Privacy Policy

Last Updated and Effective: 27 May 2026

What this document is

Privacy policies are usually dense. This one tries not to be. If you have a question while reading and want a direct answer, write to privacy@naltherapy.com and Shainna or her team will reply within 5 working days.

For purposes of this Policy, "data" means any information that identifies you or could reasonably be used to identify you — name, email, phone number, intake answers, session notes, and the content of your communications with the practitioner. Under EU law (GDPR) this is called "personal data", and some of it (specifically clinical and health data) is called "special category data", which receives additional legal protection.

Section 01

Who is the Data Controller

The data controller for your personal data is Neuro Alchemy Lab ("NAL"), a clinical practice founded and operated by Shainna, affiliated with C.Q.F.D. A.S.B.L. (a Belgian non-profit registered in Brussels, registration in progress). The data controller is responsible for deciding how and why your personal data is processed.

For all data-protection matters — including Subject Access Requests, consent withdrawal, and complaints — contact us at: privacy@naltherapy.com.

If you are not satisfied with how we handle a data concern, EU residents have the right to lodge a complaint with their national supervisory authority. Belgian residents may contact the Autorité de Protection des Données (APD/GBA) at autoriteprotectiondonnees.be. Residents of other EU member states may contact their own national data protection authority — a full list is available from the European Data Protection Board at edpb.europa.eu.

Section 02

What Data We Collect, and Why

We collect only the data that is necessary for the specific purpose it serves. The entries below set out each category, what it contains, why we collect it, and the legal basis under GDPR.

  • Visitor Data. What we collect: IP address, browser type, pages visited, time on site, referrer URL. Why we collect it: to operate and improve the site; to detect security threats. Legal basis: Art. 6(1)(f) — Legitimate Interest.
  • Booking Form Data. What we collect: first name, last name, email address, preferred language, session type, free-text message. Why we collect it: to respond to the booking request and schedule a session. Legal basis: Art. 6(1)(a) — Consent; Art. 6(1)(b) — Contract.
  • Intake Data. What we collect: name, contact details, emergency contact, medical/psychiatric history disclosed by the client, presenting issues. Why we collect it: to provide safe, informed clinical care. Legal basis: Art. 9(2)(a) — Explicit Consent (health data); Art. 6(1)(b) — Contract.
  • Clinical Records. What we collect: session notes, dates of service, treatment plan, NAP-D axis mapping. Why we collect it: to deliver clinical care and meet professional record-keeping obligations. Legal basis: Art. 6(1)(b) — Contract; Art. 6(1)(c) — Legal Obligation.
  • Payment Data. What we collect: transaction records. We do not store full card numbers; payment is processed by to be filled in. Why we collect it: to process and record payment. Legal basis: Art. 6(1)(b) — Contract.
  • Newsletter Data (Lab Letter). What we collect: email address, language preference, engagement data (opens, clicks). Why we collect it: to deliver the newsletter to subscribers who have opted in. Legal basis: Art. 6(1)(a) — Consent.
  • WhatsApp Communication. What we collect: phone number and message content when you initiate contact via WhatsApp. Why we collect it: to communicate with you via your chosen channel. Legal basis: Art. 6(1)(a) — Consent; Art. 6(1)(b) — Contract. Note: Meta is a joint processor for WhatsApp metadata.
  • Cookies and Analytics: see Section 5 below for what we collect, why, and the legal basis.

We do not collect data about race, ethnicity, political opinions, trade union membership, biometric identifiers, or genetic data. Where a client voluntarily discloses cultural, ethnic, or ancestral context as part of their clinical narrative, that disclosure is treated as part of the clinical record and handled under the special category data protections above.

Section 03

How We Use AI

NAL does not use any client clinical content — session notes, intake answers, written exchanges with the practitioner — to train any AI model, whether proprietary or third-party.

The practitioner may use AI tools for general administrative support (for example, drafting newsletter content or summarising public clinical literature). These uses never involve identifiable client data. Any text submitted to an AI tool for administrative purposes is first stripped of all identifying information.

If AI is used at any point in client-facing clinical work in the future — for example, AI-assisted note summarisation or translation — you will be notified in advance and explicit consent will be requested before any such use begins. This policy will be updated to reflect the change.

Section 04

Who We Share Data With

NAL does not sell client data. Ever. NAL does not share clinical content — session notes, intake answers, or the substance of communications — with any third party for advertising, marketing, or research purposes.

