Privacy policy

Quick Summary — What This Policy Covers


We collect name and email when you register for webinars or programs.

Payment information is processed by Stripe — we do not store your card details.

Health-related information is only collected inside the secured membership area, with your consent.

We use Mailchimp for email marketing. You can unsubscribe at any time.

We do not sell your personal data to any third party.

EU/EEA visitors have additional rights under GDPR — see Section 9.


1. Who We Are

This Privacy Policy applies to the educational services, website, and online platforms operated by:

  • Nutritional Pathology Institute ("NPI")

  • Dr. Brandon Lundell, D.C.

  • Harmony Healing Center


Collectively referred to in this policy as "NPI," "we," "us," or "our." NPI is based in Colorado, United States.

Questions about this policy? Contact us at: hhc@drbrandonlundell.com

2. Who This Policy Applies To

This Privacy Policy applies to all visitors of our website and all individuals who register for, enroll in, or purchase any NPI program, including webinars, online courses, the Practice Accelerator seminar, mentorship programs, and certification courses.

Our services are designed for licensed healthcare professionals. If you are accessing our public website as a general consumer seeking personal health guidance, please note that our educational content is not directed at you, and we encourage you to consult a licensed healthcare provider for personal health matters.

3. What Personal Information We Collect

3.1 Registration and Account Information

When you register for a webinar, create an account, or enroll in a program, we collect:

  • Full name

  • Email address

  • Professional credentials or license type (where requested)

  • Username and password for your NPI membership account

  • Course enrollment and progress data


3.2 Payment Information

Payment processing is handled by Stripe, Inc. When you purchase an NPI program, Stripe collects and processes your payment card details directly. NPI does not receive, store, or have access to your full payment card number, CVV, or billing details beyond what is necessary to confirm a completed transaction (e.g., last four digits, transaction ID).

Stripe's privacy practices are governed by Stripe's own Privacy Policy, available at stripe.com/privacy.

3.3 Health Information (Membership Area Only)

Health-related information — such as clinical case details, health questionnaires, or intake forms — is collected exclusively within the secured, authenticated membership area of our platform. This information is never collected on public-facing pages of our website.

Before submitting any health-related information within the membership area, you will be presented with a clear consent request explaining the purpose of the collection and how the information will be used. You may decline to provide this information without affecting your access to course content.

Health information collected within the membership area is treated as sensitive personal data and is subject to heightened protections, including restricted access and enhanced security measures.

3.4 Communications

When you contact us by email or through a contact form, we collect the information you choose to share, including your name, email address, and the content of your message.

3.5 Automatically Collected Information

Like most websites, our platform automatically collects certain technical information when you visit, including:

  • IP address and approximate location (country/region)

  • Browser type and operating system

  • Pages visited and time spent on the site

  • Referring website or link


This information is used to maintain platform security, diagnose technical issues, and understand general patterns of site usage. It is not used to build individual profiles for advertising purposes.

3.6 Analytics (Future Use)

We may introduce analytics tools such as Google Analytics in the future to better understand how our site is used. If we do so, we will update this Privacy Policy, update our Cookie Policy, and implement appropriate consent mechanisms for visitors from jurisdictions that require opt-in consent before analytics tracking begins.

4. How We Use Your Information

We use the personal information we collect for the following purposes:

  • Program delivery: To process enrollment, provide access to courses, deliver webinar access links, and track course completion.

  • Account management: To maintain your membership account, authenticate login, and provide customer support.

  • Payment processing: To facilitate transactions through Stripe and maintain records of purchases.

  • Email communications: To send program updates, educational content, promotional information about NPI offerings, and transactional messages related to your account. You may opt out of marketing emails at any time.

  • Continuing education records: To issue CE certificates and maintain records of program completion where applicable.

  • Legal and compliance: To comply with applicable law, respond to legal process, and enforce our Terms and Conditions.

  • Platform improvement: To understand how our programs are used and improve future educational content.

5. Legal Basis for Processing (GDPR — EU/EEA Visitors)

If you are located in the European Union or European Economic Area, we process your personal data on the following legal bases:

  • Contract performance: Processing necessary to deliver the educational program you enrolled in.

  • Legitimate interests: Processing for security, fraud prevention, platform maintenance, and improving our educational offerings.

  • Consent: Marketing emails and the collection of health-related information within the membership area. You may withdraw consent at any time.

  • Legal obligation: Where we are required to process data to comply with applicable law.

6. How We Share Your Information

NPI does not sell, rent, or trade your personal information to any third party for commercial purposes. We share your information only as described below.

6.1 Service Providers

We share data with trusted third-party vendors who process data on our behalf, under contractual obligations that restrict their use of your data:

  • LearnWorlds: Our learning management system and website platform. LearnWorlds stores your account information, course progress, and login credentials. LearnWorlds is registered in Cyprus and participates in applicable data transfer frameworks for EU data.

  • Stripe, Inc.: Payment processing. Stripe processes payment transactions and may use transaction data as described in their own privacy policy.

  • Mailchimp (Intuit Inc.): Email marketing. Your name and email address are stored in Mailchimp to facilitate program communications and marketing emails.

