Personal Data Processing Policy

November 28, 2025

EXPANUM DESIGN – FZCO

License No 73692

IFZA Business Park, Dubai Digital Park (DDP), PO Box 342001, Dubai, United Arab Emirates

info@expanumdesign.com

What is this policy about? 

The Policy sets out information on how the Operator collects, uses, discloses and protects personal data of data subjects in accordance with the requirements of the legislation of the United Arab Emirates, including Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (hereinafter referred to as "UAE PDPL").

The Policy is publicly available on the Operator's official online resources, including its website, social networks, online platforms, services, and other digital channels under its control.

The Policy explains what personal data we collect, how we use it, who we can share it with, and what rights you are granted under the UAE PDPL.

 

Terms and definitions

Personal data — any information related directly or indirectly to a specific or identifiable individual (subject of personal data). This can include a user's name, email address, phone number, IP address, location information, and other identifying information.

 

Personal data subject — an individual whose personal data is processed by the Operator. For example, if you subscribe to a newsletter or communicate with us via the feedback form, you are such a subject.

 

Personal data operator (Operator) — a person who independently or jointly with other persons organizes and / or performs the processing of personal data, as well as determines the purposes and composition of the processed data. 

 

Processing of personal data — any action or set of actions performed with personal data, including the collection, recording, systematization, accumulation, storage, clarification, extraction, use, transfer (including the assignment of processing to third parties), depersonalization, blocking, deletion and destruction of personal data.

 

Confidentiality of personal data — the obligation of the Operator and other persons who have obtained access to personal data not to disclose such data to third parties without the consent of the subject or without any other legal basis.

 

Operator resources — the website, accounts and pages in social networks, instant messengers, email newsletters, as well as other channels through which the Operator collects or processes personal data.

 

Cookies are pieces of data that a website stores in the user's browser. They allow the site to "remember" information about you (for example, settings, shopping cart contents, authorization, etc.) and are used to improve the user experience, analytics, and marketing.

 

IP address — the unique network address of the user's device on the Internet. It can be used for traffic analysis, geolocation, and site protection.

 

Personal data processor — a third party that processes personal data on behalf of the Operator, on the basis of a contract or other agreement concluded with it. For example, it can be CRM systems, email services, or payment providers.

 

CRM system — software for managing customer interaction, which can store and process personal data transmitted by users through the site or other channels.

 

Personal data base — an ordered set of personal data that is accessed using information technologies.

 

Automated processing of personal data — processing using computer technology, for example, through a website or application.

 

What is personal data?

Personal data is any information about a person (the subject of personal data) by which that person can be identified.

The Operator processes only those personal data that are listed in the Policy and that characterize you as a user of Resources.

You can consent to the processing of personal data when using Resources, filling out feedback forms on Resources, and using other methods provided for in the Policy.

 

Grounds and principles of personal data processing

We process your personal data only lawfully, within the scope of the stated purposes and in accordance with the requirements of the legislation of the United Arab Emirates, including Federal Decree-Law No. 45 of 2021 "On the Protection of Personal Data" (UAE PDPL).

Data processing is based on the following principles set out in Articles 5-8 of the UAE PDPL:

1. Lawfulness, Fairness and Transparency — we do not collect or use your data without a legal basis, and we tell you how and why it is used.

2. Purpose Limitation — data is collected only for specific, legitimate and clearly defined purposes.

3. Data Minimization — we process only the data that is necessary to achieve the processing goal.

4. Accuracy — we ensure that the data is up-to-date and correct when necessary.

5. Storage Limitation — we do not store data for any longer than is necessary for the purposes for which it was collected, or in accordance with legal requirements.

6. Integrity and Confidentiality — we take technical and organizational measures to protect your data from unauthorized access, loss or leakage.

 

Legal basis for processing

In accordance with Article 4 (1) and Article 6 of the UAE PDPL, we process personal data only if one of the following legal grounds exists:

1. Consent of the data subject
You voluntarily consent to the processing of personal data, including when filling out forms, subscribing to the newsletter, using the site, participating in surveys, or accepting cookies.
Basis: Article 4(1)(a) and Article 6(1) UAE PDPL.

