Privacy Policy

Last updated: March 2026

This Privacy Policy describes how Dr. Sabyasachi Roy, MBBS, MRCP ("I", "me", "my") collects, uses, and protects personal data when you visit sabyroy.com (the "Site") or purchase a programme offered on it. This policy is written to comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data Controller

Dr. Sabyasachi Roy, acting as a sole trader, is the data controller. Contact: saby@sabyroy.com. Any questions about this policy or your data should be sent to this address.

2. Information I Collect

Data you give me directly

• Email address and name — when you subscribe to the newsletter, download the free guide, or register for a programme.
• Payment details — processed by Luma and Stripe. I never see or store your card numbers.
• Correspondence — anything you send me by email.

Data collected automatically

• Technical data — IP address, browser type, device type, referring URL (collected by Cloudflare for security and performance).
• Cookies — small files stored in your browser for essential site function and, with your consent, analytics.

3. Legal Bases for Processing

• Consent — to send you the free guide, newsletter, or marketing emails. You can withdraw consent any time via the "unsubscribe" link in any email.
• Contract — to deliver a paid programme you've purchased.
• Legitimate interests — to protect the Site from abuse, improve content, and respond to enquiries.
• Legal obligation — to keep records required by HMRC for tax and accounting.

4. Third-Party Processors

I use a small number of trusted processors. Each has its own privacy policy.

• Kit (ConvertKit) — email delivery. Stores your email, name, subscription status. kit.com/privacy
• Luma — event registration and payment processing.
• Stripe — payment processing (via Luma).
• Cloudflare — website hosting and security.
• Google (Gmail) — direct email correspondence.

I do not sell your data. I do not share it with advertisers or data brokers.

5. International Transfers

Some processors store data on servers outside the UK, principally in the United States or EU. Where this happens, transfers rely on Standard Contractual Clauses or the UK–US Data Bridge as appropriate.

6. Cookies

• Strictly necessary cookies — for core site function (e.g. remembering your cookie preference). These do not require consent.
• Analytics cookies — only set if you accept via the cookie banner. Used anonymously to understand Site usage.

The Site does not use advertising or third-party tracking cookies. You can decline analytics cookies via the cookie banner when you first visit, or change your preference at any time via your browser settings.

7. Your Rights (UK/GDPR)

You have the right to:

• Access the personal data I hold about you.
• Correct inaccurate data.
• Delete your data ("right to be forgotten") — subject to legal retention rules.
• Restrict or object to processing.
• Data portability — receive your data in a machine-readable format.
• Withdraw consent at any time.
• Complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these rights, email saby@sabyroy.com. I aim to respond within 30 days.

8. Data Retention

• Newsletter list — until you unsubscribe.
• Purchase records — 7 years (HMRC requirement).
• Email correspondence — up to 3 years, then deleted.
• Technical logs — up to 90 days (Cloudflare default).

9. Children

This Site is intended for adults aged 18 and over. I do not knowingly collect data from anyone under 18.

10. Changes to This Policy

I may update this policy from time to time. The "last updated" date at the top will reflect any change. Significant changes will be communicated by email where possible.