    Privacy Policy

    Last updated: 17 April 2026

    1. Who we are

    Neurodiversity Global Limited ("NDG", "we", "us", "our") is a company registered in England and Wales. We are the data controller for the personal data described in this policy under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

    Company No.: 16013635
    ICO registration: ZC093855
    Registered address: 3 Holly Lane, Great Horkesley, Colchester, Essex, CO6 4AW
    Data protection contact: hello@neurodiversityglobal.com

    2. What data we collect

    We collect personal data through four surfaces on this website.

    • Contact form (/contact): name, email, organisation (optional), message (optional), and submission timestamp.
    • Package builder (/package-builder): name, email, company, phone, team size, budget range, timeline, selected needs, selected outcomes, additional notes, and the package we recommend based on your answers.
    • Newsletter signup: email address and the page you signed up from.
    • AI assistants (Ask Rich, Concierge, Workshop Finder, Blog Finder): a random session identifier generated in your browser, the assistant you used, the messages you send and receive, message count, your user agent, and the page you came from. The session identifier is cleared when you close the browser tab.

    3. Lawful basis under Article 6 UK GDPR

    • Legitimate interests — responding to contact form and package builder enquiries, and sending business-to-business marketing to named contacts at organisations that fit our services. You can object at any time.
    • Consent — newsletter subscriptions, non-essential cookies, and AI assistant interactions. You can withdraw consent at any time.
    • Contract — delivering paid engagements to client organisations and their nominated contacts.
    • Legal obligation — keeping financial records for tax and audit.

    4. How we use your data

    • Reply to your enquiry, send a quote, or book a discovery call.
    • Recommend a package based on your package builder answers.
    • Send you the newsletter you signed up for.
    • Generate AI assistant replies to your questions.
    • Improve our assistants and content by reviewing aggregate usage.
    • Meet our legal, tax, and contractual obligations.

    5. Who we share your data with

    We do not sell your personal data. We use the following processors:

    • Supabase Inc. — database, authentication, edge functions, and storage. Our project is hosted in the EU (Ireland). A Data Processing Agreement is in place.
    • Google LLC (Gemini 2.5 Flash API) — processes the prompts sent to our AI assistants server-side via Supabase edge functions. We use the paid tier; under Google's Gemini API terms, paid-tier prompts are not used to train Google's models. AI conversation logs are retained on our side for 90 days and then automatically deleted by a scheduled database job.
    • Resend — transactional and system email (for example, account confirmation emails), sent from info.neurodiversityglobal.com.
    • Vercel — static hosting and edge CDN for the website. Vercel holds standard HTTP request logs; no form submissions or account data are stored there.
    • Cal.com — the booking widget embedded at /contact#book-a-call (cal.eu/neurodiversityglobal/30min). Cal.com is an independent controller for the bookings you make through their interface; their privacy notice governs that data.

    We do not currently run website analytics. If we add an analytics tool, we will name it in the Cookie Policy before turning it on.

    We may also disclose data where required by law or to establish or defend legal claims.

    6. International transfers

    Supabase keeps our primary data in the EU (Ireland). Google (Gemini) and Cal.com process data in the United States. Vercel serves traffic from the nearest edge region. Where data leaves the UK or EEA, we rely on the UK–US Data Bridge or the EU–US Data Privacy Framework where the recipient is certified, with the UK International Data Transfer Addendum and Standard Contractual Clauses as a backstop.

    7. Data retention

    • Contact form and package builder enquiries: 24 months from last contact, then deleted.
    • Newsletter subscribers: until you unsubscribe, or 24 months of inactivity.
    • AI conversation logs: 90 days, enforced by a scheduled database job.
    • Client project records: duration of the engagement plus 6 years (UK tax and contract law).
    • Admin accounts: until the account is deleted.

    8. Cookies and similar technologies

    We set a small number of first-party cookies and browser storage items for essential functions: a Supabase auth session (admin areas only), your cookie consent choice (ndg-cookie-consent), your AI session identifier (ndg_session_id), and your accessibility preferences (ndg-a11y-settings). Full detail is in our Cookie Policy.

    9. Your rights under UK GDPR

    You have the right to:

    • Access — ask for a copy of the personal data we hold about you.
    • Rectification — ask us to correct data that is wrong or incomplete.
    • Erasure — ask us to delete your data.
    • Restriction — ask us to pause processing while a question is resolved.
    • Portability — receive your data in a structured, machine-readable format.
    • Object — object to processing based on legitimate interests or direct marketing.
    • Withdraw consent — at any time, where processing relies on consent.

    Email hello@neurodiversityglobal.com to exercise any of these rights. We will respond within one calendar month.

    10. Automated decision-making

    Our AI assistants generate suggestions, not decisions. We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing, so Article 22 UK GDPR does not apply. For advice that affects your organisation, book a discovery call with a person on our team.

    11. Security

    Our database sits in the EU with Row Level Security on every public table. Service role keys stay server-side in Supabase edge functions and are never exposed to the browser. The site is served over HTTPS with a Content Security Policy. Access to admin surfaces requires authentication.

    12. Children

    Our services are aimed at organisations, not children. We do not knowingly collect personal data from anyone under 16. If you are under 16, please do not submit our forms. If you are a parent or guardian and believe your child has submitted data to us, email us and we will delete it.

    13. Changes to this policy

    We will update this page when our processing changes. The "last updated" date at the top shows when the current version took effect. Material changes will also be signposted on the site or by email to subscribers.

    14. Complaints

    If you are not satisfied with how we have handled your data, you can complain to the Information Commissioner's Office.

    Website: ico.org.uk
    Telephone: 0303 123 1113

    See also our Terms and Cookie Policy.