Effective date: January 29, 2026

Encephalon Inc. ("us", "we", or "our") operates the https://unlimited-with-dr-joe-dispenza.myshopify.com/, http://www.drjoedispenza.com, websites and the "Making Your Mind Matter" mobile application (collectively the "Service"). We also use additional websites and associated mobile applications provided by service providers to support the Service. http://www.cvent.com, http://www.myshopify.com, http://www.mindmovies.com This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our services. It also describes your choices and rights with respect to your personal information.

We are committed to handling your personal data transparently and in accordance with applicable privacy laws, including the General Data Protection Regulation (GDPR) in the European Union and relevant U.S. privacy and data protection laws.

Unless otherwise defined here, terms used in this Privacy Policy have the same meanings as in our Terms and Conditions.

Service means the websites, service websites, along with the "Making Your Mind Matter" mobile application and associated mobile applications provided and operated by Encephalon Inc.along with our additional service providers.

Personal Data means any information relating to an identified or identifiable natural person. A person is identifiable if they can be identified, directly or indirectly, for example by a name, email address, an online identifier or by one or more factors specific to their identity. Personal data may cover information you provide to us directly, information generated in the course of your use of the Service or information we lawfully obtain from third parties.

Usage Data is data collected automatically either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).

Cookies and Similar Technologies are small files or identifiers stored on, or accessed from, your device (such as a computer, smartphone, or connected device). While "cookies" are the most common example, this term also covers other technologies used for the same purposes, such as tracking pixels, SDKs, browser local storage, unique identifiers, and device fingerprinting techniques. These tools may be used to make our Service work properly, to remember your preferences, to analyze how our Service is used, or to deliver relevant content and advertising. The use of cookies and similar technologies is subject to your consent, except where they are strictly necessary for the operation of the Service.

Data Controller means the natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal information are, or are to be, processed.

For the purpose of this Privacy Policy, we are a Data Controller of your Personal Data.

If you have any questions about our Privacy Policy or the handling of your personal data, please contact our Data Protection Officer at dataprotection@drjoedispenza.com.

Data Processor (or Service Provider) means any natural or legal person who processes the data on behalf of the Data Controller.

We engage processors under written data-processing agreements that require them to handle Personal Data securely, confidentially and solely on our instructions, with appropriate safeguards in place for international transfers.

More specifically, we use external IT service providers to host and operate our applications and databases. These include cloud infrastructure providers and database providers who store and process personal data on our behalf.

These service providers act as our processors within the meaning of Art. 28 GDPR. They are contractually obliged to follow our instructions, implement appropriate technical and organisational measures, and may not use the data for their own purposes.

Data Subject (or "User") means any identified or identifiable natural person whose Personal Data we process in connection with the Service, including those who directly use the Service and those whose information is otherwise provided to us.

When you use our Service, we collect different types of information. Some of this data you provide directly, some is collected automatically, and some is collected through cookies and similar technologies.

We may collect and process the following personal data:

• Name (first and last)
• Email address
• Phone number
• Postal address (street, city, state/province, postal code)
• Any additional information you provide when registering for or attending our workshops or events
• Financial information: such as payment card details or bank account information necessary for payment processing including billing information.

We may also use your Personal Data to send newsletters, promotional materials, or other communications you have consented to receive. You can opt out at any time by following the unsubscribe link in our emails.

We may also collect information that your browser sends whenever you visit our Service or when you access the Service by or through a mobile device ("Usage Data").

This Usage Data may include information such as:

• Your device's Internet Protocol (IP) address
• Browser type and version
• Device type, operating system and unique device identifiers
• Pages visited, time and date of visit, and time spent on each page
• Mobile-specific details (e.g., mobile device ID, mobile operating system, type of mobile browser)
• Diagnostic data such as crash reports or error logs

On our website, we use cookies from ourselves and from third parties. Cookies are information files that can be automatically stored on or read from the website visitor's device (such as PC, tablet or smartphone) when visiting a website. This is done through the web browser on the device. We and third parties use cookies to:

• enable functionalities of the website (technical and functional cookies);
• analyze the use of the website and on this basis make the website more user-friendly (analytical cookies);
• show personalized advertisements (marketing cookies). We use non-essential cookies and similar technologies for advertising subject to opt-in consent.

Other technologies may include:

• Beacons, tags, and scripts to collect and track information and to improve and analyze our Service.

Except for cookies that are strictly necessary for the functioning of the website, we will only place cookies with your prior consent. You can manage or withdraw your consent at any time through our cookie banner or your browser/device settings.

We will process your personal data based on one or more of the following legal bases:

• Performance of a contract: Processing is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract.
• Compliance with legal obligations: Processing is necessary to comply with our legal obligations.
• Consent: Processing is based on your explicit consent, which you can withdraw at any time.
• Legitimate interests: Processing is necessary for our legitimate interests or those of a third party, provided your interests and fundamental rights do not override those interests.

