Privacy Policy
Effective Date: 2025-08-31
At Epiidosis Global Finance LLC-FZ (“Epiidosis,” “we,” “our,” or “us”), protecting your personal information is a top priority. This Privacy Policy explains how we collect, process, store, and protect your personal data when you use our website (epiidosisglobalfin.com), engage with our services, or otherwise interact with us. We are committed to complying with UAE Personal Data Protection Law (PDPL), European Union General Data Protection Regulation (GDPR), and other applicable international data protection laws. By using our services or website, you consent to the practices described herein.
1. Information We Collect
At Epiidosis Global Finance LLC-FZ, we are committed to collecting only the personal data necessary to provide our services, comply with legal obligations, and enhance user experience. This section explains in detail all categories of information we collect, how it is obtained, and why it is required.
1.1 Personal Data You Provide
We may collect personal information that you voluntarily provide when you interact with us, register an account, submit forms, communicate with our team, or use our services. This includes, but is not limited to:
1.1.1 Identification & Contact Information
- Full Name: Legal first and last name for identification and account creation.
- Professional Title/Position: Used to tailor services for corporate clients and understand your professional context.
- Contact Details:
- Email address: For communication, updates, newsletters, and service notifications.
- Phone number: For direct communication, confirmations, or security verification (e.g., OTP).
- Mailing/Physical address: For delivery of documents, correspondence, or legal notices.
1.1.2 Company or Organization Information
- Business name, legal structure, registration number, and corporate address.
- Role within the organization and any relationship with other entities.
- Details of subsidiaries, affiliates, or beneficial owners for compliance with corporate regulations.
1.1.3 Identification & Verification Documents
- Passport, national ID, driver’s license, or other government-issued identification.
- Proof of address (utility bills, bank statements, or tenancy contracts).
- Additional verification documents required for compliance with KYC (Know Your Customer), AML (Anti-Money Laundering), and CFT (Counter Financing of Terrorism) obligations.
1.1.4 Financial & Investment Information
- Bank account details for processing payments or receiving funds.
- Investment preferences, portfolio holdings, and financial objectives.
- Credit or financial history required for advisory, loan facilitation, or investment services.
1.1.5 Communication Records
- Emails, telephone calls, and in-person meeting notes when interacting with Epiidosis.
- Notes or summaries from consultations, webinars, or presentations.
- Chat or messaging transcripts collected during customer support or service engagement.
1.1.6 Account & Login Information
- Username, password, and security questions for account authentication.
- Any user preferences or settings configured in your account.
- Transaction or service history linked to your account.
Purpose of Collection: All personal data collected directly from you is necessary to deliver services, manage your account, comply with legal obligations, communicate effectively, prevent fraud, and improve our services.
1.2 Information Collected Automatically
When you interact with our website, mobile applications, or digital services, certain information is collected automatically through technologies such as cookies, log files, and analytics software. This includes:
1.2.1 Device & Technical Information
- IP Address: To determine location, prevent unauthorized access, and ensure network security.
- Browser Type and Version: For website compatibility and user experience optimization.
- Operating System & Device Type: Desktop, mobile, tablet, or other smart devices.
- Unique Device Identifiers: Device IDs, MAC addresses, or mobile advertising IDs for analytics and fraud prevention.
1.2.2 Website Interaction & Usage Data
- Pages visited, duration of visit, and navigation flow through the website.
- Clicks, downloads, form submissions, or interactions with interactive tools.
- Referring URLs, search queries, and other metadata to analyze traffic sources.
1.2.3 Cookies, Pixels, and Tracking Technologies
- Strictly Necessary Cookies: Required to enable core website functions.
- Performance Cookies: Collect aggregated data to improve site speed and usability.
- Functional Cookies: Remember user preferences or account settings.
- Targeting/Advertising Cookies: Track user behavior to deliver relevant promotions or analyze campaign performance.
Purpose of Collection: Automatically collected information is used to enhance website functionality, analyze usage patterns, provide personalized experiences, secure our systems, detect fraud, and support marketing efforts.
1.3 Information from Third Parties
In certain cases, we receive personal information about you from trusted third-party sources. This allows us to verify, supplement, or enhance the data we already hold. Third-party data sources may include:
1.3.1 Professional Service Providers
- Legal advisors, compliance consultants, auditors, or tax advisors who provide information necessary to deliver services.
- Confidential information exchanged under binding agreements to support advisory, structuring, or regulatory compliance tasks.
1.3.2 Regulatory & Financial Institutions
- Regulatory bodies for verification of licenses or compliance records.
- Credit reference agencies for due diligence, risk assessment, or financial evaluation.
- Banks, financial institutions, or investment platforms as required for account setup, transactions, or compliance.
1.3.3 Publicly Available Sources
- Corporate registries, government databases, professional networks, or other public sources to verify identity or enrich profiles.
- Social media platforms or professional directories when explicitly relevant to service delivery.
Purpose of Collection: Third-party information is collected to validate your identity, comply with legal and regulatory obligations, improve service accuracy, and prevent financial crime or fraud.
Key Compliance Notes
- Minimization: We only collect personal data necessary for specific purposes.
- Transparency: You are informed of all categories of data collected and their purposes.
- Consent: Where applicable, explicit consent is obtained before collecting sensitive personal data.
- Security: All collected data is secured using encryption, access controls, and monitoring systems.
- Retention: Data is retained strictly for the period required for service delivery, legal obligations, or regulatory compliance.
2. How We Use Your Information
Epiidosis Global Finance processes your personal data only for specific, explicit, and legitimate purposes. We ensure that all processing activities are lawful, transparent, and limited to what is necessary for the stated objectives. Below is a detailed disclosure of how we use your information:
2.1 Service Delivery
We use your personal data to provide and manage the full range of financial services you engage with, including but not limited to:
- Financial Advisory Services: To assess your financial goals, risk tolerance, and investment preferences, enabling personalized advice.
- Investment Management: To process investment transactions, monitor portfolios, provide reporting, and issue statements.
