Privacy Policy
Dr. Mayssam Mounir | drmayssam.com | Last updated: May 11, 2026
This Privacy Policy explains how Dr. Mayssam Mounir (“I”, “me”, “my”) collects, uses, stores, shares, and protects personal information about you when you visit drmayssam.com, communicate with me, purchase any product or programme, or engage me as a consultant.
This Privacy Policy is read alongside the Terms of Service, the Practice Disclaimer & Informed Consent, the Cookie Policy, the Checkout Terms (for any purchase made through the website), the One-to-One Coaching Agreement (for any one-to-one engagement), and the Minors Engagement Addendum (where a minor client is involved). The documents are read together.
If you do not agree with this Privacy Policy, please do not use the website, purchase any product, or engage me as a consultant.
1. Who is responsible for your data
The data controller for the purposes of the EU General Data Protection Regulation (GDPR), the UK GDPR, the Lebanese Law No. 81 of 10 October 2018 on Electronic Transactions and Personal Data, and any other applicable data protection law is:
Dr. Mayssam Mounir Saliba
Mar Roukoz, Dekwene, Mount Lebanon, Lebanon
Email: support@drmayssam.com
drmayssam.com
I do not currently operate at a scale that requires the appointment of a Data Protection Officer under GDPR Article 37 or under Lebanese law. Privacy and data subject requests are handled by me directly at the address above.
Where you are an EU or UK data subject, my designated representative for the purposes of GDPR Article 27 and UK GDPR Article 27 is [TO BE APPOINTED]. Until a representative is appointed, EU and UK data subjects may contact me directly at the address above.
2. What information I collect
2.1 Information you give me directly
Identity: full name, title, date of birth where relevant for service delivery
Contact: email address, phone number, country of residence, time zone
Engagement: information you choose to share in intake forms, sessions, programmes, written correspondence, journals submitted for review, or assessments
Payment: name on card and billing address (full card details are processed by the payment processor and never stored by me)
Marketing preferences: subscription to newsletters, opt-in confirmations, language preference
2.2 Information collected automatically
Technical: IP address, browser type and version, device type, operating system, referring website
Usage: pages visited, time on page, click paths, search terms within the site, session duration
Cookies and similar technologies: see the Cookie Policy at drmayssam.com/cookies for the full cookie disclosure
2.3 Information from third parties
Payment confirmation and limited transactional metadata from my payment processor
Booking and scheduling details from any third-party booking platform you use to schedule a consultation
Email engagement metadata (opens, clicks) from my email service provider
2.4 Sensitive personal data
If, in the course of our work, you choose to share information that constitutes “special category” data under GDPR Article 9 (including health information, beliefs, sexual orientation, or biometric data), you are doing so voluntarily, in your own interest, and on the explicit basis that I will use it solely to deliver the service you have requested.
I do not solicit special category data through the public website, public sales pages, or marketing emails.
3. Why I collect it and on what legal basis
Under the GDPR and equivalent frameworks I rely on the following legal bases:
3.1 Performance of a contract (GDPR Art. 6(1)(b))
To deliver consultations, programmes, courses, journals, and digital products you have purchased
To communicate with you about your booking, your delivery, or our work
To process payments and issue receipts
3.2 Legitimate interest (GDPR Art. 6(1)(f))
To maintain the security of the website and prevent fraud
To improve my services and content based on aggregated, non-identifying analytics
To respond to enquiries and provide customer support
To enforce my rights, including under the Terms of Service
3.3 Consent (GDPR Art. 6(1)(a) and Art. 9(2)(a) for special category data)
To send you marketing emails or newsletters
To use non-essential cookies
To collect and process any sensitive personal data
To use any quote, story, image, or testimonial of yours in any public material
To extract anonymized derivatives of one-to-one engagement material for research, teaching, writing, and publication purposes, where you have given the separate opt-in consent set out in section 7.5 of the Coaching Agreement
3.4 Legal obligation (GDPR Art. 6(1)(c))
To comply with tax, accounting, and record-keeping requirements under Lebanese law and any other applicable jurisdiction
To respond to lawful requests from public authorities
4. Who I share your information with
I do not sell, rent, or trade your personal information to anyone, ever, under any circumstances.
