1. Controllers and the compliance envelope
Exec x AI operates with two named controllers. The primary controller is Exec x AI Ltd, incorporated in the Dubai International Financial Centre (DIFC). Its UK affiliate, Exec x AI UKS02 Ltd, registered in England and Wales, handles user-facing touch-points for data subjects resident in the United Kingdom and the European Economic Area and operates the synchronisation of contact data into our communications processor, Bird.com.
The Regulatory Atlas is produced and curated in the DIFC. Personal data collected when you register for The Atlas, or when you transact with us, is processed under DIFC data protection law as primary, with UK and EEA mirror obligations applied where the data subject is resident in those jurisdictions. The compliance envelope, in order of primacy, is:
- DIFC Data Protection Law (DIFC Law No. 5 of 2020) and DIFC Regulation 10 (Personal Data through AI) — primary.
- UK Data Protection Act 2018 — for data subjects resident in the United Kingdom.
- UK GDPR — for data subjects resident in the United Kingdom.
- EU GDPR — residual, for visitors and data subjects resident in the European Economic Area.
Where the DIFC and the UK or EU regimes diverge, we apply the stricter standard in respect of the rights of the affected data subject. We do not use a lowest-common-denominator approach.
2. Who we are and how to contact us
2.1 Primary controller
Entity: Exec x AI Ltd
Jurisdiction: Dubai International Financial Centre (DIFC)
Registered office:
Privacy enquiries: privacy@execxai.com
General compliance:
2.2 UK and EEA touch-point
Entity: Exec x AI UKS02 Ltd
Company number:
Registered office:
2.3 Data Protection Officer
We have appointed a Data Protection Officer who oversees compliance across both controllers and serves as the named point of contact for data protection matters in any jurisdiction.
Data Protection Officer:
Alternative email:
3. Legal bases for processing
Each processing activity is anchored to a specific legal basis. The bases we rely on are set out below in DIFC and UK/EEA pairs so that a data subject in either regime can see, on the same page, the corresponding ground.
| Purpose | DIFC DPL | UK GDPR / EU GDPR |
|---|---|---|
| Account creation, authentication, and delivery of The Regulatory Atlas | Article 10(1)(b) — necessary for performance of contract | Article 6(1)(b) — contract |
| Marketing communications and AI-training telemetry | Article 10(1)(a) — consent | Article 6(1)(a) — consent |
| Operating and securing our services, fraud prevention, record-keeping | Article 10(1)(f) — legitimate interests, balanced against your rights | Article 6(1)(f) — legitimate interests |
| Compliance with law, regulator requests, tax and accounting obligations | Article 10(1)(c) — legal obligation | Article 6(1)(c) — legal obligation |
| Employment, contractor, and supplier records | Article 10(1)(b) — contract; Article 10(1)(c) — legal obligation | Article 6(1)(b) — contract; Article 6(1)(c) — legal obligation |
Where we rely on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing that took place while consent was in force.
4. The Regulatory Atlas — what we collect at registration
To register for The Regulatory Atlas at execxai.com/atlas, we collect the following personal data on a single registration form. We do not ask for more.
- First name and last name — to identify and address you.
- Company — the organisation you are reading on behalf of.
- Work email — verified by one-time passcode and used as your immutable username thereafter.
- Location — country only, ISO 3166-1 alpha-2 code, with a geolocated default that you may override.
- Password — hashed at rest using Argon2id with a per-user salt and an application-wide pepper held in our secrets store. We never see, store, or log the password in plain text.
On submission, we issue a six-digit one-time passcode to the email address you provided. The OTP is short-lived, single-use, and stored only as a salted SHA-256 hash; the plaintext code exists only in the email we send you. On successful entry we activate the account; on failure or expiry the passcode is invalidated and its record purged on the schedule in section 10. Your email becomes your username and cannot be changed.
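The passcode lifecycle above (issue, store only a salted SHA-256 hash, accept once inside a short window, purge) as an added illustration in Python. This is not Exec x AI's code; the ten-minute lifetime and the attempt cap are assumptions, because the page quantifies neither. The attempt cap matters: a six-digit code has only about 20 bits of entropy, so a salted hash protects the stored record but cannot stop online guessing on its own. Lifetime, single use and a small attempt budget are the controls that do.

```python
"""One-time passcode lifecycle with a salted SHA-256 record at rest.
Added illustration, not the operator's code. OTP_LIFETIME_SECONDS and
MAX_ATTEMPTS are assumptions; the page only says short-lived and single-use."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_LIFETIME_SECONDS = 600  # assumption: "short-lived" is not quantified on the page
MAX_ATTEMPTS = 5            # assumption: online-guessing budget for a ~20-bit code


@dataclass
class OtpRecord:
    salt: bytes        # per-issuance salt: equal codes for two users never share a digest
    digest: bytes      # SHA-256(salt || code); the code itself is never stored
    expires_at: float
    attempts: int = 0


def _digest(salt: bytes, code: str) -> bytes:
    return hashlib.sha256(salt + code.encode("ascii")).digest()


class OtpStore:
    """In-memory store keyed by email; a real deployment would use a TTL-backed table."""

    def __init__(self, clock=time.time):
        self._records: dict = {}
        self._clock = clock  # injectable so expiry can be exercised without sleeping

    def issue(self, email: str) -> str:
        code = f"{secrets.randbelow(1_000_000):06d}"  # CSPRNG-backed, zero-padded
        salt = secrets.token_bytes(16)
        self._records[email] = OtpRecord(salt, _digest(salt, code),
                                         self._clock() + OTP_LIFETIME_SECONDS)
        return code  # returned only so the caller can put it in the email

    def has_record(self, email: str) -> bool:
        return email in self._records

    def purge(self, email: str) -> None:
        self._records.pop(email, None)

    def verify(self, email: str, code: str) -> bool:
        rec = self._records.get(email)
        if rec is None:
            return False
        if self._clock() > rec.expires_at:
            self.purge(email)  # expired: remove the record rather than leave it guessable
            return False
        rec.attempts += 1
        if rec.attempts > MAX_ATTEMPTS:
            self.purge(email)  # budget exhausted: the user must request a fresh code
            return False
        if hmac.compare_digest(rec.digest, _digest(rec.salt, code)):
            self.purge(email)  # single-use: consuming the code deletes the record
            return True
        return False
```

The constant-time comparison is cheap insurance; the purge on success is what makes the code single-use, and the purge on expiry or exhaustion is what keeps a stale salted hash from lingering in storage.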
5. The five consents — what each one covers
The registration form presents five consent statements. Each is presented as an unticked box. We do not pre-tick optional consents, we do not bundle separate purposes into a single tick, and we do not use dark patterns. The first and the fifth are required for the account to exist; the three in between are independent optional consents.
5.1 Box 1 — required, data processing
Your consent for Exec x AI Ltd (DIFC) and Exec x AI UKS02 Ltd to collect, store, and process the personal data you provide on the registration form for the purposes of creating your account, authenticating you, and delivering The Regulatory Atlas. If this box is not ticked, the form cannot be submitted. You may withdraw this consent at any time by emailing privacy@execxai.com. Withdrawal closes the account; it does not affect the lawfulness of processing already carried out under the consent.
5.2 Box 2a — optional, third-party sharing
Your consent for us to share your contact details with third-party service providers outside the Exec x AI group of companies — most notably our communications processor MessageBird B.V., trading as Bird.com — for the purposes of account servicing, transactional messaging, and Atlas-related updates. If this box is not ticked, no data is sent to Bird.com at all; you remain inside our own authentication database. You may withdraw this consent at any time in your account settings.
5.3 Box 2b — optional, AI-training telemetry
Your consent for us to use your usage telemetry within The Regulatory Atlas — the dots, jurisdictions, and briefings you view, the filters you apply, and the queries you run — to train and improve the AI agent that populates The Atlas. No free-text content you submit is used for training without a separate, explicit consent obtained at the point of submission. You may withdraw this consent at any time in your account settings.
5.4 Box 2c — optional, marketing email
Your consent to receive periodic updates from Exec x AI Ltd about The Regulatory Atlas, new regulatory items, and related products and services by email. This consent is required under UK PECR (Regulation 22) and DIFC DPL for direct marketing communications. Transactional email such as one-time passcodes, password resets, and security notices is sent on the basis of contract regardless of this box. You may withdraw this consent at any time, either using the unsubscribe link in any email or in your account settings.
5.5 Box 3 — required, acknowledgement
Your acknowledgement that the information contained within The Regulatory Atlas is provided for informational and editorial purposes only, must not be used for any commercial purpose, may be incomplete, out of date, or inaccurate, and is not legal advice. You agree to obtain advice from a qualified lawyer admitted in the relevant jurisdiction before relying on any item within The Atlas in connection with a regulated activity, transaction, or decision. If this box is not ticked, the form cannot be submitted.
The exact label text of each box, the time at which you ticked it, your IP address truncated to a /24 network prefix, and a hash of your user agent are written to our consent audit log at the moment of submission. The audit log is the legal system of record for consent. See section 11.
6. Other categories of data we process
6.1 Client and business partner data
When you engage with us as a client or business partner, we collect contact information including names, job titles, business addresses, telephone numbers, and business email addresses; professional information; communication records; financial information; and project information. We use this data to deliver our consulting and advisory services, manage client relationships, process payments, maintain financial records, improve our services, comply with legal and regulatory requirements, and, where you have consented or we have a legitimate interest, market our services.
6.2 Recruitment and employment data
When you apply for a position with Exec x AI, or during the course of your employment, we collect contact details; date of birth for identity and right-to-work verification; identification documents including passport and driving licence; employment history; education history; right-to-work documentation; and, where legally permitted and relevant to the role, criminal conviction data. We use this data to assess suitability for employment, verify identity, conduct pre-employment screening, maintain employment records, communicate throughout the recruitment process, and administer payroll and benefits.
6.3 Website and digital communications
When you visit our website or interact with our digital communications, we collect technical information including IP addresses, browser types, device information, and operating systems; usage data including pages visited and navigation patterns; communication preferences; and cookies as described in our Cookie Policy. We use this data to provide and improve our website, analyse performance, deliver relevant content, ensure security, and comply with legal obligations. The cookie posture for the homepage globe and for /atlas is set out in section 13.
7. Atlas fingerprinting — protection scheme on /atlas
The Regulatory Atlas is fingerprinted per user. We make this explicit because the protection scheme involves the rendering of your email address on screen and the deterministic generation of an attributable identifier from your account.
The protection scheme has three components that are visible to you or that touch your personal data:
- Watermark overlay — your email address and a UTC timestamp are rendered diagonally across the ledger at low opacity. This is itself a processing activity and is covered by the Box 1 consent. It is intended to survive screenshots and identify any later circulation of Atlas content.
- Per-user honeypot row — one row of The Atlas, indistinguishable from a real entry, is generated deterministically from a hash of your account identifier and a server-side secret. If that row appears in a leaked dataset, the leaker is identifiable. The honeypot is disclosed in our Terms of Use for the same reason it is disclosed here: we will not rely on a covert deterrent.
- Devtools-attempt logging — we record an audit event when the browser developer tools are opened on /atlas. This is a non-blocking signal. It does not change what you see and does not prevent you from inspecting the page; it is logged for our own forensic purposes.
The legal basis for the watermark and the devtools signal is legitimate interests (Article 10(1)(f) DIFC DPL; Article 6(1)(f) UK GDPR), specifically the protection of editorial content from unauthorised commercial reuse. The legal basis for the honeypot row is the same. We have completed a balancing assessment. You may object to this processing by emailing privacy@execxai.com; if you do, we will discuss alternatives but we cannot continue to deliver The Atlas without the protection scheme, and we may close the account.
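The honeypot row described above, as an added Python illustration that is not Exec x AI's code: the row is derived with HMAC-SHA256 over the account identifier and a server-side secret, so it never needs to be stored, and a leaked dataset is attributed by recomputing every account's row and looking for a match. The secret, the row layout, the jurisdiction list and the account identifiers are constructed for the example.

```python
"""Per-user honeypot (canary) row derivation and leak attribution.
Added illustration, not the operator's code. SERVER_SECRET, JURISDICTIONS and
the row layout are constructed assumptions; in practice the secret lives in a
secrets store and the row vocabulary mirrors real Atlas entries."""
import hashlib
import hmac

SERVER_SECRET = b"constructed-example-secret-do-not-reuse"   # assumption
JURISDICTIONS = ["AE", "GB", "DE", "FR", "SG", "US", "NL", "IE"]  # constructed


def honeypot_row(account_id: str, secret: bytes = SERVER_SECRET) -> dict:
    """Deterministic: same account and secret always yield the same row.
    Each field is cut from a disjoint slice of the MAC so fields are independent."""
    tag = hmac.new(secret, account_id.encode("utf-8"), hashlib.sha256).digest()
    jurisdiction = JURISDICTIONS[tag[0] % len(JURISDICTIONS)]
    reference = f"REG-{int.from_bytes(tag[1:4], 'big') % 900_000 + 100_000}"
    effective = f"202{tag[4] % 5}-{tag[5] % 12 + 1:02d}-{tag[6] % 28 + 1:02d}"
    return {"jurisdiction": jurisdiction, "reference": reference, "effective_date": effective}


def row_key(row: dict) -> tuple:
    """Normalise a row to the fields that identify it in a leak."""
    return (row["jurisdiction"], row["reference"], row["effective_date"])


def attribute_leak(leaked_rows: list, account_ids: list, secret: bytes = SERVER_SECRET) -> list:
    """Return the accounts whose canary row appears in the leaked dataset.
    Without the secret an attacker cannot tell the canary from a real row, and
    cannot forge a canary that points at someone else."""
    leaked = {row_key(r) for r in leaked_rows}
    return [acct for acct in account_ids if row_key(honeypot_row(acct, secret)) in leaked]


def sample_attribution() -> list:
    """Constructed scenario: one genuine-looking row plus account acct-0002's canary."""
    real_row = {"jurisdiction": "GB", "reference": "REG-123456", "effective_date": "2021-03-04"}
    leaked = [real_row, honeypot_row("acct-0002")]
    return attribute_leak(leaked, ["acct-0001", "acct-0002", "acct-0003"])
```

The design point is that attribution only works while the secret stays secret and the row space is wide enough that two accounts do not collide by chance; rotating the secret silently invalidates every canary already in circulation, so rotation has to be paired with a record of which secret version each account's row was derived under.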
8. Sub-processors
We use a small number of named sub-processors to deliver our services. We do not engage further sub-processors without updating this list and giving notice. Sub-processors are bound by data processing agreements that include obligations on confidentiality, security, sub-processing, international transfers, audit, and breach notification.
8.1 Our directly engaged sub-processors
| Sub-processor | Purpose | Processing location |
|---|---|---|
| MessageBird B.V. (trading as Bird.com) | Transactional and, where consented, marketing email; contact management for Atlas Registrants | European Union (Netherlands), with onward sub-processors as listed below |
| Amazon Web Services EMEA SARL | Application hosting, database, object storage, customer-managed key management (KMS) | EU-West (Frankfurt) primary; UK-South (London) failover |
| OpenAI, L.L.C. | Agent runtime and ChatKit components for transactional AI features within The Atlas | United States, under standard contractual clauses |
| Vercel Inc. | Edge delivery of the public website; no personally identifying data is stored at the edge | Global edge network; origin in EU-West |
8.2 Bird.com onward sub-processors
Bird.com publishes its own list of approved sub-processors at docs.bird.com/applications/help-and-reference/data-protection. The list below is reproduced from that page and applies wherever you have ticked Box 2a. If Box 2a is not ticked, none of the parties below process your personal data, because no data is sent to Bird.com in the first place.
| Sub-processor | Function | Location |
|---|---|---|
| Bird Affiliates | Performance of the agreement; support services | Netherlands, United Kingdom, United States |
| Anthropic Ireland Ltd. | Customer-support AI LLM service provider | United States |
| Amazon Web Services EMEA SARL | Cloud hosting for multiple Bird platform services | Ireland, India, United States |
| Google Cloud EMEA Limited | Cloud hosting (SMS, voice, numbers, contacts, WhatsApp, RCS) | Netherlands, Belgium, Singapore, United Kingdom, United States |
| Clickhouse Inc. | Analytics database service provider | Ireland |
| Microsoft Azure | Cloud hosting (numbers) | Netherlands, Hong Kong, United States |
| WhatsApp Ireland Limited | Provision of WhatsApp for Business services | European Union, United States |
| Google Ireland Limited (Jibe Mobile Ltd.) | Provision of Google Business Messages (RCS) | European Union |
| LiveKit Inc. | Conduit processing of video and audio streams | Global |
| Sentry | Error monitoring | United States |
| Postmark | Dashboard log management and analysis | United States |
| Digital Ocean | TURN server provider | Netherlands |
| Flowmailer | Email service provider | Netherlands |
| Luzmo | In-app dashboard provider | Ireland |
| Hubper | Online learning academy | Netherlands |
| Twilio | SMS and phone-number verification | Global |
8.3 Other recipients of business data
Outside the Atlas context, we share business and employment data with legal advisers, accountants, IT and cloud hosting providers, marketing agencies, recruitment and background check providers, insurance providers, and banking and payment processors. All are required to maintain appropriate technical and organisational measures and to process your data only on our instructions. Where you engage with us through our customer relationship management platform, Pipedrive, Inc., your business contact details are processed by that controller in addition to us.
8.4 Regulatory and legal authorities
We may share data with regulators, law enforcement, courts, and other public bodies where required by law, necessary to comply with regulatory obligations, or needed to protect our rights or safety. We do not provide bulk access and we do not respond to informal requests.
9. Storage, encryption, and international transfers
Personal data we control is stored in EU-West (Frankfurt) as the primary region, with UK-South (London) as the failover region. Frankfurt is within the European Economic Area and London is within the United Kingdom. We do not store EEA or UK personal data in a United States region.
Data at rest is encrypted with AES-256 under customer-managed keys held in AWS Key Management Service. Data in transit is protected by TLS 1.3 as a minimum. Keys are rotated on a documented schedule. Key material stays inside AWS KMS, which is bound by the sub-processor terms in section 8; it is not exported to or held by any other third party.
For cross-border transfers we rely on the following safeguards:
- MessageBird B.V. (Bird.com) — Standard Contractual Clauses are in place. The data processing agreement was executed on [DATE — to confirm before publication].
- Amazon Web Services — EU-region by default; no cross-border transfer is anticipated under normal operation. Where AWS engineering support requires access from a non-EU region, AWS's published Standard Contractual Clauses apply.
- OpenAI, L.L.C. — Standard Contractual Clauses are in place; transfers are limited to the data necessary to operate the ChatKit and agent components inside The Atlas.
- Exec x AI Ltd (DIFC) — transfers between the UK affiliate and the DIFC parent rely on the DIFC adequacy framework and on the intra-group data processing agreement.
You can request copies of the relevant safeguards by emailing privacy@execxai.com.
10. Retention
We retain personal data only for as long as is necessary for the purposes for which it was collected and for any further period required by law, contract, or the defence of legal claims. The periods set out below apply specifically to The Regulatory Atlas and to the related authentication and communications data. Retention for client, employment, and financial records follows the longer of contractual and statutory requirements.
- Active Atlas account — retained for as long as the account remains in active use.
- Dormant Atlas account — soft-deleted at 24 months of inactivity, with hard-deletion 30 days after soft-deletion. Soft-deletion suspends access; hard-deletion removes the record.
- One-time passcode records — purged 24 hours after consumption or expiry, whichever is earlier. Only a salted hash of the OTP is ever stored.
- Consent audit log — retained for seven years from the date of the relevant consent event. This period reflects the statute-of-limitations buffer applicable to disputes about lawful basis.
- Employment records — duration of employment plus seven years after termination, or as required by applicable employment law.
- Client records — duration of engagement plus seven years after completion, or as required by applicable professional and regulatory obligations.
- Financial records — seven years after the end of the relevant financial year, or as required by applicable tax and accounting law.
- Website and analytics data — retained for the period set out in the Cookie Policy.
When data is no longer required, we delete or destroy it securely, including both electronic and physical records.
11. Audit log — the system of record for consent
We maintain a segregated, append-only audit log that captures, at minimum, the events listed below. This log is the legal system of record for consent and for the lifecycle of the account. Downstream copies, including the state of any consent flag inside Bird.com, are reconciled to the audit log.
- Registration submitted — timestamp, IP truncated to /24, hashed user agent.
- One-time passcode issued, consumed, or expired — with timestamp.
- Each consent box state at submission, with the exact label text version that was displayed at the moment of consent.
- Account activated.
- Subsequent consent toggles in account settings — before and after values, timestamp.
- Login events — success or failure.
- Password reset events.
- Bird.com sync events — success or failure.
The audit log is retained for seven years on the schedule set out in section 10 and is available to a regulator on lawful request.
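The registration record described in sections 5 and 11 (label text, timestamp, IP truncated to /24, hashed user agent, each box state) and the append-only property of the log, as an added Python illustration that is not Exec x AI's code. The field names are assumptions. Two additions go beyond the page and are labelled as such: IPv6 addresses are truncated to /48, since a /24 only makes sense for IPv4, and each entry carries the hash of the previous one so that an edited or deleted entry breaks verification from that point onward.

```python
"""Consent audit record construction and a hash-chained append-only log.
Added illustration, not the operator's code. Field names, the IPv6 /48 rule
and the hash chain are assumptions; the recorded fields come from sections 5 and 11."""
import hashlib
import ipaddress
import json


def truncate_ip(ip: str) -> str:
    """/24 for IPv4 as the page states; /48 for IPv6 is an assumption."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def hash_user_agent(ua: str) -> str:
    return hashlib.sha256(ua.encode("utf-8")).hexdigest()


def consent_record(email: str, ts: str, ip: str, ua: str, label_version: str, boxes: dict) -> dict:
    """boxes maps a box id to (exact label text shown, ticked?)."""
    return {
        "event": "registration_submitted",
        "subject": email,
        "ts": ts,
        "ip_prefix": truncate_ip(ip),
        "ua_sha256": hash_user_agent(ua),
        "label_version": label_version,
        "consents": {box: {"label": label, "ticked": ticked} for box, (label, ticked) in boxes.items()},
    }


def _canonical(record: dict) -> str:
    # Stable serialisation so the same record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


class AuditLog:
    """Append-only by construction: entry N commits to entry N-1's hash."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry_hash = hashlib.sha256((prev + _canonical(record)).encode()).hexdigest()
        self.entries.append({"prev_hash": prev, "record": record, "entry_hash": entry_hash})
        return entry_hash

    def verify(self) -> bool:
        """Recompute the chain; any edit, deletion or reorder returns False."""
        prev = self.GENESIS
        for e in self.entries:
            expected = hashlib.sha256((prev + _canonical(e["record"])).encode()).hexdigest()
            if e["prev_hash"] != prev or e["entry_hash"] != expected:
                return False
            prev = e["entry_hash"]
        return True


def build_sample_log() -> AuditLog:
    """Constructed registration followed by a consent toggle in account settings."""
    log = AuditLog()
    log.append(consent_record(
        "reader@example.com", "2024-05-01T09:30:00Z", "203.0.113.57", "Mozilla/5.0 (constructed)",
        "labels-v3",
        {"1": ("Required data processing consent", True),
         "2a": ("Third-party sharing (Bird.com)", False),
         "2b": ("AI-training telemetry", True),
         "2c": ("Marketing email", False),
         "3": ("Acknowledgement of editorial nature", True)}))
    log.append({"event": "consent_toggled", "subject": "reader@example.com",
                "ts": "2024-06-12T14:02:00Z", "box": "2a", "before": False, "after": True})
    return log
```

The chain only detects tampering after the fact; to make it tamper-evident to a third party, the head hash has to be periodically anchored somewhere the log writer cannot rewrite, such as a write-once store or a signed timestamp.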
12. Your rights
You have a set of rights in respect of personal data we process about you. The DIFC DPL, UK GDPR, and EU GDPR all provide substantially equivalent rights; we have mapped them to the most efficient route to exercise each right.
Access. You may request a copy of the personal data we hold about you and information about how we use it. Use our DSAR endpoint at /legal/dsar. We will respond within 30 days of receipt; in complex cases we may extend by a further two months and will tell you why.
Rectification. You may correct most inaccurate or incomplete data directly in your Atlas account settings. Where that is not possible, email privacy@execxai.com.
Erasure. You may erase your Atlas account yourself through account settings. We apply a 14-day grace period during which the request can be cancelled; on expiry we hard-delete the account record. Audit log entries required for statute-of-limitations purposes are retained on the schedule in section 10.
Portability. You may export your Atlas data as a structured JSON file from account settings.
Withdrawal of consent. You may withdraw any consent at any time. The optional consents (Box 2a, Box 2b, Box 2c) can be toggled in account settings. To withdraw the required Box 1 consent, email privacy@execxai.com; this closes the Atlas account, and the lawfulness of past processing carried out while the consent was in force is not affected.
Objection and restriction. You may object to processing based on legitimate interests, including the Atlas protection scheme described in section 7, or ask us to restrict processing in defined circumstances. Email privacy@execxai.com. Where you object to direct marketing, we stop immediately.
Complaint. If we have not handled your data to your satisfaction, you may complain to the DIFC Commissioner of Data Protection, the UK Information Commissioner's Office, or your local EEA supervisory authority. Contact details are in section 15.
13. Cookies and analytics
Our analytics posture is structured around the pre-auth / post-auth split that runs through the rest of this policy.
13.1 Pre-auth — the homepage globe
Before you have authenticated, no tracking cookies are set and no analytics scripts are loaded. We maintain anonymous, aggregate counters on the server side — for example, the count of dot-clicks by jurisdiction — that cannot be tied to a visitor. Strictly necessary cookies, for security, load balancing, and language, are set on the basis of legitimate interests in line with ICO and DIFC guidance.
13.2 Post-auth — /atlas
Once you are signed in, the usage telemetry described in Box 2b is collected only if you have ticked that box. If you have not, only strictly necessary cookies are used. You may revoke the Box 2b consent at any time in account settings; telemetry collection stops as soon as the toggle is saved.
13.3 General cookie policy
For the full schedule of cookies and similar technologies, including their purposes, durations, and how to manage them in your browser, see the Cookie Policy.
14. Automated decision-making and AI
We use automated tools to assist with website analytics, fraud detection, and the curation of The Regulatory Atlas itself. These tools are subject to human oversight in accordance with our Responsible AI Policy. Significant decisions affecting you involve human judgment.
DIFC Regulation 10 (Personal Data through AI) applies to our processing where AI systems are used on personal data. We have completed the required impact assessment and recorded the AI inventory, the roles of providers and deployers, and the residual risk. Where a decision produces a legal or similarly significant effect on you, you have the right to obtain human review, to express your point of view, and to contest the outcome by emailing privacy@execxai.com.
15. Contact and complaints
If you have questions, concerns, or complaints about this policy, write to us first. We aim to respond within 30 days.
Privacy enquiries: privacy@execxai.com
DSAR endpoint: /legal/dsar
Data Protection Officer:
DPO email:
If you are not satisfied with our response, you may complain to a supervisory authority:
- DIFC: Commissioner of Data Protection, Dubai International Financial Centre Authority, Level 14, The Gate Building. Telephone: +971 4 362 2222. Email: commissioner@dp.difc.ae.
- United Kingdom: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Telephone: 0303 123 1113. Website: ico.org.uk/makeacomplaint.
- European Union: details of your local supervisory authority are at edpb.europa.eu/aboutedpb/board/members_en.
16. Changes to this policy
We update this policy when our practices, technology, legal obligations, or sub-processor arrangements change. The effective date at the top of this page reflects the current version. Significant changes will be communicated by posting the updated policy here with a new effective date and, where appropriate, by email notification. Previous versions are accessible from the archive link in the page header.