OUR PRIVACY POLICY

 

Effective date: 13 November 2025 (Australia/Adelaide)
Who we are: Michelle Harpas (“we”, “us”, “our”), operating at michelleharpas.com and related programs, communities, and services.
Contact: support@michelleharpas.com • 19 Calstock Avenue, Edwardstown, SA 5039, Australia

1) Our promise

Your story stays yours. We collect the minimum information needed to deliver our services, keep it secure, and give you clear choices. We never sell your personal information.

 

2) Scope of this policy

This policy covers visitors and customers worldwide who interact with our website, emails, checkouts (ThriveCart), programs, communities, events/calls (Zoom), client portal/scheduling (Paperbell), and our social media pages and ads—regardless of device or channel. It explains how we collect, use, share, store, and protect personal information, and your rights.

Region coverage: Australia (Privacy Act 1988 & APPs), EU/EEA & UK (GDPR/UK-GDPR + ePrivacy/PECR), and major US state laws (e.g., CPRA).

 

3) The data we collect

3.1 Information you give us

  • Contact details: name, email, phone, address, company.
  • Account / purchases: products/programs bought, billing address. (Cards are processed by our payment processors via ThriveCart/Stripe/PayPal; we don’t store full card numbers.)
  • Program info: questionnaires, quiz results, intake forms, homework, forms you sign (incl. Paperbell coaching agreements), community posts, and DMs you send our team.
  • Bookings & portal (Paperbell): packages purchased, schedules, cancellations, session notes you choose to share.
  • Sessions (Zoom): meeting metadata; and only with consent, audio/video recordings and/or transcripts.
  • Support messages: email/contact-form/social DMs.
  • Feedback, reviews & testimonials: survey responses, feedback emails/DMs, ratings or public reviews, and any testimonial text, name, role/title, business name, photo/headshot, video/audio, and social handle you choose to provide. With your consent, we may publish these (see Testimonials, Reviews & Social Proof).

3.2 Information collected automatically

  • Usage & device data: pages viewed, clicks, IP, device/browser details, time zone, approximate location.
  • Cookies/SDKs: essential, analytics, and (if you consent) advertising cookies/pixels. See Cookies & similar technologies.

3.3 Information from third parties

  • Attribution & performance data from ad/analytics partners (e.g., Google, Meta) and platforms we use (e.g., ThriveCart, ConvertKit), consistent with your consent choices and applicable law.

 
4) How we use your data (purposes)

  • Provide services: access to content/coaching, manage accounts, fulfil purchases, send essential comms, support you.
  • Program operations: scheduling (Paperbell), sessions/replays (Zoom), community participation, progress tracking.
  • Improve & secure: analytics (in line with your choices), troubleshooting, testing features, performance, fraud/abuse prevention, safety.
  • Communications: onboarding, reminders, updates, and (if you consent) marketing. Unsubscribe anytime.
  • Compliance: tax, accounting, legal obligations, and enforcement of terms.

4.1 Our legal bases (EEA/UK)

  • Contract (Art. 6(1)(b)) — provide programs, support, purchases.
  • Consent (Art. 6(1)(a)) — marketing emails, non-essential cookies, optional recordings/transcripts.
  • Legitimate interests (Art. 6(1)(f)) — improve services, basic analytics, security (balanced with your rights).
  • Legal obligation (Art. 6(1)(c)) — tax, accounting, compliance.

 

5) AI-assisted processing (what we do & don’t do)

What AI does (admin only):

  • Convert Zoom transcripts into summaries/checklists; organise/tag internal content; draft reminders/FAQs; research & synthesise public information (no paywall bypass).
  • A human reviews AI outputs before we rely on them. No automated decisions about you.

What AI never does:

  • Coaching, diagnosis, identity labels, eligibility/risk scoring, “ghost-coaching,” trauma-adjacent advice, money decisions, or ritual/ceremonial scripts.

Data minimisation & redaction: We avoid personal data in AI inputs; where needed, we redact identifiers (names/emails/locations/minors/therapy history) or use anonymised summaries.

Training control: Where vendors offer a choice, we opt out of using your content to train general models.

Your choice: You can opt out of AI-assisted summaries/organisation at any time—no loss of access or support. See Your choices & rights.

Retention: Raw call transcripts auto-delete within 90 days (or sooner on request). Summaries/notes may be retained in your program record (see How long we keep your data).

 

6) Who we share your data with (processors)

We use trusted providers (“processors”) to operate our services. Typical vendors include:

  • ThriveCart — checkout & LMS
  • Stripe/PayPal — payments (via ThriveCart)
  • ConvertKit — email communications
  • Zoom — video calls; optional recordings/transcripts
  • Paperbell — bookings, client portal, contracts, package management
  • Descript/Transcription tool — audio/video transcription → summaries
  • Google Workspace/Drive/Analytics — email, storage, docs, analytics (Consent Mode)
  • Make/Zapier — secure automations (data minimised)

We require appropriate security, confidentiality, and (where applicable) data processing agreements. We do not sell personal information.

