Privacy Policy

Effective Date: April 1, 2026  |  Last Updated: June 2, 2026

Herb Dock LLC ("Herb Dock," "we," "us," or "our") operates the websites herbdock.com and scan.herbdock.com, and any associated mobile applications (collectively, the "Platform"). We are committed to protecting the privacy and personal information of all individuals who interact with our Platform, including customers, visitors, and affiliate partners.

This Privacy Policy explains what personal information we collect, why we collect it, how we use and protect it, and your rights with respect to your data. This policy is designed to comply with applicable privacy laws worldwide, including but not limited to:

  • General Data Protection Regulation (GDPR) — European Union and United Kingdom
  • California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA) — United States
  • Personal Information Protection and Electronic Documents Act (PIPEDA) — Canada
  • Lei Geral de Proteção de Dados (LGPD) — Brazil
  • Australian Privacy Act 1988 and the Australian Privacy Principles (APPs)
  • Illinois Biometric Information Privacy Act (BIPA) and similar state biometric laws

By using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with its terms, please do not use our Platform.

1. Who We Are

Herb Dock LLC is the data controller for personal information collected through the Platform. Our primary business involves the sale of herbal supplement products and the provision of artificial intelligence ("AI")-assisted, iridology-inspired supplement recommendation services through our proprietary eye scanning application.

For privacy inquiries, requests, or concerns, please contact us at:

Email: privacy@herbdock.com
Website: herbdock.com/contact

For EU/UK residents, we are in the process of designating a local representative as required under GDPR Article 27. Contact details for our representative will be updated here upon appointment. In the meantime, all privacy matters may be directed to the email address above.

2. Information We Collect

We collect information in three primary ways: information you provide to us directly, information collected automatically through your use of the Platform, and information generated by our eye scanning technology.

2.1 Information You Provide Directly

  • Account registration information: name, email address, password (hashed and never stored in plain text)
  • Purchase information: shipping address, billing address, phone number
  • Payment information: processed and stored by Shopify Payments and third-party payment processors. Herb Dock does not store full payment card numbers.
  • Communications: messages you send us via email, contact forms, or customer support
  • Affiliate program information: name, email, payment details, and promotional activity data

2.2 Information Collected Automatically

  • Device and browser information: browser type, operating system, device type, screen resolution
  • Usage data: pages visited, time spent on pages, links clicked, referring URLs
  • IP address and approximate geographic location (country/region level)
  • Cookie data and similar tracking technologies (see Section 6 for details)
  • Affiliate tracking data: referral source, affiliate codes, and attribution cookies scoped to .herbdock.com

2.3 Eye Scan and Biometric Data

Important: The collection of eye scan images constitutes biometric data under applicable laws in several jurisdictions, including Illinois, Texas, Washington, and others. We treat this data with the highest level of care.

When you use the eye scanning feature on scan.herbdock.com, we collect:

  • Photographs or video frames of your iris and surrounding eye area, submitted voluntarily by you
  • AI-generated analysis results and supplement recommendations derived from your scan
  • Technical metadata associated with the scan submission (timestamp, device type)

Important disclosures regarding eye scan data:

  • Eye scan images used for product recommendations are processed by our AI system and the resulting recommendations are associated with your account. The raw image is stored in our secure cloud infrastructure (Google Cloud Storage) for the limited purpose of training and improving our AI models.
  • Eye scan images stored for AI training purposes are de-identified: they are not linked to your name, email address, account, or any other personally identifiable information.
  • We will never sell, rent, or commercially exploit your eye scan images or biometric data.
  • We will never share your eye scan images with third parties except as described in Section 4.
  • You will be asked for explicit consent before any eye scan is taken. You may withdraw this consent at any time by contacting us at privacy@herbdock.com.
  • Retention of eye scan images: de-identified training images are retained for up to 3 years. Upon verified request, we will delete any images associated with a specific submission within 30 days.

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 To Provide and Operate Our Services

  • Create and manage your Herb Dock account
  • Process and fulfill your supplement orders
  • Operate the eye scanning and recommendation service
  • Send transactional emails (order confirmations, shipping updates) via SendGrid
  • Manage affiliate relationships and track referral commissions via GoAffPro

3.2 To Improve Our Services

  • Train and improve our AI/iridology recommendation models using de-identified eye scan images
  • Analyze usage patterns to improve Platform functionality and user experience
  • Conduct internal research and analytics

3.3 To Communicate With You

  • Respond to your inquiries and customer support requests
  • Send marketing emails about products and promotions, if you have opted in
  • Notify you of changes to our policies or services

3.4 Legal and Safety Purposes

  • Comply with applicable laws and regulations
  • Enforce our Terms of Service
  • Detect, prevent, and address fraud, security issues, or technical problems
  • Protect the rights, property, and safety of Herb Dock, our customers, and the public

3.5 Legal Basis for Processing (GDPR / UK GDPR)

For individuals located in the European Union or United Kingdom, we rely on the following legal bases for processing your personal data:

  • Contract performance: processing necessary to fulfill your orders and provide account services
  • Legitimate interests: improving our platform, fraud prevention, and marketing to existing customers
  • Consent: eye scan image collection, marketing emails, and non-essential cookies
  • Legal obligation: tax records, regulatory compliance, and law enforcement requests

4. How We Share Your Information

We do not sell your personal information. We share your information only in the following circumstances:

4.1 Service Providers

We share data with trusted third-party vendors who help us operate the Platform. These providers are contractually bound to protect your data and may only use it for the purposes we specify:

  • Shopify Inc. — e-commerce platform, order management, customer account infrastructure, and live chat support via Shopify Inbox (collects chat transcripts and associated customer information)
  • Google Cloud Platform — cloud storage and computing infrastructure (including eye scan image storage)
  • Google Firebase / Firestore — application database and backend services
  • SendGrid (Twilio Inc.) — transactional email delivery (order confirmations, shipping notifications, authentication emails)
  • Klaviyo Inc. — marketing email automation and customer behavior analytics, integrated with Shopify purchase data
  • Judge.me — product review collection and display (collects reviewer name, email address, and review content)
  • GoAffPro — affiliate program management and tracking
  • Payment processors — as integrated through Shopify Payments (e.g., Stripe)
  • Analytics providers — traffic and usage analytics (e.g., Google Analytics, if enabled)
  • Meta Platforms (Ad Measurement): When you complete a purchase on herbdock.com, we transmit hashed purchase data to Meta via the Meta Conversions API for advertising measurement purposes. Data transmitted includes: SHA-256 hashed email address, phone number, first name, last name, city, province/state, postal code, country, and your IP address. This data is used solely to measure the effectiveness of our advertising and is transmitted in a privacy-preserving hashed format. We do not share product names, supplement identifiers, or health-related purchase details with Meta.

4.2 Affiliate Partners

If you arrive at Herb Dock through an affiliate referral link, we share limited purchase event data (such as order value and commission amounts) with the referring affiliate partner through GoAffPro. We do not share your name, email, or personal details with affiliates.

4.3 Legal Requirements

We may disclose your information if required to do so by law, subpoena, court order, or government regulation, or if we believe in good faith that such disclosure is necessary to protect our rights, your safety, or the safety of others.

4.4 Business Transfers

In the event of a merger, acquisition, bankruptcy, or sale of assets, your personal information may be transferred to a successor entity. We will notify you of any such change and any choices you may have before data is transferred and becomes subject to a different privacy policy.

4.5 International Data Transfers

Herb Dock operates globally, and your data may be transferred to and processed in countries other than your country of residence, including the United States and Canada, where data protection laws may differ from those in your jurisdiction.

For transfers from the European Economic Area (EEA) or UK to countries without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) or other approved transfer mechanisms as required under GDPR.

For transfers of Canadian residents' data outside Canada, we ensure appropriate contractual protections are in place consistent with PIPEDA requirements.

5. Your Privacy Rights

Depending on where you live, you may have specific legal rights regarding your personal information. We honor these rights regardless of your location.

5.1 Rights Available to All Users

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request that we correct inaccurate or incomplete personal information
  • Deletion: Request that we delete your personal information, subject to legal retention requirements
  • Objection: Object to certain processing activities, including direct marketing
  • Portability: Request your data in a structured, machine-readable format
  • Withdraw consent: Withdraw consent at any time where processing is based on consent (including eye scan data and marketing emails)

5.2 Additional Rights — EU/UK Residents (GDPR)

  • Right to restrict processing while a dispute is being resolved
  • Right to lodge a complaint with your national data protection authority (e.g., the ICO in the UK, or your local EU supervisory authority)
  • Right not to be subject to solely automated decision-making that significantly affects you

5.3 Additional Rights — California Residents (CCPA/CPRA)

California residents have the following additional rights:

  • Right to Know: the categories and specific pieces of personal information we collect, use, disclose, and sell
  • Right to Delete: request deletion of personal information we have collected
  • Right to Correct inaccurate personal information
  • Right to Opt-Out of the sale or sharing of personal information — Note: Herb Dock does not sell personal information
  • Right to Limit the use of sensitive personal information (including biometric data such as eye scan images)
  • Right to Non-Discrimination: we will not discriminate against you for exercising your privacy rights

To exercise California rights, contact us at privacy@herbdock.com. We will respond within 45 days as required by law.

5.4 Additional Rights — Canadian Residents (PIPEDA)

  • Right to access personal information we hold about you
  • Right to challenge the accuracy and completeness of your information and have it amended
  • Right to lodge a complaint with the Office of the Privacy Commissioner of Canada

5.5 Additional Rights — Australian Residents

  • Right to access and correct personal information under the Australian Privacy Principles
  • Right to make a complaint to the Office of the Australian Information Commissioner (OAIC)

5.6 Biometric Data Rights (Illinois BIPA and Similar Laws)

If you are a resident of Illinois or another state with biometric privacy protections, you have the right to:

  • Receive notice before biometric data collection
  • Provide written consent before your eye scan images are collected
  • Request deletion of your biometric identifiers and data
  • Not have Herb Dock profit from the sale or disclosure of your biometric data

To exercise any of your privacy rights, please contact us at privacy@herbdock.com. We may need to verify your identity before processing your request. We will respond to all verified requests within the timeframe required by applicable law.

