Privacy Policy

Effective Date: October 24, 2024

GDPR Compliant | UAE Data Protection Law | Last Updated: October 24, 2024

1. Introduction

FreeZone Global ("we," "our," "us") is committed to protecting your privacy and handling your personal data transparently and securely. This Privacy Policy explains how we collect, use, share, and protect your information when you use our website at https://freezone.global and our related services.

Who We Are

  • Company Name: FreeZone Global
  • Company Number: 13259001 (United Kingdom)
  • Data Controller: FreeZone Global
  • Privacy Contact: [email protected]

What We Do

FreeZone Global is an independent comparison and marketplace platform for UAE company formation. We help international entrepreneurs:

  • Compare Dubai and UAE freezones
  • Find verified formation agencies
  • Form companies safely with optional escrow protection
  • Track formation progress through our platform

Data Controller

FreeZone Global acts as the data controller for all personal data collected through our platform. This means we determine how and why your data is processed.

Scope

This Privacy Policy applies to:

  • All visitors to our website
  • Registered users and customers
  • Formation agencies applying for partnerships
  • Freezone authorities partnering with us
  • Anyone who contacts us or uses our services

Important: By using our platform, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

We collect different types of information depending on how you interact with our platform.

2.1 Information You Provide Directly to Us

Browsing Without an Account (Anonymous Visitors)

When you use our comparison tools and marketplace without creating an account:

  • Freezone Comparison Selections: Saved temporarily in your browser
  • Agency Browsing Activity: Which agencies you view (not linked to your identity)
  • Contact Forms: Name, email, phone number, message
  • Consultation Booking: Name, email, phone, preferred consultation date/time

Creating an Account (Hands-Off Service Customers)

When you register for our Hands-Off Service:

Account Credentials:

  • Email address
  • Password (stored only as a one-way hash, never in plain text)
  • Phone number

Business Information:

  • Business type and industry
  • Company name options (3 preferred names)
  • Business activity description
  • Chosen freezone and formation agency

Personal Information Required for UAE Company Formation:

  • Full legal name (as on passport)
  • Date of birth, nationality
  • Mother's full name
  • Contact details (mobile, address outside UAE)
  • Religion (if required by chosen freezone)
  • Education level, marital status

Note: This personal information is required by UAE freezone authorities for company registration. We only collect what is legally necessary.

Sensitive Documents:

  • Passport copy (color scan or clear photo)
  • Passport-sized photograph (biometric quality, white background)
  • UAE entry stamp (if applicable)
  • Proof of address (utility bill or bank statement)

Important: These documents contain sensitive personal data. We encrypt all documents at rest and in transit, and only share them with your chosen formation agency and relevant freezone authority.

Payment Information

When you purchase our Hands-Off Service:

  • Billing name and address
  • Payment card details (processed and stored by Stripe - we never see full card numbers)
  • Transaction history

Secure: All payment data is processed by Stripe, a PCI-DSS compliant payment processor.

DIY Path Users (Free Request Form)

When you submit a DIY formation request, we share your information with relevant formation agencies.

Agency Partnership Applications

Formation agencies provide company details, services offered, and pricing information.

2.2 Information Collected Automatically

Technical Information

  • IP Address: Used for security, fraud prevention, and regional content
  • Browser Type and Version: To optimize website experience
  • Device Information: Operating system, screen size, device type
  • Pages Visited: Which pages you view on our site
  • Geolocation Data: Approximate location based on IP (country/city level)

Analytics Data - Privacy-First Approach

We use Plausible Analytics, a privacy-friendly analytics service that:

  • Does not use cookies
  • Does not track individual users across websites
  • Does not collect personal data
  • Is fully GDPR compliant
  • Provides aggregate statistics only

3. How We Use Your Information

We use the information we collect for the following purposes:

To Provide and Improve Our Services

  • Display personalized freezone comparisons
  • Connect you with verified formation agencies
  • Process your company formation requests
  • Track formation progress and status updates
  • Provide customer support and respond to inquiries
  • Improve our platform based on usage patterns and feedback

To Fulfill Legal and Contractual Obligations

  • Submit required documentation to UAE freezone authorities
  • Comply with UAE company formation regulations
  • Process payments and maintain transaction records
  • Verify identities to prevent fraud
  • Comply with legal and regulatory requirements

