Privacy Policy
Effective Date: July 15, 2026
This Privacy Policy explains how Holistic Healing Horizons LLC ("we," "us," "our") handles your personal information when you use Thrive After Narcissistic Abuse — our website at emotionalabuserecovery.com, membership platform, mobile app, courses, live sessions, community features, and AI companions (together, the "Services"). If anything here doesn’t sit right with you, please don’t use the Services, and reach out with any questions at support@emotionalabuserecovery.com.
In short: we collect what we need to run your membership and support your healing journey, we don’t sell your data, we use trusted processors like Stripe and PayPal for payments and providers like OpenRouter, Anthropic, and ElevenLabs to power our AI companions, and depending on where you live, you have real rights over your information — access, correction, deletion, and more.
- What Information We Collect
- How We Process Your Information
- The Legal Bases We Rely On
- When and With Whom We Share Your Information
- Cookies and Other Tracking Technologies
- Our AI Companions
- How Long We Keep Your Information
- How We Keep Your Information Safe
- Do We Collect Information From Minors
- Your Privacy Rights
- Do-Not-Track Signals
- US State-Specific Privacy Rights
- Rights in Other Regions
- Updates to This Notice
- Contact Us
- Reviewing, Updating, or Deleting Your Data
1. What Information We Collect
When you create an account, join a course, or take part in the community, we collect the details you give us directly — your name, email address, phone number, username, and password. If you make a purchase, payment details (card number, billing address) are collected and handled entirely by our payment processors, Stripe and PayPal — we never store your full card details ourselves. You can review their own privacy practices at stripe.com/privacy and paypal.com.
If you use our mobile app, we may also collect device information (device model, operating system), and — only with your permission — approximate location and push notification tokens, so we can send you reminders or session alerts. You can turn any of this off in your device settings at any time.
We also automatically pick up some technical information whenever you visit the Site: your IP address, browser type, the pages you view, and general usage patterns. This helps us keep the Site secure, fix bugs, and understand what’s working. None of this technical data identifies you by name on its own.
2. How We Process Your Information
We use the information we collect to run your account and membership, deliver the courses and sessions you’ve signed up for, respond when you reach out for support, send you important updates about your account or our policies, process your payments and orders, keep the Site secure against fraud and abuse, and — where it’s truly necessary — to protect someone’s safety.
3. The Legal Bases We Rely On
If you’re in the EU, UK, or a similar jurisdiction, data protection law requires us to point to a specific legal reason every time we process your information. Depending on the situation, we rely on one of these:
- Your consent — for anything we only do because you’ve agreed to it. You can withdraw this at any time, and we’ll stop that specific processing going forward.
- Delivering our contract with you — using your information to actually provide the membership, course, or session you signed up for.
- Our legitimate interests — things like diagnosing technical problems or catching fraudulent activity, where we’ve weighed this against your own rights and don’t believe it unfairly overrides them.
- A legal obligation — situations where we’re required by law to process or disclose information, such as cooperating with a lawful request from a regulator.
- Protecting someone’s vital interests — the rare case where using your information is necessary to protect your safety or someone else’s.
If you’re in Canada, we rely on your express consent, or in some cases your implied consent, and you’re free to withdraw either at any time. The law also allows us to process information without your consent in a handful of narrow situations, including: when getting consent isn’t realistically possible and doing so clearly serves your own interest; for fraud prevention or investigations; as part of a business transaction (like a merger), under conditions the law sets out; when it’s part of a witness statement needed to handle an insurance claim; to identify an injured, ill, or deceased person and reach their next of kin; when we reasonably believe someone has been the victim of financial abuse; when getting consent could compromise investigating a broken agreement or a legal violation; in response to a subpoena, warrant, or court order; when information was produced by someone in the course of their job or profession and our use of it matches why it was originally created; for purely journalistic, artistic, or literary purposes; or when the information is already publicly available in a way the law specifically recognizes. We may also share de-identified data for approved research, under strict confidentiality commitments.
