Privacy Policy

HMS Privacy, Data & AI Use Policy

Legal Notice

  • Company Name: HMS High Performance Solutions Company Ltd

  • Trading Name: HMS Coaching

  • Representative: Hassan M. Al-Shohaty

  • Address: Kyriakou Chatzioannou 5, IL PRIMO Block B, Office 301, Agios Athanasios, 4107, Limassol, Cyprus

  • Registry Number: HE 449878

  • Contact: hassan@hellohms.com | +357 99 123 086

  • Applicable Law: Republic of Cyprus, EU GDPR, EU AI Act

  • Supervisory Authority: Office of the Commissioner for Personal Data Protection, Kypranoros 15, Nicosia 1061, Cyprus | commissioner@dataprotection.gov.cy | +357 22818456

  • The European Commission provides a platform for online dispute resolution (ODR): https://ec.europa.eu/consumers/odr. HMS is neither obligated nor willing to participate in dispute resolution proceedings before a consumer arbitration board.

  • HMS High-Performance Solutions (“HMS”) is my coaching and leadership development practice, grounded in ethics, trust, and personal transformation. Through one-to-one coaching, group programs, leadership retreats, podcasting, and AI-powered tools, I support high-performing individuals and organizations to thrive—with human connection at the center.

    I’m physically based in Europe, but I work globally. I act as the sole data controller for the personal data I collect through my website, coaching services, podcast outreach, scheduling tools, assessments, and communication channels.

    This Privacy, Data, and AI Use Policy outlines how I collect, process, store, share, and protect personal information, in full alignment with:

    • The EU General Data Protection Regulation (GDPR)

    • The EU Artificial Intelligence Act (EU AI Act)

    • Global data protection principles (ISO/IEC 27701, EDPB, OECD)

    • Coaching ethics from the ICF, EMCC, and AC

    I believe in radical transparency—so I’ve designed this policy to be human-readable, clear, and comprehensive.

    Controller: HMS High-Performance Solutions (Hassan M. Al-Shohaty) — Limassol, Cyprus.
    Contact: hassan@hellohms.com

  • Under What Jurisdiction?

    I operate under the European Union’s General Data Protection Regulation (GDPR) and, where relevant, comply with other international data protection and AI-related regulations. My data handling is structured to meet the standards of the EU AI Act, and I follow guidance from supervisory authorities such as the EDPB.

  • Managing Our Relationship

    I collect and use personal data so I can:

    • Deliver coaching, training, and consulting services

    • Communicate effectively with you throughout our engagement

    • Understand your goals, challenges, and progress

    • Customize sessions, frameworks, or tools for your needs

    • Maintain accurate records for performance tracking, support, and administrative purposes

    • Evaluate and improve the effectiveness of services

    I may also use anonymized and aggregated insights from my coaching work to analyze trends, support R&D, and demonstrate impact in a privacy-preserving way.

    Data processed may include:

    • Name, email, phone number, job title, organization

    • Coaching goals, challenges, and session insights

    • Questionnaire responses and onboarding materials

    • Scheduling data and communication history

    • Audio transcripts (if you opt in)

    • Progress tracking tools and templates

    • Leadership and personality assessments (e.g. Hogan HPI, HDS, MVPI) and resulting reports, where you choose to complete them

    • Publicly available information (e.g., from LinkedIn)

    Lawful bases for processing:

    • Contractual necessity (Art. 6(1)(b) GDPR) – to deliver coaching, training, consulting, and related services you have requested

    • Legitimate interest (Art. 6(1)(f) GDPR) – for improving services, running the business, and protecting systems, balanced against your rights

    • Legal obligation (Art. 6(1)(c) GDPR) – for tax, accounting, and regulatory requirements

    • Consent (Art. 6(1)(a) GDPR) – for optional features like session recordings, newsletter subscriptions, and participation in Hogan assessments where required (including any international data transfers associated with those assessments)

    Where I rely on legitimate interest—for example, to improve my coaching methods or evaluate impact—I always assess whether your rights and freedoms are respected and give you the ability to object.

