Privacy Policy

1.1. Depending on how you interact with me and this website, I may collect and use the following personal data about you:

• your name and contact details, including email address, and any other information you choose to share when you contact me or subscribe to the newsletter;
• your invoicing details when you work with me, including company or trading name where relevant;
• information shared during sessions, including brief working notes I take to support the continuity of our work — described in more detail under “How long your personal data will be kept” below;
• technical data about your visit to this website, including IP address, browser, operating system, country-level location, and pages viewed, collected through privacy-respecting analytics;
• metadata about communications between us, such as the time, sender, and subject of emails.

1.2. I do not collect or process payment card details on this website. Payments for one-to-one work are handled separately through Revolut Business and do not pass through this website.

2.1. I collect most of this personal data directly from you — by email, through the contact form on this website, when you subscribe to the newsletter, and during our work together. Some technical data is collected automatically when you visit this website, through privacy-respecting analytics provided by Cloudflare; this website does not set tracking cookies.

2.2. The Nondual Inquiry page includes a podcast player that is built into this website; it is not a third-party iframe or widget, and no Acast JavaScript runs on the page or in your browser. However, because the player streams audio directly from Acast’s servers, your browser makes direct requests to Acast — when the page loads (to fetch audio metadata) and when you play an episode (to fetch the audio file itself). Those requests carry the technical information any web request carries: your IP address, basic information about your browser and device, and the page you are visiting from. In the response, Acast may also try to place a third-party cookie in your browser; modern browsers typically block or limit such cookies under their tracking-protection settings. None of this involves Acast running code on the page, and Acast cannot observe how you use the rest of this website.

2.3. Outbound links to other services (for example, YouTube, Spotify, or Apple Podcasts) take you to those services, which have their own privacy practices.

3.1. Under data protection law, I can only use your personal data if I have a lawful basis. The bases I rely on, and the purposes they support, are:

• performance of a contract with you, or steps taken at your request before entering into a contract — for example, when you contact me to enquire about working together, when we have a first conversation, and when we work together one-to-one;
• compliance with legal and regulatory obligations — for example, retaining invoices and contractual records for tax and accounting purposes;
• your consent — for example, when you subscribe to the newsletter, or when you explicitly consent to a specific use of your personal data;
• my legitimate interests — for example, keeping records of past engagements, maintaining basic security and analytics for this website, and operating my practice. Where I rely on legitimate interests, I balance my interests against your own rights and freedoms.

3.2. Special category personal data. During one-to-one work, what you share with me may sometimes touch on emotional or psychological matters. To the extent any special category personal data is shared during sessions, I rely on your explicit consent given at the start of our engagement as the lawful basis for processing it. I treat such data with heightened confidentiality, take care not to record more than is needed for the continuity of our work, and do not retain it in identifiable form beyond what is operationally necessary.

4.1. I send a newsletter to people who have explicitly subscribed to receive it. Subscription is opt-in: I will not add you to the newsletter without your consent.

4.2. The newsletter may contain writing, reflections, and occasional notes about the work. I rely on your consent as the lawful basis for sending it.

4.3. You can withdraw your consent and unsubscribe from the newsletter at any time by:

• using the ‘unsubscribe’ link at the bottom of any newsletter email; or
• contacting me using the form on my ‘ Contact ’ page.

4.4. I will never sell your personal data or share it with other organisations for their own marketing purposes.

5.1. I use a small number of trusted third-party services to operate this website and my practice. These are my processors. They process personal data on my behalf, under contract, and only as required to provide their service to me.

• Netlify — hosts this website and receives contact form submissions (the name, email, and message you provide), which it stores in its forms inbox and forwards to me by email; also processes basic request data such as IP address for delivery and security; based in the United States, certified under the EU-US Data Privacy Framework including the UK Extension;
• Cloudflare — provides cookieless web analytics and content delivery; processes IP address and basic technical data without setting tracking cookies in your browser; based in the United States, certified under the EU-US Data Privacy Framework including the UK Extension;
• MailerLite — receives newsletter subscriptions; this website integrates with MailerLite by server-side request, so no MailerLite scripts are loaded in your browser and no MailerLite cookies are set when you subscribe; for visitors in the EEA, the UK, and Switzerland, services are provided by MailerLite Limited (Ireland) with data hosted on EU servers;
• Google Workspace — used for email correspondence with you; provided by Google with EU-US Data Privacy Framework certification including the UK Extension for relevant US transfers;
• Google Calendar — used to schedule sessions; same provider and transfer basis as Google Workspace;
• Zoom — used to host one-to-one sessions by video; based in the United States, certified under the EU-US Data Privacy Framework including the UK Extension;
• Acast — provides podcast hosting and audio delivery; receives basic request data (IP address, browser information, referring page) directly from your browser when the Nondual Inquiry page loads audio metadata or when episodes are played, and may try to place a third-party cookie that modern browsers typically block or limit; based in Sweden;
• Revolut Business — handles payments for one-to-one work; provided by Revolut Bank UAB (Lithuania); payment data does not pass through this website.

5.2. I only use processors who provide appropriate safeguards for your personal data and who are bound by contractual confidentiality and security obligations. Each processor publishes its own privacy notice describing how it handles personal data.

