Privacy Policy

Last updated: March 2026

1. Who we are

True Integrated Care Ltd (trading as “DOPA”) is the data controller responsible for your personal data. We are a CQC-registered private healthcare provider (CQC registration ID: 1-6637864915) offering ADHD assessment and treatment services to adults aged 18 and over in the United Kingdom.

For all data protection enquiries, including subject access requests, please contact our data protection lead:

2. What personal data we collect

We collect the following categories of personal data depending on how you interact with us:

Identity data

  • Full name
  • Date of birth
  • Gender

Contact data

  • Email address
  • Telephone number
  • Postal address

Health data — special category under UK GDPR

This is the most sensitive category of personal data we process. It includes:

  • ADHD screening questionnaire responses
  • ADHD assessment results and clinical findings
  • Mental health history (current and past)
  • Medication history and current prescriptions
  • GP records shared with us (with your consent)
  • Consultation notes and correspondence with our clinicians
  • Diagnosis and treatment plans
  • Controlled drug prescription records

Financial data

Payment card details are collected and processed by Stripe, our PCI-DSS compliant payment processor. Where you choose a deposit or subscription payment option, Stripe securely stores your card details on our behalf so we can collect future payments. DOPA does not have direct access to your full card number. We retain a record of the transaction amount and date for accounting purposes.

Technical data

  • IP address
  • Browser type and version
  • Device type and operating system
  • Pages visited and time spent on site
  • Cookie identifiers (see our Cookie Policy)

Communication data

  • Emails and messages you send us
  • Appointment booking records and confirmations
  • Feedback and complaints

3. How we collect your data

Directly from you

  • When you complete our online booking form or screening questionnaire
  • When you attend a clinical consultation (in person or online)
  • When you contact us by email or phone
  • When you make a payment through our website
  • When you subscribe to service communications

From third parties

  • Your NHS GP — we may request relevant medical records with your explicit consent
  • Referral letters from other healthcare professionals (with your consent)
  • Pharmacies — confirmation of prescription dispensing

Automatically

When you visit dopa.co.uk, we automatically collect certain technical data via cookies and similar technologies. You can control non-essential cookies through our cookie consent banner.

4. Our lawful basis for processing

UK GDPR requires us to have a lawful basis before processing your personal data. For health data, we must also satisfy a condition under Article 9. Our bases are:

  • Your clinical care— contract (Article 6(1)(b)) and healthcare provision (Article 9(2)(h)). This is our primary basis for all clinical data.
  • Legal obligations— tax, CQC reporting, and controlled drug record-keeping (Article 6(1)(c)).
  • Your consent— analytics cookies and marketing communications only (Article 6(1)(a)).
  • Legitimate interests— website security and fraud prevention (Article 6(1)(f)).

5. Why we process your data

  • Providing ADHD assessment, diagnosis, and treatment services
  • Managing your appointments and sending appointment reminders
  • Processing payments for our services
  • Issuing and managing prescriptions (including controlled drugs)
  • Sharing information with your GP for shared care arrangements (with your consent)
  • Communicating with pharmacies for prescription dispensing
  • Maintaining clinical records as required by CQC and professional standards
  • Responding to complaints and queries about your care
  • Complying with legal and regulatory obligations
  • Sending service-related communications (appointment confirmations, follow-up information)
  • Sending marketing communications (only where you have given explicit consent)
  • Analysing website usage to improve our services (only where you have consented to analytics cookies)
  • Protecting the security of our website and systems

6. Who we share your data with

We do not sell your personal data. We share your data only where necessary, with the following categories of recipient:

Technology & infrastructure providers

  • Payment processor (PCI-DSS compliant — securely stores card details for future payments)
  • Database hosting (EU-based servers)
  • Email delivery
  • Website hosting
  • Security and fraud prevention

Healthcare providers

  • Your NHS GP — we share relevant clinical information for shared care arrangements. This is only done with your explicit consent and in your clinical interest.
  • Pharmacies — we transmit prescription information to your chosen pharmacy for dispensing.

Regulatory & legal bodies

  • Care Quality Commission (CQC) — we are legally required to share information for regulatory inspections and notifications.
  • Professional regulatory bodies (GMC, NMC, HCPC, GPhC) — if required for fitness-to-practise investigations.
  • HMRC — for tax reporting and financial record-keeping.
  • Courts & law enforcement — only where we are legally required to do so.