    Marketing & Community Engagement

    If you subscribe to updates, attend an event, or engage with HMS on social media or via my podcast, I may use your information to:

    • Send newsletters, podcast content, or event invites via MailerLite

    • Share program launches or leadership insights

    • Invite you to surveys, community forums, or research

    • Track and improve engagement using analytics tools (e.g., MailerLite and Google Analytics)

    You will always have a clear opt-out option, and I only send communications based on:

    • Consent (Art. 6(1)(a) GDPR)

    • Legitimate interest (Art. 6(1)(f) GDPR, if we have an existing relationship)

  • Sensitive or Special Category Data

    During coaching sessions, sensitive information—such as mental health, stress, relationships, or diversity-related insights—may naturally arise. I do not proactively seek this data, and I only process or retain it under these conditions:

    • You voluntarily share it during a session, and

    • You give explicit consent to retain it (Art. 9(2)(a) GDPR)

    This includes topics like:

    • Mental health, burnout, neurodiversity, and well-being

    • Race, religion, cultural background

    • Family or caregiving responsibilities

    • Gender identity, sexual orientation, or personal values

    Hogan Assessments do not process special category (sensitive) personal data, and HMS does not transmit or request such data as part of the assessment process. This aligns with ICAP’s contractual requirement that sensitive data such as health information, racial/ethnic data, or sexual life are not collected or shared in the assessment workflow.

    If you do not wish for such information to be stored, you can request it not be documented. I take extra care when working with sensitive insights and always keep them confidential, private, and protected.

    Anonymized and Aggregated Coaching Insights

    Learning from Patterns, Without Ever Revealing Individuals

    To continuously improve the coaching experience, share evidence of impact, and contribute to broader learning, I occasionally process coaching data in anonymized, aggregated form. This practice is conducted under legitimate interest (GDPR Art. 6(1)(f))—which means it supports HMS’s mission to deliver high-quality, data-informed services while protecting individual privacy.

    Examples of where this shows up:

    • Leadership trend reports

    • Podcast themes based on real coaching insights

    • Speaking engagements or program proposals

    • Evaluation dashboards for organizational clients

    What I might share:

    • “80% of senior leaders reported increased clarity by session 4”

    • “Common barriers include people-pleasing and overextension”

    • “Resilience improved in 7 out of 9 team engagements after workshop 2”

    How I safeguard your data:

    • All identifiers are stripped—no names, emails, or personal stories

    • k-anonymity rules apply—no subgroup is shared unless it includes at least 5 people

    • No re-identification is possible, even through metadata or patterns

    • Small or unique cohorts are excluded unless I’ve obtained explicit consent

    This allows HMS to share what works—without ever exposing who shared it. If you’d prefer to opt out of anonymized data usage, you can do so at any time by contacting me at hassan@hellohms.com.

    Responsible Use of AI & Transcripts

    Only With Consent. Always With Oversight.

    When used responsibly, AI can enhance your coaching journey. But it will never replace the human connection we build together.

    AI tools I use fall into two categories based on their data protection terms:

    Category 1 — Tools covered by a signed Data Processing Agreement (DPA)

    These tools may process personal data, including session transcripts, where you have given explicit consent:

    • Google Workspace / Gemini (Google LLC) — HMS has a signed Cloud Data Processing Addendum with Google (accepted July 2025). Data is stored on EU servers. Gemini is used to process session transcripts and generate coaching summaries, where explicit consent has been obtained. Google does not use your data to train its AI models.

    Category 2 — Tools used for non-personal data only

    These tools operate under consumer terms and are therefore only used for tasks that do not involve your personal data — such as drafting frameworks, generating content, or business writing:

    • Claude (Anthropic) — Used for content creation, framework development, communications drafting, and other tasks that do not involve personal client data. Claude Pro operates under Anthropic's consumer terms. No personal client data, session notes, or transcripts are processed through this tool.

    Recordings and transcripts are only generated when:

    • You explicitly request them, and

    • You give written or verbal consent

    How I protect you:

    • AI summaries are reviewed manually and never stored long-term

    • Transcripts are deleted after use unless otherwise agreed

    • Only tools with a signed DPA are used to process personal data

    • Human oversight is applied to every AI-assisted output

    You are always in control — able to opt in or out of AI support at any time.

