Privacy Policy

1. Introduction

NeuroVeda (“we,” “our,” or “us”) is a wellness practice based in British Columbia, Canada, offering personalized neurofeedback and Ayurvedic sound sessions at our Salt Spring Island studio, partner locations across British Columbia, and at events and festivals in the United States. We are committed to protecting your personal information and being transparent about how we collect, use, and safeguard it.

This Privacy Policy explains what information we collect, why we collect it, how we protect it, and what rights you have regarding your data. It applies to all personal information collected through our website, in-person sessions, intake forms, and any digital tools or devices used during your sessions.

Important: NeuroVeda is a wellness practice, not a medical clinic. We are not licensed healthcare practitioners and do not provide medical diagnoses or treatment. However, because we collect sensitive wellness and biometric data, we apply strong privacy protections that meet or exceed the requirements of applicable privacy laws.

2. Privacy Laws That Apply

Because we operate in British Columbia and serve clients across Canada and at events in the United States, several privacy laws may apply depending on where you are located:

• BC PIPA (Personal Information Protection Act) — Our primary law. Applies to all personal information we collect as a BC-based private-sector business.
• PIPEDA (Personal Information Protection and Electronic Documents Act) — Federal Canadian law. Applies when we collect information from clients outside British Columbia.
• CASL (Canada’s Anti-Spam Legislation) — Applies to marketing emails. We require explicit opt-in consent.
• CAN-SPAM Act (US) — Applies to marketing emails sent to US recipients.
• US State Privacy Laws (California CCPA/CPRA, Virginia, Colorado, Connecticut, and others) — May apply based on the home state of clients we serve at US events.

HIPAA does not apply to NeuroVeda. We are not licensed healthcare practitioners, not a clinic, and not a “covered entity” under US health privacy law. Nevertheless, we apply strong protections to all wellness and biometric data.

3. Information We Collect

We collect different types of personal information depending on how you interact with us:

High Sensitivity (Encrypted)

• EEG brainwave data collected during sessions
• Health intake information including medications, health conditions, and safety-relevant information
• Practitioner notes and observations from your sessions
• Journal entries from post-session reflection

Medium Sensitivity

• Ayurvedic profile (dosha type, guna state) from our wellness quiz
• Session history including which sessions you attended and your feedback
• Outcome measure scores from periodic wellness questionnaires
• Music and sensory preferences

Low Sensitivity

• Name, email address, and contact information
• Booking dates and session locations
• Country and state/province of residence
• Website browsing behavior

4. Why We Collect Your Information

1. To personalize your sessions. Your profile, health intake, and preferences help us recommend sessions tailored to your unique needs.
2. To ensure your safety. Health conditions and safety flags allow us to exclude sessions that could be contraindicated for you.
3. To track your progress. Session history, outcome measures, and journal reflections help you and your practitioner understand how your wellness is evolving.
4. To improve our services. Aggregated, de-identified data helps us understand which sessions are most effective.
5. To communicate with you. With your explicit consent, we send wellness-related emails personalized to your profile.
6. To process bookings and payments. Handled through Jane App, subject to their privacy policy.

5. How We Obtain Your Consent

We obtain explicit, informed consent before collecting your personal information. Consent is collected separately for different types of data:

• General data collection: Presented when you first take our wellness quiz or create an account.
• EEG/Biometric data: Separate consent required before your first EEG session. At US events, this includes a written biometric consent form.
• Device sessions: Consent obtained before your first session using light stimulation or haptic feedback devices.
• Marketing communications: Explicit opt-in, compliant with both CASL (Canada) and CAN-SPAM (US).

Each consent form carries a version number. If we update a consent form, you will be asked to review and re-consent. You can withdraw any consent at any time through your member dashboard or by contacting us directly.

6. Personalized Session Recommendations

NeuroVeda uses automated technology to match you with sessions suited to your unique profile:

• Your dosha profile, wellness preferences, and session history are used to generate personalized session recommendations.
• To provide these recommendations, limited wellness data (not your name, email, or other identifying information) is processed by a secure third-party service. This data is used only to generate your recommendations and is not stored or used for any other purpose by that service.
• Recommendations are temporarily saved so we don’t need to reprocess the same information if you return within 24 hours.
• You can opt out of personalized recommendations at any time. You will still be able to browse and select sessions manually.

7. How We Protect Your Information

• Encryption in transit: All data is encrypted using HTTPS/TLS 1.2 or higher.
• Encryption at rest: High-sensitivity data is encrypted at the field level using AES-256 encryption.
• Access controls: Only authorized practitioners and administrators can access client data. All admin accounts require two-factor authentication.
• Audit logging: We maintain logs of who accessed what data, when, and from where.
• Backups: Encrypted backups stored off-site, tested quarterly.

8. Where Your Data Is Stored

• Your personal information may be stored on servers located outside of Canada.
• When data is stored outside of Canada, it may be subject to the laws of that jurisdiction.
• We ensure that any cross-border transfer is accompanied by appropriate safeguards as required by PIPEDA.
• Third-party services we use (such as Jane App for booking, Brevo for email, and our session recommendation engine) process limited data under their own privacy policies.

9. Your Rights

For All Clients

• Right to access: Request a copy of all personal information we hold about you. We will respond within 30 days.
• Right to correction: Request that we correct any inaccurate information.
• Right to deletion: Request that we delete your personal information.
• Right to withdraw consent: Withdraw any previously given consent at any time.
• Right to complain: File a complaint with the OIPC (BC) or the Privacy Commissioner of Canada.

Additional Rights for US Clients

• Right to know: Request details about what personal information we collect, why, and who we share it with.
• Right to opt out of data sharing: Use the “Do Not Sell or Share My Personal Information” link on our website.
• Right to non-discrimination: We will not treat you differently for exercising your privacy rights.
• Response timeline: We will respond to data requests within 45 days.

10. How Long We Keep Your Data

• Active clients: All data retained while your client relationship is active.
• Inactive clients: Data retained 3 years after your last session, then securely deleted.
• Consent records: Retained 5 years after withdrawal.
• Audit logs: Retained 3 years, then purged.
• Marketing data: Deleted immediately upon unsubscribe.

11. “Do Not Sell or Share My Personal Information”

NeuroVeda does not sell your personal information in the traditional sense. However, under California’s CCPA/CPRA, “sale” is broadly defined and may include sharing data with third-party analytics or marketing platforms.

To opt out, you can use the toggle in your member dashboard, click the link in our website footer, or contact us directly. Opting out will not affect your core session experience.

12. Data Breach Notification

In the unlikely event of a data breach, we will notify the Office of the Privacy Commissioner of Canada, notify affected individuals as soon as feasible, log the breach in our audit system, and comply with applicable US state breach notification laws where relevant.

13. Children’s Privacy

NeuroVeda services are designed for adults aged 18 and older. We do not knowingly collect personal information from children under 18.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the “Last Updated” date at the top of this page. For significant changes, we will notify you by email or through a notice on our website.

15. Contact Us

If you have questions about this Privacy Policy, want to exercise your data rights, or have a privacy concern:

Privacy Contact: [Jo’s Full Name]
Email: [privacy@vedazon.com]
Mailing Address: [Physical Address, Salt Spring Island, BC, Canada]
Website: vedazon.com

For British Columbia residents: You may also contact the Office of the Information and Privacy Commissioner for British Columbia (OIPC) at www.oipc.bc.ca.

For Canadian residents outside BC: You may contact the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.

Last Updated: March 30, 2026