1. Introduction
This Privacy Policy ("Policy") describes how Consult Me ("the Company", "we", "us", or "our") collects, uses, discloses, retains, and safeguards personal data when you access or use the Consult Me mobile application, the consultmebh.com website, and any related services (collectively, the "Platform"). This Policy applies to all visitors, registered users ("Clients"), and registered legal practitioners ("Consultants"). By accessing or using the Platform, you acknowledge that you have read, understood, and consented to the practices set out in this Policy. If you do not agree to this Policy, you must refrain from using the Platform.
2. Definitions
- ·"Personal Data" — any information relating to an identified or identifiable natural person.
- ·"Processing" — any operation performed on Personal Data, whether or not by automated means.
- ·"Data Subject" — the natural person to whom Personal Data relates.
- ·"Data Controller" — the person or entity that determines the purposes and means of Processing.
- ·"Data Processor" — a third party that processes Personal Data on behalf of the Data Controller.
- ·"PDPL" — the Personal Data Protection Law of the Kingdom of Bahrain (Law No. 30 of 2018).
- ·"PDPA" — the Personal Data Protection Authority established under the PDPL.
3. Data Controller
For the purposes of the PDPL, the Data Controller responsible for the Processing of Personal Data through the Platform is Consult Me (CR 189616), with its registered office at Office 262, Building 58, Road 1701, Block 317, Diplomatic Area, Manama, Kingdom of Bahrain. You may contact the Data Controller using the channels set out in section 20 below.
4. Personal Data We Collect
In the course of providing the Platform, we collect the following categories of Personal Data:
From Users (Clients):
- ·Identification data — full legal name, date of birth (where required), and electronic mail address.
- ·Contact data — telephone number, where voluntarily provided.
- ·Geolocation data — only where express consent has been granted to enable location-based functionality.
- ·Engagement data — information you submit within consultation forms, messages, attachments, and supporting documents.
- ·Transaction data — records of payments processed through the Platform (excluding full payment-card numbers).
From Consultants (Licensed Practitioners):
- ·Identification data — full legal name, electronic mail address, and telephone number.
- ·Professional data — licensing credentials issued by the Ministry of Justice, Islamic Affairs and Endowments, and membership status with the Bahrain Bar Society.
- ·Financial data — banking and payment details required for the disbursement of professional fees.
- ·Practice data — documents, templates, and materials uploaded to the Platform in the course of practice.
Payment Information:
- ·When you save a payment method or make a payment, your card details are collected and stored directly by our trusted, certified payment provider using industry-standard encryption. We do not receive or store your full card number — only a secure token and limited details (such as card type and last four digits) needed to display and charge your saved method.
Collected automatically:
- ·Technical data — IP address, device identifiers, browser type, operating system, language settings, time-zone, and referring or exit pages.
- ·Usage data — pages visited, features used, click-stream data, and session timestamps.
- ·Approximate location — derived from IP address, used for security and analytics.
5. Sources of Personal Data
We collect Personal Data from the following sources:
- ·Directly from you, when you register for an account, communicate with us, or use the Services.
- ·Automatically, through your interaction with the Platform (technical and usage data).
- ·From Consultants, in relation to a User they have engaged through the Platform.
- ·From authorised payment service providers, in connection with transactions you initiate.
- ·From identity providers, where you elect to sign in via a third-party service.
6. Purposes of Processing and Lawful Bases
We process Personal Data only where we have a lawful basis to do so under the PDPL. Our lawful bases include:
- ·Consent — for non-essential cookies, marketing communications, and optional features such as location services.
- ·Performance of a Contract — to provide the Services you request, including account management, appointment scheduling, communications between you and Consultants, and payment processing.
- ·Legal Obligation — to comply with applicable laws, tax and accounting requirements, anti-money-laundering obligations, and lawful requests from competent authorities.
- ·Legitimate Interests — to maintain Platform security, prevent fraud and abuse, improve our Services, and conduct internal analytics, provided that such interests are not overridden by your fundamental rights and freedoms.
Where Processing is based on your consent, you may withdraw that consent at any time, without affecting the lawfulness of Processing carried out prior to such withdrawal.
