Privacy Policy

1. Introduction

Kanoony Corporate Services Provider LLC (“Kanoony”, “we”, “us” or “our”) is committed to protecting and respecting your privacy. We operate in, and from, the Dubai International Financial Centre (“DIFC”) and elsewhere in the United Arab Emirates (“UAE”). Accordingly, our data‑processing activities are subject to, and this Policy is designed to comply with the following privacy frameworks, applying the stricter requirement where they diverge:

• UAE Federal Decree‑Law No. 45 of 2021 on the Protection of Personal Data (the “UAE PDPL”) and Cabinet Decision No. 32 of 2022; and

• DIFC Data Protection Law No. 5 of 2020, as amended by Law No. 2 of 2022 (collectively, the “DIFC DP Law”).

Unless defined otherwise, capitalised terms in this Policy have the meanings given to them in the stricter of those two regimes.

This Policy explains how we collect, use, disclose, transfer and store (“Process”) Personal Data when you:

• Visit www.kanoony.com or any linked microsites (the “Site”).
• Engage our corporate‑services or SaaS solutions.
• Participate in onboarding or “know‑your‑customer” (“KYC”) procedures.
• Apply for employment with Kanoony; or
• Otherwise interact with us.

2. Controller & Contact Details

Data Controller: Kanoony Corporate Services Provider LLC, Suite 1703, South Tower, Emirates Financial Towers, Al Sukook Street, DIFC, Dubai, UAE.

Data Protection Officer (“DPO”): Appointed in accordance with Article 16 of the DIFC DP Law and Article 10 of the UAE PDPL.

E‑mail: [email protected] Tel: +971 4 587 5333.

You may contact the DPO for any query relating to this Policy or to exercise your statutory rights.

3. What Personal Data We Collect

The categories of Personal Data we Process depend on the context of your interaction with Kanoony and are detailed in Schedule A to this Policy. They include, but are not limited to:

• Identification & Contact Data (e.g., name, address, e‑mail, phone, Emirates ID/passport details).
• Technical & Usage Data (e.g., IP addresses, log files, device identifiers, browser type).
• KYC & Anti‑Money‑Laundering (“AML”) Data (e.g., source‑of‑funds evidence, sanctions‑screening results).
• Employment & Recruitment Data.
• Special‑Category Data (limited to health or dietary information you voluntarily provide for event attendance).

We may obtain Personal Data directly from you, from publicly available sources, or from third‑party service providers (credit agencies, sanctions databases, recruitment portals) as permitted by law.

4. Legal Bases for Processing

We rely on one or more of the following legal bases, selecting the stricter test where both laws apply:

1. Contractual Necessity – Processing necessary to perform a contract with you or take steps at your request prior to entering a contract (PDPL Art. 4(1)(a); DIFC DP Law Art. 10(1)(b)).
2. Legal Obligation – Processing necessary to comply with a legal or regulatory obligation (PDPL Art. 4(1)(c); DIFC Art. 10(1)(c)).
3. Legitimate Interests – Processing necessary for Kanoony’s legitimate interests or those of a third party, provided such interests are not overridden by your fundamental rights (DIFC Art. 10(1)(f)). Where the PDPL requires consent for similar Processing we will obtain it unless an exemption applies.
4. Explicit Consent – Where neither of the above bases applies or where stricter law requires consent (PDPL Art. 4(1)(b); DIFC Art. 10(1)(a)).
5. Vital Interests / Public Interest – In limited circumstances to protect life or comply with a task carried out in the public interest.

5. How We Use Personal Data

We use Personal Data only for the purposes outlined in Schedule B, which include:

• Client onboarding, KYC and service delivery.
• Operating and improving our SaaS platform and ancillary services.
• Marketing our services (subject to your right to opt out).
• Recruitment and HR administration.
• Compliance with AML, sanctions‑screening and other legal obligations.
• Responding to lawful requests by courts, regulators or law‑enforcement bodies.
• Protecting Kanoony’s rights, property and safety and those of its clients and staff.

We do not use Personal Data for automated decision‑making that produces legal effects without human review.

6. Sharing & International Transfers

We disclose Personal Data strictly on a “need‑to‑know” basis:

• within Kanoony’s group entities and authorized employees.
• to vetted vendors, cloud hosts and professional advisers under written contracts that impose confidentiality and data‑protection obligations consistent with this Policy.
• to regulators, courts or law‑enforcement agencies where required by law; and
• to potential acquirers or investors in connection with a corporate transaction.
  International Transfers: Where Personal Data is transferred outside the DIFC or UAE, we ensure that:
• the destination jurisdiction is deemed “adequate” by the applicable regulator; or
• we have implemented appropriate safeguards such as Standard Contractual Clauses or Binding Corporate Rules; or
• we rely on another derogation permitted by the stricter of the PDPL or DIFC DP Law.

7. Data Retention

We retain Personal Data only for as long as necessary to fulfil the purposes for which it was collected, including satisfying any legal, accounting or reporting requirements. The default retention period is six (6) years from the date of our last interaction with you unless:

• A longer period is mandated by UAE or DIFC law, or by professional‑indemnity rules; or
• A shorter period is required to honour an erasure request that we are obliged to grant under stricter law.

After the expiry of the retention period, data is securely deleted or irreversibly anonymised.

8. Data Subject Rights

Subject to the conditions and exemptions set out in the stricter of the PDPL or DIFC DP Law, you have the right to:

1. Access your Personal Data.
2. Rectify inaccurate or incomplete data.
3. Erase data (right to be forgotten).
4. Restrict or object to Processing.
5. Data Portability: receive data in a structured, machine‑readable format.
6. Withdraw Consent at any time where Processing is based on consent.
7. Object to Direct Marketing at any time.
8. Lodge a Complaint with the DIFC Commissioner of Data Protection or the UAE Data Office.

