Privacy Policy
How we collect, use, and protect your information, including the sensitive health and wellbeing context you trust us with.
Last Updated: 8 May 2026
1. Who we are
Heart iQ runs services through two legal entities, working together. Heart iQ Network LLC is the contracting party for every Heart iQ programme worldwide. New Eden B.V. owns the Sanctuary in the Netherlands and processes payment for retreats held there. Both are described in our Terms & Conditions.
- Heart iQ Network LLC (a Wyoming, USA limited liability company, mailing address 9450 SW Gemini Dr, Beaverton, OR 97008-7105) is the data controller for programme-related personal data: the Application Form you complete to enrol, intake conversations, programme participation, session recordings used for replays, course progress, community posts, the AI Oracle, and the newsletter. This applies to all programmes whether online (90-Day Challenge, Fellowship, Academy practicum, Heart iQ Experience) or in-person (retreats at the Heart iQ Sanctuary in the Netherlands and at partner venues in the United States).
- New Eden B.V. (a Netherlands private limited company, registered office Sparjeburd 2, 8409 CK Hemrik, KvK 64284328, BTW NL855599261B01) is the data controller for venue and payment-agent activities for retreats held at the Heart iQ Sanctuary: the Dutch tax invoice, accommodation logistics, on-site rooming, dietary requirements at the venue, accessibility needs at the venue, and (for the Sanctuary segment of a retreat booking) the payment record. New Eden is not involved in online programmes or in retreats held in the United States.
For a retreat booking at the Sanctuary, both entities process the same booking record. We operate as joint controllers under Article 26 GDPR for the booking record itself; New Eden alone is the controller for the venue-side activity above; Heart iQ Network LLC alone is the controller for the programme-side activity above. To make things simple, you can exercise any data right against either entity by emailing connect@heartiq.org and the request will be routed to whichever entity holds the relevant data.
2. What we collect
Account and contact information
Name, email, phone, billing address, country, time zone, and similar identifiers. We use this to register your account, send you account and service emails, and (for retreats) issue the Dutch tax invoice for your booking.
Application Form and intake
For every Heart iQ programme we ask you to complete an Application Form so the facilitation team can decide whether the programme is a good fit for you and how to support you during it. Some questions are optional and are clearly marked. We may also invite you to a short intake conversation online before approving an application; we keep brief notes from that conversation. Both the Application Form and the intake notes are processed by Heart iQ Network LLC.
Health and wellbeing context (special category data)
Several fields are about your physical or mental health: the booking wizard's optional "mental health and wellbeing" field, the "accessibility needs" field, the dietary requirements field, the relevant sections of the Application Form, and any health context you share during an intake conversation. The Terms also ask you to inform us promptly if your physical or mental condition materially changes between application and the start of a programme; whatever you share in that follow-up is treated the same way. Anything you submit to the ethics grievance form is also treated to the same standard.
Everything in this category is special category data under Article 9 GDPR and held to a higher protection standard. We collect it only when you actively choose to share it. The legal basis is your explicit consent under Article 9(2)(a) GDPR, separate from the consent you give for general booking processing. You can withdraw that consent at any time by emailing connect@heartiq.org and we will delete the field from your record. The surrounding booking or application is retained where we are still legally obliged to keep it (for example, the Dutch tax invoice on a confirmed retreat booking); only the special category fields are removed.
Session recordings and replay videos
Live online programme calls (and selected segments of in-person retreats) are recorded so participants who cannot attend live, or who want to revisit the material, can watch the replay inside the member portal. Recordings are stored on Vimeo and are accessible only to enrolled participants of that programme. Where you may appear on a recording, the facilitator will announce at the start of the session that it is being recorded, and you can choose to keep your camera off or request edits before the replay is published. We do not publish recordings outside the member portal without explicit consent from the participants who appear on them.
Payment information
Card details are collected and processed by Stripe Payments Europe Ltd. We never see or store your full card number; we store only a tokenised reference issued by Stripe so that we can charge the deferred 75% balance for retreat bookings 30 days before the retreat begins, and so that you can be issued a refund if you are entitled to one.
