Privacy Policy

Last Updated: March 9, 2026

INTRODUCTION AND OVERVIEW

This Privacy Policy ("Policy") describes how Elura, LLC, an Alaska limited liability company ("Elura," "we," "us," "our," or "Company"), collects, uses, discloses, and protects your personal information, including health-related data, when you use our website, mobile application, and related services (collectively, "Services").

This is an important document. Your privacy and data security matter to us. We are committed to transparency regarding our data practices and compliance with all applicable privacy laws, including HIPAA (where applicable), GDPR, CCPA, CPRA, and state-specific privacy regulations.

Read this Policy carefully. By accessing or using the Services, you consent to the practices described herein. If you do not agree with our data practices, do not use the Services.

INFORMATION WE COLLECT

Information You Provide Directly

Registration and Account Information:

• Name, email address, phone number
• Billing and payment information (through third-party processors)
• Age, gender, location
• Username and password (or other authentication credentials)
• Profile picture (optional)

Assessment and Health Data:

• Responses to the Elura Vitality Assessment™ (EVA), including symptom reports
• Your reported health history and current health concerns
• Menstrual cycle information (if applicable)
• Sleep patterns, energy levels, mood, and cognitive function observations
• Medication and supplement use
• Lifestyle information (exercise, diet, stress management practices)
• Any other health-related information you voluntarily submit

Communication Data:

• Emails, messages, or inquiries you send to us
• Survey responses and feedback
• Customer service interactions
• Support requests

Payment Information:

• Billing address and payment method details (processed by Stripe; see Section 2.2)
• Transaction history
• Purchase records

Information Collected Automatically

Cookies and Tracking Technologies:

• Device cookies (persistent identifiers stored on your device)
• Session cookies (temporary identifiers for your current session)
• Pixel tags, web beacons, and similar tracking technologies
• Analytics data about your interactions with the Services

Device and Connection Information:

• IP address
• Device type, operating system, and version
• Browser type and version
• Mobile device identifiers (IDFA, Android Advertising ID)
• Internet Service Provider (ISP)
• Pages visited and time spent on each page
• Referral source (how you came to the Services)
• Clickstream data

Location Information:

• Approximate location based on IP address (not precise GPS location, unless you grant permission)
• Country, state, and city inference

Usage Information:

• Features you access or use
• Content you view
• Search queries within the Services
• Interactions with educational materials
• Assessment completion status and responses

Information from Third Parties

Third-Party Service Providers:

• Stripe (payment processing): payment method details, transaction data
• Customer.io (email service): email engagement metrics, interaction data
• Supabase (database hosting): account authentication and data storage
• Typeform (assessment platform): EVA responses and completion data
• Google Analytics: anonymized usage analytics
• Sentry (error monitoring): error logs and system performance data

Third-Party Integrations:

• Social media platforms: if you link your account or log in via social authentication
• Analytics and advertising partners: if you interact with our ads or content

Other Users:

• Information about you provided by other users (e.g., if they refer you or mention you in community discussions)

LEGAL BASIS FOR PROCESSING (GDPR COMPLIANCE)

If you are located in the European Union or United Kingdom, we process your personal information based on the following legal bases:

1. Contract Fulfillment: Processing necessary to provide the Services you've requested, including account creation, payment processing, and delivery of educational content (Article 6(1)(b))
2. Legal Obligation: Processing required by law, including tax and financial reporting obligations (Article 6(1)(c))
3. Legitimate Interests: Processing for purposes such as:

• Fraud prevention and account security (Article 6(1)(f))
• Improving and optimizing the Services (Article 6(1)(f))
• Marketing communications you've consented to (Article 6(1)(f))
• Responding to legal claims (Article 6(1)(f))

1. Consent: Processing based on your explicit consent, particularly for:

• Marketing communications (if you've opted in)
• Non-essential cookies and tracking
• Special category data (health information) beyond what's necessary for service delivery

For special category personal data (health information), we rely on:

• Article 9(2)(a): Your explicit consent
• Article 9(2)(b): Employment-related health data (if applicable)
• Article 9(2)(h): Purposes of preventive or occupational medicine
• Article 9(2)(j): Purposes of archiving, research, or statistics in the public interest

