Privacy Policy

Last updated: September, 2025

We are Expand Your Mind LLC, operated by Kirra Sherman (“we”, “us”, “our”). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our websites, programs, coaching services, and related offerings (collectively, the “Services”).

Our site is built on Wix Studio, a platform that adheres to major international privacy standards such as GDPR, CCPA, and LGPD and holds certifications including PCI DSS Level 1 and SOC 2 Type 2. The platform provides multi-factor authentication, roles and permissions for account security, incident response processes, and a multi-layered defense framework for resilience. Wix Studio also provides tools that help us maintain compliance with privacy regulations, including cookie banners and features for managing user data rights.

Contents

1. Introduction

2. Contact Information

3. Types of Data We Collect

4. How & Where We Process Data

5. Detailed Processing Activities (by purpose & tool)

6. Legal Bases (GDPR/UK-GDPR)

7. Retention

8. International Transfers

9. Security

10. Your Privacy Rights (GDPR/UK-GDPR)

11. Your Privacy Rights (Brazil — LGPD)

12. Your Privacy Rights (U.S. — CA/VA/CO/CT/UT)

13. Children’s Privacy

14. Additional Information (Testimonials, Social, Do Not Track)

15. Changes to This Policy

16. Definitions & Legal References

1. Introduction

This document explains what we collect, why we collect it, how we use it, and the choices you have. “Personal data” (or “personal information”) means any information that identifies or can reasonably be linked to an individual.

Note: Coaching is not therapy, legal, or medical advice. Privacy practices below apply to our website, booking, payment, email, and coaching delivery tools.

2. Contact Information

Data Controller: Expand Your Mind LLC (operated by Kirra Sherman)

me@kirrasherman.com | www.kirrasherman.com

Mailing address: 576 Colonial Drive, Hilton Head SC 29926

If you are in the EEA/UK and we appoint an EU/UK representative, we will list them here.

3. Types of Data We Collect

Identifiers & contact data: first/last name, email, phone, postal address, account IDs/handles.

Booking & service data: preferred times, time zone, session notes you choose to share, intake form responses, program enrollments, attendance, progress.

Payment data: billing address, transaction information, and the last four digits and expiration date of your card (our payment processors handle full card data; we never receive it).

Communications: emails, messages, form submissions, testimonials, support requests.

Usage data & trackers: IP address, device info, browser, pages viewed, referring URLs, session duration, cookies/pixels/UTMs.

Marketing preferences: opt-in/opt-out status, campaign engagement (opens/clicks).

Data you provide is generally required to receive the Services; usage data is collected automatically. If a field is optional, we will indicate it. You are responsible for any third-party personal data you submit to us.

4. How & Where We Process Data

Methods. We use appropriate technical and organizational measures to protect data. Processing occurs via secure systems and authorized personnel/contractors on a need-to-know basis.

Location. We process data at our offices and with trusted providers that may be located in other countries. See “International Transfers.”

5. Detailed Processing Activities

A) Analytics (Website usage measurement)

Tool: Google Analytics/GA4 (Google LLC)

Data: Usage data; cookies/trackers; IP (truncated), device/browser info.

Purpose: Understand site performance, improve content, detect issues.

Privacy: https://business.safety.google/privacy/

Opt-out: https://tools.google.com/dlpage/gaoptout

Depending on your jurisdiction, certain analytics may be considered “selling”/“sharing” for cross-context behavioral advertising. See U.S. state rights below.

B) Displaying External Content (Fonts, embeds)

Tool: Google Fonts (Google LLC) and similar embeds

Data: Usage data; IP; device/browser data via content delivery.

Purpose: Visual consistency and performance.

Privacy: https://business.safety.google/privacy/

C) Contacting Us (Lead/contact forms, email)

Data: name, email, message, context (e.g., coaching goals).

Purpose: Respond to inquiries, provide quotes, pre-contract steps.

D) Appointment Booking

Tools: Calendly, Wix Bookings

Data: name, email, time zone, availability, notes.

Purpose: Schedule sessions, reminders.

Privacy: [Calendly privacy link] [Wix Booking privacy link]

E) Video Sessions

Tools: Zoom; Google Meet (optional)

Data: name, email, IP/logs, session metadata; recordings only if you opt-in.

Purpose: Deliver coaching sessions.

Privacy: [Zoom privacy link]

F) Payments

Processors: Apple Pay, Google Pay, PayPal and, depending on your region, others such as Stripe or Square

Data: billing details, transaction metadata; processors handle full card info.

Purpose: Process payments, refunds, fraud prevention.

Privacy: [Stripe privacy], [PayPal privacy], [Apple Pay privacy]

G) Email Marketing & Wix Studio CRM

Tools: Wix Studio Email Marketing

Data: name, email, opt-in status, campaign engagement (opens/clicks).

Purpose: Send updates, program info, resources, offers (with consent where required).

Unsubscribe: link in every email. Unsubscribe at any time.

Privacy: [Wix privacy link]

H) Testimonials & Social Proof

Data: name, likeness, statements, results (as provided with consent).

Purpose: Marketing with your permission; you may withdraw consent prospectively.

6. Legal Bases (GDPR/UK–GDPR)

Where applicable, we process personal data under one or more of the following bases:

Consent (Art. 6(1)(a)) — newsletters, certain analytics/marketing, recordings.

