GDPR Compliance

Last updated: May 8, 2026

Our Commitment to GDPR

NeuroMech is committed to protecting your personal data in accordance with the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018. This page explains how we comply with these regulations and what rights you have regarding your personal information.

Data Controller

NeuroMech is the data controller responsible for your personal data. Our contact details are:

NeuroMech
42 Wellington Street
London WC2E 7BD
United Kingdom
Email: [email protected]

Lawful Basis for Processing

We process your personal data under the following lawful bases:

  • Consent: When you provide explicit consent for us to process your data for specific purposes
  • Contract: When processing is necessary to fulfill our contract with you for educational services
  • Legal Obligation: When we must process data to comply with legal requirements
  • Legitimate Interests: When processing is necessary for our legitimate business interests, balanced against your rights

Your GDPR Rights

Under GDPR, you have the following rights regarding your personal data:

Right to Access

You have the right to request a copy of the personal data we hold about you. This is known as a Subject Access Request (SAR).

Right to Rectification

You can request that we correct any inaccurate or incomplete personal data we hold about you.

Right to Erasure

Also known as the "right to be forgotten," you can request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purpose it was collected.

Right to Restrict Processing

You can request that we limit how we use your personal data in certain situations, such as when you contest the accuracy of the data.

Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.

Right to Object

You can object to the processing of your personal data in certain circumstances, particularly when we process data based on legitimate interests or for direct marketing purposes.

Right to Withdraw Consent

Where we rely on consent to process your data, you have the right to withdraw that consent at any time.

Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects. We do not currently engage in automated decision-making.

How to Exercise Your Rights

To exercise any of your GDPR rights, please contact us:

  • Email: [email protected]
  • Write to: NeuroMech, 42 Wellington Street, London WC2E 7BD, United Kingdom

We will respond to your request within one month of receipt. In complex cases, we may extend this period by two additional months, and we will inform you of any such extension.

Data Security

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of personal data in transit and at rest
  • Regular security assessments and updates
  • Access controls and authentication measures
  • Staff training on data protection
  • Incident response procedures

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay. We will also report certain types of breaches to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach.

Data Protection Officer

While not legally required to appoint a Data Protection Officer, we have designated a privacy lead who oversees our GDPR compliance. You can contact them at [email protected] with any data protection queries.

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including:

  • Programme enrollment and delivery: Duration of the programme plus 6 years (in line with UK education and tax requirements)
  • Marketing communications: Until you unsubscribe or request deletion
  • Website analytics: Typically 14 months

International Data Transfers

We primarily process data within the United Kingdom. If we transfer data outside the UK, we ensure appropriate safeguards are in place, such as:

  • Standard contractual clauses approved by the ICO
  • Adequacy decisions recognizing equivalent data protection standards
  • Other legally approved transfer mechanisms

Children's Data

We provide educational services to children. When processing children's data, we:

  • Obtain parental or guardian consent before collecting data
  • Limit data collection to what is necessary for service delivery
  • Implement enhanced security measures
  • Provide parents with access to review and manage their child's information

Third-Party Processors

When we use third-party service providers to process data on our behalf, we:

  • Conduct due diligence to ensure they meet GDPR standards
  • Enter into data processing agreements with appropriate safeguards
  • Monitor their compliance with data protection obligations

Complaints

If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
United Kingdom
Phone: 0303 123 1113
Website: ico.org.uk

Updates to This Policy

We may update this GDPR compliance statement from time to time to reflect changes in our practices or legal requirements. The "Last updated" date at the top of this page indicates when the most recent changes were made.

Contact Us

For any questions about our GDPR compliance or to exercise your rights, please contact us at [email protected].