We work with a small number of service providers who may process personal data on our behalf. Each is listed below with the data they access and the reason:

  • Hosting — Hostinger: stores the website files and serves them to visitors. Hostinger has access to server logs including IP addresses. Hostinger Privacy Policy.
  • Newsletter provider to be specified: processes subscriber email addresses and engagement data to deliver the Lab Letter. Most major newsletter providers (Mailchimp, ConvertKit, Substack) operate GDPR-compliant Data Processing Agreements.
  • Booking form backend to be specified — e.g. Formspree: booking form submissions pass through this service before reaching info@naltherapy.com. Only the data you enter in the form is transmitted.
  • Payment processor to be specified — e.g. Stripe, PayPal, Wise: card payment data goes directly to the processor. NAL does not see or store full card numbers.
  • WhatsApp / Meta: where you initiate contact via WhatsApp, your phone number and message content are processed by Meta Platforms, Inc., subject to Meta's own terms and privacy policy.
  • Video and calendar to be specified — e.g. Google Meet, Zoom, Calendly: used to schedule and conduct online sessions. These platforms process your email address, name, and connection metadata.
  • Legal and regulatory authorities: we disclose data only when required by law — for example, under a valid subpoena, court order, or mandatory clinical reporting obligation (imminent risk of harm, suspected abuse of a minor or vulnerable adult).

Section 06

Cookies and Tracking

A cookie is a small text file stored on your device by a website. Cookies help sites remember your preferences, measure how visitors use the site, and (on other sites) serve targeted advertising. Here is what we use and why:

  • Strictly necessary cookies: required for the site to function — for example, remembering your language preference (EN/FR/AR) within a browsing session. These cannot be disabled because the site would not work correctly without them. No consent is required under GDPR for strictly necessary cookies.
  • Analytics cookies — Google Analytics: we use Google Analytics to understand how visitors find and use the site (pages viewed, time spent, referral source). Google Analytics sets cookies that may transmit data to Google's servers, including your IP address, which Google may anonymise depending on your settings. You may opt out via the cookie banner or by installing the Google Analytics Opt-out Browser Add-on.
  • Marketing / retargeting cookies: NAL does not currently run advertising retargeting campaigns and does not place marketing cookies. If this changes, this policy and the site's cookie banner will be updated before any marketing cookie is set.

For granular cookie controls and preferences, visit /sharing-settings.html.

Section 06

Data Retention

We hold data only for as long as it is needed for the purpose it was collected, or as required by law. The specific periods are:

  • Website visitor data (analytics): 14 months, in line with Google Analytics default configuration.
  • Booking form submissions where no session was subsequently booked: deleted after 12 months.
  • Active client records: retained for the duration of the therapeutic relationship.
  • Closed client records: retained for the legally required period under clinical record-keeping rules in the practitioner's jurisdiction — typically 10 years for clinical records in Belgium; longer if required by applicable professional regulation.
  • Newsletter subscriber data: retained until unsubscribe. Engagement data (opens, clicks) is deleted after 24 months of inactivity.
  • Payment records: 7 years, as required under standard tax and accounting obligations.

After the applicable retention period, data is securely deleted or anonymised so it can no longer be attributed to an individual.

Section 07

Your Rights Under GDPR

If you are an EU/EEA resident, you have the following rights regarding your personal data. To exercise any of them, email privacy@naltherapy.com. We will respond within 5 working days and fulfil formal requests within 30 days as required by law.

  • Right of Access (Art. 15 GDPR): request a copy of all personal data we hold about you, along with information about how it is processed.
  • Right to Rectification (Art. 16 GDPR): ask us to correct any inaccurate or incomplete personal data without undue delay.
  • Right to Erasure (Art. 17 GDPR): request deletion of your personal data — the "right to be forgotten". This right is subject to our legal retention obligations for clinical records; we cannot delete records we are required by law or professional regulation to retain.
  • Right to Restrict Processing (Art. 18 GDPR): ask us to pause processing your data in certain circumstances — for example, while you contest its accuracy or object to its use.
  • Right to Data Portability (Art. 20 GDPR): receive the personal data you have provided to us in a structured, commonly used, machine-readable format so you can transfer it to another service.
  • Right to Object (Art. 21 GDPR): object to processing based on our legitimate interest (Art. 6(1)(f)), including profiling. We will stop unless we can demonstrate compelling legitimate grounds that override your interests.
  • Right to Withdraw Consent (Art. 7(3) GDPR): withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing carried out before withdrawal. To withdraw newsletter consent, use the unsubscribe link in any Lab Letter email.
  • Right to Lodge a Complaint (Art. 77 GDPR): lodge a complaint with the supervisory authority in your EU member state. A full list of national data protection authorities is maintained by the European Data Protection Board at edpb.europa.eu.

