
Privacy Policy

Effective date: May 30, 2026 - Last updated: May 30, 2026

This Privacy Policy explains how pdcatracker.com (“pdcatracker,” “we,” “us,” or “our”) collects, uses, shares, and protects your personal information when you visit our website, create an account, or use our daily reflection and Plan-Do-Check-Act journaling service (the “Service”).

The Service is offered only to residents of the United States and Canada, except the province of Quebec. This policy includes specific sections for Canadian residents and for California residents.

If you do not agree with this Privacy Policy, please do not use the Service.

1. Who we are

pdcatracker.com is the organization responsible for your personal information.

2. What information we collect

2.1 Information you provide directly

  • Account data: name, email address, password (hashed).
  • Subscription and billing data: billing name, billing address, last four digits of payment card, billing history. Full payment card details are processed by our payment processor and never stored on our servers.
  • Content you submit: your Plan-Do-Check-Act cycle entries, progress notes, and any in-app bug reports you send.

2.2 Sensitive information (mood, reflection, and self-assessment entries)

The Service lets you record moods, feelings, reflections, notes, and self-assessment responses (such as the in-book quizzes and check-ins, including the color and Four Rooms assessments) tied to the exercises in the book. This is sensitive personal information, and we treat it with extra care. We:

  • Collect it only with your explicit, opt-in consent.
  • Use it only to provide the tracking and journaling features you choose to use.
  • Never sell it and never use it for advertising.
  • Let you export or delete it at any time.
  • Let you withdraw consent and stop using these features at any time.

2.3 Information collected automatically

  • Device and usage data: IP address, browser type, operating system, pages visited, referring URL, in-app events, timestamps.
  • Cookies and similar technologies (see our Cookie Policy).

2.4 Information from third parties

  • Payment confirmation data from Stripe.

We do not buy data lists. We do not enrich your profile with third-party data brokers.

3. Consent and how the law applies

We collect, use, and disclose personal information only for purposes a reasonable person would consider appropriate in the circumstances, and we rely on your consent. We make clear what we collect and why at or before the point of collection.

For sensitive information, including the mood and reflection entries you log, we obtain your express, opt-in consent before collecting it.

You can withdraw consent at any time, subject to legal and contractual limits and reasonable notice. Withdrawing consent may mean we can no longer provide some features.

4. How we use your information

  • Create and manage your account and subscription.
  • Process payments and send invoices.
  • Deliver the Service, including your journaling, reflection, and Plan-Do-Check-Act tracking features.
  • Respond to support requests.
  • Send transactional emails (receipts, password resets, security alerts).
  • Send marketing emails only if you have opted in. Each marketing email has a one-click unsubscribe link.
  • Monitor and improve the Service, troubleshoot bugs, and analyze aggregate usage trends.
  • Detect and prevent fraud, abuse, and security incidents.
  • Comply with legal obligations and enforce our Terms.

5. Sale or sharing of personal information

We do not sell your personal information. We do not share your personal information with third parties for cross-context behavioral advertising. This applies under the California CCPA/CPRA, Canadian PIPEDA, and all other applicable laws.

6. Who we share your data with

We share data only with the following categories of recipients, and only as needed to deliver the Service:

  • Payment processor: Stripe, Inc. (privacy policy at stripe.com/privacy).
  • Hosting and infrastructure: Amazon Web Services (AWS).
  • Email delivery: Amazon Web Services (AWS SES) for transactional and account emails.
  • Customer support: handled internally through in-app bug reports. We do not use a third-party helpdesk.
  • Product analytics: PostHog, to understand feature usage and improve the Service. PostHog may process a user identifier, IP address, and in-app events. We use PostHog US Cloud and load it only after consent. We do not send mood or reflection entries to PostHog.
  • Professional advisors: auditors, lawyers, accountants, under confidentiality.
  • Authorities: when required by law, court order, or to defend our legal rights.
  • Successor entity: in connection with a merger, acquisition, or sale of assets, in which case you will be notified.

Each processor is bound by a written Data Processing Agreement that requires them to protect your data and process it only on our instructions.

7. Where your data is stored and transferred

pdcatracker.com stores and processes personal data in the United States, including with our product analytics provider PostHog (PostHog US Cloud).