Contract (Art. 6(1)(b)) — delivering coaching, bookings, payments, client portal.

Legal obligation (Art. 6(1)(c)) — tax/accounting, compliance.

Legitimate interests (Art. 6(1)(f)) — site security, spam prevention, basic analytics, improving Services, limited direct marketing (where permitted).

We’ll clearly request consent where required and you can withdraw it at any time.

7. Retention

We keep personal data only as long as necessary for the purposes described in this Policy. Retention periods differ by category, including:

Contracts/coaching records

Marketing contacts

Payments/finance

Recordings (if any)

When retention ends, data is securely deleted or anonymized.

8. International Transfers

If data is transferred outside your country (e.g., to the U.S.), we use appropriate safeguards such as Standard Contractual Clauses, Data Processing Agreements, and vendor due diligence. Details available upon request.

9. Security

We use reasonable administrative, technical, and physical safeguards (encryption in transit, access controls, least-privilege access, MFA where available). No method is 100% secure; please use strong, unique passwords and do not share your credentials if you register as a member.

Controls provided by our hosting platform, Wix Studio (operated by Wix, not by us):

  • Account Security: multi-factor authentication, login activity review, and role-based access control.

  • Incident Response: a framework for responding to security incidents.

  • Infrastructure: a multi-cloud hosting strategy, a global CDN, and DDoS protection.

  • Enterprise-Grade Security: IP allowlisting and Single Sign-On (SSO).

Wix Studio also provides built-in data protection features such as HTTPS for encrypted data transfer, a dedicated Security Operations Center (SOC) that monitors for threats, and tools that help us meet GDPR requirements. These platform controls complement, and do not replace, the safeguards described above.

10. Your Rights (GDPR/UK-GDPR)

Subject to law, you may:

Access your data and request a copy

Rectify inaccurate or incomplete data

Erase data (right to be forgotten)

Restrict processing

Object to processing (including direct marketing)

Portability of data

Withdraw consent at any time (does not affect prior processing)

Lodge a complaint with a supervisory authority

How to exercise: email us at [legal@yourexpandyourmind.com]. We will respond within statutory timelines. If we have shared your data with third parties, we will notify them of corrections or erasure where feasible.

11. Your Rights (Brazil—LGPD)

If you reside in Brazil, you may have rights to: confirm processing, access, correct, anonymize/block/delete unnecessary or excessive data, portability, deletion of consent-based data, information about sharing, withdraw consent, object to non-compliant processing, and complain to the ANPD.

How to exercise: contact [legal@yourexpandyourmind.com].

12. Your Rights (U.S. State Laws)

This section covers California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Utah (UCPA). Depending on your state, you may have the right to:

  • Know/Access the categories and specific pieces of personal information we collect, use, disclose, sell/share.

  • Delete personal information (with exceptions).

  • Correct inaccurate personal information.

  • Opt-out of “sale” or “sharing” (e.g., cross-context behavioral advertising/analytics).

  • Limit use/disclosure of Sensitive Personal Information (CA).

  • Data portability.

  • Appeal a decision on your rights request (VA/CO/CT).

How to exercise: email [legal@yourexpandyourmind.com] with “Privacy Request” and your state of residence. We may need to verify your identity (and, for authorized agents, proof of authority). We do not discriminate for exercising your rights.

Sale/Sharing/Targeted Advertising.

Some analytics/ads technologies could be considered a “sale”/“share” under these laws. To opt out, email us with the subject “Do Not Sell or Share My Personal Information”, adjust your cookie preferences where we offer that option, and/or enable the Global Privacy Control (GPC) signal in your browser.

Categories collected (last 12 months) — CA disclosure summary (example):

  • Identifiers (name, email, IP): collected; shared with service providers.

  • Customer records (billing data): collected; shared with payment processors.

  • Internet/Network activity (usage, device, cookies): collected; may be “shared” for analytics/marketing.

  • Geolocation (coarse/IP-based): collected for security/analytics.

  • Inferences: not created intentionally.

  • Sensitive data: we do not intentionally collect sensitive categories for advertising.

13. Children's Privacy

Our Services are intended for adults 18+. We do not knowingly collect personal data from children. If you believe a child provided data, contact us to delete it.

14. Additional Information

Testimonials & Case Studies are published only with explicit consent; as a client, you can withdraw consent prospectively.

Social Media & Links. Interactions with social widgets/links are governed by those platforms’ policies.

Do Not Track. We currently do not respond to DNT signals; please use our cookie banner/preferences and GPC where available.

Third-Party Processors. An up-to-date list of the key vendors we use for our coaching practice (analytics, booking, payments, email, video, CRM) is available on request.

15. Changes to This Policy

We may update this Policy periodically. We’ll post the new date at the top and, if changes are material, we’ll notify you (e.g., email or prominent notice). Continued use of the Services after changes means you accept the updated Policy.

16. Definitions & Legal References

  • Personal Data/Information: Information that identifies or relates to an identifiable individual.

  • Processing: Any operation performed on personal data (collection, storage, use, disclosure, deletion).

  • Controller / Business: Entity determining the purposes and means of processing.

  • Processor / Service Provider / Contractor: Entity processing data on behalf of the Controller/Business.

  • Sale/Share (U.S. laws): Broadly defined transfers for value or cross-context ads/analytics.

  • GDPR/UK-GDPR, LGPD, CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA: Relevant privacy laws referenced in this Policy.