Privacy Policy

HMS Privacy, Data & AI Use Policy

Welcome to the Privacy, Data Protection, and AI Use Policy for HMS High-Performance Solutions (“HMS”). I believe that high-performance starts with high-trust environments—and that means being radically transparent about how I handle your data, use artificial intelligence, and protect your rights.

This policy is designed for clarity, depth, and accountability, and it reflects my alignment with:

  • GDPR (EU General Data Protection Regulation)

  • EU AI Act

  • Global privacy frameworks (ISO/IEC 27701, EDPB, OECD Guidelines)

  • Industry-leading coaching ethics (ICF, EMCC, AC)

Whether you're a client, partner, website visitor, or someone curious about how I coach with integrity, you’re in the right place.

  • HMS High-Performance Solutions (“HMS”) is my coaching and leadership development practice, grounded in ethics, trust, and personal transformation. Through one-to-one coaching, group programs, leadership retreats, podcasting, and AI-powered tools, I support high-performing individuals and organizations to thrive—with human connection at the center.

    I’m physically based in Europe, but I work globally. I act as the sole data controller for the personal data I collect through my website, coaching services, podcast outreach, scheduling tools, assessments, and communication channels.

    This Privacy, Data, and AI Use Policy outlines how I collect, process, store, share, and protect personal information, in full alignment with:

    • The EU General Data Protection Regulation (GDPR)

    • The EU Artificial Intelligence Act (EU AI Act)

    • Global data protection principles (ISO/IEC 27701, EDPB, OECD)

    • Coaching ethics from the ICF, EMCC, and AC

    I believe in radical transparency—so I’ve designed this policy to be human-readable, clear, and comprehensive.

    Controller: HMS High-Performance Solutions (Hassan M. Al-Shohaty) — Limassol, Cyprus.
    Contact: hassan@hellohms.com

  • Under What Jurisdiction?

    I operate under the European Union’s General Data Protection Regulation (GDPR) and, where relevant, comply with other international data protection and AI-related regulations. My data handling is structured to meet the standards of the EU AI Act, and I follow guidance from supervisory authorities such as the EDPB.

  • Managing Our Relationship

    I collect and use personal data so I can:

    • Deliver coaching, training, and consulting services

    • Communicate effectively with you throughout our engagement

    • Understand your goals, challenges, and progress

    • Customize sessions, frameworks, or tools for your needs

    • Maintain accurate records for performance tracking, support, and administrative purposes

    • Evaluate and improve the effectiveness of services

    I may also use anonymized and aggregated insights from my coaching work to analyze trends, support R&D, and demonstrate impact in a privacy-preserving way.

    Data processed may include:

    • Name, email, phone number, job title, organization

    • Coaching goals, challenges, and session insights

    • Questionnaire responses and onboarding materials

    • Scheduling data and communication history

    • Audio transcripts (if you opt in)

    • Progress tracking tools and templates

    • Leadership and personality assessments (e.g. Hogan HPI, HDS, MVPI) and resulting reports, where you choose to complete them

    • Publicly available information (e.g., from LinkedIn)

    Lawful bases for processing:

    • Contractual necessity (Art. 6(1)(b) GDPR) – to deliver coaching, training, consulting, and related services you have requested

    • Legitimate interest (Art. 6(1)(f) GDPR) – for improving services, running the business, and protecting systems, balanced against your rights

    • Legal obligation (Art. 6(1)(c) GDPR) – for tax, accounting, and regulatory requirements

    • Consent (Art. 6(1)(a) GDPR) – for optional features like session recordings, newsletter subscriptions, and participation in Hogan assessments where required (including any international data transfers associated with those assessments)

    Where I rely on legitimate interest—for example, to improve my coaching methods or evaluate impact—I always assess whether your rights and freedoms are respected and give you the ability to object.

