Our templates and guidelines are advisory content, not legal, assurance, or audit documents. This Policy applies to our websites/portals, storefront, downloads, delivery mechanisms, and related support (the “Services”). 

1) Scope & Roles 

We act as: 

  • Controller for account, billing, and usage data related to the Services; and 
  • Processor for client-provided data handled only to support the Services under written instructions (where applicable). Where we act as a processor, processing is subject to a separate Data Processing Addendum (DPA) agreed with the client. 

Applicable law. Onshore UAE processing is governed by Federal Decree-Law No. 45 of 2021 (PDPL). Where other local laws grant additional rights, we follow them to the extent required.

2) Personal Data We Collect

| Category | Examples |
|---|---|
| Identifiers | Name, business email, job title, company |
| Account & Transaction | Order history, license metadata, support tickets |
| Payment (limited) | Policy& does not collect or store full payment details. Payments are processed by a third-party payment processor that applies strict security controls (e.g., PCI DSS). We receive only limited information such as payment status, a tokenized or truncated reference (e.g., last 4 digits), and transaction metadata. |
| Technical/Usage | IP address, device/OS, browser, activity logs, cookie IDs |
| Communications | Emails, chat logs, feedback |

We do not knowingly collect Sensitive Personal Data or children’s data; the Services are not directed to individuals under 18.

3) Sensitive & Confidential Data Classification

  • Sensitive Personal Data (PDPL concept). For example, data relating to health status, biometric identifiers, genetic data, religious beliefs, political opinions, or criminal records. We do not request this data and ask that it not be submitted via the Services. 
  • Authentication & Security Data (Highly Confidential). Passwords, passcodes, MFA codes, API keys, private tokens. Stored passwords use industry-standard cryptographic hashing and access to authentication systems is restricted. 
  • Payment Data (Highly Confidential). We do not store full payment card numbers (PAN), CVV/CVC, or magnetic-stripe data. Card payments are handled by third-party PCI DSS–validated processors; we receive tokenized/truncated references and transaction status. 

Client Confidential Business Data. Non-personal confidential materials you provide (e.g., internal policy drafts) are handled per this Policy and our Terms of Use. 

4) Sources of Data

  • Directly from you (forms, checkout, emails, chat). 
  • Automatically via the Services (cookies, logs). 
  • From service providers/partners (payments, analytics, security), consistent with this Policy. 

5) Purposes & Legal Bases

We handle personal data to: 

  • Provide the Services (accounts, orders/licenses, downloads, support) — contract necessity and consent where applicable (e.g., optional features). 
  • Operate, secure & improve the Services (fraud prevention, diagnostics, analytics, service notices) — processing permitted within the PDPL framework (including compliance with law, contract performance, or protection of rights) and subject to PDPL processing controls and security duties. 
  • Communicate (transactional emails; product updates; marketing where permitted) — consent for marketing and non-essential cookies; contract or legal obligation for service notices/records. 
  • Comply with law and exercise legal rights (records, responding to lawful requests). 

6) Cookies & Similar Technologies 

We currently do not deploy non-essential cookies on the Services. 

  • We may use strictly necessary cookies for core functions (e.g., sign-in, downloads, security). 
  • We may introduce functional/analytics/advertising cookies in the future. If we do, we will update this Policy, present a Cookie Dashboard, and obtain consent where required. You can revisit choices via the Cookie Dashboard (footer) when available. 

7) Sharing & Disclosure 

We may share personal data with: 

  • Service providers/processors (hosting, payments, email/CRM, analytics, security) under contractual confidentiality; 
  • Employees, agents, and individual contractors with a need-to-know for the purposes described in this Policy, subject to confidentiality obligations and access controls; 
  • Professional advisers (e.g., legal, accounting) under confidentiality; and 
  • Potential acquirers and counterparties in corporate transactions (subject to confidentiality).

We may also disclose personal data to authorities when we consider disclosure required by applicable law or lawful process.

We do not sell personal data.

8) International Transfers 

Personal data may be transferred outside the UAE (e.g., to global hosting and payment providers). We apply contractual and organizational measures we consider appropriate and follow PDPL cross-border rules (for example, transfers to jurisdictions with an adequate level of protection, approved safeguards/standard contracts, or permitted exceptions such as consent or contract performance). 

9) Retention (Exact Periods) 

  • Accounts & order records: retained 6 years after account closure
  • Security/technical logs: retained no longer than 24 months
  • Marketing data: retained until you opt out
  • Cookies (if introduced): durations will be listed in the Cookie Policy/Cookie Dashboard. 

We may retain limited records as necessary to comply with legal obligations, resolve disputes, and enforce agreements. 

10) Security 

We apply administrative, technical, and organizational safeguards appropriate to our Services and risk profile, including (illustrative) encrypted transport (TLS), layered access controls, segregation of duties, and periodic reviews. Payments are processed by PCI DSS–validated processors; we do not store full card numbers or CVV/CVC. No method of transmission or storage is completely secure. 

Anti-Fraud / Payment Safety Notice. Our employees, agents, and contractors will never request your full payment card number, CVV/CVC, or one-time passwords by email, chat, or phone. If anyone purporting to act for Policy& asks for such details, do not share them and report the incident immediately to Contact@policyand.com.

11) Your Responsibilities (Accounts & Sensitive Data) 

  • Use strong, unique passwords and keep credentials confidential. 
  • Enable multi-factor authentication if available. 
  • Do not email or chat full card numbers or security codes to us. 
  • Do not upload Sensitive Personal Data to the Services. 

12) Your Rights (30-Day Response) 

Subject to law, you may request: access/information, correction/erasure, restriction/cessation, portability, objection to certain processing, and rights related to automated processing. Submit requests to Contact@policyand.com.
We will respond within 30 days of receiving your request. If an extension is permitted by law for complex requests, we will notify you within that 30-day period. Verification may be required, and lawful limits may apply. You may also lodge a complaint with the UAE Data Office or another competent authority in your jurisdiction. 

13) Automated Decision-Making 

If we use automated decision-making that produces legal or similarly significant effects, we will provide meaningful information and available options (including requesting human review) where required. 

14) Data Breaches (72-Hour Notification)

If a personal-data breach occurs, we will assess potential risk and notify the UAE Data Office within 72 hours of becoming aware of the breach. Where required, we will also notify affected individuals without undue delay. Notifications will follow the PDPL framework and any in-force guidance.

15) Third-Party Links

Our Services may link to third-party sites; their privacy practices are their own. 

16) Children 

The Services are not directed to individuals under 18. We do not ask for or intentionally collect children’s details. If we become aware of children’s data, we will delete it. 

17) Changes to this Policy 

We may update this Policy periodically. Changes will be posted with a revised “Last Updated” date; material updates will be highlighted within the Services. 

18) Contact 

Policy& Global Portal 
Dubai, United Arab Emirates
Contact@policyand.com