Section_01
Who We Are
Deadband Life ("we," "us," or "our") is a consulting and education firm registered as Deadband Life, located in Richmond, Virginia, United States.
We operate the website at www.deadbandlife.com and any associated products, services, courses, or community platforms (collectively, the "Services").
For purposes of GDPR, Deadband Life is the Data Controller. For purposes of CCPA, we are the "Business" as defined in Cal. Civ. Code § 1798.140.
Privacy Officer / Data Protection Officer
We have designated a Privacy Officer responsible for data protection compliance. Contact: Peter Lavallee at [PRIVACY EMAIL].
EU/EEA residents: Our EU representative under GDPR Article 27 (if required) is: [Not currently required].
Section_02
Information We Collect
We collect personal information you provide directly, information collected automatically through your use of our Services, and information received from third parties.
2.1 Information You Provide Directly
| Category | Examples | Source |
|---|---|---|
| Identifiers | Name, email address, username, password | Account registration, contact forms, waitlist signup |
| Contact Information | Mailing address, phone number | Profile settings, billing, correspondence |
| Payment & Financial | Payment card type and last four digits, billing address | Course or product purchase (processed by third-party payment processors; we do not store full card data) |
| Profile Information | Life stage, financial goals, learning preferences, audit responses | Life Systems Audit, onboarding questionnaire |
| User Content | Messages, forum posts, badge submissions, uploaded documents | Community platform, merit badge system |
| Communications | Email content, support tickets, survey responses | Direct correspondence, feedback forms |
2.2 Information Collected Automatically
| Category | Examples | Method |
|---|---|---|
| Usage Data | Pages visited, time on page, click paths, features used | Server logs, analytics cookies |
| Device & Technical Data | IP address, browser type, operating system, device type, screen resolution | Automatic collection upon site access |
| Location Data | Country/region inferred from IP address | IP geolocation |
| Cookies & Tracking | Session identifiers, preference cookies, analytics identifiers | Cookies, web beacons, pixels (see Section 8) |
2.3 Information from Third Parties
- Payment processors — transaction confirmation and fraud signals
- Email service providers — delivery and engagement metrics
- Analytics providers — aggregated behavioral data
- Social platforms — if you connect or share content from our Services
2.4 Sensitive Personal Information
We do not intentionally collect sensitive personal information such as Social Security numbers, government IDs, financial account numbers, health data, biometric data, racial or ethnic origin, religious beliefs, or sexual orientation. Please do not submit such information through our Services.
Categories of personal information collected in the preceding 12 months include: Identifiers; Commercial Information; Internet or Other Electronic Network Activity; Geolocation Data (country/region only); and Inferences drawn from the above to create a profile.
Section_03
How We Use Your Information
| Purpose | Description | Legal Basis (GDPR) |
|---|---|---|
| Providing Services | Account management, course delivery, merit badge system operation | Contract performance |
| Early Access / Waitlist | Processing waitlist signups, sending access notifications | Consent / Legitimate interest |
| Service Communications | Sending updates, policy notices, and support responses | Contract / Legal obligation |
| Marketing | Sending newsletters, educational content, and product announcements (opt-in only) | Consent |
| Analytics & Improvement | Understanding how Services are used to improve content and features | Legitimate interest |
| Security & Fraud Prevention | Detecting and preventing unauthorized access, abuse, and fraud | Legitimate interest / Legal obligation |
| Legal Compliance | Meeting obligations under applicable laws, responding to lawful requests | Legal obligation |
| Personalization | Tailoring content and recommendations based on Life Systems Audit results | Consent / Legitimate interest |
We will not use your personal information for purposes materially different from those described above without prior notice and, where required by law, your consent.
Section_04
Legal Basis for Processing
Under GDPR Article 6, we must identify a lawful basis for each processing activity. This section applies to individuals in the EU or EEA.
- Contract Performance (Art. 6(1)(b)): Processing necessary to deliver requested Services, manage your account, and process transactions.
- Consent (Art. 6(1)(a)): Where you have given clear, freely given, specific, informed consent — for example, subscribing to marketing emails or enabling non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of prior processing.
- Legitimate Interests (Art. 6(1)(f)): Where processing is necessary for our legitimate interests — such as improving our Services, ensuring security, and preventing fraud — unless overridden by your interests or fundamental rights.
- Legal Obligation (Art. 6(1)(c)): Where processing is required to comply with applicable law, regulation, or court order.
To withdraw consent or object to legitimate-interest processing, contact us using Section 16.
Section_05
How We Share Your Information
We do not sell your personal information. We share personal information only in the limited circumstances described below.
