PRIVACY POLICY
Dr. Maya Coaching OÜ
Website: www.drmayacoaching.com
Effective Date: 6 July 2026
This Privacy Policy describes how Dr. Maya Coaching OÜ collects, uses, and protects personal data in connection with the Website and our online coaching services. Please read it carefully. Capitalised terms not defined here have the meanings given to them in our Terms and Conditions.
1. INTRODUCTION AND SCOPE
This Privacy Policy explains how Dr. Maya Coaching OÜ, a private limited company (osaühing) registered in the Republic of Estonia, operating the website www.drmayacoaching.com ("Dr. Maya Coaching", "we", "us", or "our"), collects, uses, discloses, retains, and protects personal data about visitors to the Website, prospective clients, current and former clients, and other individuals with whom we interact (each, a "Data Subject" or "you").
This Policy applies to processing carried out through the Website, our booking and intake process, our online coaching sessions delivered by video, our email and scheduling systems, and any other channel through which we collect personal data. It is designed to satisfy our obligations under the EU General Data Protection Regulation 2016/679 ("EU GDPR"), the Estonian Personal Data Protection Act 2018 (Isikuandmete kaitse seadus), the UK General Data Protection Regulation and the UK Data Protection Act 2018 (together, "UK GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other applicable data protection and privacy laws in the jurisdictions where our Data Subjects reside.
2. DATA CONTROLLER AND CONTACT DETAILS
Dr. Maya Coaching OÜ is the "controller" of personal data processed under this Policy for the purposes of the EU GDPR and the UK GDPR, and a "business" for the purposes of the CCPA/CPRA. Contact details for privacy matters are:
Controller: Dr. Maya Coaching OÜ, Republic of Estonia.
Website: www.drmayacoaching.com
Privacy contact email: as published in the "Contact" or "Privacy" section of www.drmayacoaching.com.
For EU/EEA Data Subjects, our lead supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).
3. DEFINITIONS
The terms "personal data", "processing", "controller", "processor", "data subject", "special category data", "sensitive personal information", "pseudonymisation", "profiling", and "international transfer" have the meanings given to them under the EU GDPR, the UK GDPR, and equivalent applicable laws. "Services" has the meaning given in our Terms and Conditions.
4. CATEGORIES OF PERSONAL DATA WE COLLECT
Depending on your interaction with us, we may collect and process the following categories of personal data:
Identity data: full name, title, date of birth (where required), country of residence, and preferred language.
Contact data: email address, telephone number, postal address (for invoicing), and time zone.
Account and booking data: login credentials for our scheduling system, session bookings, appointment history, and preferences.
Intake and coaching data: information you provide in intake questionnaires, discovery calls, and coaching sessions, which may include information about your relocation, work, family, background, goals, and general wellbeing.
Special category / sensitive data: information relating to your mental or emotional wellbeing, health, or lifestyle that you choose to share in the course of coaching (see Section 5).
Financial data: billing address, invoice history, payment amounts, payment status, and last four digits of the card used. Full card numbers are handled by Stripe and are not stored on our systems.
Technical data: IP address, browser type and version, device identifiers, time-zone settings, operating system, and pages viewed on the Website.
Usage data: information about how you interact with the Website and our emails, including clicks, opens, and referral URLs.
Marketing and communications data: your preferences in receiving marketing communications and your communications with us.
Video conference metadata: session date, duration, and connection quality. Recordings are not made unless separately agreed in writing.
5. SPECIAL CATEGORY DATA AND SENSITIVE PERSONAL INFORMATION
Coaching sessions may involve you sharing information that constitutes "special category data" under the EU/UK GDPR (in particular data concerning health, including mental health) or "sensitive personal information" under the CCPA/CPRA and equivalent US state laws.
We process such data only where (a) you have given us explicit consent, obtained through the intake process, to process such data for the purpose of delivering the Services; or (b) processing is necessary for the establishment, exercise, or defence of legal claims. You may withdraw explicit consent at any time by writing to the privacy contact address, without affecting the lawfulness of processing carried out before withdrawal, but withdrawal may mean we can no longer provide the Services.
