
GDPR & Data Protection

How we collect, use, store, and protect personal data in accordance with the GDPR, DIFC Data Protection Law, and applicable data protection legislation.

Last updated: 1 January 2025

1. Data Controller Information

Kaelo Global Limited ("Kaelo Global," "we," "us," or "our") is the data controller for the personal data described in this policy. Kaelo Global Limited is incorporated in Meydan Free Zone, Dubai and is subject to the UAE data protection regulations. Where we process personal data of individuals located in the European Economic Area (EEA) or the United Kingdom, we do so in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR, as applicable.

Our affiliated entities in Singapore and Seychelles may also act as data controllers in respect of personal data processed in those jurisdictions. The Singapore entity processes personal data in accordance with the Personal Data Protection Act 2012 (PDPA). The Seychelles entity processes personal data in accordance with the Data Protection Act of Seychelles. References to "Kaelo Global" in this policy include all affiliated entities unless the context requires otherwise.

Our registered address is: Kaelo Global Limited, Dubai, Dubai, United Arab Emirates. Our Data Protection Officer can be contacted at dpo@kaeloglobal.com.

2. Personal Data We Collect

We collect and process the following categories of personal data, depending on the nature of your relationship with us:

Website Visitors. When you visit our website, we may collect your IP address (anonymised for analytics purposes), browser type and version, operating system, referring URL, pages visited and time spent on each page, and cookie consent preferences. This information is collected through cookies and similar technologies as described in our Cookie Policy.

Enquiry and Contact Form Submissions. When you submit an enquiry through our website or contact us by email, we collect your name, email address, telephone number (if provided), company name (if provided), and the content of your message.

Clients and Prospective Clients. In the course of providing advisory services, we may collect: full name, nationality, date of birth, and identification document details; professional information including title, employer, and business contact details; financial information including source of funds and source of wealth documentation; due diligence information including politically exposed person (PEP) screening results, sanctions screening results, and adverse media screening results; and transaction-related information necessary for the provision of our services.

Employees and Candidates. We collect personal data about employees and job candidates as necessary for employment, recruitment, and workforce management purposes. This data is processed in accordance with the employment laws of each jurisdiction in which we operate and is described in detail in our internal Employee Privacy Notice.

3. Legal Bases for Processing

We process personal data only where we have a lawful basis for doing so. The legal bases on which we rely include:

Contractual Necessity. Processing that is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into a contract. This applies to the processing of client data in connection with advisory engagements and to the processing of employee data in connection with employment contracts.

Legal Obligation. Processing that is necessary for compliance with a legal obligation to which we are subject. This includes processing required by anti-money laundering regulations, sanctions compliance requirements, tax reporting obligations (including FATCA and CRS), and regulatory reporting requirements in each jurisdiction where we operate.

Legitimate Interests. Processing that is necessary for the purposes of the legitimate interests pursued by Kaelo Global, except where such interests are overridden by your fundamental rights and freedoms. Our legitimate interests include: managing and improving our business operations; communicating with clients and prospective clients about our services; maintaining the security of our systems and data; and conducting business development activities.

Consent. Where we rely on consent as the legal basis for processing (for example, for the placement of non-essential cookies or for the sending of marketing communications), you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

4. Data Subject Rights

Depending on the applicable data protection law and your jurisdiction of residence, you may have the following rights in relation to your personal data:

Right of Access. You have the right to request confirmation of whether we process your personal data and, if so, to obtain a copy of the personal data we hold about you, together with information about the purposes of processing, the categories of data, the recipients or categories of recipients, and the retention period.

Right to Rectification. You have the right to request the correction of inaccurate personal data and the completion of incomplete personal data.

Right to Erasure. You have the right to request the deletion of your personal data in certain circumstances, including where the data is no longer necessary for the purposes for which it was collected, where you withdraw consent (and consent is the sole legal basis), or where the data has been unlawfully processed. This right is subject to exceptions, including where retention is required for compliance with legal obligations.

Right to Restriction of Processing. You have the right to request the restriction of processing in certain circumstances, including where you contest the accuracy of the data, where processing is unlawful but you oppose erasure, or where we no longer need the data but you require it for the establishment, exercise, or defence of legal claims.

Right to Data Portability. Where processing is based on consent or contractual necessity and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller without hindrance.

Right to Object. You have the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object to processing for direct marketing, we will cease processing without exception. Where you object to processing based on legitimate interests, we will cease processing unless we can demonstrate compelling legitimate grounds that override your rights.