7. Cookies and Similar Technologies
The Platform uses cookies and similar tracking technologies to operate, secure, and personalise your experience. The categories used are:
- ·Strictly necessary — required for the Platform to function (authentication, session management, security).
- ·Performance and analytics — including Google Analytics, used to understand aggregate usage patterns and improve the Platform.
- ·Advertising and measurement — including Google Ads conversion tracking and the Meta (Facebook) Pixel, used to measure the effectiveness of marketing campaigns.
You may control or disable non-essential cookies through your browser settings. Disabling certain cookies may affect the availability or functionality of the Platform.
8. Disclosure to Third Parties
We do not sell, rent, or trade Personal Data. Disclosure is limited to the following categories of recipients, each acting under contractual obligations of confidentiality and data protection consistent with the PDPL:
Service Providers & International Transfers:
- ·We rely on reputable international service providers to operate the Platform — including for payment processing, messaging and email delivery, cloud hosting and storage, and AI-assisted features. They process data on our behalf, only as needed to provide the Services and under appropriate safeguards. By accepting this Policy, you explicitly consent to your personal data being processed and transferred outside Bahrain by these international service providers, where it remains protected to the standards described in this Policy.
- ·Payment service providers — including Visa, MasterCard, BenefitPay, and Apple Pay, for the sole purpose of processing transactions.
- ·Cloud and infrastructure providers — retained to host the Platform and ensure operational continuity.
- ·Analytics and advertising providers — including Google and Meta, in respect of the categories described in section 7.
- ·Professional advisors — including legal, accounting, and audit professionals, where engaged in the ordinary course of business.
- ·Competent authorities — including law enforcement, regulatory, and judicial authorities, where required by law or valid legal process.
- ·Successors — in the context of a corporate transaction such as a merger, acquisition, reorganisation, or asset sale, in which Personal Data may be transferred as part of the transferred business.
9. Where We Process Personal Data
The Company is established in the Kingdom of Bahrain and operates its Platform primarily from infrastructure located within the Kingdom. Specifically:
- ·Our application servers, which handle requests on the Platform and process Personal Data in transit, are operated by us within the Kingdom of Bahrain.
- ·Our public website is delivered through a global content-delivery network (Cloudflare) for performance and security; the website itself does not store Personal Data at the edge.
- ·Persistent database services are provided by reputable cloud-database providers and may be hosted in data centres located within the European Union (currently Frankfurt, Germany), a jurisdiction recognised as offering an adequate level of data protection.
- ·Payment processing is performed by certified third-party payment service providers, which may operate from multiple jurisdictions in accordance with their licensing and security obligations.
Where Personal Data is transferred outside the Kingdom of Bahrain in the course of providing the Services, we ensure that one or more of the following applies: (i) the recipient jurisdiction provides a level of protection equivalent to the PDPL; (ii) the transfer is subject to appropriate safeguards, including standard contractual data-protection clauses; or (iii) the transfer is otherwise permitted under the PDPL — including with your explicit consent, for the performance of a contract concluded with you, or to fulfil a legal obligation. All such transfers are conducted over encrypted connections.
10. Data Retention
Personal Data is retained only for so long as is necessary to fulfil the purposes for which it was collected, including:
- ·Account information — for the duration of your account and for a reasonable period thereafter, unless earlier deletion is requested or required by law.
- ·Transaction records — for the period required by applicable accounting, tax, and anti-money-laundering laws, typically not less than five (5) years from the date of the transaction.
- ·Communications and case-related materials — for as long as necessary to deliver the Services and to address any legal claims or regulatory inquiries.
- ·Marketing data — until the relevant consent is withdrawn.
- ·Technical and security logs — for a period proportionate to the security purpose, generally not exceeding twelve (12) months.
Upon expiry of the applicable retention period, Personal Data is securely deleted or irreversibly anonymised.
11. Security of Personal Data
We implement appropriate administrative, technical, and organisational safeguards designed to protect Personal Data against unauthorised access, alteration, disclosure, loss, or destruction. These include:
- ·Transport-layer encryption (TLS) for data in transit.