2. Performance of the contract (Contractual Necessity)
Processing is necessary for the conclusion or performance of a contract to which you are a party.
Basis: Article 4 (1) (b) UAE PDPL.

3. Fulfillment of legal obligations
We may process your data in order to comply with the requirements of UAE legislation, including accounting, tax reporting, and responding to government requests.
Basis: Article 4 (1) (c) UAE PDPL.

4. Protection of Legitimate Interests
We process data to protect our legitimate interests, including ensuring the security of the platform, preventing fraud, resolving disputes, and transferring data to third parties to provide related services (for example, payment services or hosting providers).
Basis: Article 4 (1) (f) UAE PDPL.

 

Your rights under the UAE PDPL

At any time when the Operator has your personal data, you can exercise the rights provided for in Articles 13-18 of the Federal Decree Law No. 45 of 2021 "On the Protection of Personal Data" (UAE PDPL).

 


Data subject's rights and their description (UAE PDPL):

Right of Access: You can request confirmation of whether your data is being processed, get a copy of this data, as well as information about the purposes and timing of its processing. Basis: Article 13 (1) (a–b) UAE PDPL.

Right to Rectification: If your personal data is outdated, incomplete, or inaccurate, you can request that it be updated or corrected. Basis: Article 14 UAE PDPL.

Right to Erasure: You can request the deletion of personal data if the purpose of processing is achieved, consent is revoked, the data is processed illegally or is no longer needed. An exception is when the law requires the data to be preserved. Basis: Article 15 (1) UAE PDPL.

Right to Restriction of Processing: You may request that processing be temporarily restricted, for example, for a period of verification of the accuracy of the data or the legality of the processing. Basis: Article 16 UAE PDPL.

Right to Withdraw Consent: You can withdraw your consent to processing at any time, and the Operator will stop processing, unless there is another legal basis. Basis: Article 6(6) and Article 13(1)(c) UAE PDPL.

Right to Object: If the processing is based on the legitimate interests of the Operator, you can object, and we are obliged to stop processing unless we prove that there are priority legal grounds. Basis: Article 17 UAE PDPL.

Right Not to Be Subject to Automated Decision-Making: You can request a review of decisions made solely on the basis of automated processing (including profiling) if they have a legal or other significant impact. Basis: Article 18 UAE PDPL.

Right to Lodge a Complaint: You can file a complaint with the UAE Data Office (Ministry of Artificial Intelligence and Digital Economy) if you believe that your rights have been violated. Basis: Article 27 UAE PDPL.

 

 

How does the Operator process personal data?

We process your personal data either manually or using automated systems, depending on where and how you interact with us: through the website, social networks, or, for example, a messenger.

All actions with personal data are carried out strictly within the framework of the purposes described in this Policy. 

In this case, the Operator is limited to the following actions:


Collection: receiving data directly from you (for example, through forms).

Recording and organization: capturing data in our systems, CRM, analytics services.

Accumulation and storage: secure data storage until goals are achieved or consent is revoked.

Clarification (update, change): data refinement, for example, if you have provided a new e-mail.

Extraction and use: data can be used to contact you, arrange delivery, grant access to your account, etc.

Transfer (provision, access): transfer to third parties, if necessary (for example, payment systems or CRM), and only on the basis of a contract.

Blocking: temporary termination of processing (at your request or in case of verification).

Deletion or destruction: at the end of the storage period or at your request, if processing is no longer required.

 

We do not share your data outside of the cases that are explicitly specified in this Policy, and when transferring it, we make sure that contractors maintain a level of protection no lower than ours.

For what purposes does the Operator process your personal data?

