Privacy Policy
Your privacy is our priority. Learn how we protect and handle your data.
Your Privacy Matters
This Privacy Policy explains how we collect, use, and protect your personal information. We are committed to transparency and compliance with GDPR, CCPA, PIPEDA, and other privacy laws.
Privacy Policy
Effective Date: November 19, 2025
Version: 1.0.0
Last Updated: November 19, 2025
Controller Information
GuidedMindHypnosis
Email: [email protected]
Data Protection Officer: [email protected]
This Privacy Policy explains how GuidedMindHypnosis ("we," "us," "our") collects, uses, discloses, and protects your personal information when you use our website and services (collectively, the "Services"). This policy applies to all users worldwide and includes specific notices required by applicable data protection laws.
1. Information We Collect
1.1 Information You Provide Directly
We collect personal information that you voluntarily provide when you:
- Create an account: Username, email address, password, country of residence
- Make a purchase: Billing information (processed securely through Stripe), payment history
- Contact us: Name, email address, message content
- Use social login: If you sign in via Google OAuth, we collect your Google ID, email, name, and profile picture
- Participate in reviews or feedback: Your comments, ratings, and review content
1.2 Information Collected Automatically
When you use our Services, we automatically collect:
- Technical information: IP address, browser type and version, device type, operating system, user agent string
- Usage data: Pages visited, products viewed, time spent on pages, click patterns, search queries, referral URLs
- Session data: Session IDs, authentication tokens (stored securely), login timestamps
- Analytics data: Aggregated statistics about product views, purchases, and user behavior for recommendation algorithms
1.3 Cookies and Tracking Technologies
We use cookies and similar tracking technologies:
- Essential cookies: Required for authentication, session management, CSRF protection (cannot be disabled)
- Analytics cookies: Track usage patterns to improve our Services (can be managed via cookie settings)
- Performance cookies: Monitor site performance and errors
You can manage cookie preferences through your browser settings. Refusing essential cookies may prevent you from using certain features.
1.4 Information from Third Parties
- Payment processors (Stripe): Payment confirmation, transaction IDs, payment status
- OAuth providers (Google): Authentication data as described in section 1.1
- IP geolocation services: Approximate location for jurisdiction detection and fraud prevention
2. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), UK, and Switzerland, we process your personal data based on the following legal grounds:
| Purpose | Legal Basis |
|---|---|
| Account creation and management | Performance of contract (GDPR Art. 6(1)(b)) |
| Payment processing | Performance of contract (GDPR Art. 6(1)(b)) |
| Consent tracking for ToS/Privacy Policy | Legal obligation (GDPR Art. 6(1)(c)) and Consent (GDPR Art. 6(1)(a)) |
| Marketing communications | Consent (GDPR Art. 6(1)(a)) - opt-in required |
| Product recommendations | Legitimate interests (GDPR Art. 6(1)(f)) - to improve user experience |
| Fraud prevention and security | Legitimate interests (GDPR Art. 6(1)(f)) - to protect our users and business |
| Compliance with legal obligations | Legal obligation (GDPR Art. 6(1)(c)) |
Where we rely on legitimate interests, we have balanced our interests against your rights and freedoms. You may object to processing based on legitimate interests by contacting us at [email protected].
3. How We Use Your Information
We use your personal information for the following purposes:
3.1 Service Delivery
- Create and manage your account
- Process payments and fulfill orders
- Deliver purchased digital products (hypnosis/meditation audio files)
- Provide customer support and respond to inquiries
- Send transactional emails (order confirmations, password resets, account notifications)
3.2 Service Improvement
- Analyze usage patterns to improve our Services
- Develop and refine product recommendation algorithms
- Conduct internal analytics and research
- Test new features and user interfaces
3.3 Security and Compliance
- Prevent fraud, unauthorized access, and abuse
- Enforce our Terms of Service
- Comply with legal obligations (e.g., tax reporting, law enforcement requests)
- Maintain audit trails of user consent and data processing activities
3.4 Marketing (with consent)
- Send promotional emails about new products or special offers (opt-in required; unsubscribe anytime)
- Personalize content and recommendations
4. How We Share Your Information
We do not sell your personal information to third parties. We share your information only in the following limited circumstances:
4.1 Service Providers (Data Processors)
We engage trusted third-party service providers who process data on our behalf under strict confidentiality obligations:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Stripe | Payment processing | Billing information, transaction amounts | USA (Standard Contractual Clauses) |
| Amazon Web Services (AWS) or equivalent hosting | Cloud infrastructure, data storage | All user data | EU/USA (adequacy decision or SCCs) |
| Email service provider (e.g., SendGrid, Mailgun) | Transactional emails | Email address, name, order details | USA (SCCs) |
| Google OAuth | Social login | Email, name, Google ID | USA (consent-based transfer) |
All service providers are contractually bound to process data only as instructed and implement appropriate technical and organizational measures.
