RD PrivacyWatch

RD Privacy Global LLC FTZ

Privacy Notice

Consulting Services · RD Privacy Academy · RD Privacy Watch

Last updated: 2026-05-18

This notice explains how RD Privacy Global LLC FTZ ("RD Privacy", "we", "us") processes personal data across three activities:

  • Consulting services: contact and correspondence received through our website or by email from prospective and current consulting clients.
  • RD Privacy Academy: registration for and participation in our training courses and educational programmes.
  • RD Privacy Watch: subscription to our weekly newsletter digest on data protection developments.

Please also read our Cookie Policy.

1. Who Is the Controller?

RD Privacy Global LLC FTZ is the data controller for all personal data described in this notice.

  • Registered address: Dubai Science Park, Tower South, 13th floor, Dubai, UAE
  • Contact email: info@rdprivacy.com
  • Website: rdprivacy.com
  • EU representative (Art. 27 GDPR): Research and Development Privacy Consultancy S.L.; Calle José Abascal 44, 4th floor, 28003 Madrid – Spain

RD Privacy Global LLC FTZ is established in Dubai, UAE, and is subject to UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL) and its implementing regulations. Because we offer consulting, Academy, and newsletter services to individuals in the European Economic Area (EEA), EU GDPR also applies to our processing of EEA individuals' data under Art. 3(2) GDPR. Where this notice refers to GDPR legal bases, those apply specifically to EEA individuals; UAE PDPL governs all other processing.

2. At a Glance

The table below summarises how we process data across our three activities. Full detail follows in Section 3.

ActivityWho is affectedKey dataPrimary legal basis
ConsultingProspective and current clientsName, email, organisation, correspondenceLegitimate interests / contract (GDPR Art. 6(1)(f) and (b))
AcademyCourse registrants and learnersName, email, payment info, course recordsContract; consent for marketing (Art. 6(1)(b) and (a))
Watch newsletterNewsletter subscribersEmail, preferences, engagement metadataConsent via double opt-in (Art. 6(1)(a))

3. Data We Collect and Why — By Activity

3.1 Consulting Services

Data we collect

  • Enquiry and correspondence: the content of any message you send us and any information you choose to include — typically your name, organisation, role, and contact details.
  • Email and form metadata: standard technical information necessary to receive and respond to your communication, such as email headers and form submission timestamps.

We collect only what you actively provide. We do not require or seek sensitive personal data through our consulting contact channels.

Why we use it and the legal basis

  • Responding to your enquiry: legitimate interests (Art. 6(1)(f) GDPR / UAE PDPL) — our legitimate interest in handling inbound business communications. You would reasonably expect a response when you contact us.
  • Progressing a pre-contractual or contractual engagement: performance of or steps toward a contract (Art. 6(1)(b) GDPR / UAE PDPL) — where your enquiry develops into a formal consulting engagement.
  • Sending you information about our services: legitimate interests (Art. 6(1)(f) GDPR) for existing contacts in relation to directly relevant services, subject to your right to object at any time; or consent (Art. 6(1)(a) GDPR) where required.
  • Meeting legal and professional obligations: legal obligation (Art. 6(1)(c) GDPR / UAE law) — retaining records as required by applicable law.

3.2 RD Privacy Academy

Data we collect

  • Registration details: name, email address, organisation, job title, and country.
  • Payment information: billing details processed through our secure payment processor. We do not store full card numbers.
  • Course and attendance records: modules enrolled, attendance, completion status, assessment results where applicable, and certificates issued.
  • Communications: messages or queries you send us about a course, including support requests.

Why we use it and the legal basis

  • Delivering the course and fulfilling our contract: performance of a contract (Art. 6(1)(b) GDPR / UAE PDPL) — processing your registration, issuing access to course materials, tracking completion, issuing certificates, and processing payment.
  • Sending essential course communications: contract basis (Art. 6(1)(b) GDPR) — joining instructions, schedule changes, post-course materials, and responses to your queries.
  • Marketing future Academy courses: your consent (Art. 6(1)(a) GDPR) where you opt in; or for past participants, legitimate interests (Art. 6(1)(f) GDPR) in informing you of directly related new offerings, subject to your right to object at any time.
  • Issuing and verifying certificates: legitimate interests (Art. 6(1)(f) GDPR) in maintaining accurate records of qualifications awarded.
  • Meeting legal and financial obligations: legal obligation (Art. 6(1)(c) GDPR / UAE law) — retaining financial records as required by applicable tax and accounting law.

3.3 RD Privacy Watch Newsletter

Data we collect

  • Email address: mandatory — used to deliver the digest.
  • Name and title: provided at sign-up to personalise the digest and communications.
  • Optional preferences: country and/or topic filters you choose, if any.
  • Subscription metadata: timestamp of sign-up, IP address used at sign-up, double opt-in confirmation timestamp, and unsubscribe timestamp.
  • Engagement data: whether confirmation and digest emails are opened and which links are clicked, used in aggregate to improve the newsletter.

