Privacy Policy
Last updated: June 24, 2026
Effective date: June 24, 2026
1. Introduction
Welcome to NRF2.com ("we," "our," or "us"). We are committed to protecting your privacy and personal information in compliance with applicable data protection laws worldwide, including but not limited to the EU General Data Protection Regulation (GDPR), UK GDPR, California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), Brazil's Lei Geral de Proteção de Dados (LGPD), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and various US state privacy laws.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website at nrf2.com (the "Site"). By accessing or using the Site, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data practices, please discontinue use of the Site.
2. Data Controller & Contact Information
For the purposes of applicable data protection laws, the data controller responsible for your personal data is:
NRF2.com
Email: [email protected]
Website: https://nrf2.com
If you are located in the European Economic Area (EEA) or the United Kingdom, you may also contact us regarding the exercise of your data protection rights at the email address above.
3. Information We Collect
3.1 Personal Information You Voluntarily Provide
We collect personal information that you voluntarily provide when you interact with our Site through the following activities:
| Activity | Data Collected | Purpose |
|---|---|---|
| Newsletter Signup | Name, email address, interest preferences | Deliver NRF2 research updates |
| eBook Download | Name, email address | Deliver educational resources |
| Health Quiz | Name, email, quiz responses, NRF2 activator usage, health goals | Personalized health pathway insights |
| Product Inquiry | Name, email, phone number, product interest, message | Respond to product-related questions |
| Contact Communications | Any information you include in correspondence | Respond to your inquiries |
3.2 Automatically Collected Information
When you visit the Site, we may automatically collect certain technical information through cookies and similar technologies, subject to your consent where required by law:
- IP address and approximate geographic location
- Browser type, version, language, and operating system
- Pages visited, time spent on pages, and navigation paths
- Referring website URL or search terms
- Device type, screen resolution, and device identifiers
- Date and time of access
This information is collected through Google Analytics 4 (GA4) and server logs, subject to your cookie consent preferences.
3.3 Information We Do Not Collect
We do not collect sensitive personal data including racial or ethnic origin, political opinions, religious beliefs, genetic or biometric data, health data beyond voluntary quiz responses, or sexual orientation. We do not process payment information directly on this Site.
4. Legal Bases for Processing (GDPR/UK GDPR)
If you are located in the EEA, UK, or another jurisdiction that requires a legal basis for processing personal data, we rely on the following legal bases:
- Consent (Article 6(1)(a) GDPR): When you voluntarily submit your information through our forms, subscribe to our newsletter, or accept analytics cookies. You may withdraw consent at any time.
- Legitimate Interests (Article 6(1)(f) GDPR): To improve our Site's functionality, understand usage patterns, ensure security, and prevent fraud, where our interests are not overridden by your rights.
- Legal Obligation (Article 6(1)(c) GDPR): When processing is necessary to comply with a legal obligation to which we are subject.
- Performance of a Contract (Article 6(1)(b) GDPR): When processing is necessary to deliver content or services you have requested.
5. How We Use Your Information
We use the information we collect for the following purposes:
- Service Delivery: To deliver content, resources (eBooks, newsletters), and responses to inquiries you have requested
- Communications: To send newsletters, research updates, and educational content you have opted into receiving
- Analytics: To analyze Site usage and traffic patterns to improve content, layout, and user experience (subject to cookie consent)
- Personalization: To personalize your experience based on your stated interests and preferences
- Security: To protect against fraud, unauthorized access, and other security threats
- Legal Compliance: To comply with applicable laws, regulations, and legal processes
We will not use your personal information for purposes that are incompatible with the purposes listed above without notifying you and, where required, obtaining your consent.
6. Third-Party Services & Data Sharing
We may share your information with the following categories of third-party service providers who assist us in operating the Site and delivering our services:
| Service Provider | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Google Analytics (GA4) | Website analytics & traffic measurement | Anonymized usage data, IP address (anonymized) | Google Privacy Policy |
| Go High Level (CRM) | Lead management & email communications | Name, email, phone, form submissions | GHL Privacy Policy |
| Email Notification Service | Transactional & marketing emails | Email address, name | Governed by our data processing agreements |
| Hosting Provider | Website hosting & infrastructure | Server logs, IP addresses | Governed by our data processing agreements |
We do not sell, rent, or trade your personal information to third parties for their own marketing purposes. Under the CCPA/CPRA, we do not "sell" or "share" personal information as those terms are defined under California law.
