119
HTMA
LABS

Legal

HTMA Labs Privacy Policy

Understand how HTMA Labs collects, uses, and safeguards customer data.

HTMA Labs — Privacy Policy

Entity: Sweet Potato LLC d/b/a “HTMA Labs”
Address: 30 N Gould St, Ste R, Sheridan, Wyoming 82801, USA
Contact: buildooor [at] gmail [dot] com
Effective Date: November 08, 2025
Version: 1.0

Important: HTMA Labs is a consumer‑health education platform. We do not provide medical care, diagnosis, treatment, or emergency services. Content is educational only. If you are experiencing a medical emergency, call your local emergency number immediately.

Age: Services are for individuals 18 years and older.

Geography: Services are not offered to residents of New York or New Jersey and are not offered to residents of the European Union or the United Kingdom. Services are offered worldwide elsewhere to the extent lawful in the user’s location.

Privacy Policy

1. Scope

This Privacy Policy explains how we collect, use, disclose, and retain information when you use the Services. We do not offer the Services to residents of the European Union or the United Kingdom. If you are in a location where the Services are unlawful, do not use them.

2. Who We Are and How to Contact Us

Sweet Potato LLC d/b/a HTMA Labs, 30 N Gould St, Ste R, Sheridan, WY 82801. Questions or requests: buildooor [at] gmail [dot] com.

3. Information We Collect

We collect the following categories of information:

  • Identifiers and Contact Information: name, email address, account IDs, country, state, and other details you provide.
  • Transactional Information: product purchased, price, currency, time of purchase, and processor metadata (handled by Stripe). We do not store full card numbers.
  • Account and Access Information: sign‑in email link events, entitlement activations, and access status.
  • Content and Uploads: forms, notes, files, or other content you submit.
  • Health‑Related Information (Self‑Provided): health history answers, symptoms, mineral or lab‑related information that you choose to provide. We are not a HIPAA‑covered entity.
  • Telemetry and Logs: device and request metadata, session identifiers, and application logs generated during checkout, entitlement, and access.
  • Practitioner Interactions: messages may be routed through third‑party secure messaging services; those services may be the system of record for those messages.

4. Sources of Information

Directly from you; automatically from your device; from our payment processor; and from third‑party services used to provide features (e.g., authentication and secure messaging).

5. How We Use Information

We use information to:

  • Provide, maintain, and improve the Services;
  • Authenticate users and deliver access to digital goods;
  • Operate cohorts and memberships;
  • Communicate with you about purchases, access, and updates;
  • Provide educational insights and decision‑support features, including automated or AI‑assisted features;
  • Detect, investigate, and prevent security incidents, fraud, and abuse;
  • Comply with legal obligations and enforce our Terms.

6. AI and Automated Processing

We may use automated systems or AI to assist with educational insights and product features. Practitioners may use AI tools at their discretion. Input data used for AI may include information you provide (for example, mineral or health‑history data). We may process such inputs with third‑party AI providers or service partners. We do not use automated decision‑making that produces legal or similarly significant effects without human review.

7. Disclosures and Third Parties

We disclose information to:

  • Payment Processors: to process transactions (e.g., Stripe).
  • Authentication/Messaging Providers: for account creation, magic links, and secure communications.
  • Hosting/Infrastructure Providers: to host the Services (e.g., U.S.‑based cloud services).
  • Labs and Shipping Partners: if required to coordinate HTMA kits or sample handling; at present, users ship samples directly, and lab partners may vary.
  • Service Providers and Contractors: for support, analytics, email delivery, backup, and security.
  • Professional Advisors and Legal Authorities: as necessary to protect rights, comply with law, or in connection with corporate transactions.

We do not sell personal information as commonly defined by U.S. state privacy laws. We may share de‑identified or aggregated data.

8. International Data Transfers

We process data in the United States and Canada and may transfer data to service providers in those countries. By using the Services, you consent to the transfer of your information to these locations, which may have different data‑protection laws than your home jurisdiction. Where a law requires specific safeguards (for example, Standard Contractual Clauses or equivalent transfer mechanisms), we implement those safeguards or rely on another lawful basis before moving data across borders.

9. Retention

We retain information for as long as necessary to provide the Services, for legitimate business purposes, and as required by law. Backups and logs may persist for a period after account deletion. We may de‑identify or aggregate data for longer retention.

10. Your Choices and Requests

  • Access, Correction, Deletion. You may request access to or deletion of your information by emailing buildooor [at] gmail [dot] com. We will process requests in a reasonable time, and may deny or limit requests where permitted by law (for example, to maintain transaction records, comply with legal obligations, or ensure the security of the Services).
  • Marketing Communications. We may send transactional emails about your account and purchases. If we send marketing emails, you may opt out by using unsubscribe links or contacting us.
  • Cookies/Tracking. If we use cookies or similar technologies, we will provide notice in the product or via a cookie banner as applicable.

11. State Privacy Rights and Appeals

Residents of certain U.S. states (including California, Colorado, Connecticut, Utah, and Virginia) may have additional rights, such as the right to confirm whether we process their data, obtain a copy in a portable format, correct inaccuracies, delete information, or opt out of targeted advertising. You may exercise these rights by emailing buildooor [at] gmail [dot] com with the subject line “State Privacy Request” and describing the request. We may ask you to verify your identity (and authority, if acting for someone else) and will respond within 45 days unless an extension is permitted. If we deny a request, you may appeal by replying to our decision within 30 days; we will review and respond within 45 days. If you remain dissatisfied, you may contact your state attorney general or privacy regulator.

12. Security

We use commercially reasonable safeguards to protect information. No method of transmission or storage is completely secure. You are responsible for maintaining the security of your devices and credentials. We are not a HIPAA‑covered entity.

13. Children

The Services are for users 18 years and older. We do not knowingly collect personal information from children. Do not use the Services if you are under 18.

14. Changes to this Policy

We may update this Privacy Policy by posting a new version with an updated Effective Date. Material changes will be notified via email or in‑product notice when feasible.

15. Contact

For questions, requests, or complaints: buildooor [at] gmail [dot] com.

Attachments

Attachment A — Checkout Consent Text (Short Form)

  • Microcopy (≤140 characters): “Instant access. No refunds. Educational only. Wyoming law. By paying you agree to our Terms and Privacy.”
  • Checkbox Consent (displayed before pay): “I am 18+, not a resident of NY or NJ, and I understand digital access is delivered instantly and is non‑refundable except where required by law. I agree this is educational only and accept the Terms of Service and Privacy Policy.”

Attachment B — Dispute Evidence Narrative (Template)

  • Payment intent ID, session ID, and timestamp of processor confirmation.
  • Entitlement activation timestamp and product slug.
  • First access attempt or sign‑in email delivery logs.
  • Customer communications regarding access.
  • Statement: “Digital goods delivered instantly upon processor confirmation; customer accessed via email sign‑in link; non‑refundable terms shown and acknowledged at checkout.”

Attachment C — Incident Response Commitments

If we determine that a security incident has compromised personal information, we will investigate promptly, contain the event, and notify affected individuals and regulators within a reasonable timeframe consistent with applicable law. Notifications will describe what happened, the information involved, our actions, and recommended protective steps.