect processing that took place lawfully before consent was withdrawn.

Vital interests

In a serious emergency, information may be used or disclosed where necessary to protect someone’s life or physical safety.

The UK GDPR requires the lawful basis used for each purpose to be identified and explained.

7. Special-category information

Information concerning physical health, mental health, disability, Autism, ADHD and assessment services is special-category information.

Alongside an Article 6 lawful basis, we will rely on an appropriate condition under Article 9 of the UK GDPR. Depending on the purpose, this may include:

  • Explicit consent
  • Processing necessary for health or social-care purposes, assessment or diagnosis by, or under the responsibility of, professionals subject to confidentiality requirements
  • Processing necessary to establish, exercise or defend legal claims
  • Processing necessary for safeguarding or another substantial public-interest condition where legally applicable
  • Processing necessary to protect vital interests where a person cannot consent

Special-category information must have both an Article 6 lawful basis and a separate Article 9 condition.

8. Children’s information

We process children’s information where a parent, guardian or another person with lawful authority arranges an assessment, advice service or support intervention.

We take additional care when processing children’s information and will:

  • Collect only information reasonably required
  • Confirm parental responsibility or authority where appropriate
  • Consider the child’s age, understanding and wishes
  • Explain the use of information in age-appropriate language where appropriate
  • Limit disclosure to those who need the information
  • Consider the child’s best interests
  • Protect information using appropriate security measures

Children have data-protection rights in their own name, even where a parent or guardian arranged the service. Privacy information should be presented clearly and in a way children can understand where the service is provided directly to them.

9. Who we may share information with

Where necessary and lawful, information may be shared with:

  • Autism Services Group
  • Clinicians involved in the assessment pathway
  • Psychology, social work, speech and language therapy, occupational therapy, nursing or other relevant professionals
  • Parents, guardians or authorised informants
  • Schools, universities or employers, where authorised or otherwise lawful
  • GPs, healthcare professionals or public services, where authorised or otherwise lawful
  • Payment providers such as Revolut and Stripe
  • Booking providers such as Calendly
  • Website, hosting and e-commerce providers, including IONOS, WordPress and WooCommerce
  • Email and document-service providers
  • Accountants, bookkeepers and Xero
  • Professional advisers, insurers and legal representatives
  • IT, cybersecurity and technical-support providers
  • Regulators, courts, law-enforcement bodies or public authorities where legally required
  • Safeguarding authorities where disclosure is necessary and lawful
  • A purchaser or successor if the business is transferred, subject to appropriate protections

We only share information that is reasonably necessary for the relevant purpose.

We do not guarantee that a third party will accept a report or act on a recommendation merely because information has been shared with them.

10. Payment information

Payments may be processed through third-party providers such as:

  • Revolut
  • Stripe
  • WooCommerce payment gateways
  • Calendly-integrated payment services

These providers collect and process payment information under their own privacy policies and security arrangements.

We ordinarily receive confirmation that a payment succeeded or failed, together with transaction details. We do not ordinarily store full card numbers or card security codes.

The remaining balance for a diagnostic assessment is paid directly to ASG and is processed under ASG’s own payment and privacy arrangements.

11. Website hosting, cookies and analytics

The website uses WordPress and is hosted through IONOS.

Cookies and similar technologies may be used to:

  • Operate essential website functions
  • Remember checkout and basket information
  • Maintain security
  • Process payments
  • Measure website use
  • Understand how visitors found the website
  • Improve performance
  • Support embedded content or social-media features

Non-essential analytics, advertising or marketing cookies should only be set after the required consent has been obtained.

Further details should be provided in a separate Cookie Policy, and visitors should be given access to cookie controls through the website’s consent banner.

12. Email marketing

We may send marketing messages where:

  • You have given consent; or
  • The law otherwise permits communication about closely related services.

Marketing consent is optional and is not a condition of receiving assessment or advice services.

Every marketing email will provide a method to unsubscribe. You may also unsubscribe by contacting jude@judemorrow.co.

We may retain limited information on a suppression list to ensure that a person who has opted out is not inadvertently contacted again.

13. International transfers

Some technology, email, payment, booking, website or cloud-service providers may store or access information outside the United Kingdom.

Where personal information is transferred internationally, we will use a lawful transfer mechanism, which may include:

  • A country covered by UK adequacy regulations
  • The UK International Data Transfer Agreement
  • The UK Addendum to approved standard contractual clauses
  • Another legally permitted safeguard
  • A limited statutory exception where applicable

Where an appropriate safeguard is used, we will take reasonable steps to assess the protection available and obtain further information from the provider where required. ICO guidance confirms that restricted transfers require an applicable transfer mechanism and, where relevant, appropriate safeguards and risk assessment.

You may request information about the relevant safeguards by contacting us.

14. Republic of Ireland and EU data protection

Where services are specifically offered to individuals in the Republic of Ireland, the EU GDPR may also apply depending on the circumstances.

Individuals in the Republic of Ireland may have the right to raise concerns with the Irish Data Protection Commission or another relevant European supervisory authority.

EU representative, where required:
[Insert appointed EU representative’s name, address and contact details, or remove this section only after obtaining advice that an EU representative is not required.]

