Privacy Policy

Version 1.0 effective 1st June 2026

Plain summary

This notice tells you what personal information Rewire Your Life Ltd collects when you use our course, why we collect it, who we share it with, how long we keep it, and what rights you have over it. We’ve tried to write it in plain language. If anything is unclear, please contact us at support@rewireyourlife.co.uk and we’ll help.

If you have been referred to our course by your GP practice, there is some additional information sharing between us and your practice. That is set out in Section 6.

1. Who we are

Rewire Your Life Ltd is the controller of your personal information. That means we decide what information is collected, how it is used, and what happens to it.

Registered office

Suite 5, 5th Floor, City Reach, London E14 9NN, United Kingdom

Company number

15311771

ICO registration

ZB759304

Data Protection Lead

Sarah Lock

Deputy Data Protection Lead

Sheryl Pope

Contact for data protection queries

support@rewireyourlife.co.uk

2. What this notice covers

This notice covers personal information we process about you when you:

sign up for and use our online course on the learning platform Thinkific;
complete in-course self-assessment checklists, including Wellness Check-ins and self-reflection surveys;
contact us for support, to exercise a right under this notice, or to make a complaint;
(where applicable) are referred to the course by a participating GP practice.

It does not cover:

the separate processing your GP practice carries out on its own records - that is governed by your practice’s own privacy notice and the NHS records management framework;
third-party services you reach by clicking a link from our course - those services have their own privacy notices;
processing carried out by anyone we don’t have a contract with.

3. The personal information we collect

We collect the following categories of personal information.

3.1 Account and contact information

When you sign up, the following is collected:

your name and email address;
your account password (we never see this);
the date you signed up and, where applicable, the GP-practice voucher code you used.

3.2 Course engagement information

When you use the course, our course platform (Thinkific) records:

which lessons you have viewed and completed;
when you logged in and for how long;
which checklists you have submitted and when.

3.3 Health information you give us in Wellness Check-ins

The course includes Wellness Check-ins. These are short structured surveys that ask about:

the severity and frequency of your symptoms;
how your symptoms are affecting your daily activities, your work, and your social life;
your sleep, food, activity level, and stress;
self-efficacy items - your sense of confidence, knowledge and hope about managing your symptoms;
the duration of your symptoms (a single question).

The Check-ins are a symptom and functional progress tracker - designed so you can see your own changes over time. It is not as a clinical tool. We do not ask about anxiety, depression, distress, or crisis indicators in the Check-ins. We are not a clinical service and the Check-ins are not designed to detect mental or physical health conditions or crisis (see Section 7 below).

After you complete each Wellness Check-in, you can request that Jotform – the tool which hosts the Check-in forms (see Section 8) - emails a copy of your responses and your score to the email address you registered with, so you have your own record of your progress.

3.4 Health information you give us in self-reflection surveys

The course also includes self-reflection surveys – Are My Symptoms Neuroplastic, Why Me, Triggers, Perpetuating Factors, Flare Up, Course Evaluation. These are mostly structured, where you tick boxes (closed-response). Two of them contain a free-text field:

Why Me has one free-text field where you can reflect on other medical issues you have experienced. This field is for your own self-reflection. We do not routinely read it.
Course Evaluation has free-text fields about how the course helped you. We read this for course-quality purposes. It is not shared with your GP practice.

3.5 Information you give us when you contact us

When you email support@rewireyourlife.co.uk, we keep the email itself and any information you give us in it - for example, the nature of your query, your name, and your account email.

3.6 Payment information

If you pay for the course, payment is handled by Thinkific’s payment processor. We do not collect, see, or store your card details. The payment processor processes the payment under their own privacy terms and tells us only that the payment succeeded.

3.7 Information your device gives us

When you use the Thinkific platform which hosts the course, basic technical information is collected automatically, for example, your device type, operating system version, and IP address. This is used to make the platform work and to keep it secure. See Section 14 for cookies.

4. How we use your information and our lawful basis

Under UK GDPR we have to tell you the purpose for each use of your information and the lawful basis that lets us use it for that purpose. Where the information is health information, we also have to tell you the special-category condition that lets us process it. Here it is in plain terms.

