Privacy Policy

1. Introduction and Scope

3Embody Lifestyle LLC, a limited liability company organized under the laws of the State of Wyoming, doing business as Human Garage ("Company," "Human Garage," "we," "us," or "our"), is committed to protecting and respecting your privacy. This Privacy Policy ("Policy") explains how we collect, use, disclose, store, and protect your personal information when you use our website at humangarage.net, mobile application, and related services (collectively, the "Services").

This Policy applies to all users of our Services worldwide and complies with applicable privacy laws including:

• California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) - United States
• Children's Online Privacy Protection Act (COPPA) - United States
• Virginia Consumer Data Protection Act (VCDPA) - United States
• Colorado Privacy Act (CPA) - United States
• Connecticut Data Privacy Act (CTDPA) - United States
• Utah Consumer Privacy Act (UCPA) - United States
• Texas Data Privacy and Security Act (TDPSA) - United States
• Oregon Consumer Privacy Act (OCPA) - United States
• Montana Consumer Data Privacy Act (MCDPA) - United States
• Iowa Consumer Data Protection Act - United States
• Indiana Consumer Data Protection Act - United States
• Tennessee Information Protection Act (TIPA) - United States
• Delaware Personal Data Privacy Act - United States
• New Hampshire Privacy Act - United States
• New Jersey Data Privacy Act - United States
• Nebraska Data Privacy Act - United States
• Maryland Online Data Privacy Act (MODPA) - United States
• Minnesota Consumer Data Privacy Act - United States
• FTC Health Breach Notification Rule (16 CFR Part 318) - United States
• General Data Protection Regulation (GDPR) - European Union
• Personal Information Protection and Electronic Documents Act (PIPEDA) - Canada
• Lei Geral de Proteção de Dados (LGPD) - Brazil
• Privacy Act 1988 - Australia
• Personal Data Protection Act (PDPA) - Singapore
• Data Protection Act 2018 - United Kingdom
• Other applicable regional and national privacy laws

2. Definitions and Key Terms

3. Information We Collect

3.1 Information You Provide Directly

• Account Information: Name, email address, phone number, date of birth, gender, address
• Profile Information: Bio, preferences, goals, wellness interests, profile photos
• Payment Information: Credit card details, billing address, transaction history
• Wellness Information: Wellness goals, fitness levels, program preferences, self-reported conditions
• Communication Data: Messages, emails, chat conversations, support tickets
• User-Generated Content: Posts, comments, reviews, testimonials, photos, videos
• Survey and Feedback Data: Responses to questionnaires, polls, and feedback forms
• Event Registration: Information for classes, workshops, and events
• Verification Documents: Government-issued ID for age verification or parental consent

3.2 Information Collected Automatically

• Device Information: IP address, device type, operating system, browser type, device identifiers
• Usage Data: Pages visited, time spent, click patterns, navigation paths, feature usage
• Location Data: Approximate location based on IP address, precise location if permitted
• Technical Data: Log files, error reports, performance metrics, system diagnostics
• Cookies and Tracking: Session data, preferences, authentication tokens, analytics data
• App Usage: Screen views, app interactions, crash reports, performance data
• Network Information: Internet service provider, connection type, network performance

3.3 Information from Third Parties

• Social Media Platforms: Profile information when you connect social accounts
• Payment Processors: Transaction verification and fraud prevention data
• Marketing Partners: Lead generation and referral information
• Public Databases: Information to verify identity or prevent fraud
• Analytics Providers: Aggregated usage statistics and demographic data
• Integration Partners: Data from connected wellness apps or wearable devices

3.4 Sensitive Personal Information

We may collect sensitive personal information including wellness-related data, biometric information, and precise geolocation data. We will obtain explicit consent before collecting such information and implement additional security measures for its protection.

3.5 Special Categories of Data (GDPR Article 9)

Where we process special categories of personal data as defined under GDPR Article 9 (including wellness-related data related to your educational journey), we rely on one or more of the following legal bases:

• Explicit consent (Article 9(2)(a)): You provide explicit consent when submitting wellness questionnaires, assessments, or wellness goals through our platform
• Legitimate activities (Article 9(2)(d)): Processing is carried out by our organization in the course of our legitimate wellness education activities with appropriate safeguards
• Data manifestly made public (Article 9(2)(e)): Where you voluntarily share wellness-related experiences in community forums or testimonials

You may withdraw consent for special category data processing at any time by contacting us at support@humangarage.net. Withdrawal does not affect the lawfulness of processing before withdrawal.