4.2 Legal Requirements
We may disclose your information if required by law, legal process, or government request, or to:
- Comply with valid subpoenas, court orders, or legal obligations
- Protect our rights, property, or safety, or that of our users
- Detect, prevent, or investigate fraud, security breaches, or illegal activity
4.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your personal information may be transferred to the acquiring entity. We will notify you via email and/or prominent notice on our website before your data is transferred and becomes subject to a different privacy policy.
5. International Data Transfers
Our primary servers are located in [specify: EU/USA/other]. If you are located outside this region, your data will be transferred internationally.
5.1 Transfers from the EEA/UK/Switzerland
For data transfers from the EEA, UK, or Switzerland to countries without an adequacy decision, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions (e.g., EU-UK adequacy, EU-US Data Privacy Framework if applicable)
- Explicit consent for certain transfers (e.g., OAuth providers)
You may request a copy of the SCCs by contacting [email protected].
5.2 Transfers from Canada
For Canadian users, we ensure that third-party service providers in other countries provide a comparable level of protection as required by PIPEDA, either through contractual safeguards or adequacy findings.
6. Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.
| Data Type | Retention Period |
|---|---|
| Account information | Until account deletion + 30 days (backup retention) |
| Purchase history and order data | 7 years (for tax/accounting compliance) |
| Consent records (ToS, Privacy Policy) | Indefinitely (legal compliance requirement under GDPR Art. 7(1)) |
| Analytics and usage data | 24 months (aggregated data may be retained indefinitely) |
| Session logs and IP addresses | 12 months (security and fraud prevention) |
| Marketing consents | Until withdrawn + 3 years (to honor opt-out requests) |
| Inactive accounts (no login for 3+ years) | Deleted after notice unless user re-activates |
When we delete your data, we ensure permanent removal from active systems. Backup copies are purged within 90 days.
7. Your Privacy Rights
Depending on your location, you have the following rights regarding your personal data:
7.1 Rights Under GDPR (EEA, UK, Switzerland)
- Right to access (Art. 15): Request a copy of your personal data
- Right to rectification (Art. 16): Correct inaccurate or incomplete data
- Right to erasure (Art. 17): Request deletion of your data ("right to be forgotten"), subject to legal retention requirements
- Right to restrict processing (Art. 18): Limit how we process your data in certain circumstances
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format (CSV/JSON)
- Right to object (Art. 21): Object to processing based on legitimate interests or for direct marketing
- Right to withdraw consent (Art. 7(3)): Where processing is based on consent, withdraw it at any time
- Right to lodge a complaint: Contact your local supervisory authority (see Section 7.5)
Automated decision-making: We use algorithms for product recommendations. You may object to automated profiling by contacting us.
7.2 Rights Under CCPA/CPRA (California Residents)
Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), California consumers have the right to:
- Know: Request disclosure of categories and specific pieces of personal information collected, sources, purposes, and third parties with whom we share data
- Delete: Request deletion of your personal information, subject to exceptions
- Correct: Request correction of inaccurate personal information (CPRA)
- Opt-out of sale/sharing: We do not sell or share personal information for cross-context behavioral advertising
- Limit use of sensitive personal information: We do not use sensitive personal information beyond necessary service provision
- Non-discrimination: We will not discriminate against you for exercising your rights
Notice at Collection (CCPA): We collect the categories of personal information described in Section 1. We use this information for the business purposes described in Section 3. We disclose information to the categories of third parties described in Section 4.
Retention and Deletion: See Section 6 for retention periods.
Do Not Track: We do not currently respond to Do Not Track (DNT) signals.