We may disclose your information if required by law, regulation, legal process, or governmental request, or to protect our rights, privacy, safety, or property.
7. Cookies & Tracking Technologies
Our Site uses cookies and similar tracking technologies. For complete details about the cookies we use, their purposes, and how to manage them, please see our Cookie Policy.
7.1 Categories of Cookies
- Strictly Necessary Cookies: Essential for the Site to function. These cannot be disabled.
- Analytics Cookies: Used by Google Analytics 4 to collect aggregated usage data. These require your consent in jurisdictions where consent is required.
7.2 Managing Cookies
You can manage your cookie preferences at any time using our cookie consent banner, which appears when you first visit the Site. You can also control cookies through your browser settings. For more information, visit our Cookie Policy.
8. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence, including the United States, where our servers and service providers are located. These countries may have data protection laws that differ from the laws of your jurisdiction.
If you are located in the EEA, UK, or Switzerland, we ensure that adequate safeguards are in place for such transfers, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- EU-U.S. Data Privacy Framework certification (where applicable)
- Adequacy decisions by relevant authorities
- Your explicit consent to the transfer
9. Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required or permitted by law. Specific retention periods include:
- Newsletter subscribers: Until you unsubscribe or request deletion
- Lead/inquiry data: Up to 3 years from last interaction, unless you request earlier deletion
- Analytics data: Google Analytics retains data for up to 14 months (GA4 default)
- Server logs: Up to 90 days
When data is no longer needed, we will securely delete or anonymize it.
10. Data Security
We implement appropriate technical and organizational security measures to protect your personal information, including:
- Encryption in transit via HTTPS/TLS
- HTTP Strict Transport Security (HSTS) headers
- Content Security Policy (CSP) headers
- Secure database storage with access controls
- Regular security assessments
However, no method of electronic transmission or storage is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security. In the event of a data breach affecting your personal data, we will notify you and the relevant supervisory authorities as required by applicable law.
11. Your Privacy Rights — Overview
Depending on your location, you may have the following rights regarding your personal data. Specific rights by jurisdiction are detailed in sections 12–17 below.
- Right of Access: Request a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data
- Right to Restriction: Request that we restrict processing of your data
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests or direct marketing
- Right to Withdraw Consent: Withdraw previously given consent at any time
- Right to Non-Discrimination: Exercise your rights without discriminatory treatment
To exercise any of these rights, please contact us at [email protected]. We will respond within the timeframes required by applicable law (typically 30 days for GDPR, 45 days for CCPA/CPRA).
12. European Union — General Data Protection Regulation (GDPR)
If you are located in the European Economic Area (EEA), you have the following additional rights under the GDPR:
- Right to lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority if you believe our processing of your personal data violates the GDPR.
- Automated decision-making: We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on you.
- Data Protection Officer: For inquiries related to GDPR, contact us at [email protected].
Response time: We will respond to your request within 30 days of receipt. This period may be extended by an additional 60 days where necessary, taking into account the complexity and number of requests.
13. United Kingdom — UK GDPR
If you are located in the United Kingdom, you have equivalent rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, including:
- All rights listed in Section 11 above
- Right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk
- Protection equivalent to GDPR under the UK adequacy framework
14. California — CCPA/CPRA
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
14.1 Your California Privacy Rights
- Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes, and the categories of third parties with whom we share it.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: You have the right to opt out of the "sale" or "sharing" of your personal information. We do not sell or share your personal information as defined by the CCPA/CPRA.
- Right to Limit Use of Sensitive Information: You may limit the use and disclosure of sensitive personal information. We do not collect sensitive personal information as defined by the CCPA/CPRA beyond what is necessary to provide our services.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
14.2 Categories of Personal Information Collected
In the preceding 12 months, we may have collected the following categories of personal information as defined by the CCPA/CPRA:
- Identifiers: Name, email address, phone number, IP address
- Internet Activity: Browsing history on our Site, search history, interaction data
- Inferences: Health interests and preferences derived from quiz responses
14.3 How to Exercise Your Rights
To submit a verifiable consumer request, contact us at [email protected] or visit our Do Not Sell or Share My Personal Information page. We will verify your identity before processing your request. You may also designate an authorized agent to submit requests on your behalf.
