Privacy Policy

1. Introduction

Eightfold Path LLC ("we," "our," "us," or "the Platform") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our website, mobile applications, and services (collectively, the "Services").

By using our Services, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our Services.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

• Email address (required for account creation and authentication)
• Full name (optional, for personalization)
• Password (encrypted and hashed, never stored in plain text)
• Profile information you choose to provide (avatar, bio, preferences)
• Authentication data if you sign in with Google OAuth

2.2 Chat Conversations and Content

When you interact with Noah AI, we collect:

• Your questions and prompts ("Inputs") to the AI assistant
• AI-generated responses ("Outputs")
• Conversation history (stored so you can review past interactions)
• Feedback and ratings you provide on responses (thumbs up/down, corrections)
• Content you access (episodes, articles, courses you view)

Important: If you include personal information in your chat conversations (such as details about your life, relationships, health, or other sensitive topics), that information will be stored as part of your conversation history. Please be mindful of what you share.

2.3 Payment Information

If you subscribe to a paid tier, we collect:

• Billing information (processed securely through Stripe - we never see your full credit card number)
• Subscription details (tier, billing cycle, payment history)
• Transaction records for accounting and support purposes

2.4 Technical Information

When you use our Services, we automatically collect:

• Device information (device type, operating system, browser type and version)
• IP address (for security, fraud prevention, and approximate location)
• Usage data (pages visited, features used, time spent, click patterns)
• Log data (error reports, performance metrics, system diagnostics)
• Referrer information (how you found our site)

3. How We Use Your Information

We use the information we collect to:

• Provide and maintain our Services - Deliver AI responses, store conversation history, manage your account
• Process transactions - Handle subscription payments, send receipts, manage billing
• Improve Noah AI - Train and refine the AI model to provide better, more accurate responses (see Section 4 for details)
• Personalize your experience - Remember your preferences, show relevant content, customize your dashboard
• Communicate with you - Send account notifications, service updates, respond to support requests
• Ensure security - Detect fraud, prevent abuse, protect against unauthorized access
• Comply with legal obligations - Meet regulatory requirements, respond to legal requests
• Analyze usage patterns - Understand how users interact with the platform to improve features

4. AI Chat Conversations & Training

This section explains how your conversations with Noah AI are used to improve the service.

4.1 How Conversations Are Used

Your conversations with Noah AI may be used to improve the quality, accuracy, and helpfulness of future responses. This helps us:

• Better understand the types of questions users ask
• Identify areas where the AI needs improvement
• Train the model to provide more relevant and accurate answers
• Develop new features and capabilities

4.2 De-Identification Process

Before any conversation data is used for training purposes, it is de-identified. This means:

• Your name, email address, and other account identifiers are removed
• Any information that could directly identify you is stripped out
• The content cannot be traced back to you personally
• Only the conversation text itself (questions and answers) is used, without any connection to your identity

You can engage freely with Noah AI knowing that your personal questions about relationships, struggles, spiritual practice, or life challenges are not tied to your identity when used for training.

4.3 Opt-Out Option

By default, your conversations are used to improve Noah AI (with de-identification as described above). However, you can opt out at any time by visiting your account settings and toggling off the "Use my conversations for AI training" option.

If you opt out:

• Your conversations will still be stored for your personal history
• Your conversations will not be used to train or improve the AI model
• You can change this setting at any time

4.4 Safety Exceptions

Even if you opt out, we may still review conversations that are flagged for safety, security, or policy violations. This helps us:

• Detect harmful content or misuse of the service
• Enforce our Terms of Service and Usage Policy
• Advance AI safety research
• Protect other users and the platform

5. Data Sharing and Disclosure

We do not sell your personal information. We may share your data in the following circumstances:

5.1 Service Providers

We share data with trusted third-party service providers who help us operate the platform:

• Supabase - Database hosting, authentication, and data storage
• Stripe - Payment processing (they handle all credit card transactions securely)
• Railway - Application hosting and infrastructure
• Brevo - Email delivery for transactional and marketing emails, and behavior-based automation tracking for users who opt into Practice Support (see Section 9.2 for details)
• PostHog - Product analytics, event tracking, and session recording to improve the platform (see Section 9.4 for details)
• AI Model Providers - Your chat requests are sent to OpenAI, Anthropic, Google, or other AI providers to generate responses. These providers process your prompts but do not use them for training their models (we use their APIs, not their consumer products).

All service providers are contractually obligated to protect your data and use it only for the purposes we specify.

5.2 Legal Requirements

We may disclose your information if required by law or to:

• Comply with legal obligations, court orders, or government requests
• Protect our rights, property, or safety, or that of our users
• Investigate potential violations of our Terms of Service
• Prevent fraud, abuse, or illegal activity

5.3 Business Transfers

If Eightfold Path LLC is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control.

6. Data Retention

We retain your information for different periods depending on the type of data:

• Account information - Retained while your account is active and for up to 30 days after account deletion
• Conversation history - Retained while your account is active. If you delete your account, conversations are deleted within 30 days
• Payment records - Retained for 7 years as required by tax and accounting laws
• De-identified training data - May be retained indefinitely as it cannot be linked back to you
• Log data - Retained for up to 90 days for security and debugging purposes

You can request deletion of your account and data at any time through your account settings or by contacting us. Some information may remain in backups for a limited period but will be permanently deleted according to our retention schedule.

