Skip to content
Mama Hala ConsultingDr. Hala Ali | Mama Hala
Privacy

Privacy Policy

Your privacy matters to us. This policy explains how we collect, use, and protect your personal information in compliance with Canadian, UAE, and international data protection standards.

Effective: April 19, 2026PIPEDA / PHIPAUAE PDPLGlobally Compliant

Table of Contents

01Operator Identity & Scope02Legal Frameworks & Compliance Standards03Data We Collect04Sensitive Data & Mental Health Information05How We Use Your Data06Legal Basis for Processing07AI & Automated Processing08Third-Party Data Processors09Cross-Border & International Data Transfers10Cookies & Local Storage11Data Retention12Your Rights (Canada)13Your Rights (UAE)14Your Rights (International Clients)15Data Deletion & Erasure Requests16Children’s Privacy17Data Breach Notification18Information Security19Email & Communications20Links to Third-Party Resources21Changes & Amendments22Contact & Complaints
01

Operator Identity & Scope

This Privacy Policy (“Policy”) is issued by Mama Hala Consulting Group (registered in Ontario, Canada) and Mama Hala Project Management (registered in Dubai, UAE), collectively operating under the trade name “Mama Hala Consulting” (“Operator”, “we”, “us”, or “our”). We are a professional counseling practice operated by Dr. Hala Ali, with the following physical presence:

• Canada: 430 Hazeldean Rd, Ottawa, ON K2L 1E8, Canada • United Arab Emirates: HDS Business Centre, Cluster M, JLT, 34th Floor, Dubai, UAE

Contact: admin@mamahala.ca | +1 613-222-2104

This Policy applies to the mamahala.ca website (“Website”), all related products, services, and digital platforms (collectively, “Services”), including in-person counseling sessions in Canada and the UAE, online counseling sessions delivered to clients worldwide, the Mama Hala Academy, downloadable toolkits, quizzes, the AI Chat Companion, and all related communications.

This Policy is legally binding between you (“User”, “you”, or “your”) and the Operator. By accessing or using the Website and Services, you acknowledge that you have read, understood, and agree to be bound by this Policy, regardless of your geographic location. If you do not agree, you must not access or use the Website and Services.

02

Legal Frameworks & Compliance Standards

Mama Hala Consulting Group (Canada) and Mama Hala Project Management (UAE) are registered and operate in both Canada and the United Arab Emirates, and provide online services to clients globally under the trade name “Mama Hala Consulting.” We are committed to meeting or exceeding the requirements of all applicable privacy and data protection laws, including but not limited to:

PIPEDA — Personal Information Protection and Electronic Documents Act (Canada)
PHIPA — Personal Health Information Protection Act (Ontario) — applicable to counseling and mental health records
CASL — Canadian Anti-Spam Legislation
UAE PDPL — Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, and its Executive Regulations
UAE Consumer Protection Law — Federal Law No. 15 of 2020
GDPR-aligned standards — We voluntarily adopt the EU General Data Protection Regulation’s principles as our global baseline, providing all clients worldwide with the highest standard of data protection regardless of location
OECD Privacy Principles — Our practices align with internationally recognized principles of fair information practices

Where these frameworks differ, we apply the stricter standard. Our goal is to provide every client, regardless of location, with the most robust privacy protections available under any applicable law.

03

Data We Collect

We collect and process personal data only where we have a lawful basis to do so and only to the extent necessary to provide our Services. You can browse the Website without revealing your identity; however, certain features require you to provide information. The categories of data we may collect include:

Identity & Contact Data — Full name, email address, phone number, country of residence, timezone, preferred language, salutation
Booking & Scheduling Data — Service selected, appointment date and time, session mode (online or in-person), session duration, client notes, preferred language for session
Payment & Billing Data — Transaction amounts, currency, payment method type, billing address (where provided). Note: We do NOT store credit card numbers or bank account details; all payment card data is processed exclusively by our PCI-DSS compliant payment processor
Health & Counseling Data (Sensitive) — AI-generated intake notes, session preparation tips, counseling context, service recommendations, assessment results, and any information you voluntarily share during sessions or via forms. This data is classified as sensitive personal data under all applicable laws and receives heightened protection
Educational & Program Data — Academy enrollment status, course progress, module completion, quiz answers and scores, toolkit downloads, certificate records
Communications Data — Contact form messages, email correspondence, chat transcripts with our AI Companion, newsletter subscription status
Behavioral & Analytics Data — Pages visited, services browsed, event registrations, toolkit downloads, quiz participation, referral source. This data is collected in aggregate and used only for service improvement
Technical Data — IP address (used for rate limiting and abuse prevention only, not for profiling), browser type, device information, session identifiers, cookies and local storage data as described in this Policy

You may choose not to provide certain information, but this may limit your ability to use specific features of the Services.