  • Zoom Video Communications: Live webinars and seminars. When you register for a live event, your registration information is shared with Zoom to generate your access link.

6.2 Legal Disclosures

We may disclose your personal information if required to do so by law, court order, or government authority, or where we believe in good faith that such disclosure is necessary to protect the rights, property, or safety of NPI, our users, or the public.

6.3 Business Transfers

If NPI undergoes a merger, acquisition, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you of any such change and the resulting changes to this Privacy Policy.

7. Data Retention

We retain your personal information for as long as necessary to provide our services and comply with our legal obligations:

  • Account and enrollment records: Retained for the duration of your active account, plus 3 years after account closure or last activity.

  • Payment transaction records: Retained for 7 years to comply with financial record-keeping requirements.

  • Health information collected in the membership area: Retained only for the duration of your active membership, unless you request earlier deletion.

  • Email marketing records: Retained until you unsubscribe or request deletion.


You may request deletion of your personal data at any time (see Section 8). Where we are required by law to retain certain records, we will retain only what is legally required.

8. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you.

  • Correction: Request correction of inaccurate or incomplete information.

  • Deletion: Request deletion of your personal information, subject to our legal retention obligations.

  • Opt-out of marketing: Unsubscribe from marketing emails at any time using the unsubscribe link in any NPI email, or by contacting us directly.

  • Data portability: Request a copy of your data in a portable format (EU/EEA users).

  • Object to processing: Object to processing based on legitimate interests (EU/EEA users).


To exercise any of these rights, contact us at hhc@drbrandonlundell.com. We will respond to verifiable requests within 30 days (45 days if additional time is needed, with notice).

9. International Visitors and GDPR

NPI is based in the United States. If you are accessing our services from outside the United States, including from the European Union or European Economic Area, please be aware that your information will be transferred to and processed in the United States, where data protection laws may differ from those in your country.

For EU/EEA users, we rely on Standard Contractual Clauses (SCCs) and our service providers' participation in applicable data transfer frameworks to ensure your data is protected in accordance with GDPR requirements.

EU/EEA users have the right to lodge a complaint with their local data protection authority if they believe their data has been processed in violation of applicable law. You also have the right to withdraw consent at any time for processing activities based on consent, without affecting the lawfulness of prior processing.

10. Colorado Privacy Act (CPA)

The Colorado Privacy Act (C.R.S. § 6-1-1301 et seq.) applies to businesses that process the personal data of 100,000 or more Colorado consumers per year, or 25,000 or more consumers where data is sold. NPI's current operations may fall below these thresholds.

Regardless of threshold applicability, NPI is committed to the privacy principles underlying the CPA, including data minimization, purpose limitation, and transparency. Colorado residents who believe they have rights under the CPA may contact us to submit a request. We will respond within 45 days and will provide an appeal process if a request is denied.

Colorado's data breach notification law applies to all businesses regardless of size. In the event of a data breach affecting Colorado residents, NPI will provide notification within 30 days of discovery, and will notify the Colorado Attorney General if the breach affects 500 or more residents.

11. Cookies

Our website and learning platform use cookies. For full details about the cookies we use and your choices, please review our separate Cookie Policy.

In summary: we currently use only essential cookies necessary for platform functionality and secure payment processing. We do not currently use advertising or tracking cookies. If we add analytics cookies in the future, we will update our Cookie Policy and obtain appropriate consent.

12. Children's Privacy

NPI's services are directed exclusively at licensed healthcare professionals and are not intended for individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that a minor has submitted personal information, we will delete it promptly.

13. Data Security

NPI implements reasonable technical and organizational measures to protect your personal information against unauthorized access, disclosure, alteration, or destruction. These include:

  • Encrypted data transmission (HTTPS/TLS) across all platform pages

  • Authentication controls for membership account access

  • Restricted staff access to personal data on a need-to-know basis

  • Payment data handled exclusively by PCI-DSS compliant Stripe infrastructure


No method of electronic transmission or storage is completely secure. While we work to protect your information, we cannot guarantee absolute security. In the event of a breach affecting your personal data, we will notify you as required by applicable law.

14. Email Marketing and CAN-SPAM Compliance

NPI sends marketing and educational emails through Mailchimp. In compliance with the CAN-SPAM Act:

  • Every marketing email includes a clear and conspicuous unsubscribe link

  • We honor all opt-out requests within 10 business days

  • We do not use deceptive subject lines or sender information

  • Our physical mailing address is included in all marketing emails


Transactional emails related to your account (enrollment confirmations, access credentials, CE certificates) will be sent regardless of your marketing preferences, as they are necessary for service delivery.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or applicable law. When we make material changes, we will update the "Last updated" date at the top of this policy and, where appropriate, notify you by email or through a notice on our platform. Your continued use of NPI services after any update constitutes acceptance of the revised policy.




This Privacy Policy does not constitute legal advice. NPI recommends consulting with qualified legal counsel regarding your own compliance obligations.


Contact:

hhc@drbrandonlundell.com

Harmony Healing Center, PC

714 Kimbark Street

Longmont, Colorado 80501


Nutritional Pathology Institute | Harmony Healing Center | Colorado, United States