4. When and With Whom We Share Your Information
We don’t sell your personal information. We may share it in a few limited situations: with service providers who help us run the Site (payment processors, hosting, the AI providers described below) under contracts that require them to protect it; if our business is ever sold, merged, or restructured; with trusted partners for a service or offer you’ve opted into; or when the law genuinely requires us to.
5. Cookies and Other Tracking Technologies
We use cookies and similar technologies to keep the Site secure, remember your preferences, and understand how the Site is used. The specific tools we use and how to control them are covered in detail in our Cookies section of our Terms and Conditions, which we consider part of this Policy.
6. Our AI Companions
Thrive offers AI companions designed to support your healing journey between sessions. Behind the scenes, your conversations are processed through a few different providers depending on what’s needed: OpenRouter handles most of the actual conversation, routing your message to the model best suited to reply; Anthropic’s models handle certain background tasks, like naming your conversations or summarizing a document you’ve uploaded; and ElevenLabs generates the spoken voice you hear in our hypnosis and audio tracks. Each of these providers only receives what they need to do their specific job, under agreements that require them to handle it responsibly. We don’t use your conversations to train these providers’ public models.
You should not use the AI companions in a way that violates the usage policies of any of these underlying providers. For full detail on how our AI companions work and their limitations, please see our AI Companion Usage Policy.
7. How Long We Keep Your Information
We keep your information for as long as you have an active membership, plus a reasonable period afterward to meet legal, accounting, or dispute-resolution needs. Once we no longer have a real reason to keep it, we delete or anonymize it — and if that isn’t immediately possible (for example, information sitting in a backup), we securely isolate it until it can be deleted.
8. How We Keep Your Information Safe
We use reasonable technical and organizational safeguards to protect your information. That said, no method of transmitting or storing data online is ever 100% secure, and we can’t guarantee against every possible attack. Please use the Site over a secure connection and keep your password private.
9. Do We Collect Information From Minors
Thrive is built for adults working through their own healing. We do not knowingly collect information from anyone under 18. If we learn that we’ve accidentally collected information from a minor, we’ll deactivate the account and delete that data. If you believe a minor has used the Site, please contact us right away at support@emotionalabuserecovery.com.
10. Your Privacy Rights
If you’re in the EEA, UK, Switzerland, or Canada, you generally have the right to: access a copy of the personal information we hold about you; ask us to correct or delete it; restrict how we use it; receive a portable copy of it to take elsewhere; and object to being subject to a decision made purely by an automated system without human input — if that ever happens, we’ll explain the reasoning and give you a way to ask for a human to review it.
If you’re in the EEA or UK and think we’ve mishandled your information, you can complain to your national data protection authority. If you’re in Switzerland, that’s the Federal Data Protection and Information Commissioner specifically.
Withdrawing consent. Anywhere we’re relying on your consent, you can withdraw it at any time by contacting us — this won’t undo anything we already did lawfully before you withdrew it.
Opting out of marketing. Every marketing email we send has an unsubscribe link, or you can just email us directly. Once you opt out, we’ll stop the marketing, though we may still need to send you account or service-related messages that aren’t promotional.
Your account. You can review or update most of your information yourself by logging into your account settings, or by emailing us. If you ask us to close your account, we’ll deactivate and delete it from our active systems — though we may keep limited records where needed to prevent fraud, resolve a dispute, or meet a legal obligation.
Cookies. Most browsers accept cookies by default; you can change that in your browser settings at any time, though some parts of the Site may work less well if you do.
11. Do-Not-Track Signals
Some browsers let you send a "Do Not Track" signal. There isn’t yet an agreed-upon industry standard for how sites should respond to this signal, so at this time we don’t change our behavior based on it. If a standard is adopted that we’re required to follow, we’ll update this Policy.
12. US State-Specific Privacy Rights
If you live in a state with its own privacy law — California, Colorado, Connecticut, Virginia, and a growing list of others — you have real rights over the personal information we hold about you. We have not sold or shared personal information for a business or commercial purpose in the past twelve months, and we don’t plan to.
