Privacy Policy

 

0. Commitment & What This Policy Covers (Enhanced)

IPAR Health Sciences, Inc., together with its subsidiaries, affiliates, and authorized local operating companies (collectively, “IPAR”, “we”, “us”, “our” and “ours”), is committed to protecting the privacy and security of your personal data.

This Privacy Policy describes:
(1) how and why we collect, hold, process and use your personal data;
(2) your rights in relation to your personal data; and
(3) how to contact us if you have questions or a complaint.

This Policy is intended to comply with data privacy and security laws applicable to you in your country or region, including, where applicable, the Personal Information Protection Law (PIPL) of the People’s Republic of China, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the General Data Protection Regulation (GDPR), the United Kingdom General Data Protection Regulation (UK GDPR), and other applicable national and regional data protection and privacy laws, regulations, and implementing rules, as amended or updated from time to time (collectively, the “Data Protection Legislation”).

Country / Region Specific Terms.
Specific privacy and information practices may apply to some of our services in certain jurisdictions to reflect local practices and legal requirements. If you reside in a country or region addressed in Section [14] “Country / Region Specific Terms”, those supplemental terms apply to you.
If there is any inconsistency between this Policy and a country/region-specific notice or language version that is designated to apply to your jurisdiction, the country/region-specific terms or designated local-language version will prevail for residents of that jurisdiction to the extent required by law.

1. When This Policy Applies (Enhanced)

This Policy applies to you when IPAR processes your personal data, including when you:

• Visit our website, microsites, online shopping sites, or other sites operated by IPAR (or by authorized third parties on behalf of IPAR) that link to this Policy (collectively, the “IPAR Websites”);
• Use any IPAR mobile application;
• Enroll or participate as a Guest, Preferred Customer (PC), Associate, or Independent Business Associate (IBA) through IPAR systems, customer service, in person, or otherwise;
• Purchase products online, by phone, through customer service, or in person;
• Create an account, sign in, or update your profile;
• Engage with promotions, surveys, training, events, incentives, travel, or conventions;
• Subscribe to newsletters or product updates; or
• Contact us in any other way.

2. Accuracy of Personal Data (New – recommended)

It is important that the personal data IPAR holds about you is accurate, complete, and current. Please keep your account information updated and inform IPAR if your personal data changes.

If you provide inaccurate, incomplete, or false information, we may be unable to provide you with products or services, may delay fulfillment or support, or may be required to restrict or terminate services in accordance with applicable law and IPAR policies.

3. What Personal Data We Collect (Expanded, with role-based approach)

“Personal data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to an identified or identifiable individual.

Depending on how you interact with IPAR, we may collect the following categories of personal data:

3.1 Technical & Usage Data (Web / App)

When you use IPAR Websites or apps, we may collect:

• IP address and device identifiers
• browser type/version, operating system and platform
• time zone and approximate location (derived from IP)
• traffic data, weblogs, analytics, clickstream, and site usage
• pages viewed, resources accessed, and referral URLs
• communications metadata and device settings (where permitted)

When you contact us, we may keep records of that correspondence.

3.2 Order and Service Data

If you order products or request services, we may process:

• name, email, phone number
• domicile country, postal code
• delivery address, billing address
• payment method details (processed through secure payment providers)
• order history, returns, refunds, chargebacks, and support requests

3.3 Role-Based Data (Guest / PC / Associate / IBA)

A. Guests and Retail Customers (where applicable)
We may collect:

• name, contact information, shipping details
• purchase history and preferences
• technical and device data related to online access
• marketing preferences (if subscribed)

B. Preferred Customers (PCs)
We may collect:

• personal details (name, contact information, domicile country)
• date of birth (where required for eligibility)
• order and transaction history
• marketing preferences and communications preferences
• account authentication information

C. Associates (light participation / referral program, where offered)
We may collect:

• personal details and contact details
• referral link identifiers and referral performance metrics
• payout-related information where rewards apply (subject to market rules)
• technical, device, and usage data