HOW WE USE YOUR INFORMATION

We use collected information for the following purposes:

Service Delivery

• Creating and maintaining your account
• Processing payments and managing subscriptions
• Delivering educational content and courses
• Providing customer support
• Conducting the EVA assessment and providing educational results
• Personalizing your experience based on your responses

Communication

• Sending transactional emails (order confirmations, account updates, password resets)
• Responding to your inquiries and support requests
• Sending educational emails and course updates (if you've enrolled)
• Marketing communications (only if you've opted in)
• Important security or policy updates

Research and Analysis

• Analyzing patterns in symptom data to improve educational content
• Understanding user needs and preferences
• Conducting statistical analysis of EVA responses to improve assessment accuracy
• Generating anonymized, aggregated reports on health patterns
• Academic or clinical research (only with your explicit consent and anonymization)

Fraud Prevention and Security

• Detecting, investigating, and preventing fraudulent transactions
• Protecting against unauthorized access and data breaches
• Verifying user identity and preventing account takeover
• Monitoring for violations of these Terms

Legal Compliance

• Complying with legal obligations, regulatory requirements, and court orders
• Responding to government or law enforcement requests
• Enforcing our Terms of Service and other agreements
• Protecting our legal rights and the rights of other users

Service Improvement

• Analyzing usage patterns to improve functionality and user experience
• Conducting A/B testing and optimization
• Developing new features and services
• Troubleshooting technical issues

Marketing and Promotion

• Sending you promotional content if you've opted in
• Analyzing which marketing messages are most effective
• Customizing advertising based on your interests (only if you've consented)
• Conducting surveys and gathering feedback

Aggregated and Anonymized Analysis

• Creating anonymized, aggregated reports on health trends
• Contributing to public health research initiatives
• Publishing insights about midlife health patterns (in anonymized form)

HOW WE SHARE YOUR INFORMATION

Third-Party Service Providers

We share information with third-party service providers who assist us in operating the Services. These providers are bound by confidentiality agreements and data protection requirements:

Payment Processing:

• Stripe: Processes payment information. See Stripe's Privacy Policy: https://stripe.com/privacy

Email and Marketing:

• Customer.io: Manages email communications, marketing campaigns, and customer engagement. See Customer.io's Privacy Policy: https://customer.io/privacy/

Data Hosting and Database:

• Supabase: Hosts our database and manages data storage and authentication. See Supabase's Privacy Policy: https://supabase.com/privacy

Assessment Platform:

• Typeform: Hosts the EVA assessment and collects response data. See Typeform's Privacy Policy: https://www.typeform.com/privacy/

Analytics and Monitoring:

• Google Analytics: Tracks website usage and user behavior. See Google Analytics Privacy Policy: https://policies.google.com/privacy
• Sentry: Monitors errors and application performance. See Sentry's Privacy Policy: https://sentry.io/privacy/

Legal Requirements and Law Enforcement

We may disclose your information when required by law or in response to:

1. Subpoenas, court orders, or legal process
2. Government or law enforcement investigations
3. Regulatory inquiries from healthcare, consumer protection, or financial regulators
4. National security requests
5. Valid legal processes that comply with applicable law

We will provide notice of legal requests when permitted by law, except where prohibited by law enforcement or when notice would compromise an investigation.

Business Transfers

If Elura is involved in a merger, acquisition, bankruptcy, dissolution, reorganization, or similar transaction or proceeding, your information may be transferred as part of that transaction. We will provide notice via email and/or prominent notice on our website of any such change and any choices you may have regarding your information.

Health Information and Healthcare Providers

When You Request It: If you request that we share your EVA assessment results or health data with a healthcare provider, we will only share information with the specific provider you designate and with your explicit written permission.

Emergency Situations: In life-threatening emergencies, we may share necessary health information with emergency responders or healthcare providers if you are unable to consent.

What We Do NOT Share

We do not:

• Sell your personal information to third parties for their direct marketing purposes
• Share your health data with advertisers or data brokers
• Share your assessment responses with pharmaceutical companies or supplement manufacturers
• Share your information with unaffiliated health platforms or wellness services without your explicit consent
• Use your health data for behavioral advertising or targeted marketing without your consent

Aggregated and Anonymized Information

We may share aggregated, anonymized information (information that has been stripped of personal identifiers) with research partners, public health organizations, and other third parties for research, educational, and analysis purposes. This information cannot reasonably identify you.

