Draft for review. This policy is a good-faith starting point and should be reviewed by privacy counsel before launch, especially the sub-processor, cross-border-transfer, and retention sections.
Who we are
DMT Hypnosis (“we”, “us”) provides hypnosis sessions, courses, and guided audio. We are based in Canada and are committed to handling your personal information in line with PIPEDA and applicable provincial privacy laws (and, where they apply, laws of the regions we serve).
What we collect
- Account & contact: name, email, and authentication details (via Clerk).
- Booking & payment: the sessions/packages you buy; payments are processed by Stripe (we don't store card numbers).
- Sessions (sensitive): if you consent, we may record your video session and create a transcript, an AI summary, and detected keywords. These are highly sensitive and are only created with your express, in-session consent.
- Learning: course progress, XP, and activity in the academy.
Why we use it
To deliver and schedule your sessions, process payments, run the academy and marketplace, send service messages and reminders, and improve and secure the service. We do not sell your personal information, and we do not use session recordings or transcripts to train AI models or for advertising.
Consent — especially for recordings
A session can take place without recording. Recording, transcription, and AI analysis only happen with your express, granular consent, captured in the session with a timestamp and the policy version. You can decline, and you can ask us to stop and delete a recording at any time.
Service providers & cross-border transfers
We rely on trusted providers to run the service, some of which process data outside Canada (including the United States): Clerk (auth), Stripe (payments), Neon (database), Vercel (hosting), LiveKit (video), AWS S3 (recording storage), Deepgram (transcription), Anthropic (AI summaries), and UploadThing (uploads). We remain accountable for your information when it is processed on our behalf.
How long we keep it
We keep personal information only as long as needed. Session recordings, transcripts, and AI summaries are retained for a limited period and then deleted.You can request earlier deletion at any time (see “Your rights”).
How we protect it
Data is encrypted in transit (TLS) and recordings are stored in access-controlled storage. Access is limited to your practitioner and you. We maintain safeguards appropriate to the sensitivity of the information.
Your rights — access & deletion
You can ask to
access, correct, or
delete your personal information — including your session recordings and transcripts. Email
lucas@pluginwork.ai and we will respond within the timelines required by law.
Age
The service is intended for adults 18 and older. We do not knowingly collect personal information from minors.
If something goes wrong
If a privacy breach occurs that poses a real risk of significant harm, we will notify affected individuals and the appropriate authorities as required by law.