D. Independent Business Associates (IBAs)
We may collect:

• personal details (name, contact details, date of birth)
• identity verification or tax documentation where required (e.g., tax ID, government ID, passport for travel programs, bank account verification)
• payment and payout details (bank information, payout history)
• organizational and program data (sponsorship, placement, qualification status, rank/recognition history where applicable)
• training, event registration, travel information (where you elect to participate)
• marketing preferences and communications preferences
• technical/device/usage data for IPAR systems

3.4 Third-Party Personal Data Provided by You (Critical clause)

If you provide IPAR with personal data of other individuals (for example, a customer, spouse, beneficiary, downline participant, or travel companion), you are responsible to:

• inform them of this Policy and their rights;
• collect and share their personal data lawfully; and
• obtain any consent required by applicable law.

3.5 Required vs. Optional Data (New – recommended)

Some personal data we request is necessary to:

• fulfill your order,
• provide requested services,
• administer accounts and participation, or
• comply with legal obligations.

If you fail to provide certain required data, we may be unable to provide products or services, may delay fulfillment or support, or may need to restrict or terminate the relationship, as permitted by law.

The categories and scope of personal data collected may vary over time depending on your interaction with IPAR and the country/region where you reside.

3.6 Sensitive Personal Data & Minors (Enhanced)

Sensitive personal data.
Depending on applicable Data Protection Legislation and the services we provide, some information may be treated as sensitive personal data (for example, payment card details, tax identification numbers, government-issued identification, or precise location data if enabled). We only collect and process sensitive personal data in accordance with applicable law and appropriate safeguards, including consent where required.

Minors.
We do not knowingly solicit or collect personal data from individuals under the minimum age defined by applicable law in their jurisdiction. If you have not reached the age of majority (or other legally defined minimum age), please do not use our services or submit your personal data.

4. Why We Process Your Personal Data (Purposes)

Where lawfully permitted, IPAR may collect, use, disclose, store, and otherwise process your personal data for the following purposes:

Account and Participation Administration

• Process your application/enrollment (Guest, PC, Associate, IBA), create and manage your account, authenticate you, and manage logins, passwords, and profiles.
• Administer participation programs, including eligibility, qualification, recognition, and (where applicable) commission or bonus administration.

Orders, Payments, and Customer Service

• Process, fulfill, and deliver your orders; provide order updates and customer support.
• Process one-time or recurring payments (where you opt in), returns, exchanges, refunds, chargebacks, and warranty/satisfaction processes.

Communications and Program Experience

• Communicate with you about your account, orders, services, product updates, and operational notices.
• Provide program services such as training, events, and participant support where offered.

Business Operations and Improvement

• Operate and improve IPAR Websites, apps, and internal systems; troubleshoot, test, and maintain service quality.
• Conduct analytics to understand preferences, improve services, develop new services, and enhance user experience.

Compliance, Security, and Risk Management

• Detect, prevent, and investigate fraud, policy violations, security incidents, and misuse of programs.
• Protect confidential and commercially sensitive information (including genealogy and business analytics where applicable).
• Perform compliance monitoring, audits, dispute handling, and enforcement of agreements and policies.

Marketing (Subject to Your Choices and Applicable Law)

• Send marketing communications, promotions, special offers, and event information where you have consented or where otherwise permitted by law.
• Manage your marketing preferences and opt-outs.

Business continuity

·         To support business continuity, system integrity, and corporate governance.

Legal and Regulatory

• Comply with applicable laws and regulatory requirements (including tax reporting, accounting, consumer protection, and recordkeeping).
• Respond to lawful requests from regulators, authorities, courts, or law enforcement; support investigations.

Compatibility of Purpose
We use personal data only for the purposes described above (or compatible purposes). If we need to use personal data for a materially different purpose, we will provide notice and seek consent where required by applicable law.

5. Legal Bases for Processing

Where required by applicable Data Protection Legislation, IPAR processes personal data only when a lawful basis applies. Depending on jurisdiction, these bases may include:

• Performance of a contract (e.g., to fulfill orders, manage accounts, provide services you request).
• Legitimate interests (e.g., to operate our business, improve services, prevent fraud, ensure system security), where not overridden by your rights.
• Legal obligations (e.g., tax reporting, consumer protection, compliance obligations).
• Consent (e.g., direct marketing in some jurisdictions; processing of sensitive personal data where required).