5. International Data Transfers

As a multi-jurisdictional firm operating in Dubai, Singapore, and Seychelles, personal data may be transferred between our offices and to service providers located in different jurisdictions. Where personal data originating in the EEA, the United Kingdom, or the DIFC is transferred to a jurisdiction that does not provide an adequate level of data protection as determined by the relevant authority, we implement appropriate safeguards to ensure that the transfer complies with applicable data protection law.

These safeguards include: Standard Contractual Clauses (SCCs) approved by the European Commission (for transfers from the EEA) or the UK Information Commissioner's Office (for transfers from the UK); the DIFC Standard Contractual Clauses (for transfers from the DIFC); binding corporate rules where applicable; and supplementary measures including encryption, pseudonymisation, and access controls assessed on a transfer-by-transfer basis through Transfer Impact Assessments. You may request a copy of the safeguards we have implemented by contacting our Data Protection Officer.

6. Data Protection Officer

Kaelo Global has appointed a Data Protection Officer (DPO) responsible for overseeing the firm's data protection strategy and compliance. The DPO is the primary point of contact for data protection enquiries from data subjects, regulatory authorities, and internal stakeholders.

You may contact the DPO at any time for any matter related to the processing of your personal data, to exercise your data subject rights, or to submit a complaint about our data protection practices. The DPO can be reached at: dpo@kaeloglobal.com, or by post to: Data Protection Officer, Kaelo Global Limited, Dubai, Dubai, United Arab Emirates. We will respond to all data subject requests within the timeframes required by applicable law — thirty days under applicable data protection law, with provision for extension in complex cases subject to notification.

7. Data Retention Periods

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, to comply with our legal and regulatory obligations, and to establish, exercise, or defend legal claims. Our retention periods are determined by the following factors: the nature of the personal data and the sensitivity of the data; the purposes for which the data is processed; the applicable legal and regulatory retention requirements; and the applicable limitation periods for legal claims.

As a general guide: website analytics data is retained in anonymised form for twenty-four months; contact form submissions are retained for twelve months unless a business relationship is established; client engagement records are retained for a minimum of six years following the conclusion of the engagement, or longer where required by regulatory obligations (AML/CTF record retention requirements in Dubai and Singapore mandate minimum five-year and six-year retention periods respectively); employee records are retained for the duration of employment plus six years; and recruitment records for unsuccessful candidates are retained for twelve months.

When personal data is no longer required, it is securely deleted or anonymised in accordance with our data disposal procedures. Deletion is verified and logged. Where data is anonymised rather than deleted, the anonymisation process is irreversible and the resulting data cannot be linked back to an identified or identifiable individual.

8. DIFC Data Protection Law Alignment

Kaelo Global voluntarily adheres to UAE data protection regulations, which are broadly aligned with the GDPR. Our internal data protection framework includes the principles of lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.

We have registered with the Commissioner of Data Protection in the DIFC as required by the DIFC Data Protection Law. Our registration details are available on the Commissioner's public register. We comply with the Commissioner's guidance on data protection impact assessments, personal data breach notification (within seventy-two hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of data subjects), and the maintenance of records of processing activities.

Where the DIFC Data Protection Law and the GDPR impose overlapping obligations, we apply the more protective standard. This approach ensures that all data subjects — regardless of their jurisdiction of residence — benefit from a level of protection that meets or exceeds the requirements of the GDPR. If you believe that our processing of your personal data infringes applicable data protection law, you have the right to lodge a complaint with the Commissioner of Data Protection in the DIFC, the Information Commissioner's Office in the United Kingdom, or the relevant supervisory authority in the EEA member state of your habitual residence or place of work.

9. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include: encryption of personal data in transit and at rest; multi-factor authentication for access to systems containing personal data; role-based access controls with the principle of least privilege; regular penetration testing and vulnerability assessments by independent security firms; security awareness training for all personnel; incident response procedures tested through regular simulations; and physical security controls at all office locations. Our data security programme is reviewed and updated annually, and our cybersecurity posture is audited as part of our regulatory compliance programme. While no security system is impenetrable, we are committed to maintaining a data security posture commensurate with the sensitivity of the data we process and the expectations of our clients, regulators, and data subjects.

10. Updates to This Policy

We may update this policy from time to time to reflect changes in our data processing activities, applicable laws, or regulatory guidance. The date of the most recent revision is indicated at the top of this page. Where changes are material, we will provide notice through appropriate channels, which may include a notice on our website or direct communication to affected data subjects. We encourage you to review this policy periodically. Continued use of our website or services following the posting of changes constitutes acceptance of those changes. For questions about this policy, please contact our Data Protection Officer at dpo@kaeloglobal.com.