To Communicate With You

  • Send order confirmations and formation status updates
  • Provide consultation booking confirmations and reminders
  • Respond to your support requests and inquiries
  • Send important platform updates (required)
  • Send marketing emails (with your consent - you can opt out anytime)

For Security and Fraud Prevention

  • Detect and prevent fraudulent activity
  • Protect against unauthorized access to accounts
  • Monitor for security threats and abuse
  • Verify agency credentials and legitimacy
  • Ensure platform integrity and user safety

For Analytics and Business Intelligence

  • Understand how users interact with our platform (aggregated data only)
  • Identify popular freezones and services
  • Improve user experience and website performance
  • Develop new features based on user needs
  • Generate aggregate statistics (no individual tracking)

Legal Basis for Processing (GDPR)

We process your data under the following legal bases:

  • Contractual Necessity: To fulfill our agreement with you
  • Legal Obligation: To comply with UAE company formation laws
  • Consent: For marketing communications (you can withdraw anytime)
  • Legitimate Interest: For fraud prevention, security, and platform improvement

Important Note: We will never sell your personal data to third parties. We only share data as described in this policy to provide our services, comply with legal obligations, or with your explicit consent.

4. Data Sharing & Disclosure

We may share your personal information in the following circumstances:

With Formation Agencies (Your Chosen Partner)

When you select an agency for company formation, we share:

  • Your contact information (name, email, phone)
  • Business information and company formation details
  • Required documents (passport, proof of address, etc.)
  • Formation preferences and special requirements

Why: To enable the agency to process your company formation application.

With UAE Freezone Authorities

Your formation agency will submit to the freezone:

  • Personal identification documents
  • Company registration information
  • Business activity details
  • Any additional documents required by UAE law

Why: Required by UAE law for company registration and licensing.

With Payment Processors (Stripe)

When you make a payment:

  • Payment card information (processed securely by Stripe)
  • Billing name and address
  • Transaction amount and details

Security: Stripe is PCI-DSS Level 1 certified (highest security standard).

With Trusted Service Providers

We work with carefully vetted service providers:

  • Supabase: Database and authentication (EU servers)
  • Postmark: Transactional email delivery
  • ActiveCampaign: Marketing emails (with your consent)
  • Calendly: Consultation scheduling
  • Cloudflare: Security and DDoS protection
  • Railway: Hosting infrastructure

Protection: All providers are contractually bound to protect your data and comply with GDPR.

For Legal and Safety Reasons

We may disclose your information when required:

  • To comply with legal obligations, court orders, or regulatory requests
  • To enforce our Terms of Service or other agreements
  • To protect our rights, property, or the safety of our users
  • To prevent fraud, abuse, or illegal activity
  • In connection with a merger, acquisition, or sale of assets (with notice to you)

With Your Explicit Consent

For any other purpose not listed above, we will obtain your explicit consent before sharing your personal information.

We Do NOT:

  • Sell your personal data to advertisers or data brokers
  • Share your data with unrelated third parties
  • Use your data for purposes beyond those listed in this policy

5. Data Security

We take the security of your personal information very seriously and implement industry-standard measures to protect it.

Encryption

  • In Transit: All data transmitted using TLS/SSL (HTTPS)
  • At Rest: Sensitive documents and personal data encrypted in the database
  • Payment Data: Processed by Stripe with end-to-end encryption
  • Passwords: Hashed using bcrypt (a one-way hash, so the original password cannot be recovered from the stored value)

Access Controls

  • Only authorized employees have access to personal data (need-to-know basis)
  • Multi-factor authentication (MFA) required for all admin accounts
  • Role-based access control (RBAC) limits what each user can view
  • All access to sensitive data is logged and monitored
  • Regular security audits and access reviews

Infrastructure Security

  • EU-Based Servers: Primary database hosted in EU (Supabase EU region)
  • DDoS Protection: Cloudflare shields platform from attacks
  • Regular Backups: Automated daily backups with encryption
  • Firewall Protection: Network-level security controls
  • Security Monitoring: 24/7 automated threat detection

Application Security

  • Secure coding practices following OWASP Top 10 guidelines
  • Input validation to prevent injection attacks
  • CSRF protection tokens
  • XSS prevention with Content Security Policy (CSP) headers
  • Regular dependency scanning and updates

Employee Training & Policies

  • All employees sign confidentiality agreements (NDAs)
  • Regular security awareness training
  • Clear data handling policies and procedures
  • Immediate access revocation upon termination

Incident Response Plan

In the unlikely event of a data breach:

  • We will investigate and contain the breach immediately
  • Affected users will be notified within 72 hours (GDPR requirement)
  • Relevant authorities will be informed as required by law
  • We will provide guidance on protective measures you can take
  • Full transparency about what data was affected and remediation steps

Important: While we implement robust security measures, no system is 100% secure. You can help by using a strong password, enabling two-factor authentication, and not sharing your account credentials.