    Marketing & Community Engagement

    If you subscribe to updates, attend an event, or engage with HMS on social media or via my podcast, I may use your information to:

    • Send newsletters, podcast content, or event invites via MailerLite

    • Share program launches or leadership insights

    • Invite you to surveys, community forums, or research

    • Track and improve engagement using analytics tools (e.g., MailerLite and Google Analytics)

    You will always have a clear opt-out option, and I only send communications based on:

    • Consent (Art. 6(1)(a) GDPR)

    • Legitimate interest (Art. 6(1)(f) GDPR, if we have an existing relationship)

  • Sensitive or Special Category Data

    During coaching sessions, sensitive information—such as mental health, stress, relationships, or diversity-related insights—may naturally arise. I do not proactively seek this data, and I only process or retain it under these conditions:

    • You voluntarily share it during a session, and

    • You give explicit consent to retain it (Art. 9(2)(a) GDPR)

    This includes topics like:

    • Mental health, burnout, neurodiversity, and well-being

    • Race, religion, cultural background

    • Family or caregiving responsibilities

    • Gender identity, sexual orientation, or personal values

    Hogan Assessments do not process special category (sensitive) personal data, and HMS does not transmit or request such data as part of the assessment process. This aligns with ICAP’s contractual requirement that sensitive data such as health information, racial/ethnic data, or sexual life are not collected or shared in the assessment workflow.

    If you do not wish for such information to be stored, you can request it not be documented. I take extra care when working with sensitive insights and always keep them confidential, private, and protected.

    Anonymized and Aggregated Coaching Insights

    Learning from Patterns, Without Ever Revealing Individuals

    To continuously improve the coaching experience, share evidence of impact, and contribute to broader learning, I occasionally process coaching data in anonymized, aggregated form. This practice is conducted under legitimate interest (GDPR Art. 6(1)(f))—which means it supports HMS’s mission to deliver high-quality, data-informed services while protecting individual privacy.

    Examples of where this shows up:

    • Leadership trend reports

    • Podcast themes based on real coaching insights

    • Speaking engagements or program proposals

    • Evaluation dashboards for organizational clients

    What I might share:

    • “80% of senior leaders reported increased clarity by session 4”

    • “Common barriers include people-pleasing and overextension”

    • “Resilience improved in 7 out of 9 team engagements after workshop 2”

    How I safeguard your data:

    • All identifiers are stripped—no names, emails, or personal stories

    • k-anonymity rules apply—no subgroup is shared unless it includes at least 5 people

    • No re-identification is possible, even through metadata or patterns

    • Small or unique cohorts are excluded unless I’ve obtained explicit consent

    This allows HMS to share what works—without ever exposing who shared it. If you’d prefer to opt out of anonymized data usage, you can do so at any time by contacting me at hassan@hellohms.com.

    Responsible Use of AI & Transcripts

    Only With Consent. Always With Oversight.

    When used responsibly, AI can enhance your coaching journey. But it will never replace the human connection we build together.

    If you opt in, I may use AI tools like:

    • CoachBot.AI (EU) – To help you track commitments, journal reflections, and receive reminders between sessions

    • OpenAI (ChatGPT Business Tier, EU/US) – To summarize transcripts or generate coaching insights (e.g., themes or goal tracking)

    Recordings and transcripts are only generated when:

    • You explicitly request them, and

    • You give written or verbal consent

    How I protect you:

    • AI summaries are reviewed manually and never stored long-term

    • Transcripts are deleted after use unless otherwise agreed

    • No data is used to train models (guaranteed by DPA)

    • Tools are business-grade and compliant with the EU AI Act, GDPR, and ISO standards

    You are always in control—able to opt in or out of AI support at any time. I continuously monitor ethical developments in AI to ensure your experience remains safe, respectful, and empowering.

  • Where Your Data Lives and Who Helps Me Manage It

    To deliver services securely and efficiently, I rely on trusted, GDPR-compliant third-party platforms (also known as subprocessors). These platforms help me schedule sessions, store documents, facilitate virtual meetings, and run core business operations. I only work with providers that offer robust privacy safeguards and have appropriate Data Processing Agreements (DPAs) in place.