Course progress and community activity
If you are enrolled in an online programme, we record which lessons you have completed and any comments or community posts you publish. Your community profile (name, avatar, bio) is visible to other logged-in members of spaces you have joined.
Usage and device data
Server logs, IP address, browser type, pages visited. We use this for security (rate limiting, abuse detection) and for short-term server-side diagnostics. We do not currently run third-party analytics (no Google Analytics, no Facebook pixel, no advertising SDKs). If we add cookie-based analytics in future, we will only enable them after you give consent.
3. Why we process it, and on what legal basis
| Purpose | Legal basis (Art. 6) | Article 9 basis if applicable |
|---|---|---|
| Process retreat bookings, charge deposits and balances, issue invoices | 6(1)(b) Contract | — |
| Application Form screening: decide whether a programme is a fit for you | 6(1)(b) Pre-contractual measures at your request | 9(2)(a) Explicit consent (for any health information you share) |
| Online intake conversation, including notes the facilitator takes | 6(1)(b) Pre-contractual measures at your request | 9(2)(a) Explicit consent (for any health information you share) |
| Hold optional health, wellbeing, accessibility disclosures so the facilitation team can support you safely | 6(1)(a) Consent | 9(2)(a) Explicit consent |
| Record live programme sessions and host them as replays inside the member portal | 6(1)(b) Contract (you booked a programme that includes replays) | — |
| Use a recording for promotional purposes outside the member portal | 6(1)(a) Consent (separate, per-recording) | — |
| Process and follow up on ethics grievance reports | 6(1)(f) Legitimate interest (safety of participants) | 9(2)(a) Explicit consent at submission |
| Send transactional and account emails | 6(1)(b) Contract | — |
| Newsletter and marketing emails | 6(1)(a) Consent (opt-in checkbox) | — |
| Run online courses, track progress, host community | 6(1)(b) Contract | — |
| Comply with Dutch tax and accounting obligations (retreat invoices) | 6(1)(c) Legal obligation (Article 52 AWR, 7-year retention) | — |
| Detect, prevent, and respond to fraud, abuse, and security incidents | 6(1)(f) Legitimate interest | — |
4. Who we share your data with (named processors)
We never sell your data. We share it only with the following processors, each acting under a written data processing agreement. The country listed is where the processor primarily stores or processes the data.
- Supabase (Frankfurt, EU): Primary database, authentication, file storage. Holds bookings, profiles, course progress, community content.
- Netlify (USA): Web hosting and CDN.
- Stripe Payments Europe Ltd (Ireland, EU) and Stripe, Inc. (USA): Payment processing.
- Resend (USA): Transactional email delivery (bookings, account, ethics intake).
- Anthropic, PBC (USA): The AI Oracle inside the member portal sends your queries to Anthropic Claude under their commercial terms.
- Airtable, Inc. (USA): Operations mirror used by the retreat team for guest list, dietary and rooming logistics. Mental health, accessibility, and emergency-contact fields are not mirrored to Airtable; they remain only in Supabase.
- HighLevel, Inc. (USA): CRM used for marketing automation. Stores your email and lifecycle tags only.
- Vimeo, Inc. (USA): Video hosting for course lessons.
We may also disclose information when required by law, court order, or to protect the safety of participants, staff, or the public.
5. International transfers
Some of the processors above are based in the United States. Where personal data leaves the European Economic Area (EEA), we rely on the European Commission's Standard Contractual Clauses (2021) and, where applicable, the EU-U.S. Data Privacy Framework. The DPA we hold with each US processor includes those clauses.
We do not transfer special category data (health, wellbeing, grievance reports) outside the EEA. Those fields remain inside the EU-hosted Supabase database.
6. How long we keep it
- Retreat invoices and booking records: 7 years from issue (Dutch tax law, Article 52 AWR).
