Privacy Policy

1. Introduction & Controller Identity

pathforge.buzz is an online learning platform focused on technical sewing education for performance compression garments (including compression leggings), joint-support construction concepts, and practical brand-launch operations (such as spec packs and production briefs). This policy describes the personal data we collect, why we collect it, what we share with third parties, and what choices you can make.

For the purposes of the UK General Data Protection Regulation (“UK GDPR”) and the EU General Data Protection Regulation (“GDPR”), the data controller is:

• Legal entity: IMBRACE Ltd
• Registered address: UNIT 1 GATE FARM HIGH STREET, SUTTON BENGER, CHIPPENHAM, SN15 4RE, United Kingdom
• Email: [email protected]

We do not appoint a Data Protection Officer (DPO) as a matter of course. If you have privacy questions, you can contact us using the email address above and we will route your request appropriately.

Effective Date: March 17, 2026.

2. Personal Data We Collect

The categories of personal data we may collect depend on how you use the site. Some data is provided directly by you (for example, when you complete a registration form). Other data is collected automatically when your browser loads a page (for example, basic device information and cookie identifiers).

• Identity and contact data: your name (if provided), email address, and any other details you choose to include in a message.
• Form content: information you enter into forms, including your questions and any project details you share about sewing, materials, machine setup, patterns, or brand planning.
• Technical data: IP address, browser type and version, device type, operating system, language settings, and approximate region (derived from IP).
• Usage data: pages viewed, time spent on pages, referral source, navigation path, and interactions such as button clicks or form-start/form-submit events.
• Cookies and identifiers: cookie values and similar identifiers used to remember preferences and measure performance (see Section 4).
• Conversion events: events that indicate a user took an action, such as completing a registration request or consenting to cookies.

We do not intentionally collect special-category personal data (such as health data, genetic or biometric data, religious or political information), financial account details, or government-issued identification numbers through this website. Please do not include sensitive personal details in free-text fields.

3. Why We Process Personal Data & Legal Basis (GDPR Article 6)

We process personal data only when we have a lawful basis. Depending on the context, we may rely on one or more of the following legal bases under GDPR and UK GDPR:

Contact and registration requests

When you submit a form (for example, to register interest or request course access), we use your data to process the request, send operational emails, and provide support. Legal basis: performance of a contract or steps prior to entering a contract (Article 6(1)(b)) and, where required, consent (Article 6(1)(a)).

Analytics and performance measurement

If you consent to analytics cookies, we may measure site usage to understand what content is useful (for example, which course pages people read before registering) and to improve usability. Legal basis: consent (Article 6(1)(a)).

Marketing and advertising measurement

If you consent to marketing cookies, we may measure ad performance and build remarketing or lookalike audiences. This helps us show relevant ads to people who have indicated interest in sewing performance garments or building a sportswear label. Legal basis: consent (Article 6(1)(a)).

Security and fraud prevention

We process limited technical data (such as IP address and request metadata) to protect the site, prevent abuse, and keep services available. Legal basis: legitimate interests (Article 6(1)(f)).

Legal obligations

We may process personal data when required to comply with applicable laws, respond to lawful requests, or establish, exercise, or defend legal claims. Legal basis: legal obligation (Article 6(1)(c)).

Automated decision-making

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects within the meaning of GDPR Article 22.

4. Cookies & Tracking

Cookies are small text files stored on your device. We also use similar technologies such as pixel tags and server-side events where appropriate. Our cookie categories are aligned with our Cookie Policy at /cookie-policy/.

Essential cookies (always on)

Essential cookies are required for the site to function and cannot be switched off in our preferences panel. They support basic features such as maintaining a session and remembering your cookie consent choice.

• Examples: _site_session, cookie_consent
• Retention: session to 12 months (depending on the cookie)

Analytics cookies (consent required)

Analytics cookies help us understand how visitors use the site. Where Google Analytics 4 (“GA4”) is enabled, it may set cookies such as _ga and _ga_XXXXXXXXXX. We configure analytics to reduce data where possible (including IP anonymization settings where supported).

• Examples: _ga (2 years), _ga_XXXXXXXXXX (2 years)
• Analytics data retention: 14 months

Marketing cookies (consent required)

Marketing cookies are used to measure advertising performance and build audiences for remarketing. Examples include cookies from Google Ads and Meta. These cookies can help us understand whether a campaign led to a registration request, without needing to display sensitive or personal information publicly.

• Examples: _gcl_au (90 days), _fbp (90 days), _fbc (90 days where click ID is present)

In addition to cookies, pixels and server-side events can send limited technical identifiers (such as IP address and User-Agent) to help with fraud prevention and conversion attribution. Where advertising tools are used, identifiers may be hashed before transmission as part of a server-side integration.

5. Consent (EEA and UK)

Users in the EEA and UK receive a consent notice under GDPR and UK GDPR. Analytics and marketing cookies activate only after explicit, informed, freely given consent (Article 6(1)(a)). Your choice is recorded in the cookie_consent browser cookie for 12 months.

You can withdraw consent at any time by selecting “Manage cookie preferences” in the site footer, or by clearing cookies in your browser. Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal.