If you are in Canada, your personal data is transferred to and stored in the United States, where data protection laws differ from those in Canada. We protect transferred data through contractual safeguards with our service providers and reasonable security measures. By using the Service, you acknowledge this transfer, consistent with PIPEDA.

8. How long we keep your data

  • Account data: for the life of your account, then deleted within 90 days of account closure unless we are required to retain it longer.
  • Billing and tax records: 7 years, as required by US and Canadian tax law.
  • Marketing preferences and consent records: 3 years from your last interaction.
  • Support tickets: 2 years after resolution.
  • Operational logs: kept only briefly on our infrastructure for security and troubleshooting; we do not export them to long-term storage.
  • Database backups: rolling 7-day cycle, then overwritten.

9. Your rights

9.1 If you are in Canada (PIPEDA and provincial law)

Under PIPEDA and any applicable provincial privacy law (such as British Columbia’s PIPA or Alberta’s PIPA), you have the right to:

  • Access the personal information we hold about you and learn how it has been used and disclosed.
  • Correct inaccurate or incomplete personal information.
  • Withdraw consent at any time, subject to legal or contractual limits and reasonable notice.
  • Data portability where required under applicable provincial law.
  • Complain to the Office of the Privacy Commissioner of Canada (priv.gc.ca) or your provincial privacy regulator.

To exercise these rights, email privacy@pdcatracker.com. We respond within 30 days, as required by PIPEDA.

9.2 If you are a California resident (CCPA / CPRA)

  • Right to know what personal information we collect, use, and disclose.
  • Right to delete personal information we hold about you.
  • Right to correct inaccurate personal information.
  • Right to opt out of the sale or sharing of your personal information. We do not sell or share your personal information, so there is nothing to opt out of.
  • Right to limit the use of sensitive personal information.
  • Right to non-discrimination for exercising your privacy rights.

To exercise these rights, email privacy@pdcatracker.com. We will verify your identity before responding.

9.3 Other US states

We extend the baseline rights of access, correction, and deletion to all US users where local law permits.

10. How we protect your data

We apply technical and organizational measures appropriate to the risk, including:

  • HTTPS / TLS encryption in transit for all pages.
  • Encryption at rest for the production database and backups.
  • Hashed and salted passwords (bcrypt or equivalent).
  • Role-based access control. Employees access data only when needed.
  • Two-factor authentication for all employee accounts that touch user data.
  • Regular vulnerability scans and dependency updates.
  • Written incident response plan.

No system is 100% secure. You are responsible for keeping your password confidential.

11. Data breach notification

If a breach of security safeguards creates a real risk of significant harm, we will notify affected individuals and the Office of the Privacy Commissioner of Canada, and we will keep a record of the breach, as required under PIPEDA. Where US state law requires breach notification, we will comply with those requirements as well.

12. US consumer health data

Some US state laws, such as Washington’s My Health My Data Act and Nevada’s consumer health data law, treat information about your mental or physical wellbeing as “consumer health data.” The mood and reflection entries you log may qualify. For residents of those states:

  • We collect this data only with your separate, explicit consent.
  • We do not sell it, and we will not share it without your separate authorization.
  • You can ask us to delete it by emailing privacy@pdcatracker.com.
  • We restrict employee access to it and keep it out of analytics.

This section supplements the rest of this Privacy Policy. We also maintain a separate Consumer Health Data Privacy notice linked from our website.

13. Automated decision-making

We do not make decisions about you using solely automated processing that produces legal or similarly significant effects.

14. Children

The Service is for adults aged 18 or older. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, contact privacy@pdcatracker.com and we will delete it.

15. Cookies

We use a limited number of cookies. See our Cookie Policy for details and to manage your preferences.

16. Third-party links

The Service may link to third-party websites. We are not responsible for their privacy practices. Review their policies before sharing personal data.

17. Changes to this Privacy Policy

We may update this Privacy Policy. We will post the new version on this page and update the “Last updated” date. For material changes, we will notify you by email or a prominent notice in the Service at least 30 days before the change takes effect.

18. Contact us

  • General privacy questions: privacy@pdcatracker.com
  • Postal mail: pdcatracker.com, 29035 5 Mile Rd., Livonia, MI 48154, United States
  • Privacy contact (accountable individual): Aristide Abrahams, Owner, reachable at privacy@pdcatracker.com. This is the person responsible for our compliance with PIPEDA.
