Privacy Policy

Modern HSV Playbook

Last Updated: 26 January 2026

1. Introduction

1.1 About This Policy

This Privacy Policy explains how Modern HSV Playbook (“we,” “us,” or “our”) collects, uses, discloses, and safeguards your personal information when you visit our website at https://modernhsvplaybook.com/ (the “Website”) or purchase our digital educational resources.

We are committed to protecting your privacy and handling your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.

Please read this Privacy Policy carefully. By using our Website, you acknowledge that you have read and understood this Policy and agree to be bound by its terms.

1.2 Who We Are

Website: https://modernhsvplaybook.com/

Contact Email: hello@modernhsvplaybook.com

For questions about this Privacy Policy or to exercise your data protection rights, please contact us using the details above.

1.3 Age Restrictions

Our Website and educational materials are intended exclusively for adults aged 18 years and older. We do not knowingly collect personal information from individuals under the age of 18. If you are under 18, please do not use our Website or provide any personal information to us. If we become aware that we have collected personal information from someone under 18, we will take prompt steps to delete that information.

1.4 Scope of This Policy

This Privacy Policy applies to personal information collected through our Website, when you purchase our ebooks or subscribe to our email newsletter, and through cookies and tracking technologies.

2. Data We Collect

2.1 Categories of Personal Information

Contact Information: Full name, email address, country/region

Technical Information: IP address, browser type, device information, pages visited, time spent on site

Transaction Information: Products purchased, purchase date, transaction amount, payment method type (not full card details)

Communication Information: Emails you send us, form submissions, newsletter preferences

Usage Information: Website navigation patterns, download history, email engagement metrics (with consent)

2.2 Health-Related Information

Important Notice About Special Category Data

The subject matter of our educational materials relates to herpes simplex virus (HSV), which is health information. Under GDPR Article 9, this is classified as “special category data” requiring enhanced protection.

What We Do NOT Collect: Medical records, test results, detailed health history, insurance information, specific HSV diagnoses

What We Recognise: Your interest in our materials may indicate interest in HSV-related health information.

Legal Basis: We process this information based on your explicit consent during purchase or newsletter subscription, for educational purposes.

2.3 Information Collection Methods

Direct Collection: Account registration, purchase checkout, newsletter forms, contact forms, customer support emails

Automated Collection: Cookies, analytics tools, email tracking pixels (with consent), server logs

Third-Party Sources: Payment processors, email service providers

2.4 Payment Information

We do NOT store or collect your complete payment card details. Your payment information goes directly to our payment processor (Stripe). We only receive confirmation of successful payment, transaction reference numbers, and transaction amounts.

2.5 Optional Information

Marketing email subscription, surveys, testimonials, and community participation are optional. Declining optional information will not prevent you from purchasing products.

3. How We Use Your Information

Order Fulfilment: Processing purchases, delivering ebooks, sending confirmations and receipts

Customer Service: Responding to enquiries, troubleshooting issues, resolving complaints

Marketing Communications (With Consent): Sending educational content, notifying about new products, providing discounts, delivering newsletters

Website Improvement: Understanding visitor behaviour, identifying technical issues, testing features, conducting analytics

Legal Compliance: Complying with legal obligations, preventing fraud, protecting against threats, enforcing terms of service

Personalisation (With Consent): Recommending relevant products, customising your experience, tailoring marketing messages

3.2 Automated Decision-Making

We do NOT use automated decision-making or profiling that produces legal effects or significantly affects you. We may use automated systems for basic fraud detection, email segmentation, and analytics, but these do not make decisions that affect your rights.

3.3 Artificial Intelligence (AI)

We do NOT currently use AI systems for processing your data. If we introduce AI in the future, we will update this Policy and obtain your explicit consent where required.

4. Cookies and Tracking Technologies

4.1 What Are Cookies?

Cookies are small text files placed on your device to remember preferences, understand site usage, and improve your experience.