Where processing is based on consent, you may withdraw consent at any time, subject to legal or contractual restrictions. Withdrawal of consent does not affect the lawfulness of processing prior to withdrawal.

6. Direct Marketing Communications

Subject to applicable law and your preferences, IPAR may use your personal data to send marketing communications (including by email, SMS/text, phone, push notification, or post) about IPAR products, services, promotions, events, and offers we think may interest you.

In connection with marketing, we may use:

• your contact details and account identifiers,
• information about products/services you purchased or viewed,
• preference indicators and engagement patterns (where permitted).

Opt-out. You may opt out of marketing at any time using unsubscribe links, account settings, or by contacting us. Opting out of marketing does not affect service communications (e.g., order confirmations, security alerts, policy updates).

We may ask you to confirm or update your marketing preferences where required by law or when you engage with new services.

7. Sharing, Disclosure, and Transfer of Personal Data

7.1 Why We Share Personal Data

IPAR may share personal data:

• to provide products and services,
• to administer participation programs,
• to comply with legal obligations,
• to protect IPAR, our participants, and customers, and
• to operate our business effectively.

We do not share personal data except as permitted by law and consistent with this Policy.

7.2 Categories of Recipients

Where permitted by Data Protection Legislation, IPAR may share personal data with:

(a) IPAR Affiliates and Local Operating Companies
Other IPAR entities that need access to personal data to perform responsibilities related to the purposes described in this Policy, on a “need-to-know” basis.

(b) Service Providers and Vendors
Third parties that provide services such as:

• payment processing,
• logistics and fulfillment,
• hosting, cloud services, IT support,
• analytics, email delivery, customer support tools,
• fraud prevention, security monitoring,
• printing, event registration, and travel support (where applicable).

(c) Professional Advisors
Lawyers, accountants, auditors, insurers, and banking partners providing professional services.

(d) Regulators, Authorities, and Law Enforcement
Where required by law, subpoena, court order, or to protect rights and safety.

(e) Business Transfers
If IPAR undergoes a merger, acquisition, restructuring, sale of assets, change of control, or similar transaction, personal data may be shared as part of that transaction subject to legal requirements. Where required, we will provide notice and/or seek consent.

7.3 Protection and Control Over Service Providers

We require service providers to:

• protect personal data with appropriate security measures,
• process personal data only for specified purposes,
• act on our instructions where required,
• maintain confidentiality and comply with applicable laws.

8. International Data Transfers

IPAR operates internationally. Your personal data may be transferred to, stored, or processed in countries outside your country of residence, including where IPAR or our service providers operate.

Whenever we transfer personal data internationally, we will take steps required by applicable law to ensure adequate safeguards, which may include:

• contractual protections,
• security measures,
• transfer risk assessments and local filing/approval where required (market-specific),
• or other lawful mechanisms.

Country/region-specific transfer rules may apply under Section 14.

9. Data Security

IPAR maintains reasonable administrative, technical, and physical safeguards designed to protect personal data against unauthorized access, disclosure, alteration, misuse, or loss.

Security measures may include (as appropriate):

• encryption in transit and/or at rest for sensitive data,
• access controls and least-privilege permissions,
• monitoring, logging, and incident response procedures,
• vendor security requirements and assessments.

No method of transmission or storage is 100% secure. If you believe your account has been compromised, please contact us promptly.

Data Breach Response.
We maintain procedures to address suspected personal data breaches and will notify affected individuals and regulators where legally required.

10. Data Retention

IPAR retains personal data only for as long as necessary to fulfill the purposes described in this Policy, including:

• providing services,
• maintaining accurate records,
• resolving disputes,
• enforcing agreements,
• and meeting legal, accounting, or regulatory requirements.

