Privacy Policy

1. Who we are and the scope of this Policy

Polaris Corporate Services FZ-LLC (“Polaris”, “we”, “us”) is a licensed Trust and Corporate Service Provider operating from the Dubai International Financial Centre, with registered office at S18W1002, Shed No. 18, Al Hulaila Industrial Free Zone, Ras Al Khaimah, United Arab Emirates.

This Privacy Policy describes how we collect, use, share, retain and protect personal data in the course of operating polaris.ae and in providing professional services to clients and prospective clients. It is issued in accordance with Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the “UAE PDPL”) and its implementing regulations.

2. Data controller and contact

For the purposes of the UAE PDPL, the data controller is:

Where you exercise rights under this Policy or raise concerns about the processing of your personal data, please contact us using the details above and address your communication for the attention of the Data Protection Officer.

3. Categories of personal data we process

The categories of personal data we may collect and process depend on your relationship with us. They include, without limitation:

3.1. Identification data. Full legal name, date of birth, place of birth, nationality, gender, photograph, signature, Emirates ID number, passport number, residence visa details and other government-issued identifiers.

3.2. Contact data. Postal address, residential address, registered office address, email address and telephone number(s).

3.3. Professional and financial data. Occupation, employer, role, professional qualifications, business activities, source of funds, source of wealth, bank account details, tax identification numbers, regulatory registrations and credit-history information where lawfully obtainable.

3.4. Beneficial-ownership data. Ownership percentages, control structures, board composition, and the identity of ultimate beneficial owners pursuant to Cabinet Decision No. 58 of 2020 regarding the Regulation of Procedures of the Real Beneficiary.

3.5. Compliance data. Politically Exposed Person (PEP) status, sanctions screening results, adverse media findings, Customer Due Diligence (CDD) documentation, and the outputs of any Enhanced Due Diligence (EDD).

3.6. Transactional and engagement data. Correspondence, meeting notes, instructions, engagement letters, invoices, payment records and the documents and deliverables produced in the course of an engagement.

3.7. Website usage data. IP address, device and browser identifiers, language preferences, pages viewed, referring URL, session duration and similar technical information collected via cookies and similar technologies (see Section 13).

We do not seek to collect special categories of personal data (such as data concerning health, religion or political opinion) save where strictly necessary for the performance of a regulated engagement or where lawfully obtainable in connection with sanctions screening; in such cases, additional safeguards apply.

4. Sources of personal data

We collect personal data from the following sources: (i) directly from you, including via the Website, engagement letters, KYC questionnaires and email correspondence; (ii) from your authorised representatives, agents, employers, advisers or family members where they engage us on your behalf; (iii) from public registers, including the Emirates ID system, commercial registers, real estate registries, court records and any sanctions or PEP screening databases; (iv) from credit-reference and adverse-media services lawfully subscribed to by us; and (v) from regulators, banks or counterparties in the course of conducting a transaction in which you are involved.

5. Purposes of processing

We process personal data for the following purposes:

1. to negotiate, conclude and perform engagements for the provision of professional services;
2. to discharge our obligations as a licensed TCSP and DNFBP, including the Client Due Diligence, Enhanced Due Diligence, Suspicious Transaction Reporting and record-keeping obligations under Federal Decree-Law No. 20 of 2018 and Cabinet Decision No. 10 of 2019;
3. to administer ongoing client relationships, including communications, billing, payment collection, document management and conflict checks;
4. to comply with applicable laws, regulations, tax filings, accounting standards, court orders and lawful requests of competent authorities;
5. to detect, prevent and investigate fraud, financial crime, abuse of our services and breaches of our policies;
6. to manage and improve our website and services, including security, fault diagnosis, analytics and personalisation;
7. to communicate with you about events, publications and insights that we reasonably consider relevant to your professional interests, where you have not objected to such communications; and
8. where reasonably necessary, to establish, exercise or defend legal claims.

6. Lawful bases for processing

In accordance with Article 4 of the UAE PDPL, we process personal data on one or more of the following lawful bases:

• Consent — where you have provided explicit consent for a specified processing purpose, which you may withdraw at any time;
• Performance of a contract — where processing is necessary for the conclusion or performance of an engagement letter to which you are a party;
• Legal obligation — where processing is necessary to comply with a legal obligation to which Polaris is subject (including AML, tax and corporate law obligations);
• Vital interests — where processing is necessary to protect your vital interests or those of another natural person;
• Public interest — where processing is necessary for the performance of a task carried out in the public interest;
• Legitimate interests — where processing is necessary for the legitimate interests pursued by Polaris or a third party, except where such interests are overridden by your rights and freedoms.