4.2 Types of Cookies We Use

Essential Cookies (Always Active): Required for checkout, shopping basket, transactions, fraud prevention, security. Legal Basis: Legitimate interests.

Preference Cookies (Require Consent): Remember language, settings, preferences. Duration: Up to 12 months.

Analytics Cookies (Require Consent): Track page views, navigation, content popularity, performance. Provider: Google Analytics. Duration: Up to 24 months. Opt-out: Google Analytics Opt-out Add-on

Marketing Cookies (Require Consent): Show relevant ads, measure campaign effectiveness, limit ad frequency. Duration: Up to 12 months.

4.3 Email Tracking Pixels

Two-Consent Framework:

  • Consent 1: Permission to receive marketing emails

  • Consent 2: Separate consent for email tracking pixels (measuring opens, clicks, engagement)

You can provide or withdraw consent for each independently. Declining email tracking will not prevent you from receiving marketing emails if you’ve consented to them.

5. How We Share Your Information

5.1 Third-Party Service Providers

We share data with vetted service providers who must use your data only as authorised, implement appropriate security, comply with data protection laws, and delete data when no longer needed.

Payment Processing

  • Provider: Stripe, Inc.

  • Data Shared: Name, email, payment card information, billing address, transaction amount

  • Privacy Policy: https://stripe.com/gb/privacy

  • Location: United States (EU-US Data Privacy Framework participant)

  • Security: PCI-DSS Level 1

Analytics

  • Provider: Google LLC (Google Analytics)

  • Data Shared: Anonymised IP address, browser info, pages visited (with consent)

  • Privacy Policy: https://policies.google.com/privacy

  • Location: United States (EU-US Data Privacy Framework participant)

5.2 Legal Requirements

We may disclose information when required by law, court orders, or to protect rights, detect fraud, prevent harm, or respond to legal claims.

5.3 Business Transfers

If we merge, are acquired, reorganise, or sell assets, your data may be transferred. We will notify you at least 30 days in advance and ensure the acquiring entity protects your data at least as well as this Policy.

5.4 With Your Consent


5.5 What We Do NOT Do

We do NOT sell your data, share with data brokers, use data for incompatible purposes, share health information with insurers/employers/healthcare providers, or provide information to marketing platforms without explicit consent.

6. International Data Transfers

6.1 Transfers Outside the UK and EEA

Some service providers are located outside the UK and EEA, particularly in the United States. We implement appropriate safeguards for international transfers.

6.2 Safeguards

EU-US Data Privacy Framework: Our US service providers (Stripe, ConvertKit, Google, AWS) participate in this Framework, which the European Commission recognises as providing adequate protection. Verify at: https://www.dataprivacyframework.gov/list

Standard Contractual Clauses (SCCs): For providers not covered by an adequacy decision, we use SCCs approved by the European Commission and UK ICO, which require our service providers to provide GDPR-level protection.

Transfer Risk Assessments: We have conducted assessments for each third-country transfer to ensure protection is not materially lower than under UK/EU law.

6.3 Your Rights

You have the right to obtain information about safeguards, request copies of SCCs, object to transfers if adequate safeguards are lacking, or lodge complaints with data protection authorities.

7. Data Security

7.1 Technical Measures

  • Encryption in Transit: TLS 1.2 or higher between your browser and our servers

  • Encryption at Rest: Industry-standard encryption for sensitive data

  • Secure Authentication: Password protection and optional two-factor authentication

  • Access Controls: Role-based restrictions for employees and contractors

  • Regular Updates: Timely security patches

  • Firewalls: Network firewalls and intrusion detection systems

  • Backups: Encrypted backups in geographically separate locations

7.2 Organisational Measures

  • Staff Training: Regular data protection and security awareness training

  • Confidentiality Agreements: All personnel sign confidentiality agreements

  • Data Protection Policies: Comprehensive internal policies

  • Vendor Due Diligence: Rigorous vetting of third-party providers

  • Incident Response: Documented procedures for detecting and responding to incidents

  • Regular Audits: Periodic security audits and vulnerability assessments

7.3 Your Responsibilities

Create strong passwords, don’t share credentials, log out after using shared computers, keep your email secure, report suspicious activity, and ensure your devices have current security software.

