1. Controllers and the compliance envelope
Exec x AI operates with two named controllers. The primary controller is Exec X AI Ltd, incorporated in the Dubai International Financial Centre (DIFC). Its UK affiliate, Exec x AI UKS02 Ltd, registered in England and Wales, is the entity that handles user-facing touch-points for data subjects resident in the United Kingdom and the European Economic Area, and is the entity that operates the synchronisation of contact data into our communications processor, Bird.com
The Regulatory Atlas is produced and curated in the DIFC. Personal data collected when you register for The Atlas, or when you transact with us, is processed under DIFC data protection law as primary, with UK and EEA mirror obligations applied where the data subject is resident in those jurisdictions. The compliance envelope, in order of primacy, is:
- DIFC Data Protection Law (DIFC Law No. 5 of 2020) and DIFC Regulation 10 (Personal Data through AI) — primary.
- UK Data Protection Act 2018 — for data subjects resident in the United Kingdom.
- UK GDPR — for data subjects resident in the United Kingdom.
- EU GDPR — residual, for visitors and data subjects resident in the European Economic Area.
Where the DIFC and the UK or EU regimes diverge, we apply the stricter standard in respect of the rights of the affected data subject. We do not use a lowest-common-denominator approach
2. Who we are and how to contact us
2.1 Primary controller
Entity
Jurisdiction
Registered office
Privacy enquiries
General compliance
2.2 UK and EEA touch-point
Entity
Company number
Registered office
2.3 Data Protection Officer
We have appointed a Data Protection Officer who oversees compliance across both controllers and serves as the named point of contact for data protection matters in any jurisdiction
Data Protection Officer
Alternative email
3. Legal bases for processing
Each processing activity is anchored to a specific legal basis. The bases we rely on are set out below in DIFC and UK/EEA pairs so that a data subject in either regime can see, on the same page, the corresponding ground
| Purpose | DIFC DPL | UK GDPR / EU GDPR |
|---|---|---|
| Account creation, authentication, and delivery of The Regulatory Atlas | Article 10(1)(b) — necessary for performance of contract | Article 6(1)(b) — contract |
| Marketing communications and AI-training telemetry | Article 10 — consent | Article 6(1)(a) — consent |
| Operating and securing our services, fraud prevention, record-keeping | Article 10(1)(f) — legitimate interests, balanced against your rights | Article 6(1)(f) — legitimate interests |
| Compliance with law, regulator requests, tax and accounting obligations | Article 10(1)(c) — legal obligation | Article 6(1)(c) — legal obligation |
| Employment, contractor, and supplier records | Article 10(1)(b) — contract; Article 10(1)(c) — legal obligation | Article 6(1)(b) — contract; Article 6(1)(c) — legal obligation |
Where we rely on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing that took place while consent was in force
4. The Regulatory Atlas — what we collect at registration
To register for The Regulatory Atlas at execxai.com/atlas, we collect the following personal data on a single registration form. We do not ask for more
- First name and last name — to identify and address you.
- Company — the organisation you are reading on behalf of.
- Work email — verified by one-time passcode and used as your immutable username thereafter.
- Location — country only, ISO 3166-1 alpha-2 code, with a geolocated default that you may override.
- Password — hashed at rest using Argon2id with a per-user salt and an application-wide pepper held in our secrets store. We never see, store, or log the password in plain text.