4.1 To deliver the course you’ve signed up for

This includes setting up your account, giving you access to the course content, tracking your progress so you can see it, sending you your own Check-in score by email, and dealing with any administrative tasks like password resets.

Lawful basis: Article 6(1)(b) UK GDPR - performance of our contract with you.
Special category condition (for health information in Wellness Check-ins and self-reflection surveys): Article 9(2)(a) - your explicit consent, captured in a consent module available after you pay but before you start the course.

4.2 To let you see your own progress

Your Wellness Check-in responses feed a progress view in Thinkific so you can see how your symptoms and functioning have changed across the course.

Lawful basis: Article 6(1)(b) - performance of contract.
Special category condition: Article 9(2)(a) - your explicit consent.

4.3 To evaluate and improve the course

We analyse Wellness Check-in data, course evaluation feedback and engagement data on a pseudonymised basis - meaning we remove names and email addresses before the data goes into the analysis dataset. This lets us look at how the course performs at a group level without working from named records.

Lawful basis: Article 6(1)(f) - our legitimate interests in running and improving the course.
Special category condition (for the pseudonymised health data): Article 9(2)(a) - your explicit consent. Pseudonymised data is still personal data under UK GDPR.

4.4 To handle requests, complaints and rights

If you make a subject rights request (Section 11) or a complaint, we process the relevant information to handle it.

Lawful basis: Article 6(1)(c) - legal obligation (responding to subject rights is a legal duty under UK GDPR).
Special category condition (where health information is involved): Article 9(2)(g) - substantial public interest, specifically Schedule 1 Part 2 paragraph 6 Data Protection Act 2018 (statutory and government purposes), and Article 9(2)(f) - establishment, exercise or defence of legal claims, where applicable.

4.5 To keep our records and meet our legal duties

We keep limited records - for example consent records, breach records, complaint records - to demonstrate our compliance with UK GDPR and to defend against possible legal claims.

Lawful basis: Article 6(1)(c) - legal obligation (UK GDPR accountability principle, Article 5(2)); and Article 6(1)(f) - legitimate interests in defending claims.
Special category condition (where relevant): Article 9(2)(f) - legal claims.

4.6 If you are referred to the course by a participating GP practice

There is additional processing covered in Section 6. Lawful basis for that processing is set out there.

5. Special category (health) data - what your explicit consent means

The Wellness Check-in and self-reflection responses are special category data under UK GDPR Article 9 because they concern your health. This category gets extra protection in law.

We process this data on the basis of your explicit consent (Article 9(2)(a) UK GDPR), which you give in the consent module at the start of the course. The consent module tells you what data is being collected, what we do with it, and what we don’t do with it, before you tick the consent box.

You can withdraw your consent at any time by emailing support@rewireyourlife.co.uk. Withdrawal:

stops us doing any further processing of your Wellness Check-in or self-reflection responses;
does not undo processing we did before withdrawal - that was lawful at the time;
does not automatically delete the existing data - but you can additionally ask for erasure under Section 11 if you want the data removed sooner than the standard retention period;
does not stop us giving you access to the course you have signed up for (that is on a separate basis - performance of contract).

6. If you were referred to the course by a participating GP practice

If you have been referred to the course by a participating GP practice and have used a practice voucher code to enrol, there is some information sharing between us and your practice that does not apply to customers who signed up directly.

This section sets it out in full.

6.1 What we share with your practice - and what we don’t

Your GP practice signs a Data Sharing Agreement with us covering this arrangement. Under that agreement, with your explicit consent, we tell your practice:

your name; and
your enrolment status - meaning that you have signed up for and begun engaging with the course.

We do not share with your practice:

your Wellness Check-in responses;
your self-reflection survey responses;
your Course Evaluation responses;
your progress through the course;
whether you complete the course or drop out;
any information about your symptom trajectory, mood, or anything else from the in-course surveys.