5.1 Service Providers (Processors)
We engage trusted third-party service providers who process personal information on our behalf under contractual obligations consistent with this Policy. These include:
- Email delivery: [Provider, e.g., Mailchimp / ConvertKit / Beehiiv]
- Payment processing: [Provider, e.g., Stripe] — full card data is not stored by us
- Web analytics: [Provider, e.g., Google Analytics / Fathom / Plausible]
- Cloud hosting: [Provider, e.g., AWS / Vercel / Netlify]
- Customer support: [Provider, e.g., Intercom / HelpScout]
- Community platform: [Provider, e.g., Circle / Mighty Networks]
5.2 Legal and Regulatory Disclosure
We may disclose personal information when required by law, court order, or government request; to enforce our Terms of Service; or to protect the rights, property, or safety of Deadband Life, our users, or the public.
5.3 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, personal information may be transferred as part of that transaction. We will provide notice before any such transfer.
5.4 With Your Consent
We may share your information with third parties when you have given us explicit consent to do so.
We do not sell personal information to third parties for monetary consideration. See Section 10 for our full Do Not Sell or Share disclosure.
Section_06
Data Retention
We retain personal information only as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce agreements.
| Data Category | Retention Period | Basis |
|---|---|---|
| Account information | Duration of account plus 3 years after closure | Contract performance; legal claims |
| Transaction records | 7 years from transaction date | Tax and accounting legal obligations |
| Marketing communications | Until unsubscribe; unsubscribe record retained indefinitely | Consent management; CAN-SPAM / CASL compliance |
| Waitlist signups | Until launch plus 12 months, or until you unsubscribe | Consent |
| Support correspondence | 3 years from last interaction | Legitimate interest (dispute resolution) |
| Analytics / usage data | 26 months (or per analytics platform settings) | Legitimate interest (service improvement) |
| Audit logs / security data | 12 months | Security; legal obligation |
After the applicable retention period, we securely delete or anonymize personal information. Anonymized, aggregated data may be retained longer for research purposes.
Section_07
International Data Transfers
Deadband Life is based in the United States. If you access our Services from outside the United States, your personal information may be transferred to, stored, and processed in the US or other countries where our service providers operate.
For transfers of personal data from the EU/EEA to countries without an adequacy decision, we rely on the following GDPR Chapter V safeguards:
- Standard Contractual Clauses (SCCs): Adopted by the European Commission, incorporated into our data processing agreements with service providers.
- EU-US Data Privacy Framework: Where our service providers are certified participants.
- Adequacy Decisions: Where applicable countries have received an adequacy decision from the European Commission.
Personal information transferred to the United States may be subject to access by US law enforcement and national security authorities under applicable US law. We take commercially reasonable steps to protect your information as described in Section 11.
Section_08
Cookies & Tracking Technologies
We use cookies and similar tracking technologies to operate our Services, analyze usage patterns, and (where you have consented) deliver relevant content.
8.1 Types of Cookies We Use
| Type | Purpose | Consent Required? |
|---|---|---|
| Strictly Necessary | Session management, security, load balancing — required for the site to function | No (legitimate interest) |
| Functional / Preference | Remembering your settings, language, and login state | No (legitimate interest) |
| Analytics | Understanding site usage, page performance, and user journeys (anonymized where possible) | Yes (consent) |
| Marketing / Targeting | Measuring campaign effectiveness; retargeting (if implemented) | Yes (consent) |
8.2 Third-Party Cookies
Third-party services we use may set their own cookies subject to their own privacy policies. We do not control third-party cookies.
8.3 Managing Cookies
You may manage cookie preferences at any time through our cookie consent banner, accessible via the "Cookie Settings" link in our footer. You may also configure your browser to refuse or delete cookies, though this may affect Services functionality.
8.4 Global Privacy Control (GPC)
We honor the Global Privacy Control (GPC) signal. If your browser transmits a GPC signal, we treat it as a request to opt out of the sale or sharing of personal information for targeted advertising, as required under CCPA/CPRA and applicable US state laws.
8.5 Email Tracking
Marketing emails may contain tracking pixels to determine whether an email was opened and which links were clicked, for analytics and deliverability purposes. You may opt out by unsubscribing or disabling images in your email client.
Section_09
Your Privacy Rights
Depending on your location, you may have specific rights regarding your personal information. We honor all applicable rights and will respond to verified requests within the timeframes required by law.
9.1 Rights Available to All Users
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate or incomplete information.
- Deletion: Request deletion of your personal information, subject to legal exceptions.
- Withdraw Consent: Withdraw previously given consent at any time without penalty.
- Opt Out of Marketing: Unsubscribe from marketing emails via the unsubscribe link or by contacting us.
- Right of Access (Art. 15): Obtain confirmation of processing and a copy of your data.
- Right to Rectification (Art. 16): Have inaccurate data corrected without undue delay.
- Right to Erasure / “Right to be Forgotten” (Art. 17): Have data deleted where certain conditions apply.
- Right to Restrict Processing (Art. 18): Request that we limit how we use your data in certain circumstances.
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes.
- Rights Related to Automated Decisions (Art. 22): Not be subject to solely automated decisions producing significant legal or similar effects.
- Response Time: We respond within 30 calendar days, extendable by 2 months for complex requests with notice.