Response time: We will acknowledge your request within 10 business days and respond substantively within 45 days of receipt. This period may be extended by an additional 45 days where necessary.
15. Other US State Privacy Laws
Residents of the following US states have additional privacy rights under their respective state laws:
15.1 Virginia Consumer Data Protection Act (VCDPA)
Virginia residents have rights to access, correct, delete, obtain a copy of, and opt out of the processing of personal data for targeted advertising, sale, or profiling. To exercise these rights, contact us at [email protected]. You may appeal our decision regarding your request by contacting us at the same email address.
15.2 Colorado Privacy Act (CPA)
Colorado residents have rights to access, correct, delete, and obtain a portable copy of their personal data, and to opt out of targeted advertising, sale of personal data, or profiling. Contact us at [email protected] to exercise these rights.
15.3 Connecticut Data Privacy Act (CTDPA)
Connecticut residents have rights to access, correct, delete, obtain a copy of, and opt out of the processing of personal data for targeted advertising, sale, or profiling. Contact us at [email protected] to exercise these rights.
15.4 Utah Consumer Privacy Act (UCPA)
Utah residents have rights to access and delete their personal data and to opt out of the sale of personal data or targeted advertising. Contact us at [email protected].
15.5 Additional States
Privacy laws in additional US states including Montana, Oregon, Texas, Iowa, Indiana, Tennessee, and others grant similar rights. Residents of these states may exercise their rights by contacting us at [email protected]. We will process your request in accordance with the applicable state law.
16. Brazil — Lei Geral de Proteção de Dados (LGPD)
If you are located in Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD), including:
- Confirmation and access: Confirm whether your data is processed and access it
- Correction: Request correction of incomplete, inaccurate, or outdated data
- Anonymization, blocking, or deletion: Of unnecessary, excessive, or non-compliant data
- Portability: Transfer your data to another service provider
- Deletion: Of data processed with your consent
- Information about sharing: Know which public and private entities your data has been shared with
- Revocation of consent: Revoke consent at any time
- Opposition: Object to processing that violates the LGPD
To exercise your rights under the LGPD, contact us at [email protected]. You may also file a complaint with the Autoridade Nacional de Proteção de Dados (ANPD).
17. Canada — Personal Information Protection and Electronic Documents Act (PIPEDA)
If you are located in Canada, you have rights under PIPEDA and applicable provincial privacy legislation, including:
- Access: Request access to your personal information held by us
- Correction: Challenge the accuracy and completeness of your information
- Withdrawal of consent: Withdraw consent to the collection, use, or disclosure of your information, subject to legal and contractual restrictions
- Complaint: File a complaint with the Office of the Privacy Commissioner of Canada (OPC)
We will only collect, use, or disclose your personal information with your knowledge and consent, except where permitted or required by law. To exercise your rights, contact us at [email protected].
18. Children's Privacy
Our Site is not intended for children under the age of 16 (or under 13 in the United States, per COPPA). We do not knowingly collect personal information from children under these ages. If you believe we have inadvertently collected personal information from a child, please contact us immediately at [email protected] so we can promptly delete such information.
If you are a minor over the applicable age but under 18, you may use the Site only with the involvement of a parent or guardian.
19. Do Not Track Signals
Some web browsers transmit "Do Not Track" (DNT) signals. We respect DNT signals and Global Privacy Control (GPC) signals. When we detect a GPC or DNT signal, analytics cookies will not be loaded unless you explicitly opt in through our cookie consent banner.
20. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. Any changes will be posted on this page with an updated "Last updated" date at the top.
For material changes that significantly affect how we process your personal data, we will provide prominent notice on the Site and, where required by law, obtain your consent before implementing such changes.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
21. Contact Us
If you have any questions, concerns, or requests related to this Privacy Policy or our data practices, please contact us at:
NRF2.com — Privacy Inquiries
Email: [email protected]
Website: https://nrf2.com
We will endeavor to respond to all legitimate requests within the timeframes required by applicable law.