COOKIES AND TRACKING TECHNOLOGIES

What Are Cookies?

Cookies are small text files stored on your device that help websites recognize you and remember your preferences. We use cookies to enhance your experience with the Services.

Types of Cookies We Use

Essential Cookies (Required):

• Session management (keeping you logged in)
• Security and fraud prevention
• Account authentication
• Basic website functionality

These cookies are necessary for the Services to function and cannot be disabled.

Analytics Cookies (If Consented):

• Google Analytics: tracks page views, user interactions, and usage patterns
• Helps us understand how users interact with the Services
• Data is anonymized and aggregated
• You can opt out at: https://support.google.com/analytics/answer/181881

Marketing and Personalization Cookies (If Consented):

• Remembering your preferences
• Tracking which content interests you
• Personalizing educational recommendations
• Retargeting ads on other websites (if you've consented)

Third-Party Cookies:

• Stripe (payment processing)
• Google Analytics
• Customer.io (email tracking)

Cookie Preferences and Control

Declining Non-Essential Cookies:

When you first visit the Services, you will be presented with a cookie consent banner. You can:

1. Accept all cookies
2. Decline non-essential cookies
3. Customize your preferences

You can also manage cookie preferences at any time through your browser settings.

Browser Controls:

Most browsers allow you to refuse cookies or alert you when cookies are being sent. You can:

• Delete existing cookies
• Block all cookies
• Block specific types of cookies
• Allow cookies only from certain domains

Note: Disabling essential cookies may limit the functionality of the Services.

Do-Not-Track Signals

Some browsers include a "Do Not Track" feature. We currently do not respond to Do Not Track signals, but we provide granular cookie controls so you can manage tracking yourself. You can disable analytics and marketing cookies through our cookie preference tool.

DATA STORAGE AND SECURITY

Data Storage Location

Your personal information is stored on servers located in the United States. Specifically:

• Primary Database: Supabase (hosted on AWS infrastructure in the US)
• Email Service: Customer.io (US-based)
• Payment Processing: Stripe (US-based)

If you are located outside the United States (including the EU), please note that your information will be transferred to and stored in the United States. By using the Services, you consent to this transfer.

Data Security Measures

We implement industry-standard technical and organizational safeguards to protect your information against unauthorized access, disclosure, alteration, and destruction:

Technical Measures:

• SSL/TLS encryption for data in transit (HTTPS)
• Encryption at rest for sensitive data (including health information)
• Secure password hashing
• Firewall protection
• Regular security updates and patches
• Web application firewalls
• Intrusion detection and prevention systems

Organizational Measures:

• Restricted access to personal information (need-to-know basis)
• Employee training on data protection and privacy
• Confidentiality agreements with employees and contractors
• Regular security audits and assessments
• Incident response plan and data breach procedures
• Administrative access controls and audit logging

Limitations of Security

No Absolute Guarantee: While we implement reasonable safeguards, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security of your information. You use the Services at your own risk.

Your Responsibility: You are responsible for:

• Protecting your password
• Keeping your login credentials confidential
• Notifying us immediately of any unauthorized access
• Regularly updating your account settings

DATA RETENTION

How Long We Keep Your Information

Account Information:

• Retained for the duration of your account and for 3 years after account termination for legal and tax purposes

Health Assessment Data (EVA Responses):

• Retained for the duration of your account
• Retained for 7 years after account termination if required for legal, regulatory, or business purposes
• May be anonymized and retained indefinitely for research and analytics

Payment Information:

• Retained for 7 years (required for tax and financial compliance)
• Credit card details are not retained by Elura; Stripe handles this

Email Communications:

• Transactional emails retained for 3 years
• Marketing emails retained for 1 year unless you unsubscribe
• Support correspondence retained for 3 years

Usage Data (Analytics):

• Aggregated usage data retained for 3 years
• Individual session data retained for 1 year

Cookies:

• Session cookies deleted when you close your browser
• Persistent cookies retained for up to 2 years (or as specified in cookie preferences)

Deletion Requests

Upon your written request, we will delete your account data within 30 days, subject to:

• Legal retention obligations (tax, compliance)
• The need to preserve evidence for legal claims
• Anonymization (we may retain anonymized data indefinitely)

YOUR PRIVACY RIGHTS AND CHOICES

Access Your Information

You have the right to:

• Know what personal information we hold about you
• Request a copy of your personal information in a portable format
• Access your health assessment results and data

How to Request: Email info@elura.co with "Data Access Request" as the subject line. Include your account email address. We will respond within 30 days (or 45 days for CCPA requests).