This is a single per-patient signal that tells your practice the referral closed in the sense that you enrolled for the course. It is not any form of clinical monitoring and it is not a progress report. Your practice does not receive ongoing updates from us about your course experience after that initial signal is given.

6.2 What your practice sends to us - and what they don’t

To evaluate how the course works alongside primary-care use, your practice sends us anonymised information about appointment and referral patterns for the group of patients they referred to the course. This information is anonymised at source by your practice — it contains no names, no NHS numbers, no clinical codes, no specialty, no reason codes, and no free text. We receive it with no individual identifiable to us.

There is also a minimum cohort size (set at 10 patients per practice, unless your practice has set it higher) — no data is shared if the cohort would be smaller than this threshold, to further reduce any theoretical re-identification risk.

6.3 Our lawful basis for this sharing

For sharing your name and enrolment status with the practice (the outbound flow): Article 6(1)(a) - your consent, captured in Q2 of the consent module. Because the fact of enrolment in this course concerns your health, we treat this at Article 9 level and rely on Article 9(2)(a) - your explicit consent.
For receiving anonymised data from your practice (the inbound flow): Article 6(1)(f) - our legitimate interests in evaluating how the course works alongside primary-care use. Where Article 9 applies (for the rare case of identification risk despite the cohort floor), Article 9(2)(j) - research, archiving and statistical purposes in the public interest of evaluating the course’s effect on primary-care use, with appropriate safeguards (cohort floor, column-set restrictions, field-expansion controls).

6.4 Your practice’s lawful basis for sharing with us

Your practice - not us - decides on what lawful basis it shares the data with us. That decision sits in the practice’s own data protection records and is reflected in our Data Sharing Agreement with them. If you want to understand what your practice does, ask the practice directly or look at their privacy notice.

6.5 Withdrawing your consent to share with your practice

You can withdraw your consent to us sharing your name and enrolment status with your practice at any time, by emailing support@rewireyourlife.co.uk. Withdrawal of this specific consent:

stops any further per-patient signal flowing from us to your practice;
does not undo the initial signal (your practice already knows you enrolled - once they know, they know);
does not affect your access to the course (that is on a separate basis);
does not affect the inbound flow from your practice to us - that is at cohort level and is anonymised at source, and there is no per-patient withdrawal mechanism for that flow because we don’t know who any individual row or count represents.

If you want to be clear with your practice that you no longer want your records associated with this arrangement at their end, you would need to contact your practice as well - we cannot reach into their records to change anything.

6.6 What we do not share with your practice

Your individual Wellness Check-in responses do not go to your practice. Not at the start of the course, not during the course, not at the end of the course. This arrangement is built so that your practice never sees the content of what you, individually, tell us in the course surveys.

We may share aggregate evaluation findings derived from Wellness Check-in data with practices as part of course evaluation reporting — for example, average changes in symptom or functional scores across the group of patients they referred. These aggregate findings do not identify you individually.

If at any point in the future we wanted to change the position on individual-level data, we would need to:

update this privacy notice;
update the Data Sharing Agreement with your practice;
ask for your explicit consent again on the new basis;
complete a new data protection impact assessment.

7. What we don’t do - the non-monitoring position

This is important and we want to be explicit.

We do not monitor your Wellness Check-in or self-reflection survey responses in real time or otherwise. The course is self-paced, pre-recorded and generic. It is not a clinical service. It is not a support service. It is not a crisis service.

What this means in practice:

If you describe a worsening symptom in a Wellness Check-in, no one at Rewire Your Life will be monitoring it.
If you write something distressing in the Why Me free-text field, no one at Rewire Your Life will be reviewing that field.
We do not have a workflow that triggers a phone call, an email, or an escalation based on what you put in a survey.

If you need clinical help or you are in crisis, please contact your GP, your usual healthcare provider, NHS 111, or - in an emergency - 999. We make this signposting visible at the top of every Wellness Check-in and self-reflection survey in the course.

A separate matter: if you email us at support@rewireyourlife.co.uk and what you say suggests you need urgent help, we will read that and signpost you appropriately. Our support inbox is monitored. Our in-course surveys are not.

