Legal information

Privacy Policy

Last updated: 7 June 2026

This Privacy Policy explains how Luis Miguel Gallardo collects, uses and protects your personal data when you visit lmgallardo.org or interact with any of the services offered through it. It is written to comply with the EU General Data Protection Regulation (GDPR, Regulation 2016/679) and Spain's LSSI-CE (Law 34/2002 on Information Society Services and E-Commerce).

1. Data controller

The data controller responsible for your personal data is Luis Miguel Gallardo (EIN 47-5591893), with postal address at 7203 SW 128 St, Pinecrest, FL 33156, USA.

Contact for any privacy-related matter: lgallardo@worldhappiness.foundation.

2. Data we collect

Newsletter: when you subscribe, we collect your email address, your chosen language, the source of the signup, and the date and IP address of the request.

Contact form: name, email address, organisation (optional), the message you send us and the topic you select.

Member portal: account email, authentication metadata, the answers you give to assessments (FP20, ROUSER), your journal entries, Peace Letters and the practice plans the system generates for you.

Bookings & payments: name, email, billing details and payment confirmations processed by our payment provider; we do not store your card number on our servers.

Analytics & technical data: IP address, browser and device information, pages visited, and cookies described in Section 8 below.

3. Purposes and legal basis

Sending the newsletter and confirming your subscription — legal basis: your consent (Art. 6.1.a GDPR).

Responding to your contact-form messages and pre-contractual requests — legal basis: steps taken at your request prior to entering a contract (Art. 6.1.b GDPR).

Delivering the services you book (sessions, assessments, member portal, Peace Letters) — legal basis: performance of a contract (Art. 6.1.b GDPR).

Maintaining accounting and tax records — legal basis: legal obligation (Art. 6.1.c GDPR).

Improving the site, preventing fraud and abuse — legal basis: our legitimate interest (Art. 6.1.f GDPR).

Analytics and behavioural measurement — legal basis: your consent given through the cookie banner (Art. 6.1.a GDPR).

4. Retention

Newsletter subscribers: until you unsubscribe, plus a short technical period to honour the unsubscribe request.

Contact-form messages: up to 24 months after the last interaction, unless a contract is signed.

Member portal data and assessment history: while your account is active. You can request deletion at any time.

Invoices and accounting records: kept for the period required by Spanish tax law (currently 6 years).

Analytics data: kept by Google Analytics for the period defined in its own retention policy (typically 14–26 months).

5. Third-party processors

We share data only with providers that act as processors under written agreements compliant with Art. 28 GDPR:

Hosting & application platform: Lovable — application hosting and edge delivery.

Database, authentication and storage: Lovable Cloud (powered by Supabase) — stores your account, assessments, journal, Peace Letters and uploads.

Email delivery: Google Workspace (Gmail) — sends transactional emails (confirmations, newsletter, Peace Letters).

Payments: Stripe, Inc. — processes card payments and stores billing data on our behalf.

AI providers: Google (Gemini), OpenAI and ElevenLabs — used only for opt-in AI features such as Felicia chat, journal reflections, the FP20 mirror, the SGE transformer and the daily Pulse audio.

Analytics: Google Analytics — measures site usage in aggregate; only loaded if you accept analytics cookies.

Some of these providers may transfer data outside the European Economic Area. When they do, transfers rely on the European Commission's Standard Contractual Clauses or an applicable adequacy decision.

6. Your rights

Under GDPR you have the right to access, rectify, erase, restrict or object to the processing of your personal data, the right to data portability and the right to withdraw any consent you have given at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, write to lgallardo@worldhappiness.foundation from the email address linked to your data and tell us which right you wish to exercise. We will respond within one month.

If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos — www.aepd.es).

7. Security

We apply technical and organisational measures appropriate to the risk, including encryption in transit (HTTPS), encryption at rest for our database, role-based access control, Row-Level Security policies, and regular backups handled by our infrastructure provider.

8. Cookies

We use a small number of cookies and similar technologies. They are grouped as follows:

Essential cookies — required for the site to function (session, authentication, cookie-consent state). These do not require your consent.

Analytics cookies — Google Analytics cookies that help us understand which pages are useful. Loaded only after you accept analytics in the banner.

You can change your choice at any time by clicking the “Manage cookies” link in the footer, or by clearing this site's cookies in your browser.

9. Changes to this policy

We may update this policy from time to time. Material changes will be announced on this page; the “Last updated” date at the top always reflects the current version.