- Corporate Structuring: To assist in company formation, corporate governance, financial planning, and cross-border structuring.
- Customized Solutions: To tailor services based on your business profile, industry, and investment objectives.
- Account Management: To maintain records, process client instructions, and manage contractual obligations.
Legal Basis: Processing is necessary for the performance of a contract or to take steps at your request prior to entering into a contract (GDPR Art. 6(1)(b)), and legitimate interest to deliver high-quality, personalized services.
2.2 Regulatory Compliance
We process personal data to comply with all applicable legal and regulatory obligations, including:
- Know Your Customer (KYC): Verifying identity, corporate ownership structures, and beneficial owners to prevent fraud or misuse.
- Anti-Money Laundering (AML) & Counter-Terrorism Financing (CFT): Monitoring transactions, reporting suspicious activity, and complying with financial intelligence obligations.
- Sanctions & Watchlists Screening: Checking against global regulatory and governmental databases to ensure lawful dealings.
- Recordkeeping: Retaining transaction history, identification documents, and communication records as required by law.
Legal Basis: Legal obligation under UAE PDPL, AML regulations, and other applicable laws; also legitimate interest in ensuring compliance with financial and regulatory standards.
2.3 Communication
Your information enables us to communicate with you efficiently and provide support, including:
- Responding to inquiries submitted via email, phone, or website forms.
- Sending notifications about service updates, account activities, and regulatory changes affecting you.
- Facilitating meetings, calls, and other client interactions, including scheduling and follow-up.
- Maintaining internal records of communications to provide consistent, informed support.
Legal Basis: Consent (for marketing communications) or legitimate interest (for operational communications and support).
2.4 Marketing & Promotions
We may use personal data for promotional purposes only if you have provided explicit consent, including:
- Sending newsletters, event invitations, or service updates.
- Offering special promotions or product/service recommendations based on your preferences.
- Conducting surveys or market research to improve service offerings.
You can opt out at any time from marketing communications without affecting your access to our services.
Legal Basis: Consent (for direct marketing) and legitimate interest for limited non-intrusive communications.
2.5 Security & Fraud Prevention
We process your data to ensure the safety, security, and integrity of our systems and operations, including:
- Detecting, preventing, and investigating unauthorized access, fraud, or cyber threats.
- Monitoring unusual activity or suspicious transactions that may indicate identity theft or financial crimes.
- Protecting our infrastructure from malware, hacking, or other cybersecurity risks.
- Maintaining logs and audit trails to support investigations and regulatory reporting.
Legal Basis: Legitimate interest in securing our systems and protecting clients, assets, and information.
2.6 Service Improvement & Analytics
We analyze personal and non-personal data to improve our services and develop new offerings:
- Website and Platform Analytics: Understanding user behavior, site performance, and engagement patterns.
- Service Optimization: Identifying areas for operational efficiency and enhanced client experience.
- Product Development: Evaluating demand for new financial solutions or enhancements to existing services.
- Internal Reporting: Aggregating and anonymizing data for strategic decision-making.
Legal Basis: Legitimate interest in service improvement, provided such analysis does not compromise privacy rights.
2.7 Legal & Regulatory Requirements
We may process and disclose personal data to meet legal or regulatory obligations, including:
- Responding to court orders, subpoenas, or lawful governmental requests.
- Cooperating with investigations by regulators, law enforcement, or financial authorities.
- Addressing disputes, claims, or litigation involving clients, partners, or employees.
Legal Basis:
- Legal obligation to comply with judicial or regulatory mandates.
- Legitimate interest in protecting legal rights and interests.
2.8 Special Processing Considerations
Sensitive Data: Certain information (e.g., identification documents, financial details) may be classified as sensitive. We apply enhanced protections, including encryption, restricted access, and additional consent where required.
Cross-Border Transfers: When processing involves international transfers, we ensure compliance with UAE PDPL, GDPR, and relevant data protection frameworks (e.g., standard contractual clauses, adequacy decisions).
Automated Decisions: If any automated processing (profiling, scoring, risk assessment) is used, we provide transparency and allow human review where legally required.
This section ensures full transparency, identifies specific purposes, and links each processing activity to its legal basis, satisfying both UAE PDPL and GDPR requirements.
3. Legal Basis for Processing
Epiidosis Global Finance processes personal data only where there is a lawful basis for doing so under applicable data protection laws, including the UAE Personal Data Protection Law (PDPL), the European Union General Data Protection Regulation (GDPR), and other relevant regulations. For each type of processing, we identify and rely on one or more of the following legal bases:
3.1 Consent
Definition: Consent means that you have given a clear, specific, and informed agreement for the processing of your personal data for a defined purpose.
Scope and Usage: We rely on consent when processing personal data for purposes beyond service delivery or regulatory compliance, including:
- Sending marketing communications, newsletters, and promotional offers.
- Collecting sensitive personal data, such as identification documents for optional services.
- Using cookies for targeted advertising or analytics beyond strictly necessary functionality.
Consent is obtained in a freely given, explicit, and unambiguous manner. You may provide consent by ticking opt-in boxes, electronically signing forms, or otherwise affirmatively agreeing to processing.
You have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent prior to withdrawal. Withdrawal can be done by contacting privacy@epiidosisglobalfin.com or using opt-out mechanisms provided in communications.
Transparency Measures:
- We inform you exactly what data is collected, for what purpose, and for how long.
- Consent records are securely stored and auditable for compliance purposes.
3.2 Contractual Necessity
Definition: Processing is lawful if it is necessary to perform a contract to which you are a party or to take steps at your request prior to entering into a contract.
Scope and Usage: We process personal data necessary to deliver our contractual obligations, including:
- Provision of financial advisory, investment, and corporate structuring services.
- Administration of client accounts and service agreements.
- Execution of payment transactions and billing.
- Delivering client support and managing inquiries.
Processing under this legal basis is limited strictly to what is essential to fulfill contractual obligations.