 

7) International transfers

We operate in Australia and use providers that may process data in other countries (including the US and EU/UK). We implement appropriate safeguards (e.g., Standard Contractual Clauses, vendor security controls). Contact us for details.

 

8) How long we keep your data (retention)

We keep personal data only as long as necessary for the purposes above or to meet legal/accounting/reporting requirements, then securely delete or de-identify it.

Defaults (unless law requires otherwise):

  • Accounts & program records: while active + up to 6 years (e.g., tax/contract).
  • Marketing contacts: until you unsubscribe or request deletion; we periodically remove inactive contacts.
  • Zoom recordings: retained per program need in private storage; if Zoom Cloud is used, set to ≤90 days retention, then deleted.
  • Raw transcripts: auto-delete ≤90 days (or sooner on request).
  • Summaries/notes/metadata: retained in your program record for continuity unless you request deletion.
  • Support emails: per our service/compliance schedule.
  • Cookies: per vendor/category (typically 6–13 months for analytics/ads). See Cookies & similar technologies.
  • Testimonials & consent records: retained while in use and for a reasonable period after removal for compliance/audit, then deleted or de-identified.

 

9) Security

We use administrative, technical, and physical safeguards: secure hosting, TLS encryption, least-privilege/role-based access, credential hygiene, vendor DPAs where available, incident response procedures. No method is 100% secure; if you suspect an issue, email support@michelleharpas.com.

 

10) Cookies & similar technologies

We use cookies/SDKs for:

  • Essential operations — site functionality, fraud prevention, consent storage.
  • Functional — preferences, embedded schedulers/players (e.g., Paperbell scheduler, Zoom launcher).
  • Analytics — site performance/measurement (e.g., Google Analytics with Consent Mode).
  • Advertising — (e.g., Google/Meta, Pinterest, LinkedIn) to show relevant promotions only with your consent.

We show a cookie banner so you can accept, reject, or manage categories. We honour Global Privacy Control (GPC) where applicable. You can also control cookies in your browser. Rejecting certain cookies may limit features. See our Cookie Policy for categories, vendors and typical lifespans, and our Do Not Sell or Share My Personal Information page for US opt-outs.

 

11) Social Media & Advertising Platforms

Where this applies. Your interactions with our pages, profiles, communities, ads, lead forms, posts, stories/reels/pins, videos, DMs, comments, and pixels on: Facebook & Instagram (Meta), Pinterest, YouTube (Google), and LinkedIn.

11.1 What we collect via Platforms

  • Public interactions: likes, follows, comments, replies, saves, shares, tags/mentions, and public content you post in response to us.
  • Direct messages & lead forms: messages you send us; data you submit via lead forms (e.g., name, email, interests, offer/quiz choices, scheduling preferences).
  • Ad/analytics signals (with your website cookie consent): page views, events (e.g., add-to-cart, purchase), campaign parameters (UTM), approximate IP-based location, device/browser type, and cookie/pixel IDs.
  • Audience membership: whether you were included/excluded in an ad audience (e.g., Custom, Lookalike/Similar, Retargeting) and basic performance attribution.

11.2 How we use this data

  • Community & support: respond to comments/DMs, moderate discussions, provide help.
  • Lead nurture & fulfilment: send requested resources; deliver offers you opted into (e.g., Meta Lead Ads) via ConvertKit, ThriveCart, or Paperbell.
  • Measurement & improvement: track what resonates, measure ad performance, refine messaging.
  • Advertising (with appropriate consent/choices): retarget site visitors, reach similar audiences, exclude current customers from prospecting.

11.3 Pixels, tags & cookies

  • On our website: Meta Pixel, Google/YouTube tags, Pinterest Tag, and LinkedIn Insight Tag are blocked by default and only run if you allow Analytics/Advertising in our cookie banner. Change anytime in Manage Cookie Preferences (cookie icon). We honour GPC where recognised.
  • On the Platforms: each Platform sets its own cookies/identifiers under its own policies.

11.4 Custom/retargeting audiences & your choices

We may create Custom/Retargeting Audiences from: site visitors (subject to your cookie choices), subscribers/customers (we may upload hashed email lists), and Platform engagement tools.
Opt out: email support@michelleharpas.com with subject “Ad Audience Opt-Out” to be added to our suppression list; use Manage Cookie Preferences to disable Advertising/Retargeting; and/or use each Platform’s ad controls (GPC browser signals also respected where applicable).

11.5 Legal bases (EEA/UK)

  • Website pixels (Analytics/Advertising): Consent (Art. 6(1)(a)).
  • DMs/comments; fulfilling lead-form requests: Contract (Art. 6(1)(b)) or Legitimate Interests (Art. 6(1)(f)).
  • Custom audiences from lists: Consent where obtained for marketing, or Legitimate Interests with an easy opt-out (suppression list) and minimal (hashed) data handling.

