Privacy Notice

1. Legal Basis for Processing

Personal data we hold about you will be processed because:

• the processing is necessary in order for us to comply with our obligations under a contract between you and us, specifically for the provision of our services; or

• the processing is necessary in pursuit of a "legitimate interest", meaning a valid interest we or a third party has in processing your personal data which is not overridden by your interests in data privacy and security; or

• we have your consent to the processing, in the case of information relating to health or other "special category" information for which additional safeguards are required.

2. Personal Data We Collect

We may collect and process the following personal data (information that can be uniquely identified with you) about you:

• Health Information: information relating to health which we hold and process in the provision of our services, which may include information about your medical or health history, medication which has been prescribed for you, any conditions which may affect you, details of medical professionals you interact with and related information;

• Client Contact Information: for individuals associated with our clients or potential clients, contact information such as names, email addresses, phone numbers, and addresses;

• Third Party Contact Information: for individuals associated with our suppliers, potential suppliers and other third parties we interact with, contact information such as names, email addresses, phone numbers, addresses, and job titles and/or specific roles within your organisation;

• Communication Information: a record of any correspondence or communication between you and us in the delivery of our services and any information we may require from you when you report a problem or submit a complaint;

• Service Information: information we hold and process in the provision of our services, which may include information about your business and personal life, travel, and events you attend;

• Marketing Information: marketing information we may hold about you in order to provide information about our services, which may include names, email addresses, phone numbers, addresses, and job titles.

We will collect information either from you directly or from a third party (for instance a family member). If we obtain your personal data from a third party, your privacy rights under this notice are not affected and you are still able to exercise the rights contained within this notice.

You do not have to supply any personal information to us, but in practice we may be unable to provide our services to you without personal data (for instance we will need contact information in order to communicate with you). You may withdraw our authority to process your personal data (or request that we restrict our processing) at any time, but there are circumstances in which we may need to continue to process personal data.

3. How We Process Your Data

We process your personal data for the following purposes:

• Setting up a relationship with a client or potential client, or entering into an agreement to provide services. We process Client Contact Information and Communication Information on the basis of performance of a contract with you and our legitimate interests in establishing the necessary information to provide our services.

• Communicating with our clients to provide our services. We process Client Contact Information, Communication Information, Service Information and Health Information on the basis of performance of a contract with you, our legitimate interests in delivering our services, and your consent.

• Providing clinical assessment and diagnostic services. We process Client Contact Information, Communication Information, Service Information and Health Information on the basis of performance of a contract with you, our legitimate interests in delivering our services, and your consent.

• Communicating with a supplier or another third party we interact with in relation to the provision of our services or the services of the supplier. We process Third Party Contact Information, Communication Information and Health Information on the basis of performance of a contract with you, our legitimate interests in delivering our services, and your consent.

• Communicating with you or our clients about our services (for instance if a client requests assistance or makes a complaint). We process Client Contact Information, Communication Information, Service Information and Health Information on the basis of performance of a contract with you, our legitimate interests in running our business and providing our services, and your consent.

• Managing our relationship with our clients and suppliers and otherwise providing our services. We process Client Contact Information, Communication Information, Service Information and Health Information on the basis of performance of a contract with you, compliance with a legal obligation, our legitimate interests in delivering our services, and your consent.

• Storing your contact information for marketing purposes and sending marketing and other promotional communications. We process Client Contact Information and Marketing Information on the basis of our legitimate interests in promoting our services to business customers.

4. Data Retention

Our current data retention policy is to delete or destroy (to the extent we are able to) the personal data we hold about you in accordance with the following:

• Records relevant for tax and customs authorities: 8 years from the end of the year to which the records relate.

• Personal data processed in relation to a contract between you and us: 7 years from either the end of the contract or the date you last used our service, being the length of time following a breach of contract in which you are entitled to make a legal claim.

• Personal data held on marketing or business development records: 3 years from the last date on which a data subject has interacted with us.

For any category of personal data not specifically defined in this notice, and unless otherwise specified by applicable law, the required retention period will be deemed to be 7 years from the date of receipt by us.

The retention periods stated in this notice can be prolonged or shortened as may be required (for example, in the event that legal proceedings apply to the data or if there is an on-going investigation).

We review the personal data we hold on a regular basis to ensure it is still relevant and accurate. If we discover that certain data is no longer necessary or accurate, we will take reasonable steps to correct or delete it. If you wish to request that data we hold about you is amended or deleted, please refer to your privacy rights below.