7.3 Rights Under PIPEDA (Canadian Residents)
Canadian users have the right to:
- Access your personal information and understand how it is used
- Challenge the accuracy and completeness of your data and request corrections
- Withdraw consent for certain processing activities
- File a complaint with the Office of the Privacy Commissioner of Canada (see Section 7.5)
We comply with PIPEDA's 10 principles, including accountability, transparency, and limiting collection/use/disclosure to identified purposes.
7.4 Rights Under Other U.S. State Privacy Laws
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other states with comprehensive privacy laws have similar rights to those described above. Please contact us at [email protected] to exercise your rights.
7.5 How to Exercise Your Rights
To exercise any of the above rights, please:
- Email us: [email protected]
- Use our account settings: Some rights (e.g., data portability, account deletion) can be exercised directly in your account settings
- Authorized agent: California residents may designate an authorized agent to submit requests on your behalf (written authorization required)
We will respond to verified requests within:
- 30 days (GDPR, CCPA), extendable by 60 days if necessary
- 30 days (PIPEDA), extendable if the request is complex
We may require additional information to verify your identity (e.g., email confirmation, account credentials).
Supervisory authorities:
- EEA/UK: Contact your local data protection authority (list: https://edpb.europa.eu/about-edpb/board/members_en)
- California: California Attorney General's Office (https://oag.ca.gov/privacy/ccpa)
- Canada: Office of the Privacy Commissioner of Canada (https://www.priv.gc.ca/)
8. Data Security
We implement industry-standard technical and organizational measures to protect your personal information:
8.1 Technical Safeguards
- Encryption: HTTPS/TLS for data in transit; AES-256 encryption for sensitive data at rest
- Password security: Bcrypt hashing with salts (never storing plaintext passwords)
- Session management: Secure, HTTPOnly, SameSite cookies with 1-hour expiration
- CSRF protection: Tokens required for state-changing requests
- Database security: Parameterized queries to prevent SQL injection; row-level access controls
- Regular security audits: Vulnerability scanning and penetration testing
8.2 Organizational Safeguards
- Access controls: Role-based access; principle of least privilege
- Employee training: Regular privacy and security training for staff
- Data breach response plan: Incident detection, containment, notification procedures
8.3 Data Breach Notification
In the event of a personal data breach, we will:
- Notify affected users within 72 hours (GDPR requirement) via email
- Notify relevant supervisory authorities as required by law
- Provide information about the breach, potential impact, and remedial actions
Despite our safeguards, no system is 100% secure. If you believe your account has been compromised, contact us immediately at [email protected].
9. Children's Privacy
Our Services are not directed to children under 16 years of age (or under 13 in the USA). We do not knowingly collect personal information from children. If we learn that we have collected data from a child without parental consent, we will delete it promptly.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected].
10. Consent and Withdrawal
10.1 How We Obtain Consent
We obtain your consent in the following ways:
- Express consent: Checkboxes for ToS and Privacy Policy acceptance (unchecked by default) at registration and checkout
- Implied consent: By using our Services after being informed of this Privacy Policy
- Opt-in for marketing: Separate checkbox for promotional emails (optional)
10.2 How to Withdraw Consent
You may withdraw your consent at any time:
- Marketing emails: Click "unsubscribe" in any promotional email or adjust settings in your account
- Account deletion: Delete your account (this withdraws consent for data processing beyond legal retention requirements)
- Contact us: Email [email protected] to withdraw specific consents
Withdrawal of consent does not affect the lawfulness of processing before withdrawal. Some consents (e.g., for essential Services) cannot be withdrawn without terminating your account.
10.3 Consent Records
We maintain detailed records of your consent, including:
- Date and time of consent
- Version of ToS/Privacy Policy accepted
- IP address and user agent (as evidence under GDPR Art. 7(1))
- Context of consent (registration, checkout, etc.)
You may request a copy of your consent records by contacting us.
11. Cookies and Tracking
11.1 Types of Cookies We Use
| Cookie Type | Purpose | Duration | Can be disabled? |
|---|---|---|---|
| session_id | Authentication, session management | 1 hour | No (essential) |
| csrf_token | Security (CSRF protection) | Session | No (essential) |
| analytics_id | Anonymized usage analytics | 24 months | Yes |
| preferences | User interface preferences | 12 months | Yes |
11.2 Managing Cookies
You can control cookies through:
- Browser settings: Most browsers allow you to refuse or delete cookies
- Cookie consent banner: Adjust preferences when you first visit our site
- Account settings: Toggle analytics cookies in your account preferences
Disabling essential cookies will prevent you from logging in or making purchases.