I share information only with the following categories of recipient and only to the extent strictly necessary:
Payment processors, to take payment and issue refunds
Email service provider, to send you emails you have opted to receive
Booking and scheduling platform, to manage consultations
Course and learning platform, to deliver programmes you are enrolled in
Cloud storage provider, where session notes, intake forms, written assessments, and session recordings (during their retention windows under Section 6) are stored encrypted at rest
Professional advisers (accountant, lawyer) bound by professional confidentiality
Public authorities, where I am compelled by court order or by law to disclose
Each of these processors is engaged under written terms requiring them to process your data only on my instruction, to keep it confidential, to apply appropriate security, and to assist with data subject rights.
5. International data transfers
Some of my service providers are based outside Lebanon and outside the European Economic Area (“EEA”), including in the United States. Where personal data is transferred outside the EEA or the United Kingdom, I rely on one of the following safeguards as required by GDPR Chapter V:
The Standard Contractual Clauses approved by the European Commission
The UK International Data Transfer Agreement, where the UK GDPR applies
An adequacy decision of the European Commission or the UK government, where one applies
Your explicit consent, where required and clearly given
You may request a copy of the safeguards in place by writing to me at the contact address in Section 1.
6. How long I keep your information
I keep personal information only for as long as is necessary for the purpose for which it was collected, plus any period legally required.
Retention periods:
One-to-one session recordings: ninety (90) days from the date of the session, after which they are permanently deleted. Recordings are retained only for the purpose of extracting working notes; they are not retained as a long-term record
One-to-one client records (intake forms, case notes, written assessments, written correspondence): ten (10) years from the end of the engagement, then permanently deleted
Digital product, course, cohort, and masterclass purchaser records: three (3) years from the date of last interaction, then permanently deleted, except where you have an active engagement or an active credit (a cohort credit issued under Section 7.2 of the Checkout Terms, valid for up to eleven months from issue)
Anonymized research derivatives: where a one-to-one client has given separate opt-in consent under section 7.5 of the Coaching Agreement, anonymized derivatives of session content, written assessments, and correspondence may be retained indefinitely. Once anonymized, these derivatives are no longer your personal data
Financial and tax records: ten (10) years from the end of the relevant tax year, as required by Lebanese law
Marketing list (newsletter subscribers): until you unsubscribe, after which I retain only the suppression record needed to honour your unsubscribe
Website analytics: aggregated and anonymised after 26 months
Payment records: as required by my payment processor and applicable tax law
Where you exercise your right to erasure, I will delete your personal data within thirty (30) days, except where I am required to retain it by law (for example, financial records) or where retention is necessary for the establishment, exercise, or defence of legal claims.
7. How I protect your information
All session notes, intake forms, and correspondence containing personal data are stored in encrypted systems
Access is restricted to me and to processors strictly necessary to deliver the service
Passwords are stored hashed; no passwords are stored in plaintext
Devices used to access client data are encrypted at rest and protected by strong authentication
Email correspondence containing sensitive content is, where you request it, conducted using end-to-end encrypted channels
In the event of a personal data breach affecting your rights and freedoms, I will notify the relevant supervisory authority within 72 hours where required, and I will notify you without undue delay where the breach is likely to result in a high risk to your rights and freedoms
8. Your rights
Under GDPR, UK GDPR, and Lebanese Law 81/2018, you have the following rights regarding your personal data:
Right of access: you may ask whether I hold information about you and request a copy
Right to rectification: you may ask me to correct inaccurate or incomplete data
Right to erasure (“right to be forgotten”): you may ask me to delete your data, subject to legal retention requirements
Right to restrict processing: you may ask me to stop processing your data while a dispute is resolved
Right to data portability: you may request your data in a structured, machine-readable format
Right to object: you may object to processing based on legitimate interest, including profiling
Right to withdraw consent: where I rely on your consent, you may withdraw it at any time, without affecting the lawfulness of processing carried out before withdrawal
Right to lodge a complaint: you may complain to your local data protection authority. In Lebanon, complaints regarding electronic data protection may be addressed to the Ministry of Economy and Trade or pursued through judicial channels under Lebanese Law 81/2018. In the EU, you may complain to the supervisory authority in your country of residence. In the UK, you may complain to the Information Commissioner's Office (ico.org.uk).