Transparency Measures:
- We provide clear information about what data is required for the contract and the consequences of not providing such data.
- Personal data processed under contractual necessity is retained only for the duration of the contract plus any legally required retention period.
3.3 Legal Obligation
Definition: Processing is necessary for compliance with a legal obligation to which Epiidosis is subject, including laws, regulations, or enforceable governmental orders.
Scope and Usage: This basis covers activities such as:
- Compliance with KYC, AML, and CFT obligations under UAE and international law.
- Retention of financial and transactional records required by regulatory authorities.
- Reporting obligations to government agencies, tax authorities, or financial regulators.
- Responding to lawful requests from courts, law enforcement, or government agencies.
Personal data may be disclosed to regulatory bodies as necessary for legal compliance.
Transparency Measures:
- We ensure processing is limited to what is legally required and retain records to demonstrate compliance.
- Where permissible, we notify data subjects of processing required by law.
3.4 Legitimate Interests
Definition: Processing is lawful when necessary for the legitimate interests of Epiidosis or a third party, provided such interests are not overridden by your rights, freedoms, or interests.
Scope and Usage: Legitimate interests are applied in the following scenarios:
- Enhancing and improving services: Analyzing usage patterns, service performance, and client feedback.
- Security and fraud prevention: Monitoring, detecting, and mitigating unauthorized access or fraudulent activity.
- Internal business management: Risk management, auditing, and administrative purposes.
- Communication management: Sending operational updates or notices regarding service changes or enhancements.
We carefully balance our legitimate interests against your rights and ensure that your personal data is not used in a manner that is intrusive or unexpected.
Transparency Measures:
- We provide clear notices when processing relies on legitimate interests.
- You have the right to object to processing based on legitimate interests, in which case we will assess your objection and either cease processing or demonstrate compelling legitimate grounds that override your interests.
3.5 Combined Processing
Some processing activities may rely on multiple legal bases simultaneously. For example:
- Processing identification documents for both contractual necessity and legal obligation (KYC/AML).
- Marketing communications sent based on both consent and legitimate interests (e.g., service-related updates).
In all cases, we ensure full transparency, provide opt-out or withdrawal mechanisms, and retain evidence of the lawful basis.
3.6 Documentation and Compliance
Epiidosis maintains detailed records of all processing activities, including the legal basis, purposes, categories of personal data, retention periods, and data recipients.
All processing is auditable to demonstrate compliance with PDPL, GDPR, and international data protection requirements.
Regular reviews are conducted to ensure that the legal basis remains valid and documented.
4. Data Sharing and Disclosure
At Epiidosis Global Finance LLC-FZ, we take your privacy seriously and do not sell, trade, or rent your personal information to third parties. We only share personal data when it is necessary to provide our services, comply with legal obligations, or support legitimate business operations.
4.1 Categories of Recipients
4.1.1 Service Providers
We may share your personal data with third-party service providers who perform functions on our behalf, including:
- Information Technology and Cloud Hosting Providers: For secure storage, backup, maintenance, and performance monitoring of our digital systems.
- Analytics and Business Intelligence Providers: For analyzing trends, usage patterns, and website or service performance.
- Marketing and Communication Platforms: Only if you have opted in to receive communications.
Safeguards:
- Service providers are bound by strict confidentiality agreements.
- Data is processed solely to perform contracted services and not for their own purposes.
- We conduct due diligence to ensure that these providers implement adequate technical, organizational, and security measures, such as encryption, access controls, and compliance with international standards (ISO 27001, SOC 2, etc.).
4.1.2 Financial Institutions
Personal and financial information may be shared with:
- Banks and Investment Partners: For executing investment instructions, account management, fund transfers, or other financial operations required to provide our services.
- Payment Processors: For processing payments securely and preventing fraudulent transactions.
Safeguards:
- All financial institutions are required to comply with KYC (Know Your Customer), AML (Anti-Money Laundering), and CFT (Counter Financing of Terrorism) regulations.
- Data shared is strictly limited to what is necessary for the specific service or transaction.
4.1.3 Regulatory Authorities
We may disclose your personal data to:
- Government Agencies, Regulatory Bodies, or Supervisory Authorities: When required to comply with laws, regulations, audits, or enforcement actions.
- Courts, Law Enforcement, or Legal Processes: In response to lawful requests, subpoenas, or orders.
Safeguards:
- Disclosures are made only to the extent necessary and in accordance with legal obligations.
- Records of such disclosures are maintained for auditing and compliance purposes.
4.1.4 Professional Advisors
We may share personal data with professional advisors who provide independent services to support our operations, including:
- Legal Counsel: For contract review, litigation, or regulatory advice.
- Accounting and Auditing Firms: For financial reporting, tax compliance, and operational audits.
- Risk and Compliance Consultants: For advisory, monitoring, and internal control purposes.
Safeguards:
- Advisors are bound by professional secrecy obligations and contractual confidentiality agreements.
- Access to personal data is strictly on a need-to-know basis.
4.1.5 Authorized Business Partners
We may engage with business partners, affiliates, or collaborators to enhance our services, including:
- Strategic partners for investment syndication or joint offerings.
- Vendors supporting software platforms, CRM systems, or client engagement tools.
Safeguards:
- All partners are contractually required to implement adequate technical and organizational measures to protect personal data.
- Data is shared only for legitimate business purposes, and partners may not use it for their own marketing or resale without your consent.
4.2 Cross-Border Data Sharing
Since Epiidosis operates internationally, personal data may be transferred to entities located outside the UAE. All cross-border transfers are conducted under lawful mechanisms, including:
- Adequacy Decisions: Where the destination country provides an adequate level of data protection.
- Standard Contractual Clauses (SCCs): Approved by regulatory authorities.
- Binding Corporate Rules (BCRs): For intra-group transfers within Epiidosis affiliates.
4.3 Data Minimization and Purpose Limitation
- Only the minimum necessary data is shared with each recipient.
- Data is used solely for the specific purpose for which it was shared.
- Unauthorized secondary processing is strictly prohibited.
