Skip to content

Legal

Privacy Policy

Clarity on how we handle your information, written in plain language, grounded in both EU and UAE data protection law.

Last updated · 2026-05-25

01. Introduction & Data Controller

Kyma is an international coaching and counseling practice operated by Ana Brahimaj through Lumea Digital Agency, a Dubai-based Free Zone company, serving clients internationally.

The data controller for the purposes of Regulation (EU) 2016/679 (GDPR) and of the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the "UAE PDPL") is Ana Brahimaj, trading as Kyma through Lumea Digital Agency. You can reach the controller by writing to ana@kymatalk.com, or by WhatsApp at +971 50 323 1302 (Dubai) or +39 333 328 5099 (Italy).

02. Scope of this notice

This notice applies to personal data we collect through the website kymatalk.com (including the contact form, the discovery-call booking flow and any direct correspondence by email or WhatsApp) and to the data we process when you enroll in a Coaching or Counseling engagement with Kyma.

It does not cover third-party websites linked from ours; those are governed by their own privacy notices.

03. What data we collect

We collect only what is strictly necessary. From the contact form: your name, email, the message you write, the area of interest you select, the explicit consent flag, and (for security and abuse prevention) your IP address and user-agent string at the moment of submission.

From the Cal.com discovery booking: your name, email, the selected time slot, your time zone, and any voluntary notes you add. From ongoing communications: the metadata of our email and WhatsApp exchanges (sender, recipient, date, subject), kept strictly for continuity of service.

From cookies and analytics: only the data described in our Cookie Policy. We do not buy data from data brokers, we do not build advertising profiles, and we do not collect special-category data (including health data) unless you voluntarily share it with us during a coaching or counseling conversation.

04. Why we collect it (lawful bases)

Each processing activity is grounded in a specific lawful basis under Article 6 GDPR and the corresponding lawful-basis provisions of the UAE PDPL. We rely on your consent (informed, specific, freely-given and unambiguous, per GDPR Art. 6.1.a and Art. 7) for the contact form, for the optional newsletter, and for loading non-essential third-party widgets such as the Cal.com booking iframe.

We rely on the performance of a contract or pre-contractual measures (GDPR Art. 6.1.b) to schedule and deliver coaching and counseling sessions. We rely on our legitimate interest (GDPR Art. 6.1.f) to respond to inquiries you initiate, to prevent abuse of the contact form and to keep the site secure. We rely on legal obligation (GDPR Art. 6.1.c) where invoicing and accounting rules require us to retain records.

Where you share sensitive information during a session, processing is based on your explicit consent (GDPR Art. 9.2.a) for the strict purpose of providing the service you requested. Under both GDPR Art. 7 and the UAE PDPL, you may withdraw your consent at any time, as easily as you granted it.

05. Who processes it on our behalf

We work with a short list of carefully chosen processors, each bound by a Data Processing Agreement under Art. 28 GDPR and by equivalent contractual safeguards aligned with the UAE PDPL.

Vercel Inc. (USA) hosts the website and serves edge functions. Sanity.io (USA, with EU regional storage available) stores editorial content. Resend Inc. (USA) delivers the transactional emails generated by the contact form. Cal.com Inc. (USA, with EU infrastructure) handles discovery-call scheduling, and is loaded only after you actively open the calendar widget. Vercel Web Analytics provides first-party, cookieless aggregate analytics. Google Fonts are self-hosted by Next.js at build time, so your browser never connects to Google's servers.

06. International transfers

Several of our processors are established in the United States. Where personal data is transferred outside the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (SCCs) adopted by Implementing Decision (EU) 2021/914 under Article 46.2.c GDPR, complemented by the supplementary measures recommended by the European Data Protection Board: encryption in transit and at rest, contractual data minimisation, and the right to challenge government access requests.