On submission, we issue a six-digit one-time passcode to the email address you provided. The OTP is short-lived, single-use, and stored only as a salted SHA-256 hash. On successful entry we activate the account; on failure or expiry, the OTP is purged. Your email becomes your username and cannot be changed
5. Atlas registration — what we collect and on what basis
5.0 Atlas registration summary
Controllers and joint processing. Exec x AI Ltd (DIFC) and its UK affiliate Exec X AI UKS02 Ltd act as joint controllers for personal data submitted via Atlas registration
Personal data collected on Atlas registration. Name, company, email, and approximate location
Purposes. Account creation, authentication, and delivery of The Regulatory Atlas
Legal frameworks. Processing is carried out under the DIFC Data Protection Law (DIFC Law No. 5 of 2020), the UK Data Protection Act 2018, and UK GDPR
Sub-processors. Includes (but not limited to) MessageBird / Bird.com for transactional and account communications. Standard contractual clauses are in place where international transfers occur. A current sub-processor list is maintained at www.execxai.com/legal/sub-processors
Withdrawing consent. Users may withdraw any consent by emailing privacy@execxai.com or via account settings. Withdrawal of the Required consent will close the Atlas account but does not affect the lawfulness of processing already carried out
AI training scope. Telemetry (items viewed, filters applied, queries run) may be used to improve the AI underlying the Atlas where the user has opted in. Free-text submissions are never used for training without separate, explicit consent
The registration form presents four consent statements. Each is presented as an unticked box. We do not pre-tick optional consents, we do not bundle separate purposes into a single tick, and we do not use dark patterns. The first is required for the account to exist; the other three are independent optional consents. A footer disclaimer appears beneath the fieldset and is shown to every user; it is not a tickable consent
5.1 Box 1 — required, account creation
Your agreement that Exec X AI Ltd (DIFC) and Exec x AI UKS02 Ltd may create your Atlas account and process the details you provide on the registration form. If this box is not ticked, the form cannot be submitted. You may withdraw this consent at any time by emailing privacy@execxai.com. Withdrawal closes the account; it does not affect the lawfulness of processing already carried out under the consent
5.2 Box 2 — optional, third-party sharing
Your agreement that Exec x AI may share your contact details with its service providers — most notably our communications processor MessageBird B.V., trading as Bird.com — to support your account and send Atlas updates. If this box is not ticked, no data is sent to Bird.com at all; you remain inside our own authentication database. You may withdraw this consent at any time in your account settings
5.3 Box 3 — optional, AI-training telemetry
Your agreement that your Atlas activity (items viewed, filters used, queries run) can be used to improve the AI behind the Atlas. Free-text you submit is not used for training without separate, explicit consent obtained at the point of submission. You may withdraw this consent at any time in your account settings
5.4 Box 4 — optional, marketing email
Your agreement to receive occasional emails from Exec x AI about the Atlas, new regulatory items, and related services. This consent is required under UK PECR (Regulation 22) and DIFC DPL for direct marketing communications. Transactional email such as one-time passcodes, password resets, and security notices is sent on the basis of contract regardless of this box. You can unsubscribe at any time, either using the unsubscribe link in any email or in your account settings
5.5 Footer disclaimer (shown to every user)
Beneath the consent fieldset every user is shown the following plain-text disclaimer: “The Regulatory Atlas is for general information only. It is not legal advice and may be incomplete or out of date. Always speak to a qualified lawyer in the relevant jurisdiction before relying on it for any regulated activity, transaction, or decision. No commercial use.” This text is not a tickable consent; it is a universal acknowledgement of scope. Submission of the form is treated as your acknowledgement of this scope alongside Box 1
The exact label text of each box, the footer text version, the time at which you ticked the boxes, the truncated /24 of your IP address, and a hash of your user agent are written to our consent audit log at the moment of submission. The audit log is the legal system of record for consent. See section 11
6. Other categories of data we process
6.1 Client and business partner data
When you engage with us as a client or business partner, we collect contact information including names, job titles, business addresses, telephone numbers, and business email addresses; professional information; communication records; financial information; and project information. We use this data to deliver our consulting and advisory services, manage client relationships, process payments, maintain financial records, improve our services, comply with legal and regulatory requirements, and, where you have consented or we have a legitimate interest, market our services
6.2 Recruitment and employment data
When you apply for a position with Exec x AI, or during the course of your employment, we collect contact details; date of birth for identity and right-to-work verification; identification documents including passport and driving licence; employment history; education history; right-to-work documentation; and, where legally permitted and relevant to the role, criminal conviction data. We use this data to assess suitability for employment, verify identity, conduct pre-employment screening, maintain employment records, communicate throughout the recruitment process, and administer payroll and benefits