4.4 Documentation and Accountability
All data sharing arrangements are documented and regularly audited.
We maintain records of disclosures, recipients, and the legal basis for each transfer in compliance with UAE PDPL, GDPR, and other applicable regulations.
Third parties are contractually obligated to notify Epiidosis in case of any data breach affecting your personal information.
4.5 Your Rights Regarding Third-Party Sharing
- You have the right to request information about the categories of recipients, purpose of sharing, and safeguards in place.
- You may withdraw consent for marketing-related sharing at any time.
- You can lodge complaints with our Data Protection Officer or the relevant supervisory authority regarding any concerns about third-party data processing.
5. Data Retention
At Epiidosis Global Finance LLC-FZ, we retain personal data only for as long as necessary to fulfill the purposes for which it was collected, to comply with legal obligations, to resolve disputes, or to enforce agreements. Our retention practices are designed to balance operational needs with privacy compliance, ensuring adherence to UAE PDPL, GDPR, and other applicable laws.
5.1 Principles of Retention
We apply the following principles when determining retention periods:
- Purpose Limitation: Personal data is retained only for the specific purposes described in this Privacy Policy (service delivery, compliance, communication, marketing, security, and legal obligations).
- Legal Compliance: Retention is aligned with statutory and regulatory requirements in the UAE and jurisdictions where we operate.
- Data Minimization: Only data necessary for the defined purpose is retained; unnecessary data is deleted or anonymized promptly.
- Risk Management: Personal data related to potential disputes, investigations, or claims may be retained beyond standard periods for legitimate business or legal reasons.
5.2 Retention Periods by Data Type
| Data Type | Retention Purpose | Typical Retention Period | Notes / Legal Basis |
|---|---|---|---|
| KYC / AML Documentation | Verification of identity, regulatory compliance, anti-money laundering and counter-terrorism financing obligations | Minimum 5–10 years from end of business relationship or as mandated by UAE Central Bank, DIFC, or other regulatory authorities | Includes passport/ID copies, proof of address, corporate ownership records, transaction monitoring data. Retention is extended if required for audits or ongoing investigations. |
| Financial Records | Accounting, tax reporting, transaction history | 7 years or as required by UAE Federal Tax Authority, VAT regulations, and other authorities | Includes bank account details, invoices, payment records, investment portfolios. |
| Client Communications | Service provision, dispute resolution, historical record | Typically 3–7 years after last interaction | Emails, phone logs, meeting notes, support tickets. May be retained longer for legal claims or regulatory inquiries. |
| Employee & Contractor Data | HR, payroll, contractual obligations | Duration of employment/contract + 7 years | Includes employment contracts, performance records, payroll, benefits, disciplinary records. |
| Website & Analytics Data | Service improvement, marketing, security monitoring | Up to 24 months unless anonymized | Includes cookies, IP addresses, browsing behavior, analytics logs. |
| Dispute Resolution & Legal Claims | Ongoing or potential litigation, arbitration, investigations | Until final resolution + statutory limitation periods | All relevant communications, agreements, and documentation are preserved until claims are conclusively resolved. |
| Marketing & Consent Records | Proof of consent and opt-in/opt-out preferences | Duration of consent + 3 years | Retained to comply with GDPR and PDPL accountability requirements. |

Note: Retention periods may vary depending on jurisdictional requirements, type of data, or applicable agreements. Where no statutory retention period applies, we retain data only as long as reasonably necessary for the purpose collected.
5.3 Secure Deletion and Anonymization
Once personal data is no longer required, we ensure secure disposal using appropriate methods:
- Digital Data: Permanently deleted from live systems, backup media, and cloud storage using secure erasure protocols.
- Physical Documents: Shredded or incinerated in accordance with secure handling procedures.
- Anonymization: Where full deletion is impractical or historical data is needed for statistical, research, or compliance purposes, personal identifiers are removed or masked to prevent identification.
5.4 Exceptions to Standard Retention
Certain data may be retained beyond standard periods under specific circumstances:
- Legal Obligations: When required by law, regulatory guidance, or contractual obligations.
- Ongoing Investigations or Audits: Data necessary to investigate fraud, security incidents, or compliance violations.
- Dispute Resolution: Data related to unresolved complaints, litigation, or claims.
- Archival / Historical Purposes: Data anonymized for research, reporting, or statistical purposes in accordance with legal frameworks.
6. Your Rights
Epiidosis Global Finance LLC-FZ is committed to respecting and facilitating your data protection rights under applicable laws, including the UAE Personal Data Protection Law (PDPL), the EU General Data Protection Regulation (GDPR), and other relevant privacy regulations. Depending on your jurisdiction and the context of processing, you may have the following rights regarding your personal data:
6.1 Right of Access
You have the right to obtain confirmation as to whether we are processing your personal data and, if so, to request access to the personal data we hold about you. This includes:
- The categories of personal data processed.
- The purposes of processing.
- Recipients or categories of recipients to whom the data has been or will be disclosed.
- The period for which your personal data will be stored, or the criteria used to determine that period.
- The source of the data if not collected directly from you.
- Information about any automated decision-making, including profiling, and the logic involved.
We will provide a copy of your personal data in a structured, commonly used, and machine-readable format upon request (also known as data portability) without undue delay, typically within 30 days of receiving a valid request.
6.2 Right to Correction / Rectification
You have the right to request correction or updating of any inaccurate or incomplete personal data we hold about you. Examples include:
- Updating contact details (email, phone number, mailing address)
- Correcting identification or financial records
- Amending business or organizational information
We will take reasonable steps to verify and promptly correct your personal data to ensure it is accurate and up to date.
6.3 Right to Erasure (“Right to be Forgotten”)
You may request that we delete your personal data where:
- The data is no longer necessary for the purposes for which it was collected or processed.
- You withdraw your consent, and there is no other legal ground for processing.
- You object to processing, and there are no overriding legitimate grounds.
- The personal data has been unlawfully processed.