Correct or Update Information

You have the right to:

• Correct inaccurate information
• Update outdated information
• Complete incomplete information (CPRA only)

How to Request:

• Log into your account and update information directly, or
• Email info@elura.co with details of the information you'd like to correct

Delete Your Information

You have the right to:

• Request deletion of your personal information (subject to exceptions)
• Have your account permanently closed

How to Request: Email info@elura.co with "Data Deletion Request" as the subject line. Include your account email address and confirmation that you want your account deleted. We will process within 30 days.

Exceptions: We may retain information for:

• Legal obligations (tax, regulatory)
• Fraud prevention and security
• Dispute resolution and legal claims
• Anonymized, aggregated research data

Portability

You have the right to:

• Receive your personal information in a structured, commonly used, machine-readable format (CSV, JSON)
• Transfer your information to another service

How to Request: Email info@elura.co with "Data Portability Request" as the subject line. We will provide your information within 30 days.

Opt Out of Marketing Communications

You have the right to:

• Unsubscribe from marketing emails at any time
• Opt out of promotional communications

How to Opt Out:

• Click the "Unsubscribe" link at the bottom of any marketing email
• Email info@elura.co with "Unsubscribe" as the subject line
• Log into your account and adjust notification preferences

Withdraw Consent (GDPR)

If you provided explicit consent for a particular use of your data, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing conducted before withdrawal.

How to Withdraw Consent: Email info@elura.co with "Withdraw Consent" as the subject line, specifying which consent(s) you're withdrawing.

Object to Processing (GDPR)

You have the right to object to processing of your personal information for certain purposes (legitimate interests, direct marketing).

How to Object: Email info@elura.co with "Objection to Processing" as the subject line.

Restrict Processing (GDPR)

You have the right to restrict processing of your personal information in certain circumstances (e.g., while you contest accuracy).

How to Request: Email info@elura.co with "Request to Restrict Processing" as the subject line.

CCPA/CPRA Rights (California Residents)

Do Not Sell or Share My Personal Information:

California residents have the right to opt out of the sale or sharing of their personal information. We do not currently sell your information in the traditional sense, but we do share information with service providers and analytics partners.

Right to Opt Out: You may submit a "Do Not Sell My Personal Information" request by:

• Emailing info@elura.co with "CCPA Opt-Out" as the subject line
• Calling us at [phone number if established]

We will honor opt-out requests within 45 days.

Limit Use of Sensitive Personal Information:

Under CPRA, you have the right to limit our use of sensitive personal information (including health data) to purposes necessary to provide the Services.

How to Request: Email info@elura.co with "Limit Sensitive Information" as the subject line.

Exercising Your Rights

How to Submit Requests:

1. Email: info@elura.co
2. Mail: Elura, LLC, Anchorage, Alaska (address to be provided upon request)
3. Phone: [phone number if established]

Verification: We will verify your identity by requesting:

• Email address associated with your account
• Last 4 digits of payment method (if applicable)
• Other information associated with your account

Response Time:

• GDPR: 30 days (extendable by 2 months for complex requests)
• CCPA/CPRA: 45 days
• Alaska / other state privacy laws: as required by law

No Discrimination: We will not discriminate against you for exercising your privacy rights. This includes:

• Denying services
• Charging different prices
• Providing different quality of service
• Displaying different terms or conditions

INTERNATIONAL DATA TRANSFERS

Data Transfers Outside Your Country

If you are located outside the United States, your information will be transferred to and stored in the United States. Data protection laws in the United States may differ from those in your country of residence.