    The platforms I currently use include:

    Coaching and Client Experience

    • Google Workspace (EU) – Secure cloud storage, email, calendar, and file management

    • Zoom / Microsoft Teams (EU) / Google Meet (EU) – For secure and private video sessions

    • Calendly (US with SCCs) – For scheduling sessions and automating availability

    • Typeform (US with SCCs) – For onboarding, feedback, and evaluations

    • Miro (EU/US) – For interactive exercises and visual tools during workshops or programs

    Business Operations and Compliance

    • Adobe (EU/US/Asia) – Document preparation and PDF management

    • Revolut Business (UK/EU) – For invoicing, payment processing, and accounting

    • MailerLite (EU) – For sending newsletters, program updates, and event invitations

    • Google Analytics (Global) – For tracking website usage and improving performance

    AI and Innovation Tools

    • CoachBot.AI (EU) – Optional accountability support with personalized reminders

    • OpenAI (Ireland/US) – Used exclusively for transcript summarization and only with consent

    Each subprocessor is either:

    • Located in the European Economic Area (EEA), or

    • Operates outside the EEA but has Standard Contractual Clauses (SCCs) or equivalent safeguards in place

    This ensures compliance with Articles 44–49 of the GDPR for international data transfers.

    How I Limit Risk

    I do not share session notes, sensitive data, or performance metrics with any external party without your explicit consent.

    Wherever possible:

    • I choose EU-based hosting and platforms

    • I avoid integrations that use personal data for advertising or profiling

    • I limit the volume of data shared with subprocessors to the minimum necessary

    • I regularly review my vendor list to ensure continued GDPR alignment

    You can request a current list of subprocessors, including their roles and locations, by contacting me at hassan@hellohms.com.

    Assessment Providers

    ICAP People Solutions (EU) – Certified Hogan distributor and Data Processor for administering leadership assessments on behalf of HMS. ICAP processes only personal data (no special category data) and retains it for 6 months after completion of the relevant project, in line with our DPA.

    Hogan Assessments (USA) – Subprocessor used by ICAP for assessment scoring and reporting. Hogan stores assessment data in the United States and processes it only with the subject’s explicit consent and under appropriate transfer safeguards.

    Safeguards Applied

    • Explicit participant consent before any assessment processing or international transfer.

    • ICAP must notify HMS of any data breaches or any inability to meet compliance obligations.

    • Hogan Assessments is contractually bound by ICAP to equivalent GDPR-aligned protections.

    • No assessment data is transferred or processed outside the EEA without HMS’s prior authorization as Data Controller.

    You may request the ICAP DPA summary or subprocessors list at any time.

  • How I Store Your Data and for How Long

    When you work with me—whether through coaching, assessments, or simply subscribing to my newsletter—your data is treated with confidentiality, integrity, and purpose. I store your information on encrypted, access-controlled systems that are selected specifically for their security, GDPR compliance, and alignment with privacy-by-design principles.

    Storage Practices

    • Encrypted Platforms: All coaching records, session notes, transcripts (if applicable), and intake forms are stored on Google Workspace under encryption and restricted access (accessible only by me).

    • Role-Based Access: I operate under a need-to-know-only principle—meaning no one else has access to your data unless explicitly agreed.

    • Cloud-Based Security: All systems used (e.g., Zoom, Typeform, Miro, CoachBot.AI, MailerLite) offer EU-based hosting or include GDPR-approved safeguards for transfers outside the EEA.

    How Long I Keep Your Data

    I retain personal data only as long as necessary to fulfill the purposes for which it was collected, or as required under EU law, tax regulations, or ethical recordkeeping. This principle is in line with GDPR Article 5(1)(e).

