1. About this policy
This privacy policy explains how Brocode Solutions handles personal data across brocode.ae, any customer engagement where Brocode acts as controller, and any candidate-processing operation we run. It is structured to satisfy three audiences at once: a Data Protection Officer reviewing a Data Processing Agreement, an end-user visitor of the website, and a regulator requesting evidence of accountability. Every operative section carries a small marginal cross-reference to the relevant article in UAE PDPL, GDPR, UK GDPR, and DIFC DP Law. The effective date is 1 January 2026; the current version is v3.2; the next scheduled review is 14 November 2026.
Cross-reference key: PDPL = UAE Federal Decree-Law No. 45 of 2021. GDPR = Regulation (EU) 2016/679. UK GDPR = the UK version of GDPR. DIFC DP Law = DIFC Data Protection Law No. 5 of 2020. ADGM DPR = ADGM Data Protection Regulations 2021.
2. Who we are, and how to contact us
Brocode Solutions FZ-LLC is a company incorporated in the United Arab Emirates with its registered office at Al Maryah Island, Abu Dhabi Global Market (ADGM), Abu Dhabi. The trade licence number is on file with our DPO and is supplied on request to data subjects, regulators, and contracting counterparties. We are the controller of personal data described in this policy. For customer engagements where we act as processor, the engagement-level Data Processing Agreement names the parties and roles for that work.
For data subjects in the EEA, our representative under GDPR Article 27 is appointed in the Republic of Ireland and is reachable through the DPO mailbox below. For data subjects in the UK, our representative under UK GDPR Article 27 is appointed in London and is reachable through the same mailbox. Contact our Data Protection Officer directly at dpo@brocode.ae (see section 14 for credentials and postal address).
PDPL Art. 3; GDPR Art. 4(7); UK GDPR Art. 4(7); DIFC DP Law Art. 5.
3. The personal data we process
We process personal data in the following categories. Each category corresponds to a documented processing purpose and a lawful basis (see section 4).
- Website visitors: IP address, browser type, device identifiers, referring URL, pages viewed. See the cookie policy for technical detail.
- Prospective customers: name, work email, organisation, role, and the free-text content of your enquiry.
- Customers and their authorised users: account credentials, engagement contact details, billing data, support tickets, and audit logs. Where Brocode processes personal data on behalf of a customer (e.g. model training data), that processing is governed by the engagement-level DPA, not by this policy.
- Candidates: CV, cover letter, interview notes, references, right-to-work documentation, and the outcome of any assessment exercise.
- Suppliers and contractors: contact details, banking details for payment, and the records required by UAE accounting and AML law.
- Marketing audiences: name, work email, organisation, and consent status for newsletters, events, and webinars.
PDPL Art. 1 (definitions), Art. 2 (scope); GDPR Art. 4(1); DIFC DP Law Art. 8.
4. Lawful bases
We rely on the following lawful bases for processing. The table below maps each operational purpose to the applicable article under UAE PDPL and GDPR. Where a special category of data (PDPL Art. 6; GDPR Art. 9) is involved, typically health or accessibility information in candidate processing, additional safeguards apply and are documented in the underlying record of processing.
| Purpose | UAE PDPL article | GDPR article |
|---|---|---|
| Responding to enquiries and serving content you request | Art. 4(1) — consent | Art. 6(1)(a) / (f) |
| Performance of services under a customer contract | Art. 4(2) — performance of contract | Art. 6(1)(b) |
| Compliance with UAE tax, AML and accounting law | Art. 4(3) — legal obligation | Art. 6(1)(c) |
| Security monitoring and fraud prevention | Art. 4(6) — legitimate interest | Art. 6(1)(f) |
| Marketing communications to opted-in contacts | Art. 4(1) — consent | Art. 6(1)(a) |
| Recruitment processing | Art. 4(2) / Art. 4(1) | Art. 6(1)(b) / (a) |
| Aggregated analytics and product improvement | Art. 4(6) — legitimate interest | Art. 6(1)(f) |
PDPL Art. 4; GDPR Art. 6 (and Art. 9 for special categories); DIFC DP Law Arts. 10–11.
5. How we use your data
We use personal data to respond to enquiries you initiate, to deliver the services agreed under contract, to operate and improve the website, to send the marketing communications you have opted into, to recruit for open roles, to monitor for security incidents and fraud, and to meet our legal and regulatory obligations as a UAE-registered entity. We do not sell personal data, we do not engage in cross-context behavioural advertising, and we do not maintain Brocode-branded foundation models. Customer-supplied training data is handled under the engagement DPA and is only ever used to train or evaluate the bespoke model we build for that customer, never re-used across customers or recycled into shared assets.
PDPL Arts. 4, 8; GDPR Arts. 5(1)(b), 6, 22; DIFC DP Law Arts. 9–10.