7.4 Data Breach Notification

If a breach occurs that poses a high risk to your rights, we will notify you and relevant authorities within 72 hours, describe the breach, explain consequences, detail remediation measures, and provide contact information for enquiries.

8. Your Data Protection Rights

8.1 Rights Under UK GDPR and EU GDPR

Right of Access: Obtain confirmation of whether we process your data and receive a copy in common electronic format. Email hello@modernhsvplaybook.com with “Data Access Request” in subject line.

Right to Rectification: Correct inaccurate or incomplete data. Email hello@modernhsvplaybook.com with “Data Correction Request”.

Right to Erasure (“Right to be Forgotten”): Request deletion when data is no longer necessary, you withdraw consent, you object to processing, processing is unlawful, or deletion is required by law. Email hello@modernhsvplaybook.com with “Data Deletion Request”. Limitations apply if we need data for legal obligations, legal claims, or contract fulfilment.

Right to Restriction: Request restriction of processing when you contest accuracy, processing is unlawful but you oppose erasure, we no longer need data but you require it for legal claims, or you’ve objected to processing. Email hello@modernhsvplaybook.com with “Processing Restriction Request”.

Right to Data Portability: Receive your data in structured, common, machine-readable format (CSV, JSON) and transmit to another controller. Applies only to data you provided based on consent or contract, processed by automated means. Email hello@modernhsvplaybook.com with “Data Portability Request”.

Right to Object: Object to processing based on legitimate interests or direct marketing. For marketing, click “Unsubscribe” in any email. For other processing, email hello@modernhsvplaybook.com with “Processing Objection”.

Right to Withdraw Consent: Withdraw consent anytime for processing based on consent. Withdrawal doesn’t affect lawfulness of past processing but may affect our ability to provide services. For marketing: click “Unsubscribe”. For email tracking: access Cookie Preferences Centre. For cookies: access Cookie Preferences Centre or adjust browser settings. For other consent: email hello@modernhsvplaybook.com.

8.2 Rights Under CCPA/CPRA (California Residents)

Right to Know: Request disclosure of categories of personal information collected, specific pieces collected, sources, purposes, and categories of third parties.

Right to Delete: Request deletion of collected personal information (subject to exceptions).

Right to Opt-Out: We do NOT sell or share your information as defined by CCPA/CPRA.

Right to Correction: Request correction of inaccurate information.

Right to Limit Sensitive Information: Limit use of sensitive personal information (including health data) to purposes necessary to provide requested services.

Right to Non-Discrimination: No discrimination for exercising CCPA/CPRA rights.

How to Exercise: Submit online form [insert link], email privacy@modernhsvplaybook.com with “CCPA Request”, or mail [Insert Physical Address].

8.3 Request Processing

We verify identity before fulfilling requests. Response timelines: GDPR 30 days (extendable 2 months), CCPA 45 days (extendable 45 days). First request is free; subsequent requests may incur reasonable fees if manifestly unfounded, excessive, or repetitive.

8.4 Right to Lodge Complaint

UK: Information Commissioner’s Office (ICO), https://ico.org.uk/make-a-complaint/, 0303 123 1113

EU: Contact your national Data Protection Authority at https://edpb.europa.eu/about-edpb/board/members_en

California: California Attorney General’s Office, https://oag.ca.gov/privacy

Contact us first so we can address your concerns before approaching a supervisory authority.

9. Third-Party Links and Services

Our Website may contain links to third-party websites not controlled by us. We are not responsible for their privacy practices, content, or security. Read their privacy policies before using them.

Third-party services (payment processing, email delivery) collect information directly from you. Their use of your information is governed by their own privacy policies.