- The deletion is required to comply with a legal obligation.
Please note that erasure requests may be limited in cases where retention is necessary to comply with legal, regulatory, or contractual obligations, such as KYC/AML requirements, accounting, tax, or dispute resolution.
6.4 Right to Restriction or Objection to Processing
You may request that we restrict the processing of your personal data under the following circumstances:
- You contest the accuracy of your personal data during the verification or correction process.
- Processing is unlawful, and you oppose erasure and request restriction instead.
- We no longer need your data for processing, but you require it for the establishment, exercise, or defense of legal claims.
- You object to processing based on legitimate interests or direct marketing purposes.
Where applicable, we will comply with your objection and restrict processing while we review your request.
6.5 Right to Withdraw Consent
Where we rely on consent as the legal basis for processing, you have the right to withdraw your consent at any time without affecting the lawfulness of processing conducted before withdrawal.
- Withdrawal can be made through email or other designated communication channels.
- Once consent is withdrawn, we will cease processing personal data for the purposes you previously consented to, unless another legal basis applies.
6.6 Right to Data Portability
You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format. You may also request that your data be transmitted directly to another data controller, where technically feasible, without hindrance.
6.7 Right to Lodge Complaints
You have the right to lodge a complaint with a competent supervisory authority regarding the processing of your personal data, including issues related to:
- Access to your data
- Accuracy of data
- Lawfulness of processing
- Data transfers
- Data security
For UAE residents, this may include the UAE Data Office or other designated authorities. For EU residents, complaints may be lodged with your local Data Protection Authority (DPA).
6.8 How to Exercise Your Rights
To exercise any of your rights listed above, you may contact our Data Protection Officer:
- Email: privacy@epiidosisglobalfin.com
- Phone: +971 52 398 1350
- Address: Meydan Grandstand, 6th Floor, Meydan Road, Nad Al Sheba, Dubai, U.A.E.
Process for Requests:
- Submit a written request detailing the specific rights you wish to exercise.
- We may request additional information to verify your identity before processing your request.
- We will acknowledge your request promptly and respond within the legally mandated timeframe (typically 30 days).
- Where a request is complex or numerous, we may extend the response period by an additional 2 months, with prior notice and explanation.
- Certain requests may be limited or denied if legal or contractual obligations prevent full compliance; in such cases, we will provide an explanation.
7. Cookies and Tracking Technologies
Epiidosis Global Finance LLC-FZ (“Epiidosis,” “we,” “our,” or “us”) uses cookies, pixels, web beacons, and other tracking technologies (collectively, “Cookies”) on our website (epiidosisglobalfin.com) to enhance user experience, provide functionality, analyze usage, and deliver relevant content and marketing.
By continuing to use our website, you consent to the use of Cookies as described herein, unless you choose to disable them.
7.1 What Are Cookies?
Cookies are small text files stored on your device when you visit a website. They allow the website to recognize your device, store your preferences, and improve your browsing experience. Cookies may be first-party (placed by our website) or third-party (placed by trusted service providers).
7.2 Types of Cookies We Use
7.2.1 Strictly Necessary Cookies
- Purpose: Enable core website functionality, including secure login, form submission, session management, and navigation between pages.
- Examples: Authentication cookies, session identifiers, security tokens.
- Legal Basis: These cookies are essential for the operation of the website and cannot be disabled without affecting functionality.
- Duration: Session-based or persistent (for necessary security purposes).
7.2.2 Performance & Analytics Cookies
- Purpose: Collect aggregated and anonymized information about website usage to understand how visitors interact with our site. This helps us monitor performance, detect errors, and improve usability.
- Examples: Cookies that record page views, time spent on pages, clicks, or error logs.
- Legal Basis: Consent or legitimate interest (for website performance improvement).
- Third-Party Providers: We may use analytics platforms such as Google Analytics or similar providers.
- Duration: Typically 6–24 months depending on the analytics tool.
7.2.3 Functional Cookies
- Purpose: Remember your preferences, language settings, theme choices, or personalized features to enhance your experience.
- Examples: Language selection, preferred layout, region settings, remembering form inputs.
- Legal Basis: Consent or legitimate interest for personalized functionality.
- Duration: Typically persistent for 12 months or until the preference changes.
7.2.4 Targeting / Advertising Cookies
- Purpose: Deliver relevant marketing content or advertisements based on your browsing behavior, interests, and engagement. These may also help measure the effectiveness of campaigns.
- Examples: Cookies from social media platforms, advertising networks, remarketing tools.
- Legal Basis: Consent is required before placing targeting/advertising cookies.
- Duration: Typically 6–12 months depending on the provider.
7.3 Third-Party Cookies
Some Cookies may be set by third-party service providers for analytics, advertising, or social media integration. These third parties may collect data in accordance with their own privacy policies. We do not control third-party cookie practices and encourage you to review their policies.
7.4 Cookie Management and Consent
You have full control over Cookies and can manage them in several ways:
- Browser Settings: Most web browsers allow you to block or delete cookies (instructions are usually in the browser “Settings” or “Preferences” menu).
- Consent Management Tools: On our website, you can review and modify your cookie preferences at any time via our Cookie Consent Banner or Privacy Settings.
- Effect of Disabling Cookies: Disabling cookies may affect website functionality, including logging in, submitting forms, or accessing certain personalized features.
7.5 Legal Compliance and Documentation
We document all Cookies used on our site, including purpose, type, duration, and legal basis.
- For cookies requiring consent (performance, functional, targeting/advertising), consent is obtained prior to placement in accordance with GDPR Article 6(1)(a) and ePrivacy Directive requirements.
- Users can withdraw consent at any time by adjusting cookie preferences on the website or deleting cookies via browser settings.
- Cookies are regularly reviewed to ensure minimal data collection and compliance with UAE PDPL, GDPR, and other applicable laws.
