Our commitment to data protection
Rewire is operated by Rewire EMDR LLC ("Rewire", "we", "us"). We provide a practitioner-assigned between-session support tool for use in conjunction with qualified mental health therapy. Because our platform is used in a clinical context, we treat data protection as a clinical governance obligation.
This policy applies to all users of the Rewire platform: licensed practitioners ("Providers") and their clients ("End Users") who access Rewire under a practitioner's assignment.
For clinical governance review: Rewire is not a HIPAA Covered Entity under 45 CFR §160.103. However, we implement security controls aligned with the HIPAA Security Rule's Technical Safeguards (45 CFR §164.312) and can enter into a Business Associate Agreement (BAA) with US-based healthcare providers upon request. We are committed to full GDPR compliance for all European users under Regulation (EU) 2016/679. Our primary data processor, Supabase, holds a SOC 2 Type II attestation and offers EU-hosted infrastructure. Data transfers to the US are governed by Standard Contractual Clauses (SCCs).
Who is responsible for your data
Data Controller: Rewire EMDR LLC
For all data protection enquiries, data subject rights requests, and Business Associate Agreement requests:
Email: [email protected]
Subject line: "Data Privacy Request"
We will acknowledge all requests within 72 hours and respond in full within 30 days.
What we collect and why
Practitioner (Provider) accounts
| Data type | Purpose | Legal basis (GDPR) |
|---|---|---|
| Email address | Account authentication and platform communications | Contract performance — Art. 6(1)(b) |
| Practice name | Displayed within the provider dashboard; identifies the practice to their assigned clients | Contract performance — Art. 6(1)(b) |
| Subscription and billing data | Payment processing via Stripe. Card details are not stored by Rewire. Stripe is PCI DSS Level 1 compliant. | Contract performance — Art. 6(1)(b) |
| Client roster (access codes) | Pseudonymous access codes generated by the practitioner. An access code resolves to a client account within Rewire's database but is not linked to a client name, which Rewire does not collect. | Contract performance — Art. 6(1)(b) |
End User (client) data
| Data type | Purpose | Legal basis (GDPR) |
|---|---|---|
| Email address | Authentication only. Not shared with third parties or used for marketing. | Contract performance — Art. 6(1)(b) |
| Session completion data | Records which exercises have been completed. Visible to assigning practitioner. | Legitimate interests — Art. 6(1)(f) (clinical care continuity) |
| Nervous system state ratings | Pre/post exercise ratings (0–10 scale) entered by the user. Shared with assigning practitioner for clinical review. | Consent — Art. 6(1)(a) |
| Journal entries | Optional written reflections entered during exercises. Shared with the assigning practitioner only if the user explicitly enables sharing. May constitute special category data. | Explicit consent — Art. 9(2)(a) |
| AI conversation transcripts | Used in real time to generate personalised session content only. Not retained beyond the active session. Not used for AI model training. | Consent — Art. 6(1)(a) |
Data we do not collect
- Full legal names of end users are not collected or stored
- Clinical diagnosis or mental health history is not collected
- User data is not sold, licensed, or shared with third parties for commercial purposes
- No user data — including AI conversations — is used to train AI models
- No advertising trackers or behavioural profiling are used
How we protect your data
Infrastructure
All user data is stored in Supabase, a PostgreSQL-based platform that holds a SOC 2 Type II attestation. Data at rest is encrypted with AES-256. All data in transit is encrypted with TLS 1.2 or higher. Supabase infrastructure is hosted in AWS data centres that maintain ISO 27001, SOC 1, SOC 2, and SOC 3 compliance.
Access controls and row-level security
Rewire implements row-level security (RLS) at the database layer. Because RLS policies are evaluated by PostgreSQL itself on every query, the restriction holds regardless of which application path issues the query. Each practitioner can access only the session data of clients who enrolled using that practitioner's own access code. No practitioner can access data belonging to clients of a different practitioner. No Rewire employee accesses user session data or journal entries in the ordinary course of operations.
AI processing safeguards
AI-generated content is produced by Anthropic's Claude API, which Rewire calls through a Cloudflare Worker proxy. The Worker relays only the content needed to generate the session and does not forward account identifiers such as the user's email address, so Anthropic does not receive directly identifying information. Anthropic's API Data Processing Addendum explicitly prohibits use of API inputs for model training. No AI conversation logs are stored server-side beyond the active session.
HIPAA-aligned controls (US practitioners)
For practitioners operating in the US healthcare system, Rewire implements the following controls aligned with the HIPAA Security Rule:
- Unique user identification and strong authentication for all accounts
- Automatic session timeout after inactivity
- Row-level and role-based access controls preventing cross-practitioner data access
- Encryption of all data at rest (AES-256) and in transit (TLS 1.2+)
- Audit logging of data access and modification events
US-based healthcare providers requiring a Business Associate Agreement (BAA) may request one at [email protected].
Data retention
- Active account data is retained for as long as the account remains active
- Practitioner account data is deleted within 30 days of account closure
- End user session data and journal entries are deleted within 30 days of account closure or client removal by the practitioner
- Billing records are retained for 7 years in accordance with applicable financial regulations
- Anonymised, aggregated analytics data (no personal identifiers) may be retained indefinitely for product improvement
Third-party processors we use
| Processor | Purpose | Jurisdiction | Assurance |
|---|---|---|---|
| Supabase | Database, authentication, file storage | US / EU (configurable) | SOC 2 Type II |
| Anthropic | AI session content generation (API only, no training use) | US (API processing) | DPA in place |
| Cloudflare | Worker proxy for AI requests; DDoS and edge security | Global edge network | SOC 2 Type II, ISO 27001 |
| Stripe | Payment processing | US / EU | PCI DSS Level 1 |
We review all sub-processor agreements for GDPR compliance before engagement. Data transfers to the US are covered by Standard Contractual Clauses (SCCs) under GDPR Art. 46(2)(c). We will notify account holders of any material change to our sub-processor list at least 30 days in advance.
Data subject rights
Users in the EEA, UK, Switzerland, and equivalent jurisdictions have the following rights under GDPR (or applicable equivalent legislation):
- Right of access (Art. 15): Request a copy of all personal data we hold about you, including the source, purpose, and any third parties it has been shared with.
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
- Right to erasure (Art. 17): Request permanent deletion of your personal data. Note: billing records may be retained for the statutory minimum period.
- Right to data portability (Art. 20): Request your personal data in a structured, machine-readable format (JSON or CSV).
- Right to restrict processing (Art. 18): Request that we restrict processing in certain circumstances while a dispute is resolved.
- Right to object (Art. 21): Object to processing based on legitimate interests, including any direct marketing.
- Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights: email [email protected] with the subject line "Data Subject Rights Request". We will respond within 30 days. You also have the right to lodge a complaint with your national supervisory authority (e.g. ICO in the UK, CNIL in France, or the relevant DPA in your country).
Sensitive data and mental health information
Journal entries entered by users during sessions may constitute special category data under GDPR Art. 9, specifically data concerning health and mental wellbeing. We treat all journal entry data as special category data by default and apply the following additional protections:
- Journal entry data is encrypted at the field level within the database
- Journal entries are never shared with the assigning practitioner without explicit, in-app consent from the end user
- Journal entries are never used for AI model training, analytics, or any purpose other than direct service provision to the user
- Practitioners are contractually bound by our Terms of Service to obtain appropriate informed consent from clients before assigning Rewire, including consent to data collection and storage as described in this policy
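The row-level security described under "Access controls and row-level security" and the field-level encryption and opt-in sharing of journal entries described in this section can both be expressed directly in PostgreSQL. The following is an added illustration written for this page, not Rewire's own schema or code: the table and column names, the practitioner/client relationship and the `app.journal_key` setting are assumptions; `auth.uid()`, the `authenticated` role and the `request.jwt.claims` setting are Supabase conventions, and the `security_invoker` view option requires PostgreSQL 15 or later.

```sql
-- Illustrative schema (assumed, not Rewire's). Tables, columns and the
-- 'app.journal_key' setting are invented for this example.
create extension if not exists pgcrypto;

create table practitioners (
  id          uuid primary key references auth.users (id),
  access_code text unique not null        -- the code a practitioner hands to a client
);

create table clients (
  id              uuid primary key references auth.users (id),
  practitioner_id uuid not null references practitioners (id)
);

create table session_events (
  id           bigserial primary key,
  client_id    uuid not null references clients (id),
  exercise     text not null,
  pre_rating   smallint check (pre_rating  between 0 and 10),
  post_rating  smallint check (post_rating between 0 and 10),
  completed_at timestamptz not null default now()
);

create table journal_entries (
  id                      bigserial primary key,
  client_id               uuid not null references clients (id),
  share_with_practitioner boolean not null default false,  -- the in-app consent flag
  body_enc                bytea not null,                  -- ciphertext only; no plaintext column
  created_at              timestamptz not null default now()
);

-- Default-deny: once RLS is enabled a row is visible only if some policy allows it.
-- FORCE applies the policies to the table owner as well.
alter table clients         enable row level security;
alter table clients         force  row level security;
alter table session_events  enable row level security;
alter table session_events  force  row level security;
alter table journal_entries enable row level security;
alter table journal_entries force  row level security;

-- A client sees only their own client row; a practitioner sees only clients enrolled under them.
create policy clients_visible on clients for select to authenticated
  using (id = auth.uid() or practitioner_id = auth.uid());

-- Session data: the client reads and writes their own rows; the assigning practitioner reads them.
create policy sessions_client on session_events for all to authenticated
  using (client_id = auth.uid()) with check (client_id = auth.uid());

create policy sessions_practitioner on session_events for select to authenticated
  using (exists (select 1 from clients c
                 where c.id = session_events.client_id
                   and c.practitioner_id = auth.uid()));

-- Journal: the client reads and writes their own rows; the practitioner reads a row
-- only while the client has share_with_practitioner set. Clearing the flag hides it again.
create policy journal_client on journal_entries for all to authenticated
  using (client_id = auth.uid()) with check (client_id = auth.uid());

create policy journal_practitioner on journal_entries for select to authenticated
  using (share_with_practitioner
         and exists (select 1 from clients c
                     where c.id = journal_entries.client_id
                       and c.practitioner_id = auth.uid()));

-- Field-level encryption: the key is supplied per request by the application tier
-- through a session setting and is never stored in any table.
create function journal_key() returns text
language sql stable as $$ select current_setting('app.journal_key', true) $$;

create function add_journal_entry(p_body text) returns bigint
language sql as $$
  insert into journal_entries (client_id, body_enc)
  values (auth.uid(), pgp_sym_encrypt(p_body, journal_key()))
  returning id
$$;

-- security_invoker makes the view run under the caller's RLS policies, not the view owner's.
create view journal_entries_plain with (security_invoker = true) as
  select id, client_id, share_with_practitioner,
         pgp_sym_decrypt(body_enc, journal_key()) as body, created_at
  from journal_entries;

-- Isolation check from a SQL console: impersonate a practitioner the way PostgREST
-- does (role + JWT claims) and confirm that only assigned clients' rows come back.
begin;
set local role authenticated;
set local request.jwt.claims to '{"sub":"00000000-0000-0000-0000-000000000002","role":"authenticated"}';
set local app.journal_key to 'example-key-supplied-by-application-tier';
select count(*) from session_events;      -- rows for this practitioner's clients only
select body from journal_entries_plain;   -- only entries those clients chose to share
rollback;
```

Two design points worth noting about this pattern. First, the practitioner policy on `journal_entries` carries the consent flag inside the policy predicate, so a practitioner cannot read an unshared entry through any query path, including a view or a join. Second, `pgp_sym_encrypt` inside the database keeps journal text unreadable in table dumps and backups and to anyone reading the column without the key, but the plaintext and the key do pass through the database session during each call; if the requirement is that the database never sees plaintext, the encryption has to be done in the application tier instead, with RLS still enforcing who may read the ciphertext.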
Cookies and tracking
Rewire sets session cookies for authentication. We do not use third-party advertising or behavioural tracking cookies. We use Google Analytics, with IP anonymisation enabled, for aggregate, non-identifying traffic analytics; Google Analytics sets its own first-party cookies for this purpose. You may opt out using the Google Analytics Opt-out Browser Add-on.
Rewire does not use any cookie-based retargeting, cross-site tracking, or fingerprinting technology.
Policy updates
We will notify all active account holders by email of material changes to this policy at least 14 days before they take effect. The current version is always available at rewire-emdr.com/privacy. Continued use of the platform after the effective date of a revised policy constitutes acceptance of the updated terms.
For questions about this policy: [email protected]