Privacy Policy

Clarity on how we handle your information — written in plain language, grounded in both EU and UAE data protection law.

Last updated · 2026-05-19

1. Introduction & Data Controller

Kyma is a private coaching and counseling practice founded by Ana [Cognome / Surname], operating from Italy and serving international clients online — with a long-standing community in the Gulf, particularly across the United Arab Emirates.

The data controller for the purposes of Regulation (EU) 2016/679 (GDPR) and of the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the “UAE PDPL”) is Ana [Cognome / Surname], trading as Kyma. You can reach the controller by writing to ana@kymatalk.com, or by WhatsApp at +971 50 323 1302 (Dubai) or +39 333 328 5099 (Italy).

2. Scope of this notice

This notice applies to personal data we collect through the website kymatalk.com — including the contact form, the discovery-call booking flow and any direct correspondence by email or WhatsApp — and to the data we process when you enroll in a Coaching or Counseling engagement with Kyma.

It does not cover third-party websites linked from ours; those are governed by their own privacy notices.

3. What data we collect

We collect only what is strictly necessary. From the contact form: your name, email, the message you write, the area of interest you select, the explicit consent flag, and — for security and abuse prevention — your IP address and user-agent string at the moment of submission.

From the Cal.com discovery booking: your name, email, the selected time slot, your time zone, and any voluntary notes you add. From ongoing communications: the metadata of our email and WhatsApp exchanges (sender, recipient, date, subject), kept strictly for continuity of service.

From cookies and analytics: only the data described in our Cookie Policy. We do not buy data from data brokers, we do not build advertising profiles, and we do not collect special-category data — including health data — unless you voluntarily share it with us during a coaching or counseling conversation.

4. Why we collect it (lawful bases)

Each processing activity is grounded in a specific lawful basis under both Article 6 GDPR and Articles 4 and 5 of the UAE PDPL. We rely on your consent — informed, specific, freely-given and unambiguous (GDPR Art. 6.1.a; PDPL Art. 5 and Art. 6) — for the contact form, for the optional newsletter, and for loading non-essential third-party widgets such as the Cal.com booking iframe.

We rely on the performance of a contract or pre-contractual measures (GDPR Art. 6.1.b; PDPL Art. 5) to schedule and deliver coaching and counseling sessions. We rely on our legitimate interest (GDPR Art. 6.1.f; PDPL Art. 5) to respond to inquiries you initiate, to prevent abuse of the contact form and to keep the site secure. We rely on legal obligation (GDPR Art. 6.1.c) where Italian tax and accounting rules require us to retain invoicing records.

Where you share sensitive information during a session, processing is based on your explicit consent (GDPR Art. 9.2.a; PDPL Art. 5) for the strict purpose of providing the service you requested. Under PDPL Art. 6 you may withdraw your consent at any time, as easily as you granted it.

5. Who processes it on our behalf

We work with a short list of carefully chosen processors, each bound by a Data Processing Agreement under Art. 28 GDPR and by equivalent contractual safeguards aligned with the UAE PDPL.

Vercel Inc. (USA) hosts the website and serves edge functions. Sanity.io (USA, with EU regional storage available) stores editorial content. Resend Inc. (USA) delivers the transactional emails generated by the contact form. Cal.com Inc. (USA, with EU infrastructure) handles discovery-call scheduling, and is loaded only after you actively open the calendar widget. Vercel Web Analytics provides first-party, cookieless aggregate analytics. Google Fonts are self-hosted by Next.js at build time, so your browser never connects to Google’s servers.

6. International transfers

Several of our processors are established in the United States. Where personal data is transferred outside the European Economic Area, we rely on the European Commission’s Standard Contractual Clauses (SCCs) adopted by Implementing Decision (EU) 2021/914 under Article 46.2.c GDPR, complemented by the supplementary measures recommended by the European Data Protection Board — including encryption in transit and at rest, contractual data minimisation, and the right to challenge government access requests.

Where personal data of UAE residents is transferred outside the UAE, we rely on Articles 22 and 23 of the UAE PDPL: transfers occur either to jurisdictions recognised as providing an adequate level of protection or, in their absence, on the basis of appropriate contractual safeguards equivalent to the SCCs and on your explicit, informed consent for non-essential vendors. The current routing is: Vercel — USA region; Sanity — USA with optional EU mirror; Resend — USA; Cal.com — USA and EU.

