GDPR & Data Protection Policy
3Embody Lifestyle LLC d/b/a Human Garage — Effective Date: March 7, 2026
This policy supplements our Privacy Policy and provides additional information required under the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK General Data Protection Regulation ("UK GDPR").
1. Data Controller Information
For the purposes of the GDPR and UK GDPR, the data controller responsible for your personal data is:
3Embody Lifestyle LLC d/b/a Human Garage
309 Coffeen Avenue, STE 1200
Sheridan, WY 82801, United States
Data Protection Officer: support@humangarage.net
For herbal supplement sales and physical product purchases, the data controller is:
Human Garage, Inc.
A corporation incorporated under the laws of Canada
Contact: support@humangarage.net
2. Scope and Applicability
This GDPR Policy applies to:
- All individuals located in the European Economic Area (EEA) who access or use our Services
- All individuals located in the United Kingdom who access or use our Services
- Any processing of personal data that falls within the material scope of the GDPR under Article 3
- Both automated and manual processing of personal data that forms part of a filing system
Even though we are established outside the EEA/UK, we are subject to the GDPR and UK GDPR because we offer Services to individuals in those regions and monitor their behavior through analytics and tracking technologies.
3. Categories of Personal Data We Process
We process the following categories of personal data as defined under Article 4 of the GDPR:
Identity Data
First name, last name, username, date of birth, gender
Contact Data
Email address, phone number, billing address, shipping address
Financial Data
Payment card details (processed by third-party payment processors — we do not store full card numbers), transaction history, subscription details
Technical Data
IP address, browser type and version, device identifiers, operating system, time zone, login data
Usage Data
Pages visited, features used, course progress, lesson completion, search queries, click patterns
Profile Data
Preferences, goals, wellness interests, feedback, survey responses
Communication Data
Messages sent through our chat assistant, support tickets, email correspondence
3.1 Special Categories of Personal Data (Article 9)
Given the nature of our wellness education Services, we may process special category data including wellness-related information such as physical conditions and wellness goals. We process this data only with your explicit consent under Article 9(2)(a) of the GDPR. You may withdraw this consent at any time without affecting the lawfulness of processing performed before withdrawal.
We never use wellness data for advertising, marketing profiling, or automated decision-making. Wellness data is used solely to personalize your education experience and is never sold or shared with third parties.
4. Lawful Bases for Processing (Article 6)
We only process your personal data when we have a valid lawful basis under Article 6 of the GDPR. The table below sets out our processing activities and the lawful basis relied upon for each:
| Processing Activity | Lawful Basis | GDPR Article |
|---|---|---|
| Account creation and management | Contract performance | Art. 6(1)(b) |
| Processing payments and subscriptions | Contract performance | Art. 6(1)(b) |
| Delivering courses, programs, and content | Contract performance | Art. 6(1)(b) |
| Sending service-related communications | Contract performance | Art. 6(1)(b) |
| Marketing emails and promotional content | Consent | Art. 6(1)(a) |
| Processing wellness/education data | Explicit consent | Art. 9(2)(a) |
| Analytics and service improvement | Legitimate interests | Art. 6(1)(f) |
| Fraud prevention and security | Legitimate interests | Art. 6(1)(f) |
| Cookie-based tracking (non-essential) | Consent | Art. 6(1)(a) |
| Tax, accounting, and regulatory compliance | Legal obligation | Art. 6(1)(c) |
| Responding to legal claims and disputes | Legitimate interests | Art. 6(1)(f) |
4.1 Legitimate Interests Assessment
Where we rely on legitimate interests as a lawful basis, we have conducted a Legitimate Interests Assessment (LIA) to ensure our interests do not override your fundamental rights and freedoms. Our legitimate interests include:
- Improving and optimizing our Services based on aggregated, anonymized usage patterns
- Protecting our platform from fraud, abuse, and security threats
- Maintaining and defending legal claims
- Ensuring network and information security
You have the right to object to processing based on legitimate interests at any time. Upon receiving an objection, we will cease processing unless we demonstrate compelling legitimate grounds that override your rights.