04

Sensitive Data & Mental Health Information

As a professional counseling practice, we may collect and process sensitive personal data related to your mental health, emotional well-being, family circumstances, and personal life. This includes information you share during counseling sessions, booking intake forms, AI-generated session notes and preparation tips, and assessment or quiz results.

This data receives the highest level of protection under all applicable laws:

• Under PHIPA (Ontario): We act as a Health Information Custodian and handle your personal health information in accordance with Part II of the Act, including the requirement for express consent before collection, use, or disclosure. • Under UAE PDPL (Article 7): Sensitive personal data requires explicit and informed consent, which we obtain before processing. • Under GDPR-aligned standards: This data constitutes special category data, processed only with your explicit consent or where necessary for healthcare purposes.

Sensitive data is never used for marketing, analytics, or any purpose other than providing you with counseling services and improving your care. It is never shared with third parties for commercial purposes.

05

How We Use Your Data

We act as both a data controller and data processor when handling Personal Information. We process your data only for specific, legitimate purposes:

Service Delivery — Managing bookings, conducting counseling sessions, providing academy courses, delivering toolkits and resources
Payment Processing — Processing payments through our secure payment processor, generating invoices and receipts, managing billing records
AI-Powered Support — Generating session preparation tips, intake summaries, and service recommendations to enhance your counseling experience
Communications — Sending booking confirmations, session reminders, receipts, and responding to your inquiries
Account Management — Maintaining your account, tracking course progress, managing session history
Service Improvement — Analyzing aggregate usage patterns (not individual behavior) to improve our Website and Services
Legal & Regulatory Compliance — Meeting obligations under PIPEDA, PHIPA, UAE PDPL, tax law, and other applicable regulations
Safety & Security — Preventing abuse, detecting fraud, enforcing our terms, and protecting the rights and safety of users
Marketing (Consent-Based Only) — Sending newsletters and service updates only to users who have expressly opted in, in full compliance with CASL and UAE PDPL requirements

We will never sell your personal data to third parties. We do not engage in automated decision-making or profiling that produces legal effects concerning you without human oversight.

06

Legal Basis for Processing

We process your personal data only where we have a lawful basis to do so. The legal bases we rely on depend on the applicable law and the nature of the processing:

• Consent: Where you have given clear, informed, and voluntary consent to the processing of your data for specific purposes. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal. • Contract Performance: Where processing is necessary to perform our obligations under a contract with you (e.g., delivering counseling sessions you have booked and paid for). • Legal Obligation: Where processing is necessary to comply with a legal obligation (e.g., tax reporting, responding to lawful government requests, PHIPA health record retention requirements). • Legitimate Interest: Where processing is necessary for our legitimate interests, provided those interests are not overridden by your rights and freedoms (e.g., improving our services, ensuring security). • Vital Interests: In exceptional circumstances, where processing is necessary to protect someone’s life or physical safety.

For sensitive data (including mental health information), we rely exclusively on your explicit consent, obtained before processing begins. Under PHIPA, we process personal health information only as permitted by the Act, including with your express consent.

07

AI & Automated Processing

We use third-party artificial intelligence technology to enhance certain aspects of our Services. We believe in full transparency about how AI is used in our practice:

• AI Chat Companion: An AI-powered conversational assistant is available for general informational support related to our academy courses and resources. It does not provide clinical advice, diagnoses, or therapeutic interventions. • Session Preparation: AI may generate intake summaries, session preparation tips, and service recommendations based on information you provide during the booking process. • Administrative Support: AI assists with invoice descriptions, email drafting, and other administrative tasks.