  • Where Your Data Lives and Who Helps Me Manage It

    To deliver services securely and efficiently, I rely on trusted, GDPR-compliant third-party platforms (also known as subprocessors). I only work with providers that offer robust privacy safeguards and have appropriate Data Processing Agreements (DPAs) in place where required.

    Coaching and Client Experience

    • Google Workspace / Gemini (Google LLC, EU) — Secure cloud storage, email, calendar, file management, and AI-assisted transcript summarisation. Covered by a signed Cloud Data Processing Addendum (July 2025). Data stored on EU servers.

    • Google Meet (EU) — For secure video sessions and session transcription where consent is given.

    • Zoom (EU) — For secure and private video sessions. Covered by Zoom's Data Processing Agreement.

    • Microsoft Teams (EU) — For video sessions and transcript generation where consent is given. Covered by Microsoft's Data Processing Agreement.

    • Calendly (US, SCCs in place) — For scheduling sessions and automating availability.

    • Typeform (US, SCCs in place) — For onboarding, feedback, and evaluations.

    • Miro (EU/US, SCCs in place) — For interactive exercises and visual tools during workshops or programs.

    Business Operations and Compliance

    • Adobe (EU/US/Asia, SCCs in place) — Document preparation and PDF management.

    • Revolut Business (UK/EU) — Invoicing, payment processing, and accounting.

    • MailerLite (EU) — Newsletters, programme updates, and event invitations.

    • Google Analytics (Global, SCCs in place) — Website usage tracking and performance improvement. Only activated after cookie consent is given.

    • Pitch.com (EU) — Used internally for presentation creation. Does not process client personal data.

    AI Tools

    • Google Workspace / Gemini (EU) — See above. Primary AI tool for processing session transcripts and generating summaries. Covered by signed DPA.

    • CoachBot.AI (EU) — Optional accountability support with personalised reminders. Covered by CoachBot.AI's Data Processing Agreement.

    • Claude / Anthropic (US) — Used for content creation, framework development, and business writing only. No personal client data is processed through this tool. Claude Pro operates under Anthropic's consumer terms. No DPA in place — personal data is never inputted.

    Assessment Providers

    • ICAP People Solutions (EU) — Certified Hogan distributor and Data Processor for administering leadership assessments on behalf of HMS. ICAP processes only personal data (no special category data) and retains it for 6 months after project completion, in line with our signed DPA.

    • Hogan Assessments (USA) — Subprocessor used by ICAP for assessment scoring and reporting. Data is transferred to the US only with explicit participant consent and under Standard Contractual Clauses (SCCs).

    Safeguards Applied to All Subprocessors

    Each subprocessor is either located in the European Economic Area (EEA), or operates outside the EEA with Standard Contractual Clauses (SCCs) or equivalent safeguards in place, ensuring compliance with Articles 44–49 of the GDPR.

    • I do not share session notes, sensitive data, or performance metrics with any external party without your explicit consent.

    • I choose EU-based hosting and platforms wherever possible.

    • I limit the volume of data shared with subprocessors to the minimum necessary.

    • I regularly review my vendor list to ensure continued GDPR compliance.

    You can request a current list of subprocessors, including their roles and locations, by contacting hassan@hellohms.com.

  • How I Store Your Data and for How Long

    All personal data is stored on encrypted, access-controlled systems selected for their security, GDPR compliance, and alignment with privacy-by-design principles. Only I have access to your data unless explicitly agreed otherwise in writing.

    Storage Practices

    • Primary storage: Google Workspace (EU servers, confirmed). All coaching records, session notes, transcripts, and intake forms are stored here under encryption and restricted access.

    • Session platforms: Zoom, Microsoft Teams, and Google Meet store session data temporarily in accordance with their own DPAs and retention policies.

    • All other platforms (Typeform, Miro, Calendly, CoachBot.AI, MailerLite) offer EU-based hosting or GDPR-approved safeguards for any transfers outside the EEA.

    Retention Periods

    I retain personal data only as long as necessary for the purpose it was collected, in line with GDPR Article 5(1)(e). Below are the specific retention periods I apply:

    • Active client records (notes, goals, progress) — Duration of engagement

    • Former client records — 3 years after end of engagement

    • Session transcripts and AI-generated summaries — Deleted within 30 days of delivery to client, unless otherwise agreed in writing.