5. Sharing Your Information

We do not disclose any information you provide to any third parties other than as follows:

• we may share information relating to our clients and customers in the ordinary course of the provision of our services;

• if we are under a duty to disclose or share your personal data in order to comply with any legal obligation (for example, if required to do so by a court order or for the purposes of prevention of fraud or other crime);

• in order to enforce any terms and conditions or agreements for our services that may apply;

• if we are sub-contracting services to a third party, we may provide information to that third party in order to provide the relevant services;

• we may transfer your personal information to a third party as part of a sale of some or all of our business and assets, or as part of any business restructuring or reorganisation, but we will take steps with the aim of ensuring that your privacy rights continue to be protected;

• to protect our rights, property and safety, or the rights, property and safety of our users or any other third parties, including exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

Other than as set out above, we will not disclose any of your personal information unless either you give us permission to do so or we have taken steps to ensure that your privacy rights are protected.

6. Security

We will take all reasonable steps to ensure that appropriate technical and organisational measures are carried out in order to safeguard the information we collect from you and protect against unlawful access and accidental loss or damage. These measures may include (as necessary):

• protecting our servers with software firewalls;

• locating our data processing storage facilities in secure locations;

• encrypting all data stored on our server with an industry-standard encryption method that encrypts the data between your computer and our server, so that in the event of your network being insecure no data is passed in a format that could easily be deciphered;

• when necessary, disposing of or deleting your data securely;

• regularly backing up and encrypting data we hold.

We will ensure that our employees are aware of their privacy and data security obligations, and we will take reasonable steps to ensure that the employees of third parties working on our behalf are aware of their privacy and data security obligations. This notice and our procedures for handling personal data will be reviewed as necessary.

7. Your Privacy Rights

The UK GDPR gives you the following rights in respect of personal data we hold about you:

• Right to be informed: you have a right to know about our personal data protection and data processing activities, details of which are contained in this notice.

• Right of access: you can make a Subject Access Request (“SAR”) to request information about the personal data we hold about you (free of charge, save for reasonable expenses for repeat requests).

• Right to correction: please inform us if information we hold about you is incomplete or inaccurate, and we will update our records as soon as possible, in any event within one month. We will take reasonable steps to communicate the change to any third parties to whom we have passed the same information.

• Right to erasure (the “right to be forgotten”): please notify us if you no longer wish us to hold personal data about you. Unless we have reasonable grounds to refuse the erasure, we will securely delete the personal data in question within one month of receipt of such a request. Data may continue to exist in certain backups, but we will take steps to ensure that it will not be accessible. We will communicate the erasure to any third parties to whom we have passed the same information.

• Right to restrict processing: you can request that we no longer process your personal data in certain ways, whilst not requiring us to delete the same data. Some of our services will not be available if processing is restricted.

• Right to data portability: you have the right to receive copies of personal data we hold about you in a commonly used and easily storable format. You may also request that we transfer your personal data directly to a third party (where technically possible).

• Right to object: unless we have overriding legitimate grounds for such processing, you may object to us using your personal data for direct marketing purposes (including profiling) or for research or statistical purposes.

• Right to withdraw consent: if we are relying on your consent as the basis on which we are processing your personal data, you have the right to withdraw your consent at any time. Even if you have not expressly given your consent, you also have the right to object as set out above.

All SARs and other requests or notifications in respect of your above rights must be sent to us in writing using the contact details below. We will endeavour to comply with such requests as soon as possible, in any event within one month of receipt (unless a longer period of time to respond is reasonable by virtue of the complexity or number of your requests).

8. Email and Other Communications

If you are a current or former client of ours we may from time to time contact you. We may also contact you with information about our services if you have expressly consented to receive such communications (e.g. by signing up via our website).

When we send email and other electronic communications we will comply with applicable regulations including the Privacy and Electronic Communications Regulations 2003. In particular we will identify the nature of the message and the sender clearly, and you will have an opportunity to opt out of receiving any further communications from us.

9. Data Breaches

If personal data we hold about you is subject to a breach or unauthorised disclosure or access, we will report this to the Information Commissioner’s Office (ICO) and/or our data protection manager. If a breach is likely to result in a risk to your data rights and freedoms, we will notify you as soon as possible.

10. Other Websites

Our website may contain links and references to other websites. Please be aware that this notice does not apply to those websites.

We cannot be responsible for the privacy policies and practices of sites that are not operated by us, even if you access them via our website. In addition, if you arrive on our website via a third party site, we cannot be responsible for the privacy policies and practices of the owners or operators of that third party site, and we recommend that you check the policy of that third party site and contact its owner or operator if you have any concerns or questions.

