Privacy Policy

Leading for the First Time (“we”, “us”, or “our”) is operated by Kevin Reimer. This Privacy Policy explains what personal information we collect when you use our website and program, how we use that information, and what choices you have.

We are committed to handling your information with care. Your entries are private. We do not read them, share them, or use them for any other purpose. Only you can see them.

We collect only the information necessary to provide the service:

• Email address — provided when you create an account or log in via a magic link.
• Full name and bio — optionally provided in your profile settings.
• Payment information — processed directly by Stripe. We do not receive or store your card number or banking details.
• Program entries — your monthly reflections, journal entries, assessment responses, and saved progress. These are stored in your account and accessible only to you.
• Usage events — anonymised events such as which month you opened or when a reflection was saved. These help us understand how the program is used at an aggregate level.

We use your information to:

• Authenticate you and maintain your account session.
• Store and retrieve your program progress across devices.
• Process your one-time payment via Stripe and confirm your access.
• Send you the magic-link email when you sign in.
• Understand aggregate usage patterns so we can improve the program.
• Respond to support requests you send us.

We do not use your information for advertising, and we do not sell it to third parties.

Your entries are private. We do not read them, share them, or use them for any other purpose. Only you can see them.

The year-end synthesis is generated entirely from your own saved entries and displayed only to you. You may export or print it at any time.

Your data is stored in a PostgreSQL database hosted on Supabase infrastructure, which is located in data centres that meet SOC 2 Type II and ISO 27001 standards. Data is encrypted at rest and in transit using TLS.

We use industry-standard security practices including parameterised database queries, HTTP security headers, rate limiting, and server-side-only environment secrets. No sensitive credentials are ever exposed to the browser.

We work with two external services to deliver the program:

• Supabase — provides authentication infrastructure. When you sign in, your email is processed by Supabase to generate and verify magic links. Supabase does not have access to your program entries.
• Stripe — processes your one-time payment. Stripe receives your payment details and email address to complete the transaction. We receive only a confirmation of payment status. Stripe's privacy policy is available at stripe.com/privacy.

We do not use analytics platforms, advertising networks, or social-media tracking pixels.

You have the right to:

• Access the personal information we hold about you.
• Export your program entries and year-end synthesis from within the app.
• Correct inaccurate information by updating your profile.
• Request deletion of your account and all associated data.
• Withdraw consent at any time by deleting your account.

To exercise any of these rights, email us at kevin@howtoprincipal.com. We will respond within 14 days.

We retain your account and program data for as long as your account is active. If you request account deletion, we will permanently remove your personal information and program entries within 30 days, except where we are required to retain records for legal or financial compliance purposes (such as payment records, which we retain for seven years).

This service is intended for adults working in professional roles. We do not knowingly collect personal information from anyone under 16. If you believe we have inadvertently collected such information, please contact us and we will delete it promptly.

We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date at the top of this page. If changes are significant, we will notify you by email. Continued use of the service after changes take effect constitutes acceptance of the revised policy.

This Privacy Policy is governed by the laws of the Province of British Columbia and the federal laws of Canada applicable therein.