7. Retention periods

Contact-form messages and ad-hoc email correspondence are kept for up to 24 months from our last interaction, then deleted, unless an active coaching or counseling relationship has begun in the meantime.

Booking and session records are retained for 5 years after the end of the engagement, in line with the ordinary limitation period for service contracts under Article 2946 of the Italian Civil Code, and for up to 10 years where Italian tax and accounting rules (Art. 2220 c.c.) require longer retention of invoicing records. Consent records — including the timestamp, the wording shown and the choice made — are retained for 5 years after withdrawal, to evidence compliance with both GDPR Art. 7 and PDPL Art. 6.

Aggregated, non-identifying analytics are retained indefinitely. You may always request earlier deletion subject to overriding legal obligations.

8. Your rights under both regimes

Under Articles 15 to 22 GDPR and Articles 13 to 21 of the UAE PDPL, you have the right to access your data, to rectify it, to request its erasure (the “right to be forgotten”), to restrict or object to its processing, to receive it in a portable, machine-readable format, and to opt out of decisions based solely on automated processing. Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of processing carried out before the withdrawal.

You also have the right to lodge a complaint. EU residents may contact the Italian Garante per la Protezione dei Dati Personali — www.garanteprivacy.it — or the supervisory authority in their country of residence. UAE residents may contact the UAE Data Office (UAE DO), the regulator established under Federal Decree-Law No. 44 of 2021, which oversees the application of the PDPL.

9. Children

Kyma’s services are not directed at children. The website is intended for adults aged 18 and over. We do not knowingly collect personal data from anyone under 16 in the EU or under 18 in the UAE.

Where applicable national law requires it — and in any case under the UAE PDPL — the processing of a minor’s personal data is subject to the verifiable consent of a parent or legal guardian. If you believe a minor has provided us with personal data without such consent, please contact us and we will promptly delete it.

10. Security

We protect your data through TLS encryption in transit, encrypted storage at rest, strict role-based access for the controller alone, and routine deletion of data no longer needed. Our processors are required to maintain comparable or higher technical and organisational measures.

No system is ever perfectly secure; if a personal-data breach occurs that is likely to result in a risk to your rights, we will notify the competent supervisory authority within 72 hours (GDPR Art. 33) and, where required, the affected individuals (GDPR Art. 34; PDPL Art. 9).

11. Cookies

The website uses a minimal set of strictly necessary technologies and a small number of opt-in analytics and third-party widgets. Full details — including categories, vendors, durations and how to withdraw consent — are available in our Cookie Policy.

12. Changes to this notice

If we update this notice, the new version will appear here with a refreshed “last updated” date. Material changes — those that affect the lawful basis, the categories of data, the processors or the retention periods — will additionally be communicated by email to existing clients before they take effect.

13. Governing law

This notice is governed by Italian law and by Regulation (EU) 2016/679 (GDPR), as supplemented by D.Lgs. 196/2003 as amended by D.Lgs. 101/2018, for clients residing in the European Economic Area.

For clients residing in the United Arab Emirates, the UAE Federal Decree-Law No. 45 of 2021 (PDPL), Federal Decree-Law No. 34 of 2021 on Combatting Rumours and Cybercrimes, Federal Law No. 15 of 2020 on Consumer Protection, and the regulations issued by the Telecommunications and Digital Government Regulatory Authority (TDRA) apply in addition. Where the two regimes diverge, you may rely on the protection that is more favourable to you.

14. Contact for privacy requests

To exercise any of the rights above, write to ana@kymatalk.com with the subject line “Privacy request”. We will respond within 30 days as required by GDPR Art. 12.3 and within the timelines set by PDPL Art. 13.

For urgent matters you can also reach us on WhatsApp at +971 50 323 1302 (Dubai) or +39 333 328 5099 (Italy).

15. Date of last update

This Privacy Policy was last updated on 19 May 2026. The English, Italian and Arabic versions are equally authoritative; in the event of any divergence in interpretation, the version in the language chosen by the data subject shall prevail.