Your Privacy Matters to Us

Cognition Care is committed to keeping your personal information safe and secure. This notice explains how we handle your data and your rights under UK GDPR.

Privacy & GDPR Notice

  • 1. Who We Are

    Cognition Care Ltd (“Cognition Care”, “we”, “our”, “us”) is a company registered in England and Wales (Company No. 15824475). We provide healthcare assessment, diagnosis, treatment and support services relating to neurodevelopmental and mental health conditions.

    Cognition Care Ltd acts as the Data Controller for personal data processed in connection with the services described in this Privacy Notice.

    Registered office: Unit 4B, Ridgeway Court, Leighton Buzzard, Bedfordshire, LU7 4SJ.

    We are:

    • Registered with the Care Quality Commission (CQC) as an independent healthcare provider in England.

    • Registered with the Information Commissioner’s Office (ICO) under registration number ZB862099 as a Data Controller under the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018.

    For any queries about this Privacy Notice, or to exercise your data rights, you can contact us at:
    support@cognitioncare.co.uk (please include “Data Protection” in the subject line)
    Registered office: Unit 4B, Ridgeway Court, Leighton Buzzard, Bedfordshire, LU7 4SJ

  • This Privacy Notice explains how Cognition Care Ltd collects, uses, stores and protects your personal data.

    It applies to:

    • Patients and clients who use our services

    • Parents, carers, or nominated representatives

    • Referring healthcare professionals or organisations involved in a patient’s care

    • Visitors to our website or individuals making enquiries

    We are committed to protecting your privacy and handling your personal data in accordance with applicable data protection law and healthcare confidentiality standards, including:

    • The UK General Data Protection Regulation (UK GDPR)

    • The Data Protection Act 2018

    • The Caldicott Principles for confidentiality in health and social care

    • Relevant healthcare and professional regulatory requirements, including those of the Care Quality Commission (CQC)

  • The type of information we collect depends on your relationship with Cognition Care. This may include:

    • Personal details: name, date of birth, contact details and address
    • Health information: medical history, current symptoms, family history, medication details and relevant lifestyle factors
    • Assessment materials: pre-appointment questionnaires, forms, test results and consultation notes
    • Communication records: emails, messages, telephone call notes and video consultation logs
    • Third-party details: information relating to your GP, pharmacy, referrer or nominated representative where relevant to your care
    • Administrative information: payment records, invoices and finance applications (where applicable)
    • Website data: online form submissions, cookies and usage data (see Section 11)

    Some of the information we collect is classified as special category personal data under UK GDPR, including health information. This data is processed where necessary for the provision of healthcare and safeguarding purposes, and is subject to enhanced confidentiality and security protections.

    We only collect the minimum information necessary to provide safe and effective care and to meet our legal and regulatory obligations.

  • We may collect personal data when you:

    • Complete a contact form on our website
    • Book an appointment or submit medical forms
    • Speak with a clinician or member of our administrative team
    • Use our services (for example clinical assessment, treatment, coaching or prescribing)

    In some circumstances we may also receive information from third parties where this is necessary for the provision of healthcare or required by law. For example:

    • Where another healthcare professional shares relevant clinical information with us (such as your GP or pharmacy)
    • Where a family member, partner, parent, teacher or other informant provides information as part of a clinical assessment
    • Where a safeguarding authority, regulator or court provides information we are legally required to record
    • Where information is shared to protect you or others from serious risk of harm

    We only collect and record the minimum data necessary to provide safe and effective care.

  • We use your personal data to:

    • Provide safe and effective care - including assessments, reports, prescribing, and ongoing treatment.
    • Coordinate care with other healthcare professionals - for example sharing relevant information with your GP, pharmacy, or another provider where this is necessary for your care or required by law.
    • Maintain accurate clinical and administrative records - ensuring your information is up to date and available to those involved in your care.
    • Manage appointments and communications - such as confirming bookings, sending reminders, or responding to enquiries.
    • Meet legal, safeguarding and regulatory obligations - including duties under healthcare regulation and professional standards.
    • Improve our services by reviewing anonymised or aggregated data which does not identify individual patients.

    We never sell, trade, or share your data with third parties for marketing or non-care purposes.

  • Under UK GDPR, we process your data using one or more lawful bases:

    • Consent – where you have given clear permission for us to process your information for a specific purpose.
    • Contract – where we need your information to deliver the healthcare services you have requested.
    • Legal obligation – where we are required by law to retain or share certain records.
    • Vital interests or safeguarding – in rare cases, to protect life or prevent serious harm.
    • Legitimate interests – we may process limited non-clinical data (such as contact details for reminders, or anonymised service usage for audits) where it is necessary to support the safe and efficient running of Cognition Care.

    Where we process special category health data (such as medical information), we do so in accordance with Article 9 of the UK GDPR. In most cases this processing is necessary for the provision of health or social care and the management of healthcare services.

  • We only share your information where it is necessary, lawful, and proportionate for the provision of healthcare or to meet legal obligations.

