Clario Life LLC — Privacy Policy
Effective date: August 27th 2025

1. Introduction, Scope, and Controller

1.1 This Privacy Policy explains how Clario Life LLC (“Clario Life,” “we”, “us”, or “our”) collects, uses, shares and protects personal information relating to users of our platform and services (the “Services”). The Services operate at www.clariolife.com and related sites, apps and integrations.
1.2 Controller. The data controller is Clario Life LLC. For EU/UK processing concerns and data subject requests from the EU/UK, contact: info@clariolife.com.
1.3 Scope. This Policy applies to Clients, Coaches, and visitors worldwide. It covers collection from forms, bookings, video sessions, emails, analytics, and third-party integrations (Stripe, Calendly, Zoom, Google Workspace, AWS, analytics).

2. Key Definitions

2.1 “Personal Data” means any information that identifies or can reasonably identify an individual.
2.2 “Special Category” or sensitive data includes health-related information, including disclosures of medical conditions or mental health issues. Clario Life avoids collecting sensitive data as a matter of design; if collected, we obtain explicit consent and apply extra safeguards.

3. Categories of Personal Data We Collect

We collect the following categories where necessary for provision of Services:

A. Registration & Profile Data

Name, email, phone, date of birth (optional), country, time zone, profile photo, biography, credentials (for Coaches).

B. Identity & Verification Data

ID documents, background-check data, qualification certificates (Coaches where required).

C. Payment & Billing Data

Payment card details (tokenized by Stripe), billing address, tax information, invoices, refund history.

D. Session Data

Session scheduling metadata (date, time, coach), session notes (if Client or Coach records notes), session duration, session-type.

E. Audio/Video/Transcript Data

If recorded with consent: audio/video files, transcripts, and derivative materials. (Stored per retention policy and with explicit consent.)

F. Messaging / Communication

In-platform messages, emails, support tickets, and chat logs.

G. Device & Usage Data

IP address, device type, browser, operating system, log data, pages visited, referral data, cookies and analytics identifiers.

H. Marketing Data

Newsletter opt-ins, marketing preferences, campaign engagement.

I. Coach-supplied Materials

Coaching exercises, worksheets, program materials uploaded by Coaches.

J. Legal & Safety Data

Reports of abuse, incident logs, complaint materials.

4. Purposes of Processing & Legal Bases

We process personal data for the following purposes and lawful grounds:

A. Contract Performance (GDPR Art. 6(1)(b)) / Necessary for Contract

Purpose: deliver the Services, book sessions, process payments, provide customer support.

Data: registration, payment, booking, scheduling data.

B. Legitimate Interests (GDPR Art. 6(1)(f))

Purpose: fraud prevention, platform security, service improvement, analytics, direct marketing (subject to opt-out rights).

Data: usage data, IP, device data, cookies.

We conduct LIA for any new processing based on legitimate interest and document mitigation.

C. Consent (GDPR Art. 6(1)(a) & special category Art. 9 where applicable)

Purpose: processing sensitive data (rare), recording sessions, marketing beyond transactional messages, cross-border transfers where needed.

Data: explicit consent for recordings, marketing preferences.

D. Legal Compliance

Purpose: respond to legal requests, tax reporting, record retention for financial audits.

Data: billing, identity verification.

E. PIPEDA (Canada) Basis

PIPEDA requires knowledge & consent for collection, use, disclosure except where otherwise permitted. We rely on consent for non-essential uses, and contract performance/legitimate interest for core Services.

F. CCPA/CPRA

For California residents we process personal data as a business; legal bases are business purposes and contractual necessity. California residents have opt-out rights for sale/sharing — Clario Life does not “sell” personal information as commonly defined, but we honor opt-out requests and disclose data sales/sharing if relevant.

5. Sharing and Third-Party Processors

5.1 We share data with service providers who perform functions on our behalf under contract and DPA: for example Stripe (payments), Calendly (scheduling), Zoom (video), Google Workspace (email, drive), AWS (hosting), Mixpanel/GA (analytics), and email platforms.
5.2 We require DPAs with processors, restrict their use to authorized processing, and require technical & organizational measures. See Appendix: Processor List.
5.3 We may disclose data to: (a) comply with legal obligations or court orders; (b) protect safety and rights of others; (c) enforce Terms; (d) corporate transactions (M&A) — with notice and opt-out rights where required by law.
5.4 We do not sell personal data to third parties for unrelated commercial uses. If this changes, we will update the Policy and obtain necessary consent / provide opt-outs.

6. Cross-Border Transfers & Safeguards

6.1 International transfers: Clario Life operates internationally. Personal data may be processed and stored in the U.S., Canada, South Africa, Israel, and AWS regions. Transfers will be protected by:

EU Standard Contractual Clauses (SCCs) where transferring EU data outside the EEA/UK;

SCCs or similar contractual safeguards for transfers to South Africa and Israel;

Relying on explicit consent for certain transfers where appropriate;

Implementing technical safeguards (encryption, access controls).
6.2 EU/UK Data Export: For transfers to the U.S./other countries where adequacy is not recognized, Clario Life will (a) use SCCs, and (b) document transfer impact assessments. Consider appointing an EU/UK representative if you process large-scale EU personal data. Consult EU counsel for SCC implementation.
6.3 South Africa & Israel: ensure vendor DPAs include local transfer clauses; consider local counsel review for adequacy if processing sensitive categories.

