Last Updated: May 20, 2026 | Effective: May 20, 2026
Pilgrim's Path ("Company," "we," "us," or "our") operates the website and platform at pilgrimspath.io. We are the data controller responsible for your personal information. This Privacy Policy explains what data we collect, how we use it, how we protect it, and what rights you have. By using our Service, you agree to the practices described in this policy.
If you have questions or concerns, please contact our privacy team at privacy@pilgrimspath.io before using the Service.
1. Information We Collect
1.1 Account & Registration Data
When you create an account we collect:
- Full name and email address;
- Password (stored as a cryptographic hash — we never store plain-text passwords);
- Account preferences and communication settings.
1.2 Payment & Transaction Data
When you make a purchase, payment is processed by our third-party processors (Paystack, Stripe). We receive and store only:
- Transaction ID, amount, currency, and date;
- The plan or product purchased;
- Billing country (for tax purposes).
We do not receive, transmit, or store full card numbers, CVV codes, or bank account details. All financial data is handled by our processors under PCI-DSS compliance.
1.3 Usage & Technical Data
We automatically collect certain data when you use the Service:
- IP address and approximate geographic location (country/city);
- Browser type, version, and operating system;
- Device identifiers and screen resolution;
- Pages visited, features used, and time spent on each scene;
- VR session data and ritual completion progress;
- Referring URL and exit pages;
- Error logs and crash reports.
1.4 Communications Data
If you contact us by email or through our contact form, we retain the content of your messages, your email address, and our responses in order to handle your inquiry and maintain service quality.
1.5 Data You Choose Not to Provide
Providing personal data is voluntary. However, some data (e.g., email and password) is required to create an account and access paid features. Without this data, we cannot provide you with personalized services.
2. How We Use Your Information
We process your personal data for the following purposes and legal bases:
- To provide and manage the Service (contract performance) — account creation, authentication, content delivery, progress tracking;
- To process payments and prevent fraud (contract performance & legitimate interest) — transaction processing, chargeback prevention, suspicious activity detection;
- To communicate with you (contract performance & legitimate interest) — account notifications, support responses, service updates;
- To send marketing communications (consent) — promotional emails and updates; you may opt out at any time using the unsubscribe link in any email;
- To improve the Service (legitimate interest) — analytics, A/B testing, performance monitoring, bug fixes;
- To comply with legal obligations (legal obligation) — responding to lawful requests, tax record-keeping, fraud reporting.
3. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data under the following legal bases under the General Data Protection Regulation (GDPR):
- Article 6(1)(b) — Contract: Processing necessary to perform the contract with you (e.g., account management, service delivery, payment processing);
- Article 6(1)(a) — Consent: Where you have given explicit consent (e.g., marketing emails); you may withdraw consent at any time;
- Article 6(1)(f) — Legitimate Interests: Processing necessary for our legitimate interests (e.g., fraud prevention, security, platform improvement), provided those interests are not overridden by your rights;
- Article 6(1)(c) — Legal Obligation: Processing required to comply with applicable laws.
4. Cookies & Tracking Technologies
We use cookies, local storage, and similar technologies. Cookies are small text files stored on your device. We use:
- Essential Cookies: Required for the Service to function (e.g., authentication session, security tokens). Cannot be disabled without breaking core functionality.
- Functional Cookies: Remember your preferences (e.g., language, progress data stored in localStorage).
- Analytics Cookies: Help us understand how users interact with the Service (e.g., page views, session duration). We use anonymized data wherever possible.
- Advertising/Marketing Pixels: We use the Meta (Facebook) Pixel (ID: 1199634958501931) to measure the effectiveness of our advertising campaigns and to show relevant ads on Facebook/Instagram to users who have visited our Service. The Meta Pixel collects data such as page views, button clicks, and purchase events and transmits them to Meta Platforms, Inc. You can opt out of Meta's use of your data for advertising by visiting Facebook Ad Settings or using the Digital Advertising Alliance opt-out at optout.aboutads.info.
You can control most cookies through your browser settings. Note that disabling non-essential cookies will not prevent us from using server-side analytics based on your interactions.
5. Data Sharing & Disclosure
We do not sell, rent, or trade your personal information to third parties for their own marketing purposes.