6. Data Retention

We retain your personal information only as long as necessary to fulfill the purposes for which it was collected or as required by law.

Active Account Data

While your account is active:

  • We retain your account information and formation history
  • You can access, update, or delete your data anytime
  • We keep records of your transactions and communications

After Account Closure

When you request account deletion:

  • Personal Data: Deleted within 30 days
  • Formation Documents: Retained for 7 years (legal requirement)
  • Transaction Records: Retained for 7 years (tax and financial regulations)
  • Support Communications: Retained for 3 years (legal defense)
  • Anonymized Data: May be retained for analytics (cannot identify you)

Legal Retention Requirements

Some data must be retained by law:

  • Company Formation Records: 7 years (UAE and UK company law)
  • Financial Transactions: 7 years (tax regulations)
  • Anti-Money Laundering (AML) Records: 5-7 years (financial regulations)
  • Dispute/Legal Hold: Until resolution (if involved in legal proceedings)

Retention Periods by Data Type

  • Website Visitors (No Account): Aggregated only, no personal data stored
  • Contact Form Submissions: 2 years or until request fulfilled
  • Consultation Bookings: 3 years for follow-up
  • Formation Service Customers: Personal data 7 years, Documents 7 years
  • Email Marketing Lists: Removed immediately upon unsubscribe
  • Security Logs: 1 year

Backup Data

Regarding system backups:

  • Deleted data may remain in backups for up to 90 days
  • Backups are encrypted and stored securely
  • Backup data is not accessible for operational purposes
  • Old backups are automatically purged after 90 days

Your Control: You can request deletion of your account and personal data at any time (subject to legal retention requirements). Contact us at [email protected].

7. Your Privacy Rights

Under GDPR, UAE Data Protection Law, and other regulations, you have the following rights regarding your personal data:

Right to Access

You can request a copy of all personal data we hold about you.

  • What data we collect
  • How we use it
  • Who we share it with
  • How long we retain it

How: Email [email protected] - we'll respond within 30 days

Right to Rectification

You can request correction of inaccurate or incomplete data.

  • Update your account details anytime in your dashboard
  • Request corrections via email for locked data

Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data.

  • We'll delete your data within 30 days
  • Some data must be retained for legal compliance (7 years for formation records)
  • Data in system backups may persist for up to 90 days

Right to Restrict Processing

You can request that we limit how we use your data in certain situations:

  • While we verify data accuracy
  • When processing is unlawful but you don't want deletion
  • When you need data for legal claims
  • While we verify our legitimate interest grounds

Right to Data Portability

You can receive your data in a structured, machine-readable format to transfer to another service.

  • Export in JSON, CSV, or PDF format
  • Includes all data you've provided to us

Right to Object

You can object to processing based on legitimate interests:

  • Marketing: Unsubscribe anytime (link in every email)
  • Analytics: We use privacy-friendly Plausible (no cookies, no tracking)
  • Profiling: We don't engage in automated decision-making

Right to Withdraw Consent

Where we process data based on your consent, you can withdraw it anytime:

  • Unsubscribe from marketing emails instantly
  • Update communication preferences in your account
  • Withdrawing consent doesn't affect prior lawful processing

Right to Lodge a Complaint

If you believe we've violated your privacy rights, you can:

  • Contact us first: [email protected]
  • File a complaint with the UK Information Commissioner's Office (ICO)
  • Contact your local data protection authority (if in EU/EEA)

UK ICO: ico.org.uk

How to Exercise Your Rights

To exercise any of these rights:

  1. Email us at [email protected]
  2. Specify which right you want to exercise
  3. Provide enough information to verify your identity
  4. We'll respond within 30 days (or explain any delay)

Free of Charge: We don't charge fees for legitimate requests (unless they're excessive or unfounded).

8. Cookies & Analytics

We believe in privacy-first analytics. Unlike most websites, we minimize cookie usage and don't track you across the internet.