6.3 Website and digital communications
When you visit our website or interact with our digital communications, we collect technical information including IP addresses, browser types, device information, and operating systems; usage data including pages visited and navigation patterns; communication preferences; and cookies as described in our Cookie Policy. We use this data to provide and improve our website, analyse performance, deliver relevant content, ensure security, and comply with legal obligations. The cookie posture for the homepage globe and for /atlas is set out in section 13
6.2A Candidate privacy notice
6.2A.1 What this section covers
This section supplements section 6.2. It applies when you apply for a role with Exec x AI, including consultant roles you apply for through our careers pages at execxai.com/careers and our consultant application page. Section 6.2 sets out the wider recruitment and employment position. This section explains how we handle the data you give us as an applicant, before any employment or engagement begins
6.2A.2 Candidate data we collect
We collect the identity and contact data you submit. This includes your name, email address, telephone number and any professional profile link you provide. We collect the structured profile you complete on the application form. This covers your years of consulting experience, whether you have led client accounts, whether you have AI consulting experience, whether you have built an AI agent, and the note you add to each answer. We collect your CV or résumé file. We generate a candidate reference for you, and we generate the assessment outputs described in 6.2A.5
We also collect candidate data from other sources. Those sources are the recruitment agencies and referrers who introduce you, public professional profiles such as LinkedIn, and the background-check and right-to-work providers who verify what you tell us
6.2A.3 Why we process candidate data and our legal bases
We process candidate data to assess your suitability and to run our selection process. We also verify your identity and right to work, keep records of our decisions, defend legal claims, and improve our recruitment. Where you agree, we keep you on file for future roles. Each purpose is anchored to a legal basis. The table below pairs the DIFC basis with the UK and EU basis, as section 3 does
| Purpose | DIFC DPL | UK GDPR / EU GDPR |
|---|---|---|
| Assessing your application, screening, interview and selection, as steps taken at your request before any contract | Article 10(1)(b), pre-contract steps | Article 6(1)(b), pre-contract steps |
| Assessment and scoring, identity and fraud checks, recruitment analytics, defence of legal claims, security of our systems | Article 10(1)(f), legitimate interests | Article 6(1)(f), legitimate interests |
| Verifying right to work, and meeting immigration, tax and statutory employment duties | Article 10(1)(c), legal obligation | Article 6(1)(c), legal obligation |
| Keeping you on file for future roles, and recruitment marketing | Article 10, consent | Article 6(1)(a), consent |
| Health data for reasonable adjustments, and criminal record data where the role and the law allow | Article 11, special categories conditions | Article 9 / Article 10, with a Schedule 1 condition under the UK Data Protection Act 2018 |
Where we rely on legitimate interests, we have carried out a balancing assessment, and we will provide it on request. Where we rely on consent, you may withdraw it at any time, and withdrawal does not affect processing already carried out
6.2A.4 Health and criminal record data
We do not ask for health data or criminal record data at the application stage unless the role requires it. Where we do, we process health data to make reasonable adjustments for you during selection. We process criminal record data only where the role and the law permit. For this data we rely on an employment condition, and on a substantial public interest condition where relevant, under Schedule 1 of the UK Data Protection Act 2018, the conditions in UK and EU GDPR Articles 9 and 10, and the special categories conditions in Article 11 of the DIFC Data Protection Law. We keep the appropriate policy document that the UK regime requires for this data
6.2A.5 Automated screening and AI assistance
We use an automated screening workflow, operated for us by AppliedAI through its Opus platform, to read your CV and structured profile and to produce an advisory recommendation. The recommendation is a score and a written summary. A member of our team reviews it. The recommendation supports a human decision, and it does not by itself decide the outcome of your application. We keep an audit record of each assessment
This processing uses AI on your personal data, so DIFC Regulation 10 applies, and we have completed the required impact assessment. You have the right to obtain human review of any decision that produces a legal or similarly significant effect on you, to express your point of view, and to contest the outcome. To exercise these rights, email privacy@execxai.com
6.2A.6 Sharing within the Exec x AI group
We share candidate data with Exec X AI Ltd in the DIFC, with Exec x AI UKS02 Ltd in the United Kingdom, and with any present or future company in the Exec x AI group that is involved in recruitment, assessment, talent planning or the administration of our systems. Group sharing relies on our legitimate interests and on an intra-group data processing agreement. Where we later engage you, your data passes into employment records under section 10
6.2A.7 Processors and other recipients
