Legal
Privacy Policy
Last updated: 3 July 2026
1. Who we are
Subconscious Surgery™ (“we”, “us”) is the data controller. Contact: subconscioussurgery@gmail.com.
2. What we collect
Applications (name, email, free-text answers); account and membership data; payment metadata via our payment processors (we never see full card numbers); session and community content you choose to share; call recordings where notified; support correspondence; and — with consent via the cookie banner — analytics and advertising data.
3. Wellbeing information — special protection
What you share in sessions and community spaces can include information about your mental wellbeing and health. We process it only with your explicit consent, captured separately at enrolment (see the Enrolment Declaration at Health & Wellbeing), only to deliver the programme, and never for marketing. You can withdraw that consent at any time; we then stop the processing going forward. Session and call recordings are made only with notice, retained 24 months, and are never published without your separate written release.
4. Lawful bases
Contract (delivering what you bought); consent (analytics/ads cookies; wellbeing data; marketing emails); legitimate interests (service security, fraud prevention, login-sharing detection — balanced and documented); legal obligation (tax/accounting records).
5. Cookies and analytics
We use Google Analytics 4 to understand site performance. These load only after you consent via the cookie banner shown when you first visit; declining changes nothing about your access to the site or programme. You can change your choice at any time by clearing your browser’s local storage for this site and reloading.
6. Who processes your data
Our course platform, payment processor, hosting provider, email delivery provider, Google, and Meta. US providers are used under the UK Extension to the EU–US Data Privacy Framework where certified, otherwise the UK Addendum/IDTA. Where our team processes data from outside the UK, this is covered by the UK International Data Transfer Agreement plus a transfer risk assessment.
7. Retention
Applications not accepted: 12 months. Membership records: duration of membership plus 6 years (tax/legal). Recordings: 24 months. Wellbeing data: for the membership, or until consent withdrawn. Community posts: while the space exists; deletion on request.
8. Your rights
Access, correction, deletion, restriction, portability, objection, and consent withdrawal. Email subconscioussurgery@gmail.com; we respond within one month. You can complain to the ICO (ico.org.uk) or your local data protection authority.
9. Confidentiality
What you share in an application or session is treated as strictly confidential, disclosed only where the law requires — or where we reasonably believe someone is at serious risk of harm.
10. Not covered here
Other members’ conduct (see the Community Guidelines & Confidentiality Code); third-party sites we link to.
11. Changes
If this policy changes materially, we will update the date above and, where appropriate, notify you directly. 3 July 2026 — rewritten: corrected analytics disclosure (Google Analytics 4 with consent banner); added special-category consent framework, international-transfer safeguards, and a retention table.