Privacy Policy & Data Protection

Farah Solutions – Sole Proprietorship L.L.C. ("Company," "we," "us," or "our") is committed to protecting the privacy and personal data of our clients, users, partners, and website visitors. This Privacy Policy describes how we collect, use, store, share, and protect personal data in connection with our compliance management, ICV optimization, and professional services platform (the "Farah Suite") and related services.

This policy applies to all individuals who interact with our services, whether through our website, platform, mobile applications, or direct engagement with our team.

Our data protection practices are governed by and comply with:

• UAE Federal Decree-Law No. 45 of 2021 — Personal Data Protection Law (PDPL), as amended
• Abu Dhabi Data Management Regulations — ADGM and local emirate-level requirements
• UAE Cyber Security Council Frameworks — National cybersecurity standards
• Federal Decree-Law No. 34 of 2021 — Combating Rumours and Cybercrimes
• Federal Decree-Law No. 26 of 2025 — Child Digital Safety Law
• Cabinet Decision No. 21 of 2023 — Executive Regulations of the PDPL

Where our services involve cross-border data transfers, we also reference the EU General Data Protection Regulation (GDPR) as a best-practice benchmark, although our primary obligations are under UAE law.

We collect the following categories of personal data:

3.1 Information You Provide Directly

• Full name, job title, and company affiliation
• Email address, phone number, and business address
• Trade license details and commercial registration numbers
• ICV certificate data and compliance documentation
• Financial information necessary for service delivery (invoicing, payment processing)
• Communication records (emails, support tickets, meeting notes)

3.2 Information Collected Automatically

• Device information (browser type, operating system, device identifiers)
• Usage data (pages visited, features used, session duration)
• IP address and approximate geolocation
• Cookies and similar tracking technologies (see Section 9)

3.3 Information from Third Parties

• Business verification data from government registries
• ICV certification data from authorized certifying bodies
• Credit and financial standing information from licensed providers

We process personal data for the following purposes:

• Service Delivery: To provide compliance management, ICV optimization, document preparation, and professional advisory services
• Platform Operations: To operate, maintain, and improve the Farah Suite platform and related tools
• Communication: To respond to inquiries, send service updates, and provide customer support
• Compliance Monitoring: To track regulatory deadlines, generate compliance alerts, and maintain audit trails
• Legal Obligations: To comply with applicable UAE laws, regulations, and lawful government requests
• Business Analytics: To analyze service usage patterns and improve our offerings (using aggregated, anonymized data where possible)
• Security: To detect, prevent, and respond to fraud, unauthorized access, and other security threats

Under the UAE PDPL, we process personal data based on one or more of the following legal grounds:

• Consent: Where you have given explicit consent for specific processing activities
• Contractual Necessity: Where processing is necessary to perform our contractual obligations to you
• Legal Obligation: Where processing is required to comply with UAE law
• Legitimate Interest: Where processing is necessary for our legitimate business interests, provided these do not override your fundamental rights

All personal data collected through our services is stored within the United Arab Emirates, in compliance with UAE data residency requirements. Our infrastructure is hosted on cloud services with UAE-based data centers, ensuring that your data remains within national borders.

We implement industry-standard security measures including:

• AES-256 encryption at rest for all stored data
• TLS 1.3 encryption in transit for all data transfers
• Role-based access controls with multi-factor authentication
• Regular security audits and penetration testing
• Automated backup and disaster recovery procedures

We do not sell personal data. We may share data with:

• Service Providers: Trusted partners who assist in platform operations, payment processing, and customer support, bound by data processing agreements
• Government Authorities: UAE regulatory bodies when required by law or in response to lawful requests
• Certifying Bodies: ICV certifying bodies as necessary for certification processes
• Professional Advisors: Legal, accounting, and audit professionals under confidentiality obligations

All third-party data sharing is governed by written agreements that require equivalent data protection standards.

Under the UAE PDPL, you have the following rights regarding your personal data:

• Right of Access: Request a copy of the personal data we hold about you
• Right to Rectification: Request correction of inaccurate or incomplete data
• Right to Erasure: Request deletion of your data, subject to legal retention requirements
• Right to Restrict Processing: Request limitation of how we process your data
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw previously given consent at any time

To exercise any of these rights, contact our Data Protection Officer at [email protected].

Our website and platform use cookies and similar technologies to enhance your experience. We use:

• Essential Cookies: Required for platform functionality (session management, security)
• Analytics Cookies: Help us understand usage patterns and improve our services
• Preference Cookies: Remember your settings and preferences

You can manage cookie preferences through your browser settings. Disabling essential cookies may affect platform functionality.

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by UAE law. Specific retention periods include:

• Active client data: Duration of the service relationship plus 5 years
• Financial records: 7 years as required by UAE Commercial Companies Law
• Compliance audit trails: 10 years for regulatory compliance
• Marketing communications: Until consent is withdrawn

Upon expiration of retention periods, data is securely deleted or anonymized.

Our services are designed for business use and are not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. In compliance with Federal Decree-Law No. 26 of 2025 (Child Digital Safety Law), if we become aware that we have inadvertently collected data from a minor, we will promptly delete it and notify the relevant authorities as required.

As a UAE-based company committed to data residency, we minimize international data transfers. Where cross-border transfers are necessary (e.g., for global service providers), we ensure:

• Adequate data protection standards in the receiving jurisdiction
• Binding contractual clauses that maintain UAE-equivalent protections
• Compliance with UAE Data Office transfer requirements

We may update this Privacy Policy periodically to reflect changes in our practices or applicable law. Material changes will be communicated through our platform and website. The "Effective Date" at the top of this policy indicates the date of the most recent revision.