5.3. In addition to my processors, I may share personal data with:

• professional advisors such as accountants and lawyers, where required, who are bound by confidentiality obligations;
• law enforcement, courts, tribunals, or regulatory bodies, where I am required to do so by law;
• any party that acquires the practice in the event of a change of ownership, in which case any transfer will be subject to confidentiality obligations and a continuation of this Policy.

5.4. I will never sell your personal data.

6.1. Personal data is held within the services described under Who I share your personal data with above, and in working files I keep on devices and services I control directly. Working notes from sessions are stored only on systems I control, and are accessible only to me.

6.2. Some of my processors are based outside the EEA and the UK, principally in the United States. Where this is the case, the transfer mechanism is set out under Transferring your personal data out of the EEA and the UK below.

7.1. I keep your personal data only for as long as I need it. The default retention periods are:

• contact form enquiries and email correspondence — kept by me for up to two years from the date of last contact, then deleted, unless a working engagement begins; submissions also sit in the Netlify forms inbox under Netlify’s own retention until I delete them, which I do periodically;
• working notes from sessions — kept for the duration of our engagement and for two years after it ends, then deleted. You can ask me to delete them sooner at any time, and I will do so within thirty days of your request;
• newsletter subscription data — kept for as long as you remain subscribed; after you unsubscribe, your record is suppressed by MailerLite to prevent re-subscription in error, and removed on request;
• invoices, payment records, and contractual records — kept for the period required by Portuguese tax and accounting law, typically up to ten years following the end of the relevant calendar year;
• website analytics data — retained by Cloudflare in aggregated form according to Cloudflare’s own retention policies; I do not keep a separate copy.

7.2. Where data is no longer needed, I will delete or anonymise it.

8.1. Some of my processors are based in the United States. Where I transfer your personal data to processors outside the EEA and the UK, I rely on the following safeguards:

• the EU-US Data Privacy Framework (EU-US DPF) and the UK Extension to the EU-US DPF, where the relevant processor is certified under the framework. Netlify, Cloudflare, Google, and Zoom are all certified under the EU-US DPF including the UK Extension;
• Standard Contractual Clauses adopted by the European Commission and the UK International Data Transfer Addendum, where DPF certification is not available or applicable; and
• where neither of the above applies, a specific exception permitted under EU GDPR or UK GDPR.

8.2. If I change the destinations to which I send personal data, or the safeguards I rely on, I will update this Policy and the change will be reflected under Changes to this Privacy Policy below.

9.1. You have the following rights in respect of your personal data. You can exercise them free of charge in most circumstances; a reasonable fee may apply only where a request is manifestly unfounded or excessive.

9.2. Access — the right to be provided with a copy of the personal data I hold about you.

9.3. Rectification — the right to ask me to correct any mistakes in your personal data.

9.4. Erasure — also known as the right to be forgotten; the right to ask me to delete your personal data, in certain circumstances.

9.5. Restriction of processing — the right to ask me to restrict the way I use your personal data, in certain circumstances.

9.6. Data portability — the right to receive personal data you have provided to me in a structured, commonly used, and machine-readable format, and to ask me to transmit it to another controller, in certain circumstances.

9.7. To object — the right to object:

• at any time to your personal data being processed for direct marketing;
• in certain other situations, to my continued processing of your personal data — for example, where the processing is carried out on the basis of my legitimate interests, unless there are compelling legitimate grounds for it to continue or the processing is needed for the establishment, exercise, or defence of legal claims.

9.8. Not to be subject to automated individual decision-making — the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you. I do not make decisions about you in this way.

9.9. The right to withdraw consent — where I rely on your consent (for example, for the newsletter or for special category personal data), the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

9.10. To exercise any of these rights, please contact me as described under How to contact me below.

I take appropriate technical and organisational measures to protect your personal data against accidental loss, unauthorised access, alteration, or disclosure. Devices used to access personal data are protected by current operating systems and strong authentication. Working notes are stored only on systems I control. The processors I use are chosen in part for their published security practices. If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, I will notify you and the relevant supervisory authority without undue delay, in line with EU GDPR and UK GDPR requirements.

11.1. If you have a concern about how I handle your personal data, please contact me first using the form on my Contact page. I take complaints seriously and will respond promptly.

11.2. You also have the right to lodge a complaint with a data protection supervisory authority. If you are in the EEA, the lead supervisory authority for my practice is the Portuguese data protection authority, the Comissão Nacional de Protecção de Dados (CNPD), contactable at www.cnpd.pt . If you are in the United Kingdom, you may also contact the Information Commissioner’s Office (ICO) at ico.org.uk . In other jurisdictions, you may contact your local data protection authority.

This Privacy Policy was last updated on the 1st of June, 2026. I may update it from time to time to reflect changes in my practice, the services I rely on, or the law. The most current version is always the one published on this website. Material changes will be brought to your attention where I have a way to do so.

You can contact me using the form on my Contact page for any questions about this Privacy Policy, to exercise any of your rights, or to raise a concern. I am based in Lisbon, Portugal, and operate as a natural person rather than through a registered company.