Why we use it and the legal basis

  • Delivering the weekly digest: your explicit consent via double opt-in (Art. 6(1)(a) GDPR / consent under UAE PDPL). You may withdraw consent at any time using the unsubscribe link in every email.
  • Confirming your subscription: necessary to take steps at your request before providing the service (Art. 6(1)(b) GDPR) and to demonstrate valid consent (Art. 7 GDPR).
  • Measuring aggregate engagement: legitimate interests (Art. 6(1)(f) GDPR) in improving editorial quality. We do not build individual profiles for advertising purposes.
  • Legal obligations: where applicable (Art. 6(1)(c) GDPR / UAE law).

4. What We Do Not Do

Across all three activities:

  • We do not sell or rent your personal data.
  • We do not share your data with third-party advertisers.
  • We do not use your data for profiling or automated decisions with legal or similarly significant effects.
  • We do not use data from one activity (e.g. newsletter subscriptions) to market unrelated services from another without a separate, appropriate legal basis.
  • We do not use the editorial AI pipeline — which processes publicly available news content — in a way that involves your personal data.

5. Recipients and Processors

We share your data only where necessary, with processors acting under documented data-processing agreements:

  • Hosting and cloud infrastructure: Microsoft OneDrive and associated cloud services, used to store correspondence, course materials, and operational data across all three activities.
  • Email delivery: transactional email provider used to send consulting correspondence, course communications, and the weekly digest.
  • Payment processor: secure third-party payment processor for Academy course fees.
  • Learning management system (LMS): platform used to host and deliver Academy course materials and track completion.

We will update this notice when we add new categories of processors.

6. International Transfers

6.1 Transfers of EEA individuals' data

Where we process data of EEA individuals, any transfer outside the EEA — including to our UAE operations — is protected by appropriate safeguards under Chapter V GDPR, typically the European Commission's Standard Contractual Clauses (SCCs), supplemented where necessary by additional technical and organisational measures. Details are available on request.

6.2 Transfers under UAE PDPL

Cross-border data transfers from our UAE operations are conducted in accordance with UAE PDPL requirements, including ensuring the destination offers an adequate level of protection or that appropriate contractual safeguards are in place.

7. Retention

Consulting

  • Enquiries not leading to an engagement: deleted within 12 months of the last substantive communication, unless there is a legal reason to retain them longer.
  • Engagements: retained for the duration of the engagement and for such period thereafter as required by applicable legal, tax, or professional obligations.

Academy

  • Learner records: retained for the duration of your engagement with us and for a reasonable period afterwards to handle queries and issue replacement certificates.
  • Payment and financial records: retained for the period required by applicable tax and accounting law (typically 5–7 years).
  • Marketing preferences: retained until you withdraw consent or object, after which we keep a minimal suppression record.

Watch newsletter

  • Confirmed subscribers: email and preferences kept until you unsubscribe or request deletion.
  • Unconfirmed sign-ups: deleted within 30 days if double opt-in is not completed.
  • Suppression records: a minimal record (email in hashed form) kept after unsubscription to ensure we do not contact you again.
  • Engagement logs: aggregated after 12 months; individual open/click records are then deleted.

8. Your Rights

8.1 EEA individuals (GDPR)

Subject to the conditions in the GDPR, you have the right to:

  • access your personal data and obtain a copy;
  • rectify inaccurate or incomplete data;
  • erase your data (right to be forgotten);
  • restrict or object to processing, including where we rely on legitimate interests;
  • data portability (for data processed on the basis of consent or contract);
  • withdraw consent at any time, without affecting the lawfulness of prior processing; and
  • lodge a complaint with your national EEA supervisory authority.

8.2 UAE and other individuals

If you are located in the UAE or another jurisdiction with applicable data protection rights, you may have rights to access, correct, and request deletion of your personal data under UAE PDPL or other applicable local law.

To exercise any of these rights, email info@rdprivacy.com. Watch newsletter subscribers may also use the one-click unsubscribe link in every digest. We will respond within one month (extendable by a further two months for complex requests, with notice).

9. Security

We apply technical and organisational measures appropriate to the risk across all three activities, including encryption in transit (TLS), access controls, least-privilege access to data, and logging of administrative actions.

10. Cookies and Website Tracking

Our website uses only cookies and local storage strictly necessary to operate the site. We do not deploy advertising or cross-site tracking cookies. See our Cookie Policy for details.

11. Children

Our services are not directed to children under 16 (or under 18 where local law requires a higher threshold). We do not knowingly process personal data of children. If you believe a child has submitted an enquiry, registered for a course, or subscribed to the newsletter, please contact us immediately.

12. Changes to This Notice

We may update this notice from time to time. The "Last updated" date at the top reflects the current version. Material changes will be communicated to affected individuals by email before they take effect.

13. Contact