8. Who we share your information with

Beyond the sharing covered in Section 6 (which only applies if you were referred by a participating practice), we share your information with:

8.1 Our processors

These are organisations that handle your data on our instructions, under written contracts that meet UK GDPR Article 28 requirements.

Thinkific Labs Inc.

Hosts the course platform and your account.

Canada (primary). See Section 9.

Jotform Inc.

Hosts the in-course surveys (Wellness Check-ins, self-reflection surveys) and sends you the email copy of your Check-in responses and score described in Section 3.3.

United States. See Section 9.

Google LLC (Google Workspace)

Email, document storage, and the working sheets where we handle exports for administration and analysis.

Configurable; we are confirming UK/EU data residency. See Section 9.

Stripe Inc.

Payment processing (only if you pay us directly - not applicable for customers enrolled via a GP-practice voucher). Sub-processor of Thinkific.

United States. See Section 9.

8.2 Your GP practice - only if you were referred by a participating practice

Covered in Section 6.

8.3 Law enforcement, courts and regulators

We may disclose your information where we are legally required to - for example, in response to a court order, a regulator’s information notice, or a properly-authorised law enforcement request. We assess each such request and disclose only what is necessary.

8.4 Buyers of the business

If Rewire Your Life Ltd is sold or merges with another business, your information may transfer to the new owner. The new owner would be bound by this notice (or a successor notice) until and unless they tell you something different.

We do not sell your information. We do not share it with advertisers. We do not use it to target you with third-party advertising.

9. International transfers

Some of our processors are based outside the United Kingdom or hold data outside the UK. UK GDPR requires us to have a lawful transfer mechanism for each of these flows. The position is:

Thinkific

Canada

UK adequacy regulations cover the Canadian commercial sector (PIPEDA). No further mechanism required for the Canadian processing. (If Thinkific instead processes in the US, we rely on the UK extension to the EU-US Data Privacy Framework or the UK Addendum to Standard Contractual Clauses.)

Jotform

United States

UK extension to the EU-US Data Privacy Framework (where Jotform is certified), or UK Addendum to Standard Contractual Clauses.

Google Workspace

UK / EU / global

UK Addendum to Standard Contractual Clauses in Google’s published Data Processing Addendum, and UK extension to the EU-US Data Privacy Framework. We are confirming Data Region pinning to UK/EU.

Stripe

United States

UK extension to the EU-US Data Privacy Framework, and UK Addendum to Standard Contractual Clauses, flowed down through our contract with Thinkific.

If you would like more detail on any of these mechanisms, or copies of the safeguards in place, email support@rewireyourlife.co.uk.

10. How long we keep your information

We keep your information for the periods set out below. Then we delete it across all the systems it sits in (Thinkific, Jotform, Google Workspace, and any working copies).

Your account record (name, email, sign-up date, voucher code)

While your account is active, plus a 12-month grace period after closure during which the data is held dormant so you can return without re-enrolling. After that, deletion.

Your Wellness Check-in and self-reflection responses

Same as your account record - active period plus 12-month grace.

Consent records (the fact you ticked the consent box, and any later withdrawal)

Duration of your account plus 6 years after closure. Held to demonstrate our compliance with UK GDPR.

Pseudonymised analysis data (data with your name and email removed)

Up to 5 years from collection of each data point, with annual review. Deleted sooner if the dataset is no longer in active analytical use.

Working copies on staff laptops (created during administrative tasks)

Deleted within 7 calendar days of completing the task. The Drive primary record is the only persistent copy.

Subject rights request records

6 years from closure of the request.

Complaint records

6 years from resolution of the complaint.

Breach records

6 years from closure of the breach response.

Support emails

Aligned to the underlying activity (a support email about a Wellness Check-in is held with the Check-in retention; one about a complaint is held with the complaint retention; where unclear, the longer period applies).

GP-share records at Rewire end

The share log is kept for the same period as consent records (6 years post account closure). The single per-patient outbound signal does not create a separate persistent record beyond what your account record already governs. At the practice end, the information is governed by NHS records management (typically 10 years for adult records) - that is not under our control.