Our Minimal Cookie Approach

We use very few cookies, and only for essential purposes:

Essential Cookies (Strictly Necessary)

These cookies are required for the website to function:

  • session_token - Keeps you logged in (30 days)
  • csrf_token - Prevents cross-site attacks (Session)
  • NEXT_LOCALE - Remembers your language preference (1 year)

Functional Cookies (Optional)

  • freezone_comparison - Saves your freezone comparison selections (7 days)
  • theme_preference - Remembers dark/light mode preference (1 year)

Privacy-First Analytics

We use Plausible Analytics - a privacy-focused alternative to Google Analytics:

Why Plausible is Different:

  • No cookies: Doesn't use cookies or local storage
  • No tracking: Doesn't track you across websites
  • No personal data: Doesn't collect IP addresses or identifiable information
  • GDPR compliant: No consent banner needed
  • Lightweight: Less than 1KB script

What Plausible Collects:

  • Page URL (which pages you visit)
  • HTTP Referer (where you came from)
  • Browser and Operating System
  • Device type (desktop, mobile, tablet)
  • Country (based on IP, but IP is not stored)

All data is aggregated and cannot identify individual users.

What We DON'T Use

  • No Google Analytics: We don't use invasive tracking
  • No Facebook Pixel: We don't track you for ads
  • No Third-Party Advertising Cookies: We don't show targeted ads
  • No Cross-Site Tracking: We don't follow you around the internet
  • No Fingerprinting: We don't use device fingerprinting

Managing Cookies

You can control cookies through your browser settings:

  • Chrome: Settings → Privacy and security → Cookies
  • Firefox: Preferences → Privacy & Security → Cookies
  • Safari: Preferences → Privacy → Cookies
  • Edge: Settings → Privacy, search, and services

Note: Blocking essential cookies may prevent you from logging in or using certain features.

Good News: Because we use privacy-friendly analytics (Plausible), you don't need to accept a cookie banner for analytics. The only cookies we use are strictly necessary for the website to work.

9. Third-Party Services

We work with trusted third-party services to operate our platform. All providers are carefully vetted and contractually bound to protect your data.

Stripe (Payment Processing & Escrow)

  • Purpose: Process payments and hold funds in escrow
  • Data Shared: Payment card details, billing address, transaction amounts
  • Location: United States (GDPR-compliant via Standard Contractual Clauses)
  • Privacy Policy: stripe.com/privacy
  • Security: PCI-DSS Level 1 certified

Supabase (Database & Authentication)

  • Purpose: Store user data, documents, and handle authentication
  • Location: European Union (Frankfurt, Germany)
  • Privacy Policy: supabase.com/privacy
  • GDPR Compliance: Fully GDPR-compliant, EU servers, encryption at rest and in transit

Postmark (Transactional Emails)

  • Purpose: Send order confirmations, formation updates, password resets
  • Data Shared: Email address, name, email content
  • Privacy Policy: postmarkapp.com/privacy-policy

ActiveCampaign (Marketing Emails & CRM)

  • Purpose: Send newsletters and marketing emails (with your consent)
  • Privacy Policy: activecampaign.com/privacy-policy
  • Opt-Out: Unsubscribe link in every email

Calendly (Consultation Scheduling)

Plausible Analytics (Website Analytics)

  • Purpose: Understand website usage (aggregated statistics only)
  • Location: European Union
  • Privacy Policy: plausible.io/privacy
  • Privacy-First: GDPR compliant, no cookies, no tracking, no personal data

Cloudflare (CDN & Security)

Railway (Hosting Infrastructure)

Our Commitment: All third-party providers are contractually bound to protect your data. We only share the minimum data necessary for each service and regularly review our service providers.

10. International Data Transfers

As a UK-based company serving international customers and working with UAE freezone authorities, we may transfer your data across borders. We ensure all transfers comply with GDPR and data protection laws.

