Privacy Policy

ICONIC Human Design Education PMA — Last updated: April 12, 2026

Contents

  1. Overview
  2. Data We Collect
  3. How We Use Your Data
  4. Data Sharing & Disclosure
  5. Cookies & Tracking
  6. Data Retention
  7. Security
  8. Your Rights
  9. GDPR (EU/EEA Residents)
  10. CCPA (California Residents)
  11. Children's Privacy
  12. Changes to This Policy
  13. Contact Us

1. Overview

This Privacy Policy explains how ICONIC Human Design Education PMA ("ICONIC," "we," "us," or "our"), operating as The Human Design System at thehumandesignsystem.com, collects, uses, and protects information about you when you use our website and services.

We are committed to protecting your privacy and handling your personal data responsibly. We comply with applicable data protection laws, including the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

We do not sell your personal data. We do not share your birth data with advertisers or data brokers. Your information is used solely to operate and improve our services.

2. Data We Collect

2.1 Information You Provide

Data Type | Examples | Purpose
Account information | Name, email address, password (hashed) | Account creation, authentication, communications
Birth data | Date of birth, time of birth, place of birth | Generating your Human Design BodyGraph chart
Payment information | Card type, last 4 digits, billing address | Processing subscriptions and purchases via Stripe
Profile information | Display name, profile photo, member bio | Community features, practitioner directory
Communications | Messages, form submissions, support requests | Customer support, member services
Community content | Forum posts, comments, reactions | Operating community features

2.2 Information Collected Automatically

Data Type | Details
Log data | IP address, browser type, operating system, referring URL, pages visited, time of visit
Device information | Device type, screen resolution, language settings
Usage data | Features accessed, content viewed, interactions with the Service
Cookies & local storage | Session tokens, preferences, analytics identifiers (see Cookie Policy)

2.3 Information from Third Parties

If you connect a third-party account (e.g., sign in with Google), we receive limited profile information from that provider as permitted by your authorization. We do not receive your password from third-party providers.

3. How We Use Your Data

We use your information to:

  • Operate the Service — create and manage your account, generate your Human Design chart, process subscriptions
  • Communicate with you — send transactional emails (receipts, password resets), course updates, and member communications you've opted into
  • Provide support — respond to questions and resolve issues you raise with us
  • Personalize your experience — save your preferences, remember your chart, surface relevant educational content
  • Operate community features — enable forum participation, practitioner directory listings, and member connections
  • Improve the Service — analyze usage patterns to improve features, fix bugs, and develop new content
  • Ensure safety and security — detect fraud, prevent abuse, and protect our systems
  • Legal compliance — fulfill our legal obligations, resolve disputes, and enforce our Terms of Service

Legal Bases for Processing (GDPR)

For users in the EU/EEA, our legal bases for processing personal data are:

  • Performance of a contract — processing necessary to provide the Service you've subscribed to
  • Legitimate interests — analytics, security, improving the Service (where not overridden by your rights)
  • Consent — marketing emails (you may withdraw consent at any time)
  • Legal obligation — compliance with applicable law

4. Data Sharing & Disclosure

We do not sell your personal data. We share data only in the following circumstances:

4.1 Service Providers

We share necessary data with trusted service providers who process data on our behalf:

Provider | Purpose | Data Shared
Stripe, Inc. | Payment processing | Name, email, billing address, payment card details
Render Services, Inc. | Cloud hosting & infrastructure | Application data stored on servers (encrypted at rest)
Resend / email provider | Transactional email delivery | Name, email address

All service providers are contractually bound to protect your data and are prohibited from using it for their own purposes.

4.2 Legal Requirements

We may disclose your information if required to do so by law or in response to a valid subpoena, court order, or government request. We will notify you of such requests where legally permitted.

4.3 Business Transfers

If ICONIC is involved in a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.

4.4 With Your Consent

We may share your data with third parties when you have explicitly consented, such as opting into a partner program or granting a practitioner access to your chart data.

5. Cookies & Tracking

We use cookies and similar technologies to operate the Service, remember your preferences, and analyze usage. See our Cookie Policy for a complete breakdown of the cookies we use, their purpose, and how to manage them.