Where personal data of UAE residents is transferred outside the UAE, we rely on the cross-border transfer regime of the UAE PDPL: transfers occur either to jurisdictions recognised as providing an adequate level of protection or, in their absence, on the basis of appropriate contractual safeguards equivalent to the SCCs and on your explicit, informed consent for non-essential vendors. The current routing is: Vercel (USA region); Sanity (USA, with optional EU mirror); Resend (USA); Cal.com (USA and EU).

07. Retention periods

Contact-form messages and ad-hoc email correspondence are kept for up to 24 months from our last interaction, then deleted, unless an active coaching or counseling relationship has begun in the meantime.

Booking and session records are retained for 5 years after the end of the engagement, in line with ordinary contractual limitation periods, and for the longer period required by applicable invoicing and accounting rules. Consent records (including the timestamp, the wording shown and the choice made) are retained for 5 years after withdrawal, to evidence compliance with GDPR Art. 7 and the equivalent UAE PDPL requirement.

Aggregated, non-identifying analytics are retained indefinitely. You may always request earlier deletion subject to overriding legal obligations.

08. Your rights under both regimes

Under Articles 15 to 22 GDPR, and under the equivalent provisions of the UAE PDPL, you have the right to access your data, to rectify it, to request its erasure (the "right to be forgotten"), to restrict or object to its processing, to receive it in a portable, machine-readable format, and to opt out of decisions based solely on automated processing. Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of processing carried out before the withdrawal.

You also have the right to lodge a complaint. EU residents may contact the supervisory authority in their country of residence (in Italy, the Garante per la Protezione dei Dati Personali at www.garanteprivacy.it). UAE residents may contact the UAE Data Office, the federal regulator established under Federal Decree-Law No. 44 of 2021, which oversees the application of the PDPL (Federal Decree-Law No. 45 of 2021).

09. Children

Kyma's services are not directed at children. The website is intended for adults aged 18 and over.

Under the UAE PDPL, the processing of a minor's personal data is subject to the verifiable consent of a parent or legal guardian. If you believe a minor has provided us with personal data without such consent, please contact us and we will promptly delete it.

10. Security

We protect your data through TLS encryption in transit, encrypted storage at rest, strict role-based access for the controller alone, and routine deletion of data no longer needed. Our processors are required to maintain comparable or higher technical and organisational measures.

No system is ever perfectly secure; if a personal-data breach occurs that is likely to result in a risk to your rights, we will notify the competent supervisory authority without undue delay and in any case within 72 hours (GDPR Art. 33) and, where required, the affected individuals (GDPR Art. 34), together with the equivalent notification under the UAE PDPL.

11. Cookies

The website uses a minimal set of strictly necessary technologies and a small number of opt-in analytics and third-party widgets. Full details (including categories, vendors, durations and how to withdraw consent) are available in our Cookie Policy.

12. Changes to this notice

If we update this notice, the new version will appear here with a refreshed "last updated" date. Material changes (those that affect the lawful basis, the categories of data, the processors or the retention periods) will additionally be communicated by email to existing clients before they take effect.

13. Governing law

This notice is governed by the federal law of the United Arab Emirates, including the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), Federal Decree-Law No. 34 of 2021 on Combatting Rumours and Cybercrimes, and Federal Law No. 15 of 2020 on Consumer Protection, as supervised by the UAE Data Office (established by Federal Decree-Law No. 44 of 2021).

For clients residing in the European Economic Area, Regulation (EU) 2016/679 (GDPR) and the mandatory consumer-protection provisions of your country of residence apply in addition, to the extent they cannot be derogated from by contract.

14. Contact for privacy requests

To exercise any of the rights above, write to ana@kymatalk.com with the subject line "Privacy request". We will respond within 30 days as required by GDPR Art. 12.3 and within the timelines set by the UAE PDPL.

For urgent matters you can also reach us on WhatsApp at +971 50 323 1302 (Dubai) or +39 333 328 5099 (Italy).

15. Date of last update

This Privacy Policy was last updated on 25 May 2026. The English, Italian and Arabic versions are equally authoritative; in the event of any divergence in interpretation, the version in the language chosen by the data subject shall prevail.