5. Your Rights Under the GDPR
If you are located in the EEA or UK, you have the following rights under Chapter III of the GDPR. We are committed to facilitating the exercise of these rights without undue delay.
5.1 Right of Access (Article 15)
You have the right to obtain confirmation as to whether your personal data is being processed, and if so, to access that data along with information about the purposes of processing, categories of data, recipients, retention periods, and the existence of automated decision-making. You may request one copy of your personal data free of charge. Additional copies may be subject to a reasonable fee.
5.2 Right to Rectification (Article 16)
You have the right to obtain rectification of inaccurate personal data without undue delay. Taking into account the purposes of processing, you also have the right to have incomplete personal data completed, including by providing a supplementary statement.
5.3 Right to Erasure — "Right to Be Forgotten" (Article 17)
You have the right to obtain the erasure of your personal data without undue delay where one of the following grounds applies:
- The data is no longer necessary for the purposes for which it was collected
- You withdraw consent and there is no other legal ground for processing
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
- Erasure is required to comply with a legal obligation
Note: We may retain certain data where processing is necessary for compliance with legal obligations, establishment or defense of legal claims, or archiving in the public interest.
5.4 Right to Restriction of Processing (Article 18)
You have the right to restrict the processing of your personal data where:
- You contest the accuracy of the data (restriction applies during verification)
- Processing is unlawful but you oppose erasure and request restriction instead
- We no longer need the data but you require it for legal claims
- You have objected to processing pending verification of legitimate grounds
5.5 Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format (such as JSON or CSV) and to transmit that data to another controller without hindrance. This right applies where processing is based on consent or contract performance and is carried out by automated means.
5.6 Right to Object (Article 21)
You have the right to object at any time to:
- Processing based on legitimate interests: We must stop processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms
- Direct marketing: We must stop processing immediately upon receiving your objection — no exceptions
- Processing for scientific/statistical purposes: Unless processing is necessary for a task carried out in the public interest
5.7 Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. We do not currently make any solely automated decisions that produce legal or similarly significant effects. Our content recommendation algorithms personalize your experience but do not have legal or significant effects on you.
5.8 Right to Withdraw Consent (Article 7(3))
Where processing is based on consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. You can withdraw consent by updating your account privacy settings, clicking unsubscribe in marketing emails, or contacting us at support@humangarage.net.
5.9 Right to Lodge a Complaint (Article 77)
If you believe we have not handled your personal data properly or have not responded adequately to your requests, you have the right to lodge a complaint with the supervisory authority in your country of residence, place of work, or place of the alleged infringement. We encourage you to contact us first so that we can attempt to resolve your concern.
5.10 How to Exercise Your Rights
To exercise any of your GDPR rights, contact us using any of the following methods:
- Email: support@humangarage.net (subject line: "GDPR Request")
- Account Settings: Account Privacy Settings — access, download, or delete your data
- Mail: 3Embody Lifestyle LLC, 309 Coffeen Avenue, STE 1200, Sheridan, WY 82801 (Attn: Data Protection Officer)
We will acknowledge your request within 72 hours and respond substantively within 30 days. If your request is complex or we receive a high volume of requests, we may extend this period by up to 60 additional days with prior notice to you.
6. Data Sharing and Disclosure
WE DO NOT SELL, RENT, OR SHARE YOUR PERSONAL DATA WITH THIRD PARTIES FOR THEIR OWN MARKETING PURPOSES. Any data disclosed to third parties is limited to anonymized, aggregated information or is shared under strict data processing agreements.