For clients outside the EU — including those in MENA, Africa, and other regions — NAL extends these same rights as a matter of practice, even where local law does not require them. You have the same access to your data, the same right to correct or delete it, and the same right to a response within the same timeframes.

Section 08

International Data Transfers

Some of the service providers we use are based in or transfer data to countries outside the EU/EEA — principally the United States. Where this occurs, we ensure the transfer relies on one of the safeguards recognised by GDPR:

  • Adequacy decision: the European Commission has determined that the destination country provides an equivalent level of data protection (e.g., the EU–US Data Privacy Framework for qualifying US companies).
  • Standard Contractual Clauses (SCCs): we use the European Commission's approved model clauses where an adequacy decision does not cover a specific provider.
  • Explicit consent: in limited circumstances, where neither of the above applies, we will seek your explicit consent before the transfer.

The main providers involved in international transfers are: Google (Analytics, Meet) — covered by the EU–US Data Privacy Framework and SCCs; Meta/WhatsApp — SCCs; payment processor to be specified — SCCs or adequacy decision depending on provider; newsletter provider to be specified — SCCs or adequacy decision depending on provider.

You may request information about the specific safeguards in place for any transfer by writing to privacy@naltherapy.com.

Section 09

Children's Privacy

NAL does not knowingly collect personal data from anyone under the age of 16. The site and Services are directed at adults. Family sessions that involve the presence of a minor are arranged only with the documented written consent of all legal guardians, and any personal data relating to the minor is collected only to the extent necessary for safe clinical care and is handled under the strictest confidentiality in accordance with Section 2 of these terms.

If you believe that personal data relating to a child has been submitted to NAL without appropriate consent, please contact us immediately at privacy@naltherapy.com and we will delete it promptly.

Section 10

Security Measures

No system is perfectly secure. What follows is an honest account of the technical and organisational measures in place:

  • Transport encryption: the website uses TLS with 256-bit AES (AES-256-GCM) via a Let's Encrypt TLS certificate. All traffic between your browser and the server is encrypted in transit. The Site enforces HTTPS via a 301 redirect from HTTP.
  • Domain security: the domain is locked at the registrar level; DNSSEC is enabled where supported by the DNS provider.
  • Booking form submissions: transmitted over HTTPS and delivered to the practitioner's email account, which is protected by two-factor authentication.
  • Clinical records: stored in specify — e.g. encrypted cloud drive / dedicated EHR / encrypted local device, access-restricted to the practitioner.
  • WhatsApp communications: use Meta's end-to-end encryption. Message content is not accessible to Meta in transit; however, metadata (who communicated with whom, when) is visible to Meta.
  • Video sessions: conducted on platforms that use AES-256-GCM encryption in transit (Zoom uses AES-256-GCM; Google Meet uses DTLS-SRTP). The practitioner does not retain video or audio recordings of sessions unless the client provides explicit written consent — this is rare and used only for clinical supervision purposes.
  • Staff access: personal and clinical data is accessible only to the practitioner. No third-party team members access client records without explicit clinical need and consent.

If you become aware of a potential security incident affecting your data, please contact privacy@naltherapy.com immediately. If we become aware of a breach that is likely to affect your rights, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR Art. 33–34.

Section 11

Updates to This Policy

We will update this policy when our practices change, when we add new service providers, or when legal requirements evolve. The "Last Updated" date at the top of the page reflects the most recent revision; the version published at naltherapy.com/privacy.html is always the current version.

For significant changes — particularly those affecting how clinical data is processed — active clients will be notified directly by email at least 14 days before the change takes effect. Minor clarifications (corrections, updated provider names, formatting) may be made without advance notice.

Section 12

Contact

For all privacy-related questions, data subject access requests, consent withdrawals, or complaints: privacy@naltherapy.com.

We aim to acknowledge all privacy enquiries within 5 working days. Formal Subject Access Requests are fulfilled within 30 days as required by GDPR Art. 12. Where a request is complex or numerous, we may extend this period by a further two months, in which case we will notify you of the extension and the reason within the initial 30-day window.

Postal address (correspondence only): C.Q.F.D. A.S.B.L., Brussels, Belgium. Registration is in progress; the full registered address will be added once available.