6. Sharing With Advertising & Service Partners

We use reputable service providers to host and protect the website and, if you consent, to measure performance and advertising conversions. Depending on your consent choices and configuration, we may share limited information with the following categories of partners:

• Google LLC (Google Analytics 4, Google Ads, Google Tag Manager, remarketing): cookie identifiers, usage data, and conversion events. https://policies.google.com/privacy
• Meta Platforms, Inc. (Meta Pixel, Custom/Lookalike Audiences, Conversion API): page views, conversions, audience membership signals, and hashed identifiers where applicable. https://www.facebook.com/privacy/policy
• Cloudflare, Inc. (content delivery network and security): IP-based threat detection and performance protection. https://www.cloudflare.com/privacypolicy/

We do not sell personal data. We do not permit these providers to use site data for their own independent commercial purposes; they act as processors or service providers under applicable data protection law, subject to their contractual obligations and platform terms.

7. International Transfers

Some of our service providers are based outside the EEA and UK, including in the United States. When personal data is transferred internationally, we use appropriate safeguards, which may include:

• EU–US Data Privacy Framework (and the UK Extension and Swiss–US DPF where applicable)
• Standard Contractual Clauses (EU Commission Decision 2021/914) as a fallback
• UK International Data Transfer Addendum (IDTA) or equivalent UK mechanisms as a fallback

We also apply practical safeguards where possible, such as limiting the amount of personal data transmitted and using hashed identifiers in server-side measurement workflows where supported.

8. Data Retention

We keep personal data only as long as needed for the purposes described in this policy, unless a longer period is required by law. Typical retention periods include:

• Contact and registration submissions: up to 2 years from the last interaction
• Analytics data: 14 months (where enabled via consent)
• Marketing cookies: retained according to cookie lifetimes (for example, 90 days for certain advertising cookies)
• Email correspondence: duration of the relationship plus 1 year
• Server/security logs: typically 90 days
• Cookie consent record: up to 3 years for audit purposes
• Legal and tax: as required by applicable law (often 6–10 years for financial records when applicable)

9. Your Rights (GDPR and UK GDPR)

If you are in the UK or EEA, you may have the following rights, subject to conditions and exemptions:

• Right of access (Article 15)
• Right to rectification (Article 16)
• Right to erasure (Article 17)
• Right to restriction of processing (Article 18)
• Right to data portability (Article 20)
• Right to object (Article 21)
• Right to withdraw consent (Article 7(3))
• Right to lodge a complaint with a supervisory authority (Article 77)

To exercise your rights, email [email protected]. We aim to respond within 30 days, although we may extend by up to 60 additional days for complex requests. We may need to verify your identity before fulfilling a request.

Supervisory authority references:

• EU: https://edpb.europa.eu
• UK (ICO): https://ico.org.uk
• Germany (BfDI): https://www.bfdi.bund.de
• France (CNIL): https://www.cnil.fr
• Poland (UODO): https://uodo.gov.pl
• Spain (AEPD): https://www.aepd.es

10. Children

This website is not directed at individuals under 16. We do not knowingly collect personal data from minors. If we learn that we have collected personal data from a child under 16 without verifiable parental consent, we will delete it promptly.

11. Do Not Track

This website does not respond to “Do Not Track” (DNT) browser signals. Third-party providers may have their own policies regarding DNT signals.

12. Account & Data Deletion Requests

You may request deletion of your personal data by emailing [email protected] with the subject line “Data Deletion Request”. We will complete the request within 30 days after identity verification, unless we must retain certain data to comply with legal obligations or for the establishment, exercise, or defense of legal claims.

13. Business Transfers

If we are involved in a merger, acquisition, asset sale, financing, reorganization, bankruptcy, or similar event, personal data may be transferred to a successor or affiliate as part of that transaction. We will provide notice on the website if such a transfer materially changes how personal data is used.

14. California (CCPA / CPRA)

This section applies to California residents where the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”), applies.

In the last 12 months, we may have collected the following categories of personal information:

• Identifiers: name (if provided), email address, IP address, cookie identifiers
• Internet or network activity: browsing and interaction data on our site
• Inferences: preferences inferred from pages viewed or course topics read (used only where marketing consent is given)

We do not sell personal information as defined by CCPA. We may share information for cross-context behavioral advertising when marketing cookies are enabled by consent. California residents may opt out of sharing by using our cookie preferences panel (available via “Manage cookie preferences” in the footer).

California residents may have the right to know, delete, correct, and opt out of sale/sharing, and the right to non-discrimination for exercising privacy rights. To submit a request, email [email protected] with the subject line “California Privacy Request”. We may need to verify your identity. Authorized agents may submit requests with written permission.

15. Virginia (VCDPA)

If you are a Virginia resident and the Virginia Consumer Data Protection Act (“VCDPA”) applies, you may have rights to access, correct, delete, and obtain a copy of personal data, and to opt out of targeted advertising. We do not sell personal data and we do not engage in profiling that produces legal or similarly significant effects.

To submit a request, email [email protected] with the subject line “Virginia Privacy Request”. If you wish to appeal a refusal, email with the subject line “Appeal of Refusal — Privacy Request”. We will respond to appeals within 60 days. If you are not satisfied with the result, you may contact the Virginia Attorney General.

16. Nevada

Nevada residents may submit a verified opt-out request by emailing [email protected] with the subject line “Nevada Do Not Sell Request”. We do not currently sell personal information under Nevada Revised Statutes Chapter 603A.

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the platform, or legal requirements. If we make material changes, we will post a notice on the website at least 14 days before the changes take effect. The “Last Updated” date at the top of this page will also be revised.

18. Contact

If you have questions about privacy, data retention, or this policy, contact:

• IMBRACE Ltd
• UNIT 1 GATE FARM HIGH STREET, SUTTON BENGER, CHIPPENHAM, SN15 4RE, United Kingdom
• [email protected]