6. SOURCES OF PERSONAL DATA
We collect personal data from (a) you, directly, when you visit the Website, complete forms, book sessions, communicate with us, or participate in coaching; (b) automatically, through cookies and similar technologies as described in our Cookie Policy; and (c) from third parties, such as payment processors (transaction confirmations), our scheduling and email provider (booking data), and, where relevant, referrers who have your consent to introduce you.
7. PURPOSES OF PROCESSING
We process personal data for the following purposes:
To provide, personalise, and administer the Services, including scheduling and delivering coaching sessions.
To communicate with you, including confirmations, reminders, follow-ups, and responses to enquiries.
To process payments, issue invoices, prevent fraud, and manage refunds and payment plans.
To operate, secure, and improve the Website and our internal systems.
To comply with legal, regulatory, tax, and accounting obligations, including those applicable in Estonia and other jurisdictions.
To establish, exercise, or defend legal claims and to enforce our Terms and Conditions.
With your consent, to send you marketing communications about our Services and related content.
To keep confidential coaching notes for the duration of the engagement and for a reasonable period thereafter, for continuity of care and legal-protection purposes.
8. LEGAL BASES FOR PROCESSING
Under the EU/UK GDPR, we rely on the following legal bases:
Performance of a contract (Article 6(1)(b)): to book and deliver Services under a Coaching Agreement and to take pre-contractual steps at your request.
Legal obligation (Article 6(1)(c)): to comply with tax, accounting, anti-money-laundering, and other statutory obligations.
Legitimate interests (Article 6(1)(f)): to operate and improve the Website, maintain the security of our systems, respond to enquiries, keep short-form records of engagements for continuity, and (where lawful) to send limited service-related communications. Where we rely on legitimate interests, we have carried out balancing tests and you may object as described in Section 14.
Consent (Article 6(1)(a)): for non-essential cookies, marketing communications, testimonials, and any recording of sessions. Consent may be withdrawn at any time without affecting the lawfulness of prior processing.
Explicit consent (Article 9(2)(a)) and/or legal claims (Article 9(2)(f)): for processing of special category data (see Section 5).
9. COOKIES AND SIMILAR TECHNOLOGIES
We use cookies and similar technologies on the Website. Full details of the cookies we use, their purposes, durations, and how you can manage them are set out in our separate Cookie Policy, which is incorporated into this Policy by reference. Non-essential cookies are set only with your consent, obtained through our cookie banner.
10. DISCLOSURES AND CATEGORIES OF RECIPIENTS
We do not sell personal data. We disclose personal data only to the categories of recipients listed below, and only to the extent necessary for the purposes set out in Section 7:
Website and hosting: Squarespace, Inc. (USA) — hosting of www.drmayacoaching.com and the customer-facing checkout.
Payment processing: Stripe, Inc. and its affiliates (USA/Ireland) — card payments; and Wise Payments Limited (UK/Estonia) — bank and ACH transfers. These providers act as independent controllers for their own payment, fraud-prevention, and regulatory purposes.
Email, calendar, workspace, and scheduling: Zoho Corporation entities (India/USA/Netherlands) — email, calendar, forms, meetings, and productivity tools.
Video conferencing: the video-conferencing platform used to host coaching sessions (identified at the point of booking).
Professional advisers: lawyers, accountants, auditors, and insurers, engaged under confidentiality obligations.
Regulators, tax authorities, and law enforcement: where required by law, court order, or a competent regulatory authority.
Successors: to a successor entity in the context of a merger, acquisition, insolvency, or sale of all or part of our business, subject to appropriate confidentiality and data-protection safeguards.
Emergency responders and nominated emergency contacts: where necessary to protect a Data Subject's or another person's vital interests (see Section 16 of the Terms and Conditions).