- Right to Know: Categories and specific pieces of personal information collected, used, disclosed, or sold.
- Right to Delete: Request deletion of personal information we collected from you.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt Out: Opt out of the sale or sharing of personal information.
- Right to Limit Sensitive PI: Limit use and disclosure of sensitive personal information.
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights.
- Response Time: We respond within 45 calendar days, extendable by an additional 45 days with notice.
Residents of Virginia, Colorado, Connecticut, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, Utah, and Florida may have rights including access, correction, deletion, portability, and opt-out of targeted advertising or profiling under their respective state privacy laws. Where applicable, you may also have the right to appeal our decision regarding a privacy request. Contact us using Section 16 to exercise these rights.
Canadian residents have the right to access personal information we hold and to challenge its accuracy. Access requests must be made in writing. We respond within 30 calendar days. You may also file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca.
How to Exercise Your Rights
Submit a Privacy Request
To exercise any right described above, submit a verifiable request using one of the methods below. We will verify your identity before processing. We do not charge a fee for reasonable requests.
By Email
Authorized Agent (CA)
California residents may designate an authorized agent. We require written authorization and identity verification from both you and your agent.
Section_10
Do Not Sell or Share My Personal Information
We do not sell your personal information for monetary consideration.
Under CCPA/CPRA, "sharing" includes disclosing personal information to third parties for cross-context behavioral advertising, even without monetary exchange. To the extent we engage in any such sharing (e.g., through third-party analytics with advertising components), you have the right to opt out.
- Use the "Cookie Settings" link in our site footer to opt out of analytics and advertising cookies.
- Enable the Global Privacy Control (GPC) in your browser — we honor GPC signals as a valid opt-out.
- Submit a "Do Not Sell or Share" request via the contact methods in Section 9.
We do not have actual knowledge that we sell or share the personal information of consumers of any age or those under 16 years of age.
Section_11
Data Security
We implement appropriate technical and organizational security measures designed to protect your personal information against unauthorized access, accidental loss, destruction, alteration, or disclosure. Measures include, where appropriate:
- Encryption of data in transit (TLS/SSL) and at rest
- Access controls and role-based permissions limiting data access to authorized personnel
- Regular security assessments and vulnerability monitoring
- Contractual security requirements with all third-party service providers
- Employee training on data handling and security practices
No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.
Section_12
Children's Privacy
Our Services are intended for adults and are not directed to children under the age of 13 (or 16 in the EU/EEA under GDPR Article 8). We do not knowingly collect personal information from children under these ages.
If we become aware that we have inadvertently collected personal information from a child under 13 (US) or 16 (EU/EEA) without verified parental consent, we will immediately delete that information. If you believe this has occurred, contact us at [PRIVACY EMAIL].
Section_13
Data Breach Notification
In the event of a personal data breach, we will comply with all applicable legal notification obligations:
- GDPR (EU/EEA): We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach posing a risk to individuals' rights and freedoms. Where there is high risk to individuals, we will also notify affected individuals without undue delay.
- US State Laws: We will notify affected individuals and, where required, state attorneys general within the timeframes specified by applicable state breach notification laws (ranging from 30 to 90 days depending on jurisdiction).
- PIPEDA (Canada): We will notify the Office of the Privacy Commissioner and affected individuals of breaches that create a real risk of significant harm.
Breach notifications will be delivered by email to the address associated with your account, and/or through prominent notice on our website where individual notification is not practicable.
Section_14
Third-Party Links & Services
Our Services may contain links to third-party websites or applications not operated by us. This Privacy Policy does not apply to those third-party services. We have no control over, and assume no responsibility for, the privacy practices of any third-party sites or services.
We encourage you to review the privacy policy of every website you visit before providing any personal information.
Section_15
Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or for other operational reasons. We will update the "Effective Date" at the top of this page whenever we make material changes.
Where changes are material, we will notify you by:
- Email to the address associated with your account, and/or
- Prominent notice on our website for a reasonable period prior to the change taking effect.
Your continued use of our Services after the effective date constitutes acceptance of the updated policy, to the extent permitted by law.
Per CCPA § 1798.130, we review and update this Policy at least once every 12 months.
Section_16
Contact & Supervisory Authority Complaints
Contact Us
For questions, concerns, or requests related to this Privacy Policy or your personal information:
Privacy Contact
Supervisory Authority Complaints
If you believe we have not adequately addressed your privacy concern, you have the right to lodge a complaint with the relevant supervisory authority:
- EU/EEA: Your local Data Protection Authority. Find your authority at edpb.europa.eu.
- California: California Privacy Protection Agency (CPPA) — cppa.ca.gov. California Attorney General — oag.ca.gov/privacy.
- Canada: Office of the Privacy Commissioner of Canada (OPC) — priv.gc.ca.
- US Federal: Federal Trade Commission — ftc.gov/privacy.
We encourage you to contact us first. We will do our best to resolve your concern promptly and in good faith.