MyJourneyTracker

Privacy Policy

How we collect, use, and protect your personal and health data in compliance with GDPR and NHS standards.

Effective Date: 4 July 2025

Last Updated: 4 July 2025

Important Information

MyJourneyTracker is designed for individuals who have been prescribed GLP-1 medications by a registered healthcare provider. We take your privacy and the security of your health data very seriously.

Effective Date: 3rd June 2025

Last Updated: 3rd June 2025

Service Operator: Think Menai Ltd

1. Introduction

This Privacy Policy explains how Think Menai Ltd ("we", "us", "our") collects, uses, shares, and protects your personal data when you use the MyJourneyTracker platform. We are committed to safeguarding your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Who We Are

MyJourneyTracker is provided by Think Menai Ltd, a company registered in England & Wales, company number 16363058, with registered office at Capel Bethel Vestry, Stryd Fawr, Caernarfon, Gwynedd, LL54 6PL.

We act as the data controller for the personal data you provide through MyJourneyTracker.

For any data protection queries, you can contact us at:

Email: dataprotection@thinkmenai.com

Postal Address: Think Menai Ltd, Capel Bethel Vestry, Stryd Fawr, Caernarfon, Gwynedd, LL54 6PL.

3. Data We Collect

When you use MyJourneyTracker, we may collect and process the following categories of data:

a. Identity & Contact Data

  • First name and last name
  • Email address
  • Date of Birth (required to verify age eligibility)
  • IP address and device identifiers

b. Health & Wellness Data

  • Medication details and injection schedule
  • Weight and mood logs
  • Side effect reports and journal entries
  • Menstrual cycle tracking (optional)

c. Usage & Technical Data

  • Login timestamps and browser/device metadata
  • Feature usage and settings preferences

d. Subscription & Transaction Data

  • Stripe customer ID (payment metadata)
  • Subscription plan and payment history
  • Referral codes or promotions (if applicable)

4. How We Use Your Data

We process your data to:

  • Verify that you are 18 years or older
  • Deliver core wellness and tracking features
  • Send reminders, updates, and insights based on your data
  • Manage subscriptions and process payments
  • Support customer service and technical support
  • Improve and optimise the platform
  • Conduct anonymised research and analytics (with consent)

5. Lawful Basis for Processing

Our use of your data is based on one or more of the following legal grounds:

  • Consent – for processing sensitive health data and sending optional communications
  • Contractual necessity – to provide services in line with our Terms of Use
  • Legitimate interest – to improve the service and monitor security
  • Legal obligations – for NHS data standards, tax, and compliance requirements

You may withdraw your consent at any time via your account or by contacting us.

6. Security of Your Data

We implement robust technical and organisational safeguards designed to meet leading industry standards:

  • Date of Birth and personal identifiers are encrypted at rest using AES-256
  • All data transmission uses HTTPS (TLS 1.3) encryption
  • Health and wellness data is encrypted with access controls and audit logging
  • Our security framework is designed to align with ISO 27001 standards
  • We are working towards NHS Data Security and Protection Toolkit compliance
  • Regular security assessments and penetration testing are conducted
  • We continuously monitor for security incidents and data breaches

Future Clinical Integration: As we develop healthcare provider integrations, all clinical data sharing will meet FHIR R4 standards and NHS Digital requirements.

7. Data Retention

We retain personal data for as long as needed to provide the service or as required by law:

  • Active accounts: full data is retained
  • Inactive accounts: data is deleted after 24 months of inactivity
  • Deleted accounts: personal data is erased within 30 days of deletion request (subject to exceptions under legal or clinical requirements)

8. Your Rights Under UK GDPR

You have the right to:

  • Access – request a copy of your personal data
  • Rectify – correct inaccurate or incomplete data
  • Erasure – request deletion of your account and associated data
  • Restrict – limit how your data is used in certain situations
  • Portability – request your data in a machine-readable format
  • Object – to processing based on legitimate interest or direct marketing
  • Withdraw consent – at any time
  • Complain – to the UK Information Commissioner's Office (ICO)

To exercise any of these rights, email dataprotection@thinkmenai.com.

9. International Data Sharing and Transfers

9.1 Data Sharing Principles

We never sell your personal data. We may share data only with:

Current Sharing:

  • Trusted service providers (Stripe for payments, SMTP2Go for communications, hosting providers)
  • Legal authorities where required by law
  • Healthcare providers (only with your explicit written consent)

Future Clinical Sharing (subject to regulatory approval):

  • NHS Digital and approved clinical systems
  • FHIR-compliant healthcare networks
  • Clinical research partners (fully anonymised data only)

9.2 International Transfers

UK/EU Data: Primarily stored within UK/EU data centres

Global Compliance: Where data is transferred outside the UK/EU, we use:

  • Standard Contractual Clauses (SCCs) approved by the UK ICO
  • Adequacy decisions where available
  • Additional safeguards for healthcare data including encryption and access controls

US Transfers: For essential services (e.g. payment processing), we ensure providers meet UK GDPR equivalency standards through binding corporate rules or approved certification schemes.

9A. Future Clinical System Integration

MyJourneyTracker is designed with healthcare integration in mind. When clinical features become available, they may include:

  • Integration with NHS systems (EMIS Web, SystmOne, Vision) subject to NHS Digital approval
  • FHIR-compliant data sharing with healthcare providers (with your explicit consent)
  • Clinical decision support tools for healthcare professionals
  • Real-time patient monitoring capabilities for subscribed clinical users

Important

These integrations will only be activated after obtaining necessary regulatory approvals, implementing additional security measures specific to clinical data, securing your explicit opt-in consent for each integration, and meeting all NHS Digital and clinical governance requirements.

You will be notified of any new clinical features and asked for separate consent before your data is shared with healthcare systems.

10. Cookies

MyJourneyTracker uses cookies to:

  • Manage login sessions
  • Store user preferences
  • Monitor usage (anonymous analytics)

See our Cookie Policy for more details.

11. Children's Privacy

MyJourneyTracker is only for users aged 18 and over. We do not knowingly collect data from minors. If you believe a user is under 18, please contact us immediately.

12. Research & Anonymised Data

With your consent, we may use your data (fully anonymised) to support:

  • Clinical research
  • Behavioural insights
  • Platform improvements

You can opt in or out of research participation at any time.

13. Changes to This Policy

We may update this Privacy Policy periodically. Major changes will be communicated via email or in-app notification. Continued use of MyJourneyTracker after changes implies your acceptance.

14. Contact

If you have any questions or concerns:

Data Protection Officer

Think Menai Ltd

Capel Bethel Vestry, Stryd Fawr, Caernarfon, Gwynedd, LL54 6PL

Email: dataprotection@thinkmenai.com