 


Subject of personal data: Site visitors
Purpose of processing: Ensuring the correct operation of the site, analytics, protection against attacks
Processed data: IP address, location data, device and browser type, cookies
Processing period: until the goal is achieved or consent to processing is withdrawn
Order of destruction: deletion from the Operator's database

Subject of personal data: Users who have agreed to an advertising newsletter
Purpose of processing: Distribution of information and communication technologies advertising materials
Processed data: Full name, e-mail, phone number, messenger id (if provided)
Processing period: until the goal is achieved or consent to processing is withdrawn
Order of destruction: deletion from the Operator's database

Subject of personal data: Users who left requests or messages
Purpose of processing: Communication with the user at their request
Processed data: Full name, e-mail, phone number, message content
Processing period: until the goal is achieved or consent to processing is withdrawn
Order of destruction: deletion from the Operator's database

Subject of personal data: Users who issued a refund/complaint
Purpose of processing: Refund processing, legal reporting
Processed data: Full name, e-mail, phone, bank details
Processing period: until the goal is achieved or consent to processing is withdrawn
Order of destruction: deletion from the Operator's database

Subject of personal data: Users who wish to use the Operator's services
Purpose of processing: Preparation, conclusion and execution of an agreement (offer)
Processed data: Full name, e-mail, phone number, residential address
Processing period: until the goal is achieved or consent to processing is withdrawn
Order of destruction: deletion from the Operator's database

Subject of personal data: Users who agreed to publish reviews
Purpose of processing: Publishing reviews on the Operator's resources
Processed data: Name, e-mail, phone number, id in messengers (if provided), photos/videos
Processing period: until the goal is achieved or consent to processing is withdrawn
Order of destruction: deletion from the Operator's database

 

Use of cookies

The Operator uses cookies and similar technologies (pixels, web beacons, local browser storage) to ensure the correct operation of the site, personalize content and improve the user experience.

Cookies can be:

● technical (necessary) — ensure the operation of the site and do not require the user's consent.

● analytical and statistical - help us understand how users interact with the site.

● marketing — used for personalized advertising.

You can revoke your consent to the use of optional cookies at any time by changing your browser settings or using the consent banner on the site.

 

Using Google Analytics

To analyze user activity and optimize the site, we may use the Google Analytics service provided by Google LLC (USA).
Google Analytics uses cookies to analyze your use of the website. The information collected through these cookies (including your IP address, device, browser type, and website activity) is transmitted to Google servers and processed in accordance with Google's Privacy Policy.

The transfer of such data outside the UAE is subject to the requirements of Article 23 of the UAE PDPL on cross-border transfer of personal data, including the availability of an adequate level of protection or contractual guarantees with Google LLC.

The user can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

 

Transfer of personal data to third parties

The Operator may transfer personal data to third parties to the extent necessary to achieve the goals specified in this Policy. Such transfer is carried out only in cases stipulated by law or if it is necessary for the provision of services to the user. 

The Operator uses the services of third parties that process personal data on its behalf, on the basis of concluded agreements on confidentiality and processing of personal data. This is acceptable if such persons:

● provide sufficient data protection;

● do not use the data for their own purposes;

● act strictly within the scope of the order.

 

These recipients can be:

● payment solution providers - for accepting payments;

● suppliers of CRM systems and email and push mailing platforms;

● hosting providers and persons providing technical support for the site;

● persons providing legal protection to the Operator or third parties in case of violation of their rights or threat of violation of their rights, including violation of laws or regulatory documents;

● persons who provide users with access to Resources.

 

The Operator does not receive or store payment data (card number, CVV code, etc.). Such data is transmitted directly to the relevant payment provider in compliance with the requirements of PCI DSS and other standards.

In case of disputes, threats of violation of the rights or legitimate interests of the Operator or third parties, personal data may be transferred to lawyers, representatives, judicial and law enforcement agencies – within the framework of the procedure established by law.

 

Transfer of personal data to third parties and government agencies

The transfer of personal data to third parties or government agencies can only be carried out in accordance with the requirements of Federal Decree Law No. 45 of 2021 "On the Protection of Personal Data" (UAE PDPL) and other applicable regulations of the United Arab Emirates.

