Data protection
Last updated: 30 June 2026
BeWell IT Limited runs the BeWell Catalyst platform, which powers the Mindful Brian and ESRT StrongMind apps. This page explains, in plain terms, how we protect the personal data on the platform. The binding detail is in our Data Processing Agreement and our Privacy Policy, both linked at the end.
Who is responsible for what
When a teacher or organisation runs a course on the platform, they are the data controller for their participants' personal data, and BeWell IT acts as the data processor on their behalf. That relationship is governed by our Data Processing Agreement (DPA), which forms part of the Teacher Tier terms and is entered into under Article 28 of the UK GDPR.
BeWell IT acts as an independent data controller only for a limited set of data described in the DPA and our Privacy Policy, for example website visits, billing, and the support chatbot.
Where data is hosted
Mindful Brian and the standard platform run on a European instance, with personal data hosted in the European Union. ESRT StrongMind, used by the UCSF Center for Mindfulness in Surgery, runs on a United States instance hosted in the United States. Each organisation's data stays on the instance for the app it uses.
International transfers
BeWell IT operates under UK GDPR. Where personal data is transferred internationally, for example to a service provider that supports the platform, those transfers are protected by the safeguards set out in the DPA. These include the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, and the UK Extension to the EU-US Data Privacy Framework (the UK-US Data Bridge), where applicable.
AI features
Where the platform uses AI features on the European instance, that processing is pinned to a European region. Our AI sub-processor does not use platform data to train its models when the paid service is used, which is the case for the platform. The full position, including the lawful basis for each AI feature, is set out in the DPA.
Security
BeWell IT is Cyber Essentials certified. The platform uses encrypted connections (HTTPS), encryption of data at rest, access controls, and the technical and organisational measures set out in Schedule 1 of the DPA.
Teachers outside the UK and EU
We work with teachers and organisations in other regions and are happy to talk through how these arrangements fit local requirements.
The documents
- Data Processing Agreement, the agreement that governs how we process participant data on behalf of teachers and organisations.
- Privacy Policy, how we handle data when you visit bewellit.com.
- Terms of Service.
Contact
For any data-protection question, you can reach the person responsible at BeWell IT:
BeWell IT Limited
68 Queens Road
Feltham TW13 5AR
United Kingdom
Email: privacy@bewellit.com
Company No: 16095961, registered in England and Wales.