Privacy Policy

Last updated: May 1, 2026 · Effective date: May 1, 2026

1. Who We Are

Oils Companion ("we", "us", "our") operates the website https://www.oilscompanion.com and the My Oils Home Companion web application (collectively, the "Service"). We are the data controller for personal data processed through the Service.

For any privacy-related questions, you can reach us at hello@oilscompanion.com.

2. Information We Collect

2.1 Information you provide directly

• Account data: name, email address, and password (stored hashed with bcrypt).
• Profile data: wellness goals, focus areas, routine preferences, experience level, household context — all optional and provided during onboarding.
• Oil inventory: the essential oils you add, quantities, notes, usage history.
• User-generated content: routines you create, recipes you save, reminders you set, journal notes.
• Communications: when you email us, we store the message and your email address.
• Cashback submissions: if you participate in the doTERRA cashback program, you provide order number, order amount, and payout details (PayPal email).

2.2 Information collected automatically

• Log data: IP address, browser type and version, operating system, referring URL, timestamps of requests.
• Usage data: pages viewed, features used, actions taken within the Service.
• Device data: screen size, language preference, time zone.
• Session cookies: a single first-party session cookie to keep you logged in (see Cookie Policy).

2.3 Information from third parties

• Stripe: if you subscribe or make a purchase, Stripe processes your payment and shares a limited transaction confirmation with us (customer ID, subscription status, last 4 digits of card). We never see or store full card numbers.

3. How We Use Information

We use collected information to:

• Provide, operate, and maintain the Service;
• Generate personalized AI-powered routines, recipes, and daily inspiration;
• Send transactional emails (account confirmation, password reset, receipts);
• Send daily inspiration emails if you opt in;
• Process payments and manage subscriptions;
• Respond to your support requests;
• Detect, prevent, and address fraud, abuse, and security issues;
• Comply with legal obligations;
• Improve the Service through aggregate, de-identified analysis.

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), UK, or Switzerland, we process personal data under the following legal bases:

• Contractual necessity: to deliver the Service you signed up for.
• Consent: for optional communications like daily inspiration emails (withdrawable anytime).
• Legitimate interests: for security, fraud prevention, and service improvement, balanced against your rights.
• Legal obligation: to comply with tax, accounting, and consumer-protection laws.

5. How We Share Information

We never sell your personal data. We share it only with the following categories of recipients, strictly as needed:

• Service providers (processors):
  • Railway — hosting infrastructure.
  • Stripe — payment processing (privacy policy).
  • Anthropic — AI-powered content generation via Claude API (privacy policy). We send only the minimum context required (e.g. list of oil names) — never your email, password, or identifiable data.
  • Resend — transactional email delivery (privacy policy).
• Legal compliance: if required by law, court order, or to protect our legal rights.
• Business transfers: in the event of a merger, acquisition, or sale of assets, your data may be transferred — you'll be notified in advance.
• With your consent: for any other purpose you explicitly authorize.

6. Cookies & Tracking Technologies

We use a single first-party session cookie (connect.sid) to maintain your login session. This cookie is essential for the Service to function and does not track you across other websites.

We do not use:

• Third-party advertising cookies;
• Cross-site tracking pixels;
• Facebook Pixel, TikTok Pixel, or similar;
• Third-party analytics that profile individual users.

For full details, see our Cookie Policy.

7. Advertising & Analytics

We may display Google Ads on certain blog pages to support our free content. When we do:

• Google and its partners may use cookies to serve ads based on prior visits to our site or other sites;
• You can opt out of personalized advertising by visiting Google Ads Settings;
• Google's use of advertising cookies is governed by Google's Advertising Policies.

We may also use privacy-respecting analytics (such as Plausible or Google Analytics 4 with IP anonymization) to understand aggregate traffic patterns. We never use analytics to identify individual users.

8. Data Retention

• Account data: kept while your account is active and for up to 30 days after account deletion, then permanently erased (except where retention is required by law).
• Server logs: retained for 30 days for security and debugging purposes.
• Payment records: retained for 7 years to comply with US tax and accounting laws.
• Support correspondence: retained for 2 years.

9. Data Security

We implement industry-standard security measures including:

• HTTPS/TLS encryption for all data in transit;
• Passwords hashed with bcrypt (we never store plaintext passwords);
• Regular security updates of our infrastructure;
• Principle of least privilege for staff access;
• Secure session management with HTTP-only, SameSite cookies.

No system is 100% secure. In the unlikely event of a breach affecting your data, we will notify you and relevant authorities within 72 hours as required by applicable law.

10. International Data Transfers

Our servers are located in the United States. If you access the Service from outside the US, your data will be transferred to, stored, and processed in the US. Where we transfer personal data out of the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses approved by the European Commission or equivalent safeguards.

11. Your Privacy Rights

Regardless of where you live, you have the following rights:

• Access: request a copy of personal data we hold about you.
• Rectification: correct inaccurate or incomplete data.
• Erasure ("right to be forgotten"): request deletion of your account and associated data.
• Portability: receive your data in a structured, machine-readable format.
• Object: object to processing based on legitimate interests.
• Restrict processing: request that we temporarily halt processing.
• Withdraw consent: at any time for processing based on consent.
• Lodge a complaint: with your local data protection authority.

To exercise any right, email hello@oilscompanion.com with the subject line "Privacy Request". We will respond within 30 days.

12. Children's Privacy (COPPA)

The Service is not directed at children under 13 years of age. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal information, please contact us at hello@oilscompanion.com and we will promptly delete it.

13. California Residents (CCPA/CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to know what personal information we collect, use, disclose, and sell;
• Right to delete personal information we collected from you;
• Right to correct inaccurate personal information;
• Right to opt-out of the sale or sharing of personal information — we do not sell or share personal information, so no opt-out is needed;
• Right to limit use of sensitive personal information — we do not use sensitive PI for any purpose requiring this opt-out;
• Right to non-discrimination for exercising your privacy rights.

To submit a verifiable consumer request, email hello@oilscompanion.com. We may ask you to verify your identity.

14. Do Not Track Signals

Our Service honors the Global Privacy Control (GPC) signal where applicable. We do not track users across third-party websites, so "Do Not Track" has no material effect on our processing.

15. Changes to This Policy

We may update this Privacy Policy to reflect changes in law or our practices. The "Last updated" date at the top indicates when changes were made. For material changes, we will notify registered users via email at least 30 days before the change takes effect.

16. Contact Us

For questions, concerns, or to exercise your privacy rights, contact:

Oils Companion
Email: hello@oilscompanion.com
Website: https://www.oilscompanion.com