7. Cookies and Tracking (short)

7.1 See the separate Cookie Policy below. We use essential cookies (required for the site to function), performance/analytics cookies, and marketing cookies. We require opt-in for non-essential cookies under GDPR.

8. Retention & Deletion (Concrete Periods)

We retain data only as long as needed for the purpose and legal obligations:

Account profile data: retained while account active + 2 years after deactivation for business continuity and fraud prevention.

Payment & billing records: retained for 7 years for tax/audit (align with local tax law). [Adjust to local counsel].

Session metadata (booking history):5 years after last activity.

Session notes (Coach notes):5 years (or longer if consent and business need) — Coaches must not keep separate copies outside the platform.

Session recordings (audio/video/transcripts):90 days by default, unless Client or Coach gives explicit, documented consent to longer storage (e.g., 1 year) — recordings are deleted or archived per request. (If you plan longer retention, state and get explicit consent.)

Support tickets and logs:2 years.

Marketing opt-in data: until opt-out.

Legal holds: where litigation or compliance requires, data may be retained beyond the above periods.

Rationale: periods balance operational needs, consumer expectations, and legal obligations. Local laws may require different retention — consult counsel for jurisdictional adjustments.

9. Data Subject Rights and How to Exercise Them

9.1 Rights (varies by jurisdiction): access, rectification, deletion (right to be forgotten), restriction, objection, portability, withdraw consent, and complain to a supervisory authority. California residents have additional rights under CCPA/CPRA (right to know, delete, opt-out of sale, nondiscrimination).
9.2 How to Submit a Request: send an email to privacy@clariolife.com with subject line “DSR Request: [Type]” and include: name, email associated with account, jurisdiction, and description. For deletion or access, we will verify identity (we may request government ID or other verification).
9.3 Timeline: We will acknowledge within 5 business days and respond substantively within 30 calendar days. We may extend by 30 days with notice where necessary.
9.4 Fees: We do not charge for standard DSRs. We may charge a reasonable fee for manifestly unfounded or excessive requests.

10. Security Measures

10.1 Controls: encryption in transit (TLS 1.2+), encryption at rest for sensitive storage (AWS KMS), role-based access control, least privilege, 2FA for admin access, secure key management, and vulnerability scanning.
10.2 Operational: logging & monitoring, incident response plan, regular penetration testing (annual), internal access reviews quarterly, security training for staff, background checks for admin personnel with access to personal data.
10.3 Vendor Security: DPAs require SOC 2/ISO27001 or equivalent and right to audit (see Vendor checklist).

11. Children’s Privacy

11.1 Our Services are not directed to children under the age of majority. We will not knowingly collect data from minors. If we become aware a minor’s data was collected, we will delete it as soon as feasible and notify parent/guardian as required by local law (COPPA, PIPEDA/Canada). We require parental consent where applicable.

12. Automated Decision-Making and AI

12.1 If Clario Life deploys AI assistance or profiling (e.g., automated coaching suggestions, matching), we will disclose the logic, meaningful information about the processing, and offer human review and opt-out. (See AI Disclosure template below.)
12.2 If profiling yields legal or similarly significant effects, we will obtain explicit consent where required.

13. Breach Notification Procedures

13.1 Incident Response: on discovery of a data breach, Clario Life will: (a) contain and remediate; (b) assess risk to data subjects; (c) notify supervisory authority within 72 hours for GDPR-relevant incidents where feasible; (d) notify affected data subjects without undue delay where there is high risk to their rights. For Canada/PIPEDA we will notify “as soon as feasible” and follow applicable provincial rules; for U.S. state law incidents, we will comply with state-specific timelines (many require prompt notice—often 30-60 days).
13.2 Content of Notification will include nature of breach, categories of data affected, mitigation steps taken, and contact information (privacy@clariolife.com).

14. International Notices & Jurisdictional Caveats

14.1 Canadian Users: PIPEDA grants rights including access and correction. Some provincial rules (Quebec, BC, Alberta) impose extra requirements — consult local counsel. Arbitration and waiver of certain consumer rights may be limited under Canadian law.
14.2 EU/UK Users: You have rights under GDPR — access, rectification, erasure, restriction, portability, complaint to a supervisory authority. For transfers outside the EEA/UK, we rely on SCCs or appropriate safeguards.
14.3 California Users: You have rights under CCPA/CPRA (right to know, delete, opt-out of sale / sharing). To submit a request as a California resident use privacy@clariolife.com with “California DSR” subject.

15. Contact, DPO Recommendation, and Supervisory Authority Info

15.1 Data contact: info@clariolife.com (DSR requests, privacy concerns).
15.2 DPO: If processing EU/UK data at scale, designate a DPO: [DPO email placeholder].
15.3 Supervisory authority contact: EU/EEA data subjects may contact their local supervisory authority. For UK data subjects: ICO. For Canadian subjects: OPC or provincial privacy regulator as applicable.

16. Changes to this Policy

16.1 We may update this Policy. We will post the updated Policy with an effective date at the top and notify active users by email for material changes.

17. Appendix — Key Processors

Stripe — payments (processor) — stores tokenized payment data. DPA required.

Calendly — scheduling (processor).

Zoom — video hosting (processor).

Google Workspace — email/storage (processor).

Squarespace — hosting and storage (processor).

Analytics: Google Analytics / Mixpanel.
Each integration is governed by a DPA that limits uses and imposes security obligations.