    Here's what "necessary" typically means in practice:

    • For active clients: As long as we’re working together

    • For former clients: As long as needed for legitimate business or legal reasons, such as providing references, follow-up summaries, invoicing audits, or coaching certifications

    • For newsletter subscribers: Until you unsubscribe or request deletion

    • For session recordings or transcripts: Only if requested, and retained for the duration agreed upon in writing

    Once retention is no longer needed:

    • Files are securely deleted or anonymized

    • Backups are purged from cloud platforms

    • Session notes are erased or depersonalized

    Exceptions

    In some cases, I may retain minimal data (e.g. invoice records or program dates) where required by:

    • Financial regulations

    • Coaching accreditation verification (e.g. EMCC/AC)

    • Dispute resolution or contractual claims

    Transfers for Hogan Assessments

    Some assessment-related data is transferred to the United States for scoring and report generation by Hogan Assessments.

    This occurs only after the participant has provided explicit consent, in line with ICAP requirements and GDPR Chapter V (Articles 44–49) on international data transfers.

    Safeguards include:

    • Standard Contractual Clauses (SCCs) used by Hogan Assessments

    • Explicit consent collected before processing

    • Strict purpose limitation – data used solely to generate your assessment report

    • 6-month retention by ICAP after completion of the relevant project, before deletion

    • HMS may keep the final assessment report (PDF) for coaching purposes under the general client-data retention rules unless you request deletion.

    If you prefer not to have your data transferred outside the EU, you may decline the assessment.

    You have the right to ask for more detail on what I hold, for how long, and why—just email hassan@hellohms.com and I’ll walk you through it.

  • What I Record—and Only With Your Consent

    Your privacy is paramount in every interaction. I do not record coaching sessions by default. However, if you specifically request a session to be recorded—whether for personal reflection, team learning, or summary documentation—I’ll only proceed after receiving your explicit, informed consent.

    If a Session is Recorded:

    • You will be clearly informed of what is being recorded (e.g. video, audio, transcript).

    • Consent will be confirmed verbally or in writing before the session.

    • The recording will be stored in a secure, encrypted folder on Google Workspace.

    • Access will be restricted solely to you and me, unless additional permissions are given in writing.

    • Recordings will be deleted once they’ve served their intended purpose (e.g. for note-taking, summarization, or reflection), unless otherwise agreed.

    Transcriptions and Summaries

    With your explicit consent, I may use platforms such as Google Meet, Microsoft Teams, or Zoom to record or transcribe our sessions. When a transcript is created, I may upload it to ChatGPT (OpenAI), with your consent as well, to generate summaries and key insights—especially useful in high-intensity leadership programs, group workshops, or performance coaching.

    These are:

    • Only used when you explicitly opt in.

    • Processed under a signed Data Processing Agreement (e.g., with OpenAI).

    • Used exclusively for coaching summaries or structured reflection tools (e.g., SMART goals or the Wheel of Professional Life).

    • Deleted immediately after the summaries are completed and validated with you.

    Why This Matters:

    Session recordings and transcripts offer value, but they are never a default or assumed part of coaching. You remain in full control of:

    • What is captured

    • How it is used

    • When it is deleted

    My commitment is to protect your trust—not just through policies, but through every step of how we work together.

  • How I Use AI—And Why You’re Always in Control

    Artificial intelligence (AI) can enhance the coaching experience, streamline workflows, and help clients gain faster insights. But it’s never a replacement for human connection—or consent.

    I integrate select AI-supported tools into HMS coaching services, but only with your informed, opt-in consent. Here’s what that looks like in practice.

    AI Tools I Use:

    • CoachBot.AI (Alexis): A digital accountability companion that supports progress tracking between sessions. You may choose to use it to log actions, journal thoughts, or get nudges toward your goals.

    • OpenAI (ChatGPT Business Tier): Used solely to summarize coaching session transcripts (with consent), draft session insights, or assist in developing reflection questions or tailored resources.

    • Zoom, Microsoft Teams, and Google Meet: These platforms may be used to record or transcribe sessions, but only when you explicitly request it.

