Legal
Privacy Policy
We treat your data, especially anything about your body and mind, as a trust we have to earn. This explains what we collect, why, where it lives, and the control you have over it.
Last updated June 2026
Who we are
Alchemy Rewire is operated by Alchemy Rewire - F.Z.C., a free-zone company registered in the United Arab Emirates (“we”, “us”), whose registered office is Office C1-1F-SF8278, Ajman Free Zone C1 Building, Ajman, United Arab Emirates. We are the data controller for the personal data described here. For any privacy question or to exercise your rights, contact privacy@alchemyrewire.com.
The data we collect
- Account data, your name, email, and password (stored only as a secure hash).
- Practice data, which courses you own, your progress, and completion records.
- Special-category health data (GDPR Article 9), optional inputs such as mood check-ins, Control Pause / CO₂ measurements, and subjective state ratings. We process these only with your explicit consent, and never for any purpose you have not agreed to.
- Payment data, handled by our payment processor (Stripe). We never see or store your full card details; we keep only a customer reference and your purchase record.
- Technical & usage data, limited, consent-gated analytics about how the site is used. We do not put raw health values into analytics.
Why we use it (lawful bases)
- To provide the service (account, access to what you own, progress), performance of our contract with you.
- Health data, your explicit consent, recorded and withdrawable at any time. Withdrawing consent stops further processing for that purpose.
- Payments and record-keeping, to fulfil your purchase and meet legal accounting obligations.
- Marketing email, only if you opt in; you can unsubscribe at any time.
Where your data lives (EU residency by design)
Our database and authentication run on Supabase in the EU (Frankfurt, Germany). We choose EU-resident or DPA-covered processors. Our current processors include:
- Supabase (EU), database, authentication, and file storage.
- Stripe, payment processing.
- Klaviyo, transactional and (opt-in) marketing email.
- Vimeo / Cloudflare, video hosting and delivery.
- Hosting & analytics, our site host and a privacy-focused, EU-hosted analytics provider (consent-gated).
Where a processor transfers data outside the EEA, that transfer is covered by appropriate safeguards (e.g. Standard Contractual Clauses).
How long we keep it
- Account, practice, and purchase records, for the life of your account.
- Mood check-ins and similar lightweight health logs, minimised; older entries are deleted on a rolling basis.
- Invoices and payment records, retained for the period required by law (accounting obligations), even after account deletion.
Your rights
Under the GDPR you can access, correct, export, restrict, or erase your personal data, and withdraw consent at any time. We have built these into the product:
- Export, download everything we hold about you, from your profile settings.
- Erasure, delete your account and associated data in one action, from your profile settings (legally required financial records are retained as above).
- Consent, grant or withdraw health-data and marketing consent from your profile at any time.
You also have the right to lodge a complaint with your local data protection authority.
Cookies & analytics
We use only the cookies needed to run the site (e.g. keeping you signed in) plus, if you consent, privacy-focused analytics to understand how the site is used. You control non-essential cookies and analytics from the consent banner and your profile, and we never place raw health values into analytics.
Children
The service is not intended for anyone under 18, and we do not knowingly collect data from children.
Changes
We will update this policy as the platform evolves and post the revised date above. Material changes affecting health-data processing will be brought to your attention and, where required, re-consented.