All our third-party processors are bound by data processing agreements and are required to process your data only on our instructions and in accordance with applicable data protection law.

7. International data transfers

Our primary database is hosted on EU-based servers. Some of our other technology providers may transfer or process your data outside the United Kingdom. Where this occurs, we ensure that appropriate safeguards are in place, including:

  • UK International Data Transfer Agreements (UK IDTAs) approved by the Secretary of State; or
  • The UK Addendum to EU Standard Contractual Clauses (SCCs); or
  • Transfers to countries with UK adequacy decisions.

We will only transfer your data internationally where we are satisfied that adequate protections are in place. You can request details of the specific safeguards applicable to any transfer by emailing hello@dopa.co.uk.

8. How long we keep your data

We keep your personal data only for as long as necessary for the purposes set out in this policy, and in line with our legal and regulatory obligations. Our key retention periods are:

Data typeRetention period
Clinical records (assessment, diagnosis, consultation notes)Minimum 8 years after last treatment (NHS Records Management Code of Practice)
Controlled drug prescription recordsMinimum 2 years (Misuse of Drugs Regulations 2001)
Financial records (invoices, payments)6 years (HMRC requirements)
Booking records6 years
Website analytics data26 months
Marketing consent recordsDuration of consent plus a reasonable period thereafter
CAPTCHA and security logs90 days

At the end of the applicable retention period, your data is securely deleted or anonymised. Where anonymisation is used, the resulting data can no longer be linked back to you and is no longer subject to this policy.

9. Your data protection rights

Under UK GDPR, you have the following rights. These rights are not absolute — some are subject to exemptions, particularly where data is held for healthcare or legal purposes.

Right of access (Subject Access Request)

You can request a copy of the personal data we hold about you. This is free of charge and we will respond within one month. We may ask you to verify your identity before releasing information.

Right to rectification

If any information we hold about you is inaccurate or incomplete, you can ask us to correct it. We will do so within one month.

Right to erasure (“right to be forgotten”)

You can ask us to delete your personal data in certain circumstances. Please be aware that we may be legally required to retain clinical records for a minimum of 8 years and controlled drug records for at least 2 years, even following an erasure request. We will inform you if an exemption applies.

Right to restrict processing

You can ask us to pause processing of your data in certain circumstances — for example, while you contest its accuracy or the lawfulness of our processing.

Right to data portability

Where processing is based on consent or contract and carried out by automated means, you can ask us to provide your data in a structured, commonly used, machine-readable format so you can transfer it to another provider.

Right to object

You can object to processing based on legitimate interests or for direct marketing purposes at any time. If you object to direct marketing, we will stop immediately. For other processing, we will assess whether our legitimate interests override your objection.

Right to withdraw consent

Where we rely on consent, you can withdraw it at any time by contacting us. Withdrawal does not affect the lawfulness of processing before withdrawal.

To exercise any of these rights, email us at hello@dopa.co.uk with your full name, email address, and a description of your request. We will respond within one month and may ask you to verify your identity before we proceed.

10. How we keep your data secure

We use appropriate technical and organisational measures to protect your personal data, including encryption, access controls, and staff training.

11. Cookies

We use cookies and similar tracking technologies on dopa.co.uk. Essential cookies are necessary for the site to function and do not require your consent. Analytics and marketing cookies are only placed with your consent, in accordance with the Privacy and Electronic Communications Regulations (PECR).

You can manage your cookie preferences at any time via the cookie settings banner on our website. For full details of the cookies we use and how to control them, please see our Cookie Policy.

12. How to raise a concern or complaint

If you have a concern about how we handle your personal data, we would appreciate the opportunity to address it before you approach a regulator. Please contact us first at hello@dopa.co.uk and we will do our best to resolve your concern promptly.

If you remain unsatisfied, you have the right to lodge a complaint with the UK supervisory authority:

  • Information Commissioner's Office (ICO)
  • Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
  • Website: ico.org.uk

13. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will update the “Last updated” date at the top of this page and, where required, notify you by email or through a prominent notice on our website.

We encourage you to review this policy periodically. Continued use of our services after any changes constitutes your acknowledgement of the updated policy.

If you have any questions about this policy or our data practices, please contact us at hello@dopa.co.uk.