Privacy Policy

SAIL UKS02 Ltd, registered in England and Wales with company number 16535629, acts as the data controller for the personal data we process about you. We comply with the EU GDPR, the UK Data Protection Act 2018 and UK GDPR, and the DIFC Data Protection Law No. 5 of 2020.

We process personal data lawfully, fairly, and transparently. We collect it for specified purposes and keep it only as long as those purposes require. We protect it with appropriate technical and organisational measures. We are accountable for demonstrating compliance with each of those obligations.

We have appointed a Data Protection Officer to oversee our compliance and to serve as your point of contact for data protection matters.

Contact the DPO if you have questions about how your data is handled, wish to exercise your rights, or have concerns about our practices.

4.1 Recruitment and employment data

When you apply for a position with S.AI.L or during the course of your employment, we collect: contact details; date of birth for identity and right-to-work verification; identification documents including passport and driving licence; employment history; education history; right-to-work documentation; and criminal conviction data where legally permitted and relevant to the role.

We use this data to assess suitability for employment, verify identity, conduct pre-employment screening, maintain employment records, communicate throughout the recruitment process, comply with health and safety requirements, and administer payroll and benefits.

4.2 Client and business partner data

When you engage with us as a client or business partner, we collect: contact information including names, job titles, business addresses, telephone numbers, and business email addresses; professional information; communication records; financial information; and project information.

We use this data to deliver our consulting and advisory services, manage client relationships, process payments, maintain financial records, improve our services, comply with legal and regulatory requirements, and, where you have consented or we have a legitimate interest, market our services.

4.3 Website and digital communications data

When you visit our website or interact with our digital communications, we collect: technical information including IP addresses, browser types, device information, and operating systems; usage data including pages visited and navigation patterns; communication preferences; and cookies as described in our Cookie Policy.

We use this data to provide and improve our website, analyse performance, deliver relevant content, ensure security, and comply with legal obligations.

4.4 Marketing and communications data

With your consent or where we have a legitimate interest, we collect: contact preferences; marketing engagement data; event participation records; and professional interests. We use this data to send relevant communications, invite you to events, share industry insights, and improve our marketing effectiveness.

We rely on consent for marketing communications, non-essential cookies, certain data sharing, and special category data where required. You may withdraw consent at any time. Withdrawal does not affect processing that took place while consent was in force.

We rely on contract for processing employment contracts and delivering consulting services.

We rely on legal obligation for compliance with employment law, tax and accounting requirements, anti-money laundering and know-your-customer requirements, health and safety obligations, and regulatory reporting.

We rely on legitimate interests for operating and improving our business, ensuring network and information security, preventing fraud, direct marketing to existing clients and prospects, maintaining business records, and defending legal claims. Where we rely on legitimate interests, we conduct a balancing test to ensure those interests are not overridden by your rights and freedoms.

For special category data including criminal conviction data, we rely on explicit consent, employment law obligations, substantial public interest grounds, or legal claims as appropriate to the specific processing.

6.1 Group companies

We may share your data with companies wholly or partially owned by S.AI.L and with our parent company Exec X AI Ltd, to provide integrated services, share resources, and maintain consistent data protection standards. All group companies are bound by this policy and applicable law.

6.2 Employer of record services

If you have applied to work for S.AI.L, we may share your details with RemoFirst, Inc., our employer of record service provider, to facilitate employment in jurisdictions where we do not have a direct legal presence. RemoFirst's privacy policy is at remofirst.com/legal/privacypolicy. RemoFirst may further share your details with in-country partners as necessary for specific employment arrangements.

6.3 Professional service providers

If you submit a request to establish a communications channel with us via email, video call, telephone, social media, or messaging, we will send your details to Pipedrive, Inc., which provides our customer relationship management service as a data controller.

We also share data with legal advisors, accountants, IT and cloud hosting providers, marketing agencies, recruitment and background check providers, insurance providers, and banking and payment processors. All are required to maintain appropriate technical and organisational measures and to process your data only in accordance with our instructions.

6.4 Regulatory and legal authorities

We may share your data with regulators, law enforcement, courts, and other public bodies where required by law, necessary to comply with regulatory obligations, needed to protect our rights or safety, or required for the administration of justice.

6.5 Business transfers

In a merger, acquisition, or asset sale, your data may transfer to the relevant parties. Any such transfer will comply with applicable data protection law and include appropriate safeguards.

We transfer personal data to the following organisations outside the UK and EEA:

Where no adequacy decision applies, we use standard contractual clauses approved by the relevant supervisory authorities. You can request copies of those safeguards at compliance@execxai.com.

We retain personal data for as long as necessary to fulfil the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce agreements.

General retention: one calendar year from the date of last interaction or the end of our relationship, unless a specific period applies below.

Employment records: duration of employment plus seven years after termination, or as required by applicable employment law.