Important safeguards:

• AI does not make clinical or therapeutic decisions — all counseling decisions are made by Dr. Hala. • AI-generated content is reviewed and supplemented by professional judgment. • You have the right to request human review of any AI-generated assessment or recommendation. • Data processed by AI is transmitted to our AI service provider’s servers in the United States, subject to their privacy practices and our contractual safeguards. • AI outputs are never used to profile or make automated decisions that produce legal effects concerning you.

08

Third-Party Data Processors

We share your data only with trusted third-party service providers who are essential to the operation of our Services. Each processor is bound by contractual obligations to protect your data. We do not sell or share your data with unaffiliated third parties for their own purposes.

Our data processors and their roles:

Payment Processor (United States) — A PCI-DSS Level 1 certified payment processor handles all payment card transactions. We never store credit card numbers on our servers.
Email Delivery Service (United States) — A professional email delivery service processes transactional and marketing emails on our behalf, handling email addresses and message content.
Calendar & Video Conferencing Platform (United States) — A secure calendar and video conferencing platform manages appointment scheduling and hosts online counseling sessions. Appointment details and participant email addresses are shared.
AI Service Provider (United States) — A third-party AI service provider powers the Chat Companion, session preparation tools, and administrative support features. Processes text data submitted to AI features.
Cloud Hosting & Computing Provider (United States) — A cloud hosting platform provides website hosting, serverless computing, and edge delivery. Processes all data transmitted through the Website.
Managed Database Service (United States) — A managed database service hosts session data, analytics, lead records, and booking information.

We may also disclose personal data if required by law, court order, or government request, or if necessary in good faith to protect our rights, your safety, or the safety of others, to investigate fraud, or to respond to a lawful government request in any jurisdiction where we operate.

09

Cross-Border & International Data Transfers

Because we operate in multiple jurisdictions and use service providers based in different countries, your personal data may be transferred across international borders.

Regardless of where you are located, data submitted through our Website is processed on servers in Canada and may be further processed by our sub-processors in the United States (as described in the Third-Party Data Processors section above).

We ensure the protection of your data during cross-border transfers through the following safeguards:

• TLS 1.3 encryption for all data in transit • Encryption at rest for all stored data • Contractual obligations with all processors requiring equivalent data protection standards • Data minimization — we only transfer data that is necessary for the specific processing purpose • Under UAE PDPL Article 22: We ensure that data is transferred only to jurisdictions or organizations providing adequate levels of protection, or with your explicit consent • Under PIPEDA: We use contractual and other means to ensure your data receives comparable protection when processed outside Canada • Under GDPR-aligned standards: Our transfers are supported by appropriate safeguards consistent with Chapter V of the GDPR

By using our Services, you acknowledge and consent to the transfer and processing of your data as described in this section. If you have concerns about data transfers to a specific jurisdiction, please contact us before submitting personal data.

10

Cookies & Local Storage

Our Website uses a limited number of cookies and local storage mechanisms, exclusively for functional purposes. We do not use third-party advertising or tracking cookies.

Cookies we set:

booking_session — Functional cookie (HttpOnly, Secure, SameSite=Lax). Maintains your session when managing bookings. Expires at end of browser session.
academy_session — Functional cookie (HttpOnly, Secure, SameSite=Lax). Maintains your session when accessing academy content. Expires at end of browser session.
mh_preview — Internal administrative cookie used only by the Operator for testing purposes. Not set for regular users.
SessionStorage keys — Used for analytics deduplication to prevent counting the same page view multiple times. Cleared when you close the browser tab. No personal data is stored.

You can manage or delete cookies through your browser settings. Disabling functional cookies may affect your ability to use certain features such as booking management and academy access. For detailed instructions on managing cookies, consult your browser’s help documentation.

11

Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. Our retention periods are:

Health & Counseling Records — 7 years from the date of the last session, as required by PHIPA and applicable professional standards
Payment & Billing Records — 7 years, as required by Canada Revenue Agency and UAE Federal Tax Authority regulations
Contact Inquiries — 2 years from the date of submission, or until you request deletion
Academy & Course Progress — Duration of your enrollment plus 2 years, or until you request deletion
Analytics Data — Rolling 12-month window for aggregate statistics; individual event records deleted after 12 months
Session Cookies — Expire at the end of your browser session
Email Communications — Retained for the duration of our business relationship plus 2 years
AI Chat Transcripts — Retained for a maximum of 30 days for quality assurance, then permanently deleted

After the applicable retention period expires, we securely delete or anonymize the data. Where we retain aggregated or anonymized data for statistical purposes, such data cannot be used to identify you.