3.6 AI-Powered Features and Data Processing

Our Services include an AI-powered chat assistant that processes your data to provide personalized wellness guidance. In connection with these AI features, we collect and process:

• Conversation Data: Messages you send to and receive from our AI assistant
• Contextual Data: Your profile information, program enrollment, and wellness preferences used to personalize AI responses
• Usage Patterns: Frequency and topics of AI interactions for service improvement

Your AI conversation data is stored securely and is not used to train third-party AI models. You may request deletion of your AI conversation history at any time through your account settings or by contacting us.

4. How We Use Your Information

We use your personal information for the following purposes, based on legitimate interests, contractual necessity, legal obligations, or your consent:

4.1 Service Provision and Improvement

• Providing access to our wellness programs, courses, and content
• Creating and managing your user account and profile
• Processing payments and managing subscriptions
• Delivering personalized content and recommendations
• Facilitating communication between users and instructors
• Providing customer support and technical assistance
• Improving our Services through analytics and user feedback
• Developing new features and functionalities

4.2 Communication and Marketing

• Sending service-related notifications and updates
• Delivering marketing communications about our Services (with consent)
• Responding to inquiries and providing customer support
• Sending newsletters and educational content
• Notifying you about events, classes, and special offers
• Conducting surveys and collecting feedback

4.3 Legal and Security Purposes

• Complying with legal obligations and regulatory requirements
• Protecting against fraud, abuse, and security threats
• Enforcing our Terms of Use and other policies
• Resolving disputes and investigating violations
• Protecting the rights, property, and safety of Human Garage and users
• Conducting internal audits and risk assessments

4.4 Analytics and Research

• Analyzing usage patterns and user behavior
• Conducting market research and trend analysis
• Measuring the effectiveness of our marketing campaigns
• Creating aggregated and anonymized statistics
• Improving our algorithms and recommendation systems

5. Legal Basis for Processing (GDPR Compliance)

For users in the European Union, we process your personal data based on the following legal grounds:

• Consent: When you have given clear consent for specific processing activities
• Contract Performance: To fulfill our contractual obligations to provide Services
• Legitimate Interests: For our legitimate business interests that do not override your rights
• Legal Obligation: To comply with applicable laws and regulations
• Vital Interests: To protect your life or physical safety in emergency situations
• Public Task: When processing is necessary for public interest or official authority

You have the right to withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing based on consent before its withdrawal.

6. Information Sharing and Disclosure

We may disclose limited information in the following narrowly defined circumstances:

6.1 Service Providers and Business Partners

• Cloud hosting and data storage providers
• Payment processors and financial institutions
• AI and machine learning service providers
• Analytics and performance monitoring platforms
• Email and communication service providers
• Authentication and identity management providers
• Content management and delivery platforms
• Security and fraud prevention services
• Legal and professional service providers

All service providers are contractually bound to protect your information and use it only for specified purposes.

6.2 Legal Requirements and Protection

• To comply with legal obligations, court orders, or government requests
• To protect the rights, property, and safety of Human Garage, users, or the public
• To investigate and prevent fraud, abuse, or illegal activities
• To enforce our Terms of Use and other agreements
• In connection with legal proceedings or investigations

6.3 Business Transfers

In the event of a merger, acquisition, sale of assets, or bankruptcy, your personal information may be transferred to the acquiring entity, subject to the same privacy protections.

6.4 With Your Consent

We may share your information with third parties when you have given explicit consent for such sharing.

7. International Data Transfers

As a United States company operating globally, we may transfer your personal information to countries outside your jurisdiction, including:

• United States (our primary data processing location)
• Canada (service providers and business partners)
• European Union (service providers and users)
• Other countries where we have users or service providers

When transferring data internationally, we implement appropriate safeguards including:

• Standard Contractual Clauses (SCCs) approved by relevant authorities
• Adequacy decisions by competent data protection authorities
• Binding Corporate Rules for intra-group transfers
• Certification schemes and codes of conduct
• Explicit consent where required by law

8. Data Retention and Deletion

We retain your personal information only as long as necessary for the purposes outlined in this Policy or as required by applicable law:

When personal information is no longer needed, we will securely delete or anonymize it using industry-standard methods.

9. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

9.1 Universal Rights (Available to All Users)

• Right to Access: Request information about what personal data we hold about you
• Right to Correction: Request correction of inaccurate or incomplete information
• Right to Deletion: Request deletion of your personal information (subject to legal requirements)
• Right to Opt-Out: Unsubscribe from marketing communications
• Right to Data Portability: Request a copy of your data in a portable format

9.2 GDPR Rights (EU Residents)

• Right to Restrict Processing: Limit how we use your personal data
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent for consent-based processing
• Right to Lodge a Complaint: File complaints with data protection authorities
• Right to Data Protection Impact Assessment: Information about automated decision-making

9.3 CCPA/CPRA Rights (California Residents)

• Right to Know: Detailed information about data collection and use
• Right to Delete: Request deletion of personal information
• Right to Opt-Out of Sale: Opt-out of the sale of personal information
• Right to Non-Discrimination: Equal service regardless of privacy choices
• Right to Correct: Request correction of inaccurate personal information
• Right to Limit Use of Sensitive Personal Information: Restrict use of sensitive data

9.4 Exercising Your Rights

To exercise your privacy rights, contact us using the information provided in Section 15. We will respond to your request within the timeframes required by applicable law (typically 30 days for GDPR and 45 days for CCPA).

10. Children's Privacy Protection

10.1 Age Restrictions

Our Services are not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13 without verifiable parental consent.

10.2 Parental Consent for Minors (13-17 Years)

For users between 13-17 years of age, we require verifiable parental consent before collecting, using, or disclosing personal information. Parents have the right to:

• Review their child's personal information
• Request deletion of their child's personal information
• Refuse to permit further collection or use of their child's information
• Receive notification of our information practices regarding children
• Consent to collection and use but not disclosure to third parties

10.3 COPPA Compliance

We comply with the Children's Online Privacy Protection Act (COPPA) and implement additional safeguards for children's information including:

• Enhanced security measures for children's data
• Limited data collection to what is necessary for participation
• No behavioral advertising directed at children
• Parental access and control mechanisms
• Regular review and deletion of unnecessary children's data

11. Data Security and Protection Measures

We implement comprehensive security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction:

11.1 Technical Safeguards

• Encryption of data in transit and at rest using industry-standard protocols
• Multi-factor authentication for administrative access
• Regular security assessments and penetration testing
• Secure coding practices and vulnerability management
• Network security monitoring and intrusion detection systems
• Regular software updates and security patches
• Secure data backup and disaster recovery procedures

11.2 Organizational Safeguards

• Employee training on data protection and privacy practices
• Background checks for employees with access to personal information
• Confidentiality agreements and access controls
• Data protection impact assessments for high-risk processing
• Incident response procedures and breach notification protocols
• Regular audits and compliance monitoring
• Privacy by design principles in system development

11.3 Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and relevant authorities within the timeframes required by applicable law (typically 72 hours for authorities and without undue delay for individuals).

11.4 FTC Health Breach Notification Rule

As a provider of wellness education services that may handle personal wellness records, we comply with the FTC Health Breach Notification Rule (16 CFR Part 318). In the event of a breach of unsecured personally identifiable wellness information:

• We will notify affected individuals without unreasonable delay and no later than sixty (60) days after discovery of the breach
• We will notify the Federal Trade Commission as required by the Rule
• If the breach involves 500 or more individuals, we will provide notice to prominent media outlets serving the affected area
• Notifications will include a description of the breach, the types of information involved, steps individuals should take, and what we are doing in response
• We maintain a log of all breaches and make it available to the FTC upon request

12. Cookies and Tracking Technologies

12.1 Types of Cookies We Use

• Essential Cookies: Necessary for basic website functionality and security
• Performance Cookies: Collect information about how you use our Services
• Functional Cookies: Remember your preferences and personalize your experience
• Marketing Cookies: Track your activity for advertising and marketing purposes
• Third-Party Cookies: Set by our partners for analytics and advertising

12.2 Other Tracking Technologies

• Web Beacons: Small graphics that track email opens and website visits
• Pixel Tags: Monitor user behavior and measure advertising effectiveness
• Local Storage: Store information locally on your device
• Session Replay Tools: Record user interactions for analysis and improvement
• Analytics Tools: Third-party analytics and performance monitoring services

12.3 Managing Cookies

You can control cookies through your browser settings, our cookie preference center, or opt-out tools provided by advertising networks. Note that disabling certain cookies may affect the functionality of our Services.

12.4 Global Privacy Control (GPC)

We recognize and honor the Global Privacy Control (GPC) signal as a valid opt-out preference signal. When we detect a GPC signal from your browser, we will treat it as a request to opt out of the sale or sharing of your personal information, as required by the CCPA/CPRA, Colorado Privacy Act, Connecticut Data Privacy Act, and other applicable state privacy laws. You can enable GPC in your browser settings or through a browser extension. For more information about GPC, visit globalprivacycontrol.org.