    • Invoices and financial records — 7 years (Cyprus tax law requirement)

    • Signed agreements and contracts — 5 years after end of engagement.

    • Newsletter subscriber data — Until unsubscribe or deletion request

    • Website analytics data (Google Analytics) — 14 months (Google Analytics default, anonymised).

    • Hogan Assessment data (held by ICAP) — 6 months after project completion

    • Job applicant data (if applicable) — 6 months after decision

    Once the relevant retention period expires:

    • Files are securely deleted or anonymised

    • Backups are purged from cloud platforms

    • Session notes are erased or depersonalised

    Exceptions

    I may retain minimal data beyond the above periods where required by:

    • Financial or tax regulations (Cyprus law requires 7 years for accounting records)

    • Coaching accreditation verification (EMCC/AC/ICF)

    • Dispute resolution or contractual claims

    • Legal obligation

    In these cases, only the minimum data necessary is retained, and only for as long as the obligation requires.

    Hogan Assessment Data Transfers

    Assessment-related data is transferred to the United States for scoring and report generation by Hogan Assessments, via ICAP People Solutions. This occurs only after you have provided explicit consent. Safeguards include Standard Contractual Clauses (SCCs), strict purpose limitation, and a 6-month retention period by ICAP. You may decline the assessment if you prefer your data not to be transferred outside the EU.

    Your right to request deletion

    You can request deletion of your data at any time by emailing hassan@hellohms.com. I will action this promptly unless a legal obligation requires me to retain specific records, in which case I will explain exactly what is retained and why.

  • What I Record — and Only With Your Consent

    I do not record coaching sessions by default. Recording only happens when you explicitly request it and give your informed consent beforehand.

    If a session is recorded:

    • You will be clearly informed of what is being recorded (video, audio, or transcript).

    • Consent will be confirmed verbally or in writing before the session begins.

    • The recording will be stored in a secure, encrypted folder on Google Workspace.

    • Access is restricted solely to you and me, unless additional permissions are given in writing.

    • Recordings are deleted once they have served their intended purpose, unless otherwise agreed in writing.

    Transcriptions and Summaries

    With your explicit consent, I may use Google Meet, Microsoft Teams, or Zoom to record or transcribe our sessions. When a transcript is created, I upload it to Gemini within Google Workspace to generate a summary and key insights — for example, themes, action points, or goal tracking.

    This process is:

    • Only used when you explicitly opt in.

    • Covered by a signed Data Processing Agreement with Google (Cloud Data Processing Addendum, accepted July 2025).

    • Processed on EU servers — your data does not leave the European Economic Area.

    • Used exclusively for coaching summaries or structured reflection tools.

    • Deleted within 30 days of delivery to you.

    What is never used for transcript processing:

    Session transcripts containing personal data are never uploaded to Claude (Anthropic) or any other tool operating under consumer terms without a signed DPA.

    You remain in full control of:

    • What is captured

    • How it is used

    • When it is deleted

    You can withdraw consent for recording or transcript processing at any time — no justification required.

  • How I Use AI — And Why You're Always in Control

    AI can enhance the coaching experience, streamline workflows, and help you gain faster insights. But it is never a replacement for human connection — or your consent.

    I use a small number of carefully selected AI tools, divided into two categories based on their data protection terms and what data is permitted to flow through them.

    Category 1 — AI tools covered by a signed Data Processing Agreement

    These tools may process personal data, including session transcripts and coaching content, where you have given explicit prior consent.

    Google Workspace / Gemini (Google LLC)

    • Used for: transcript summarisation, session insights, coaching summaries, and goal tracking.

    • DPA status: Signed Cloud Data Processing Addendum in place (accepted July 2025).

    • Data location: EU servers — your data does not leave the EEA.

    • Model training: Google does not use your data to train Gemini models outside your organisation's domain without explicit permission.

    • Consent required: Yes — always opt-in before any transcript is processed.

    CoachBot.AI

    • Used for: optional accountability support, progress tracking, and personalised reminders between sessions.

    • DPA status: Data Processing Agreement in place with CoachBot.AI.

    • Data location: EU.