We will respond to any validated request within one calendar month (or the shorter timeframe mandated by stricter law). Requests can be submitted to [email protected].

9. Security Measures & Breach Notification

We implement technical and organisational measures appropriate to the risk, including encryption, access controls, staff training and third‑party audits. In the event of a Personal‑Data Breach:

• Notification to the regulator – within 72 hours of becoming aware of the breach (DIFC Art. 41; PDPL Art. 9(5)) where it is likely to result in a high risk to individuals; and
• Notification to affected individuals – without undue delay where the breach is likely to result in a serious risk to their rights and freedoms.

10. Cookies & Tracking Technologies

Our Site uses strictly necessary and analytics cookies. For details, please refer to our Cookie Notice at www.kanoony.com/cookies. You can manage cookie preferences through your browser settings.

11. Marketing Communications

We may send you marketing e‑mails about products or services similar to those you have previously acquired from Kanoony. You can opt out at any time by clicking “unsubscribe” in the e‑mail or by writing to [email protected]. We will honour opt‑out requests promptly and, in any event, within the shorter period required by stricter law.

12. Policy Updates

We may amend this Policy from time to time. Material changes will be notified via the Site or by e‑mail. Your continued use of our services after such notice constitutes acceptance of the revised Policy.

13. Contact & Complaints

Questions, comments or requests regarding this Policy should be addressed to our DPO at [email protected].

If you are dissatisfied with our response, you may lodge a complaint with:

• Office of the UAE Data Office (dataoffice.gov.ae); or
• Commissioner of Data Protection, DIFC Authority, Level 14, The Gate Building, DIFC, Dubai, UAE ([email protected]).

Schedule A — Categories of Personal Data

#	Category	Typical Data Elements	Primary Source	Retention (see Section 6)
1	Identification & Contact Data	Name, title, date of birth, nationality, Emirates ID / passport number & copies, signature, postal address, e‑mail, telephone and mobile numbers	Data subject; KYC providers	6 years after last interaction unless longer required by law
2	Corporate & Professional Data	Employer name, job title, trade‑license number, professional qualifications, shareholding or UBO status	Data subject; public registries (e.g., DIFC Registrar, DED)	6 years
3	KYC & AML Data	Source‑of‑funds / wealth statements, bank references, sanctions / PEP screening results, enhanced‑due‑diligence reports	Data subject; screening vendors; banks	Minimum statutory AML period (currently 5 years) plus audit buffer
4	Financial & Transaction Data	Bank account details, IBAN, payment‑card metadata, invoices, fee notes, payment confirmations, outstanding balances	Data subject; payment processors	6 years
5	Technical & Usage Data	IP address, device ID, browser type/version, time‑zone, log‑in timestamps, session logs, user‑journey clicks, cookies	Automated collection via Site / SaaS platform	12 months for logs; aggregated thereafter
6	SaaS Service Data	Corporate‑document templates, incorporation forms, cap‑table data, user comments, audit trail	Data subject (platform user)	For the life of subscription + 12 months, unless earlier deletion requested and legally permissible
7	Marketing & Communications Data	Marketing preferences, event registrations, feedback forms, survey responses, correspondence history	Data subject	Until opt‑out + 30 days
8	Employment & Recruitment Data	CV, cover letter, academic transcripts, interview notes, background‑check results, salary expectations, references	Candidate; recruitment agencies	24 months after hiring cycle or as required by labour law
9	Special Category Data (processed on explicit consent only)	Dietary restrictions, mobility or accessibility requirements, health information voluntarily provided for event attendance	Data subject	Deleted within 30 days after the event unless further consent obtained
10	Legal & Compliance Data	Court filings, regulatory correspondence, licences, dispute records, internal investigation notes	Courts; regulators; internal records	6 years or longer if open dispute

Schedule B — Purposes & Corresponding Legal Bases

#	Purpose of Processing	Principal Data Categories (see Schedule A)	Stricter Legal Basis*
1	Client onboarding, KYC & service delivery	Identification & Contact; Corporate & Professional; KYC & AML; Financial & Transaction	Contractual Necessity (perform engagement) and Legal Obligation (AML / sanctions laws)
2	Operating and improving the SaaS platform (e.g., user authentication, feature optimization, bug‑fixing)	Technical & Usage; SaaS Service Data	Legitimate Interests (maintain secure, efficient services); no override by PDPL provided opt‑out available
3	Marketing, newsletters & event invitations	Marketing & Communications; Identification & Contact	Explicit Consent (stricter PDPL requirement); opt‑out anytime
4	Recruitment & HR administration	Employment & Recruitment; Identification & Contact	Legitimate Interests (talent acquisition) or Contractual Necessity where employment offer made
5	Compliance with AML, sanctions‑screening & other legal duties	KYC & AML; Identification & Contact; Corporate & Professional	Legal Obligation (PDPL & DIFC DP Law)
6	Responding to lawful requests by regulators, courts or law‑enforcement	Legal & Compliance; Identification & Contact	Legal Obligation
7	Protecting Kanoony’s rights, property & safety (including fraud prevention and dispute resolution)	Identification & Contact; Technical & Usage; Legal & Compliance	Legitimate Interests (risk management)
8	Event management & special‑category data handling (dietary / accessibility needs)	Special‑Category Data; Identification & Contact	Explicit Consent (required under both regimes)

*Where multiple legal bases apply, we rely on the strictest basis that satisfies both the UAE PDPL and the DIFC DP Law. If subsequent legislative changes impose a higher standard, Kanoony will adopt that higher standard without further notice.

© 2025 Kanoony Corporate Services Provider LLC.  All rights reserved.