12

Your Rights (Canada)

If you are located in Canada, you have the following rights under PIPEDA and, where applicable, PHIPA:

• Right of Access: You may request access to your personal data and receive confirmation of whether it is being processed. Under PIPEDA Principle 9, we will respond within 30 days. • Right to Correction: You may request correction of inaccurate or incomplete personal data. • Right to Withdraw Consent: You may withdraw your consent to the processing of your data at any time by contacting us. This may affect our ability to provide certain Services. • Right to Complain: You may file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca if you believe your privacy rights have been violated. • PHIPA Rights: If your data includes personal health information collected in Ontario, you have additional rights under PHIPA, including the right to request access to your health records, request corrections, and receive an accounting of disclosures.

To exercise any of these rights, contact us at admin@mamahala.ca. We will respond within 30 days of receiving your verified request. We will not charge a fee for reasonable access requests.

13

Your Rights (UAE)

If you are located in the United Arab Emirates, you have the following rights under the UAE Personal Data Protection Law (PDPL), Federal Decree-Law No. 45 of 2021:

• Right of Access (Article 13): You may request access to your personal data that we hold. • Right to Rectification (Article 14): You may request correction of inaccurate personal data. • Right to Erasure (Article 15): You may request deletion of your personal data, subject to legal retention requirements. • Right to Restriction (Article 16): You may request that we restrict the processing of your data in certain circumstances. • Right to Data Portability (Article 17): You may request to receive your personal data in a structured, commonly used, machine-readable format. • Right to Object (Article 18): You may object to the processing of your personal data for specific purposes, including direct marketing. • Right Against Automated Decisions (Article 19): You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects concerning you. • Right to Complain: You may file a complaint with the UAE Data Office if you believe your data protection rights have been violated.

To exercise any of these rights, contact us at admin@mamahala.ca. We will respond within 30 days. There is no fee for exercising your rights.

14

Your Rights (International Clients)

If you are located outside Canada and the UAE, we apply GDPR-grade data protection rights as our global minimum standard. Regardless of your location, you have the right to:

• Access your personal data and obtain a copy • Rectify inaccurate or incomplete data • Request erasure of your data (“right to be forgotten”), subject to legal retention requirements • Restrict or object to certain types of processing • Receive your data in a portable format • Withdraw your consent at any time, without affecting the lawfulness of processing before withdrawal • Not be subject to decisions based solely on automated processing that produce legal effects • Lodge a complaint with your local data protection authority

We commit to responding to all data subject requests within 30 days, regardless of your location. Contact us at admin@mamahala.ca to exercise any right. If your country has specific data protection legislation that grants you additional rights, we will honor those rights to the extent they are brought to our attention.

15

Data Deletion & Erasure Requests

You may request the deletion of your personal data at any time by emailing admin@mamahala.ca with the subject line “Data Deletion Request.”

Upon receiving your verified request, we will:

• Acknowledge receipt within 5 business days • Complete the deletion within 30 days • Notify our third-party processors to delete your data from their systems • Provide written confirmation of deletion upon completion

Exceptions: We may be required to retain certain data beyond your deletion request where required by law, including:

• Health records: 7 years under PHIPA and professional standards • Financial/tax records: 7 years under CRA and UAE FTA requirements • Records needed for ongoing legal proceedings or regulatory investigations

In such cases, we will inform you of the specific legal basis for retention and the anticipated retention period. Retained data will be limited to the minimum necessary and will not be used for any other purpose.

16

Children’s Privacy

Our Services are not directed at children, and we do not knowingly collect personal data from minors without appropriate parental or guardian consent.

• Canada: We do not knowingly collect personal information from individuals under the age of 13 without verified parental consent. • UAE: Processing of personal data of individuals under 18 years of age for sensitive purposes requires the consent of a parent or legal guardian, in accordance with UAE PDPL. • Internationally: We comply with the higher of the applicable age threshold in the user’s jurisdiction.

If you are a parent or guardian and believe your child has provided personal data without your consent, please contact us at admin@mamahala.ca and we will promptly delete such data.