Retention periods vary depending on:

• the nature and sensitivity of the data,
• the purposes of processing,
• your role (Guest/PC/Associate/IBA),
• and applicable legal requirements (including litigation holds and investigations).

In some circumstances, we may anonymize or aggregate data so it can no longer be associated with you, and we may use such information for lawful business purposes.

11. Cookies and Similar Technologies

When you use IPAR Websites or apps, we may use cookies, pixels, SDKs, and similar technologies to:

• enable core site functionality,
• remember preferences,
• support security and fraud prevention,
• analyze traffic and performance,
• and (where permitted) deliver relevant marketing.

Some cookies are essential for operation. You can manage cookies through browser settings and (where available) IPAR cookie preference tools. Disabling cookies may affect functionality.

Where required by law, we will obtain consent for non-essential cookies.

12. Personal Data Processed by IBAs (Third-Party Personal Data)

12.1 IBAs’ Role When Handling Personal Data

If, in the course of conducting an IPAR business, an IBA collects or processes personal data of customers or other individuals (“Third-Party Personal Data”), the IBA must:

• process such data only for authorized IPAR business purposes and only as necessary to support the customer relationship and permitted IPAR activities;
• comply with applicable Data Protection Legislation and IPAR policies;
• use only IPAR-approved systems, tools, and channels for collecting and storing Third-Party Personal Data, unless IPAR provides written approval for alternative tools.

12.2 Prohibited Activities (Critical)

IBAs must not:

• sell, license, rent, or otherwise monetize Third-Party Personal Data;
• disclose Third-Party Personal Data to any third party except as permitted by IPAR policies and applicable law;
• export or upload Third-Party Personal Data to unauthorized CRM systems, messaging lists, or external databases without IPAR’s written authorization;
• conduct independent international transfers of Third-Party Personal Data, except through IPAR-approved systems.

12.3 Security and Breach Notice

IBAs must maintain reasonable security measures to protect Third-Party Personal Data.
If an IBA becomes aware of a suspected or confirmed data breach involving Third-Party Personal Data, the IBA must:

• notify IPAR without undue delay, and in any event within 24 hours of becoming aware of the breach; and
• cooperate with IPAR in investigating, mitigating, and responding to the incident, including responding to data subject requests and regulator inquiries as required.

12.4 Requests From Individuals (Data Subject Rights)

If an individual submits a privacy request to an IBA regarding Third-Party Personal Data, the IBA must promptly refer the request to IPAR, unless the IBA is legally required to respond directly. IBAs must not attempt to fulfill rights requests in a manner that conflicts with IPAR instructions or applicable law.

12.5 Termination

Upon termination of an IBA’s participation, the IBA must delete or securely destroy Third-Party Personal Data in their possession or control unless retention is required by law, and must confirm deletion upon request.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in laws, regulations, business operations, or data practices.

• Updates will be posted on IPAR Websites and/or through IPAR account notices.
• Where changes have a material impact on how we process personal data, we will provide notice and obtain consent where required by applicable law.

Continued use of IPAR services after an update constitutes acceptance to the extent permitted by law.

13.1 How to Contact Us / Complaints (Optional placement if you already have Section 15)

If you have questions, requests, or complaints about privacy, you may contact IPAR’s Privacy Office using the contact information provided in Section 15. Where applicable, you also have the right to lodge a complaint with your local data protection authority.

Section 14｜Country / Region Specific Terms

The following Country / Region Specific Terms apply in addition to the main IPAR Privacy Policy.
Where there is any inconsistency between these terms and the main Privacy Policy, these Country / Region Specific Terms shall prevail for residents of the applicable jurisdiction to the extent required by law.

14.1 Kyrgyz Republic

If you reside in the Kyrgyz Republic, your personal data is processed in accordance with the Law of the Kyrgyz Republic on Personal Information and other applicable regulations.

• IPAR processes personal data only for legitimate, specific, and lawful purposes.
• Personal data may be collected and processed based on your consent, performance of a contract, or other lawful grounds permitted under Kyrgyz law.
• IPAR implements organizational and technical measures to protect personal data against unauthorized access, loss, or misuse.
• Where cross-border transfers occur, IPAR takes reasonable steps to ensure that personal data is protected in accordance with applicable law.
• You may have the right to access, correct, or request deletion of your personal data, subject to applicable legal limitations.