We do not use cross-site tracking for advertising purposes. We do not share identifiers with advertising networks.

6. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. Specific retention periods:

  • Account data — retained while your account is active; deleted within 90 days of account closure upon request
  • Birth data & charts — retained for the life of your account to regenerate charts on demand; deleted with your account upon verified request
  • Payment records — retained for 7 years as required by applicable tax and accounting laws
  • Log data — retained for up to 12 months for security and debugging purposes
  • Communications — retained for 2 years from last interaction for support continuity

We regularly audit stored data and delete records that are no longer necessary for the purpose for which they were collected.

7. Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Transport Layer Security (TLS/HTTPS) for all data in transit
  • Encryption of sensitive data at rest (including authentication tokens)
  • Hashed and salted password storage — we never store plaintext passwords
  • Access controls limiting employee access to personal data on a need-to-know basis
  • Regular security audits and vulnerability assessments

No method of transmission over the internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security. In the event of a data breach that poses a high risk to your rights, we will notify you and relevant authorities as required by applicable law.

8. Your Rights

You have the following rights with respect to your personal data:

  • Access — request a copy of the personal data we hold about you
  • Correction — request correction of inaccurate or incomplete data
  • Deletion — request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements
  • Portability — receive your data in a structured, machine-readable format (e.g., JSON or CSV) and transfer it to another service
  • Restriction — request that we restrict processing of your data in certain circumstances
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — opt out of marketing emails at any time via the unsubscribe link in any email or via your account settings

To exercise any of these rights, contact us via the web form at thehumandesignsystem.com/contact. We will respond within 30 days. Identity verification may be required before we fulfill certain requests.

You also have the right to lodge a complaint with your local data protection authority. For EU/EEA residents, this is your national Data Protection Authority (DPA).

9. GDPR (EU/EEA Residents)

If you are located in the European Union or European Economic Area, you have rights under the General Data Protection Regulation (GDPR) in addition to those listed above.

Data Controller: ICONIC Human Design Education PMA is the data controller for personal data processed through the Service.

International Data Transfers: Your data may be transferred to and processed in the United States. Where we transfer data outside the EU/EEA, we rely on Standard Contractual Clauses (SCCs) or other appropriate safeguards as approved by the European Commission.

Automated Decision-Making: We do not make decisions that significantly affect you solely through automated means without human involvement.

To exercise your GDPR rights or to contact our data protection representative, use the contact form at thehumandesignsystem.com/contact.

10. CCPA (California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with specific rights regarding your personal information.

Your CCPA Rights

  • Right to Know — request disclosure of the categories and specific pieces of personal information we've collected, used, disclosed, or sold about you in the past 12 months
  • Right to Delete — request deletion of personal information we've collected, subject to certain exceptions
  • Right to Opt-Out of Sale — we do not sell personal information. If this changes, we will provide a "Do Not Sell My Personal Information" link
  • Right to Non-Discrimination — we will not discriminate against you for exercising your CCPA rights

Categories of Personal Information Collected (Past 12 Months)

  • Identifiers (name, email address, IP address)
  • Personal records (billing address, subscription history)
  • Internet or electronic network activity information (browsing history on our site, feature usage)
  • Geolocation data (general location derived from IP address)
  • Inferences drawn from the above to create a profile (chart type, member tier)

To exercise your CCPA rights, submit a verifiable consumer request via our contact form. We will respond within 45 days.

11. Children's Privacy

The Service is not directed to children under the age of 18. We do not knowingly collect personal information from children under 18. If you believe we have inadvertently collected information from a child under 18, please contact us immediately via the contact form and we will take prompt steps to delete that information.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated Policy on this page with a revised "Last updated" date and, where required by law, by sending you a notification.

Your continued use of the Service after the effective date of an updated Privacy Policy constitutes your acceptance of the changes.

13. Contact Us

For privacy-related inquiries, data access requests, or to exercise your rights, please use our web form. We do not accept privacy requests via email to avoid phishing and verification issues.

We will respond within 30 days (or 45 days for CCPA requests).