    These tools are designed to support—not replace—human-led coaching. They’re opt-in, use business-level subscriptions, and operate under GDPR-compliant terms.

    Safeguards in Place:

    • Consent-Only Processing: No AI tool processes any personal data unless you've explicitly agreed.

    • No AI Model Training: Data shared with OpenAI or CoachBot.AI is never used to train their models. I ensure this via strict provider agreements.

    • Human Oversight: Every AI-assisted output is reviewed by me. Nothing is shared externally or stored without necessity.

    • EU AI Act Alignment: I stay updated on evolving AI regulations, including the EU AI Act, and apply best practices for transparency, fairness, and safety—even where formal obligations may not yet apply.

    Examples of AI Use:

    • After a session (with your consent), I may generate a summary using OpenAI to help you reflect or plan next steps.

    • CoachBot.AI may send you a reminder to follow up on an action or log a win between sessions.

    • If you request a recording or transcript, Zoom, Teams, or Google Meet may facilitate that—with secure storage and deletion practices in place.

    You Stay in Control:

    • You can opt out of any AI tool at any time—no justification required.

    • You’ll always be informed of what data is being processed, how it’s used, and who can access it.

    • Any AI-generated summary or content is your property and is never reused or repurposed elsewhere.

    • HMS does not use AI for automated decision-making or profiling that produces legal or similarly significant effects.

    In short, AI supports your transformation—but you remain in the driver’s seat.

  • When You Hear From Me (And How to Stop)

    If you sign up for my newsletter, download a resource, attend a webinar, or join a mailing list, you might occasionally receive:

    • Leadership insights or personal development tools

    • Invitations to webinars, workshops, or events

    • Announcements about new services or coaching offers

    • Updates about the Present Potential podcast

    These emails are sent via MailerLite, a GDPR-compliant provider based in the EU.

    You’ll always find an unsubscribe link in every email. You can also email me directly at hassan@hellohms.com if you want to:

    • Update your email preferences

    • Stop receiving marketing communications altogether

    • Ask questions about what data I use for outreach

    I’ll never sell your data or share your details with third parties for marketing unless you’ve explicitly consented.

  • What My Website Collects Behind the Scenes

    When you visit www.hellohms.com, certain data is automatically collected to ensure the site works smoothly and helps me understand how people use it. This includes:

    • Your IP address

    • Browser type and version

    • Device type

    • Pages you visit and for how long

    • Referrer URL (where you came from)

    • Country/region location (approximate, not GPS-based)

    This data is collected through cookies and similar technologies, primarily via Google Analytics, which helps me monitor site performance and tailor content to what matters most to my audience.

    Your Cookie Choices

    When you land on the site, you’ll see a cookie banner allowing you to accept or decline non-essential cookies. You can also manage your cookie settings via your browser.

    If you opt out, you’ll still have access to all content—just without personalized analytics or features like embedded scheduling.

    Cookie Use is Based On:

    • Consent (GDPR Art. 6(1)(a)) for non-essential cookies

    • Legitimate interest (Art. 6(1)(f)) for essential, security-related cookies

  • When I Might Share Your Data—and Why

    I do not sell, trade, or rent your personal data—ever. However, I may share it in specific, limited circumstances that support the delivery of services or fulfill legal and ethical responsibilities.

    Here’s when sharing might happen:

    • Service Delivery:
      I work with trusted subprocessors (e.g. Zoom, Google Workspace, CoachBot.AI) that help me operate efficiently and securely. These partners only access your data as necessary to perform services and are bound by GDPR-compliant agreements.