6.1 Categories of Recipients
We may disclose your personal data to the following categories of recipients, each bound by data processing agreements under Article 28 of the GDPR:
| Recipient Category | Purpose | Data Shared |
|---|---|---|
| Cloud hosting and database providers | Infrastructure and data storage | All data categories (encrypted at rest) |
| Payment processors | Payment processing | Financial data, identity data |
| E-commerce platforms (via Human Garage, Inc.) | Herbal supplement order fulfillment | Identity, contact, order data |
| Analytics providers | Usage analysis and improvement | Anonymized technical and usage data |
| Email service providers | Service communications | Email address, name |
| AI service providers | Chat assistant functionality | Chat messages (anonymized profile data) |
6.2 Legal Disclosures
We may disclose personal data without your consent where required by law, regulation, legal process, or enforceable governmental request, or where necessary to protect the vital interests of any individual (Article 6(1)(d)).
7. International Data Transfers
As a United States-based company serving users in the EEA and UK, we transfer personal data outside the EEA/UK. We ensure all international transfers comply with Chapter V of the GDPR through the following mechanisms:
7.1 Transfer Safeguards
- Standard Contractual Clauses (SCCs): We use the European Commission's approved SCCs (Commission Implementing Decision (EU) 2021/914) for transfers to our US-based infrastructure and processors
- EU-US Data Privacy Framework: Where applicable, we rely on service providers certified under the EU-US Data Privacy Framework
- UK International Data Transfer Agreement (IDTA): For UK data transfers, we implement the UK IDTA or UK Addendum to SCCs as appropriate
- Supplementary Measures: We implement technical measures including encryption in transit (TLS 1.3) and at rest (AES-256), access controls, and pseudonymization where feasible
7.2 Transfer Impact Assessment
We have conducted Transfer Impact Assessments (TIAs) for our key data transfers to the United States and Canada, evaluating the legal framework in each destination country and confirming that our supplementary measures provide an essentially equivalent level of protection to that guaranteed within the EEA/UK.
7.3 Sub-Processors
A current list of our sub-processors and their locations can be obtained by contacting our Data Protection Officer. We notify users of any changes to our sub-processor list and provide an opportunity to object to new sub-processors.
8. Data Retention
In accordance with the data minimization principle (Article 5(1)(c)) and storage limitation principle (Article 5(1)(e)), we retain personal data only for as long as necessary to fulfill the purposes for which it was collected:
| Data Category | Retention Period | Justification |
|---|---|---|
| Account data | Duration of account + 30 days | Contract performance; grace period for reactivation |
| Financial/transaction records | 7 years after transaction | Legal obligation (tax and accounting laws) |
| Wellness and education data | While account is active or until consent withdrawn | Consent; deleted upon withdrawal |
| Support communications | 3 years | Legitimate interest (service quality) |
| Marketing consent records | Until consent withdrawn + 1 year | Legal obligation (proof of consent) |
| Analytics data | 26 months (anonymized thereafter) | Legitimate interest; anonymized data retained |
| Login/security logs | 12 months | Legitimate interest (security) |
| Cookie data | See Cookies Policy | Consent; varies by cookie type |
When data reaches the end of its retention period, it is securely deleted or irreversibly anonymized. Anonymized data that can no longer identify individuals is not subject to the GDPR and may be retained for analytical and statistical purposes.
9. Data Security (Article 32)
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR:
9.1 Technical Measures
- Encryption of personal data in transit (TLS 1.3) and at rest (AES-256)
- Pseudonymization of personal data where processing permits
- Regular testing and evaluation of security measures
- Access controls with role-based permissions and least-privilege principles
- Multi-factor authentication for administrative and sensitive operations
- Automated vulnerability scanning and dependency monitoring
- Secure development lifecycle practices (SDLC)
- Database encryption and secure backup procedures
9.2 Organizational Measures
- Data protection training for all personnel with access to personal data
- Confidentiality obligations in employment and contractor agreements
- Data Protection Impact Assessments (DPIAs) for high-risk processing activities
- Incident response plan with defined escalation procedures
- Regular review and audit of data processing activities
- Data protection by design and by default (Article 25)
9.3 Breach Notification (Articles 33 & 34)
In the event of a personal data breach:
- Supervisory Authority: We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to your rights and freedoms (Article 33)
- Affected Individuals: Where the breach is likely to result in a high risk to your rights and freedoms, we will communicate the breach to you without undue delay, describing the nature of the breach, likely consequences, and measures taken (Article 34)
- Documentation: We maintain a record of all personal data breaches, including facts, effects, and remedial actions taken (Article 33(5))
10. Data Protection Impact Assessments (Article 35)
We conduct Data Protection Impact Assessments (DPIAs) before any processing activity that is likely to result in a high risk to the rights and freedoms of individuals. This includes:
- Large-scale processing of special category data (e.g., wellness information)
- Systematic monitoring of publicly accessible areas
- Automated processing with legal or similarly significant effects
- New technologies or approaches to data processing
- Large-scale profiling or evaluation of personal aspects
DPIAs include a systematic description of the processing operations, assessment of necessity and proportionality, risk assessment, and measures to mitigate identified risks.
