Get Tickets

Legal

Privacy Policy

Last updated: April 10, 2026

1. Introduction & Data Controller

This Privacy Policy explains how Glow Wellness (“we,” “our,” or “us”), a brand operated by Ascendra Enterprises LLC, collects, uses, shares, and protects personal information when you visit growingwithglow.com, purchase tickets, attend our events, or otherwise interact with our services.

For the purposes of the EU/UK General Data Protection Regulation (GDPR), the data controller is:

If you do not agree with this policy, please do not use our website or services.

2. Information We Collect

Information you provide directly:

  • Identity & contact data: name, email address, phone number.
  • Transaction data: items purchased, quantity, order ID, billing city and postal code. Full payment card details are collected and stored by Stripe — we never see or store your card number.
  • Event waiver data: emergency contact, medical disclosures you choose to share, and digital signature.
  • Account data: account preferences, saved profile information, communication preferences (if you create a member account).
  • Vendor application data: business name, contact details, product or service description, social links, images.
  • Content you submit: contact form messages, testimonials, reviews, feedback.

Information collected automatically:

  • Device & usage data: browser type, operating system, device identifiers, pages viewed, referring URL, timestamps.
  • Approximate location: derived from IP address (country / region level).
  • Cookies & similar technologies: see Section 5.

We do not knowingly collect any “special category” data under GDPR Article 9 (such as health data) except where you voluntarily disclose it on a waiver. We treat any such disclosures as strictly confidential.

3. Legal Bases for Processing (GDPR)

Where GDPR applies, we rely on the following legal bases under Article 6:

  • Contract (Art. 6(1)(b)) — to process ticket purchases, deliver events you’ve registered for, manage waivers, and handle vendor agreements.
  • Consent (Art. 6(1)(a)) — for marketing emails, newsletter signups, analytics cookies, and any non-essential tracking. You may withdraw consent at any time.
  • Legitimate interests (Art. 6(1)(f)) — to secure our site, prevent fraud, respond to enquiries, and improve our services. We balance these interests against your rights and only rely on this basis where your rights do not override them.
  • Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting, and other laws we are subject to.

4. How We Use Your Information

  • Process ticket purchases, send order confirmations, and deliver event access.
  • Send transactional emails about events you’ve registered for (reminders, logistics, post-event follow-ups).
  • Send marketing emails and our newsletter, only if you have opted in. Every marketing email contains an unsubscribe link.
  • Respond to contact form submissions, vendor applications, and customer support enquiries.
  • Operate, secure, and improve our website and services (including analytics, when you have consented).
  • Comply with legal, tax, and regulatory obligations.
  • Defend our legal rights and enforce our terms.

We do not use your personal information for automated decision-making or profiling that produces legal or similarly significant effects.

5. Cookies & Tracking Technologies

We use two categories of cookies and similar technologies:

  • Strictly necessary — required to run the site, authenticate admin sessions, process checkout, and remember your consent choice. These cannot be turned off and do not store tracking identifiers.
  • Analytics (optional, consent-based) — Google Analytics helps us understand how visitors use the site. We use Google Consent Mode v2, which defaults to denied. Analytics data is only collected after you click “Accept All” on our cookie banner.

You can change or withdraw your choice at any time by clicking Cookie Preferences in the site footer. We do not use advertising, retargeting, or cross-site tracking cookies.

6. Service Providers & International Transfers

We share personal information only with service providers who help us run our business, under contracts that require them to protect your data:

  • Stripe, Inc. — payment processing (PCI-DSS compliant).
  • Resend — transactional and marketing email delivery.
  • Vercel, Inc. — website hosting and edge delivery.
  • Cloudflare, Inc. — DNS, CDN, WAF, and bot protection.
  • Google LLC — Google Analytics (only with your consent).
  • OpenRouter / third-party AI APIs — used only for content generation on our side; no visitor personal data is sent to these APIs.

We are based in the United States, and our service providers may process your data in the US or other countries. Where GDPR applies and data is transferred outside the EEA or UK, we rely on appropriate safeguards, including the EU Standard Contractual Clauses and, where applicable, providers’ certification under the EU-US Data Privacy Framework.

We do not sell your personal information and we do not share it with third parties for their own marketing.

7. Data Retention

We keep personal information only as long as needed for the purposes described above:

  • Ticket purchases & financial records: 7 years, to comply with US tax and accounting laws.
  • Event waivers: 4 years after the event date, to defend against potential claims.
  • Newsletter subscribers: until you unsubscribe, after which we retain a suppression record to honour your request.
  • Contact form & support emails: up to 2 years after the last interaction.
  • Member accounts: for as long as the account is active, plus up to 12 months after deletion for backup cleanup.
  • Analytics data: up to 14 months in Google Analytics (default retention).

When a retention period ends, we delete or irreversibly anonymise the data.

8. Data Security

We apply technical and organisational measures appropriate to the risk, including HTTPS/TLS encryption in transit, HSTS, a web application firewall, rate limiting on public endpoints, signed admin sessions stored in HttpOnly cookies, secure payment processing through Stripe, principle-of-least-privilege access to production systems, and atomic file writes to prevent data corruption. No system is 100% secure, and we cannot guarantee absolute security.

If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours where required by law, and will notify you without undue delay where the breach is likely to result in a high risk.

9. Your Rights (GDPR / UK GDPR)

If you are in the EEA, UK, or another jurisdiction with equivalent law, you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — request correction of inaccurate or incomplete data.
  • Erasure (“right to be forgotten”) — request deletion, subject to legal retention obligations.
  • Restriction — ask us to limit how we use your data while a concern is being resolved.
  • Data portability — receive your data in a structured, machine-readable format, where processing is based on consent or contract.
  • Object — object to processing based on legitimate interests, including direct marketing.
  • Withdraw consent — at any time, without affecting the lawfulness of processing before withdrawal.
  • Lodge a complaint — with your local data protection authority. In the UK, this is the Information Commissioner’s Office (ICO). In the EU, see your national authority’s website.

To exercise any of these rights, email [email protected]. We will respond within 30 days and may ask you to verify your identity before fulfilling the request.

10. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act gives you additional rights:

  • The right to know what personal information we collect, use, and disclose.
  • The right to delete personal information we have collected from you.
  • The right to correct inaccurate personal information.
  • The right to opt out of the “sale” or “sharing” of personal information. We do not sell or share personal information as those terms are defined under the CCPA.
  • The right to non-discrimination for exercising your rights.

To exercise these rights, email [email protected].

11. Children’s Privacy

Our services are intended for adults aged 18 and over. We do not knowingly collect personal information from children under 16. If you believe a child has provided us personal information, please contact us and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or for legal, operational, or regulatory reasons. When we make material changes we will update the “Last updated” date at the top of this page and, where appropriate, notify you by email or through a prominent notice on our site.

13. Contact Us

Questions, requests, or complaints about this policy or your data:

You can also manage your cookie choice at any time via the Cookie Preferences link in the footer, or review our Terms of Service.