6. Cookies and Tracking Technologies

We use cookies, pixel tags, and similar tracking technologies to operate and improve the Platform and to track affiliate referrals.

Meta Pixel (Advertising): herbdock.com uses the Meta Pixel (ID: 999174335982813), a tracking technology provided by Meta Platforms, Inc. This sets two cookies scoped to .herbdock.com:

  • _fbp — a browser identifier used by Meta to measure ad performance (persists ~90 days)
  • _fbc — an ad click identifier set when you arrive via a Meta ad link (persists ~90 days)

These cookies are readable across all herbdock.com subdomains. Their purpose is ad measurement and attribution — to help us understand whether our advertising is effective. We do not use them to identify you personally. You can opt out of Meta's use of this data via Meta's Ad Preferences.

6.1 Types of Cookies We Use

  • Essential cookies: required for the Platform to function (authentication, shopping cart, checkout). These cannot be disabled.
  • Preference cookies: remember your settings and preferences across visits
  • Analytics cookies: help us understand how visitors use the Platform
  • Marketing cookies: track the effectiveness of advertising campaigns
  • Affiliate tracking cookies: track referral links and attribute purchases to the correct affiliate partner. These cookies are scoped to .herbdock.com to maintain attribution across herbdock.com and scan.herbdock.com.
  • These cookies may be set by services such as Google Analytics, Meta Pixel, and others.

6.2 Managing Cookies

You can control non-essential cookies through your browser settings or our cookie preference center (if available). Note that disabling certain cookies may affect the functionality of the Platform. For residents of the EU/UK, we obtain your consent before placing non-essential cookies in accordance with the ePrivacy Directive.

7. Data Retention

We retain personal information for as long as necessary to fulfill the purposes described in this policy, or as required by law:

  • Account information: retained for the lifetime of your account plus 7 years after account closure (for tax and legal compliance)
  • Order records: 7 years (tax and accounting requirements)
  • Marketing email data: until you unsubscribe or request deletion
  • Eye scan images linked to recommendations: retained for the duration of your account
  • De-identified eye scan images (AI training): up to 3 years from the date of submission
  • Customer support records: 3 years
  • Affiliate program records: 5 years

8. Security

We take the security of your personal information seriously and implement appropriate technical and organizational measures to protect it against unauthorized access, disclosure, alteration, and destruction. These measures include:

  • Encryption of data in transit using TLS/HTTPS
  • Encryption of sensitive data at rest
  • Access controls limiting employee access to personal data on a need-to-know basis
  • Secure cloud infrastructure through Google Cloud Platform
  • Regular review of our security practices

Despite our efforts, no security system is impenetrable. In the event of a data breach affecting your rights and freedoms, we will notify you and applicable regulatory authorities as required by law.

9. Children's Privacy

The Platform is not directed to children under the age of 16 (or 13 in the United States under COPPA). We do not knowingly collect personal information from children under these ages. If you believe we have inadvertently collected information from a child, please contact us immediately at privacy@herbdock.com and we will delete the information promptly.

10. Marketing Communications

With your consent, we may send you email newsletters and promotional offers. You may opt out of marketing emails at any time by clicking the unsubscribe link in any marketing email or by contacting us at support@herbdock.com.

Opting out of marketing communications will not affect transactional emails related to your orders or account.

11. Third-Party Links

The Platform may contain links to third-party websites. We are not responsible for the privacy practices of those websites and encourage you to review their privacy policies before providing any personal information.

12. Health Information Disclaimer

The recommendations generated by our eye scanning technology are based on iridology principles and are provided for informational and wellness purposes only. They do not constitute medical advice, diagnosis, or treatment. The data generated by your eye scan is not classified as medical data under HIPAA (as we are not a covered entity) but is treated as sensitive health-related information subject to the protections described in this policy.

We strongly encourage you to consult a qualified healthcare provider before making changes to your supplement regimen based on any recommendations from the Platform.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by:

  • Posting the updated policy on this page with a new effective date
  • Sending an email notification to the address associated with your account
  • Displaying a prominent notice on the Platform

Your continued use of the Platform after the effective date of any updated policy constitutes your acceptance of the changes. If you do not agree with the updated policy, you should stop using the Platform and may request deletion of your account.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or the handling of your personal information, please contact our Privacy Team:

Herb Dock LLC
Email: privacy@herbdock.com
Website: herbdock.com/contact

For EU/UK residents: You have the right to lodge a complaint with your local data protection authority if you are unsatisfied with our response. A list of EU supervisory authorities can be found at: edpb.europa.eu

For Canadian residents: You may contact the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.

For Australian residents: You may contact the Office of the Australian Information Commissioner at www.oaic.gov.au.

© 2026 Herb Dock LLC. All rights reserved.