11. INTERNATIONAL TRANSFERS OF PERSONAL DATA
Because we operate globally and use processors headquartered in the United States, India, and elsewhere, personal data may be transferred to and processed in countries outside the European Economic Area, the United Kingdom, or your country of residence, which may have data-protection laws that differ from those in your country.
Where such transfers occur from the EEA or the United Kingdom to a jurisdiction not covered by an adequacy decision, we implement appropriate safeguards, which typically include (a) the European Commission's Standard Contractual Clauses (2021) and, where applicable, the UK International Data Transfer Addendum or the UK International Data Transfer Agreement; (b) supplementary technical and organisational measures where required by a transfer-impact assessment; and (c) reliance on the EU-U.S. Data Privacy Framework and its UK Extension where the recipient is certified thereunder. Copies of the applicable safeguards are available on request via the privacy contact address.
12. RETENTION PERIODS
We retain personal data only for as long as is necessary for the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements. Indicative retention periods are:
Booking, session-attendance, and coaching notes: for the duration of the engagement plus seven (7) years thereafter, to comply with limitation periods and continuity-of-care considerations.
Invoicing and accounting records: for seven (7) years, in line with Estonian bookkeeping requirements under the Accounting Act (Raamatupidamise seadus).
Marketing preferences and consents: until consent is withdrawn or, if longer, for the period required to evidence compliance.
Website analytics and cookie data: as set out in the Cookie Policy.
Recorded sessions (where separately consented to): as agreed in writing at the time of consent and, in any event, no longer than reasonably necessary.
Where retention is no longer required, we securely delete or anonymise the data. Where deletion is not technically feasible (for example, in secure back-ups), we isolate the data and protect it from further processing until deletion is possible.
13. SECURITY MEASURES
We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. Measures include access controls and least-privilege access, encryption in transit (TLS) and, where applicable, at rest, strong authentication for administrative access, vendor due diligence, staff confidentiality obligations, and secure disposal of records.
No online transmission or storage system can be guaranteed to be one-hundred-per-cent secure. If you have reason to believe that your interaction with us is no longer secure, please notify us immediately at the privacy contact address.
14. YOUR RIGHTS UNDER THE EU GDPR
Subject to the conditions and limitations set out in the EU GDPR, EU/EEA Data Subjects have the following rights:
Right of access to the personal data we hold about you.
Right to rectification of inaccurate or incomplete personal data.
Right to erasure of personal data ("right to be forgotten") in specified circumstances.
Right to restriction of processing in specified circumstances.
Right to data portability, where processing is based on consent or contract and carried out by automated means.
Right to object to processing based on legitimate interests, including profiling based on those grounds, and to object at any time to processing for direct-marketing purposes.
Right to withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
Right not to be subject to solely automated decisions that produce legal or similarly significant effects on you (see Section 18).
Right to lodge a complaint with a supervisory authority (see Section 24).
15. YOUR RIGHTS UNDER THE UK GDPR
United Kingdom Data Subjects have equivalent rights under the UK GDPR and the UK Data Protection Act 2018. Requests may be made to the privacy contact address. UK Data Subjects also have the right to lodge a complaint with the UK Information Commissioner's Office ("ICO") at ico.org.uk.
16. YOUR RIGHTS UNDER THE CCPA/CPRA (CALIFORNIA RESIDENTS)
If you are a California resident, subject to the conditions and limitations of the CCPA/CPRA, you have the right to (a) know what categories and specific pieces of personal information we have collected, the categories of sources, the business or commercial purposes for which the information is used, and the categories of third parties with whom it is shared; (b) request deletion of personal information we collected from you; (c) correct inaccurate personal information; (d) opt out of any "sale" or "sharing" of personal information (as those terms are defined under CCPA/CPRA); (e) limit the use and disclosure of sensitive personal information to specific permitted purposes; and (f) not be discriminated against for exercising your rights.