Requests or inquiries may be submitted to IPAR using the contact details provided in this Privacy Policy.

14.2 Republic of Kazakhstan

If you reside in the Republic of Kazakhstan, your personal data is processed in accordance with the Law of the Republic of Kazakhstan on Personal Data and Their Protection and related regulations.

• Personal data is processed with your consent or other lawful bases permitted by Kazakh law.
• IPAR may process personal data necessary for providing products, services, and participation in IPAR programs.
• IPAR adopts security measures to prevent unauthorized or unlawful processing, loss, or disclosure of personal data.
• Cross-border transfer of personal data may occur where permitted by law and subject to appropriate safeguards.
• You may exercise rights provided under Kazakh law, including rights to access, correction, and protection of your personal data.

14.3 Republic of Uzbekistan

If you reside in the Republic of Uzbekistan, your personal data is processed in accordance with the Law of the Republic of Uzbekistan on Personal Data and applicable implementing regulations.

• Personal data is processed on lawful grounds, including consent and contractual necessity.
• Certain categories of personal data may be subject to localization or registration requirements under Uzbek law.
• IPAR implements appropriate measures to ensure confidentiality and security of personal data.
• Where required by law, IPAR will take steps to register databases or otherwise comply with local data protection obligations.
• You may have rights to access, amend, block, or delete personal data, subject to legal requirements.

14.4 Mainland China

If you reside in Mainland China, your personal information is processed in accordance with the Personal Information Protection Law (PIPL), the Data Security Law, the Cybersecurity Law, and related regulations.

• IPAR processes personal information based on lawful grounds, including consent, contractual necessity, or other bases permitted under PIPL.
• Sensitive personal information (such as identification documents, financial account information, or precise location data) will be processed only where necessary and with separate consent where required.
• Personal information may be transferred outside of Mainland China only in compliance with applicable cross-border data transfer requirements, including security assessments, standard contracts, or certification where required.
• Individuals have rights under PIPL, including rights to access, copy, correct, delete, withdraw consent, and request explanation of processing rules.
• For China-dedicated platforms (such as China-specific websites, applications, or WeChat mini programs), a separate or supplemental China Privacy Notice may apply.

14.5 United States – California (CCPA / CPRA)

If you are a resident of California, IPAR processes your personal information in accordance with the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

Your California Rights

Subject to applicable exceptions, you may have the right to:

• Know what categories of personal information IPAR collects, uses, and discloses;
• Access specific pieces of personal information;
• Request correction of inaccurate personal information;
• Request deletion of personal information;
• Limit the use and disclosure of sensitive personal information (where applicable);
• Opt out of “sale” or “sharing” of personal information for cross-context behavioral advertising (if applicable).

IPAR does not sell personal information as defined by the CCPA/CPRA.

You may exercise your California privacy rights by contacting IPAR using the methods described in this Privacy Policy. IPAR will not discriminate against you for exercising your rights.

14.6 European Union & United Kingdom (GDPR / UK GDPR)

If you reside in the European Economic Area (EEA) or the United Kingdom, IPAR processes personal data in accordance with the General Data Protection Regulation (GDPR) and/or the UK GDPR, as applicable.

Your Rights

Subject to applicable law, you may have the right to:

• Access your personal data;
• Rectify inaccurate or incomplete data;
• Request erasure (“right to be forgotten”);
• Restrict or object to certain processing;
• Request data portability;
• Withdraw consent at any time where consent is the legal basis.

IPAR processes personal data based on lawful grounds, including contractual necessity, legitimate interests, legal obligations, and consent where required.

Where personal data is transferred outside the EEA or UK, IPAR implements appropriate safeguards, such as standard contractual clauses or other approved mechanisms.

You also have the right to lodge a complaint with your local supervisory authority.

