Privacy Policy
Effective Date: February 28, 2026
This Privacy Policy explains how Forgiveness+ LLC (“we,” “us,” “our”) collects, uses, shares, stores, and protects personal information when you interact with any of our digital products and services—including the Cortisol Trigger Tracker, workbooks, courses, membership portal, website (the “Services”). By accessing or using the Services you consent to the practices described below. If you do not agree, please do not use the Services.
1. What Information We Collect
Category | Examples | How We Collect It
Account & Identification | Name, email address, password, username, time‑zone, billing information (card last 4 digits, Stripe customer ID) | Registration form, purchase checkout, OAuth/social login (optional).
Device & Usage Data | IP address, browser type, operating system, device model, screen size, referral URL, cookies, analytics events (e.g., “Day 3 completed”) | Automatic logging via web‑server logs, Google Analytics/Amplitude, and our own event tracker.
Trigger Tracker Data | Date/time of each trigger entry, trigger type (emotion, situation, physical), intensity rating (1‑10), notes, optional photo or voice memo | In‑app form when you log a trigger.
Content Interaction | Which PDFs, videos, audio episodes you view/download, progress through the 7‑day protocol, badge achievements | Application state stored locally and synced to our backend.
Communications | Messages you send through the in‑app chat, support tickets, newsletter subscriptions | Submitted via contact forms, email, or chat widget.
Marketing Preferences | Opt‑in status for promotional emails, SMS, push notifications | Preference center in your account settings.
Legal & Compliance | Copies of signed license agreements, proof of age (if required) | Uploaded during purchase or account verification.
We never collect health‑diagnosis data, medical records, or any information that would be considered “special category” under GDPR unless you voluntarily provide it in a trigger note. Such data is treated as ordinary personal data and protected accordingly.
2. How We Use Your Information
Purpose | Data Used
Provide & Operate Services | Account details, trigger logs, progress data, subscription status.
Deliver Purchased Content | Email address (delivery receipts), download links, access tokens for PDFs, audio, video.
Personalise Experience | Device & usage data, progress metrics, badge history – to surface relevant next steps and recommendations.
Customer Support | Contact information, support tickets, chat transcripts.
Security & Fraud Prevention | IP address, device fingerprint, login timestamps – to detect suspicious activity.
Analytics & Product Improvement | Aggregated usage events (e.g., “% of users complete Day 5”), crash reports – to refine the protocol and UI.
Marketing & Communications | Email address, marketing preferences – to send newsletters, product updates, promotional offers (only if you opted‑in).
Legal Obligations | License agreement data, transaction records – to comply with tax, accounting, and regulatory requirements.
We do not sell, rent, or otherwise disclose your personal data to third‑party advertisers for their own marketing purposes.
3. Legal Basis for Processing (GDPR)
Activity | Legal Basis
Performance of Contract (providing purchased content, account access) | Contractual necessity.
Consent (marketing emails, push notifications) | Explicit opt‑in consent.
Legitimate Interests (security monitoring, fraud prevention, product analytics) | Legitimate business interests, balanced against your rights.
Legal Obligation (tax reporting, record‑keeping) | Compliance with law.
Vital Interests (only if required to protect life or safety) | Rare, but covered.
You may withdraw consent for marketing at any time via the unsubscribe link in each email or through your account settings.
4. Who We Share Your Information With
Recipient | Reason for Sharing | Safeguards
Payment Processors (Stripe) | Process subscription payments, issue invoices. | Only transaction‑specific data (amount, currency, last 4 digits) is shared; no passwords or personal health data.
Cloud Hosting Providers (AWS, Supabase, Firebase) | Store and serve application data securely. | Data is encrypted at rest and in transit; providers are bound by contractual data‑processing agreements.
Analytics Vendors (Amplitude, Mixpanel, Google Analytics) | Aggregate usage statistics. | Data is pseudonymised; IP addresses are masked or truncated where possible.
Legal Authorities | Respond to lawful requests, protect rights. | Disclosure only when required by subpoena, court order, or to prevent fraud/harm.
Third‑Party Service Integrations (e.g., OneSignal for push notifications) | Deliver notifications. | Only device tokens and minimal profile data are shared; no personally identifiable information beyond what you have consented to.
