Consent to Processing of Special Category Data

Document type: SENSITIVE_DATA_PROCESSING · Version: 1.1 · Effective from: 9 June 2026

This notice explains what special category data we process when you use the She Came Back member portal, why we need your explicit consent, and how you can withdraw it. It supplements our Privacy Policy.

1. What data this covers

When you use the program, you may enter journal entries, exercise responses, check-in notes, and similar free-text answers. These responses are stored so we can deliver your membership — show your progress, save your work, and generate your end-of-program assessment.

Because the topics of the program relate to wellbeing and personal development, your responses may reveal information about your health or mental wellbeing. Under the EU General Data Protection Regulation (GDPR), this is special category data (Article 9).

We also process related program activity (for example completed days and metrics) needed to provide the service. This consent focuses on the content of your responses and assessments derived from them.

2. Why we need your explicit consent

We process this data only where you have given explicit consent under Article 9(2)(a) GDPR, together with the legal basis in Article 6(1)(a) for the related processing.

Without this consent we cannot store or use your journal and exercise responses, or generate your fully automated personal AI assessment based on them. You may still use parts of the site that do not require this processing, but you will not be able to complete the program experience in the portal.

3. What we use the data for

We process your responses and derived assessment output solely to:

• deliver and personalise your program membership;
• save and display your progress and history in the portal;
• generate your fully automated end-of-program assessment using an AI language model (Microsoft Azure OpenAI), as described in the Privacy Policy;
• maintain security, support, and audit logs where access to sensitive data occurs.

We do not use your journal content for advertising, sale to third parties, or unrelated profiling.

4. Who receives the data

Access is limited to authorised staff and subprocessors acting on our instructions under data processing agreements, including hosting (Vercel, Neon), email (Resend), and AI assessment generation (Microsoft Azure OpenAI). Details are listed in the Privacy Policy.

5. Retention and your control

We keep your responses for as long as your account is active and as described in the Privacy Policy. You may:

• withdraw this consent at any time in the portal or by contacting us — withdrawal does not affect processing that was lawful before withdrawal;
• export your data or request erasure using the tools in Account → Data & Privacy, subject to legal retention requirements;
• exclude specific responses from AI analysis where that option is offered in program settings.

If you withdraw consent, we will stop processing your journal and exercise content for the purposes above and may need to limit or close access to program features that depend on it.

6. Your acknowledgement

By checking the consent box at registration, you confirm that:

• you have read this notice and the Privacy Policy;
• you explicitly consent to the processing of your journal and program responses (which may reveal health-related information) for delivering your membership, including AI assessment generation as described; and
• you understand you may withdraw consent at any time.

7. Mandatory rights unaffected

Nothing in this notice limits your statutory rights under GDPR or applicable consumer protection law.