- Application Form and intake notes: for the duration of the programme, plus up to 24 months after completion to support follow-up programmes; deleted on request thereafter unless we are still legally obliged to keep it.
- Health, wellbeing, accessibility disclosures: deleted within 90 days of the retreat end date, or sooner on request.
- Session recordings used as replays: for as long as the programme they belong to is offered, plus 12 months grace for late catch-up; recordings are deleted on the same schedule as the programme's archive.
- Ethics grievance submissions: retained for the duration of the investigation plus 5 years for the protection of all parties; anonymised summaries may be kept longer for safeguarding policy review.
- AI Oracle conversation history: 30 days, then automatically deleted.
- Course progress and community posts: for the lifetime of your account, plus 12 months after closure.
- Server access logs: 30 days.
- Audit trail of admin reads of sensitive data: 2 years (used for breach forensics).
- Marketing email contact records: until you unsubscribe, plus a suppression record indefinitely so we do not email you again.
7. Your rights
If we hold personal data about you, GDPR gives you the following rights. We will respond within one month of a verified request.
- Access the personal data we hold about you (Article 15)
- Have inaccurate data corrected (Article 16)
- Have your data erased, subject to our retention obligations above (Article 17)
- Restrict processing while a dispute is resolved (Article 18)
- Receive a portable copy of the data you provided (Article 20)
- Object to processing based on legitimate interest (Article 21)
- Withdraw consent for processing that relies on it (Article 7), including special category data
- Not be subject to a solely automated decision with legal or significant effects (Article 22). We do not make such decisions.
To exercise any of these rights, email connect@heartiq.org. We will verify your identity before acting and will not charge a fee unless your request is manifestly unfounded or excessive.
8. Cookies and similar technologies
We use only strictly necessary cookies for authentication, session continuity, and CSRF protection. Without them the site cannot function, so they do not require consent. We do not currently set analytics, advertising, or third-party tracking cookies. If that changes, we will publish an updated policy and add a consent prompt before any non-essential cookie is set.
9. How we protect your data
We use TLS for data in transit, encryption at rest in Supabase, role-based access control on admin functions, row-level security policies on the database, audit logging of sensitive reads, and rate limiting on public endpoints. The retreat team accesses health and grievance data only through admin routes that are server-side authenticated; access is logged.
If a breach happens that is likely to result in a risk to your rights and freedoms, we will notify the Dutch supervisory authority (Autoriteit Persoonsgegevens) within 72 hours of becoming aware, and we will notify you directly without undue delay.
10. Children
Our services are intended for adults aged 18 and over. We do not knowingly collect personal data from children. Where a booking is made for a child, the booking adult is the data subject and provides the child's information under their parental responsibility.
11. Changes to this policy
We may update this policy. The "Last Updated" date at the top reflects the most recent version. Material changes are notified by email to active users.
12. Contact and complaints
For privacy questions or to exercise any of your rights:
The fastest way to reach the right team is connect@heartiq.org — this inbox is monitored for both entities and a privacy request will be routed to whoever holds the relevant data. If you would like to address a specific entity directly, their details are below.
Heart iQ Network LLC (programmes, content, community, online courses)
9450 SW Gemini Dr, Beaverton, OR 97008-7105, USA
Wyoming limited liability company
Phone: +1 (914) 912-4670
Email: connect@heartiq.org
New Eden B.V. (Heart iQ Sanctuary, retreat venue, accommodation, payment agent)
Sparjeburd 2, 8409 CK Hemrik, the Netherlands
KvK 64284328 · BTW NL855599261B01
Venue and accommodation queries: info@neweden.org
Privacy and data requests: connect@heartiq.org
If your concern is about safety, conduct, or an ethics matter rather than data, please use the grievance form — we acknowledge formal grievances within 5 business days.
If you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority:
- Netherlands: Autoriteit Persoonsgegevens
- Or the supervisory authority of your country of residence within the EEA.
© 2026 New Eden B.V. and Heart iQ Network LLC. All rights reserved.