Privacy Policy
Bespoke Horizons – An Inclusive Care Options Service
Last updated: January 2026
1. Who We Are
This website is operated by Inclusive Care Options Ltd (trading as “Bespoke Horizons”), a company registered in England and Wales.
Company Number: 15347262
Registered Address: 128 City Road, London, EC1V 2NX
Service Address: Bespoke Horizons, Henderson Drive, London, NW8 8JQ
Email: manager@bespokehorizons.org
Telephone: 0800 246 1434
Data Protection Officer: Ryan Spears
DPO Contact: manager@bespokehorizons.org
Inclusive Care Options Ltd is the data controller responsible for your personal data. We are registered with the Care Quality Commission (CQC) and committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. What Personal Data We Collect
We collect different types of personal data depending on how you interact with us.
When you visit our website, we may automatically collect technical information including your IP address, browser type and version, time zone setting, operating system, the pages you visit, how long you spend on each page, and how you arrived at our site.
When you contact us or make an enquiry, we collect the information you provide, such as your name, email address, telephone number, and details about the person requiring care.
When you or your loved one uses our day centre services, we collect more detailed information necessary to provide safe and effective care. This includes full name and contact details, date of birth, emergency contact information, GP and health professional details, health and medical information (including diagnoses, medications, allergies, and health conditions), care and support needs assessments, risk assessments and behavioural support plans, funding and local authority information, photographs (with consent) for identification and activity records, and daily attendance and activity records.
3. Special Category Data
As a care provider, we process special category data, which includes information about health, disabilities, and in some cases ethnicity or religious beliefs relevant to care delivery. This data receives extra protection under data protection law. We process this data because it is necessary for the provision of health or social care services, it is in the substantial public interest for safeguarding purposes, or you (or your representative) have given explicit consent.
4. Why We Collect Your Data and Our Lawful Basis
We only collect and use your personal data when we have a lawful reason to do so. The table below explains our purposes and the legal basis for each.
For providing care services to you or your loved one, we rely on the legal basis of contract (to fulfil our care agreement with you) and legal obligation (to meet CQC regulatory requirements). For processing health and medical information, we rely on providing health or social care treatment under Article 9(2)(h) UK GDPR. For safeguarding and protecting vulnerable adults, we rely on legal obligation and vital interests, specifically substantial public interest under Schedule 1 DPA 2018. For sharing information with NHS, GPs, hospitals, and local authorities, we rely on legal obligation and legitimate interests in coordinating care. For responding to enquiries and communications, we rely on legitimate interests in responding to your requests. For sending newsletters or marketing (if you sign up), we rely on consent, which you can withdraw at any time. For website security and maintenance, we rely on legitimate interests in maintaining website security and improving our services. For complying with legal and regulatory requirements, we rely on legal obligation.
5. Who We Share Your Data With
We may share personal data with the following parties where necessary.
We share data with health and social care professionals including your GP, community nurses, hospitals, mental health teams, and other healthcare providers involved in care. We share data with local authorities including social workers, safeguarding teams, and commissioners funding your care. We share data with the Care Quality Commission (CQC) as our regulator. We share data with emergency services when there is a risk to life or safety. We share data with family members or representatives with your consent or where you lack capacity and it is in your best interests. We share data with IT service providers who help us maintain our systems securely (under strict data processing agreements). We share data with professional advisors such as legal, insurance, and accountancy services where necessary.
We will never sell your personal data to third parties.
6. International Transfers
We primarily store and process your data within the United Kingdom. If any data is transferred outside the UK (for example, through cloud-based services), we ensure appropriate safeguards are in place, such as UK International Data Transfer Agreements or transfers to countries with adequacy decisions.
7. How Long We Keep Your Data
We retain personal data only for as long as necessary for the purposes it was collected, or as required by law.
Care records for adults are retained for 8 years from the end of the care relationship, or longer if required for legal claims or safeguarding purposes. Care records involving children or young people are retained until the individual’s 25th birthday, or 26th if the young person was 17 at the conclusion of treatment, and longer if required. Safeguarding records are retained indefinitely where necessary for ongoing protection. Enquiry and contact form data is retained for 2 years unless you become a service user. Staff records are retained for 6 years after employment ends.
After the retention period, data is securely deleted or anonymised.
8. Your Rights
Under UK data protection law, you have important rights regarding your personal data.
You have the right to be informed about how we use your data (this privacy policy). You have the right of access, meaning you can request a copy of the personal data we hold about you. You have the right to rectification, meaning you can ask us to correct inaccurate or incomplete data. You have the right to erasure (“right to be forgotten”), meaning you can ask us to delete your data in certain circumstances (though this may be limited where we have legal obligations to retain it). You have the right to restrict processing, meaning you can ask us to limit how we use your data. You have the right to data portability, meaning you can request your data in a portable format. You have the right to object to processing based on legitimate interests. You have rights related to automated decision-making, though we do not currently make solely automated decisions about you.
If we process your data based on consent, you have the right to withdraw consent at any time. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, please contact our Data Protection Officer, Ryan Spears, at manager@bespokehorizons.org.
9. How to Make a Complaint
If you have concerns about how we handle your personal data, we encourage you to contact us first so we can try to resolve the issue.
Internal complaints: Please email manager@bespokehorizons.org with details of your concern. We will acknowledge your complaint within 7 days and provide a full response within 30 days.
External complaints: If you are not satisfied with our response, or if you wish to complain directly to the regulator, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).
Information Commissioner’s Office
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire,
SK9 5AF
Website: www.ico.org.uk
Telephone: 0303 123 1113
10. Links to Other Websites
Our website may contain links to external websites (such as the CQC, NHS, or local authority sites). We are not responsible for the privacy practices of these external sites. We encourage you to read their privacy policies when you leave our site.
11. Information Security
We take the security of your personal data seriously. We implement appropriate technical and organisational measures to protect your data against unauthorised access, loss, destruction, or damage. These measures include encrypted data storage and transmission, access controls and staff training, regular security assessments, and secure disposal of records.
We have completed the NHS Data Security and Protection Toolkit (DSPT), demonstrating our commitment to meeting national data security standards for health and social care.
While we take all reasonable precautions, no method of transmission over the internet is completely secure, and we cannot guarantee absolute security.
12. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. Any significant changes will be communicated through our website. We encourage you to review this policy periodically.
13. Contact Us
If you have any questions about this privacy policy or wish to exercise your data protection rights, please contact us:
Data Protection Officer: Ryan Spears
Email: manager@bespokehorizons.org
Telephone: 0800 246 1434
Post: Bespoke Horizons, Henderson Drive, London, NW8 8JQ
© 2025. All rights reserved.