7. Your Rights and Choices

You have the following rights regarding your personal information:

• Access - Request a copy of the personal data we hold about you
• Correction - Update inaccurate or incomplete information through your account settings
• Deletion - Request deletion of your account and associated data
• Export - Download your conversation history and account data in a portable format
• Opt-out of AI training - Disable use of your conversations for AI improvement (see Section 4.3)
• Marketing preferences - Unsubscribe from marketing emails (transactional emails will still be sent)
• Account controls - Manage your subscription, update payment methods, change password

To exercise these rights, visit your account settings or contact us at [email protected].

Note for EU residents: If you are located in the European Economic Area, you have additional rights under GDPR, including the right to lodge a complaint with your local data protection authority. See Section 11 for more information.

8. Data Security

We implement industry-standard security measures to protect your personal information:

• Encryption in transit - All data transmitted between your device and our servers uses HTTPS/TLS encryption
• Secure password storage - Passwords are hashed using bcrypt and never stored in plain text
• Access controls - Only authorized personnel have access to personal data, and access is logged
• Regular security audits - We review and update our security practices regularly
• Secure infrastructure - Our hosting providers (Supabase, Railway) maintain industry-leading security standards

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.

If we become aware of a data breach that affects your personal information, we will notify you and relevant authorities as required by applicable law.

9. Cookies and Tracking Technologies

9.1 Essential Cookies

We use essential cookies and similar technologies to operate our Services:

• Session cookies - Maintain your login session and preferences
• Authentication cookies - Remember that you're logged in
• Security cookies - Help protect against fraud and unauthorized access

We do not use tracking cookies for advertising purposes. We do not sell your data to advertisers, and we do not participate in third-party advertising networks.

9.2 Behavior Tracking for Practice Support

If you opt into our Practice Support email list (via your account settings), we use Brevo's tracking technology to personalize your learning experience and send relevant practice reminders. This includes:

• First-party cookie - A cookie (sib_cuid) is set to identify you as a visitor across page visits. This cookie is only associated with your Brevo contact record if you are logged in and have opted into Practice Support.
• Page visit tracking - We track which pages you visit (courses, lessons, podcast episodes) to understand your learning progress and send personalized practice nudges.
• Custom events - We track specific actions like starting or completing a lesson to trigger relevant follow-up emails.

Who is tracked: Only authenticated users who have opted into Practice Support are identified and tracked. Anonymous visitors and users who have not opted in are not associated with any tracking data.

How to opt out: You can disable Practice Support tracking at any time in your account settings by toggling off "Practice Support from Noah." This will stop all behavior tracking and associated automation emails.

9.3 Email Link Tracking

Emails we send may include tracking parameters in links (_se for transactional emails,_sc for marketing emails). These parameters help us:

• Identify you when you click a link from an email (so we can personalize your experience)
• Measure email engagement (which links are clicked)
• Trigger automation workflows (e.g., follow-up emails based on your activity)

These tracking parameters are first-party (between you and Eightfold Path) and are not shared with third-party advertisers. We strip these parameters from our analytics to prevent URL fragmentation.

9.4 Analytics

We use PostHog for product analytics to understand how users interact with our platform. PostHog helps us track page views, feature usage, and user journeys to improve the learning experience.

• Event tracking - We track actions like viewing episodes, starting courses, and using chat features
• Session recording - We may record browsing sessions to identify usability issues (recordings exclude sensitive form inputs)
• Revenue tracking - We track subscription and contribution events to measure platform sustainability

PostHog data is used solely to improve the Eightfold Path platform and is not shared with third-party advertisers. We do not sell your analytics data.

You can control cookies through your browser settings. However, disabling cookies may affect the functionality of our Services.

10. Children's Privacy

Our Services are not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at [email protected].

If we become aware that we have collected personal information from a child under 13 without parental consent, we will take steps to delete that information promptly.

11. International Users and Data Transfers

Eightfold Path LLC is operated from the United States. If you access our Services from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States.

By using our Services, you consent to the transfer of your information to the United States and to the processing of your information as described in this Privacy Policy.

For users in the European Economic Area (EEA), United Kingdom, or Switzerland:

• We process your personal data based on legitimate interests (to provide and improve our Services), contract performance (to fulfill our Terms of Service), and your consent (for marketing communications and AI training, where applicable)
• You have the right to access, rectify, erase, restrict processing, object to processing, and data portability
• You have the right to withdraw consent at any time (this does not affect processing that occurred before withdrawal)
• You have the right to lodge a complaint with your local data protection authority if you believe we have violated GDPR
• We use appropriate safeguards (including Standard Contractual Clauses where applicable) for international data transfers

To exercise your GDPR rights, please contact us at [email protected].

12. California Privacy Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to know - Request information about what personal information we collect, use, and disclose
• Right to delete - Request deletion of your personal information (subject to certain exceptions)
• Right to opt-out - Opt out of the "sale" of personal information (we do not sell personal information)
• Right to non-discrimination - We will not discriminate against you for exercising your privacy rights

To exercise your California privacy rights, please contact us at [email protected].

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will:

• Update the "Last updated" date at the top of this policy
• Notify you of material changes via email or through a notice on our Services
• Provide a summary of significant changes when appropriate

Your continued use of our Services after changes become effective constitutes acceptance of the updated Privacy Policy. If you do not agree with the changes, you may delete your account or stop using our Services.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Email: [email protected]
• Through our Services: Visit the Help section
• Account Settings: Manage your privacy preferences in your account settings

We will respond to your inquiry within a reasonable timeframe, typically within 30 days.