11.6 Joint/independent controllership

For certain page analytics and ad tools, we and the Platform may act as independent or joint controllers for specific, limited purposes (e.g., Page/Account Insights). Each party is responsible for its own compliance.

11.7 Data sharing & processors

We may sync lead-form submissions to ConvertKit, ThriveCart, and Paperbell to deliver what you requested. We also use Make/Zapier to securely pass data between services (data minimised; role-based access). We do not sell personal information. Where “sharing” could be deemed to occur for cross-context ads (e.g., CPRA), you can opt out as described here and on our Do Not Sell or Share page.

11.8 Retention

  • Public comments/DMs: retained per Platform capabilities and our moderation needs.
  • Lead-form submissions: kept in our email/CRM while you remain subscribed or until deletion is requested; inactive contacts are periodically purged.
  • Ad/analytics data: retained per cookie lifespans and platform reporting windows (see Cookie Policy).
  • Suppression lists: retained to honour your opt-out.

 

12) Testimonials, Reviews & Social Proof

What we may use: With your permission, we may display your testimonial/review (text, name, role/title, business name, image/headshot, video/audio, social handle, and country/city if provided).

Where it appears: Website pages, sales pages, lead magnets, emails, social posts/ads, webinars, and printed materials.

Legal basis (EEA/UK): Consent for publication (Art. 6(1)(a)); Legitimate interests (Art. 6(1)(f)) to verify authenticity and store consent records. You can withdraw consent for future publication at any time—email hello@michelleharpas.com—and we’ll remove future uses within a reasonable period (this won’t affect past print runs or third-party republishes outside our control).

Accuracy & fairness: We may request verification that you purchased/participated. If a testimonial was incentivised (e.g., discount, gift), we disclose that per advertising rules (e.g., FTC/ASA/CAP). Testimonials describe individual experiences and don’t guarantee results.

Images & video: By supplying media, you confirm you own rights to share it and grant us a non-exclusive licence to display it with your testimonial until you withdraw consent. We don’t knowingly publish testimonials from minors (under 18).

Retention: We keep testimonial content and consent records while in use and for a reasonable period after removal for compliance/audit, then delete or de-identify.


13) Children

Our services target adults (18+). We do not knowingly collect data from children. If you believe a child’s data was provided to us, contact us for prompt deletion.

 

14) Your choices & rights

Everyone:

  • Marketing: unsubscribe anytime via email footer.
  • AI: reply “OPT OUT OF AI SUMMARIES” to any email or contact us to exclude your data from AI-assisted summaries/organisation.
  • Recording preference (Zoom): we announce recording at the start; you can keep camera/mic off, use chat, or request a non-recorded alternative where feasible.
  • Access / Correction / Deletion: email support@michelleharpas.com. We’ll verify identity and respond within applicable timeframes.

Australia (Privacy Act / APPs): request access and correction; if unresolved, lodge a complaint with the OAIC.

EEA/UK (GDPR/UK-GDPR): rights to access, rectification, erasure, restriction, portability, and objection (including to processing based on legitimate interests and to direct marketing). You may complain to your supervisory authority.

California & similar US laws: rights to know/access, correct, delete, portability, and to opt out of “sale” or sharing for cross-context behavioural advertising, and to limit use of Sensitive Personal Information. We do not sell personal information. If “sharing” is deemed to occur via ad cookies/pixels, opt out via Manage Cookie Preferences, use a GPC-enabled browser, or contact us. You may designate an authorised agent; we may require proof of agency and identity.

 

15) Third-party links & platforms

Our site contains links or embeds (e.g., Zoom launch pages, Paperbell booking, ThriveCart checkout, video hosts, social media). Their privacy practices are their own; review their policies before use.

 

16) Automated decision-making & profiling

We do not engage in automated decision-making or profiling producing legal or similarly significant effects. AI is used for admin support only, with a human in the loop.

 

17) Changes to this policy

We may update this policy from time to time. The Effective date above shows the latest version. Material changes will be highlighted on this page and/or via email where appropriate.

 

18) Contact us

Questions, requests, or complaints: support@michelleharpas.com
Mail: Michelle Harpas, 19 Calstock Avenue, Edwardstown, SA 5039, Australia
We aim to respond within 48 hours (and always within any legal timeframe that applies).

 

19) Change Log

Date: Summary of Updates

  • 15 Dec 2021: First publication of the Privacy Policy.
  • 12 Nov 2025: Global refresh: plain-language structure, regional rights (AU GDPR/UK-GDPR/CPRA), vendor list (ThriveCart, ConvertKit, Zoom, Paperbell, Descript, Google, Make/Zapier), incident contact added.
  • 13 Nov 2025: Major overhaul: AI (admin-only, human-reviewed, opt-out); Zoom/Paperbell recordings & transcripts (90-day default); social/ad platforms (Meta, Google/YouTube, Pinterest, LinkedIn) with consent-based pixels and suppression lists; tightened Consent Mode & GPC, security/retention, SCCs; added Testimonials/Reviews section with consent & removal options.