Updated: October 29, 2024
This Privacy Policy (“Policy”) outlines the privacy practices of AlchemistOne Inc.(“AlchemistOne”, “we,” “us,” “our”) relating to your access and use of our AlchemistOne app, or AlchemistOne.io.
At AlchemistOne, we only process Personal Data in compliance with applicable data protection laws and regulations. AlchemistOne is responsible as controller for the data processing described in this Policy, unless stated otherwise. The term “controller” under data protection law refers to the entity which decides what to do with the Personal Data that has been collected, and how to do it.
We may update this Policy from time to time by publishing a new version on our website.
Key Points
- We will never advertise products and/or services to you through our mobile application and/or website. All revenue from AlchemistOne comes from paid user subscriptions.
- We have been diligent about using as few third party services as possible to ensure your data and your recovery are completely private. While we do integrate with services such as Apple HealthKit, and Google Health Connect and Customer.io to help you streamline your recovery, we’ve made it a point to limit our touch points wherever possible.
- All personalized data you enter into the app, such as journals, gratitude lists and workout histories, remains encrypted on your device. Even if we wanted to, we couldn’t access this information. We never share this data with anyone, including our employees.
- We’ll always honour any requests to delete your user data at any time.
If you have questions or concerns about this policy at any time, please email us at privacy@alchemistone.io.
Contents
1. On what basis do we process your Personal Data?
2. What kinds of Personal Data do we use?
3. Your rights in relation to your Personal Data
4. Where do we process your Personal Data?
5. How do we use “cookies” and other tracking technologies?
6. How long do we store your Personal Data?
7. How can you contact us?
8. Who do we share your Personal Data with, and why?
Additional region/country-specific information:
9. California Privacy rights
10. Other U.S. State privacy rights
11. Additional information for residents of Canada
1. On what basis do we process your Personal Data?
We process your Personal Data using the following legal bases:
(i) with your consent,
(ii) in order to provide services to you (e.g., when you sign up for an AlchemistOne account),
(iii) for compliance by AlchemistOne with a legal obligation
2. What kinds of Personal Data do we use?
2.0 – In-App Users
2.0.1 – Information You Provide To Us
- Personal identifiers, such as your first name, last name, email address, and your current timezone
- Payment information, such as your credit card number. This data is stored and processed by a third-party processor (Stripe) or by the pertinent app store.
- Physical activity data, such as your recent workouts, heart rates, calories burned and distance traveled.
- Addiction recovery data. This includes in-app journals, gratitude lists, and group meeting attendance. Note, however, while an aggregate of this data is used to track goals achieved throughout the app, we as a company do not have access to your individual journals, gratitude lists, written insights, logged therapy, and/or workout history. AlchemistOne has been designed to keep this data encrypted on your device. We cannot access it at any time, or share it with anyone.
- Usage data. This includes data indicating your meditation preferences, time spent in the app, time spent writing journals, and other metrics that help is in providing a quality service.
- Inferences based on any of the above data
2.0.2 – Information We Infer From In-App Behaviour
We process information about your recovery behavior, vocabulary and progress. This includes content and voice recordings you create in the app, if applicable. This Personal Data is processed for the following purposes, and on the following legal bases:
- Deploying the app and adapting our services to your needs and skills;
2.1 – Website visitors
2.1.0 – Contact Form Data
We process data you provide to us in contact forms about yourself or the company you work for, such as your name, email address and telephone number. This Personal Data is processed for the following purposes:
- Customer acquisition
- Support and communication: answering inquiries.
2.1.1 – Job Applicants
We process data that you provide to us as part of your job application, or that a recruiter provides to us, or that we collect during the application process. This includes information about your resume or curriculum vitae, your career to date and other data that you provide to us before or during the application process.
This Personal Data is processed for the following purposes:
- Initiation of a current or future employment relationship.
3. Your rights in relation to your Personal Data
You have the right to exercise certain data subject rights under applicable laws. To exercise your data subject rights, please email privacy@alchemistone.io
Depending on the data protection laws that apply to you, you have at least the following rights:
- To ask for access to information confirming whether and, if so, to what extent we are processing Personal Data concerning you.
- To ask us to correct your Personal Data if it is incorrect or out of date.
- To ask us to delete your Personal Data.
- To ask us to restrict the processing of your Personal Data.
- To receive your Personal Data, which you have provided to us, in a structured, commonly used, and machine-readable format, and the right to transfer your Personal Data to another company.
4. Where do we process your Personal Data?
5. How do we use "cookies" and other tracking technologies?
We use cookies and similar technologies on our website and in providing our services. We have compiled more information about how we use these technologies in our cookie banners. The banners are accessible from the footer of any of our websites, or in the app. There you will also find a list of other companies that place cookies on our websites, a list of cookies that we place, and an explanation of how you can refuse certain types of cookies.
6. How long do we store your Personal Data?
7. How can you contact us?
If you have any questions about this Policy or would like to exercise your data subject rights, please contact us at privacy@alchemistone.io.
8. Who do we share your Personal Data with, and why?
8.1 – Hosting provider
We do not have our own servers. We engage certified service providers to host our systems.
