Data Protection and Privacy Policy

Adhdful Coaching

Policy Owner / Data Controller: Emma Cose
Role: ADHD Life Coach
ICO Registration Reference: ZB993512
Date of last review: January 2026
Next review due: January 2027

1. Background

Adhdful Coaching understands that your privacy is important and is committed to protecting your personal data. This policy explains how personal data is collected, used, stored, and protected in line with UK data protection law and guidance from the Information Commissioner’s Office (ICO).

Adhdful Coaching operates as a sole trader, providing online, one-to-one ADHD coaching services to adults and young people aged 14–18 only. 

2. Information About Adhdful Coaching

Business name: Adhdful Coaching
Data Controller: Emma Cose
ICO Registration Reference: ZB993512
Website: https://www.adhdful.co.uk

3. What Does This Policy Cover?

This policy explains:

  • What personal data is

  • What data is collected and why

  • How personal data is stored and protected

  • How long data is retained

  • Your rights under UK GDPR

This policy applies to all clients, including organisations, adults, young people aged 14–18, and to parents/carers where applicable.

4. What Is Personal Data?

Personal data is defined by UK GDPR as any information relating to an identifiable person. This includes information that can identify you directly or indirectly.

Personal data may include names, contact details, health-related information, and online identifiers.

5. What Personal Data Is Collected?

Depending on your relationship with Adhdful Coaching, the following data may be collected:

  • Name

  • Email address

  • Telephone number

  • Address

  • Coaching intake information

  • Information relating to neurodivergence (e.g. ADHD, autism)

  • Relevant wellbeing or mental health information

For clients under 18, parental or guardian contact details and those of a safeguarding contact are also collected.

Only data that is necessary and relevant is collected.

6. How Is Personal Data Used?

Personal data is used for the following purposes:

  • Providing ADHD coaching services

  • Managing bookings and communications

  • Maintaining appropriate coaching records

  • Safeguarding

  • Meeting legal or regulatory obligations

Personal data is never used for marketing without consent.

7. Lawful Basis for Processing

Under UK GDPR, personal data is processed on the following lawful bases:

  • Consent – provided through intake forms and coaching agreements

  • Contract – processing necessary to deliver coaching services

  • Legal obligation – including safeguarding duties

  • Vital interests – where processing is necessary to prevent serious harm

Special category data is processed with explicit consent and appropriate safeguards.

8. How and Where Data Is Stored

Personal data is stored securely in the UK using a combination of digital and paper-based systems.

Digital data

Digital personal data is stored using:

  • Password-protected devices and accounts

  • Secure cloud-based storage systems

  • Encrypted or secure software platforms where available

  • Restricted access (sole practitioner only)

Paper records

Paper-based records, including handwritten coaching notes where used, are:

  • Kept to a minimum

  • Stored securely in a locked cabinet or secure location

  • Accessible only to the data controller

  • Never left unattended or visible to others

Safeguarding records are stored securely and separately from general coaching notes, whether held digitally or in paper form.

9. How Long Is Data Kept?

Personal data is retained only for as long as necessary and in line with data protection and safeguarding guidance.

Unless there is a legal, safeguarding, or regulatory reason to retain data for longer, the following retention periods apply:

  • Adult client records (digital and paper): One year after coaching ends

  • Records relating to young people (digital and paper): One year after coaching ends

  • Safeguarding records: One year after coaching ends, but could be retained for longer where required, in line with safeguarding guidance and legal obligations

Paper records are securely shredded once retention periods expire. Digital records are securely deleted or anonymised.

10. Do You Share My Personal Data?

Personal data is not shared with third parties except:

  • Where required for safeguarding purposes

  • Where there is a legal obligation

  • With explicit written consent

  • With professional supervisors (anonymised where possible)

Personal data is never sold or shared for commercial purposes.

11. Your Rights

Under UK GDPR, you have the right to:

  • Be informed about how your data is used

  • Access your personal data (subject access request)

  • Request rectification of inaccurate data

  • Request erasure where applicable

  • Restrict or object to processing

  • Data portability

Requests should be made in writing and will be responded to within one calendar month.

You also have the right to complain to the Information Commissioner’s Office (ICO).

12. Children and Young People

Adhdful Coaching works with young people aged 14–18.

Parental consent is required for under-18s, and data processing is explained in an age-appropriate way. 

13. Data Breaches

A personal data breach is any accidental or unlawful loss, disclosure, or access to personal data.

If a breach occurs:

  • The breach will be assessed promptly

  • Steps will be taken to reduce risk

  • The ICO will be notified within 72 hours if required

  • Affected individuals will be informed if there is a high risk to their rights and freedoms

14. Training and Awareness

As a sole practitioner, Emma Cose undertakes regular GDPR and data protection training to ensure ongoing compliance and good practice.

15. Changes to This Policy

This policy may be updated to reflect changes in legislation or business practices. The most current version will always be available on the Adhdful Coaching website.

Signed:
Emma Cose
ADHD Life Coach
Adhdful Coaching