13. Third-Party Services and Links

Our Services may contain links to third-party websites, applications, or services that are not owned or controlled by Human Garage. This Privacy Policy does not apply to third-party services.

13.1 Third-Party Integrations

• Social Media Platforms: Third-party social media and content sharing platforms
• Payment Processors: Third-party payment processing and financial services providers
• Analytics Services: Third-party analytics, performance, and audience measurement platforms
• Communication Tools: Email, messaging, and customer support service providers
• Cloud Services: Cloud infrastructure and hosting providers
• Marketing Platforms: Marketing automation and advertising platforms

13.2 Third-Party Privacy Practices

We encourage you to review the privacy policies of any third-party services you access through our Services. We are not responsible for the privacy practices or content of third-party services.

14. Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes through:

• Email notification to registered users
• Prominent notice on our website and mobile application
• In-app notifications and alerts
• Updates to our Terms of Use or other communications

Your continued use of our Services after the effective date of any changes constitutes acceptance of the updated Privacy Policy. If you do not agree to the changes, you should discontinue use of our Services.

15. Contact Information and Data Protection Officer

15.1 General Privacy Inquiries

15.2 Data Protection Officer (DPO)

15.3 Regulatory Authorities

If you believe we have not addressed your privacy concerns adequately, you have the right to lodge a complaint with the relevant data protection authority in your jurisdiction:

• Canada: Office of the Privacy Commissioner of Canada (www.priv.gc.ca)
• EU: Your local Data Protection Authority
• California: California Attorney General (oag.ca.gov)
• UK: Information Commissioner's Office (ico.org.uk)
• Australia: Office of the Australian Information Commissioner (oaic.gov.au)

16. Jurisdiction-Specific Provisions

16.1 California Residents (CCPA/CPRA)

In the past 12 months, we have collected the following categories of personal information: identifiers, commercial information, internet activity, geolocation data, audio/visual information, professional or employment-related information, education information, and inferences. We do not sell or share personal information with third parties as defined under the CCPA/CPRA. We only use anonymized, aggregated data for analytics and service improvement purposes. We honor the Global Privacy Control (GPC) signal as a valid opt-out of sale/sharing request. California residents may submit verified consumer requests no more than twice within a twelve-month period. We will respond within forty-five (45) days, with one extension of up to forty-five (45) additional days where reasonably necessary. We will not discriminate against you for exercising your CCPA/CPRA rights.

16.2 European Union and United Kingdom Residents (GDPR / UK GDPR)

3Embody Lifestyle LLC (d/b/a Human Garage) acts as the data controller for personal information collected through our Services. We have appointed a Data Protection Officer and EU representative as required by GDPR. Under the GDPR and UK GDPR, you have the following additional rights:

• Right to be informed about the collection and use of your personal data
• Right of access to your personal data (Subject Access Request)
• Right to rectification of inaccurate personal data
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability in a machine-readable format
• Right to object to processing, including direct marketing
• Rights related to automated decision-making and profiling
• Right to lodge a complaint with your local supervisory authority

We process your personal data only when we have a lawful basis to do so under Article 6 of the GDPR. We do not transfer your personal data outside the EEA/UK without appropriate safeguards, such as Standard Contractual Clauses. To exercise any of your GDPR rights, contact our Data Protection Officer at support@humangarage.net. We will respond within 30 days of receipt.

16.3 Herbal Supplement and Product Purchases (Canadian Entity)

All herbal supplement sales and physical product purchases are processed by Human Garage, Inc., a corporation incorporated under the laws of Canada. Personal information collected in connection with herbal supplement orders (including shipping address, payment details, and order history) is processed by Human Garage, Inc. in accordance with PIPEDA and applicable Canadian provincial privacy laws. For product-related privacy inquiries, contact support@humangarage.net.

16.4 Canadian Residents (PIPEDA)

Where applicable, we comply with PIPEDA and provincial privacy laws when processing personal information of Canadian residents. You have the right to access your personal information and request corrections. Complaints can be filed with the Privacy Commissioner of Canada.

16.5 Brazilian Residents (LGPD)

We process personal data in accordance with LGPD. You have rights to access, correct, delete, and port your personal data. Contact our Data Protection Officer for LGPD-related inquiries.