Because the business offers services to people in the Republic of Ireland and may process health information, professional advice should be obtained on whether an EU representative is required under Article 27 of the EU GDPR. EDPB guidance confirms that non-EU organisations targeting individuals in the EU may fall within the EU GDPR’s territorial scope and may be required to appoint an EU representative.

15. How long we keep information

We do not retain personal information for longer than is reasonably necessary.

Retention depends on:

  • The type of service
  • Whether the person is an adult or child
  • Professional and clinical-governance requirements
  • Safeguarding considerations
  • Insurance requirements
  • Complaints or legal claims
  • Tax and accounting duties
  • Whether ASG is the controller of the clinical record

Our general approach is:

Unsuccessful or general enquiries

General enquiries that do not result in a service will normally be retained for up to 12 months, unless there is a valid reason to retain them longer.

Booking and payment records

Order, invoice, payment and accounting records will be retained for the period required by tax and accounting law.

As a sole trader, business records generally need to be retained for at least five years after the 31 January Self Assessment submission deadline for the relevant tax year.

Advice and support records

Appointment notes, correspondence, support letters and related professional records will be retained according to our documented retention schedule, professional requirements, insurance conditions, safeguarding needs and limitation periods.

Assessment administration

Deposit, onboarding and assessment-administration records held by us will be retained only for as long as necessary for:

  • Delivery of the pathway
  • Communication with ASG
  • Complaints and queries
  • Financial records
  • Professional accountability
  • Legal or insurance purposes

ASG will determine retention of the clinical assessment record it controls under its own retention policy.

Marketing records

Marketing information will be retained until consent is withdrawn or the information is no longer required. A minimal suppression record may be retained after opt-out.

We maintain retention criteria and periodically review information for secure deletion or anonymisation. The ICO recommends documented retention periods or criteria for each type of information.

16. How we protect information

We use appropriate technical and organisational measures, which may include:

  • Password-protected systems
  • Multi-factor authentication where available
  • Access controls
  • Secure hosting
  • Encryption in transit
  • Secure payment providers
  • Device protection
  • Backups
  • Staff and contractor confidentiality
  • Data minimisation
  • Secure disposal
  • Incident-response procedures
  • Review of third-party service providers

No internet or email system can be guaranteed to be completely secure. Clients should avoid sending highly sensitive information through ordinary email unless requested and appropriate safeguards are in place.

Cookies

Our website uses cookies and similar technologies to operate essential functions, maintain security, remember basket and checkout information and process payments.

Some cookies are strictly necessary for the website and WooCommerce checkout to function and cannot be switched off through our systems.

We may also use optional analytics or marketing cookies to understand how visitors use the website and improve our services. These cookies will only be used where the required consent has been provided.

You can manage or withdraw your cookie choices through the cookie settings available on the website. You may also control cookies through your browser settings, although blocking essential cookies may affect how the website functions.

17. Data breaches

Where a personal-data breach occurs, we will investigate and take appropriate action.

Where legally required, we will notify the Information Commissioner’s Office and affected individuals within the applicable timescales.

We may also need to notify ASG, a payment provider, insurer, professional adviser or other relevant organisation.

18. Your rights

Depending on the circumstances, you may have the right to:

  • Be informed about how information is used
  • Request access to personal information
  • Ask for inaccurate information to be corrected
  • Ask for information to be erased
  • Request restriction of processing
  • Object to processing
  • Receive certain information in a portable format
  • Withdraw consent
  • Object to direct marketing
  • Complain to a supervisory authority

These rights are not absolute. A request may be restricted where another legal obligation, confidentiality requirement, safeguarding consideration or lawful exemption applies.

The ICO requires privacy information to explain the rights available to individuals, including access, rectification, erasure, restriction, objection and portability where applicable.

To exercise a right, email jude@judemorrow.co.

We may need to confirm your identity before releasing or changing information.

Where information is controlled by ASG, your request may need to be sent to ASG.

19. Automated decision-making

We do not use solely automated decision-making to determine whether a person receives an Autism or ADHD diagnosis.

Clinical outcomes are determined through professional assessment and clinical judgement.

Website analytics or administrative systems may automate routine actions, such as:

  • Sending booking confirmations
  • Flagging failed payments
  • Issuing appointment reminders
  • Routing contact forms

These routine processes do not determine a diagnostic outcome.

20. Complaints

Please contact us first if you have concerns about how your information has been handled:

Email: jude@judemorrow.co

We will aim to investigate the concern and respond within a reasonable period.

You also have the right to complain to the Information Commissioner’s Office, the UK supervisory authority for data protection.

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113

People based in the Republic of Ireland may also be entitled to contact the Irish Data Protection Commission where EU data-protection law applies.

The ICO recommends giving individuals the details of the supervisory authority most likely to handle their complaint.

21. Changes to this policy

We may update this policy where:

  • Services change
  • Technology or providers change
  • The ASG pathway changes
  • Legal or regulatory requirements change
  • New payment, booking or website tools are introduced

The current version will be published on this website with the effective date shown at the top.

Material changes may also be communicated directly where appropriate.

22. Contact

For questions, requests or complaints relating to this policy, contact:

Jude Morrow
Jude Morrow Neurodiversity Advice & Diagnostics
Email: jude@judemorrow.co
Address: Health Hub Professionals, 1 Hyde Business Park, Derry. BT480LU

.