7. AML, KYC and ongoing monitoring

As a DNFBP, Polaris is required by UAE law to conduct Client Due Diligence at onboarding, refresh that diligence on a risk-based periodicity, and report any suspicion of money laundering, terrorist financing or proliferation financing to the UAE Financial Intelligence Unit. The legal bases for this processing are legal obligation and legitimate interests. The retention period for AML records is no less than five (5) years from the end of the engagement or from the date of the relevant transaction, whichever is later. Please refer to our AML & Client Due Diligence Notice for further detail.

8. Sharing of personal data with third parties

We do not sell personal data. We may share personal data with the following categories of recipients, in each case subject to confidentiality and data-protection safeguards:

• Government and regulatory authorities — the UAE Ministry of Economy, Federal Tax Authority, Financial Intelligence Unit, licensing authorities (RAKEZ, DIFC, ADGM and other free zones), GDRFA, ICP, MOHRE and equivalent foreign authorities, where required by law;
• Banks and financial institutions — in the course of opening accounts, processing payments, or facilitating transactions on your behalf;
• Auditors and external advisers — including auditors, lawyers, tax advisers and notaries instructed to act in the engagement;
• Service providers — including IT, hosting, cloud, email, document-management, secure messaging and back-up providers acting as data processors on our behalf under written contracts;
• Counterparties and their advisers — where information sharing is necessary to complete a transaction in which you are a party;
• Sanctions and screening providers — for the limited purpose of conducting compliance checks;
• Successors in interest — in the event of a corporate reorganisation, sale or merger of Polaris, subject to equivalent confidentiality protections.

9. Cross-border transfers

9.1. Polaris operates from the United Arab Emirates and serves an international client base. The provision of Services may require transfer of personal data to jurisdictions outside the UAE, including Cyprus, Switzerland, and any other jurisdiction in which the Client or a transaction has a nexus.

9.2. Where personal data is transferred to a jurisdiction that has not been deemed by the UAE Data Office to provide an adequate level of protection, we shall implement appropriate safeguards in accordance with Article 22 of the UAE PDPL, including (where applicable) standard contractual clauses, binding corporate rules, or your explicit consent following appropriate notice.

10. Retention periods

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including the satisfaction of any legal, regulatory, accounting or reporting obligations. Indicative retention periods are:

• AML and engagement records — not less than five (5) years from termination of the engagement, in accordance with Federal Decree-Law No. 20 of 2018;
• Corporate tax, VAT and accounting records — not less than seven (7) years from the end of the relevant tax period, in accordance with Federal Decree-Law No. 47 of 2022 and Federal Decree-Law No. 8 of 2017;
• Other client-engagement records — retained for the duration of the engagement plus the applicable statutory limitation period;
• Marketing data — retained until you opt out, plus a reasonable period to give effect to that opt-out;
• Website analytics data — retained in aggregated form only beyond thirteen (13) months from collection.

11. Your data subject rights

Subject to the conditions and exceptions in the UAE PDPL, you have the following rights:

• Right of access — to obtain confirmation as to whether we process your personal data and a copy of that data;
• Right to rectification — to request correction of inaccurate or incomplete personal data;
• Right to erasure — to request deletion of personal data where the processing is no longer necessary or lacks lawful basis;
• Right to restriction — to request restriction of processing in certain circumstances;
• Right to data portability — to receive personal data in a structured, commonly used, machine-readable format;
• Right to object — to processing based on legitimate interests, direct marketing, or automated decision-making;
• Right to withdraw consent — without affecting the lawfulness of processing carried out before withdrawal;
• Right to file a complaint — with the UAE Data Office (see Section 18).

Certain rights are subject to limitations where exercise of the right would conflict with our legal obligations (for example, retention of AML records) or would prejudice the rights of third parties.

12. How to exercise your rights

To exercise any of the rights set out in Section 11, please send a written request to legal@polaris.ae, providing sufficient information to verify your identity and to identify the personal data in question. We aim to respond within thirty (30) calendar days of receipt of a complete request. In complex cases, we may extend this period by a further thirty (30) days upon notice to you.

13. Cookies, tracking and analytics

This Section sets out the full Cookie Policy of Polaris Corporate Services FZ-LLC for polaris.ae. It forms part of, and should be read together with, this Privacy Policy. References below to “this Policy” mean this consolidated Privacy & Cookie Policy.

