Privacy Policy – Capable Again

1 Introduction

Welcome to Capable Again. Capable Again is the trading name of Im Minded Ltd. This Privacy Policy describes how Capable Again ("we", "us", "our") collects, uses, stores, and protects personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

We provide assistive technology products, workplace coping strategy sessions, and a telephone-based eligibility consultation service to individuals across the United Kingdom. This policy applies to everyone who uses our website, submits an eligibility enquiry form, or interacts with our team.

By submitting an enquiry or requesting a call-back, you acknowledge that you have read and understood how we handle your personal data as described in this policy.

2 Who We Are

Im Minded Ltd is the data controller for all personal data collected through this website. We are registered with the Information Commissioner's Office (ICO) under registration number ZB832770.

We have appointed a Data Protection Officer (DPO) responsible for overseeing this policy and ensuring compliance with UK data protection law. Their contact details are provided in Section 14.

Company Details: Im Minded Ltd | Registered in England & Wales | Company No. 13373334 | 6 Clifton Road, London, E16 4PS

3 Information We Collect

We collect personal data when you complete our online eligibility enquiry form — the gateway to our telephone-based assessment service. The categories of data we collect are:

Personal & Contact Information

Full name — to address you correctly and personalise our service.
Email address — for booking confirmations and pre-call resources.
Telephone number — the number we will call for your eligibility consultation.

Health & Symptom Information

Self-reported symptoms and workplace challenges — descriptions of difficulties you experience at work (e.g. cognitive, physical, sensory, or mental health related).
Disability or condition details — where voluntarily provided, to help us identify relevant assistive technology and coping strategies.

shield

Special Category Data

Health and disability information is classified as Special Category Data under UK GDPR Article 9. We process this data only with your explicit written consent, which you may withdraw at any time.

Employment & Workplace Details

Employment status — employed, self-employed, or in education.
Job role and industry sector — to understand your workplace context and tailor recommendations.
Employer details (if applicable) — to understand your role and any existing workplace adjustments.
Description of workplace impact — how your condition affects your day-to-day tasks and performance.

Service Preferences & Access Needs

Your primary area of interest: assistive technology, coping strategy sessions, or both.
Preferred call-back times and any access requirements for the telephone consultation (e.g. BSL interpreter, live captioning).

Technical Data (Collected Automatically)

IP address, browser type, device type, and pages visited — collected via cookies solely for website analytics purposes.

4 Legal Basis for Processing

Under UK GDPR we must have a lawful basis for every type of processing. The table below sets out each category of data and the basis on which we process it:

Data Type	Legal Basis (UK GDPR)	Article
Name, email, phone, employment details	Legitimate interests — to provide the service you requested	Art. 6(1)(f)
Health, disability & symptom information	Explicit consent — freely given, specific, informed, and unambiguous	Art. 9(2)(a)
Booking confirmations & service delivery	Contract performance	Art. 6(1)(b)
Website analytics & cookies	Consent (via cookie banner)	Art. 6(1)(a)
Legal, tax or regulatory obligations	Legal obligation	Art. 6(1)(c)

Where we rely on explicit consent for health data, you may withdraw that consent at any time without affecting the lawfulness of processing carried out beforehand.

5 How We Use Your Information

We use your personal data only for the following specific, lawful purposes:

call Telephone Eligibility Calls

To schedule and conduct your telephone eligibility assessment and match you to appropriate services and funding pathways.

tune Tailored Recommendations

To identify the most suitable assistive technology products and coping strategy sessions for your specific needs and workplace context.

mail Service Communications

To send booking confirmations, call reminders, pre-session resources, and relevant follow-up information.

verified Funding Eligibility

To assess eligibility for schemes such as Access to Work or other disability employment support programmes.

bar_chart Service Improvement

To analyse aggregated, fully anonymised data to improve our services. No individual will ever be identifiable from this analysis.

gavel Legal Compliance

To meet our legal obligations under UK law, including financial, regulatory, and record-keeping requirements.

We will never use your personal data for automated decision-making, profiling, or direct marketing without your separate explicit consent.

6 Sharing Your Personal Data

We do not sell, rent, or trade your personal data. We may share it only in the following limited circumstances:

Booking & Scheduling Tools: Third-party scheduling software used to manage appointments. All providers are bound by UK GDPR-compliant data processing agreements.
IT & Hosting Providers: Our website and data are hosted on secure UK-based servers. Hosting providers act as data processors under a written contract.
Statutory Authorities: We may disclose data if required by law, court order, or a regulatory or law enforcement authority.
With Your Explicit Consent: Where you ask us to refer your information to a third party (e.g. Access to Work, an employer, or a healthcare professional), we will only do so with your prior, explicit consent.

We do not transfer your personal data outside the United Kingdom without ensuring an equivalent level of data protection is in place, in accordance with UK GDPR international transfer rules.