    This may include:

    • Your GP or nominated healthcare professional – where relevant to your care and where appropriate in accordance with healthcare confidentiality and data protection law.
    • Other healthcare providers involved in your care – where necessary for treatment, referrals, or continuity of care.
    • Signature Pharmacy – all prescriptions issued via SignatureRx are dispensed through Signature Pharmacy. We share only the clinical details required for safe dispensing. Payment for medication is made directly to Signature Pharmacy and Cognition Care does not access or store your financial data.
    • Emergency services or safeguarding teams – where there is a risk of serious harm to you or others, or where required by law.
    • Our secure clinical systems – such as Semble (patient records) and SignatureRx (e-prescribing).
    • Regulators or insurers – where legally required for audit, compliance, or indemnity purposes.
    • Humm Finance – where you apply for a finance agreement, your information is submitted directly to Humm. Cognition Care does not access or store your financial data but may receive confirmation of approval or decline.
    • Secure digital service providers – including clinical systems, document management tools, and other secure digital platforms used to support service delivery under strict data protection obligations.

    We will aim to inform you before sharing information unless doing so would increase risk or we are legally prevented from doing so.

    We never sell or share your data for marketing purposes.

    Some of the organisations listed above act as data processors and provide secure technical services on our behalf. These providers are contractually required to protect personal data and may only process information in accordance with our instructions and applicable data protection law.

  • All personal data is stored securely using encrypted systems designed to support compliance with UK data protection law. We use:

    • Semble – our clinical platform and electronic health record system
    • SignatureRx – for issuing prescriptions
    • Secure cloud storage and email systems (e.g. Microsoft 365, Squarespace forms) for communication and administrative records

    Access to your information is strictly limited to authorised Cognition Care personnel involved in your care, or those supporting the safe operation of our services.

    We apply the following safeguards:

    • Role-based access controls – staff only see the information they need for their role
    • Encryption in transit and at rest – all records and communications are protected against unauthorised access
    • Audit trails – all access and changes to records are logged
    • Regular data protection training – all staff are trained on confidentiality, GDPR, and information security
    • Business continuity and backup systems – to protect your data in case of system failure

    Clinical records are not stored locally on staff devices and are maintained within secure cloud-based systems accessible only through secure logins.

    Where data is processed using cloud service providers, appropriate safeguards are in place to ensure personal data is protected in accordance with UK data protection law.


  • We retain records in line with NHS and regulatory guidance (Records Management Code of Practice for Health and Social Care 2021):

    • Adults – a minimum of 8 years after the conclusion of treatment or last contact with the service.
    • Children and young people – until the patient’s 25th birthday, or 8 years after the conclusion of treatment, whichever is longer.
    • Mental health records – in some cases may need to be retained for longer where clinically appropriate.

    After these periods, records are securely deleted, anonymised, or archived in accordance with applicable legal and regulatory requirements.

    We may also retain some information for a longer period where required by law, for example:

    • Controlled drug records (in line with medicines legislation)
    • Safeguarding records (where retention may be extended due to ongoing risk)
    • Financial or tax records (in line with HMRC requirements)

    We never keep your data longer than necessary.

  • Under UK GDPR, you have the right to:

    • Access – request a copy of the personal data we hold about you.
    • Rectification – ask us to correct any inaccurate or incomplete information.
    • Erasure – request deletion of your personal data where there is no lawful reason for us to continue processing it.
    • Restriction – ask us to limit how your data is used in certain circumstances.
    • Objection – object to the use of your data for specific purposes (e.g. marketing – although we do not use your data for marketing).
    • Data portability – request that information you provided to us is transferred to another provider, where technically possible.
    • Withdraw consent – where we rely on consent as the lawful basis for processing, you may withdraw this at any time.
    • Complain – lodge a complaint with the Information Commissioner’s Office (ICO) if you believe your data protection rights have been breached.

    To exercise any of these rights, please email us at support@cognitioncare.uk.
    We will normally respond within one month, in line with UK data protection law.

    In healthcare settings, some requests (such as deletion of medical records) may be limited where we are required to retain records under legal, regulatory, or clinical governance obligations.

    Exercising your rights will never affect the quality of care you receive from Cognition Care.

  • Our website uses cookies to ensure the site functions correctly, improve performance, and understand how visitors use the website.

    We do not use advertising cookies and we do not use cookies to build marketing profiles of visitors.

    Some cookies may collect anonymised usage information for website analytics. Where required, these cookies are used only with your consent through the cookie settings available on our website.

    You can manage your cookie preferences through the cookie settings on our website or through your browser settings at any time.

    For full details of the cookies we use, how long they are stored, and how to control them, please see our Cookie Policy.

  • If you have any questions about this Privacy Notice or how we handle your personal data, please contact us:

    Email: support@cognitioncare.uk

    Post:
    Cognition Care Ltd
    Unit 4B, Ridgeway Court
    Leighton Buzzard
    Bedfordshire
    LU7 4SJ

    Phone: 020 3818 8008

    We aim to respond to enquiries within one month, in line with UK data protection law.

    If you remain dissatisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at www.ico.org.uk or by calling 0303 123 1113.

  • This Privacy & GDPR Notice may be updated periodically to reflect:

    • Changes in UK data protection law or other relevant regulation
    • Updates to clinical systems or digital platforms we use
    • Amendments to our internal governance and safeguarding processes
    • Changes in how we provide or deliver services

    The most current version will always be published on our website.

    By using our website or engaging with our services, you acknowledge that this Privacy Notice explains how Cognition Care collects, uses, and protects personal data.

    Last reviewed: 6 March 2026