Privacy Policy
Last updated: April 6, 2026
1. Overview
Path Eight Collective ("we," "us," or "our") operates the Family Blueprint platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our Service. By accessing or using the Service, you agree to the collection and use of information in accordance with this policy.
We are committed to protecting your privacy and handling your data with transparency. If you have questions about this policy, please contact us using the information provided at the end of this document.
2. Data We Collect
We collect several categories of information to provide and improve our Service. The specific data points depend on how you interact with the platform.
| Category | Data Points | Collection Method |
|---|---|---|
| Account Information | Name, email address, login method | Provided during sign-up via Manus OAuth |
| Numerology Profile | Birthdate, full birth name, calculated numerology numbers | Provided by you during profile creation |
| Family Data | Family member names, birthdates, birth names, minor status | Provided by you during blueprint creation |
| Generated Content | AI-generated blueprint sections, ask responses, chat messages | Created through your use of the Service |
| Pattern Tracking | Daily check-in data (mood, energy, events, personal day number), energy goals, weekly digest summaries | Provided by you through the Pattern Tracker |
| Payment Information | Stripe customer ID, session ID, payment intent ID, tier purchased | Processed by Stripe; we store only reference IDs |
| Usage Data | Page views, feature usage, session duration | Collected automatically via Umami analytics |
| Technical Data | IP address, browser type, device information | Collected automatically from server logs |
| Security Data | MFA secrets (encrypted), backup codes, security alert logs | Generated during MFA setup and security events |
| Optional Number Layers | Derived numerology number only (e.g. compound display "35/8", root digit "8"); last 4 digits of SSN stored as a display hint only | Calculated locally in your browser — raw SSN and phone digits are never transmitted to our servers |
Local computation for sensitive inputs: When you enter a Social Security Number or phone number into the Optional Number Layers feature, the numerology calculation is performed entirely within your browser using client-side JavaScript. Only the derived numerology number (e.g. "35/8") is sent to our servers. The raw SSN and phone digits are cleared from memory immediately after calculation and are never transmitted over the network or stored in our database. The only SSN-related data stored is the last four digits as a display hint (e.g. "***-**-1234") so you can identify which reading belongs to which input.
Data we do NOT collect: We do not collect full credit card numbers, CVV codes, or bank account details. All payment processing is handled securely by Stripe. We do not collect biometric data, raw government-issued identification numbers, or precise geolocation data.
3. How We Use Your Data
- Provide and maintain the Service, including generating numerology blueprints and AI-powered insights
- Process payments and manage your subscription tier
- Personalize your experience (daily energy calculations, pattern tracking, AI chat context)
- Send important service communications (account changes, security alerts)
- Detect, prevent, and address security issues and fraud
- Analyze usage patterns to improve the Service (via privacy-respecting analytics)
- Comply with legal obligations and enforce our Terms of Service
- Generate aggregated, anonymized statistics about platform usage
4. Legal Basis for Processing
We process your personal data under the following legal bases as defined by the General Data Protection Regulation (GDPR) and similar privacy laws:
| Legal Basis | Applies To |
|---|---|
| Contract Performance | Account creation, blueprint generation, payment processing, service delivery |
| Legitimate Interest | Service improvement, security monitoring, fraud prevention, analytics |
| Consent | Cookie tracking (non-essential), marketing communications, optional data sharing |
| Legal Obligation | Tax records, fraud prevention, responding to lawful data requests |
5. Data Sharing & Third Parties
We do not sell your personal data. We share data only with the following categories of service providers, each bound by contractual data protection obligations:
| Service Provider | Purpose | Data Shared |
|---|---|---|
| Manus Platform | Authentication (OAuth), hosting, AI processing (LLM) | Account info, content generation requests |
| Stripe | Payment processing | Email, name, payment details (handled by Stripe directly) |
| Umami Analytics | Privacy-respecting usage analytics | Anonymized page views, events (no personal identifiers) |
| Google Fonts | Typography rendering | IP address (standard web request) |
| TiDB / MySQL | Database hosting | All stored application data (encrypted at rest) |
| Amazon S3 | File storage (PDF exports, uploaded assets) | Generated files, user-uploaded content |
We may also disclose your information if required by law, court order, or governmental regulation, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
7. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required by law.
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| Account data | Until account deletion | Cascade deletion of all associated records |
| Blueprints & generated content | Until account deletion | Deleted with account |
| Chat messages & ask responses | Until account deletion | Deleted with account |
| Pattern check-in data & energy goals | Until account deletion | Deleted with account; exportable as CSV |
| Payment records | 7 years (tax/legal requirement) | Anonymized after retention period |
| Security audit logs | 2 years | Automatically purged |
| Analytics data | 26 months | Automatically aggregated and anonymized |
| Session cookies | 30 days | Automatically expired |
You may request deletion of your account and all associated data at any time through the Account settings page. Account deletion is permanent and cannot be undone.
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Right of Access — Request a copy of the personal data we hold about you
- Right to Rectification — Request correction of inaccurate or incomplete data
- Right to Erasure — Request deletion of your personal data ("right to be forgotten")
- Right to Restrict Processing — Request that we limit how we use your data
- Right to Data Portability — Receive your data in a structured, machine-readable format
- Right to Object — Object to processing based on legitimate interests or direct marketing
- Right to Withdraw Consent — Withdraw consent at any time where processing is consent-based
- Right to Non-Discrimination — Exercise your rights without receiving discriminatory treatment
To exercise any of these rights, please contact us at the address provided below. We will respond to your request within 30 days (or as required by applicable law). You may also delete your account directly from the Account settings page, which removes all associated personal data.
California residents: Under the CCPA/CPRA, you have additional rights including the right to know what personal information is collected, the right to delete, and the right to opt out of the sale of personal information. We do not sell personal information.
9. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- HTTPS/TLS encryption for all data in transit
- Database encryption at rest
- Content Security Policy (CSP) headers to prevent XSS attacks
- HttpOnly, Secure, SameSite cookies to prevent session hijacking
- Rate limiting on all API endpoints
- Multi-Factor Authentication (MFA) support for account security
- Regular security scanning and dependency auditing
- Admin audit logging for all privileged operations
- Input validation and sanitization on all user inputs
While we strive to protect your personal data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to maintaining industry-standard protections.
10. Children's Privacy
The Service is not directed to children under the age of 13 (or 16 in the European Economic Area). We do not knowingly collect personal information from children. Family Blueprint data may include information about minors provided by their parent or legal guardian — this data is collected and processed with the consent of the parent/guardian who creates the blueprint.
If you believe we have inadvertently collected personal information from a child without proper consent, please contact us immediately and we will take steps to delete such information.
11. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that differ from the laws of your jurisdiction. When we transfer data internationally, we ensure appropriate safeguards are in place, including standard contractual clauses approved by relevant data protection authorities.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date. For significant changes, we may also provide additional notice through the Service (such as a banner or email notification).
Your continued use of the Service after any changes to this Privacy Policy constitutes your acceptance of the updated policy.
13. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: [email protected]
- Through the Account settings page on the platform
- By using the contact form on our website
For data protection inquiries within the European Economic Area, you also have the right to lodge a complaint with your local data protection supervisory authority.