We will process your personal data for the following purposes:

• Providing products and services: We use your personal data to fulfill your requests, deliver products or services, and manage your account.
• Communication and support: We may contact you with important updates, respond to your inquiries, and provide customer support.
• Payment processing: We collect and process financial information to facilitate transactions and secure payment processing.
• Personalization and improvement: We may analyze your personal data to personalize your experience, improve our products and services, and enhance our website's functionality
• Legal and regulatory compliance: We process personal data to comply with applicable laws, regulations, and legal obligations.
• Marketing and promotional activities: With your consent, we may send you marketing communications about our products, services, promotions, and events. You can opt-out at any time

We will retain your personal data for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. When determining the appropriate retention period, we consider factors such as the nature and sensitivity of the personal data, the purposes for which we process it, and applicable legal requirements.

We may keep certain personal data longer than our policies specify in order to comply with legal requirements and for safety and security reasons.

We may share your personal data with trusted third-party service providers who assist us in operating our business, delivering products or services, and providing related services. These service providers are bound by contractual obligations to handle your personal data securely and only process it according to our instructions

In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal data may be transferred to the acquiring entity or merged with the acquiring entity's data. We will take steps to ensure the protection of your personal data during such transfers and will notify you of any changes that may affect your rights.

If we transfer your personal data to a country (or to a public authority) outside the European Economic Area (EEA), we will ensure that any such transfer is lawful and in compliance with applicable data protection laws. We will implement appropriate safeguards, such as using standard contractual clauses or relying on adequacy decisions or other legal grounds recognized by the GDPR.

Where appropriate, we will need to send your personal data to our local servers in the United States in order to provide the product or service you require. Encephalon carefully reviews all legal requests to ensure that there's a valid legal basis for each request and complies with legally valid requests.

We may disclose your Personal Data where required to do so by applicable law, regulation, or valid legal process. For users in the European Union/EEA, any disclosure to public authorities, including foreign authorities outside the EU/EEA, will only take place in line with the requirements of the General Data Protection Regulation (GDPR). This means that such disclosures must:

• Be based on a valid legal ground under the GDPR, and
• Comply with the international transfer rules set out in Chapter V GDPR, including reliance on adequacy decisions, appropriate safeguards, or derogations, and
• Where applicable, it can be supported by an international agreement before a request from a third-country authority can be recognized.

We may also disclose Personal Data to protect and defend the rights or property of Encephalon Inc., to investigate possible wrongdoing in connection with the Service, to ensure the safety of our users and the public, or to protect against legal liability

We implement technical and organizational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access such as encryption, access and authorization controls. These measures are designed to provide a level of security appropriate to the risks associated with the processing of your personal data. For instance, we do not support Do Not Track ("DNT"). Do Not Track is a preference you can set in your web browser to inform websites that you do not want to be tracked.

You can enable or disable Do Not Track by visiting the Preferences or Settings page of your web browser.

If you are located in the European Economic Area (EEA), you are entitled to certain data protection rights under the GDPR

In certain circumstances, you have the following data subject rights:

• The right to access, update or to delete the information we have on you. Whenever made possible, you can access, update or request deletion of your Personal Data directly within your account settings section. If you are unable to perform these actions yourself, please contact us to assist you.
• The right of rectification. You have the right to have your information rectified if that information is inaccurate or incomplete.
• The right to object. You have the right to object to our processing of your Personal Data.
• The right of restriction. You have the right to request that we restrict the processing of your personal information.
• The right to data portability. You have the right to be provided with a copy of the information we have on you in a structured, machine-readable and commonly used format.
• The right to withdraw consent. You also have the right to withdraw your consent at any time where Encephalon Inc. relied on your consent to process your personal information. If you have provided consent for the receipt of marketing communications, you can withdraw your consent at any time by following the instructions provided in the communication or contacting us directly. Please note that even if you opt-out of marketing communications, we may still send you non-promotional messages relating to your account or our ongoing business relationship.
• You have the right to complain to a Data Protection Authority about our collection and use of your Personal Data. For more information, please contact your local data protection authority in the European Economic Area (EEA).

If you wish to exercise any of these rights, we may ask you to identify yourself. For this purpose, we request information to ensure that you are the correct person to whom the personal data belongs.

In principle, we will comply with your request within one month. However, this deadline may be extended by two months for reasons related to specific privacy rights or the complexity of the request. If we extend this deadline, we will notify you within the first month.

If you wish to exercise any of your rights, please let us know by contacting us using the contact information at the top.

If you are located in the EEA we handle personal data breaches in accordance with Article 33 and 34 of the GDPR. Where required, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals;
• Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms;
• Maintain an internal breach register to document the facts relating to the breach, its effects, and remedial action taken.

Notification to data subjects will include at least:

• A description of the nature of the breach;
• The name and contact details of our Data Protection Officer;
• Likely consequences of the breach;
• Measures taken or proposed to address and mitigate its adverse effects.

We use social media buttons, which redirect you to the social media platforms. The buttons work because of pieces of code that come from social media networks. If you want to know what the social media platforms do with your personal data, please read the relevant privacy statement:

• Meta (privacy policy)
• X (privacy policy)
• YouTube (privacy policy)
• Instagram (privacy policy)

Our products and services are not directed to individuals under the age of 18. We do not knowingly collect personal data from individuals under this age. If you become aware that a child has provided us with personal data without parental consent, please contact us, and we will take steps to remove the information.

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page.

We will let you know via email and/or a prominent notice on our Service, prior to the change becoming effective and update the "effective date" at the top of this Privacy Policy.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

If you have any questions about this Privacy Policy, please contact us by visiting the following page on our website: Contact Us