We use a small number of processors and recipients to run recruitment. Each processor is bound by a data processing agreement that covers confidentiality, security, sub-processing, international transfers, audit and breach notification. The recipients are set out below
| Recipient | Purpose | Location and safeguard |
|---|---|---|
| AppliedAI (operator of the Opus screening workflow) | Automated screening of your CV and profile to produce an advisory recommendation for our human reviewers | Standard contractual clauses or the UK International Data Transfer Agreement where data is processed outside the UK, EEA or DIFC |
| Background-check and right-to-work providers | Identity, right-to-work and pre-employment checks | Data processing agreement; SCCs or UK IDTA where applicable |
| Application data store (Vercel Inc. and Upstash) | Hosting the application and assessment records behind our internal recruitment board | EU and UK regions; SCCs or UK IDTA for any onward transfer |
| MessageBird B.V. (Bird.com) | Candidate communications | European Union (Netherlands); SCCs where applicable |
| Recruitment agencies and referrers | Sourcing and introducing candidates | Data processing agreement, or controller-to-controller terms where they act as a separate controller |
Where an agency or referrer acts as a separate controller, we share candidate data with it under controller-to-controller terms, and its own privacy notice also applies
6.2A.8 International transfers
We hold candidate data in our EU-West (Frankfurt) primary region and our UK-South (London) failover region, as set out in section 9. Where a recipient processes candidate data outside the United Kingdom, the European Economic Area or the DIFC, we put a transfer mechanism in place before the transfer happens. We rely on the UK International Data Transfer Agreement or the UK Addendum, the EU standard contractual clauses, and the DIFC adequacy framework, according to the route of the transfer. You can ask for a copy of the relevant safeguard by emailing privacy@execxai.com
6.2A.9 How long we keep candidate data
If your application does not lead to an engagement, we keep your candidate data for 12 months from the date of the decision. We rely on legitimate interests for this period, so that we can handle re-applications, answer questions about the process, and defend potential claims. We keep your data for longer only where you consent to join our talent pool, and we review that consent every 24 months. If your application leads to an engagement, your data moves into employment records and follows the retention period in section 10
6.2A.10 Your rights
Your rights are set out in section 12, and they apply in full to candidate data. You may ask for access to your data, ask us to correct it, ask us to delete it, object to processing based on legitimate interests, including the screening described in 6.2A.5, and withdraw any consent you have given. You may also ask for human review of an automated decision. Use the DSAR endpoint at execxai.com/legal/dsar, or email privacy@execxai.com. We will respond within 30 days, and we will tell you if we need the further time the law allows
6.2A.11 Information you give us
You are responsible for the accuracy of the information you submit, and for holding the right to share any third-party information you include. Some information is needed by law, or to take steps towards an engagement, for example evidence of your right to work. If you do not provide it, we may be unable to progress your application, and we will tell you where this is the case
7. Atlas fingerprinting — protection scheme on /atlas
The Regulatory Atlas is fingerprinted per user. We make this explicit because the protection scheme involves the rendering of your email address on screen and the deterministic generation of an attributable identifier from your account
The protection scheme has three components that are visible to you or that touch your personal data:
- Watermark overlay — your email address and a UTC timestamp are rendered diagonally across the ledger at low opacity. This is itself a processing activity and is covered by the Box 1 consent. It is intended to survive screenshots and identify any later circulation of Atlas content.
- Per-user honeypot row — one row of The Atlas, indistinguishable from a real entry, is generated deterministically from a hash of your account identifier and a server-side secret. If that row appears in a leaked dataset, the leaker is identifiable. The honeypot is disclosed in our Terms of Use for the same reason it is disclosed here: we will not rely on a covert deterrent.
- Devtools-attempt logging — we record an audit event when the browser developer tools are opened on /atlas. This is a non-blocking signal. It does not change what you see and does not prevent you from inspecting the page; it is logged for our own forensic purposes.
The legal basis for the watermark and the devtools signal is legitimate interests (Article 10(1)(f) DIFC DPL; Article 6(1)(f) UK GDPR), specifically the protection of editorial content from unauthorised commercial reuse. The legal basis for the honeypot row is the same. We have completed a balancing assessment. You may object to this processing by emailing privacy@execxai.com; if you do, we will discuss alternatives but we cannot continue to deliver The Atlas without the protection scheme, and we may close the account
8. Sub-processors
We use a small number of named sub-processors to deliver our services. We do not engage further sub-processors without updating this list and giving notice. Sub-processors are bound by data processing agreements that include obligations on confidentiality, security, sub-processing, international transfers, audit, and breach notification
8.1 Our directly engaged sub-processors