    • Consent required: Yes — entirely optional and opt-in.

    Category 2 — AI tools used for non-personal data only

    These tools operate under consumer terms. They are used exclusively for tasks that do not involve your personal data — such as drafting frameworks, generating content, writing communications, and business administration.

    Claude (Anthropic)

    • Used for: content creation, coaching framework development, communications drafting, LinkedIn content, agreement templates, and general business writing.

    • DPA status: Claude Pro operates under Anthropic's consumer terms. No Data Processing Agreement is in place.

    • Personal data: No personal client data, session notes, transcripts, or identifying information is ever inputted into this tool.

    • Model training: Training opt-out is applied in settings.

    Safeguards that apply to all AI tools:

    • Consent-only processing — No AI tool processes your personal data unless you have explicitly agreed.

    • Human oversight — Every AI-assisted output is reviewed by me before use. Nothing is shared externally or stored without necessity.

    • Purpose limitation — Each tool is used only for the purpose described above. No cross-purpose processing.

    • No automated decisions — HMS does not use AI for automated decision-making or profiling that produces legal or similarly significant effects on you.

    • EU AI Act alignment — HMS applies best practices for transparency, fairness, and human oversight in line with the EU AI Act, and monitors regulatory developments on an ongoing basis.

    You stay in control:

    • You can opt out of any AI tool at any time — no justification required.

    • You will always be informed of what data is being processed, how it is used, and who can access it.

    • Any AI-generated summary or content produced about you is never reused or repurposed without your knowledge.

    • You can request details of which AI tools were used in your engagement at any time by contacting hassan@hellohms.com.

  • When You Hear From Me (And How to Stop)

    If you sign up for my newsletter, download a resource, attend a webinar, or join a mailing list, you might occasionally receive:

    • Leadership insights or personal development tools

    • Invitations to webinars, workshops, or events

    • Announcements about new services or coaching offers

    • Updates about the Present Potential podcast

    These emails are sent via MailerLite, a GDPR-compliant provider based in the EU.

    You’ll always find an unsubscribe link in every email. You can also email me directly at hassan@hellohms.com if you want to:

    • Update your email preferences

    • Stop receiving marketing communications altogether

    • Ask questions about what data I use for outreach

    For clients in the UAE and Dubai, I adhere to Federal Decree Law No. 45 of 2021. I process your data for marketing only upon receiving your express, unambiguous consent. You have the right to withdraw this consent instantly, and I will cease all processing within the timeframe required by local law.

    I’ll never sell your data or share your details with third parties for marketing unless you’ve explicitly consented.

  • What My Website Collects Behind the Scenes

    When you visit www.hellohms.com, certain data is automatically collected to ensure the site works smoothly and helps me understand how people use it. This includes:

    • Your IP address

    • Browser type and version

    • Device type

    • Pages you visit and for how long

    • Referrer URL (where you came from)

    • Country/region location (approximate, not GPS-based)

    This data is collected through cookies and similar technologies, primarily via Google Analytics, which helps me monitor site performance and tailor content to what matters most to my audience.

    Your Cookie Choices

    When you land on the site, you’ll see a cookie banner allowing you to accept or decline non-essential cookies. You can also manage your cookie settings via your browser.

    If you opt out, you’ll still have access to all content—just without personalized analytics or features like embedded scheduling.

    Cookie Use is Based On:

    • Consent (GDPR Art. 6(1)(a)) for non-essential cookies

    • Legitimate interest (Art. 6(1)(f)) for essential, security-related cookies

  • When I Might Share Your Data—and Why

    I do not sell, trade, or rent your personal data—ever. However, I may share it in specific, limited circumstances that support the delivery of services or fulfill legal and ethical responsibilities.

    Here’s when sharing might happen:

    • Service Delivery:
      I work with trusted subprocessors (e.g. Zoom, Google Workspace, CoachBot.AI) that help me operate efficiently and securely. These partners only access your data as necessary to perform services and are bound by GDPR-compliant agreements.