8.2 – Payment provider
To process payments, we share your data with payment providers and banks that process your data as data controllers and processors.
9. California Privacy rights
The California Consumer Privacy Act of 2018 (“CCPA”), as amended by the California Privacy Rights Act of 2020, provides you with specific rights regarding your personal information (which is very similar to Personal Data described above). This section describes the rights that California consumers have and explains how to exercise those rights. To be clear, these rights are granted only to the extent that you are a California consumer and we are acting as a “business” under the CCPA with respect to your personal information.
9.1 Information We Collect; How We Collect It; How We Use It
The section in this Policy titled “What kinds of Personal Data do we use?” describes the Personal Data that we collect. The categories of such information are as follows:
9.1.1 Identifiers
Examples
Personal identifiers, such as your first name, last name, email address and current timezone
Purposes
To provide you with our services, to enhance our services and to retarget advertising to you.
9.1.2 Commercial information
Examples
Payment information, such as your credit card number. This data is stored and processed by a third-party processor (Stripe) or by the pertinent app store.
Purposes
To provide you with our services and to enhance our services.
9.1.3 Physical activity data
Examples
Recent workouts, heart rates, calories burned and distance traveled.
Purposes
To connect with services like Apple Health and Google Fit and provide a personalized recovery framework.
9.1.4 Addiction recovery data
Examples
In-app journals, gratitude lists, and group meeting attendance.
Purposes
To provide a personalized recovery framework.
9.1.5 Usage data
Examples
Data indicating your meditation preferences, time spent in the app, time spent writing journals, and other specifics about your usage patterns.
Purposes
To provide a personalized recovery framework.
9.2 How We Use and Disclose Your Personal Information
We collect and disclose your personal information as follows:
9.2.1 Identifiers
Source
Directly from consumers when interacting with our services
Disclose(d) to
Vendors, service providers and other third parties
Sell/Sold to
Not “sold”, as defined under the CCPA
Share(d) with
Not “shared”, as defined under the CCPA
9.2.2 Commercial information
Source
Directly from consumers when interacting with our services
Disclose(d) to
Vendors and service providers
Sell/Sold to
Not “sold”, as defined under the CCPA
Share(d) with
Not “shared”, as defined under the CCPA
9.2.3 Physical activity data
Source
Directly from consumers when interacting with our services
Disclose(d) to
Vendors, service providers and other third parties
Sell/Sold to
Not “sold”, as defined under the CCPA
Share(d) with
Not “shared”, as defined under the CCPA
9.2.4 Addiction recovery data
Source
Directly from consumers when interacting with our services
Disclose(d) to
Vendors, service providers and other third parties
Sell/Sold to
Not “sold”, as defined under the CCPA
Share(d) with
Not “shared”, as defined under the CCPA
9.2.5 Usage data
Source
Directly from consumers when interacting with our services
Disclose(d) to
Vendors, service providers and other third parties
Sell/Sold to
Not “sold”, as defined under the CCPA
Share(d) with
Not “shared”, as defined under the CCPA
9.3 Rights to Your Information
9.3.1 Right to Know
As a California consumer, you have the right to ask us to tell you certain information about our collection, use, disclosure, or sale of your personal information. Once we receive and confirm your verifiable consumer request (see Exercising Your Rights, below), and subject to certain limitations that we describe below, we will give you this information. You have the right to ask for any or all of the following:
- The categories of personal information we collected about you;
- The categories of sources from which the personal information is collected;
- Our business or commercial purpose for collecting or selling that personal information;
- The categories of third parties with whom we share that personal information; and/or
- The specific pieces of personal information we collected about you.
9.3.2 Right to Delete
You have the right to ask us to delete any of your personal information that we collected from you and stored, with certain exceptions. Once we receive and confirm your verifiable consumer request (see Exercising Your Rights, below), we will delete (and tell our service providers to delete) your personal information from our records, unless an exception applies. However, we may retain personal information that has been de-identified or aggregated. Additionally, we may deny your deletion request if retaining the information is necessary for us or our service provider(s) to perform certain actions that are legally required under CCPA, such as detecting security incidents and protecting against fraudulent or illegal activity.
9.3.3 Right to Data Portability
You have the right to ask for a copy of personal information that we have collected and maintained about you. You may ask for your information from us up to twice during a 12-month period. We will provide our response in a readily usable (and usually electronic) format.
9.3.4 Right to Correct
You have the right to ask us to correct any personal information we have about you.
9.3.5 Right to Opt Out of Selling or Sharing Your Personal Information
You have the right to opt out of the sale or sharing of your personal information, along with the right to opt in to the sale of such information. We do not sell or share the personal information of consumers we actually know are less than 16 years of age, unless we receive affirmative authorization (the “right to opt-in”) from either the consumer who is less than 16 (but greater than 13) years of age, or the parent or guardian of a consumer less than 13 years of age. To our knowledge, we do not sell or share the personal information of minors under 16 years of age.
9.3.6 Right to Non-Discrimination
We will not discriminate against you for exercising any of your CCPA rights, including but not limited to, by denying you goods or services or charging you different prices or rates for goods or services.
9.3.7 Exercising Your Rights
To exercise the rights described above, please contact us by using the following methods:
- Emailing us at privacy@alchemistone.io
After you send us certain requests, we may take steps to verify your identity so that we can properly respond and confirm that your request is not fraudulent. To verify your identity, we may ask that you provide your name, email address, phone number, address, and relationship to us, so that we can check this information against the information in our records. Only you, or an agent legally authorized to act on your behalf, may make a verifiable request related to your personal information. If you are making a request as the authorized agent of a California consumer, we may ask you to send us reliable proof that you have been authorized in writing by the consumer to act on such consumer’s behalf, such as a signed document.
10. Other U.S. State privacy rights
Residents of Virginia, Colorado, Connecticut, Utah, Iowa and other U.S. States with comprehensive consumer privacy laws (collectively, the “State Laws”) have certain rights with respect to their personal information. The rights available to residents of these States are explained below, and are different based upon the State Laws that are applicable to us and to you. Such laws are being enacted and modified on a regular basis, so these rights are evolving.
The categories of personal information we process, our purposes for processing your personal information, the categories of personal information that we share with third parties, and the categories of third parties with whom we share it are explained in detail above.
10.1 Rights to Your Information
In addition to the rights described in our Policy, the State Laws provide you with the following rights, except where indicated otherwise below:
Right to know: You have the right to know whether we process your personal information and to access this personal information.
Right to data portability: You have the right to get a copy of your personal information that you previously provided to us or that we have obtained in a portable and, to the extent technically possible, readily usable format that allows you to transmit the data to another business without difficulty, where the processing is carried out by automated means.
Right to delete: You may have the right to delete personal information that you have provided to us or that we have obtained about you. Please note that we may deny requests to delete if the requested deletion falls under an exception described in the applicable State Laws.
Right to opt out: You may have the right to opt out of the processing of the personal information for purposes of: (i) targeted advertising; (ii) the sale of personal information; or (iii) profiling that produces legal or similarly significant effects concerning you.
As of the date of this Policy:
- We do not sell your personal information in exchange for monetary consideration; and
- We do not engage in profiling decisions based on your personal information that produce legal or similarly significant effects concerning you.
If you want to opt out of the processing of your personal information for any of the above purposes, and your state of residence provides for such opt-out right, please email privacy@alchemistone.io.
Right to correct. Residents of Virginia, Colorado and Connecticut have the right to correct inaccuracies in their personal information, taking into account the nature of the personal information and the purposes for which we process it.
Right to nondiscrimination. You have the right not to be discriminated against by us for exercising your privacy rights.
10.2 How to Exercise Your Rights; Verifying Your Identity
To exercise any of your State Law privacy rights, or if you have any questions about your privacy rights, you can contact us by:
- Emailing us at privacy@alchemistone.io
After you send us a request, we will take steps to verify your identity so that we can properly respond and/or confirm that your request is not fraudulent. We may contact you for additional information as reasonably necessary to authenticate your request. if we are ultimately unable to authenticate your request using reasonable commercial efforts, then we may not be able to comply with it. Only you may make a verifiable request related to your personal information. If you are making a request as the parent or legal guardian of a person known to be a child, regarding the processing of that child’s personal information, we may ask you to submit reliable proof of your identity.
11. Additional information for residents of Canada
AlchemistOne collects, uses and discloses (in other words, processes) your Personal Data in connection with your access and use of our services in compliance with Canadian privacy laws, specifically the Personal Information Protection and Electronic Documents Act (PIPEDA) and relevant provincial privacy laws. This Policy provides information regarding our practices and procedures for such processing and how we comply with these laws. In addition to the information provided above, please note the following.
11.1 Consent
We may obtain your consent to our collection, use and disclosure of your Personal Data either expressly, for stated purposes, or impliedly when the purposes are indicated by the relevant circumstances or follow logically from other stated purposes.
By providing us with your Personal Data, you consent to the collection, use and disclosure of that information relating to providing our services, managing our relationship with you, administering our business and as permitted or required by law, in accordance with this Policy.
We rely on the GDPR’s “legitimate interests” rule as authorization to process your Personal Data where the circumstances and uses of such processing are known to or would be expected by you in connection with your access and uses of our services, in particular as set out in this Policy, provided that we will always seek your express, actively provided consent in instances where we propose to process your information for purposes of profiling, tracking, advertising or publication or if the information would be considered sensitive.
We will seek your consent before using Personal Data for any purpose beyond the scope of your original consent or our stated purposes.
You may withdraw your consent or request us to stop processing your Personal Data at any time, subject to legal and contractual restrictions and reasonable notice, by:
- Emailing us at privacy@alchemistone.io
11.2 Service providers outside of Canada
We may use service providers that are located outside of Canada. As a result, Personal Data under our custody or control may be accessible to regulatory authorities, courts and law enforcement outside of Canada in accordance with the laws of these jurisdictions. Subject to these laws, AlchemistOne will use reasonable measures to maintain protections of your Personal Data that are equivalent to those that apply in Canada.