Privacy Policy

1. Data Controller

The data controller responsible for the processing of your personal data is Aesan SA, registered in Morges, Canton of Vaud, Switzerland. You can contact us regarding any data protection matter at contact@alexmillius.com.

This Privacy Policy applies to all services offered through www.alexmillius.com and any related services, including session booking, clinical intake, program delivery, and between-session communication (collectively, the "Services").

2. Legal Framework

This Privacy Policy is governed by the Swiss Federal Act on Data Protection (nLPD/nDSG), which entered into force on 1 September 2023, and its implementing ordinance (OPDo/DSV). Where applicable, we also comply with the EU General Data Protection Regulation (GDPR) for clients based in the European Economic Area.

3. Personal Data We Collect

3.1 Data you provide directly

• Identity and contact information: full name, email address, phone number, location, timezone, emergency contact details
• Professional information: current role, company name, company size, years in role
• Health and clinical data: responses to intake questionnaires covering sleep, physical health, mental and emotional state, substance use, nutrition, exercise, and medical history (including current medications and diagnosed conditions)
• Session content: information disclosed during Strategic Assessment calls, Deep Diagnostic sessions, and Protocol sessions, including clinical observations and therapeutic notes
• Communication content: voice messages and text messages exchanged between sessions via WhatsApp Business or Signal
• Goals and expectations: your responses to questions about recovery goals and personal reflections
• Consent and preferences: your consent choices, preferred session times, and communication preferences

3.2 Data generated through our services

• Burnout Map and clinical assessments: personalized documents created based on your intake data and session content
• Session recordings: video/audio recordings of Zoom sessions, made only with your explicit prior consent
• Progress tracking data: anonymized scores and metrics used to measure your recovery trajectory
• Custom hypnosis recordings: personalized audio files created for your use

3.3 Data collected automatically

• Website analytics: anonymized usage data collected through privacy-respecting analytics (no personal tracking)
• Booking data: scheduling information processed through Calendly
• Payment data: transaction records processed through Stripe (we do not store credit card numbers or bank account details)

4. Sensitive Personal Data

A significant portion of the data we process qualifies as sensitive personal data under the nLPD, including health data, information about mental and emotional states, and substance use patterns. We process this data exclusively on the basis of your explicit consent, provided through the Client Agreement signed before the commencement of any clinical services.

You may withdraw your consent to the processing of sensitive data at any time. However, withdrawal may affect our ability to continue providing clinical services, as this data is essential to the delivery of the Founder Reset Protocol.

5. Purposes of Processing

• Service delivery: conducting assessments, delivering hypnotherapy and coaching sessions, creating personalized recovery protocols, and providing between-session support
• Partner coordination: sharing relevant clinical data with named partner practitioners (see Section 6) to develop personalized nutrition and movement plans
• Program improvement: using anonymized and aggregated data to improve our methodology (only with your consent)
• Communication: sending appointment confirmations, reminders, follow-up emails, and clinical documents
• Payment processing: collecting fees for the Deep Diagnostic and the Founder Reset Protocol
• Legal obligations: retaining records as required by Swiss law

6. Data Sharing and Third Parties

We share personal data only with the following categories of recipients, and only to the extent necessary for the stated purposes.

6.1 Clinical partner practitioners

• Nutrition protocol partner (aesan.ch): receives relevant health, dietary, and lifestyle data to create your personalized meal plan
• Movement protocol partner (Yota-sante.ch): receives relevant physical health and capacity data to design your movement plan

Data shared with clinical partners is limited to what is strictly necessary for their specific role. Partners are bound by their own professional confidentiality obligations and by contractual data processing agreements. You will be informed of and asked to consent to any data sharing with partners before it occurs.

6.2 Technology service providers

• Calendly (Calendly LLC, USA): booking and scheduling
• Stripe (Stripe Inc., USA): payment processing
• Zoom (Zoom Video Communications Inc., USA): session delivery and recordings
• Typeform or Google Forms: intake questionnaires
• WhatsApp Business (Meta Platforms Inc., USA) or Signal: between-session messaging
• Google Workspace (Google LLC, USA): clinical document storage and email
• Notion (Notion Labs Inc., USA): internal practice management

These providers act as data processors on our behalf. Where providers are based outside Switzerland, appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or equivalent mechanisms recognized under Swiss data protection law.

6.3 No other disclosures

We do not sell, rent, or trade your personal data. We do not disclose your data to any other third party unless required by Swiss law or a valid court order.

7. International Data Transfers

Several of our technology service providers are based in the United States. Where transfers are made to countries without an adequate level of protection as recognized by the FDPIC, we rely on Standard Contractual Clauses or other recognized safeguards.

8. Session Recordings

With your explicit prior consent, sessions conducted via Zoom may be recorded (video and audio). You have the right to decline recording for any session without consequence. Recordings are stored securely in encrypted cloud storage, accessible only to your practitioner, and retained for the duration of your program plus 12 months, after which they are permanently deleted. Recordings are never shared with third parties.

9. Data Retention

• Clinical records (session notes, Burnout Maps, assessments): 10 years from the end of the client relationship, in accordance with Swiss professional record-keeping obligations
• Session recordings: duration of program plus 12 months, then permanently deleted
• Custom hypnosis recordings: until you request deletion or 12 months after the end of the client relationship
• Intake questionnaire responses: retained as part of clinical records (10 years)
• Between-session communications: duration of program plus 6 months, then deleted
• Payment records: 10 years as required by Swiss commercial law (Code of Obligations, Art. 958f)
• Website analytics: anonymized data only; no personal data is stored

10. Security Measures

We implement appropriate technical and organizational measures to protect your personal data, including encrypted storage for all clinical documents and recordings, two-factor authentication on all accounts used to process client data, access controls limiting data access to the practitioner and authorized partners, and secure communication channels for between-session support.

In the event of a data breach affecting your personal data, we will notify you and the relevant authorities in accordance with nLPD requirements.

11. Your Rights

Under the nLPD (and GDPR where applicable), you have the following rights:

• Right of access: request a copy of all personal data we hold about you
• Right to rectification: request correction of inaccurate data
• Right to deletion: request deletion of your data, subject to legal retention obligations
• Right to data portability: request your data in a structured, commonly used format
• Right to withdraw consent: at any time, without affecting the lawfulness of prior processing
• Right to object: object to processing based on legitimate interests
• Right to lodge a complaint: with the Swiss Federal Data Protection and Information Commissioner (FDPIC), or for EU-based clients, with your local supervisory authority

To exercise any of these rights, contact us at contact@alexmillius.com. We will respond within 30 days.

12. Cookies and Tracking

Our website uses only essential cookies necessary for the functioning of the site. We do not use advertising cookies, tracking pixels, or third-party analytics that collect personal data. If this changes in the future, this policy will be updated and your consent will be sought.

13. Services for Adults Only

Our services are designed for adult professionals. We do not knowingly collect data from persons under the age of 18.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to active clients by email. The current version is always available at www.alexmillius.com/privacy-policy.html.

15. Contact

For any questions about this Privacy Policy or to exercise your data protection rights, please contact:

Aesan SA
Morges, Canton of Vaud, Switzerland
contact@alexmillius.com