7.6 Data Collected via Cookies
Data collected via Cookies may include:
- Device and browser identifiers
- IP address and approximate geolocation
- Pages visited, clicks, and time spent
- Interaction with content or advertisements
- Referrer URL and search queries
This data is aggregated or pseudonymized for analytics and marketing purposes and is not used to identify you personally unless combined with information you provide directly.
8. Data Security
At Epiidosis Global Finance LLC-FZ, we are committed to safeguarding your personal data against unauthorized access, disclosure, alteration, or destruction. To achieve this, we implement comprehensive technical, administrative, and physical security measures designed to meet international standards, including ISO/IEC 27001, GDPR, and UAE PDPL requirements.
8.1 Encryption
- Encryption in Transit: All data transmitted between your device and our servers, including web forms, emails, and API communications, is encrypted using industry-standard protocols such as TLS 1.2 or higher. This ensures protection against eavesdropping, interception, and man-in-the-middle attacks.
- Encryption at Rest: Personal data stored on our servers, databases, or backup media is encrypted using AES-256 or equivalent strong encryption algorithms. Encryption keys are securely managed with strict access policies, rotated periodically, and stored separately from the encrypted data.
- End-to-End Encryption (where applicable): Sensitive communications or financial information exchanged with clients or partners may be protected using end-to-end encryption to ensure only authorized parties can access the content.
8.2 Secure Storage Systems and Access Controls
- Data Segregation: Personal data is stored in logically and physically segregated systems based on sensitivity levels to minimize risk exposure.
- Access Controls: Access to personal data is restricted on a need-to-know basis using role-based access controls (RBAC). Only authorized personnel who require access for legitimate business purposes can view or process your data.
- Multi-Factor Authentication (MFA): Critical systems and administrative accounts are secured using MFA to prevent unauthorized access.
- Secure Backups: Regular encrypted backups are performed and securely stored in geographically diverse locations to ensure data recovery in the event of accidental loss or disaster.
- Data Integrity Controls: Checksums, digital signatures, and integrity verification processes are employed to detect unauthorized modifications or corruption of stored data.
8.3 Authentication and Authorization Protocols
- User Authentication: All internal users and external clients accessing our systems must authenticate using strong credentials. Password policies enforce complexity, regular rotation, and non-reuse.
- Authorization Management: Fine-grained authorization policies define which users can perform specific actions on sensitive data, ensuring least-privilege access.
- Audit Logging: All access and modification activities are logged and monitored, providing a detailed audit trail for accountability, forensic investigations, and regulatory compliance.
8.4 Security Monitoring, Audits, and Vulnerability Management
- Continuous Monitoring: Network traffic, server activity, and application performance are monitored continuously using automated security tools to detect suspicious or anomalous activity in real time.
- Regular Security Audits: Independent internal and external security audits are conducted periodically to assess the effectiveness of security measures and identify areas for improvement.
- Vulnerability Assessments & Penetration Testing: We perform routine vulnerability scans, penetration testing, and risk assessments to proactively identify and remediate security weaknesses.
- Patch Management: All systems, applications, and network devices are updated with security patches promptly to mitigate known vulnerabilities.
8.5 Staff Training and Awareness
- Data Protection Training: All employees, contractors, and third-party service providers receive mandatory training on data protection, information security policies, and confidentiality obligations.
- Security Awareness Programs: Ongoing programs educate staff about phishing, social engineering, malware threats, and secure handling of personal data.
- Incident Response Preparedness: Staff are trained to respond effectively to security incidents, data breaches, or suspected unauthorized access in accordance with our Incident Response Plan.
8.6 Physical Security
- Facility Access Control: Offices and data centers are protected by access control measures, surveillance cameras, and visitor management systems.
- Environmental Protections: Critical systems are housed in secure facilities with fire suppression, climate control, and redundant power systems.
8.7 Data Breach Preparedness and Notification
In the unlikely event of a personal data breach, Epiidosis will:
- Contain and mitigate the incident immediately
- Assess the impact and classify affected data
- Notify regulators and affected individuals where required under UAE PDPL, GDPR, or applicable law
- Implement corrective actions to prevent recurrence
By implementing these multi-layered security measures, we ensure that your personal data is protected against unauthorized access, loss, or compromise throughout its lifecycle.
9. International Data Transfers
Epiidosis Global Finance LLC-FZ operates across multiple jurisdictions, providing financial services to clients and partners worldwide. As part of our business operations, it may be necessary to transfer your personal data outside the United Arab Emirates (“UAE”) to countries that may not provide the same level of data protection as the UAE or the European Union. We ensure that all international data transfers are conducted lawfully, securely, and transparently, in accordance with UAE Personal Data Protection Law (PDPL), the EU General Data Protection Regulation (GDPR), and other applicable international regulations.
9.1 Purpose of International Transfers
International transfers may occur for purposes including, but not limited to:
- Service Delivery: To financial institutions, investment partners, or professional advisors located outside the UAE.
- Regulatory Compliance: To satisfy cross-border reporting requirements or regulatory obligations.
- Operational Support: To cloud hosting providers, IT support vendors, or data processors operating internationally.
- Group-Wide Operations: To affiliates within the Epiidosis corporate group for centralized management, auditing, and strategic business purposes.
9.2 Legal Mechanisms for International Transfers
Epiidosis implements one or more of the following lawful mechanisms to ensure the protection of your personal data when transferred internationally:
- a) Adequacy Decisions: Where personal data is transferred to a country recognized by the UAE or the European Commission as having an adequate level of data protection, transfers are considered compliant by default. Epiidosis ensures that any recipient in such jurisdictions maintains privacy standards comparable to UAE PDPL and GDPR.
- b) Standard Contractual Clauses (SCCs): When transferring data to countries without an adequacy decision, Epiidosis relies on EU-approved Standard Contractual Clauses or equivalent contractual safeguards mandated under UAE PDPL. These clauses legally bind the recipient to implement appropriate technical, organizational, and administrative measures to protect your personal data.