    • Anonymized, Aggregated Insights (Legitimate Interest):
      From time to time, I may use anonymized and aggregated data to:

      • Illustrate the impact of coaching (e.g., “85% of participants achieved a breakthrough by session 5”)

      • Share program insights in marketing, reports, or educational content

      • Inform research, partnerships, or strategic development

      These insights are:

      • Fully anonymized (no names, emails, or identifiers)

      • Shared only when k-anonymity ≥ 5 (i.e., no group contains fewer than five participants)

      • Never capable of being traced back to you

      This processing is carried out under legitimate interest (GDPR Art. 6(1)(f)) and is always balanced with your right to object.

    • Legal Compliance:
      If legally required (e.g., under tax laws or a court order), I may disclose relevant data to authorities or regulatory bodies.

    • Professional Standards & Accreditation:
      If you’re working with me as part of a credentialed coaching program or corporate engagement, I may confirm participation or completion with minimal data (e.g., name, engagement dates) to organizations like the EMCC or ICF. This will only happen with your awareness.

    • Business Operations:
      If HMS were to merge, restructure, or transfer ownership, relevant client information may be included in the transferred assets—but only under lawful conditions and with adequate protection.

    Important Safeguards:

    • No coaching session notes or sensitive personal data will ever be shared without your explicit written consent.

    • Any third parties I work with are selected based on their strong privacy practices, data security, and contractual obligations.

    • Shared data will always be proportionate, purpose-limited, and legally justified.

    • HMS shares personal data with ICAP People Solutions solely for the purpose of administering Hogan Assessments.

    • ICAP may share data with Hogan Assessments in the USA as a subprocessor, only under explicit consent and with GDPR-aligned safeguards in place.

    • No sensitive data or coaching session notes are ever shared with ICAP or Hogan.

  • I follow a privacy-by-design approach and only collect data necessary to deliver coaching, communications, and services. This means:

    • I don’t require personal data unless it directly supports our work together.

    • I avoid capturing sensitive information unless you choose to share it.

    • I regularly review the data I hold and securely delete or anonymize anything that’s no longer needed.

    If you’d like any or all of your data erased—session notes, contact history, transcripts—you can request this at any time by emailing me. I’ll honor that immediately, unless I’m legally obligated to retain something (e.g. for accounting or contractual recordkeeping).

  • Your Rights Under GDPR

    You’re Always in Control

    GDPR gives you a set of rights over your data. Here’s what you can do:

    • Access: Ask what data I hold about you

    • Correct: Request updates if something’s wrong

    • Erase: Delete your data, unless I have a legal reason to keep it

    • Restrict or Object: Limit or opt out of legitimate-interest processing or marketing

    • Withdraw Consent: For AI use, session recording, or newsletters—at any time

    • Data Portability: Request a copy in a machine-readable format

    • Additional rights specific to Hogan assessments:

      • Right to withdraw consent for Hogan Assessments at any time before completion.

      • Right to request deletion of your Hogan data through HMS, who will coordinate removal with ICAP and Hogan.

      • Right to access or correct assessment data, including raw scores or narrative summaries, subject to Hogan’s policies.

      • ICAP is obligated to notify HMS of any data subject requests and may only act following HMS’s written instruction as Data Controller.

    • Complain: You can lodge a complaint with the Office of the Commissioner for Personal Data Protection (Cyprus), Kypranoros 15, Nicosia 1061, Cyprus, +357 22818456, commissioner@dataprotection.gov.cy

    • HMS responds to access/erasure/objection and other requests within one month (extendable by two months for complex cases; we’ll notify you if extended)

    • For residents of the United Kingdom, you also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk).

    To exercise any of these, just email hassan@hellohms.com.

Updates to This Policy

I review this policy periodically, especially when:

  • I introduce new tools (like AI, scheduling, or coaching platforms)

  • GDPR or AI regulations evolve

  • I change service offerings or subprocessors

HMS maintains internal governance procedures for AI tool use, including an AI Safety & Security Framework, Incident Response Template, and AI Fact Sheet.

These are reviewed when new tools are introduced or regulations change.

Summaries are available on request by emailing hassan@hellohms.com.

Contact

For any questions, concerns, or data-related requests, just reach out to me via my Contact page.

If a personal-data breach occurs, HMS will assess and, where required, notify the supervisory authority within 72 hours and affected individuals without undue delay.

Version 2.0 — Last updated: April 2026