In One Heart

Privacy Policy

Last updated: May 2026

In One Heart ("Company," "we," "us," or "our") operates the website located at inoneheart.com (the "Site") and provides retreats, workshops, private sessions, and related services (collectively, the "Services"). This Privacy Policy describes how we collect, use, disclose, and protect information you provide to us or that we collect when you visit the Site or use our Services. By using the Site or Services, you agree to the practices described in this Privacy Policy.

1. Information We Collect

We collect information in the following ways:

a. Information You Provide Directly

  • Contact and identity information: your name, email address, phone number, and country when you contact us, subscribe to our newsletter, or submit an application or booking.
  • Application and intake information: personal history, intentions, emotional or mental health history, physical health conditions, dietary requirements, and emergency contact details provided when applying for a retreat, workshop, or private session. This information is collected solely to assess participant suitability and ensure safety.
  • Payment information: billing name, address, and card or payment details. Payment transactions are processed entirely by Stripe, Inc. and/or PayPal, Inc. We do not store, access, or retain full payment card numbers on our servers.
  • Communications: messages you send us via email, contact forms, or our AI chat assistant.

b. Information Collected Automatically

  • Usage data: pages visited, time on site, links clicked, and referring URLs, collected through analytics services.
  • Device and browser data: IP address, browser type, operating system, and device identifiers.
  • Cookies and similar technologies: session cookies necessary for the Site to function, and analytics cookies as described in Section 5 below.

2. How We Use Your Information

We use the information we collect to:

  • Process, confirm, and manage applications and bookings for our Services
  • Communicate with you about your booking, application status, event logistics, and related matters
  • Send order confirmations, receipts, and transactional emails
  • Send newsletters, promotions, and updates you have subscribed to (you may unsubscribe at any time)
  • Assess participant suitability and ensure physical and emotional safety at our events
  • Send post-event follow-up communications and support materials
  • Operate, improve, and personalise our Site and Services
  • Comply with applicable legal obligations
  • Enforce our Terms & Conditions and protect the rights, property, and safety of In One Heart and others

3. Sensitive Health Information

Our applications collect health-related information — including physical conditions, mental health history, and medication use — to evaluate whether our offerings are appropriate for each individual and to plan appropriate support. This information is treated as strictly confidential. It is accessible only to In One Heart's facilitation and administrative team on a need-to-know basis and is never sold or shared with third parties, except:

  • where you have given explicit consent;
  • in a medical emergency where disclosure is necessary to protect your life or the life of another; or
  • as required by applicable law or a valid legal process.

By submitting health information in an application or intake form, you expressly consent to our collection and use of that information for the purposes described in this Policy.

4. Email Communications — CAN-SPAM Compliance

We comply with the federal CAN-SPAM Act. All marketing emails we send will: (i) clearly identify the sender; (ii) include a valid physical mailing address; (iii) include a clear and conspicuous unsubscribe mechanism; and (iv) honor opt-out requests within 10 business days. Transactional emails (order confirmations, booking confirmations) are not subject to opt-out, as they are necessary to complete your purchase or booking.

To unsubscribe from marketing communications, click the "Unsubscribe" link in any email we send you or email us at hello@inoneheart.com.

5. Cookies

We use cookies and similar tracking technologies on the Site:

  • Strictly necessary cookies: Required for the Site to function correctly (e.g., session management, cart functionality). These cannot be disabled.
  • Analytics cookies: We use Google Analytics and PostHog to understand aggregate website usage. These services may set cookies that collect anonymised information about how visitors use the Site. You can opt out of Google Analytics by visiting tools.google.com/dlpage/gaoptout.

You can control and delete cookies through your browser settings at any time.

6. Third-Party Service Providers

We share information with the following third-party service providers only to the extent necessary to provide our Services. Each provider is contractually bound to protect your data and use it only for the specified purpose:

We do not sell, rent, or trade your personal information to any third party for their own marketing purposes.

7. Data Retention

We retain personal information for as long as necessary to fulfil the purposes described in this Policy, plus a reasonable additional period to comply with legal obligations and resolve disputes:

  • Application and booking data: retained for up to 5 years after the last event you attended or applied for.
  • Newsletter subscriber data: retained until you unsubscribe. Upon unsubscribing, your email address is removed from active mailing lists within 10 business days.
  • Financial records: retained for 7 years as required by applicable tax and accounting laws.
  • Analytics data: retained in anonymised or aggregated form indefinitely.

8. Your Privacy Rights

Depending on your state of residence, you may have the following rights regarding your personal information:

  • Access: request a copy of the personal information we hold about you.
  • Correction: request correction of inaccurate or incomplete data.
  • Deletion: request that we delete your personal information, subject to certain legal exceptions.
  • Opt-out of marketing: unsubscribe from promotional communications at any time.
  • Data portability: request your data in a portable, machine-readable format (where technically feasible).

To exercise any of these rights, email us at hello@inoneheart.com with your full name and a description of your request. We will respond within 45 days. We may need to verify your identity before fulfilling your request.

9. California Residents — CCPA/CPRA Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • Right to Know: You have the right to know what categories of personal information we collect, the purposes for which it is used, and the categories of third parties with whom it is shared.
  • Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
  • Right to Correct: You have the right to correct inaccurate personal information.
  • Right to Opt Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioural advertising. You do not need to opt out.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
  • Sensitive Personal Information: We collect sensitive personal information (health data) as described in Section 3. We use this information solely to provide and improve our Services and do not use it for any other purpose requiring a limitation notice.

To submit a CCPA request, contact us at hello@inoneheart.com or by mail at the address in Section 13. We will verify your identity and respond within 45 days (extendable by an additional 45 days with notice).

10. Data Security

We implement commercially reasonable technical and organisational safeguards designed to protect your personal information against unauthorised access, disclosure, alteration, or destruction. These include encrypted data transmission (TLS/HTTPS), restricted administrative access, and use of industry-standard cloud infrastructure. However, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security. In the event of a data breach affecting your rights, we will notify affected individuals in accordance with applicable law.

11. Children's Privacy — COPPA

Our Services are directed solely to individuals aged 18 and older. We do not knowingly collect, solicit, or retain personal information from anyone under the age of 13 in accordance with the Children's Online Privacy Protection Act (COPPA). If we become aware that we have inadvertently collected personal information from a child under 13, we will delete it promptly. If you believe a minor has provided us with personal information, please contact us immediately at hello@inoneheart.com.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. The "Last updated" date at the top of this page will reflect the most recent revision. For material changes, we will provide notice via email or a prominent notice on the Site. Your continued use of the Site or Services after any changes constitutes acceptance of the updated Policy.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

In One Heart
Email: hello@inoneheart.com