Where our counseling services involve minors (e.g., family counseling), parental or guardian consent is obtained before any personal data is collected, and additional safeguards are applied to protect the minor’s information.

17

Data Breach Notification

We maintain comprehensive security measures to protect your data. In the unlikely event of a data breach involving your personal information, we will:

• Initiate an internal investigation within 24 hours of discovering the breach • Assess the scope, cause, and risk of harm to affected individuals • Under PIPEDA: Report to the Office of the Privacy Commissioner of Canada and notify affected individuals as soon as feasible if the breach creates a real risk of significant harm (as required by the Digital Privacy Act) • Under UAE PDPL: Notify the UAE Data Office in accordance with the timelines specified in the Executive Regulations • Under GDPR-aligned standards: Notify relevant authorities within 72 hours where the breach is likely to result in a risk to individuals’ rights and freedoms • Notify affected individuals directly via email, including the nature of the breach, the data involved, steps taken, and recommended protective measures • Document the breach and our response in a breach register maintained for regulatory purposes

18

Information Security

We implement and maintain industry-standard administrative, technical, and physical safeguards to protect your personal data:

• Encryption: TLS 1.3 encryption for all data in transit; encryption at rest for stored data • Access Controls: Strict role-based access; administrative access protected by authentication • Secure Payment Processing: PCI-DSS Level 1 certified payment processor; no card data stored on our servers • Rate Limiting: IP-based rate limiting on all forms and API endpoints to prevent abuse • Spam Prevention: Multi-layered bot detection including honeypot fields, timing analysis, and disposable email blocking • Secure Sessions: HttpOnly, Secure, SameSite cookie attributes • Distributed Locking: Prevents double-booking and concurrent data conflicts • Regular Updates: We keep all software dependencies updated to patch known vulnerabilities

While we strive to protect your data using these measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we commit to promptly addressing any security vulnerabilities that come to our attention.

19

Email & Communications

We send emails through a professional email delivery service. All electronic communications comply with the Canadian Anti-Spam Legislation (CASL) and applicable UAE and international anti-spam regulations.

• Transactional Emails: Booking confirmations, session reminders, payment receipts, and account notifications are sent based on your contract with us and do not require separate marketing consent. • Marketing Emails: Newsletters, service updates, and promotional content are sent only with your express opt-in consent. • Every marketing email includes a clear, one-click unsubscribe mechanism. • We honor unsubscribe requests within 10 business days (CASL requirement). • We do not purchase email lists or send unsolicited commercial messages.

If you correspond with us via email, we may retain the content of your messages, your email address, and our responses for the purpose of resolving your inquiry and maintaining a record of our communications.

20

Links to Third-Party Resources

Our Website may contain links to external websites, resources, or services not owned or controlled by us. We are not responsible for the privacy practices, content, or data collection of any third-party websites. We encourage you to review the privacy policy of every external site you visit.

Our linking to a third-party website does not constitute endorsement of that site’s privacy practices or content.

21

Changes & Amendments

We reserve the right to update this Policy at any time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:

• We will update the “Effective Date” at the top of this page. • For material changes that significantly affect how we process your data, we will notify you via email at least 30 days before the changes take effect. • Your continued use of the Website and Services after the effective date of the revised Policy constitutes your acceptance of the changes. • If you do not agree with the revised Policy, you should discontinue use of the Services and contact us to exercise your data rights.

22

Contact & Complaints

If you have any questions, concerns, or complaints about this Privacy Policy or our data practices, or if you wish to exercise any of your data rights, please contact us:

Mama Hala Consulting Attn: Privacy Inquiries 430 Hazeldean Rd, Ottawa, ON K2L 1E8, Canada Email: admin@mamahala.ca Phone: +1 613-222-2104

Regulatory Authorities:

• Canada: Office of the Privacy Commissioner of Canada (OPC) — priv.gc.ca | 1-800-282-1376 • Ontario (Health Info): Information and Privacy Commissioner of Ontario — ipc.on.ca • UAE: UAE Data Office — For complaints regarding personal data processing under UAE PDPL • International: You may also contact your local data protection authority if you believe your privacy rights have been violated.

We take all privacy concerns seriously and will respond to your inquiry within 30 days.

Contact Us