14.7 Singapore

If you reside in Singapore, IPAR processes personal data in accordance with the Personal Data Protection Act 2012 (PDPA) of Singapore.

• IPAR collects, uses, and discloses personal data only for purposes that a reasonable person would consider appropriate.
• Consent is obtained where required under the PDPA, and you may withdraw consent subject to legal or contractual restrictions.
• IPAR takes reasonable security arrangements to protect personal data.
• You may request access to or correction of your personal data in accordance with the PDPA.

14.8 Republic of Korea (대한민국)

If you reside in the Republic of Korea, IPAR processes your personal data in accordance with the Personal Information Protection Act (PIPA) and related regulations.

• IPAR collects and processes personal data only for lawful and specific purposes and to the minimum extent necessary.
• Certain personal data may be designated as sensitive information or unique identification information under Korean law and will be processed only where permitted and with enhanced safeguards.
• Where required by law, IPAR will obtain your consent prior to processing or transferring personal data.
• You may have rights under Korean law to access, correct, suspend processing of, or request deletion of your personal data, subject to applicable exceptions.
• IPAR implements technical, administrative, and physical security measures to protect personal data and to prevent leakage, loss, or unauthorized access.

14.9 Philippines

If you reside in the Philippines, IPAR processes your personal data in accordance with the Data Privacy Act of 2012 (DPA) and its implementing rules and regulations.

• Personal data is processed based on consent, contractual necessity, legal obligation, or other lawful criteria permitted by the DPA.
• Certain information (such as government-issued identifiers, marital status, date of birth, or financial information) may be considered Sensitive Personal Information and will be processed only with appropriate safeguards and consent where required.
• You may have rights to access, correction, objection, erasure, or blocking of your personal data, subject to applicable law.
• IPAR implements reasonable and appropriate security measures to protect personal data against accidental or unlawful destruction, alteration, or disclosure.
• Data breaches will be handled in accordance with applicable notification requirements.

14.10 Australia

If you reside in Australia, IPAR processes your personal data in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

• Personal data is collected, used, and disclosed only for purposes permitted under the APPs.
• IPAR may disclose personal data to overseas recipients, including IPAR affiliates and service providers located outside Australia.
• Where personal data is disclosed overseas, IPAR takes reasonable steps to ensure that overseas recipients handle personal data in a manner consistent with the APPs, including through contractual safeguards where appropriate.
• You have the right to request access to, or correction of, personal data held about you, subject to legal exceptions.
• Complaints regarding privacy may be submitted to IPAR. If unresolved, you may contact the Office of the Australian Information Commissioner (OAIC).

14.11 Mexico

If you reside in Mexico, this Privacy Policy constitutes a Privacy Notice under the Federal Law on Protection of Personal Data Held by Private Parties and its regulations.

• IPAR processes personal data primarily based on your consent or other lawful grounds permitted under Mexican law.
• IPAR does not intentionally collect personal data classified as sensitive under Mexican law unless required and permitted.
• Certain processing purposes (such as marketing communications or internal analytics) may be considered secondary purposes. You may object to secondary purposes using the contact details provided in this Policy.
• You have rights to Access, Rectification, Cancellation, and Opposition (ARCO rights) regarding your personal data.
• Requests to exercise ARCO rights must include sufficient information to verify your identity and locate the relevant personal data. IPAR will respond within legally required timeframes.
• Personal data may be transferred to third parties as described in this Policy, and consent for such transfers will be obtained where required by law.

14.12 Canada

If you reside in Canada, IPAR processes your personal data in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws.

• IPAR collects, uses, and discloses personal data for purposes that a reasonable person would consider appropriate under the circumstances.
• Consent is obtained where required, and may be express or implied depending on the nature of the information and the context of the processing.
• You have the right to access your personal data and to request correction of inaccurate or incomplete information, subject to legal limitations.
• IPAR uses reasonable safeguards to protect personal data against loss, theft, unauthorized access, disclosure, copying, use, or modification.
• You may direct privacy-related complaints to IPAR, and you may also contact the Office of the Privacy Commissioner of Canada if concerns are not resolved.