To exercise any of these rights, write to me at the contact address in Section 1. I will respond within thirty (30) days. I may need to verify your identity before acting on your request.
9. Cookies and tracking technologies
The Website uses cookies and similar technologies. These are governed by the standalone Cookie Policy at drmayssam.com/cookies, which forms part of this Privacy Policy by reference. The Cookie Policy describes the categories of cookies used, the legal basis for each, how long they last, and how to control them through the cookie banner, the persistent cookie preferences link in the website footer, and your browser settings.
Briefly: the Website uses strictly necessary cookies (no consent required), analytics cookies (loaded only with consent), and functional cookies (loaded only with consent). The Website does not run advertising trackers, third-party marketing pixels, or cross-site behavioural advertising tools.
10. Minors and children’s data
My services are directed to adults aged 18 and over by default. Limited exceptions exist for adolescents aged 13-17, under the architecture set out below. Services are not directed to, and I do not knowingly engage with, children under 13.
10.1 Default position
All my services, products, and engagements are directed to adults aged 18 and over by default. The exceptions in 10.2 to 10.5 below are specific, gated, and apply only where I have expressly opened the route.
10.2 Journals and similar digital products
Journals and similar reflective digital products are available for use by adolescents aged 13-17, except where a specific journal is expressly marked “Adults only (18+)” on its sales page. Purchase is made by the parent or legal guardian, who is the contracting party and the account holder. The minor uses the product under parental authorisation.
10.3 Cohorts, courses, and live programmes
Cohorts, courses, and live programmes are directed to adults aged 18 and over by default. Where a specific cohort, course, or programme is expressly marked “Teen-Welcome (Ages 13-17, parent consent required)” on its sales page, it is open to adolescents 13-17 on the same parental-purchase basis as journals.
10.4 One-to-one coaching
Direct one-to-one coaching is available only to adolescents aged 16-17. Engagements are governed by the Coaching Agreement together with a separate Minors Engagement Addendum, which sets out the parental contracting role, the safeguarding protocol, and the modified confidentiality and data protection architecture for minor clients. Direct one-to-one coaching is not available to anyone under 16.
10.5 Parent consultation about a minor
Where a parent engages me for consultation about a child of any age (including children under 13), the parent is the client, the parent is the data subject, and the work is to help the parent support the child. Data the parent shares about the child is processed only to deliver the consultation and is not retained as a record of the child.
10.6 Data protection for minor clients (where direct work is permitted)
Where the minor is the active client (one-to-one 16-17, or where a journal or teen-marked cohort is used by the minor under parental authorisation), the parent is the consenting party on behalf of the minor under GDPR Article 8 and equivalent frameworks
The data collected from the minor is the minimum necessary to deliver the work: their name, age, country of residence, the matters they bring to the work, and the engagement content. I do not solicit broader data
The parent has the same rights of access, rectification, erasure, and other data subject rights set out in Section 8, exercised on behalf of the minor
Where the minor is approaching the age of 18 and the engagement will continue past that birthday, the engagement converts to a standard adult engagement; the minor becomes the contracting party and the consenting party in their own right
The retention periods in Section 6 apply equally to records concerning minors
10.7 If a minor under 13 reaches me
If you believe that a child under 13 has provided me with personal data, or has accessed a service not intended for them, write to me at the contact address in Section 1 and I will delete the data and close any access as soon as possible.
11. Marketing communications
I send marketing emails (newsletters, programme launches, content updates) only to people who have opted in. Every marketing email contains a one-click unsubscribe link. Unsubscribing from marketing does not affect transactional emails relating to a purchase or active engagement.
12. Automated decision-making
I do not engage in automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you.
13. Changes to this Privacy Policy
I may update this Privacy Policy from time to time. The current version is always available at drmayssam.com/privacy. The “Last updated” date at the top tells you when it was last revised. Material changes affecting your rights will be communicated to you by email where I have your address, and a notice will be posted on the website.
14. How to contact me
For any question regarding this Privacy Policy or your data, or to exercise any of your rights:
Dr. Mayssam Mounir Saliba
Mar Roukoz, Dekwene, Mount Lebanon, Lebanon
Email: support@drmayssam.com
drmayssam.com