13.1 About this Policy

This Cookie Policy explains how Polaris Corporate Services FZ-LLC uses cookies and similar technologies on polaris.ae. It supplements our Privacy Policy and should be read together with it. The Cookie Policy is issued in accordance with Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL) and Federal Decree-Law No. 46 of 2021 on Electronic Transactions and Trust Services.

13.2 What cookies are

A cookie is a small text file that a website places on your device when you visit it. Cookies are widely used to enable a website to function, to remember your preferences, to support analytics, and to deliver functionality across sessions. Cookies may be set by the website operator (“first-party”) or by a third-party service used by the operator (“third-party”). Cookies may persist on your device until expiry or until you delete them (“persistent cookies”), or only for the duration of a single browsing session (“session cookies”).

13.3 Categories of cookies we use

3.1. Strictly necessary cookies. These cookies are essential for the operation of the Website and cannot be switched off. They enable navigation, secure log-in (where applicable), submission of contact forms, and remembering of cookie-consent preferences. They do not store personally identifiable marketing information.

3.2. Preference and functionality cookies. These cookies remember the choices you make on the Website (for example, your language preference). They are used to provide a more personalised experience but are not strictly necessary for operation.

3.3. Analytics cookies. These cookies allow us to count visits, identify popular content and understand how users navigate the Website. The information collected is aggregated and used only for the improvement of our Website. We use first-party analytics where reasonably possible.

3.4. Marketing cookies. We do not currently set marketing cookies on the Website, nor do we permit third-party advertising networks to do so.

13.4 Specific cookies in use

The principal cookies currently set on the Website are:

13.5 Third-party cookies and analytics

Where we use a third-party analytics or content-delivery service (for example, Google Analytics or a content-delivery network for fonts), that third party may set cookies on your device. The processing of personal data by such third parties is governed by their respective privacy policies. We endeavour to configure such services in privacy-preserving modes (including IP anonymisation where available).

13.6 Managing your cookie preferences

You can manage your cookie preferences in three ways:

1. Cookie banner. When you first visit the Website, a cookie banner allows you to accept, reject or customise non-essential cookies. You may revisit your choices at any time by clicking the cookie-preferences link in the footer.
2. Browser settings. Most browsers allow you to control cookies through the settings menu, including blocking all cookies, deleting existing cookies, or being notified before a cookie is set. Please consult your browser’s documentation.
3. Opt-out tools. For third-party analytics, you may install opt-out browser add-ons provided by the third party (for example, the Google Analytics Opt-Out Browser Add-On).

Please note that disabling strictly necessary cookies will affect the operation of the Website.

13.7 Do Not Track signals

Some browsers transmit “Do Not Track” signals. As there is no universally agreed standard for how websites should respond, the Website does not currently respond to Do Not Track signals. We do, however, honour the choices recorded by you in the cookie banner.

13.8 Updates to this Policy

This Cookie Policy is reviewed periodically and may be updated to reflect changes in the cookies we use or in applicable law. The current version, together with the date on which it took effect, is available on the Website.

14. Security

We have implemented technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures include encrypted storage and transmission, access controls based on the principle of least privilege, role-based segregation of duties, multi-factor authentication for privileged accounts, regular back-ups, incident response procedures and staff confidentiality undertakings. Notwithstanding these measures, no method of transmission or storage is completely secure, and we cannot guarantee the absolute security of personal data.

15. Children

Our Services are not directed to children and the Website is not intended for use by persons under the age of eighteen (18) years. We do not knowingly collect personal data from children, save in the context of family-sponsorship and migration matters where the child’s parent or legal guardian is the Client and has provided lawful instruction.

16. Automated decision-making

We do not make decisions about you that produce legal effects or significantly affect you on the basis of automated processing alone. Sanctions screening and analytics tools may be used to inform manual review by qualified personnel, but final decisions remain with a natural person.

17. Updates to this Policy

This Policy is reviewed at least annually and may be updated to reflect changes in our practices or in applicable law. The current version, together with the date on which it took effect, is available on the Website. Where the changes are material, we will provide reasonable notice (which may include posting a notice on the Website or, where appropriate, contacting you directly).

18. Complaints and supervisory authority

If you believe that our processing of your personal data is not in accordance with the UAE PDPL or this Policy, you may file a complaint with us at legal@polaris.ae. We will investigate and respond in accordance with our Complaints Handling Procedure.

You are also entitled to file a complaint with the UAE Data Office, the supervisory authority established under the UAE PDPL.