NEGINSKIY BUREAU REAL ESTATE L.L.C. — PRIVACY POLICY
Policy Number: 1
Effective Date: 15 July 2025
Version: 1.0 (Bilingual)
Approved by: Yaroslav Miroshnik, Director
1. PURPOSE AND SCOPE OF APPLICATION
1.1 This Privacy Policy (“Policy”) defines the purposes, legal bases, conditions, and procedures for the processing of personal data of individuals (“Personal Information”) by NEGINSKIY BUREAU REAL ESTATE L.L.C., a company registered in the Emirate of Dubai, United Arab Emirates, licensed in accordance with the requirements of the Real Estate Regulatory Agency (RERA), and operating under applicable law (“Company”).
1.2 The Company confirms its commitment to upholding the rights and freedoms of data subjects, regardless of their nationality, residency, legal status, language of communication, or jurisdiction. The Company undertakes all reasonable, lawful, technical, and organizational measures to ensure fair, transparent, and secure processing of Personal Information in accordance with Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL), other applicable UAE laws, and international obligations where relevant.
1.3 This Policy applies to all instances in which the Company collects, records, structures, stores, uses, discloses, transfers, blocks, deletes, or destroys Personal Information, regardless of format or method of acquisition—including but not limited to oral, written, digital, electronic, paper-based, visual, or audio interaction, messengers, websites, online forms, CRM systems, and video/audio communication. Processing through informal or uncontrolled channels (including messengers or verbal negotiations) is permitted only with the confirmed consent of the data subject or where necessary to take pre-contractual steps at the subject’s request.
1.4 The Company acts as a data controller in accordance with PDPL and is responsible for ensuring proper, secure, and lawful processing, retention, and disposal of Personal Information. The Company may comply with other jurisdictions’ legal requirements if explicitly stated in international treaties, agreements with the Client, or directives issued by competent regulators.
1.5 This Policy covers, inter alia: the categories of data collected; purposes and legal bases for processing; data sources; conditions for retention and disclosure to third parties; cross-border data transfers; interaction with government authorities; engagement of third-party providers and vendors; automated processing; marketing communications; audio-visual recording; biometric and sensitive data; data subjects’ rights and enforcement mechanisms; Client obligations; governing law and jurisdiction; procedure for updates; and the Policy’s legal force and precedence in case of conflict with other internal documents.
1.6 In the event of changes, the Company reserves the right to unilaterally update this Policy by publishing a revised version on its official website or notifying data subjects through electronic communication. Renewal of consent will be requested only in cases expressly required by law. The Client acknowledges responsibility to stay informed and accepts the legal effect of such updates upon publication.
1.7 This Policy constitutes an independent legal document adopted by the Company for the purpose of complying with PDPL and other applicable UAE regulations. It may be used as evidence in case of disputes, claims, regulatory audits, or legal proceedings. It operates alongside other internal regulations, including KYC rules, AML/CFT policies, risk management procedures, and Client engagement protocols.
2. DEFINITIONS AND TERMS
2.1. Company — NEGINSKIY BUREAU REAL ESTATE L.L.C., a legal entity duly incorporated under the laws of the United Arab Emirates (UAE), operating in the real estate sector and acting as the data controller with respect to the collection, storage, transfer, and processing of personal data in accordance with this Policy and applicable legislation.
2.2. Client — any natural person whose personal data is processed by the Company in the course of providing real estate, marketing, advisory, or related services, including but not limited to: buyers, tenants, sellers, investors, legal representatives, authorized agents, and any individuals who have voluntarily submitted their data to the Company.
2.3. Personal Data (Personal Information) — any information relating to an identified or identifiable individual, including but not limited to: full name, date of birth, contact details, unique identifiers, passport or ID number, address, nationality, marital status, property details, payment information, business activity, education, and digital identifiers such as IP addresses, cookies, log files, audio/video recordings, and any other data permitting identification of the subject.
2.4. Sensitive (Special) Categories of Personal Data — personal data subject to heightened protection under PDPL or other applicable law, including data concerning racial or ethnic origin, religious or philosophical beliefs, health status, political opinions, sexual orientation, criminal records, genetic and biometric data, and any other categories defined as special by law.
2.5. Processing of Personal Data — any operation or set of operations performed on personal data, whether by automated means or otherwise, including but not limited to: collection, recording, organization, storage, adaptation, use, retrieval, transfer (including cross-border), dissemination, anonymization, blocking, deletion, and destruction.
2.6. Third Parties — any natural or legal persons, government bodies, partners, vendors, platforms, or agents that are not part of the Company’s organizational structure but lawfully access personal data under a contract, legal obligation, or other legitimate basis to fulfill their obligations or safeguard the Company’s interests.
2.7. Policy — this Privacy Policy, including all versions, appendices, and amendments, which sets forth the internal rules, purposes, conditions, and procedures for personal data processing and is binding on all employees of the Company.
2.8. Data Subject Consent — a voluntary, specific, informed, and unambiguous expression of will by the data subject, made in written, electronic, or other legally acceptable form, by which they authorize the processing, transfer, and cross-border transfer of their personal data in accordance with this Policy. Consent may be withdrawn as provided by applicable law.
2.9. Cross-Border Data Transfer — the transfer of personal data outside the UAE territory or access to such data by third parties located abroad, including via cloud services, CRM systems, hosting providers, and other platforms, provided that all PDPL and other applicable requirements are satisfied.
2.10. Data Controller — a person or legal entity (including the Company) that, alone or jointly with others, determines the purposes and means of personal data processing and bears legal responsibility for ensuring data subject rights and compliance with data protection laws.
2.11. Data Processor — a person or organization that processes personal data on behalf of and pursuant to the Company’s instructions under a valid Data Processing Agreement (DPA), without the right to use such data for its own purposes.
3. CATEGORIES OF COLLECTED DATA
3.1. The Company collects identification data, including full name, nationality, gender, date and place of birth, identity document number and series (passport, Emirates ID, driver's license or any other legally recognized ID), as well as photo and video materials containing facial images, where required for client identification, verification, legal compliance, or protection of the Company’s legitimate interests.
3.2. The Company processes contact details voluntarily provided by the Client or obtained during business interactions, including mobile and/or landline phone numbers, email address, postal and residential address, as well as messaging app IDs, social media profiles, and other communication identifiers used by the Client to interact with the Company.
3.3. In compliance with KYC (Know Your Customer), AML (Anti-Money Laundering), CFT (Countering the Financing of Terrorism), and other applicable requirements, the Company collects and processes supporting documents and information, including proof of residence (e.g., utility bills, lease agreements, bank statements), employment details, sources of funds and income, tax residency, political exposure (PEP), and inclusion in sanction lists, criminal records, or other risk registries.
3.4. Where justified, the Company may process information regarding potential conflicts of interest, including family, business, or other connections between the Client and Company employees, where such ties may affect compliance with legal or internal rules or impair the objectivity of service delivery.
3.5. Depending on the nature of services requested and applicable laws, the Company may additionally request and process information necessary for service delivery, including Client preferences regarding location, budget, property acquisition or rental goals, investment plans, transaction support criteria, documentation, and interaction terms.
3.6. The processing of special categories of personal data (sensitive data), such as health status, criminal records, racial or ethnic origin, religious, philosophical or political beliefs, biometric data, and sexual orientation, is performed strictly on the basis of legal grounds and informed, explicit consent from the Client, and only to the extent necessary for achieving a lawful and specific purpose.
3.7. In case of digital interaction (via website, forms, CRM, messengers, mobile apps, or other platforms), the Company may collect technical and digital data, including IP address, device and OS type, system language, browser type and version, interaction timestamps, cookies, session identifiers, log files, geolocation and navigation parameters, to ensure security, system functionality, analytics, and service improvement.
3.8. The Company may receive and process additional information not explicitly listed in this section if such information is voluntarily provided by the Client, or is necessary to perform a contract, deliver services, fulfill legal obligations, or protect the Company’s rights and interests.
3.9. The Company does not collect or process personal data unrelated to the stated purposes and undertakes to limit processing to information that is relevant, necessary, and proportionate to the nature of the services and legal requirements.
3.10. In the event of the Client’s refusal to provide mandatory data required by law or contract, or if false, incomplete, or misleading data is provided, the Company reserves the right to suspend services, terminate interactions, or request additional verification until such deficiencies are rectified.
4. LEGAL GROUNDS FOR DATA PROCESSING
4.1 The Company processes personal data on the basis of the prior, free, specific, informed, and unambiguous consent of the data subject. Consent is provided voluntarily in written, electronic, or other form allowing the fact of consent to be recorded. The Client has the right to withdraw consent at any time; however, such withdrawal shall not affect the legality of processing carried out prior to the withdrawal.
4.2 Processing of personal data is allowed when necessary for the conclusion and/or performance of a contract to which the data subject is a party, or for taking steps at the request of the data subject prior to entering into such a contract.
4.3 The Company has the right to process personal data when it is necessary to fulfill legal or regulatory obligations imposed by applicable legislation, including but not limited to: anti-money laundering and counter-terrorism financing (AML/CFT) laws, tax regulation, financial reporting, licensing, court or administrative requests, and compliance with the requirements of RERA, DLD, the Central Bank of the UAE, and other competent authorities.
4.4 Personal data may be processed without the prior consent of the data subject in situations where it is necessary to protect the vital interests of the data subject or other persons, including in cases of threats to life, health, or property, as well as during emergencies or force majeure where obtaining consent is not reasonably possible in advance.
4.5 The Company may process personal data based on the necessity of pursuing legitimate interests, including but not limited to: ensuring information, legal and physical security; fraud prevention; protecting the Company’s rights and interests in administrative, arbitral, and judicial proceedings; enhancing client relations; improving service quality; and conducting internal audits and analysis, provided that such interests do not override the fundamental rights and freedoms of the data subject.
4.6 Personal data may also be processed if necessary for performing tasks carried out in the public interest or in the exercise of official authority vested in the Company under applicable law, including interactions with competent authorities, notaries, courts, regulators, lawyers, or other authorized bodies.
4.7 The Company reserves the right to suspend the provision of services, terminate a contract, or restrict access to interaction if the data subject refuses to provide mandatory personal data as required by law or withdraws consent to process such data without providing an alternative legal ground for further processing.
5. PURPOSES OF PERSONAL DATA PROCESSING
5.1. Preparation, conclusion, and execution of real estate transactions. Personal data are processed for the purpose of preparing, concluding, amending, and fulfilling transactions such as sale, purchase, lease, reservation, property viewings, legal representation, financial settlements, and other obligations arising from the client’s request or contract.
5.2. Identification and legal status verification. Data are used to verify the client’s identity, validate documents, and confirm legal rights over property (including via powers of attorney, court rulings, inheritance certificates, etc.) in order to prevent legal violations and protect the interests of all parties.
5.3. Communication with the client. Contact data are used to communicate regarding property offers, transaction progress, property viewings, negotiation of terms, document provision, updates, and responding to inquiries.
5.4. Data transfer to third parties. The Company transfers personal data to third parties strictly to the extent necessary for contract performance, legal compliance, service delivery, or protection of legitimate interests, including to notaries, brokers, developers, legal counsel, and CRM or IT service providers.
5.5. Legal and regulatory compliance. Data are processed to fulfill obligations under AML/CFT laws, taxation, corporate governance, document retention, compliance reporting, and responses to official requests from authorities.
5.6. Internal control and legal protection. Data are processed for internal audits, conflict-of-interest prevention, risk management, safeguarding legal rights, and protecting the Company’s, its clients’, partners’, and employees’ interests and business reputation.
5.7. Creditworthiness and background checks. The Company may engage third-party verification providers (e.g., KYC/AML agencies) to assess a client’s financial standing, legal capacity, and potential regulatory or sanctions risks.
5.8. Administrative and operational purposes. Data are processed for CRM management, workflow automation, documentation systematization, digital service support, and internal efficiency improvement.
5.9. Marketing communications. The Company may use client data to inform about its services, promotions, and updates relevant to the client’s prior interests, with an option to opt out at any time.
5.10. Employment and HR administration. Data related to employees, contractors, and applicants are processed for hiring, visa processing, labor compliance, and corporate governance.
5.11. Personalization of services. Information provided by the client is used to personalize property searches based on preferences, family status, income, residency, or professional needs.
5.12. Business restructuring. In the event of merger, acquisition, asset transfer, or investment, personal data may be transferred under confidentiality and data protection obligations.
5.13. Data completeness assessment. The Company reserves the right to suspend services if required data are missing or inaccurate until the issue is rectified.
5.14. Thematic newsletters and content personalization. When subscribing to newsletters, clients may indicate topics of interest. The Company uses such preferences to tailor content and improve communication.
5.15. Documentation for legal defense. The Company may process and retain documents and correspondence to build evidentiary records for dispute resolution, claims, or litigation within UAE jurisdiction.
6. USER CONSENT
6.1. The data subject provides the Company with voluntary, specific, informed, and unambiguous consent for the collection, storage, use, transfer, processing, systematization, archiving, and other handling of their personal data in the scope, for the purposes, and under the terms set forth in this Privacy Policy. This consent may be given by signing a document, checking a box online, submitting data via digital channels, or by any other means that reliably records the subject’s intent.
6.2. The consent covers all forms of data processing, including oral, written, electronic, digital, automated, and non-automated processing carried out via messengers, forms, correspondence, contracts, CRM systems, cloud storage, calls, meetings, and other communication channels used by the Company in its business operations.
6.3. The data subject confirms that they have reviewed and understood this Policy, including its purposes, legal grounds, data categories, methods and retention periods, cross-border transfer provisions, data subject rights, and possible consequences of refusal. In the event of providing third-party data (e.g., representatives, family members, authorized persons), the data subject warrants that such third parties have given consent and shall be informed of the transfer.
6.4. The data subject has the right to withdraw their consent at any time by submitting a written notice to the Company’s email: buroneginskiy@gmail.com. Upon receipt of such notice, the Company shall cease data processing unless other legal grounds for continuation exist (e.g., contractual obligations, AML/CFT requirements, legitimate interests, legal proceedings, or compliance with applicable laws).
6.5. The data subject acknowledges and accepts that refusal to provide data or withdrawal of consent may limit or prevent the Company from delivering services, fulfilling contractual obligations, or complying with legal or regulatory requirements, and the Company reserves the right to suspend or terminate such services.
6.6. By submitting personal data via the website, forms, messengers, email, telephone, or other digital means, the data subject confirms that they have read and understood this Policy prior to data submission, have received necessary explanations, accept the processing terms (including third-party and cross-border transfers), and express their voluntary and legally binding consent. Any action aimed at data submission (such as clicking “Submit,” “Confirm,” “Agree,” “Request,” or similar) shall be deemed equivalent to a handwritten signature and constitute valid consent.
6.7. This consent shall remain in full legal force until it is withdrawn in accordance with the procedure set out in this Policy. Withdrawal does not affect the lawfulness of data processing carried out based on this consent prior to such withdrawal.
7. DISCLOSURE AND TRANSFER OF PERSONAL DATA TO THIRD PARTIES
7.1. The Company may transfer or disclose personal data to third parties strictly for the purposes outlined in this Privacy Policy and only to the extent necessary for: (1) fulfilling contractual obligations to the data subject; (2) complying with applicable UAE legislation, including but not limited to AML/CFT regulations; and (3) ensuring security, preventing violations, and protecting the legal rights, business reputation, and interests of the Company, its clients, employees, and partners. Any such transfer shall be based on a lawful ground and accompanied by appropriate technical, legal, and organizational safeguards.
7.2. The Company does not sell client personal data or transfer it to third parties for marketing, commercial, or promotional purposes unless explicitly provided for in this Policy. Any processing of personal data beyond the scope of declared and lawful purposes is strictly prohibited, including any attempt to resell, disclose, or redistribute data without proper authorization.
7.3. Categories of third parties that may receive personal data include:
(a) legal, financial, and tax advisors, auditors, banks, and other professional institutions;
(b) notaries, lawyers, background check agencies, AML/KYC providers, insurance companies, and other transaction participants;
(c) contractors, IT service providers, cloud storage providers, CRM systems, call centers, analytics platforms, and technical support vendors;
(d) government bodies, regulatory and quasi-governmental authorities, courts, law enforcement agencies, DLD, RERA, and other authorized institutions when such disclosure is required by law, court order, official request, or in connection with a legal or regulatory investigation.
7.4. The Company may share personal data internally within its corporate structure (including branches, departments, subsidiaries, affiliates, employees, agents, representatives, and contractors) on a strict need-to-know basis, subject to internal confidentiality protocols and access control measures.
7.5. All third parties receiving personal data from the Company are contractually obligated to maintain confidentiality and to use the data solely for the purpose for which it was provided. The Company requires such parties to sign NDAs, data protection agreements, or to include appropriate confidentiality and data use clauses in their contracts. Where a third party acts as an independent data controller, the Company shall inform the data subject unless such notification is prohibited or restricted by law or regulatory instruction.
7.6. In the event of a sale of business, merger, reorganization, transfer of assets, or onboarding of investors or partners, the Company may transfer personal data to relevant parties, provided that they undertake to comply with this Policy and restrict the use of data strictly to the stated purposes.
7.7. The Company shall not be liable for any acts or omissions of third parties who have received personal data directly from the data subject or through the data subject’s independent actions, including any direct disclosures made by the client without prior notice to or coordination with the Company.
8. INTERNATIONAL DATA TRANSFERS
8.1. The Company may transfer, store, or otherwise process personal data outside the United Arab Emirates (UAE) for purposes including the performance of contractual obligations, provision of services, use of cloud and digital infrastructure, engagement of external consultants, operation of IT systems, compliance with international or local regulations, and internal business operations.
8.2. Such cross-border transfers may involve jurisdictions that do not provide a level of data protection equivalent to that required under UAE laws. In such cases, the Company shall ensure the transfer is lawful and secure by relying on one or more of the following safeguards:
– execution of data transfer agreements with third parties, incorporating clauses on confidentiality, technical and organizational security, legal warranties, and return procedures;
– enforcement of contractual obligations to prevent unauthorized access, alteration, or loss of data;
– reliance on internationally certified service providers (e.g., ISO/IEC 27001, SOC 2, GDPR-compliant platforms);
– restriction of data volumes to the minimum necessary for the stated purpose.
8.3. Cross-border transfers may be made to external service providers acting on behalf of the Company under binding agreements, including but not limited to:
– cloud storage providers, hosting and server platforms;
– CRM systems, email marketing and communication platforms;
– web analytics, advertising, marketing, and payment processors;
– legal, financial, accounting, and other professional advisors, provided data security safeguards and non-transfer clauses are in place.
8.4. The transfer of data outside the UAE does not exempt the Company from compliance with the Personal Data Protection Law (PDPL) and other applicable UAE legislation. All such transfers are governed by the Company’s internal policies and accompanied by continuous enforcement of confidentiality, integrity, and availability safeguards.
8.5. By providing consent under this Policy, the data subject expressly agrees to the cross-border transfer of their personal data for the purposes stated herein, including to jurisdictions with differing data protection standards, subject to adherence to this Policy and the implementation of all reasonable and appropriate protective measures.
9. DATA SUBJECT RIGHTS
9.1. The data subject has the right to receive full, accurate, and clear information regarding the purposes, legal grounds, scope, and methods of processing their personal data, including the content of this Policy, the categories of data processed, sources of data collection, and any transfers to third parties or outside the UAE.
9.2. The data subject may request confirmation from the Company as to whether their personal data is being processed and access the following: the fact of processing, categories of data processed, purposes and legal bases of processing, intended retention periods, and the recipients of data, including third parties and international transferees.
9.3. The data subject has the right to request the correction, update, or clarification of their personal data if it is inaccurate, incomplete, outdated, or misleading. The Company shall make the necessary changes within a reasonable period upon receipt of a justified request with supporting information.
9.4. The data subject may request the deletion of their personal data if the purposes for which it was collected are no longer applicable; if consent is withdrawn and no other lawful basis applies; if the data subject objects to processing based on legitimate interest and no overriding grounds exist; if data was processed unlawfully; or if deletion is required by law.
9.5. The data subject may request restriction of processing where: the accuracy of data is contested (pending verification); the processing is unlawful and deletion is opposed; the Company no longer requires the data but the subject needs it for legal claims; or the subject has objected and the Company is evaluating its legitimate grounds.
9.6. The data subject has the right to data portability, meaning they may obtain the personal data they provided to the Company in a structured, commonly used, and machine-readable format and transfer it to another controller where technically feasible and without infringing the rights of others.
9.7. The data subject has the right to object to processing carried out on the grounds of the Company’s legitimate interest or the performance of a task carried out in the public interest. The Company will cease processing unless it demonstrates compelling legitimate grounds.
9.8. The data subject has the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal or similarly significant effects, unless required by law or based on the subject’s explicit consent.
9.9. The data subject has the right to lodge a complaint with the competent supervisory authority of the UAE if they believe their personal data is being processed in violation of applicable law.
9.10. To exercise any of the above rights, the data subject may submit a written request to the Company’s email: buroneginskiy@gmail.com. The Company shall respond within the timeframe required by applicable law. For security and identity verification purposes, the Company reserves the right to request documentation confirming the identity of the requester.
10. DATA SECURITY MEASURES
10.1. The Company applies adequate technical, organizational, and legal measures to protect personal data from unauthorized access, use, disclosure, alteration, loss, damage, destruction, or other unlawful forms of processing. These measures are proportionate to the nature of the data processed, the level of potential risks, the Company’s technical capabilities, and the requirements of UAE data protection legislation.
10.2. Personal data is stored in digital management and accounting systems, including CRMs and cloud platforms, secured with multi-layered protection. Access to such systems is strictly limited to authorized employees and representatives who have received training and possess formally granted access rights on a need-to-know basis. All activities are subject to logging and audit.
10.3. Physical documents containing personal data are stored in locked safes or cabinets at the Company’s premises. Access is limited to a designated group of trusted employees. Internal policies govern the storage, access, duplication, destruction, and accounting of such documents.
10.4. All digital data is hosted on servers and cloud platforms equipped with certified security systems protecting against unauthorized access, malicious interference, loss, or alteration. Access is provided strictly as necessary for work duties and is monitored via access controls and logs, which can be reviewed in case of an incident.
10.5. The Company may use external services and cloud technologies, including providers located outside the UAE, provided they ensure an adequate level of information security and confidentiality. The Company conducts due diligence on such providers and enters into binding agreements with data protection clauses. By providing their personal data, the data subject consents to such external hosting under the terms of this Policy and applicable law.
10.6. The Company ensures mandatory training for employees with access to personal data on information security, incident response, handling confidential information, access rules, and compliance standards. Such personnel are required to adhere to internal policies and are held accountable for violations.
10.7. The Company regularly audits and updates its security measures, including technical tools, policies, and procedures. If new threats are identified or regulations change, the Company promptly updates its protective framework to minimize risks and prevent incidents.
10.8. In the event of a data breach, damage, destruction, or other compromise, the Company shall promptly initiate an internal investigation, implement mitigation measures, notify relevant authorities if required, and inform affected data subjects in a timely manner if there is a significant risk to their rights.
11. DATA RETENTION AND STORAGE PERIODS
11.1. The Company retains personal data for the period necessary to fulfill the processing purposes outlined in this Policy, as well as for the timeframes required by applicable laws of the United Arab Emirates, other regulatory acts, licensing and compliance obligations, the Company’s internal policies, and/or the provisions of contracts entered into with clients, partners, or employees. Where legal, contractual, or operational grounds exist, the retention period may be extended.
11.2. The specific retention period is determined based on the data category, the nature of the service, the data subject’s role (e.g., client, partner, applicant), the legal grounds for processing, and the risks associated with the need to protect the Company’s rights and interests. In certain cases, personal data may be retained beyond the service period to comply with legal obligations, regulatory reporting, tax and accounting requirements, dispute resolution, or protection of the Company’s rights before public authorities.
11.3. At its discretion and where there are operational, legal, or regulatory justifications, the Company may retain personal data for a reasonable period after the end of contractual, employment, or other relationships with the data subject. Such retention may be required to respond to regulatory inquiries, conduct audits, resolve pre-litigation matters, maintain archives, preserve evidence, handle complaints, and fulfill other legitimate business interests.
11.4. Upon the expiration of the retention period as set out in clauses 11.1 to 11.3, the Company shall securely delete, destroy, or anonymize the personal data, unless continued retention is legally required or permitted due to requests by public authorities or ongoing legal or administrative proceedings. Deletion shall be carried out in accordance with the Company’s internal policies ensuring confidentiality, security, and control over all stages of the personal data lifecycle.
11.5. If a data subject submits a request for deletion of their personal data before the expiration of the mandatory retention period, the Company reserves the right to refuse full deletion where a legal or contractual obligation to retain the data exists. In such cases, the Company undertakes to restrict processing solely to the minimum extent required for legal or operational compliance. This restriction shall not be interpreted as an obligation to delete the data prematurely.
12. DATA RETENTION AND STORAGE PERIODS
12.1. The Company acts as a data controller and assumes full responsibility for ensuring the lawful, secure, transparent, and compliant processing, storage, protection, and transfer of personal data in accordance with the applicable laws of the United Arab Emirates, including Federal Decree-Law No. 45 of 2021 (Personal Data Protection Law, PDPL), as well as the provisions of this Policy. All processing activities are conducted within the UAE or through lawful cross-border transfers aligned with legal requirements and the Company’s internal policies.
12.2. If the data subject has any questions, concerns, objections, or wishes to exercise any of the rights provided by this Policy or applicable law, they may submit a written request to the Company via email at: buroneginskiy@gmail.com. All inquiries are handled by authorized personnel of the Company, subject to proper identification of the requester. The Company reserves the right to request additional documentation to verify the requester’s identity and authority. A response shall be provided within the timeframe set by applicable law, or within a reasonable period if no specific deadline is prescribed.
12.3. The Company prioritizes amicable pre-litigation resolution of all disputes, complaints, or claims related to personal data processing and undertakes to review and address all submissions in good faith and within the prescribed procedure.
12.4. The data subject agrees to first notify the Company directly and allow a reasonable timeframe for rectification or clarification before escalating the issue to a governmental authority, including the UAE Data Office. This constitutes a mandatory step prior to submitting a formal complaint.
12.5. If resolution cannot be achieved amicably, the data subject retains the right to file a complaint with the UAE Data Office or another competent authority in a relevant jurisdiction, provided the processing falls under the scope of applicable data protection laws.
13. CHILDREN’S DATA
13.1. The Company does not intentionally collect, store, or otherwise process personal data of children under the age of 18, except in strictly limited cases where such processing is necessary in connection with the provision of services to clients acting in the best interest of the minor. Any such processing is carried out only to the extent required to fulfill legitimate purposes and is strictly subject to the applicable laws of the United Arab Emirates, including Federal Decree-Law No. 45 of 2021 (PDPL), and is accompanied by documented and verifiable consent of the child’s legal guardian.
13.2. If personal data of a minor is provided in connection with real estate transactions (e.g., for the purposes of visa processing, title registration, family composition confirmation), the Company reserves the right to request supporting documents such as birth certificates, proof of relationship, notarized powers of attorney, court orders, or any other official legal authorizations confirming the representative’s authority. The Company shall not be held liable for any consequences arising from the submission of incomplete, false, or fraudulent documentation.
13.3. The Company shall not be liable for any instances where a child’s personal data is provided without the knowledge, consent, or authorized involvement of their legal representative. Upon identifying such cases, the Company reserves the right to suspend processing, request verification documents, and/or delete the data if further processing would breach applicable law or internal policies.
13.4. The Company implements technical, organizational, and legal safeguards to prevent unauthorized or unintentional processing of children’s personal data and applies reasonable efforts to minimize associated risks. Children’s data is not used for purposes of direct marketing, advertising, profiling, behavioral analytics, automated decision-making, or cross-border transfers, unless explicitly permitted by law and accompanied by the documented consent of the legal guardian.
13.5. Clients bear full responsibility for the legality, accuracy, and validity of any personal data of minors they provide, including securing all necessary consents and legal authority to transfer and authorize the processing of such data on behalf of the minor.
14. USE OF COOKIES AND TRACKING TECHNOLOGIES
14.1. To ensure proper operation of the website, enhance information security, analyze user behavior, optimize content, personalize the interface, conduct marketing campaigns, and improve the quality of services, the Company uses cookies and other tracking technologies, including but not limited to: pixels, web beacons, JavaScript, local storage, analytics scripts, advertising identifiers, and third-party plugins.
14.2. Upon the user’s first visit to the website, a notification is displayed offering the opportunity to consent to the use of cookies, except for strictly necessary cookies that enable essential technical functions of the site. Users may withdraw or modify their consent at any time via browser settings, the site’s cookie banner interface, or by submitting a written request to the Company. The Company is not liable for any limited functionality resulting from the user’s decision to disable cookies.
14.3. Cookies may be placed either directly by the Company or by authorized third-party service providers (such as analytics, CRM, retargeting, marketing automation, and hosting platforms) acting on behalf of the Company. These cookies may process technical data including IP address, geolocation, device type, OS version, browser settings, interface language, timestamps, navigation history, session duration, click paths, and other anonymized metadata.
14.4. The Company provides users with the ability to manage cookie preferences via a dedicated cookie banner and/or browser settings. The user’s refusal to accept optional cookies does not affect the operation of strictly necessary cookies. Users may change or revoke their consent at any time without limitation.
14.5. The user acknowledges that refusal of cookies other than strictly necessary ones may result in reduced availability of certain features, interfaces, content, or personalized options. The Company shall not be held liable for any errors, limitations, or reduced quality of user experience caused by such restrictions.
14.6. By continuing to use the website without modifying cookie settings or without actively managing consent preferences, the user is deemed to have accepted the use of cookies and tracking technologies for the purposes specified in this Privacy Policy. Additional information on cookie categories, retention periods, purposes, and providers is available upon written request.
14.7. The Company implements reasonable technical, organizational, and contractual measures to protect data collected via cookies and requires all engaged providers to comply with applicable data protection and information security standards.
15. AMENDMENTS AND UPDATES TO THE POLICY
15.1 The Company reserves the right to amend, supplement, or fully revise the provisions of this Privacy Policy at any time, if such actions are necessary due to changes in legislation, regulatory requirements, official practices, case law, internal data processing procedures, or in order to enhance the level of personal data protection and processing transparency.
15.2 All amendments shall take effect upon their approval by the Company and official publication of the updated Policy on its official website or upon notification of the data subject by any other permissible means — including but not limited to email, messengers, printed copies, or digital system interfaces. The Company may refrain from sending individual notices unless otherwise required by obligations towards a specific client or by applicable law.
15.3 If the proposed amendments affect the conditions of personal data processing previously consented to and such changes require new consent under applicable law, the Company shall suspend the processing of the affected data until proper, documented consent is obtained from the data subject, unless otherwise provided by law.
15.4 The data subject has the right to request the current version of this Privacy Policy from the Company at any time, in writing or via email, and is responsible for monitoring updates independently, unless otherwise provided by the individual service terms, agreement, or contract between the parties.
15.5 The use of the website, services, or continued interaction with the Company after the amendments come into force shall be deemed acceptance of the updated Policy, unless separate, express consent is required by law.
15.6 The data subject acknowledges and agrees that the Company is entitled to make changes to this Privacy Policy without prior individual notice, except in cases expressly required by law. Use of the website, services, or continued interaction with the Company following the publication of such amendments shall constitute confirmation of the data subject’s awareness of the updated version and acceptance of its terms.
16. GOVERNING LAW AND JURISDICTION
16.1 This Privacy Policy shall be governed by and construed exclusively in accordance with the laws of the United Arab Emirates, including but not limited to: Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL), Federal Decree-Law No. 20 of 2018 (AML/CFT), the regulations of the UAE Central Bank, DLD, RERA, and any other applicable legal and regulatory acts in force in the Emirate of Dubai.
16.2 Any disputes, claims, controversies, demands, losses, or legal consequences arising in connection with the processing of personal data, interpretation, performance, enforcement, or breach of this Policy, as well as the Company’s actions related to personal data protection, shall be subject to the exclusive jurisdiction of the competent civil courts of the Emirate of Dubai, United Arab Emirates, unless otherwise expressly provided by law or by a written agreement between the parties. Such courts shall constitute the agreed jurisdiction.
16.3 This Policy may be used by the Company as standalone evidence of proper notice to the data subject, receipt of consent, fulfillment of data protection obligations, and as a legal basis for protecting the interests of the Company, its employees, clients, and contractors in any pre-litigation, administrative, arbitration, or judicial proceedings in any jurisdiction, provided such use complies with applicable law.
16.4 The parties acknowledge the legal force of this Policy in both paper and electronic form, including where provided through official digital resources, email, messengers, digital platforms, or CRM systems. The data subject’s signature under a separate consent form shall constitute confirmation that the terms of this Policy have been fully communicated and accepted without objection.
16.5 In the event of any discrepancies between the Russian and English versions of this Policy, the English version shall prevail. It shall be deemed the official version and shall be interpreted exclusively in accordance with the laws of the United Arab Emirates.
17. DISCLAIMER OF LIABILITY
17.1 This Privacy Policy is provided for informational purposes only and shall not constitute a contract, public offer, or legal obligation beyond the requirements imposed by the applicable laws of the United Arab Emirates. No provision of this Policy shall be interpreted as creating any additional obligation for the Company unless such obligation is expressly required by law or a written agreement between the parties.
17.2 The Company shall not be liable for any damages, losses, reputational harm, regulatory consequences, fines, or legal outcomes resulting from the provision of false, incomplete, outdated, or misleading information by the client or any third party, or from the client’s violation of this Policy, the terms of service, applicable law, or instructions communicated by the Company.
17.3 The Company does not guarantee absolute technical or legal invulnerability of its information systems and shall not be held liable for any harm resulting from unauthorized access, cyberattacks, malware, technical failures, vulnerabilities, data leaks, communication interruptions, hardware or software errors, acts of third parties, or any other circumstances beyond the Company’s reasonable control, including force majeure events.
17.4 The Company shall not be responsible for any actions, omissions, violations, or failures caused by third-party providers of cloud or digital services, advertising platforms, legal or technical consultants, or other contractors acting as independent data controllers or under their own policies and terms of service, even if such parties were mentioned, recommended, or used by the Company.
17.5 The Company shall not be liable for any consequences of unlawful, unauthorized, incorrect, or fraudulent actions committed by the client, its agents, representatives, or third parties, including breaches of confidentiality, misleading actions, or violations of third-party rights or applicable laws, unless such consequences were directly caused by proven misconduct on the part of the Company.
18. OBLIGATIONS OF THE DATA SUBJECT
18.1 The data subject is obligated to provide the Company with accurate, complete, up-to-date, and legally correct information necessary for the fulfillment of service conditions and for achieving the purposes of processing set out in this Policy. In case of any changes to the provided information, the data subject must promptly notify the Company in writing or through official communication channels. The Company shall not be held liable for any damages, consequences, or service limitations resulting from the data subject’s failure to timely update such information.
18.2 The data subject undertakes not to submit any personal data of third parties to the Company without their prior, express, and documented consent, or without another valid legal basis as required under applicable law. In case of breach of this obligation, the data subject shall bear full legal, administrative, and civil liability for all consequences, including sanctions, claims, and losses incurred by the Company or third parties.
18.3 The data subject is strictly prohibited from using any forms, electronic communication tools, messaging apps, email, digital platforms, or any other channels to transmit false, distorted, fraudulent, defamatory, unlawful, or misleading information to the Company. If the Company has reasonable grounds to suspect the provision of inaccurate data or a breach of applicable law, it reserves the right to suspend data processing, deny services, and report the incident to the competent authorities.
18.4 The data subject agrees to refrain from any actions aimed at interfering with data processing operations, compromising information security measures, unauthorized access to the Company’s secured systems, hacking attempts, or unlawful dissemination of personal data obtained through interactions with the Company without a valid legal basis, as well as any acts that may compromise the confidentiality, integrity, or legality of data processing.
18.5 When submitting a request to exercise rights under applicable UAE data protection law or this Policy (including requests for access, rectification, deletion, restriction, withdrawal of consent, or data portability), the data subject must verify their identity and authority in accordance with the procedure established by the Company and provide all required supporting documents. The Company reserves the right to deny the request where there are insufficient legal grounds or reasonable suspicion of abuse of rights.
18.6 The data subject acknowledges and accepts that they bear full, unconditional, and personal responsibility for complying with the terms of this Policy and applicable UAE laws when interacting with the Company, including liability for any actions performed on their behalf using their contact information, digital identifiers, devices, or user accounts.
19. POLICY ON BIOMETRIC AND SENSITIVE PERSONAL DATA
19.1 The Company reserves the right, in exceptional, justified, and documented cases, to process special categories of personal data, including but not limited to information on racial or ethnic origin, religious or philosophical beliefs, health status, biometric data, criminal records, sexual orientation, and other sensitive personal information. Such processing is strictly limited to what is legally permitted under the applicable legislation of the United Arab Emirates, including Federal Decree-Law No. 45 of 2021, and shall only be carried out on the basis of a valid legal ground and to the extent necessary to achieve a specific and lawful purpose.
19.2 The processing of biometric data, including facial images, fingerprints, iris scans, photo and video recordings, and other unique identifiers, is permitted only where it is required for identity verification, compliance with KYC/AML obligations, fraud prevention, or regulatory requirements. Processing is allowed solely based on a separate, explicit, voluntary, informed, and documented consent from the data subject, or another lawful basis as stipulated by the laws of the UAE.
19.3 The Company implements enhanced technical, procedural, and organizational safeguards for the protection of sensitive and biometric data, including access restrictions, encryption, segregated storage, logging of all processing operations, a prohibition on processing without prior authorization by a designated officer, and ongoing internal monitoring. These measures are consistent with the principles of necessity, data minimization, legality, transparency, accountability, and confidentiality.
19.4 The data subject confirms that the provision of biometric and sensitive data is voluntary and limited to what is necessary for identification, contract execution, or the Company’s legal obligations. The data subject acknowledges that failure to provide such data may restrict access to certain services requiring legally significant identification or compliance with statutory obligations.
19.5 The Company does not engage in automated decision-making, profiling, behavioral analysis, reputation scoring, creditworthiness assessment, or any similar processing based on sensitive or biometric data unless expressly required by law or clearly consented to in writing by the data subject. Such data shall not be disclosed to third parties unless explicitly required by law, upon an official request from a competent authority, or based on the data subject’s written consent.
19.6 All sensitive and biometric data processed by the Company shall be used exclusively for the purposes for which it was collected, shall not be transferred to other jurisdictions without a valid legal basis, and shall be retained only for as long as necessary. Upon expiration of the retention period, such data shall be securely deleted or anonymized in accordance with the Company’s internal policies and procedures that ensure irreversible destruction or de-identification.
20. POLICY ON INTERACTIONS WITH GOVERNMENT AUTHORITIES
20.1 The Company interacts with governmental, quasi-governmental, regulatory, and law enforcement authorities in the United Arab Emirates and other jurisdictions where the Company operates strictly in accordance with the procedures, forms, and scope permitted by applicable national and international laws, including but not limited to AML/CFT regulations, PDPL, corporate, immigration, tax, land, and other relevant regulatory frameworks.
20.2 The Company reserves the right to disclose personal data of data subjects solely upon the request of competent governmental or judicial authorities where such disclosure is required to comply with official directives, court rulings, law enforcement or regulatory inquiries, or in the context of mandatory KYC, tax reporting, due diligence, or AML/CFT obligations, and strictly limited to the minimum information necessary and requested.
20.3 All personal data disclosed to government authorities is transmitted exclusively through official, secure, and verified communication channels, with mandatory registration in the Company’s internal log of the disclosure event, including the contents of the request, legal basis, and scope of the information shared. The Company maintains continuous auditing and internal oversight to ensure compliance with applicable information security and data protection laws.
20.4 Upon receiving a request from a government authority, the Company conducts a mandatory review of the authority's legal competence, the legitimacy of the request, and its compliance with applicable laws. Any response is prepared in accordance with the Company’s internal regulations, observing the principle of proportionality and maintaining a balance between the Company’s legal interests, the rights of data subjects, and regulatory requirements.
20.5 The Company reserves the right not to inform data subjects about the disclosure or transfer of their personal data to government authorities where such notification is expressly prohibited by applicable law, may interfere with an ongoing investigation, contradicts the nature of the inquiry, or undermines the intent of official legal, administrative, or fiscal procedures.
20.6 All employees, contractors, and other authorized representatives of the Company are required to strictly follow the established procedures for interacting with governmental entities, including identity verification, internal registration, documentation, and reporting, and to ensure adherence to the principles of confidentiality, non-disclosure, and professional conduct.
20.7 In case of reasonable doubt regarding the legality of a government request or potential violation of the rights of a data subject, the Company may suspend the disclosure of information until it receives official clarification, a legal opinion, or written confirmation of the legitimacy of the request, including consultation with the requesting authority or an independent legal advisor.
21. CONFIRMATION OF CONSENT TO THE POLICY
21.1 By signing this document, the data subject confirms that they have received complete, accurate, and clearly understandable information regarding the purposes, legal grounds, scope, duration, and procedures for the processing of their personal data, including cross-border transfers, provision to third parties, use of biometric and sensitive data, actions in digital systems, as well as information about their rights and the legal means to exercise them under the laws of the United Arab Emirates.
21.2 By signing this Policy, the data subject gives their explicit, specific, unambiguous, and voluntary consent to the processing, storage, transfer, disclosure, and other lawful actions with their personal data for the purposes defined herein, in accordance with Federal Decree-Law No. 45 of 2021 of the United Arab Emirates (PDPL), and any other applicable legal provisions in the jurisdictions where the Company operates.
21.3 The data subject confirms that they have read this Policy carefully, fully understand the legal consequences of providing or withholding their personal data, are aware of their rights and obligations, and voluntarily accept the terms of processing, including the possibility of restricted access to services in the event of refusal.
21.4 The consent provided by the data subject remains valid throughout the duration of data processing, including storage, as governed by applicable laws, the Company’s internal regulations, or contractual obligations, and may only be withdrawn in writing, submitted to the Company’s official address. The data subject acknowledges that withdrawal of consent may result in the inability to receive some or all of the Company’s services.
21.5 By signing this Policy, the data subject confirms the legal validity of this document and agrees that it may be used as evidence of consent, proper notification, awareness, and voluntariness in any administrative, claim-related, or judicial proceeding, including for the protection of the Company’s interests, its employees, and/or clients.
22. RELATION TO OTHER POLICIES AND PROCEDURES
22.1 This Privacy Policy constitutes an integral part of the Company’s internal regulatory framework and shall be applied in conjunction with other current policies, procedures, and agreements, including but not limited to: the Anti-Money Laundering and Counter-Terrorist Financing Policy (AML/CFT), the Know Your Customer Policy (KYC), the Information Security Policy, the Employee Data Protection Policy, the Client Complaint Handling Regulations, internal ethics and compliance standards, and any contracts or agreements concluded with clients, counterparties, or employees, whether in oral, written, or electronic form.
22.2 In the event of any inconsistencies, contradictions, or discrepancies between versions of this Policy translated into different languages, the official English version shall prevail and have legal force. The English version shall be interpreted and applied in accordance with the laws of the United Arab Emirates and shall be used in any judicial, administrative, arbitral, or regulatory proceedings conducted within the jurisdictions where the Company operates.
22.3 The Company reserves the right to apply the provisions of this Policy in conjunction with other internal regulations, local and international standards, and prevailing enforcement practices, for the purposes of fulfilling its legal, regulatory, contractual, and ethical obligations, ensuring transparency, managing risks, and protecting the rights and interests of all parties involved in its operations.
23. PROCEDURE FOR EXERCISING DATA SUBJECT RIGHTS
23.1 The data subject shall have the right to submit a written request to the Company to exercise their rights under this Policy and applicable legislation, including but not limited to: the right of access, rectification, erasure, restriction of processing, withdrawal of consent, objection to processing, and data portability. Requests may be submitted via email, postal address, or any other official communication channel provided by the Company and listed in the current version of this Policy.
23.2 The Company undertakes to consider each request in good faith, on a case-by-case basis, and within the timeframes established by the applicable laws of the United Arab Emirates, including Federal Decree-Law No. 45 of 2021 (PDPL). If necessary, the response period may be extended for objective reasons, provided that the data subject is duly notified in advance.
23.3 To prevent unauthorized access to personal data and ensure proper identification, the Company reserves the right to request identity verification from the applicant. Such verification may include a copy of a valid identification document (passport or Emirates ID), details of prior interactions, or documents confirming legal authority when acting on behalf of another person.
23.4 The Company shall not deny the exercise of data subject rights without sufficient, specific, and lawful grounds explicitly provided by applicable legislation. A refusal may be issued only if: (a) fulfillment of the request would infringe upon the rights and freedoms of others; (b) the request obstructs the course of justice, investigations, or official procedures; or (c) disclosure would breach legally protected confidentiality, trade secrets, or other privileged information.
23.5 In the event of a refusal, the Company shall provide the applicant with a written response, clearly stating the reasons for refusal, references to the relevant legal grounds, and an explanation of the data subject's available remedies, including the right to lodge a complaint with the UAE Data Office.
23.6 The exercise of data subject rights shall be provided free of charge. However, where a request is manifestly unfounded, excessive, or repetitive, the Company reserves the right to: (a) charge a reasonable administrative fee covering actual costs, or (b) decline the request based on appropriate legal grounds, with formal notification to the data subject.
23.7 The Company maintains an internal log and audit trail of all requests related to the exercise of data subject rights, including the date of receipt, request details, actions taken, reasons for refusal (if any), and date of fulfillment. This information shall be retained for the period specified by internal policies and applicable law and may be used during inspections, audits, or legal proceedings.
24. USE OF DATA FOR MARKETING AND ADVERTISING PURPOSES
24.1 The Company is entitled to use the personal data of data subjects, including name, contact information, preferences, interaction, and behavioral data, to provide information about products, services, special offers, promotions, events, surveys, research, updates, news, and other content which, in the Company’s reasonable opinion, may be of interest, benefit, or relevance to the data subject. Such processing is carried out either based on prior explicit consent or on the Company’s legitimate interest, to the extent expressly permitted by applicable law.
24.2 The Company may conduct such marketing communications via any lawful channels, including but not limited to: email, phone calls, messaging applications, push notifications, SMS, targeted and contextual ads, online chats, personalized banners, social media publications, and other forms of electronic communication.
24.3 The data subject has the right to opt out of receiving marketing and promotional messages at any time by using the opt-out mechanism included in the message (e.g., “unsubscribe” link), or by submitting a written request to the Company via the official communication channels provided. The Company shall cease sending such messages within a reasonable period after receipt of the request, but no later than the time limit prescribed by applicable law, subject to proper receipt of the request.
24.4 The Company does not transfer personal data to third parties for their own marketing purposes without the data subject’s prior, separate, and explicit consent. In the case of joint or partner campaigns, such processing and transfers are permitted only if the purpose, scope, and terms have been clearly communicated and accepted by the data subject, and subject to appropriate contractual and legal confidentiality safeguards with such partners.
24.5 The Company may use anonymized, aggregated, or statistical data that does not directly or indirectly identify the data subject for the purposes of internal analytics, segmentation, personalization, testing, automation, and optimization of marketing and advertising activities, including use of external platforms and service providers, provided such activities do not breach applicable law or require additional consent.
25. POLICY ON AUDIO AND VIDEO RECORDINGS RETENTION
25.1 The Company reserves the right to make audio and video recordings of telephone calls, digital communications, online consultations, meetings, in-person interactions, events, and any other engagements involving data subjects, where such recordings are carried out in connection with service provision, fulfillment of contractual obligations, marketing activities, quality assurance, internal control, or compliance with legal or regulatory requirements.
25.2 Such recordings may be used for the purpose of dispute resolution, verification of agreements, protection of the Company’s rights and interests, employee performance review, enforcement of corporate standards, internal investigations, audits, or upon request by competent authorities including, but not limited to, DLD, RERA, the Central Bank of the UAE, law enforcement agencies, or courts of law.
25.3 All recordings are stored on technically secure physical or encrypted cloud-based storage with access restricted on a need-to-know basis. The retention period is determined in accordance with the purpose of the recording and shall not exceed the limits prescribed by applicable UAE law, internal Company policies, or contractual terms with the client. Upon expiry of the retention period, recordings shall be securely deleted or destroyed.
25.4 The Company ensures confidentiality of all audio and video recordings, including a strict prohibition on unauthorized access, duplication, transmission, or use by third parties, except as expressly required by law, court order, or pursuant to a written agreement with the data subject.
25.5 Audio and video recordings may be used as evidence in administrative, pre-litigation, or judicial proceedings, and for the protection of the Company’s, employees’, or clients’ legitimate interests, including but not limited to: contractual disputes, misconduct, attempted fraud, breaches of professional ethics, or violations of applicable laws.
26. CONDITIONS RELATED TO REMOTE SERVICES AND CLOUD PROVIDERS
26.1 The Company is entitled to use remote digital services, cloud storage, SaaS, PaaS, and IaaS platforms, as well as external technological solutions, for the storage, processing, analysis, and transfer of personal data solely to the extent necessary for fulfilling its contractual obligations, ensuring business continuity, complying with regulatory requirements, and protecting the legitimate interests of the Company.
26.2 All third-party cloud and remote service providers granted access to personal data by the Company are required to comply with applicable data protection laws, including Federal Decree-Law No. 45 of 2021 (PDPL), and international security standards (including but not limited to ISO/IEC 27001, SOC 2, GDPR where applicable), unless otherwise provided by contract or law.
26.3 Prior to the transfer of personal data to such providers, the Company conducts comprehensive legal, technical, and operational due diligence, including mandatory review of the data processing agreement (DPA), evaluation of security controls, backup systems, physical and logical access segregation, presence of data localization and cross-border transfer provisions, and breach notification procedures.
26.4 Access to personal data stored in remote or cloud environments is strictly limited to authorized employees or designated representatives of the Company on a need-to-know basis and subject to internal approval. The Company applies robust access control measures, activity logging, multi-factor authentication, encryption of data at rest and in transit, and continuous security monitoring.
26.5 In cases where cloud storage or services are located outside the jurisdiction of the UAE, the Company undertakes to ensure an equivalent or higher level of personal data protection compared to that required under UAE law. Such cross-border transfers shall be carried out only based on a valid legal ground, including the data subject’s explicit consent, adequacy of the recipient country’s laws, or other legal safeguards provided under applicable regulations.
27. EFFECTIVE DATE AND REVIEW OF THE POLICY
27.1 This Policy becomes effective on the date of its approval by an authorized representative of the Company and remains valid until it is officially replaced, revoked, or rendered void in accordance with the established procedure. The Company reserves the unconditional right to review, amend, or supplement the Policy unilaterally in order to comply with changes in legislation, regulatory requirements, internal procedures, data processing practices, or service delivery conditions.
27.2 The Policy shall be reviewed at least once every twelve (12) months or immediately upon the enactment of significant regulatory changes, including the adoption of new laws, regulations, decrees, or official guidance from regulatory authorities affecting the processing of personal data.
27.3 The updated version of the Policy shall enter into force upon its publication, delivery to the data subject, placement on the official Company resources, or any other form of proper notification to the data subject. If material changes are made to the scope, purposes, or legal bases of processing, the Company may require separate confirmation of the data subject’s consent to the revised version of the Policy.
27.4 Data subjects are solely responsible for familiarizing themselves with the current version of the Policy. Upon written request by the data subject, the Company undertakes to provide the latest approved version in written or electronic form, including when signing documents related to the provision of services.
27.5 Effective date of this version: 15 July 2025. All prior versions of this Policy shall be deemed null and void as of the above date, except where such prior versions must be applied for legal assessment of actions taken during their period of validity.
28. CONTACT INFORMATION
For any matters related to the processing of personal data, the exercise of data subject rights, or to submit inquiries, notifications, or requests, the data subject may contact the Company using the following details:
NEGINSKIY BUREAU REAL ESTATE L.L.C
Business Bay, Bay Square, Building 02, Office P05, Dubai, UAE
Mailing address: United Arab Emirates, Dubai, P.O. Box 416493
Landline: +971 4 238 0871
Mobile: +971 52 685 04 75
Email: buroneginskiy@gmail.com