- c) Binding Corporate Rules (BCRs): For intra-group transfers to affiliates located abroad, Epiidosis may use Binding Corporate Rules, which have been formally approved by relevant data protection authorities. BCRs establish a consistent global framework for personal data protection, including:
- Defined purposes and legal bases for processing
- Roles and responsibilities of all internal stakeholders
- Data protection safeguards, including encryption, access control, and breach response
- Processes for handling data subject rights requests across borders
- Accountability and oversight mechanisms, including audits and compliance reporting
9.3 Security Measures for International Transfers
Regardless of the transfer mechanism, Epiidosis ensures that your personal data is protected through:
- Encryption: Both in transit (via TLS/SSL) and at rest.
- Access Control: Restriction to authorized personnel only, with role-based permissions.
- Data Minimization: Only transferring the personal data necessary to achieve the intended purpose.
- Vendor Due Diligence: Assessment of third-party recipients for compliance with data protection standards.
- Contractual Safeguards: Binding agreements mandating confidentiality, security measures, and lawful processing.
9.4 Transparency and Accountability
We maintain full transparency regarding international transfers by:
- Documenting all cross-border data flows in our records of processing activities.
- Providing information to data subjects upon request regarding the location, purpose, and recipients of international transfers.
- Reviewing and updating transfer mechanisms periodically to ensure ongoing compliance with UAE PDPL, GDPR, and other applicable laws.
9.5 Your Rights Regarding International Transfers
You have the right to:
- Request information about the countries or entities to which your personal data is transferred.
- Withdraw consent for international transfers where consent is the legal basis.
- Raise objections or complaints with the UAE Data Office, relevant EU supervisory authority, or our Data Protection Officer if you believe your data is being transferred unlawfully or insecurely.
By using our services, you acknowledge and agree that personal data may be transferred internationally in accordance with this clause, and that all transfers are subject to robust safeguards to protect your privacy.
10. Children’s Privacy
At Epiidosis Global Finance LLC-FZ, protecting the privacy of children and minors is of utmost importance. Our services, including our website, mobile applications, communications, and other offerings (collectively, the “Services”), are not intended for individuals under the age of 18. We recognize the heightened privacy protections required for children under applicable laws, including the UAE Personal Data Protection Law (PDPL), the European Union General Data Protection Regulation (GDPR), and other international privacy standards.
10.1 Age Restriction
- Users must be 18 years or older to access or use our Services.
- Any registration forms, online submissions, or account creation procedures include mechanisms to confirm the age of the user where legally required.
- We do not knowingly solicit or collect personal data from children under 18.
10.2 Types of Data
The personal data we explicitly avoid collecting from minors include, but are not limited to:
- Full name, date of birth, or other identifiers
- Contact information, including email, phone number, or home address
- Financial information, such as bank account details, investment preferences, or payment methods
- Educational or employment information
10.3 Parental Consent
- Where applicable by law, any collection of personal information from minors requires verifiable parental or guardian consent.
- Parents or legal guardians may review, approve, or request the deletion of any personal data submitted by a minor under their care.
- Our processes ensure that no services are provided to minors without explicit consent.
10.4 Discovery of Personal Data from Minors
If we become aware that we have inadvertently collected personal data from a child under 18, we will:
- Immediately suspend processing of such data.
- Promptly notify the parent or guardian where possible.
- Securely delete or anonymize the data in accordance with legal retention and deletion requirements.
10.5 Data Retention and Deletion
- Personal data of minors will never be retained longer than necessary for legal compliance, resolving disputes, or enforcing our agreements.
- Automated systems, backups, and archives are monitored to ensure that data from minors is promptly removed upon discovery or notification.
10.6 Third-Party Services
- Our Services may include links or integrations with third-party platforms. We do not control the data practices of these third parties.
- Parents and guardians are encouraged to review the privacy policies of third-party services before allowing minors to interact with them.
10.7 Communication and Marketing Restrictions
- We do not direct marketing, promotional materials, or newsletters to individuals under 18.
- All subscription forms include explicit age verification mechanisms to prevent underage sign-ups.
10.8 Children’s Rights
Minors and their parents/legal guardians have the right to:
- Request access to any personal data collected
- Request correction or deletion of personal data
- Withdraw any previously given consent for processing
Requests can be submitted to our Data Protection Officer at privacy@epiidosisglobalfin.com.
10.9 Security Measures
- All data collected is subject to our robust security and encryption measures, including secure storage, access controls, and regular audits.
- Special safeguards are implemented to prevent unauthorized access to personal data from minors.
10.10 Compliance and Accountability
- We conduct regular internal reviews and audits to ensure adherence to child privacy standards.
- Our policies align with international best practices, including GDPR Article 8 (Children’s Consent), UAE PDPL provisions regarding personal data of minors, and COPPA-like frameworks where applicable.
- Summary: Our Services are strictly not for minors under 18, we do not knowingly collect their data, and any data inadvertently collected is promptly and securely deleted. Parents and guardians maintain full rights to access, correct, or remove data related to their children.
11. Updates to This Privacy Policy
Epiidosis Global Finance LLC-FZ (“Epiidosis,” “we,” “our,” or “us”) may update this Privacy Policy from time to time to ensure that it remains accurate, complete, and compliant with applicable laws and regulations, including the UAE Personal Data Protection Law (PDPL), the European Union General Data Protection Regulation (GDPR), and other international standards. Updates may be required due to, but not limited to:
- Changes in our business operations, services, or product offerings;
- Introduction of new technologies or data processing systems;
- Modifications to legal or regulatory requirements in jurisdictions where we operate;
- Updates to industry best practices or security standards;
- Adjustments to data collection, storage, or processing procedures;
- Changes in third-party service providers or contractual arrangements affecting personal data.
11.1 Notification of Changes
We are committed to keeping you informed about significant updates to this Privacy Policy:
- Email Notifications: When you are a registered user or client, we will send you a direct email detailing the nature and scope of significant changes.
- Website Notices: For all users, significant changes will be prominently displayed on our website, including banners, pop-ups, or dedicated privacy notice pages.