We may only disclose personal data in the following cases:

1. Based on the current UAE legislation — at the official request of the competent government authorities, including courts, prosecutor's offices, police, tax and regulatory authorities, if such disclosure is expressly provided for by law.
Basis: Article 22(1)(a) and Article 23(1)(a) UAE PDPL.

2. With the consent of the data subject — if you have explicitly authorized the transfer of your personal data to a specific third party or outside the UAE.
Basis: Article 22 (1) (b) UAE PDPL.

3. For contract performance — if data transfer is necessary for the performance of the contract between you and the Operator or for fulfilling obligations at the request of the data subject.
Basis: Article 22 (1) (c) UAE PDPL.

4. In order to protect rights, security, and the rule of law — if disclosure is required to protect the legitimate interests of the Operator, prevent fraud, ensure information security, or protect the rights of data subjects.
Basis: Article 22 (1)(d) UAE PDPL.

All data transfers are carried out in compliance with the principles of minimization, confidentiality and purpose limitation established by Articles 5-8 of the UAE PDPL.

 

How the Operator ensures the security of personal data

The Operator takes all necessary legal, organizational and technical measures aimed at ensuring the protection of personal data from unauthorized access, modification, disclosure, loss, damage, destruction, as well as other security violations, in accordance with the requirements of Federal Decree Law No. 45 of 2021 "On Personal Data Protection" (UAE PDPL) and Cabinet Decision No. 32 of 2022 (Executive Regulations to the PDPL).

Basic data security measures (Articles 9-11 of the PDPL):

● restriction of access to personal data exclusively to authorized employees who have been trained in confidentiality requirements;

● applying the principle of "least privilege access";

● use of encryption tools, multi-factor authentication, and secure data transmission channels;

● regular updating of antivirus and security software;

● keeping records of requests and changes in information systems where personal data is stored;

● entering into confidentiality and data protection agreements with employees and contractors (NDA / DPA);

● conducting internal audits and information security testing on a regular basis.

Actions in case of security incidents (Article 9 (3) of the PDPL):

In case of loss, unauthorized access or other incident affecting personal data, the Operator is obliged to:

1. Notify the UAE Data Office of the data security breach immediately, but not later than 72 hours from the moment of detection.

2. Conduct an internal investigation to assess the scale and impact of the incident.

3. Inform the affected data subjects if the violation may result in damage to their rights or legitimate interests, in a simple and understandable manner.

 

What does the Operator not check?

The Operator assumes that the personal data provided relates to the user who:

● has full legal capacity and the right to dispose of their data;

● provides reliable information;

● acts in good faith and within the framework of the current legislation.

 

The Operator does not verify the accuracy of the data provided, except in cases where such verification is necessary to fulfill obligations to the subject or is provided for by law.

 

How do I contact the Operator?

If you have any questions regarding the processing of personal data, please contact the Operator by e-mail at info@expanumdesign.com.

When contacting us, please provide your name and contact details for feedback.

The Operator will respond to your request no later than 10 business days after receiving it.

 

Changing the Policy

This Policy may be changed or updated by the Operator in the following cases:

● amendments to the legislation of the United Arab Emirates in the field of personal data protection (including Federal Decree-Law No. 45 of 2021 and Cabinet Resolution No. 32 of 2022);

● introduction of new technologies, products or methods of processing personal data;

● changes in the organizational structure, business processes, or composition of the Operator (including outsourcing and transfer of functions to data processors);

● updating the structure or functionality of the site, mobile app, or other digital services;

● receipt of official recommendations, instructions or clarifications from the UAE Data Office or the relevant regulatory body in the field of personal data;

● results of an internal or external audit of the data protection system;

● consideration of user requests, complaints, and suggestions.

The Operator undertakes to make the current version of the Policy publicly available on the official website and indicate the date of the last update.
Using the Operator's online resources after the updated version of the Policy is published means that the user agrees to the new version of the Policy.