    • Anonymized, Aggregated Insights (Legitimate Interest):
      From time to time, I may use anonymized and aggregated data to:

      • Illustrate the impact of coaching (e.g., “85% of participants achieved a breakthrough by session 5”)

      • Share program insights in marketing, reports, or educational content

      • Inform research, partnerships, or strategic development

      These insights are:

      • Fully anonymized (no names, emails, or identifiers)

      • Shared only when k-anonymity ≥ 5 (i.e., no group contains fewer than five participants)

      • Never capable of being traced back to you

      This processing is carried out under legitimate interest (GDPR Art. 6(1)(f)) and is always balanced with your right to object.

    • Legal Compliance:
      If legally required (e.g., under tax laws or a court order), I may disclose relevant data to authorities or regulatory bodies.

    • Professional Standards & Accreditation:
      If you’re working with me as part of a credentialed coaching program or corporate engagement, I may confirm participation or completion with minimal data (e.g., name, engagement dates) to organizations like the EMCC or ICF. This will only happen with your awareness.

    • Business Operations:
      If HMS were to merge, restructure, or transfer ownership, relevant client information may be included in the transferred assets—but only under lawful conditions and with adequate protection.

    Important Safeguards:

    • No coaching session notes or sensitive personal data will ever be shared without your explicit written consent.

    • Any third parties I work with are selected based on their strong privacy practices, data security, and contractual obligations.

    • Shared data will always be proportionate, purpose-limited, and legally justified.

    • HMS shares personal data with ICAP People Solutions solely for the purpose of administering Hogan Assessments.

    • ICAP may share data with Hogan Assessments in the USA as a subprocessor, only under explicit consent and with GDPR-aligned safeguards in place.

    • No sensitive data or coaching session notes are ever shared with ICAP or Hogan.

  • I follow a privacy-by-design approach and only collect data necessary to deliver coaching, communications, and services. This means:

    • I don’t require personal data unless it directly supports our work together.

    • I avoid capturing sensitive information unless you choose to share it.

    • I regularly review the data I hold and securely delete or anonymize anything that’s no longer needed.

    If you’d like any or all of your data erased—session notes, contact history, transcripts—you can request this at any time by emailing me. I’ll honor that immediately, unless I’m legally obligated to retain something (e.g. for accounting or contractual recordkeeping).

  • Your Rights Under GDPR

    You’re Always in Control

    GDPR gives you a set of rights over your data. Here’s what you can do:

    • Access: Ask what data I hold about you

    • Correct: Request updates if something’s wrong

    • Erase: Delete your data, unless I have a legal reason to keep it

    • Restrict or Object: Limit or opt out of legitimate-interest processing or marketing

    • Withdraw Consent: For AI use, session recording, or newsletters—at any time

    • Data Portability: Request a copy in a machine-readable format

    • Additional rights specific to Hogan assessments

      • Right to withdraw consent for Hogan Assessments at any time before completion.
      • Right to request deletion of your Hogan data through HMS, who will coordinate removal with ICAP and Hogan.
      • Right to access or correct assessment data, including raw scores or narrative summaries, subject to Hogan’s policies.
      • ICAP is obligated to notify HMS of any data subject requests and may only act following HMS’s written instruction as Data Controller.

    • Complain: You can lodge a complaint with the Office of the Commissioner for Personal Data Protection (Cyprus), Kypranoros 15, Nicosia 1061, Cyprus, +357 22818456, commissioner@dataprotection.gov.cy

    • HMS responds to access/erasure/objection and other requests within one month (extendable by two months for complex cases; we’ll notify you if extended)

    To exercise any of these, just email hassan@hellohms.com.

Updates to This Policy

I review this policy periodically, especially when:

  • I introduce new tools (like AI, scheduling, or coaching platforms)

  • GDPR or AI regulations evolve

  • I change service offerings or subprocessors

AI safety evaluations, incident handling, and copyright safeguards follow HMS internal governance (AI Tools & Workflows; Governance & Policies). Summaries are available on request.

Contact

For any questions, concerns, or data-related requests, just reach out to me via my Contact page.

If a personal-data breach occurs, HMS will assess and, where required, notify the supervisory authority within 72 hours and affected individuals without undue delay.