7 Business Transfers and Corporate Transactions

If we are involved in a merger, acquisition, investment, reorganisation, insolvency process, sale of assets, or transfer of all or part of our business, we may disclose and/or transfer your personal data to a prospective or actual buyer, investor, lender, insurer, professional adviser, or successor organisation.

We will only do this where lawful under UK data protection law, including where necessary for our legitimate interests in managing or transferring our business, and subject to appropriate confidentiality and security measures.

Any successor organisation receiving your personal data must process it in accordance with applicable data protection law and this Privacy Policy (or an updated policy notified to you). Where required, we will notify you of a change in data controller identity and provide updated privacy information.

Where personal data is transferred outside the United Kingdom as part of a corporate transaction, we will ensure an equivalent level of protection is in place in accordance with UK GDPR international transfer rules.

8 How Long We Keep Your Data

We retain personal data only for as long as necessary for the purposes for which it was collected, and to meet any legal or regulatory obligations.

Enquiry form data (no service taken): Deleted securely within 12 months of your last contact with us.
Active service users: Retained for the duration of our engagement plus 6 years after final contact, in line with the Limitation Act 1980 for contractual records.
Health / Special Category data: Deleted at the end of your service engagement unless you consent to longer retention or legal obligations require otherwise.
Website analytics data: Anonymised and retained for up to 26 months, in line with ICO guidance.

When data is no longer required, it is securely and permanently deleted or anonymised using industry-standard methods.

9 Data Storage & Security

We take the security of your personal data — particularly your sensitive health information — extremely seriously. We have implemented the following technical and organisational measures:

Encryption in transit: All data submitted via our website is protected using TLS 1.2 / 1.3 (SSL) encryption.
Encryption at rest: Stored data is encrypted using AES-256 on our secure, UK-based servers.
Access controls: Only authorised staff with a legitimate need can access personal data. All staff complete UK GDPR training before handling any personal data.
Data minimisation: We collect only what we genuinely need. Special Category health data is never stored beyond its stated purpose.
Breach response: In the event of a breach that poses a risk to your rights, we will notify you and the ICO within 72 hours of becoming aware, as required by UK GDPR Article 33.

10 Cookies

Our website uses cookies to distinguish you from other users and to improve your experience. We comply with the UK Privacy and Electronic Communications Regulations (PECR) and UK GDPR in our use of cookies.

Strictly necessary cookies: Required for the website to function. No consent is required.
Analytics cookies: Help us understand how visitors use our site. Your consent is required before these are set.
Functional cookies: Remember your preferences, such as accessibility settings. Your consent is required.

You can manage, accept, or withdraw cookie consent at any time by adjusting your browser settings. Disabling certain cookies may affect some website functionality.

11 Your Rights Under UK GDPR

You have the following rights as a data subject. You may exercise any of these rights by contacting our DPO (see Section 14). We will respond within one calendar month at no charge to you.

visibility

Right of Access (Article 15) Request a copy of all personal data we hold about you (a Subject Access Request).
edit

Right to Rectification (Article 16) Ask us to correct any inaccurate or incomplete personal data we hold about you.
delete

Right to Erasure / "Right to be Forgotten" (Article 17) Request deletion of your personal data where there is no overriding legitimate reason to retain it.
pause_circle

Right to Restriction of Processing (Article 18) Request that we limit how we use your data in certain circumstances, for example while accuracy is disputed.
upload_file

Right to Data Portability (Article 20) Receive your data in a structured, machine-readable format, or ask us to transfer it to another controller.
block

Right to Object (Article 21) Object to processing based on legitimate interests, including any use of your data for direct marketing.
check_circle

Right to Withdraw Consent Where processing is based on consent (including health data), you may withdraw at any time without affecting prior lawful processing.

12 Complaints

If you have concerns about how we handle your personal data, please contact our Data Protection Officer in the first instance — we will always try to resolve your concern directly and promptly.

If you remain unsatisfied, you have the right to lodge a complaint with the UK's supervisory authority:

account_balance

Information Commissioner's Office (ICO)
Website: ico.org.uk | Helpline: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

13 Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:

Update the "Last updated" date at the top of this page.
Notify active users by email where a change significantly affects how we process their data.

We encourage you to review this policy periodically. Continued use of our services after changes are posted constitutes acceptance of the updated policy.

14 Contact Information

If you have any questions about this Privacy Policy, wish to exercise your data rights, or have concerns about how we handle your personal data, please contact our Data Protection Officer.

Data Protection Officer — Im Minded Ltd

email info@imminded.com

call 07539774474 (Monday – Friday, 9am – 5pm)

location_on Im Minded Ltd, 6 Clifton Road, London, E16 4PS

schedule We aim to respond to all data rights requests within one calendar month.