Client records: duration of engagement plus seven years after completion, or as required by applicable professional and regulatory obligations.

Financial records: seven years after the end of the relevant financial year, or as required by applicable tax and accounting law.

Marketing data: until you withdraw consent or object to processing, or three years from last interaction, whichever is earlier.

Legal claims: we may retain data for longer periods where necessary to establish, exercise, or defend legal claims.

When data is no longer required, we securely delete or destroy it, including both electronic and physical records.

Under applicable data protection law, you have the following rights in relation to your personal data.

Access. You may request confirmation of whether we process your data, a copy of it, and information about how we use it, who we share it with, and how long we keep it.

Rectification. You may request that we correct inaccurate or incomplete data. We will notify any third parties to whom we have disclosed it of any corrections made.

Erasure. You may request deletion of your data where it is no longer necessary for the original purpose, you withdraw consent and no other legal basis applies, you object and no overriding legitimate grounds exist, the data has been unlawfully processed, or deletion is required by law.

Restriction. You may request that we restrict processing where you contest the accuracy of the data, the processing is unlawful but you prefer restriction to deletion, we no longer need the data but you require it for legal claims, or you have objected pending verification of our legitimate grounds.

Objection. You may object to processing based on legitimate interests or for direct marketing. Where you object to direct marketing, we will stop processing immediately.

Portability. Where we process your data based on consent or contract using automated means, you may receive it in a structured, machine-readable format and transmit it to another controller.

Withdrawal of consent. Where we rely on consent, you may withdraw it at any time. Withdrawal does not affect processing that took place while consent was in force.

To exercise any of these rights, contact us at compliance@execxai.com. We will respond within one month of receipt. In complex cases, we may extend this by a further two months and will inform you of the extension and reasons. We may request information to verify your identity. We will not charge a fee unless a request is manifestly unfounded or excessive.

We use automated tools to assist with application screening, website analytics, fraud detection, and personalising marketing communications. In all cases, these tools are subject to human oversight in accordance with our Responsible AI Policy. Significant decisions affecting you will involve human judgment and consideration of your individual circumstances.

Where we engage in automated decision-making that produces legal or similarly significant effects, we will provide you with meaningful information about the logic involved, its significance, and its likely consequences. You will have the right to obtain human review of the decision, express your point of view, and contest the outcome.

Where legally permitted and relevant to the role or engagement, we may conduct criminal background checks. This includes Disclosure and Barring Service (DBS) checks in England and Wales, Access NI checks in Northern Ireland, Disclosure Scotland checks in Scotland, and equivalent checks in other jurisdictions.

We conduct such checks only where legally permitted; necessary and proportionate for the specific role; supported by a lawful basis; and where you have been informed of the check and its scope. Results are retained only as long as necessary and in accordance with our data retention policy.

To maintain service quality and support professional accountability, S.AI.L may record and transcribe Microsoft Teams calls with clients, candidates, and other participants.

Before any Teams call commences where recording or transcription is intended, we activate Microsoft Teams' "Require participant agreement for recording and transcription" feature. Participants receive an in-meeting notification and are asked to consent before any recording begins. If you do not wish to be recorded or transcribed, you may opt for a view-only meeting at which no recording or transcription will take place.

Recording is not activated for every meeting. It is enabled only where there is a specific purpose, such as quality assurance, action-item capture, or professional development.

Meeting recordings are retained for six months and deleted automatically at the end of that period, unless a shorter retention period is agreed or a legal obligation requires otherwise.

For further information on how Microsoft Teams handles participant consent for recording and transcription, see Microsoft's documentation at learn.microsoft.com/en-us/microsoftteams/meeting-recording.

The legal basis for processing personal data through Teams recordings is legitimate interests, specifically service quality and professional accountability. You may object to this processing by contacting compliance@execxai.com.

S.AI.L uses cookies and similar technologies on our website to improve your experience, understand how the site is used, and support our communications. For full details of which cookies we use, their purposes, and how to manage your preferences, see our Cookie Policy.

We update this policy when our practices, technology, or legal obligations change. The effective date at the top of this page reflects the current version. Previous versions are accessible via the archive link in the page header.

Significant changes will be communicated by posting the updated policy on our website with a new effective date and, where appropriate, by email notification.

If you have questions, concerns, or complaints about this policy or our data protection practices, contact us:

We take all privacy concerns seriously. We aim to respond within one month of receipt.

If you are not satisfied with our response, you may complain to a supervisory authority:

United Kingdom: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Telephone: 0303 123 1113. Website: ico.org.uk/makeacomplaint.

European Union: details of your local supervisory authority are at edpb.europa.eu/aboutedpb/board/members_en.

DIFC: Commissioner of Data Protection, Dubai International Financial Centre Authority, Level 14, The Gate Building. Telephone: +971 4 362 2222. Email: commissioner@dp.difc.ae.