Here’s what we’ve actually collected in the past year, by category, and how long we keep each:
| Category | Example | Collected? | Retention |
|---|---|---|---|
| A. Identifiers | Name, address, phone, IP address, email, account name | Yes | As long as you have an account |
| B. Records under CA Customer Records law | Name, contact info, employment, financial information | Yes | As long as you have an account |
| C. Protected classifications | Gender, age, race, marital status | No | — |
| D. Commercial information | Purchase history, payment details | Yes | As long as you have an account |
| E. Biometric information | Fingerprints, voiceprints | No | — |
| F. Internet or network activity | Browsing and search history, site interactions | No | — |
| G. Geolocation data | Device location | Yes | As long as you have an account |
| H. Audio, video, or similar | Recordings tied to our business activities | Yes | As long as you have an account |
| I. Professional or employment info | Job title, work history | No | — |
| J. Education information | Student records | No | — |
| K. Inferences | Profiles built from the categories above | No | — |
| L. Sensitive personal information | — | No | — |
Depending on your state, your core rights generally include the right to: know whether we’re processing your data; access it; correct inaccuracies in it; request its deletion; get a copy of what you’ve given us; not be discriminated against for exercising any of these rights; and opt out of your data being used for targeted advertising, being "sold" or "shared" as those terms are defined under your state’s law, or being used in automated profiling that produces a legal or similarly significant effect on you.
Some states go further. Depending on where you live, you may also have the right to see the specific categories of third parties we’ve shared your data with (California, Delaware, Maryland), to get a list of the actual named third parties (Minnesota, Oregon), to question or correct how your data has been profiled (Minnesota), to limit the use of sensitive personal data (California), or to opt out of facial or voice recognition features (Florida).
To exercise any of these, email us at support@emotionalabuserecovery.com. We’ll ask you to verify your identity first, using only what you send us for that purpose — if we can’t verify you from what we already have on file, we may ask for a bit more information. If you’d like someone else to submit the request on your behalf, they’ll need to show us written proof that you’ve authorized them to act for you. We also honor the Global Privacy Control (GPC) browser signal as a valid opt-out request where applicable.
If we decline a request, you can appeal by emailing us, and we’ll explain our decision in writing. If your appeal is denied, you may take your complaint to your state’s attorney general. California residents can also ask us once a year, free of charge, for a list of what personal information (if any) we’ve disclosed to third parties for their own direct marketing, under California’s "Shine the Light" law.
13. Rights in Other Regions
If you’re in Australia or New Zealand, we handle your information under the obligations of Australia’s Privacy Act 1988 and New Zealand’s Privacy Act 2020, and this Policy is written to meet what those laws require us to disclose. You have the right to request access to or correction of your information at any time by contacting us. If you believe we’ve breached the Australian Privacy Principles, you can complain to the Office of the Australian Information Commissioner; for New Zealand’s Privacy Principles, the Office of the New Zealand Privacy Commissioner.
If you’re in South Africa, you similarly have the right to request access to or correction of your information by contacting us. If you’re not satisfied with how we’ve handled a complaint, you can reach South Africa’s Information Regulator directly — general enquiries at enquiries@inforegulator.org.za, or complaints (via the POPIA/PAIA Form 5) at PAIAComplaints@inforegulator.org.za and POPIAComplaints@inforegulator.org.za.
14. Updates to This Notice
We may update this Policy from time to time to reflect changes in our practices or the law. When we do, we’ll update the Effective Date above, and for significant changes, we may notify you directly. We encourage you to check back periodically.
15. Contact Us
Questions or concerns about this Policy or your data? Reach us at:
Holistic Healing Horizons LLC
1209 Mountain Road Pl NE, Ste N
Albuquerque, NM 87110
United States
Phone: +1 541 454 1126
support@emotionalabuserecovery.com
16. Reviewing, Updating, or Deleting Your Data
Depending on where you live, you may have the right to request access to, updates to, or deletion of the personal information we hold about you. To make a request, simply email us at support@emotionalabuserecovery.com and let us know what you’d like — we’ll guide you through it from there.