Privacy Policy

Last Updated: November 17, 2025

Overview

This Privacy Policy describes how Authect FZCO ("we," "our," or "us") collects, uses, and protects your information when you use our website at authect.com and our digital services.

Authect FZCO is a technology services company legally registered as Trade License 70505 under the International Free Zone Authority (IFZA). Our registered office is located at Building A1, Dubai Digital Park, Dubai Silicon Oasis, Dubai, United Arab Emirates. The company is directed by Pranas Mickevicius and can be reached at +971 50 246 5223 or via email at info@authect.com.

We are committed to protecting your privacy and ensuring transparency about our data practices. This policy applies to all visitors, users, and clients of our technology and digital solutions services. By using our website or services, you acknowledge and agree to the practices described in this Privacy Policy.

We design our services with privacy by design and privacy by default principles. This policy was last updated on November 17, 2025.

Our Role & Your Data

We act as **data controller** for our own website, marketing, and business operations. We act as **data processor** when providing services where you determine how data is used (development, CRM, hosting, AI services). In some cases, we may jointly determine processing with you, and we'll establish clear agreements for these situations.

When we're the processor, you (as controller) must ensure lawful basis for processing, provide processing instructions, and handle data subject rights requests (we'll assist you).

What We Collect & Why

We follow data minimization principles, collecting only what's necessary.

Personal & Business Information

We collect your name, email, phone number, company details, and communication preferences when you contact us or use our services. We use this to respond to inquiries, deliver services, send updates, manage relationships, and process payments.

Legal basis: Contract performance (GDPR Art. 6(1)(b)) and Legitimate interests (GDPR Art. 6(1)(f)) for business relationships.

Website Analytics

We collect IP address (anonymized), browser type, device info, pages visited, and usage patterns. This helps us improve website performance and user experience.

Legal basis: Consent (GDPR Art. 6(1)(a)) for analytics cookies and Legitimate interests (GDPR Art. 6(1)(f)) for essential functionality. You can object anytime through cookie settings.

Cookies

We obtain your explicit consent BEFORE placing non-essential cookies. Essential cookies (session, security) are placed automatically as they're strictly necessary. Analytics and marketing cookies require your prior consent through our cookie banner.

Service-Specific Data

For AI services: conversation logs (may include profiling for personalization - you can object). For marketing: campaign metrics (may include engagement profiling). For development/CRM: project files and customer data you provide. For automation: workflow configurations.

Payment Information

We collect payment details, billing address, and tax information. Card information is processed by Stripe/PayPal (not stored by us). We retain this for invoicing, tax compliance (7 years under UAE law), and fraud prevention.

Legal basis: Contract performance and Legal obligation (GDPR Art. 6(1)(c)).

Communications

We maintain records of emails, support tickets, calls (with consent), and messages for 3 years. These are used for support, documentation, quality improvement, and dispute resolution.

Microsoft Clarity Analytics

We partner with Microsoft Clarity and Microsoft Advertising to capture how you use and interact with our website through behavioral metrics, heatmaps, and session replay to improve and market our products/services.

**What Clarity Captures:** Clarity uses first and third-party cookies and other tracking technologies to capture:

  • User interactions (clicks, scrolls, mouse movements)
  • Page rendering and performance metrics
  • Session recordings (replays of user sessions)
  • Heatmaps showing click and scroll patterns
  • Device and browser information

**How We Use This Data:**

  • Website optimization - identify confusing elements and improve user experience
  • Content placement - determine where to place content for maximum engagement
  • Fraud and security purposes - detect suspicious activity
  • Advertising - improve our marketing campaigns
  • User behavior analysis - understand how visitors navigate our site

**Data Storage:** Website usage data is captured and stored by Microsoft on their Azure cloud infrastructure. Data is retained for 13 months from the time of recording. We have access to this data for up to 30 days from the time of recording.

**Privacy & Compliance:** By using our website with analytics consent, you agree that we and Microsoft can collect and use this data. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement at privacy.microsoft.com/privacystatement.

**Your Controls:** You can withdraw consent for Clarity tracking at any time through our cookie banner. Clarity also respects browser Do-Not-Track (DNT) signals and Global Privacy Control (GPC) where supported.

**EEA/UK/Switzerland Users:** We communicate your consent status directly to Microsoft Clarity via their consent API to ensure proper compliance with local data protection regulations.

Who We Share Data With

We work with carefully selected service providers under strict data protection agreements.

Third-Party Services

  • Google Analytics (US) - website analytics, protected by EU-US Data Privacy Framework and SCCs
  • Microsoft Clarity (US) - behavioral analytics, session replay, and heatmaps, protected by EU-US Data Privacy Framework and SCCs
  • Stripe/PayPal (EU/US) - payment processing, PCI DSS compliant, SCCs in place
  • AWS/Google Cloud/Azure - hosting, primarily UAE/EU regions, UAE data localization for sensitive data
  • SendGrid/Mailgun (US) - transactional emails, SCCs and encryption
  • OpenAI/Google AI (US) - AI functionality, data anonymized where possible, SCCs and TIAs conducted

When we're a processor, we maintain a current sub-processor list and notify you 30 days before changes.

When We Share

We share data only with your consent, for legal obligations, fraud prevention, with service providers under DPAs, in business transfers (with notice), or with professional advisors bound by confidentiality.

What We Never Do

We never sell your data, share without safeguards, use for unauthorized marketing, transfer internationally without protection (SCCs/TIAs), or provide to authorities without legal basis.

Data Processing Agreements

All our processors sign comprehensive DPAs before accessing data. We use 2021 EU Commission-approved Standard Contractual Clauses for EU transfers and implement adequate measures for UAE transfers. We conduct Transfer Impact Assessments (TIAs) for international flows.

For US transfers, we rely on the EU-US Data Privacy Framework (July 10, 2023 adequacy decision) where providers are certified, or SCCs with Schrems II supplementary measures otherwise.

Need a DPA? Contact dpo@authect.com or privacy@authect.com - we provide within 5 business days. Available in English and Arabic.

We maintain GDPR Article 30 records of processing activities and conduct Data Protection Impact Assessments (DPIAs) for high-risk processing.

Cookies & Tracking

We obtain explicit consent BEFORE placing non-essential cookies.

**Essential Cookies** (always active, no consent needed):

  • authect_session - session security (deleted when browser closes)
  • authect_consent - your cookie choices (1 year)

**Analytics Cookies** (requires consent):

  • Google Analytics (_ga, _ga_*) - traffic analysis, 26 months, shared with Google (US, DPF/SCCs)
  • Microsoft Clarity (_clck, _clsk, CLID, ANONCHK, MR, MUID) - behavioral analytics, session replay, and heatmaps, 13 months, shared with Microsoft (US, DPF/SCCs)

**Marketing Cookies** (requires consent):

  • Google Ads (_gcl_*) - conversion tracking, 90 days
  • Facebook Pixel (fbp) - ad conversions, 90 days

We may use profiling for personalization. You can object anytime. We don't use automated decision-making with legal effects without human intervention.

**Your Controls:** Manage cookies through our banner anytime. You can also use your browser settings to block or delete cookies. Opt out of Google Analytics: tools.google.com/dlpage/gaoptout. Opt out of ads: optout.aboutads.info or youronlinechoices.eu (EU).

UAE Compliance

We comply with UAE Federal Law No. 45 of 2021 on Personal Data Protection and IFZA/Dubai/TDRA regulations.

**Data Localization:** We store sensitive data for UAE residents in UAE servers:

  • Financial and banking data
  • Health records (if processed)
  • Government IDs (Emirates ID, passports)
  • Sensitive personal data as required by law

**Your UAE Rights:**

  • Access, rectify, delete, restrict, port, and object to processing
  • Withdraw consent anytime
  • Complain to TDRA (www.tdra.gov.ae), IFZA (regulatory@ifza.ae), or Dubai Economic Department

**Minors (UAE):** Users under 21 years of age require parental/guardian consent. We don't knowingly process under-21 data without verified parental consent.

**Exercising Rights:** Email privacy@authect.com or dpo@authect.com with Emirates ID/passport copy. Response within 30 days (aim for 15 days).

**Contact:** DPO: Pranas Mickevicius (dpo@authect.com, +971 50 246 5223). Hours: Sunday-Thursday, 9 AM-6 PM GST.

EU GDPR Compliance

For EU residents, we comply with GDPR in addition to UAE law.

**Legal Basis:**

  • Consent (Art. 6(1)(a)) - marketing, analytics cookies
  • Contract (Art. 6(1)(b)) - service delivery
  • Legal Obligation (Art. 6(1)(c)) - tax compliance, retention
  • Legitimate Interests (Art. 6(1)(f)) - fraud prevention, security, business operations (with balancing tests)

**Your GDPR Rights:**

  • Access (Art. 15), Rectification (Art. 16), Erasure (Art. 17), Restriction (Art. 18)
  • Data Portability (Art. 20), Object (Art. 21), Automated Decision-Making (Art. 22)
  • Object to profiling and request human intervention
  • Lodge complaints with supervisory authority (find yours: edpb.europa.eu/about-edpb/members_en)

**EU to UAE Transfers:** Standard Contractual Clauses (2021 version), Transfer Impact Assessments, documented safeguards available on request.

**Breach Notification:** Supervisory authority within 72 hours (Art. 33). Affected individuals notified without undue delay if high risk (Art. 34).

**Response Time:** 1 month (extendable to 3 months for complex requests) per GDPR Art. 12(3).

International Transfers

**Data Storage:** UAE servers (Dubai/Abu Dhabi) for regional clients. EU servers (Frankfurt/Amsterdam/Dublin) for EU clients. Multi-region redundancy while maintaining primary location per your residence.

**Transfer Mechanisms:**

  • Standard Contractual Clauses (2021 EU Commission version)
  • EU-US Data Privacy Framework (July 10, 2023 adequacy decision)
  • Transfer Impact Assessments for non-adequate countries
  • Supplementary measures per Schrems II when needed

**Safeguards:** TLS/SSL encryption in transit (256-bit), AES-256 at rest, contractual obligations, access controls, staff training, regular audits.

**Your Rights:** Be informed of transfers, receive safeguard information, obtain SCC copies, object to transfers, complain to authorities.

Security & Retention

**Security Measures:** TLS/SSL encryption (256-bit) in transit, AES-256 at rest, MFA for all staff access, role-based access controls, annual security audits and penetration testing, intrusion detection/prevention, encrypted backups in separate locations, staff security training and confidentiality agreements.

**Retention Periods:**

  • Client project data: Relationship + 7 years (UAE law)
  • Financial records: 7 years (UAE tax law)
  • Analytics: 26 months
  • Marketing: Until consent withdrawn or 2 years inactive
  • Communications: 3 years
  • Backups: 90 days

**Secure Disposal:** DoD 5220.22-M standards (3-pass minimum), certified shredding of physical media, removal from all backups, deletion certificates available.

**Breach Response:** Incident team activated immediately, containment within 24 hours, UAE/EU authorities notified within 72 hours if required, affected individuals notified without undue delay if high risk exists.

Special Categories

**AI Services:** Conversations analyzed for quality improvement (anonymized where possible). Profiling for personalization - you can object. Human review of sensitive conversations requires explicit consent. Models audited for bias. Opt-out available. DPIAs conducted for high-risk AI processing.

**Children:**

  • EU/EEA: No processing under 16 without parental consent (or lower per member state, min. 13)
  • UAE: No processing under 21 without guardian consent
  • Other: 18 minimum

Our services are intended for business/professional use. If we discover underage data collected without proper consent, we delete it immediately.

**Sensitive Data:** We generally don't collect sensitive data (racial origin, political opinions, religious beliefs, health, biometric, genetic, sex life data). If necessary: explicit consent required, enhanced security, DPIAs, strict access controls, opt-out available.

**Automated Decisions:** No fully automated decision-making with legal effects without human intervention. Where automated tools are used: human oversight is present, and you have the right to human intervention, the right to contest the decision, and an explanation of the logic involved.

Your Rights

**Contact:** privacy@authect.com or dpo@authect.com, +971 50 246 5223

**Your Rights:** Access (get copy), Rectify (correct errors), Erase (delete), Restrict (pause processing), Port (receive in machine-readable format), Object (stop processing), Withdraw Consent (anytime).

**Response Times:** EU: 1 month (extendable to 3). UAE: 30 days (aim 15). Corrections: 7 days. Erasure: 30 days (backups: 90 days).

**Identity Verification:** Emirates ID/passport copy required. Additional verification for high-risk requests.

**Fees:** Free unless request is manifestly unfounded/excessive or you request additional copies.

**Refusals:** We may refuse if we can't verify identity, request is unfounded/excessive, legal obligations prevent deletion, or legitimate grounds override interests.

**Complaints:** Contact us first. UAE: TDRA (www.tdra.gov.ae), IFZA (regulatory@ifza.ae). EU: Local supervisory authority (edpb.europa.eu/about-edpb/members_en).

Updates & Contact

**Policy Changes:** Material changes communicated 30 days before taking effect. Continued use constitutes acceptance unless explicit consent required.

**Contact:** Authect FZCO, Trade License 70505 (IFZA)
Building A1, Dubai Digital Park, Dubai Silicon Oasis, Dubai, UAE

DPO: Pranas Mickevicius
Email: dpo@authect.com (urgent: 48hr response), privacy@authect.com (72hr response)
Phone: +971 50 246 5223
Hours: Sunday-Thursday, 9 AM-6 PM GST

**Governing Law:** UAE Federal Law No. 45 of 2021, IFZA/Dubai/TDRA regulations. GDPR applies for EU residents. Dubai Courts and DIFC Courts have jurisdiction (EU residents may use local courts per GDPR Art. 79).

**Documentation Available:** DPAs, SCCs, TIA summaries, DPIA summaries, Article 30 records, sub-processor lists. Request at dpo@authect.com (fulfilled within 10 business days).