Privacy Policy
Welcome to Mindset Alchemist. The Terms and Conditions, including this Privacy Policy, set out the terms for your use of the website www.yingyingsu.com ("Website") and your access to any related platforms. The Website and all offerings are provided by Ying-Ying Su, who operates under the business name “Mindset Alchemist” (referred to in these Terms as “we,” “our,” or “us”).
We are committed to protecting your privacy and ensuring that your personal data is handled transparently and lawfully. This Privacy Policy explains how we collect, use, store, and protect your personal data when you interact with our website or engage with any of our services, products, or programs.
By browsing the public areas or by accessing and using the Website, you acknowledge that you have read, understood, and agree to be legally bound by the Terms and Conditions and our Privacy Policy, which is hereby incorporated by reference (collectively, the “Agreement”). If you do not agree to any of these terms, then please do not use our Website.
This policy complies with the Swiss Federal Data Protection Act (revDSG) and the European Union’s General Data Protection Regulation (GDPR).
1. Who We Are
This website and all related services are operated by Ying-Ying Su, under the professional business name Mindset Alchemist. If you have any questions or requests regarding your data, you can contact us via email: info@yingyingsu.com
2. What Personal Data We Collect
We collect and process personal data when you:
Visit our website
Book a session or purchase a product
Subscribe to our newsletter
Fill out forms or questionnaires
Communicate with us directly
The types of data we may collect include:
a) Information you provide directly
Full name, email address, and phone number
Billing and mailing address
Payment information (processed securely via Stripe)
Responses to coaching or therapy intake forms, consent forms (e.g., testimonial or story sharing), and discovery call questionnaires
Information shared via contact forms, email, or surveys
Testimonials or reviews (with separate written consent)
Personal information disclosed during individual or group sessions, including notes taken by the practitioner
b) Sensitive personal data
Some intake forms and session-related documents may request sensitive personal data (e.g., information about your physical or mental health, medications, or general practitioner). This information is collected only with your explicit consent and is used solely to provide personalized services in line with your needs and goals.
c) Automatically collected data
When you visit our website, some information may be collected automatically by Squarespace (our website host) or third-party analytics tools. This may include:
IP address
Browser type and version
Device type and operating system
Referring pages or URLs
Website usage patterns (e.g., pages visited, session duration)
This information is not used to personally identify individuals but helps us improve site performance and user experience.
3. How We Use Your Data
We use your personal data to provide a safe, personalized, and legally compliant experience across all of our services and offerings. Specifically, we use your data to:
Deliver and personalize your experience with services such as one-to-one mindset coaching, Rapid Transformational Therapy® (RTT), online courses (live or self-paced), and digital memberships
Create and send personalized resources, such as custom hypnosis recordings, session notes, or integration exercises
Process bookings and purchases, issue invoices, and manage payments via secure platforms like Stripe
Provide access to protected digital products, such as downloads, audio files, course platforms, and membership materials
Send confirmation emails, session reminders, or service updates related to your bookings or course participation
Respond to inquiries or support requests via email or contact forms
Send newsletters or marketing communications, only with your explicit consent
Comply with legal and regulatory obligations, including tax, accounting, and lawful data retention
Improve website functionality, using anonymized analytics and usage data
We may also invite you to share a testimonial about your experience. Testimonial sharing is entirely voluntary and requires separate written consent. With your permission, testimonials may be published on our website, social media, or promotional materials. You may choose how you are identified (first name, initials, or anonymously), and you can withdraw your consent at any time for future use.
From time to time, we may share high-level summaries of client transformations to illustrate the impact of our services. These stories are fully anonymized, meaning they include no names or identifying information. We take great care to protect the privacy of our clients. If we ever wish to use direct quotes or more specific details, we will always ask for your explicit written permission first.
4. Legal Basis for Processing (GDPR)
We process your personal data under one or more of the following lawful bases:
Consent – When you actively agree (e.g., newsletter signup, testimonial sharing, intake form submission)
Contractual necessity – To deliver the service or product you purchased
Legal obligation – To comply with financial or regulatory duties
Legitimate interest – To maintain secure services and improve our offerings
5. Data Retention
We retain your personal data only as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required or permitted by law.
Contact information (e.g., name, email, phone): retained for up to 5 years after our last interaction, to support potential future work or inquiries.
Coaching/RTT session notes, intake forms, and related documents: retained for up to 5 years after our last session, unless a longer or shorter period is mutually agreed upon.
Financial and transaction records (e.g., invoices, receipts): retained for 10 years, in compliance with Swiss accounting law.
Email marketing preferences: retained until you unsubscribe or request deletion.
Testimonials: retained until you withdraw your consent or request their removal from future use.
Course or membership platform access data: retained as long as your access remains active or for up to 2 years of inactivity.
You may request deletion of your personal data at any time, where legally permissible.