We do not sell personal information for monetary consideration and do not knowingly share personal information for cross-context behavioural advertising. Categories of personal information collected and disclosed in the twelve (12) months preceding the effective date of this Policy correspond to the categories in Section 4. To exercise CCPA/CPRA rights, submit a verifiable request to the privacy contact address. Authorised agents may submit requests with written proof of authorisation.
17. YOUR RIGHTS UNDER OTHER US STATE PRIVACY LAWS
Depending on your state of residence, you may have additional or equivalent rights under state comprehensive privacy laws, including the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, the Texas Data Privacy and Security Act, the Oregon Consumer Privacy Act, and equivalent laws in other US states as they come into force. These rights typically include rights of access, correction, deletion, portability, and opt-out of targeted advertising, sale, and certain profiling. To exercise these rights, submit a request to the privacy contact address; where the relevant law provides an appeals process for denied requests, we will inform you of it.
18. AUTOMATED DECISION-MAKING AND PROFILING
We do not use personal data for solely automated decision-making that produces legal or similarly significant effects on you. To the extent we use automated tools (for example, spam filtering or basic analytics), those tools do not make significant decisions about you without meaningful human involvement.
19. CHILDREN'S PRIVACY
The Services are directed only to adults aged eighteen (18) years or older. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child, we will delete it as soon as reasonably practicable. Parents or guardians who believe their child has provided us with personal data should contact us at the privacy contact address.
20. MARKETING COMMUNICATIONS
We will only send you marketing communications by email where you have given consent (or, where permitted by law, where you are an existing client and have not objected). Every marketing email contains an easy-to-use unsubscribe link. You may also withdraw consent at any time by writing to the privacy contact address. Withdrawal of marketing consent does not affect service-related communications, which we may continue to send while you have an active engagement with us.
21. PERSONAL DATA BREACH NOTIFICATION
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of Data Subjects, we will notify the competent supervisory authority within seventy-two (72) hours of becoming aware of the breach, where required. Where the breach is likely to result in a high risk to the rights and freedoms of Data Subjects, we will also notify affected Data Subjects without undue delay in accordance with Articles 33 and 34 of the EU/UK GDPR and analogous obligations under other applicable laws.
22. THIRD-PARTY LINKS AND CONTENT
The Website and our communications may contain links to third-party websites, plug-ins, and applications. We are not responsible for the privacy practices of those third parties. When you leave the Website, we encourage you to read the privacy notice of every website you visit.
23. HOW TO EXERCISE YOUR RIGHTS
To exercise any of the rights described in this Policy, please email the privacy contact address published on www.drmayacoaching.com. We may ask you to verify your identity before we act on your request, using proportionate means. We will respond to verifiable requests within the period required by applicable law (typically one (1) month under the EU/UK GDPR, extendable by up to two (2) further months for complex requests; forty-five (45) days under the CCPA/CPRA, extendable once by a further forty-five (45) days).
There is no fee for exercising your rights, save where the request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request as permitted by law.
24. COMPLAINTS AND SUPERVISORY AUTHORITIES
If you are not satisfied with our handling of your personal data or your privacy rights, we encourage you to contact us first so that we may address your concerns. You also have the right to lodge a complaint with a supervisory authority, in particular in the EU/EEA member state of your habitual residence, place of work, or place of the alleged infringement. Our lead supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, aki.ee). UK Data Subjects may complain to the ICO (ico.org.uk). California residents may contact the California Privacy Protection Agency (cppa.ca.gov) or the California Attorney General (oag.ca.gov).
25. CHANGES TO THIS POLICY; CONTACT
We may update this Privacy Policy from time to time to reflect changes in law, our practices, or the Services. We will post the updated Policy on the Website and update the "Effective Date" above. Where changes are material, we will take reasonable steps to notify you (for example, by email or a prominent notice on the Website) before the changes take effect.
Questions, requests, or concerns relating to this Policy or our processing of personal data should be sent to the privacy contact address published on www.drmayacoaching.com.