| Sub-processor | Purpose | Processing location |
|---|---|---|
| MessageBird B.V. (trading as Bird.com) | Transactional and, where consented, marketing email; contact management for Atlas Registrants | European Union (Netherlands), with onward sub-processors as listed below |
| Microsoft Corporation | Application hosting, database, object storage, customer-managed key management (KMS) | UAE-North (primary), EU-West (Frankfurt) or UK-South failover |
| OpenAI, L.L.C. | Agent runtime and ChatKit components for transactional AI features within The Atlas | United States, under standard contractual clauses |
| Vercel Inc. | Edge delivery of the public website; no personally identifying data is stored at the edge | Global edge network; origin in EU-West |
| Applied Intelligence Corporation (trading as Opus) | Agentic AI platform enabling Exec x AI to build, run and optimise workflows | TBC |
8.2 Bird.com onward sub-processors
Bird.com publishes its own list of approved sub-processors at docs.bird.com/applications/help-and-reference/data- protection. The list below is reproduced from that page and applies wherever you have ticked Box 2a. If Box 2a is not ticked, none of the parties below process your personal data, because no data is sent to Bird.com in the first place
| Sub-processor | Function | Location |
|---|---|---|
| Bird Affiliates | Performance of the agreement; support services | Netherlands, United Kingdom, United States |
| Anthropic Ireland Ltd. | Customer-support AI LLM service provider | United States |
| Amazon Web Services EMEA SARL | Cloud hosting for multiple Bird platform services | Ireland, India, United States |
| Google Cloud EMEA Limited | Cloud hosting (SMS, voice, numbers, contacts, WhatsApp, RCS) | Netherlands, Belgium, Singapore, United Kingdom, United States |
| Clickhouse Inc. | Analytics database service provider | Ireland |
| Microsoft Azure | Cloud hosting (numbers) | Netherlands, Hong Kong, United States |
| WhatsApp Ireland Limited | Provision of WhatsApp for Business services | European Union, United States |
| Google Ireland Limited (Jibe Mobile Ltd.) | Provision of Google Business Messages (RCS) | European Union |
| LiveKit Inc. | Conduit processing of video and audio streams | Global |
| Sentry | Error monitoring | United States |
| Postmark | Dashboard log management and analysis | United States |
| Digital Ocean | TURN server provider | Netherlands |
| Flowmailer | Email service provider | Netherlands |
| Luzmo | In-app dashboard provider | Ireland |
| Hubper | Online learning academy | Netherlands |
| Twilio | SMS and phone-number verification | Global |
8.3 Other recipients of business data
Outside the Atlas context, we share business and employment data with legal advisers, accountants, IT and cloud hosting providers, marketing agencies, recruitment and background check providers, insurance providers, and banking and payment processors. All are required to maintain appropriate technical and organisational measures and to process your data only on our instructions. Where you engage with us through our customer relationship management platform, Pipedrive, Inc., your business contact details are processed by that controller in addition to us
8.4 Regulatory and legal authorities
We may share data with regulators, law enforcement, courts, and other public bodies where required by law, necessary to comply with regulatory obligations, or needed to protect our rights or safety. We do not provide bulk access and we do not respond to informal requests
9. Storage, encryption, and international transfers
Personal data we control is stored in EU-West (Frankfurt) as the primary region, with UK-South (London) as the failover region. Both regions are within the European Economic Area and the United Kingdom respectively. We do not store EEA or UK personal data in a United States region
Data at rest is encrypted with AES-256 under customer-managed keys held in AWS Key Management Service. Data in transit is protected by TLS 1.3 as a minimum. Keys are rotated on a documented schedule and are not held by any third party
For cross-border transfers we rely on the following safeguards:
- MessageBird B.V. (Bird.com) — Standard Contractual Clauses are in place. The data processing agreement was executed on [DATE — to confirm before publication].
- Microsoft Corporation - UAE North by default; no cross border transfer is anticipated under normal operation. Where Azure engineering support requires access from a non-EU region, Microsoft's published Standard Contractual Clauses apply.
- OpenAI, L.L.C. — Standard Contractual Clauses are in place; transfers are limited to the data necessary to operate the ChatKit and agent components inside The Atlas.
- Exec X AI Ltd (DIFC) — transfers between the UK affiliate and the DIFC parent rely on the DIFC adequacy framework and on the intra-group data processing agreement.
You can request copies of the relevant safeguards by emailing privacy@execxai.com
10. Retention
We retain personal data only for as long as is necessary for the purposes for which it was collected and for any further period required by law, contract, or the defence of legal claims. The periods set out below apply specifically to The Regulatory Atlas and to the related authentication and communications data. Retention for client, employment, and financial records follows the longer of contractual and statutory requirements
- Active Atlas account — retained indefinitely while the account is in active use.
- Dormant Atlas account — soft-deleted at 24 months of inactivity, with hard-deletion 30 days after soft-deletion. Soft-deletion suspends access; hard-deletion removes the record.
- One-time passcode records — purged 24 hours after consumption or expiry, whichever is earlier. Only a salted hash of the OTP is ever stored.