11. Transferring Your Information Outside Europe

In delivering our services to you, information may be transferred to, processed and stored at, countries or international organisations outside of the UK and European Economic Area (together the “European Area”).

If we transfer your information outside of the European Area in a systematic way, and the third country or international organisation in question has not been deemed by the UK Secretary of State or the EU Commission to have adequate data protection laws, we will provide appropriate safeguards and we will be responsible for ensuring your privacy rights continue to be protected as outlined in this notice. In particular, we will ensure that there is a contract in place with our partners to ensure that your data is processed in accordance with this notice.

By submitting your personal information to us you agree to the transfer, storing or processing of your information outside the European Area in the manner described above.

12. Cookies

A cookie is a small text file which is placed onto your device (for example, computer, smartphone or other electronic device) when you use the platform. We use cookies on the platform to help provide you with the best experience while using our services and the platform.

We use the following cookies:

• Strictly necessary cookies: required for the operation of the platform. These essential cookies are always enabled because the platform will not work properly without them. They include, for example, cookies that enable you to log into secure areas of the platform. You can switch off these cookies in your browser settings, but you may then not be able to access all or parts of the platform.

• Analytical or performance cookies: allow us to recognise and count the number of visitors and to see how visitors move around the platform. This helps us improve the way the platform works, for example by ensuring that users are finding what they are looking for easily.

• Functionality cookies: used to recognise you when you return to the platform. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).

• Targeting cookies: record your visit to the platform, the pages you have visited and the links you have followed. We use this information to make the platform and the advertising displayed on it more relevant to your interests.

We will ask for your consent to place cookies or other similar technologies on your device, except where they are essential for us to provide you with a service that you have requested (for example, providing security for payment activities or ensuring that the platform loads quickly and effectively).

You can withdraw any consent to the use of cookies or other similar technologies, or manage any other such preferences, via the Cookie Settings link in the site footer. It may be necessary to refresh the page for the updated settings to take effect.

A complete list of cookies used on this site, including their category, name, purpose and duration, is available in our Cookie Policy at /cookies.

13. Notification of Changes

We will post details of any changes to our policy on our website to help ensure you are always aware of the information we collect, how we use it, and in what circumstances, if any, we share it with other parties.

14. Complaints About Our Use of Personal Data

If you have concerns about how we handle your personal information, you have the right to make a complaint directly to us. In accordance with the Data Protection Act 2018 (as amended by the Data (Use and Access) Act 2025), we maintain a formal data-protection complaints process that allows you to raise any issues relating to our processing of your personal data. We will acknowledge your complaint within 30 days, investigate it without undue delay, and keep you informed of progress until we provide you with a written outcome.

You can submit a complaint by email using the contact details set out below. We encourage you to contact us first, but if you remain dissatisfied after we have responded, you may escalate your complaint to the Information Commissioner’s Office, the UK’s data-protection authority. Further information about your rights is available at www.ico.org.uk.

Receiving a complaint: data subjects have the right to complain to us about how we handle their personal information. A data-protection complaint may be received by email, in writing, or verbally. We treat any expression of dissatisfaction about our processing of personal data as a potential complaint and log it immediately by notifying the Data Security Lead. We will acknowledge receipt of the complaint within 30 days.

Investigation: the Data Security Lead will take appropriate steps to investigate the complaint without undue delay, including making enquiries, gathering relevant information, and keeping the complainant updated. In accordance with ICO guidance, outcomes will be provided within three months, unless exceptional circumstances apply.

Outcome: once the investigation is complete, we will issue a written outcome explaining our findings and any remedial steps. The complainant will be informed of their right to escalate the matter to the Information Commissioner’s Office if they remain dissatisfied.

15. Data Protection Officer

Neurocheckpro Limited is in the process of formally appointing a Data Protection Officer (DPO) in accordance with its obligations under the UK GDPR and the Data Protection Act 2018. The name and direct contact details of the appointed DPO will be published here once the appointment is confirmed.

In the meantime, all data-protection enquiries, Subject Access Requests, and requests to exercise your privacy rights should be directed to us at support@neurocheckpro.com or by post to the address set out at the foot of this notice. We will ensure that any such enquiry is handled by a suitably qualified member of the team with responsibility for data-protection compliance.

You retain the right at all times to raise a concern or complaint with the Information Commissioner’s Office, the UK’s supervisory authority for data-protection matters, regardless of whether you have first contacted us. Further information is available at www.ico.org.uk.