GDPR Data Transfer Mechanisms

For EU and UK residents, we rely on the following lawful mechanisms for transferring personal data to the United States:

1. Standard Contractual Clauses (SCCs): We use EU-approved SCCs with our service providers to ensure adequate protection of your data
2. Adequacy Decisions: We transfer data to entities benefiting from an adequacy decision (if applicable)
3. Your Consent: By using the Services, you consent to the transfer described herein

Adequacy Notices

Please note that the US does not have an adequacy decision under GDPR. Data transfers to the US may result in greater data access by law enforcement or government authorities compared to your home jurisdiction.

CHILDREN'S PRIVACY

Not for Children Under 18

The Services are not intended for children under 18 years of age. We do not knowingly collect personal information from children under 18.

If We Learn You Are Under 18

If we discover that a user is under 18, we will:

1. Immediately delete their account and associated data (unless otherwise required by law)
2. Not knowingly retain any information from that user
3. Notify the user or parent/guardian of deletion

Parental Consent for Ages 18-21

If you are between 18 and 21, your use of the Services constitutes your representation that you have the legal capacity to enter into this agreement. If you lack such capacity, you must obtain consent from a parent or legal guardian before using the Services.

ACCESSIBILITY AND SPECIAL ACCOMMODATIONS

Accessibility Commitment

Elura is committed to making the Services accessible to people with disabilities. If you encounter barriers to accessibility, please contact us.

ADA Compliance

The Services are designed to comply with the Americans with Disabilities Act (ADA) and Web Content Accessibility Guidelines (WCAG) 2.1 Level AA standards to the extent feasible. We continue to work on improving accessibility.

Request Accommodations

If you need accommodations to access the Services, please contact:

Email: info@elura.co

Subject: Accessibility Accommodation Request

THIRD-PARTY LINKS AND SERVICES

The Services may contain links to third-party websites, applications, and services. This Privacy Policy does not apply to third-party services. We recommend reviewing the privacy policies of any third-party service before providing your information.

We are not responsible for:

• Third-party privacy practices
• Third-party use of your information
• Security of third-party services
• Content or accuracy of third-party sites

CALIFORNIA PRIVACY LAWS (CCPA AND CPRA)

Applicability

These provisions apply to residents of California. Other California-specific rights may apply under California law.

Categories of Personal Information Collected

In the past 12 months, we have collected the following categories of personal information:

CPRA Sensitive Personal Information

Under CPRA, "sensitive personal information" includes:

• Social Security numbers, financial account information (we don't collect these)
• Health data (we collect this via EVA)
• Precise geolocation (we don't collect this)
• Racial, ethnic, religious, philosophical beliefs (we don't collect this)

We process sensitive health information necessary to provide the Services. You have the right to limit this use.

Retention of Personal Information

We retain personal information for the periods specified in Section 8 (Data Retention). We do not retain information longer than necessary for the purposes collected, except as required by law.

Financial Incentives

Elura does not offer financial incentives for data collection that would constitute a "sale" under CCPA/CPRA.

GDPR COMPLIANCE (EU AND UK RESIDENTS)

Data Controller and Processor

Data Controller: Elura, LLC (determines purposes and means of processing)

Data Processors: Our service providers (Stripe, Customer.io, Supabase, etc.) process data on our instructions

Your GDPR Rights

Under GDPR, you have the rights described in Section 9, including:

• Right to access (Article 15)
• Right to rectification (Article 16)
• Right to erasure ("right to be forgotten") (Article 17)
• Right to restrict processing (Article 18)
• Right to data portability (Article 20)
• Right to object (Article 21)
• Rights related to automated decision-making (Article 22)

Lawful Basis for Processing

Our lawful bases for processing your information are described in Section 3.

International Data Transfers

International data transfers are described in Section 10.

Data Protection Officer Contact

If you have questions about our GDPR compliance or data protection practices, contact:

Email: info@elura.co

Subject: GDPR Data Protection Inquiry

EU Data Subject Rights and Complaints

If you believe your GDPR rights have been violated, you have the right to lodge a complaint with your local data protection authority:

• Austrian DPA: https://www.dsb.gv.at
• Belgian DPA: https://www.autoriteprotectiondonnees.be
• Bulgarian DPA: https://www.cpdp.bg
• Croatian DPA: https://www.azop.hr
• Cypriot DPA: https://www.dataprotection.gov.cy
• Czech DPA: https://www.uoou.cz
• Danish DPA: https://www.datatilsynet.dk
• Estonian DPA: https://www.aki.ee
• Finnish DPA: https://tietosuoja.fi
• French DPA (CNIL): https://www.cnil.fr
• German DPA: Varies by state
• Greek DPA: https://www.dpa.gr
• Hungarian DPA: https://www.naih.hu
• Irish DPA (DPC): https://www.dataprotection.ie
• Italian DPA: https://www.garanteprivacy.it
• Latvian DPA: https://www.dvi.gov.lv
• Lithuanian DPA: https://www.vdpt.lrv.lt
• Luxembourgish DPA: https://www.cnpd.public.lu
• Maltese DPA: https://www.idpc.gov.mt
• Netherlands DPA (AP): https://www.autoriteitpersoonsgegevens.nl
• Polish DPA: https://www.uodo.gov.pl
• Portuguese DPA: https://www.cnpd.pt
• Romanian DPA: https://www.dataprotection.ro
• Slovakian DPA: https://www.office.gov.sk
• Slovenian DPA: https://www.ip-rs.si
• Spanish DPA (AEPD): https://www.aepd.es
• Swedish DPA (IMY): https://www.imy.se
• UK DPA (ICO): https://www.ico.org.uk

ALASKA AND OTHER STATE PRIVACY LAWS

Alaska Privacy Rights

Alaska residents may have rights under Alaska Statute § 45.48 (Alaska Online Privacy Protection Act) and other Alaska consumer protection laws. Elura complies with all applicable Alaska privacy requirements.

State Variations

Privacy laws vary by state. If you are a resident of a state with specific privacy laws (including California, Virginia, Colorado, Connecticut, Florida, Indiana, Iowa, etc.), the applicable protections in this Privacy Policy will apply to you.

DATA BREACH NOTIFICATION

Breach Definition

A "data breach" is any unauthorized access to, disclosure of, or acquisition of personal information that compromises the security, confidentiality, or integrity of that information.

Notification Procedure

If we discover a data breach affecting your personal information, we will:

1. Notify Affected Individuals: We will notify you by email, mail, or phone within 30 days of discovery (or as soon as practical, and no later than required by law)
2. Notification Content: The notification will include:

• Description of the breach
• Types of information compromised
• Steps you should take to protect yourself
• Contact information for follow-up questions
• Information about credit monitoring (if applicable)

1. Notify Regulators: We will notify relevant data protection authorities and regulators as required by law
2. Public Notice: If the breach affects 250 or more residents of a state, we will provide public notice through press release or media

Your Responsibilities

Upon notification of a breach, you should:

• Change your password immediately
• Monitor your accounts for unauthorized activity
• Consider placing a fraud alert or credit freeze
• Review your credit report for suspicious activity

CONTACT US

Privacy Questions and Requests

For questions, concerns, or requests regarding your privacy and this Privacy Policy, contact:

Elura, LLC

Email: info@elura.co

Mailing Address: Anchorage, Alaska [specific address upon request]

Please include:

• Your name and account email address
• Nature of your inquiry or request
• Any supporting information

Regulatory Contacts

For GDPR and EU privacy concerns:

Email: info@elura.co with "GDPR Inquiry" as subject line

For CCPA/CPRA and California concerns:

Email: info@elura.co with "CCPA Request" as subject line

For Alaska privacy concerns:

Email: info@elura.co with "Alaska Privacy Inquiry" as subject line

Response Time

We aim to respond to all inquiries within 5 business days. Formal data requests (access, deletion, portability) will be addressed within applicable legal timelines (30-45 days depending on jurisdiction and request type).

CHANGES TO THIS PRIVACY POLICY

Policy Updates

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. The date of the last update appears at the top of this page.

Notice of Material Changes

For material changes, we will:

1. Notify you via email sent to the address associated with your account
2. Post a prominent notice on the Services
3. Request your affirmative consent if required by law

Your Acceptance

Your continued use of the Services after any changes constitutes your acceptance of the updated Privacy Policy. If you do not accept the changes, discontinue use of the Services.

ENTIRE AGREEMENT

This Privacy Policy, together with our Terms of Service and Medical Disclaimer, constitutes the entire agreement regarding our privacy and data protection practices. It supersedes all prior agreements, policies, and understandings regarding privacy.