Third-Party Privacy Policies:

10. Children’s Privacy

Our Website is intended exclusively for adults aged 18+. We do not knowingly collect information from anyone under 18. If you are under 18, do not use our Website or provide personal information.

If you are a parent/guardian and believe your child under 18 has provided information, contact hello@modernhsvplaybook.com with “Minor’s Data” in the subject line. We will delete all associated information and block future access.

11. Medical Disclaimer and HIPAA

We are NOT a healthcare provider, medical practice, or HIPAA-covered entity. Our content is for informational and educational purposes only, not medical advice or diagnosis.

Always consult a qualified healthcare provider regarding HSV diagnosis, treatment, symptoms, sexual health decisions, pregnancy, or any medical concerns. In emergencies, contact emergency services immediately.

HSV affects individuals differently. Treatment outcomes vary. Your healthcare provider can offer personalised guidance.

12. Changes to This Privacy Policy

We may update this Policy to reflect changes in our practices, new legal requirements, technology, user feedback, or business changes.

Material Changes: We will email notification at least 30 days before changes take effect, display prominent notice on the Website for 30 days, and may show a pop-up notification on your next visit. For changes requiring new consent under GDPR, we will clearly explain what changed and request explicit consent.

Non-Material Changes: We will update the “Last Updated” date and publish the revised Policy without sending notifications.

We maintain a version history. Contact hello@modernhsvplaybook.com with “Policy Version History” in the subject line to view previous versions.

Continued use of our Website after changes constitutes acceptance of the revised Policy. If you disagree with changes, discontinue use, exercise your right to erasure, or contact us.

We review this Policy at least annually.

14. Definitions

Personal Data: Information relating to an identified or identifiable person (names, emails, IP addresses, online identifiers).

Special Category Data: Data revealing race, ethnicity, political opinions, religion, trade union membership, genetics, biometrics, health, sex life, or sexual orientation. HSV health information falls here.

Processing: Any operation on personal data (collection, recording, storage, use, disclosure, erasure).

Controller: Entity determining purposes and means of processing. Modern HSV Playbook is a controller.

Processor: Entity processing data on behalf of controller. Our service providers (Stripe, ConvertKit, AWS, Google) are processors.

Data Subject: Individual to whom data relates (you).

Consent: Freely given, specific, informed, unambiguous agreement to data processing by clear affirmative action.

Legitimate Interests: Lawful basis for processing necessary for the controller’s or third party’s legitimate interests, unless overridden by data subject’s interests or fundamental rights.

Anonymisation: Process rendering data permanently unable to identify an individual. Anonymised data is no longer personal data.

Pseudonymisation: Replacing identifying information with artificial identifiers. Pseudonymised data remains personal data under GDPR.

Data Breach: Security breach causing accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access to personal data.

Cookies: Small text files storing information about preferences, session, or activity.

TLS: Cryptographic protocol providing secure network communication.

PCI-DSS: Payment Card Industry Data Security Standard for organisations handling credit cards.

HIPAA: US federal law regulating protected health information. We are NOT subject to HIPAA.

15. Legal Compliance

This Privacy Policy complies with:

  • UK GDPR (Data Protection Act 2018)

  • EU GDPR (Regulation (EU) 2016/679)

  • CCPA/CPRA (California Civil Code §1798.100 et seq.)

  • ePrivacy Directive (Directive 2002/58/EC)

  • PECR (Privacy and Electronic Communications Regulations 2003)

We follow guidance from the UK Information Commissioner’s Office (ICO), European Data Protection Board (EDPB), French Data Protection Authority (CNIL), and California Attorney General’s Office.

We align with ISO 27001 (information security), PCI-DSS (payment security), Privacy by Design principles, and data minimisation standards.

We conduct comprehensive privacy compliance reviews annually, assess legal developments quarterly, conduct ad hoc reviews when introducing new processing, and review after security incidents.