Transfers Within the European Economic Area (EEA)

  • Services: Supabase (database), Plausible (analytics), Railway (hosting)
  • Protection: Full GDPR protection applies within EEA
  • Safe: Data transfers within EEA are considered safe and don't require additional safeguards under GDPR

Transfers to the United Kingdom

  • Services: FreeZone Global (our servers)
  • Protection: UK GDPR (equivalent to EU GDPR)
  • Adequate Protection: The UK has been granted adequacy decision by the EU

Transfers to the United Arab Emirates

  • Recipients: UAE freezone authorities, formation agencies
  • Data Shared: Personal identification documents, company registration information
  • Why Necessary: Required by UAE law for company registration
  • Protection: UAE Federal Data Protection Law (Federal Decree-Law No. 45 of 2021)
  • Safeguards: Data Processing Agreements with all agencies, secure encrypted transmission

Transfers to the United States

  • Services: Stripe (payment processing), ActiveCampaign (marketing)
  • Protection Mechanisms: Standard Contractual Clauses (SCCs) - EU-approved contracts that ensure GDPR-level protection
  • Stripe: Certified under PCI-DSS Level 1 (highest payment security standard)
  • ActiveCampaign: GDPR-compliant with Data Processing Agreement

How We Protect International Transfers

  • Standard Contractual Clauses (SCCs): EU-approved contracts with all non-EU service providers
  • Data Processing Agreements (DPAs): Contractual commitments to protect your data
  • Encryption: All data encrypted in transit (TLS/SSL) and at rest
  • Adequacy Decisions: We prioritize countries with EU adequacy decisions (UK)
  • Regular Reviews: We continuously monitor legal developments and update safeguards

Important: If there are any changes to international data transfer regulations (like the EU-US Data Privacy Framework), we will update our safeguards and notify you accordingly.

11. Children's Privacy

Age Restriction

Our services are not intended for individuals under 18 years of age. Company formation requires legal capacity to enter into contracts, which is typically 18+ years.

We Do Not Knowingly Collect Data from Children:

  • We do not knowingly collect personal information from anyone under 18
  • Our registration process requires users to confirm they are 18+
  • Company formation in UAE requires individuals to be of legal age (18+)

If We Discover a Child's Data:

  • If we learn that we've collected data from someone under 18, we will delete it immediately
  • The account will be closed and all associated data removed
  • Parents/guardians can contact us if they believe their child has provided us with personal information

Parents & Guardians:

If you believe your child has provided us with personal information, please contact us immediately at [email protected], and we will take prompt action to remove the information and close the account.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings.

How We Notify You of Changes

  • Minor Changes: We'll update the "Last Updated" date at the top of this policy
  • Material Changes: We'll notify you via email to your registered email address, prominent notice on our website, and in-app notification (if you're logged in)
  • Notice Period: Material changes will take effect 30 days after notification

What Constitutes a "Material Change"

We consider the following to be material changes that require notification:

  • New categories of personal data collected
  • New purposes for using your data
  • Changes to data retention periods (shorter or longer)
  • New third-party service providers with access to your data
  • Changes to international data transfer arrangements
  • Reduction in your privacy rights or protections

Your Rights When We Change This Policy

  • Right to Object: If you disagree with material changes, you can object or withdraw consent
  • Right to Close Account: You can close your account and request data deletion within the 30-day notice period
  • Continued Use = Acceptance: If you continue using our services after the effective date, you accept the updated policy

Version History

Version 1.0 - Effective October 24, 2024 - Initial privacy policy release

Previous versions of this policy are available upon request. Email [email protected].

How to Stay Informed

  • Check the "Last Updated" date at the top of this page periodically
  • Ensure your email address is up to date in your account settings
  • Watch for email notifications about important privacy changes
  • Bookmark this page and review it when you see it's been updated

Our Commitment: We will never make changes that significantly reduce your privacy rights without giving you clear notice and the opportunity to object or close your account.

13. Contact Us

We're here to answer your privacy questions and address any concerns.

Privacy Team

For privacy-specific questions, data requests, or complaints:

[email protected]

Response Time: Within 30 days (usually faster)

General Support

For general questions or support:

[email protected]

Response Time: Within 24-48 hours

Company Details

Regulatory Complaints

If you're not satisfied with our response, you can contact:

UK Information Commissioner's Office (ICO)

File a Complaint with ICO

Exercise Your Privacy Rights

To exercise any of your privacy rights (access, rectification, erasure, portability, etc.), please email us at [email protected] with the following information:

  • Your full name
  • Email address associated with your account
  • Specific right you wish to exercise
  • Proof of identity (to prevent unauthorized access to your data)
  • Any additional details that help us process your request

Processing Time: We'll respond within 30 days (or notify you of any extension). Most requests are completed within 7-14 days.

Questions about your privacy?

Contact: [email protected]