- ·Encryption at rest for sensitive data where appropriate.
- ·Role-based access controls and multi-factor authentication for personnel handling Personal Data.
- ·Audit logging, monitoring, and periodic security reviews.
- ·Training and confidentiality obligations for personnel.
No system or transmission is impenetrable. We cannot guarantee absolute security and accept no liability for unauthorised access that occurs despite the implementation of reasonable safeguards.
12. Your Rights as a Data Subject
Subject to the PDPL and applicable conditions, you have the following rights in respect of your Personal Data:
- ·Right of Access — to obtain confirmation of whether we process your Personal Data and to receive a copy.
- ·Right of Rectification — to request the correction of inaccurate or incomplete data.
- ·Right of Erasure — to request the deletion of Personal Data that is no longer necessary or unlawfully held.
- ·Right of Restriction — to request that we limit how we process your Personal Data in defined circumstances.
- ·Right to Object — to object to Processing carried out on the basis of our legitimate interests.
- ·Right to Data Portability — to receive your Personal Data in a structured, commonly used, machine-readable format.
- ·Right to Withdraw Consent — to withdraw any consent previously given, without affecting prior lawful Processing.
- ·Right to Complain — to lodge a complaint with the Personal Data Protection Authority.
To exercise any of these rights, please contact us at help@consultmebh.com. We will respond within a reasonable period and, in any event, no later than thirty (30) days from the date of receipt, unless an extension is permitted by applicable law.
13. Marketing Communications
We may send you service-related communications — including transaction confirmations, security alerts, and account notifications — regardless of your marketing preferences, as these are necessary for the performance of the Services. Marketing communications are sent only where you have provided prior consent or where otherwise permitted by law. You may opt out of marketing communications at any time by using the unsubscribe link provided in any marketing email, by adjusting your in-app preferences, or by contacting us directly.
SMS:
- ·We use your mobile number to send transactional SMS only (verification codes, and security and billing notifications). We do not use it for marketing.
14. Automated Decision-Making and AI Features
The Platform may include features that use automated Processing — including artificial-intelligence systems — to assist with matters such as preliminary legal research, document review, and the matching of Users with Consultants. These features are designed to support, and not to replace, the professional judgment of a licensed legal practitioner. The Platform does not make decisions that produce legal effects, or otherwise significantly affect you, based solely on automated Processing without meaningful human involvement. Where automated decision-making is used in a manner that significantly affects you, you have the right to request human review of the decision and to contest it.
15. Data Breach Notification
In the event of a Personal Data breach likely to result in a risk to your rights and freedoms, we will:
- ·Notify the Personal Data Protection Authority within the period required by applicable law.
- ·Notify affected Data Subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
- ·Take all reasonable steps to mitigate the breach, recover affected data, and prevent recurrence.
16. Children’s Privacy
The Platform is intended for users aged eighteen (18) years and above. We do not knowingly collect Personal Data from individuals under the age of eighteen. If we become aware that we have collected Personal Data from a minor without appropriate parental or guardian consent, we will take prompt steps to delete that data.
17. Third-Party Links and Services
The Platform may contain links to, or integrate with, third-party websites, applications, or services. We are not responsible for the privacy practices, content, or availability of such third parties. We encourage you to review the privacy notices of any third party before providing any Personal Data.
18. Amendments to this Policy
We may amend this Policy from time to time to reflect operational, legal, or regulatory changes. Material amendments will be notified through the Platform or by email. The "Effective" date at the top of this Policy indicates when it was last revised. Continued use of the Platform following such amendments constitutes acceptance of the revised Policy.
19. Complaints and the Supervisory Authority
If you believe that our Processing of your Personal Data infringes the PDPL, you have the right to:
- ·Raise the matter directly with us, in the first instance, using the channels in section 20. We will engage in good faith to resolve any concerns promptly.
- ·Lodge a complaint with the Personal Data Protection Authority of the Kingdom of Bahrain at any time.
20. Contact
For questions, requests, or complaints concerning this Policy, or to exercise any of your rights as a Data Subject, you may contact the Company through the channels set out below: