Authect Privacy Policy

In accordance with the regulations in force in the United Arab Emirates on the protection of personal data and in particular in accordance with Federal Decree-Law No. (45) of 2021 Concerning the Protection of Personal Data (UAE PDPL) and its implementing regulations, and, when applicable, because it affects data subjects located in the European Economic Area or because processing is carried out subject to the Regulation (EU) 2016/679, General Data Protection (GDPR), users are informed that the website www.authect.com (hereinafter, the "Website") is owned by AUTHECT - FZCO (hereinafter, "AUTHECT"), with the following identification data:

This Privacy Policy regulates the processing of personal data that users provide or that may be collected through the Website and the different channels associated with it, including contact forms, requests for information, subscription to newsletters, participation in selection processes, downloads of content, participation in events or any other interaction with AUTHECT.

Access to and use of the Website implies knowledge and acceptance of this Policy, as well as the provisions of the Legal Notice and the Cookies Policy.

Any additional information beyond this website regarding the collection and processing of personal data is provided in each case in a clear and accessible manner, and is regulated in the corresponding forms, contracts, assignments or specific conditions that may apply.

AUTHECT will process personal data in accordance with the principles set out in the applicable regulations in the United Arab Emirates (UAE) on the protection of personal data (UAE PDPL and implementing regulations) and, where applicable, in accordance with the principles of Article 5 of Regulation (EU) 2016/679 (GDPR). In particular:

• Lawfulness, fairness and transparency: Each processing is based on a valid legal basis, also depending on the applicable regulations in either the UAE or the EU, and you are informed of its purposes, recipients and rights before data collection. In any case, information will be provided on the purposes, possible recipients and applicable rights before the data is collected or at the appropriate time.
• Purpose limitation: The data is collected for specific, explicit and legitimate purposes and is not further processed in a manner incompatible with those purposes. If the purpose changes, the interested party will be informed and, where appropriate, new consent will be obtained.
• Data minimisation: Adequate, pertinent and limited data will be processed in relation to what is strictly necessary in relation to each purpose.
• Accuracy: Reasonable measures will be taken to ensure that the data are accurate and up-to-date; channels are enabled for rectification or updating.
• Limitation of the storage period: The data will be retained for the strictly necessary periods and, once the purposes or legal obligations have been fulfilled, they will be kept for limited purposes, anonymised and/or deleted.
• Integrity and confidentiality: AUTHECT applies appropriate technical and organisational measures to guarantee the security of data and prevent its alteration, loss, processing or unauthorised access.

These principles also govern the relationship with processors (suppliers who process data on behalf of AUTHECT), who will be subject to equivalent obligations through the relevant contract or applicable contractual obligation, including documented instructions, confidentiality, security measures and conditions for subcontracting, where applicable.

AUTHECT processes personal data for the purposes indicated below, in accordance with the regulations applicable in the United Arab Emirates (UAE PDPL and implementing regulations) and, where applicable because it affects data subjects located in the European Economic Area or because processing is carried out subject to the GDPR, in accordance with art. 6 GDPR.

In general, according to the UAE PDPL, the processing will be carried out on the basis of the consent of the data subject, unless any of the exceptions provided for by law (e.g. necessity for the performance of a contract or the adoption of pre-contractual measures, compliance with legal obligations, protection of the interests of the data subject, public interest, or formulation, exercise or defense of claims).

4.1. Data we collect

• Identification and contact: name, email, telephone number.
• Professionals: company, position, area/sector (when applicable).
• Project interactions and data: location/country, available budget, project schedule, service of interest, message content, and communication preferences.
• Use of the website: Cookies, IP and technical logs linked to the operation of the Website. You can obtain more information through our Cookies Policy.
• Applications (HR): CV, cover letter and social networks or professional links.

Personal data is provided directly by the data subject; technical data (IP and minimum logs) is generated by the server when using the website in accordance with the provisions of our Cookies Policy.

AUTHECT does not, in general, process special categories of data through the Website. The user guarantees that the data provided is true, accurate and up-to-date, and undertakes to communicate any modification.

If the User provides personal data of third parties, he/she declares and guarantees that he/she has his/her authorization and undertakes to inform them of this Privacy Policy before communicating his/her data to us.

4.2. Purposes of processing

Where the processing is subject to the GDPR and is based on legitimate interest, AUTHECT will have carried out the appropriate balancing to ensure that the rights and freedoms of individuals do not prevail, and you may object at any time.

AUTHECT does not execute automated decisions that produce legal or significantly similar effects on the user, nor do we carry out profiling with such effects. In the event that, in the future, they are implemented, they will be informed in advance and the guarantees required in accordance with the applicable regulations will be applied.

AUTHECT does not sell personal data. Data may be communicated only when necessary, in accordance with the regulations applicable in the United Arab Emirates (UAE PDPL and implementing regulations) and, where applicable, with the GDPR, to:

• a. Providers providing services on behalf of AUTHECT (acting as processors): web/CDN hosting and site platform, maintenance and security, forms and corporate mail management, collaboration and file storage tools and, where applicable, HR/application screening services. With all of them, AUTHECT formalizes contractual agreements that include documented instructions, confidentiality obligations, security measures, and, where applicable, conditions on subcontracting and assistance in the fulfillment of applicable obligations.
• b. Administrations and authorities when there is an applicable legal obligation or it is necessary to meet requirements from authorities, or to formulate, exercise or defend claims.
• c. Third-party cookies and similar technologies, only if the user accepts them, according to the Cookie Policy (these third parties may act as independent controllers of their own processing or as processors, depending on the provider).

Apart from the above cases, AUTHECT will not communicate data to third parties. In the event that, in order to provide a specific service or activate any functionality of the Website, additional communication is necessary, the user will be informed of the recipients and the purpose, requesting their consent where appropriate or indicating that the communication is necessary for the execution of the service or functionality requested.

AUTHECT is an entity established in Dubai, United Arab Emirates, so depending on the location of the user and the providers used, international transfers of personal data may be necessary.

In particular:

• In accordance with the United Arab Emirates (UAE PDPL) regulations, when transfers of personal data are made outside the UAE, AUTHECT will adopt the measures and safeguards required by such regulations, including, where appropriate, verifying that the destination country offers an adequate level of protection or implementing appropriate contractual and technical safeguards (and/or applying the legally provided exceptions for specific transfers).
• Where the GDPR is applicable (because it affects data subjects located in the European Economic Area or because it is processing subject to said regulation), if the provision of certain services requires the use of providers or infrastructures located outside the European Economic Area (e.g. email, analytics, CRM or cloud storage services), AUTHECT will adopt the guarantees required by the GDPR, such as the signing of Standard Contractual Clauses approved by the European Commission, the verification of adequacy decisions and, where appropriate, the implementation of complementary measures. In addition, where required under the GDPR, AUTHECT will appoint a representative in the European Union.

In any case, AUTHECT will ensure that any international transfer is carried out safely and with an adequate level of protection, in accordance with the applicable regulations in each case.

We keep the data only for as long as necessary to fulfil the purpose for which it was collected. Once fulfilled, the data will be kept only for the time necessary to (i) comply with applicable legal obligations and/or (ii) the formulation, exercise or defense of claims. After this, the data will be deleted or anonymized and, where appropriate, access to them will be limited for the period strictly necessary for these legal purposes.

The following deadlines are indicative and may vary depending on the regulations applicable in the United Arab Emirates (UAE PDPL and sectoral regulations) and, where applicable, the GDPR, as well as the nature of the service, the relationship maintained and the existence of complaints or requirements from authorities:

Indicative deadlines by purpose:

• Consultations, support and proposals (4.2-I): while the request is being managed and, at most, 12 months from the last interaction.
• Newsletters and commercial communications (4.2-II): as long as you remain subscribed or until the user objects. Consent/opposition records will be retained with limited access for the time periods necessary to prove compliance.
• Download of resources (4.2-III): until the submission and related follow-up are completed for a maximum of 12 months, unless you object. If the user is transferred to the communications list, the deadlines in the previous point apply.
• Applications – HR (4.2-IV): during the selection process; if you are not selected, 12 months from the close of the process or until consent is withdrawn.
• Basic segmentation in CRM (4.2-V): as long as there is an active relationship or demonstrated interest; in the absence of activity, up to 12 months from the last interaction, or sooner if the user opposes or withdraws their consent, as appropriate.
• Security and technical operation (4.2-VI): IP and logs minimum up to 12 months. In the event of security incidents, the time necessary to investigate, mitigate the incident and comply with applicable obligations will be retained on a limited basis.
• Legal Compliance and Defense (4.2-VII): During applicable statutes of limitations under applicable law. Where the processing is subject to the GDPR, standard periods such as: 4 years for tax obligations, 6 years for commercial documentation and up to 5 years for certain personal actions, as well as longer periods when required by specific regulations (e.g. prevention of money laundering and terrorist financing) may be applied. In any case, the longest period that corresponds will be applied in accordance with the specific obligation and the applicable legal regime.
• Cookies and analytics: according to the duration indicated in the Cookies Policy; your preferences/consents are kept as long as you do not modify them and the time necessary to prove their management. In any case, we will keep the Cookies for a period of 1 year from the last entry to the website. After this period, AUTHECT will again obtain the user's consent.

As a data subject, you may at any time exercise the rights recognised by the regulations applicable in the United Arab Emirates (UAE PDPL and implementing regulations) and, where applicable, the GDPR. In particular, subject to the limits and exceptions provided for by law, you may request:

• Right to information and access: to know what personal data is being processed and for what purpose.
• Right to rectification: request the correction of inaccurate or incomplete data.
• Right to erasure (erasure): request the deletion of your data when it is no longer needed or when you withdraw your consent.
• Right to object: to object to the processing of your data on grounds related to your particular situation.
• Right to restriction of processing: request that processing be suspended in certain cases.
• Right to data portability: receive your data in a structured format and transmit it to another controller, where applicable.
• Right to withdraw consent: where processing is based on your consent, you may withdraw your consent at any time.

Where applicable, you may request human intervention or challenge decisions based solely on automated processing under the terms provided for by law.

You can exercise these rights by sending a written request, together with a copy of your ID card or identification document, to:

If you believe that the processing of your data violates applicable regulations, you can lodge a complaint with the UAE Data Office (UAE's federal supervisory authority for data protection), in accordance with the procedures it establishes.

Where the GDPR applies, you may also lodge a complaint with the competent supervisory authority in the EU.

AUTHECT has implemented appropriate technical and organisational measures to guarantee a level of security appropriate to the risk, aimed at preserving the confidentiality, integrity, availability and resilience of personal information and data, as well as preventing unauthorised access, loss, alteration or destruction.

By way of example and without being exhaustive, AUTHECT applies technical and organisational controls appropriate to the risk in terms of secure communications, identity and access management, protection and encryption of information, continuity and backups and registration and traceability of activities.

AUTHECT regularly reviews and updates its policies and controls to keep them aligned with the risks identified and with technological and regulatory developments, and requires its suppliers to apply equivalent measures through the corresponding processing contracts.

This website is not directed to minors. In the event that AUTHECT becomes aware that personal data of a minor has been collected without authorization, it will proceed with its immediate deletion.

AUTHECT may modify this Privacy Policy to adapt it to legal requirements, changes in processing, improvements to the service or internal criteria. Where there are material changes, we will communicate this via the Website and, where appropriate, through direct channels, indicating the date of entry into force.

The new version will be applicable from its publication. If the changes involve new purposes or legal bases that require the User's consent, AUTHECT will request it before applying such changes.