16.6 Additional U.S. State Privacy Laws

Residents of the following states have additional privacy rights similar to those provided under the CCPA/CPRA. We extend the rights described in Section 9 to residents of these states as required by applicable law:

• Virginia (VCDPA): Right to access, correct, delete, obtain a copy, and opt out of targeted advertising, sale, and profiling
• Colorado (CPA): Same rights as Virginia; we also honor universal opt-out mechanisms including GPC
• Connecticut (CTDPA): Same rights as Virginia; includes right to opt out of sale and profiling
• Texas (TDPSA): Right to access, correct, delete, and opt out of sale, targeted advertising, and profiling
• Oregon (OCPA): Right to access, correct, delete, data portability, and opt out of targeted advertising and sale
• Montana (MCDPA), Iowa, Indiana, Tennessee, Delaware, New Hampshire, New Jersey, Nebraska, Maryland, Minnesota: Substantially similar rights to access, correct, delete, and opt out of sale and targeted advertising as provided under each state's respective privacy law

To exercise your rights under any of these state laws, contact us at support@humangarage.net. We will respond within the timeframe specified by your state's applicable law (typically 45 days). If we deny your request, you have the right to appeal, and we will provide instructions for the appeal process.

16.7 Canada's Anti-Spam Legislation (CASL)

In compliance with Canada's Anti-Spam Legislation (S.C. 2010, c. 23), we commit to the following for Canadian users:

• We obtain express or implied consent before sending commercial electronic messages (CEMs) to Canadian recipients
• All CEMs include our contact information and a clear unsubscribe mechanism
• Unsubscribe requests are processed within ten (10) business days
• We do not install software or programs on your device without express consent
• Express consent is obtained through clear opt-in (not pre-checked boxes) at the time of account registration or newsletter sign-up
• Implied consent is based on an existing business relationship (e.g., you purchased a product or service within the last two years) or an existing non-business relationship (e.g., you made a donation or volunteered within the last two years)

16.8 CAN-SPAM Act Compliance

In compliance with the CAN-SPAM Act (15 U.S.C. § 7701 et seq.):

• We will not use false or misleading header information or deceptive subject lines
• All commercial messages are clearly identified as advertisements where required
• Every commercial email includes our physical mailing address: 309 Coffeen Avenue, STE 1200, Sheridan, WY 82801
• A clear and conspicuous opt-out mechanism is included in every commercial email
• Opt-out requests are honored within ten (10) business days
• We do not sell or transfer email addresses to third parties for their marketing purposes
• We monitor third-party email marketing conducted on our behalf to ensure compliance

17. Automated Decision-Making, AI, and Profiling

We may use automated decision-making, artificial intelligence, and profiling to:

• Personalize content and wellness recommendations
• Provide AI-powered chat assistance for wellness guidance
• Detect and prevent fraud
• Optimize marketing campaigns
• Improve user experience and engagement
• Match content to your wellness journey stage

17.1 AI Transparency

In compliance with the EU AI Act and Colorado AI Act, we provide the following disclosures about our AI systems:

• Our AI chat assistant uses large language models to generate responses — it is clearly identified as AI, not a human
• AI-generated content is not a substitute for professional medical, legal, or financial advice
• Your conversations with AI are processed by our AI service providers under data processing agreements
• AI inputs are not used to train third-party foundation models
• We implement human oversight of AI outputs and regularly review for accuracy and safety
• You may opt out of AI-personalized content by contacting us at support@humangarage.net

17.2 Your Rights Regarding Automated Decisions

Under GDPR Article 22 and applicable state laws, you have the right to: (a) be informed about automated decision-making; (b) request human intervention for decisions that significantly affect you; (c) express your point of view and contest automated decisions; (d) obtain an explanation of the logic involved; and (e) opt out of profiling that produces legal or similarly significant effects. We do not make any decisions based solely on automated processing that produce legal effects or similarly significantly affect you without human review.

18. Biometric and Wellness Data Protection

If we collect biometric identifiers or wellness-related information, we will:

• Obtain explicit consent before collection
• Implement enhanced security measures
• Limit retention to the minimum necessary period
• Provide clear opt-out mechanisms
• Comply with applicable data protection and privacy laws
• Use de-identification and anonymization techniques where possible

19. Marketing and Communications

19.1 Consent for Marketing

We will only send you marketing communications if you have consented to receive them. You can opt-out at any time using the unsubscribe link in our emails or by contacting us directly.

19.2 Types of Communications

• Service announcements and updates
• Educational content and wellness tips
• Event invitations and class schedules
• Product recommendations and special offers
• Newsletters and community updates
• Survey and feedback requests

20. Data Minimization and Purpose Limitation

We adhere to the principles of data minimization and purpose limitation by:

• Collecting only personal information necessary for specified purposes
• Using personal information only for the purposes for which it was collected
• Regularly reviewing and deleting unnecessary personal information
• Implementing privacy by design in our systems and processes
• Conducting privacy impact assessments for new processing activities