11. Records of Processing Activities (Article 30)
We maintain comprehensive Records of Processing Activities (ROPA) as required by Article 30 of the GDPR. These records include:
- Name and contact details of the data controller and Data Protection Officer
- Purposes of each processing activity
- Categories of data subjects and personal data processed
- Categories of recipients to whom data is disclosed
- Details of international transfers and applicable safeguards
- Envisaged retention periods for each data category
- Description of technical and organizational security measures
These records are available to the supervisory authority upon request.
12. Cookies and ePrivacy
In addition to the GDPR, our use of cookies and similar technologies is governed by the ePrivacy Directive (2002/58/EC) and applicable national implementations. We obtain prior consent before placing non-essential cookies on your device, in compliance with both the ePrivacy Directive and the GDPR.
For full details on the cookies we use and how to manage your preferences, please see our dedicated Cookies Policy.
13. Children's Data (Article 8)
Where we offer information society services directly to a child, we process the child's personal data lawfully only where the child is at least 16 years old (or the lower age specified by the applicable EU/UK member state, which may be as low as 13). Where the child is below the applicable age, processing is lawful only with the consent of the holder of parental responsibility.
We make reasonable efforts to verify that consent is given or authorized by the holder of parental responsibility, taking into consideration available technology.
14. Supervisory Authorities
You have the right to lodge a complaint with the data protection supervisory authority in your country of residence. Below are some key supervisory authorities:
European Data Protection Board (EDPB)
Coordinates supervisory authorities across the EU — edpb.europa.eu
United Kingdom — Information Commissioner's Office (ICO)
ico.org.uk | Telephone: +44 303 123 1113
Ireland — Data Protection Commission (DPC)
dataprotection.ie | Often the lead authority for US tech companies
France — Commission Nationale de l'Informatique et des Libertés (CNIL)
cnil.fr
Germany — Federal Commissioner for Data Protection (BfDI)
bfdi.bund.de | Note: Each German state also has its own authority
For a complete list of EEA supervisory authorities, visit the EDPB website at edpb.europa.eu/about-edpb/about-edpb/members_en.
15. Changes to This GDPR Policy
We may update this GDPR Policy from time to time to reflect changes in our processing activities, legal requirements, or regulatory guidance. We will provide clear notice of material changes through email notification to registered users and a prominent notice on our website. Where changes affect processing based on consent, we will seek renewed consent where required.
We encourage you to review this policy periodically. The effective date at the top of this page indicates when this policy was last updated.
16. Contact Our Data Protection Officer
For any questions, concerns, or requests related to this GDPR Policy or the processing of your personal data, please contact our Data Protection Officer:
Data Protection Officer
3Embody Lifestyle LLC d/b/a Human Garage
309 Coffeen Avenue, STE 1200, Sheridan, WY 82801
Email: support@humangarage.net
Subject Line: "GDPR Inquiry"
We will acknowledge receipt of your inquiry within 72 hours and provide a substantive response within 30 days.
© 2026 Human Garage. All Rights Reserved.
This GDPR & Data Protection Policy is effective as of the date stated above and supersedes all previous versions.