- Consent audit log — retained for 7 years from the date of the relevant consent event. This period reflects the statute-of-limitations buffer applicable to disputes about lawful basis.
- Employment records — duration of employment plus seven years after termination, or as required by applicable employment law.
- Client records — duration of engagement plus seven years after completion, or as required by applicable professional and regulatory obligations.
- Financial records — seven years after the end of the relevant financial year, or as required by applicable tax and accounting law.
- Website and analytics data — retained for the period set out in the Cookie Policy.
When data is no longer required, we delete or destroy it securely, including both electronic and physical records
11. Audit log — the system of record for consent
We maintain a segregated, append-only audit log that captures, at minimum, the events listed below. This log is the legal system of record for consent and for the lifecycle of the account. Downstream copies, including the state of any consent flag inside Bird.com, are reconciled to the audit log
- Registration submitted — timestamp, IP truncated to /24, hashed user agent.
- One-time passcode issued, consumed, or expired — with timestamp.
- Each consent box state at submission, with the exact label text version that was displayed at the moment of consent.
- Account activated.
- Subsequent consent toggles in account settings — before and after values, timestamp.
- Login events — success or failure.
- Password reset events.
- Bird.com sync events — success or failure.
The audit log is retained for seven years on the schedule set out in section 10 and is available to a regulator on lawful request
12. Your rights
You have a set of rights in respect of personal data we process about you. The DIFC DPL, UK GDPR, and EU GDPR all provide substantially equivalent rights; we have mapped them to the most efficient route to exercise each right
Access. You may request a copy of the personal data we hold about you and information about how we use it. Use our DSAR endpoint at /legal/dsar. We will respond within 30 days of receipt; in complex cases we may extend by a further two months and will tell you why
Rectification. You may correct most inaccurate or incomplete data directly in your Atlas account settings. Where that is not possible, email privacy@execxai.com
Erasure. You may erase your Atlas account yourself through account settings. We apply a 14-day grace period during which the request can be cancelled; on expiry we hard-delete the account record. Audit log entries required for statute-of-limitations purposes are retained on the schedule in section 10
Portability. You may export your Atlas data as a structured JSON file from account settings
Withdrawal of consent. You may withdraw any consent at any time. The optional consents (Box 2a, Box 2b, Box 2c) can be toggled in account settings. To withdraw the required Box 1 consent, email privacy@execxai.com; this closes the Atlas account, and the lawfulness of past processing carried out while the consent was in force is not affected
Objection and restriction. You may object to processing based on legitimate interests, including the Atlas protection scheme described in section 7, or ask us to restrict processing in defined circumstances. Email privacy@execxai.com. Where you object to direct marketing, we stop immediately
Complaint. If we have not handled your data to your satisfaction, you may complain to the DIFC Commissioner of Data Protection, the UK Information Commissioner's Office, or your local EEA supervisory authority. Contact details are in section 15
14. Automated decision-making and AI
We use automated tools to assist with website analytics, fraud detection, and the curation of The Regulatory Atlas itself. These tools are subject to human oversight in accordance with our Responsible AI Policy. Significant decisions affecting you involve human judgment
DIFC Regulation 10 (Personal Data through AI) applies to our processing where AI systems are used on personal data. We have completed the required impact assessment and recorded the AI inventory, the roles of providers and deployers, and the residual risk. Where a decision produces a legal or similarly significant effect on you, you have the right to obtain human review, to express your point of view, and to contest the outcome by emailing privacy@execxai.com
15. Contact and complaints
If you have questions, concerns, or complaints about this policy, write to us first. We aim to respond within 30 days
Privacy enquiries
DSAR endpoint
Data Protection Officer
DPO email
If you are not satisfied with our response, you may complain to a supervisory authority:
- DIFC: Commissioner of Data Protection, Dubai International Financial Centre Authority, Level 14, The Gate Building. Telephone: +971 4 362 2222. Email: commissioner@dp.difc.ae.
- United Kingdom: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Telephone: 0303 123 1113. Website: ico.org.uk/makeacomplaint.
- European Union: details of your local supervisory authority are at edpb.europa.eu/aboutedpb/board/members_en.
16. Changes to this policy
We update this policy when our practices, technology, legal obligations, or sub-processor arrangements change. The effective date at the top of this page reflects the current version. Significant changes will be communicated by posting the updated policy here with a new effective date and, where appropriate, by email notification. Previous versions are accessible from the archive link in the page header