We may share your data in the following limited circumstances:
- Service Providers & Processors: Trusted vendors who process data on our behalf under strict data processing agreements, including: Supabase Inc. (database & authentication hosting), Paystack (payment processing), Stripe (payment processing), Meta Platforms Inc. (advertising analytics via Pixel), and Cloudflare Inc. (CDN & DDoS protection).
- Payment Processors: When you make a purchase, relevant transaction data is shared with our payment processor to complete the transaction and prevent fraud.
- Legal Requirements: We may disclose your data if required by applicable law, court order, or government authority, or if necessary to protect our rights, property, or safety or that of our users or the public.
- Business Transfers: In the event of a merger, acquisition, reorganization, or sale of all or substantially all of our assets, your data may be transferred as part of that transaction. We will provide notice before your data becomes subject to a materially different privacy policy.
- With Your Explicit Consent: For any other purpose, only with your prior consent.
6. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy, or as required by law:
- Account data: Retained for the duration of your account. If you request deletion, we will delete or anonymize your account data within 30 days, subject to legal retention obligations.
- Transaction records: Retained for a minimum of 7 years to comply with financial and tax regulations.
- Usage data & logs: Retained for up to 24 months for analytics and security purposes, then aggregated or deleted.
- Communications: Retained for up to 3 years to maintain service quality and handle disputes.
- Backup data: May persist in encrypted backups for up to 90 days after deletion requests are processed.
7. Data Security
We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, disclosure, alteration, or destruction, including:
- HTTPS/TLS encryption for all data in transit;
- Industry-standard hashing (bcrypt) for all passwords;
- Role-based access controls limiting data access to authorized personnel;
- Regular security reviews and vulnerability assessments;
- Supabase's enterprise-grade database security and row-level security policies.
Despite these measures, no system is 100% secure. We cannot guarantee absolute security of your data. In the event of a data breach that is likely to result in a high risk to your rights and freedoms, we will notify affected users and relevant authorities as required by applicable law (within 72 hours for GDPR-regulated breaches).
8. Your Rights
Rights for All Users
- Access: Request a copy of the personal data we hold about you;
- Correction: Request correction of inaccurate or incomplete data;
- Deletion: Request deletion of your account and associated personal data (subject to legal retention requirements);
- Opt-Out of Marketing: Unsubscribe from marketing emails at any time using the unsubscribe link in any email or by contacting us.
Additional Rights for EEA/UK Users (GDPR)
- Portability: Receive your data in a structured, machine-readable format and, where technically feasible, have it transferred to another controller;
- Restriction: Request restriction of processing in certain circumstances;
- Objection: Object to processing based on legitimate interests or for direct marketing;
- Withdraw Consent: Withdraw previously given consent at any time without affecting the lawfulness of prior processing;
- Lodge a Complaint: You have the right to lodge a complaint with your national data protection authority (e.g., the ICO in the UK, or your local EU supervisory authority).
California Residents (CCPA)
If you are a California resident, you have the right to: (a) know what personal information we collect and how it is used; (b) request deletion of your personal information; (c) opt out of the sale of personal information (note: we do not sell personal information); and (d) non-discrimination for exercising your privacy rights. To exercise these rights, contact us at privacy@pilgrimspath.io.
How to Exercise Your Rights
To exercise any of the above rights, please submit a written request to privacy@pilgrimspath.io. We will respond within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.
9. Children's Privacy
The Service is not directed to children under the age of 13 (or 16 in the EEA/UK). We do not knowingly collect personal information from children below these age thresholds. If you believe we have inadvertently collected data from a child, please contact us immediately at privacy@pilgrimspath.io and we will delete such data promptly.
10. International Data Transfers
Our infrastructure is hosted primarily in the United States and may involve transfers of your data to countries outside your jurisdiction. Where we transfer data from the EEA/UK to countries without an adequate level of data protection, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent mechanisms. You may request details of the safeguards in place by contacting us.
11. Third-Party Links
Our Service may contain links to external websites. This Privacy Policy applies only to our Service. We encourage you to review the privacy policies of any third-party sites you visit, as we are not responsible for their practices.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date at the top of this page and, where appropriate, notify registered users by email. Your continued use of the Service after the effective date of the updated policy constitutes acceptance of the changes. We encourage you to review this policy periodically.
13. Contact & Data Protection Inquiries
For any questions, concerns, or requests relating to this Privacy Policy or your personal data, contact our privacy team at privacy@pilgrimspath.io.
We will acknowledge your inquiry within 5 business days and aim to resolve all requests within 30 days.