11.3 Do Not Track
We do not currently respond to "Do Not Track" (DNT) browser signals because there is no industry consensus on how to interpret DNT.
12. Third-Party Links
Our Services may contain links to third-party websites or services (e.g., blog articles, partner sites). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Services. When we make material changes:
- We will update the "Effective Date" and "Version" at the top of this policy
- We will notify you via email and/or a prominent notice on our website at least 30 days before the new policy takes effect
- If the change is material, we will require you to re-accept the updated Privacy Policy at your next login or checkout
We encourage you to review this Privacy Policy periodically. Continued use of our Services after changes take effect constitutes your acceptance of the updated policy.
Version history:
- Version 1.0.0 (November 19, 2025): Initial Privacy Policy
14. Jurisdiction-Specific Notices
14.1 European Economic Area (EEA), UK, Switzerland
- Data controller: GuidedMindHypnosis, DPO: [email protected]
- Legal basis: See Section 2
- International transfers: See Section 5.1
- Rights: See Section 7.1
- Supervisory authority: https://edpb.europa.eu/about-edpb/board/members_en
14.2 California (United States)
- CCPA/CPRA compliance: See Sections 1, 3, 4, 6, 7.2
- Shine the Light Law: California residents may request information about disclosure of personal information to third parties for direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.
- Notice at collection: See Section 7.2
California-specific data practices:
- Categories of PI collected: Identifiers, commercial information, internet activity, geolocation data
- Categories of sources: Directly from you, automatically from your device, from third-party OAuth providers
- Business purposes: See Section 3
- Third parties with whom we share PI: Payment processors, hosting providers, email services (see Section 4.1)
- Sale/sharing of PI: We do not sell or share personal information
14.3 Canada
- PIPEDA compliance: We adhere to PIPEDA's 10 privacy principles
- Accountability: We are responsible for personal information under our control, including data transferred to third-party processors
- Privacy officer: [email protected]
- Complaint procedure: Office of the Privacy Commissioner of Canada (https://www.priv.gc.ca/)
14.4 Other U.S. States (Virginia, Colorado, Connecticut, Utah, etc.)
Residents of states with comprehensive privacy laws have rights similar to those described in Section 7.2. Please contact us to exercise your rights.
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: [email protected]
Data Protection Officer: [email protected]
Mailing Address: [To be filled in with actual business address]
Response time: We aim to respond to all inquiries within 7 business days.
16. Legal References and Compliance Citations
This Privacy Policy has been drafted to comply with the following legal frameworks:
- GDPR (EU Regulation 2016/679): Articles 5 (principles), 6 (lawfulness), 7 (consent), 12-23 (data subject rights), 32 (security), 33-34 (breach notification), 44-50 (international transfers)
- CCPA/CPRA (Cal. Civ. Code §§ 1798.100–1798.199): Notice at collection, consumer rights, opt-out of sale/sharing
- PIPEDA (Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5): Schedule 1, principles 1-10
- Virginia VCDPA (Va. Code Ann. §§ 59.1-571 to 59.1-581)
- Colorado CPA (Colo. Rev. Stat. §§ 6-1-1301 to 6-1-1313)
- Connecticut CTDPA (Conn. Gen. Stat. §§ 42-515 to 42-520)
- Utah UCPA (Utah Code Ann. §§ 13-61-101 to 13-61-404)
For a detailed mapping of legal requirements to specific clauses, see the Legal Compliance Memo (available upon request).
Last reviewed: November 19, 2025
Next scheduled review: May 19, 2026 (6-month review cycle)
Your Privacy Rights
You have the right to:
- Access your personal data and know what information we have about you
- Correct inaccurate or incomplete information
- Delete your data ("right to be forgotten" under GDPR)
- Export your data in a portable, machine-readable format
- Object to certain processing activities, including marketing
- Withdraw consent at any time for consent-based processing
- Lodge a complaint with your local data protection authority
To exercise your rights, contact us at [email protected]
Questions About Your Privacy?
We're here to help. Contact our privacy team:
Data Protection Officer: [email protected]
Privacy Inquiries: [email protected]