Business Partners (e.g., co‑hosted webinars, affiliate programs) | Provide joint services or promotions you have explicitly opted into. | Agreements require partners to adhere to equivalent privacy standards.
All third parties are required to process your data only as instructed by us and to maintain appropriate security measures.
5. International Data Transfers
Our primary servers are located in the United States. If you reside outside the U.S., your data may be transferred to, stored, and processed in the U.S. or other countries where we maintain infrastructure. We rely on:
Standard Contractual Clauses (SCCs) approved by the European Commission, or
Adequacy decisions (e.g., U.K., Canada, Japan) where applicable.
These mechanisms provide EU‑standard data‑protection safeguards.
6. Data Retention
Data Type | Retention Period
Account information | Until you delete your account (or we terminate it for breach).
Purchase & billing records | Minimum 7 years (tax & accounting requirements).
Trigger logs & progress data | As long as your account remains active; you may request deletion at any time.
Support communications | 90 days after resolution, unless needed for ongoing issues.
Analytics aggregates | Indefinitely (anonymous, non‑identifiable).
Marketing preferences | Until you withdraw consent or request removal.
When you request deletion, we will purge your personal data from active databases within 30 days and from backup archives within 90 days, except where retention is required by law.
7. Security Measures
Encryption – TLS 1.3 for all data in transit; AES‑256‑GCM for data at rest.
Access Controls – Role‑based permissions; multi‑factor authentication for administrative staff.
Regular Audits – Quarterly vulnerability scans and annual third‑party penetration testing.
Incident Response – Formal breach‑notification plan; we will notify affected users and regulators within 72 hours of discovery, as required by law.
While we strive for robust security, no transmission over the Internet is 100 % guaranteed. You are responsible for safeguarding your login credentials.
8. Your Rights & Choices
Right | How to Exercise
Access – Obtain a copy of the personal data we hold about you. | Submit a request via privacy@forgiveness.plus.
Rectification – Correct inaccurate or incomplete data. | Update directly in your account settings or email us.
Erasure (“Right to be Forgotten”) – Delete your personal data. | Request deletion; we will close your account and remove data as described in Section 6.
Restriction – Limit processing of your data (e.g., while a dispute is resolved). | Email us; we will suspend processing where feasible.
Portability – Receive your data in a structured, machine-readable format. | Request via email; we’ll provide a CSV/JSON file.
Object to Processing – Object to direct marketing or profiling. | Unsubscribe via email link or toggle in account settings.
Withdraw Consent – Pull consent for any purpose you previously consented to. | Same as “Object to Processing.”
We will respond to all verifiable requests within 30 days. If we deny a request, we will provide a clear explanation and inform you of your right to lodge a complaint with a supervisory authority.
9. Children’s Privacy
Our Services are intended for persons 13 years of age or older. We do not knowingly collect personal information from children under 13. If you become aware that a child has provided us with personal data, please contact us at privacy@forgiveness.plus so we can promptly delete that information.
10. International Users (CCPA, CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
Right to Know – Request the categories of personal information we have collected.
Right to Delete – Request deletion of your personal information (subject to exemptions).
Right to Opt‑Out – Request that we do not sell your personal information (we do not sell).
Non‑Discrimination – We will not discriminate against you for exercising any CCPA rights.
To exercise any of these rights, email privacy@forgiveness.plus with “CCPA Request” in the subject line.
11. Changes to This Privacy Policy
We may update this Policy from time to time to reflect changes in law, technology, or our practices. When we make a material change, we will:
Post the revised policy on our website with a new “Effective Date.”
Notify active users via email or in‑app banner (at least 30 days before the change takes effect).
Your continued use of the Services after such notice constitutes acceptance of the updated terms.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:
Privacy Officer
Forgiveness+ LLC
1201 W Peachtree St NW Ste 2625 PMB 95440
Atlanta, GA 30309‑3499, United States
Email: privacy@forgiveness.plus
Phone: (404) 555‑0123 (business hours)
We will make a good‑faith effort to address your inquiry promptly.
This Privacy Policy is incorporated by reference into the Digital Product License Agreement and the Terms of Service governing your use of Forgiveness+ products.