- Effective Date Updates: Each version of the Privacy Policy will include a clearly indicated “Effective Date” to help users identify the most current policy.
Minor or technical updates (e.g., clarifications, formatting changes, or typographical corrections) may be applied without individual notifications but will still be reflected in the updated version on our website.
11.2 User Review and Acknowledgment
We strongly encourage all users and clients to periodically review this Privacy Policy to understand how your personal data is collected, used, shared, and protected. Continuing to use our services or website after updates constitutes acceptance of the revised Privacy Policy.
Where required by law or regulation (e.g., GDPR, PDPL), we will obtain your explicit consent for material changes affecting:
- The types of personal data collected;
- Purpose of processing;
- Legal basis for processing;
- Data sharing practices with third parties;
- Your rights as a data subject;
- Cross-border transfers of personal data.
11.3 Version History and Record-Keeping
For transparency and compliance purposes, Epiidosis maintains a version history of all Privacy Policy updates, including:
- Version Number and Date of the update;
- Summary of Changes implemented;
- Reason for the Update (legal, operational, technological, or regulatory);
- Notification Methods Used to inform affected users.
This version history ensures accountability and provides a reference for any legal, regulatory, or internal audit purposes.
11.4 Communication Channels for Queries
If you have questions or concerns regarding any updates to this Privacy Policy, or if you wish to review prior versions, you can contact our Data Protection Officer (DPO) directly:
- Email: privacy@epiidosisglobalfin.com
- Phone: +971 52 398 1350
- Address: Meydan Grandstand, 6th Floor, Meydan Road, Nad Al Sheba, Dubai, U.A.E.
We will respond promptly to inquiries and provide necessary clarifications regarding any changes or their impact on your personal data.
11.5 Legal and Regulatory Compliance
All updates to this Privacy Policy are undertaken in accordance with:
- UAE PDPL: Ensuring transparent, lawful, and fair processing;
- GDPR: Maintaining clear communication, lawful processing, and user consent mechanisms;
- Other applicable international regulations: Ensuring cross-border compliance, data subject rights, and accountability.
By maintaining an up-to-date Privacy Policy and notifying users appropriately, we uphold trust, transparency, and compliance with global privacy standards.
12. Contact Information & Data Protection Officer (DPO)
To ensure transparency, accountability, and compliance with applicable data protection laws, including the UAE Personal Data Protection Law (PDPL), EU General Data Protection Regulation (GDPR), and other international standards, Epiidosis Global Finance LLC-FZ provides dedicated contact channels for all data protection inquiries, requests, or concerns.
12.1 Data Protection Officer (DPO)
We have appointed a Data Protection Officer (DPO) responsible for overseeing our data protection strategy and ensuring compliance with all applicable privacy laws. The DPO acts as the primary contact for data subjects and supervisory authorities regarding any aspect of personal data processing.
Data Protection Officer Contact Details:
- Name/Title: Data Protection Officer
- Company: Epiidosis Global Finance LLC-FZ
- Email: privacy@epiidosisglobalfin.com – primary channel for submitting data subject requests, consent withdrawals, inquiries, complaints, and privacy-related communications.
- Phone: +971 52 398 1350 – available during UAE business hours (Sunday to Thursday, 9:00 AM – 6:00 PM GST) for urgent queries or assistance.
- Physical Address: Meydan Grandstand, 6th Floor, Meydan Road, Nad Al Sheba, Dubai, U.A.E. – for formal written correspondence, complaints, or submission of documents related to personal data.
12.2 Responsibilities of the DPO
The DPO is responsible for:
- Monitoring Compliance: Ensuring that all personal data processing activities comply with UAE PDPL, GDPR, and other applicable privacy laws.
- Data Subject Rights Management: Handling requests for access, rectification, erasure, restriction, objection, and data portability.
- Privacy Impact Assessments: Conducting assessments for high-risk data processing activities and advising on mitigation measures.
- Regulatory Liaison: Acting as the main contact point with data protection authorities in the UAE and other jurisdictions.
- Internal Training & Awareness: Educating staff and partners on data privacy obligations, policies, and secure handling of personal information.
- Breach Reporting: Coordinating responses to personal data breaches, including notification to regulatory authorities and affected individuals, as required by law.
12.3 How to Contact the DPO
To exercise your rights, report concerns, or submit inquiries regarding personal data processing, you may contact the DPO using any of the following methods:
- Email (preferred): privacy@epiidosisglobalfin.com – Ideal for submitting data subject requests, withdrawing consent, requesting access or correction, or reporting potential privacy issues.
- Phone: +971 52 398 1350 – Use for urgent inquiries or clarifications regarding data protection practices.
- Postal Correspondence: Data Protection Officer, Epiidosis Global Finance LLC-FZ, Meydan Grandstand, 6th Floor, Meydan Road, Nad Al Sheba, Dubai, U.A.E. – For formal letters, verification of identity for requests, or submission of official documentation.
12.4 Required Information for Data Requests
To process requests efficiently and in accordance with applicable laws, we may require the following details from data subjects:
- Full name and contact information
- Description of the request (e.g., access, correction, erasure)
- Proof of identity (e.g., government-issued ID or passport)
- Any relevant account or reference numbers associated with your interactions with Epiidosis
Requests that are incomplete or do not include sufficient information may require additional verification to protect your data and privacy.
12.5 Response Timeline
- Acknowledgment: Within 5 business days of receipt.
- Processing: Requests are typically fulfilled within 30 calendar days, unless a legal exception applies. If more time is required, we will notify you in writing.
12.6 Escalation & Complaints
If you are unsatisfied with our response, you have the right to:
- File a complaint with the UAE Data Office (or relevant supervisory authority): Contact details will be provided upon request.
- Seek remedies under applicable law, including UAE PDPL and GDPR provisions for data protection violations.
12.7 Privacy & Security Assurance
All communications with the DPO are treated confidentially and are protected using encryption and secure channels wherever feasible. Personal data provided during inquiries will be processed solely for the purpose of handling your request or complaint.