6. Sharing Your Data
We do not sell or rent your personal data. We may share your information with trusted third-party service providers for legitimate purposes only, such as delivering digital content, processing payments, or maintaining communication. These providers include:
Stripe – Payment processor
Squarespace – Website and contact forms
Google Workspace – Intake forms and session data, course delivery, newsletters
Google Meet – Online video sessions
Professional advisors – For legal or tax compliance
All third parties are GDPR-compliant and contractually obligated to protect your data.
7. Your Rights Under Swiss FADP and the GDPR
If you are a resident of Switzerland, the European Union, Iceland, Norway, or Liechtenstein, you have the right to:
Access the personal data we hold about you
Correct inaccurate or outdated information
Request deletion of your data (“right to be forgotten”), where legally permissible
Withdraw your consent at any time, if data processing is based on consent
Object to certain types of data processing, particularly for marketing purposes
Request a copy of your personal data in a portable format (this applies to EU/EEA residents under the GDPR)
If you submit repeated requests, we may charge an administrative fee where allowed by law. You also have the right to file a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) or your local EU supervisory authority.
To exercise any of these rights, please contact us at: info@yingyingsu.com
8. Confidentiality
All information you share with us—including mindset coaching, RTT®, or any personal assessments—is treated as strictly confidential. This includes your verbal disclosures, written intake forms, session notes, email communications, and personalized audio recordings.
Confidentiality is maintained in accordance with professional ethical standards and Swiss data protection law. Your information will not be shared with anyone unless:
You provide explicit written consent
We are legally required to disclose information by Swiss law or court order
There is a serious risk of harm to yourself or another person
There is disclosure of abuse involving a minor or vulnerable adult
There is a reasonable belief that a serious criminal offense has occurred
Session content is stored securely using encrypted and password-protected systems.
9. Cookies and Website Analytics
Our website uses cookies to ensure essential site functionality and to help us understand how visitors interact with our content. These include:
Essential cookies (e.g., those used by Squarespace for secure website operations)
Non-essential cookies (e.g., Google Analytics, used to gather anonymized statistics to improve user experience)
Squarespace and/or Google Analytics may collect anonymized data such as pages visited, device type, and browsing behavior. This data helps us understand and improve how the website is used, but it does not personally identify users.
When you first visit our site, a cookie banner will appear asking for your consent. You may choose to:
Accept all cookies, including analytics
Decline non-essential cookies, allowing only essential ones
You can change your cookie preferences at any time through your browser settings.
By clicking “Accept,” you consent to the use of non-essential cookies as described in this Privacy Policy.
10. International Data Transfers
Your data may be processed by providers located outside Switzerland or the European Economic Area (e.g., in the United States). In these cases, appropriate safeguards such as Standard Contractual Clauses are in place to ensure your data remains protected.
11. Data Security
We take the protection of your personal data seriously and use appropriate security measures including:
SSL encryption on our website
Password-protected access to forms and session notes
Encrypted storage (e.g., Google Drive)
Access limitations based on necessity
Regular reviews and secure deletion protocols
12. Liability
We take your privacy seriously and follow industry best practices to protect your data. However, we cannot be held liable for unauthorized access, loss, or misuse of personal data that occurs beyond our reasonable control.
We work with carefully selected third-party service providers (e.g., Stripe, Squarespace, Google) to deliver our services. While we ensure that these providers comply with relevant data protection regulations (such as GDPR and the Swiss Data Protection Act), we are not responsible for any data breaches or security incidents that occur on their platforms. In the event of such an incident, we will support affected users to the best of our ability and take appropriate remedial action.
Client Responsibility
We take all reasonable measures to secure your data on our systems. However, we cannot be held responsible for data breaches or losses that occur due to insecure internet connections, public Wi-Fi, or device vulnerabilities on the client’s side. We recommend using secure, password-protected networks when accessing coaching sessions or downloading materials.
In addition, clients are responsible for maintaining the confidentiality of any login credentials used to access coaching materials, digital programs, or client-only platforms. We recommend that you keep passwords secure and avoid sharing access with others to protect your personal data.
13. User Consent
When you book a session, submit a form, or purchase a product or service through this Website, you are asked to confirm that you have read and agreed to this Privacy Policy.
Your continued use of this site and services implies your acceptance of the terms laid out in this Agreement. If you have any concerns, please contact us before proceeding.
14. Children’s Data
This website and our services are not intended for individuals under the age of 18. We do not knowingly collect or process data from minors. If we learn that personal data from a child under 18 has been collected, we will take reasonable steps to delete such information as soon as possible.
15. Changes to This Policy
We may update this Privacy Policy as necessary to reflect changes in our services, platform providers, or legal requirements. Any updates will be posted to this page with a new effective date. You are encouraged to check periodically.
Effective Date: 5 May, 2025