Anonymised inbound data from your practice

Held while in active evaluation, and folded into the pseudonymised analysis dataset thereafter (5-year ceiling, annual review).

If your circumstances mean you would like data deleted sooner, please see your right to erasure under Section 11.

11. Your rights

You have the following rights over your personal information.

Right to be informed

The right to know what data we hold and what we do with it. This notice is how we provide that.

Right of access

The right to a copy of the personal information we hold about you.

Right to rectification

The right to have inaccurate or incomplete information corrected.

Right to erasure

Often called the “right to be forgotten.” The right to have your information deleted in certain circumstances –for example, if you withdraw consent, if the data is no longer necessary, or if we processed it unlawfully. Some exemptions apply, for example where we need to keep records to meet a legal duty.

Right to restriction

The right to ask us to stop processing your information temporarily while a question about it is resolved.

Right to data portability

The right to receive a machine-readable copy of information you gave us so you can take it elsewhere. Applies where processing is based on consent or contract and is carried out by automated means.

Right to object

The right to object to processing based on legitimate interests (Article 6(1)(f)) - for example, our pseudonymised analysis. We then have to assess whether our interest overrides your objection.

Right to withdraw consent

The right to withdraw any consent you gave us, at any time. Withdrawal stops further processing on that consent.

Right not to be subject to solely automated decisions

The right not to have decisions about you made solely by automated means with significant effects. We do not make any such automated decisions about you.

Right to complain to a supervisory authority

Covered separately in Section 13.

These rights are not absolute. Some have exemptions. We will tell you in plain terms if we can’t comply with a request and why.

12. How to exercise your rights

Email support@rewireyourlife.co.uk with what you want. You don’t need to use a particular form of words. We may need to ask you for information to confirm your identity before we act on a request (typically a confirmation from the email address we have on file, plus a second check if the request is unusual or sensitive).

Our response time: we will respond within one calendar month of receiving a valid request, in line with UK GDPR Article 12(3). For complex or numerous requests we may extend this by up to two further months and will tell you within the first month if we are doing so.

There is no charge for exercising your rights, unless a request is manifestly unfounded or excessive (in which case we may charge a reasonable fee or refuse - both with reasons).

Our full subject rights procedure is published as E1 Subject Rights Procedure - request a copy if you’d like to see it.

13. Complaints

If you are unhappy with how we have handled your information:

First, please tell us by emailing support@rewireyourlife.co.uk. We take complaints seriously, we will investigate, and we will respond. Our complaints process is set out in our Complaints Policy (in development under Domain 9).

You also have the right to complain to the Information Commissioner’s Office (ICO) - the UK’s independent supervisory authority for data protection. You can contact them at:

Website: https://ico.org.uk/make-a-complaint
Helpline: 0303 123 1113
Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

You do not have to complain to us first before going to the ICO, but in our experience most things resolve faster if you tell us first.

14. Cookies and similar technologies

The Thinkific platform uses cookies and similar technologies to make the course function, to keep your session secure, and to provide basic usage analytics. Strictly necessary cookies (those that make the platform work) are set without a separate consent because they are exempt from PECR consent requirements. Non-essential cookies (analytics, personalisation) are only set with your consent through the cookie banner you see when you first visit.

You can change your cookie preferences at any time using the cookies link in the website footer.

A separate Cookies Notice sets out the full cookie inventory - what each cookie does, who sets it, and how long it lasts. The cookies notice is published alongside this privacy notice.

We do not currently use cross-site tracking, third-party advertising cookies, or fingerprinting.

15. Changes to this notice

We may update this notice from time to time - for example, if we change a processor, change a retention period, or add a new processing activity. When we do, we will:

update the version number and date at the top of the notice;
if the change is material (something that meaningfully affects your rights or what we do with your data), tell you by email and, where you are an active customer, in your Thinkific account, before the change takes effect;
keep a version history so you can see what changed.

We will never use a notice change to retrospectively widen what we do with data you gave us under an earlier version. New processing requires new lawful basis - and where it requires consent, a new consent - at the point of the change.