7. International transfers
Where personal data is transferred outside the United Arab Emirates, we rely on the appropriate mechanism for the destination. For transfers to a country with a UAE Data Office adequacy designation, we rely on that adequacy. For other destinations, we put in place the appropriate safeguards required by UAE PDPL Article 22 and, where the data subject is in the EEA or UK, the European Commission Standard Contractual Clauses (2021/914) Modules 2 and 3, supplemented by a transfer impact assessment. A copy of the relevant TIA is available to data subjects and to contracting counterparties on request to the DPO. Transfers under derogations (PDPL Art. 23; GDPR Art. 49) are not used as a routine basis.
PDPL Arts. 22–23; GDPR Arts. 44–49; UK GDPR Arts. 44–49; DIFC DP Law Arts. 26–28.
8. Retention schedule
We retain personal data for the periods set out below. Where the law mandates a longer period (notably UAE accounting and AML law for customer billing records), the statutory period prevails. The retention windows below are cross-checked against the actual configured retention in the underlying production systems annually.
| Category | Lawful basis | Retention window | Deletion mechanism |
|---|---|---|---|
| Website enquiry data | Legitimate interest (GDPR Art. 6(1)(f); PDPL Art. 4) | 24 months | Quarterly purge job; manual on rights request |
| Marketing consent (newsletters, events) | Consent (GDPR Art. 6(1)(a); PDPL Art. 4(1)) | Until withdrawn + 12 months audit trail | CRM auto-suppression on unsubscribe |
| Customer account + billing | Contract + legal obligation (GDPR Art. 6(1)(b)/(c)) | 7 years post-engagement (UAE accounting) | Archive vault with restricted access |
| Support ticket and engagement records | Contract (GDPR Art. 6(1)(b)) | 6 years post-engagement | Ticketing system retention policy |
| Candidate / recruitment data | Consent + legitimate interest | 12 months unless extended on candidate request | ATS auto-deletion |
| Model training data (customer-supplied) | Per signed DPA Annex II | Engagement term + 30 days return / deletion | Cryptographic erase under DPA |
| Telemetry & error logs (scrubbed) | Legitimate interest | 13 months | Log rotation; PII scrubbed in pipeline |
| Authentication logs | Legal obligation + security | 12 months hot, 24 months cold | SIEM retention policy |
PDPL Art. 5(3); GDPR Art. 5(1)(e); DIFC DP Law Art. 9(1)(e).
9. Your rights and how to exercise them
You have the right to access the personal data we hold about you, to correct inaccuracies, to request deletion, to restrict or object to certain processing, to receive your data in a portable format, and to withdraw consent at any time without affecting the lawfulness of processing already carried out. You may also lodge a complaint with the UAE Data Office or, if you are in the EEA or UK, with your local supervisory authority. Requests should be sent to dpo@brocode.ae with enough information for us to identify you and your request; we respond within 30 calendar days and will explain any extension required for complex requests.
If you are not satisfied with our response, you may appeal in writing to the same address; the appeal is reviewed by a second senior officer who was not involved in the original decision. The audit trail of every rights request is retained for 12 months for accountability purposes (PDPL Art. 7; GDPR Art. 5(2)).
PDPL Arts. 13–18; GDPR Arts. 15–22, 77; DIFC DP Law Arts. 33–42.
10. Security and technical & organisational measures
Our security controls are described on the security and compliance page. In summary: we are ISO/IEC 27001:2022 certified, hold an annual SOC 2 Type II report, hold ISO/IEC 27701 for privacy information management, and hold ISO/IEC 42001:2023 for the AI management system. The TOMs documented in our DPA Annex II are kept current with the live production environment and are auditable on request.
PDPL Art. 20; GDPR Art. 32; DIFC DP Law Arts. 14–15.
11. Children's data
Brocode services and content are directed at business and professional audiences. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, contact the DPO and we will delete the data without undue delay and review the route by which it was collected.
PDPL Art. 6; GDPR Arts. 8, 9.
13. Changes to this policy
We review this policy at least every six months and whenever a material change occurs. Material changes are reflected in the changelog in section 15, and the effective date and version at the top of this page are updated. We notify identified data subjects by email where the change materially affects their existing relationship with us; non-material changes are notified through the website only.
PDPL Art. 7 (accountability); GDPR Art. 5(2).
14. Contact the Data Protection Officer
Named DPO
Layla Al Mansoori
ISO/IEC 27701 Lead Implementer · CIPP/E · IAPP member
Email: dpo@brocode.ae
Postal address: Data Protection Officer, Brocode Solutions FZ-LLC, Al Maryah Island, ADGM, Abu Dhabi, UAE.
Direct booking: 30-minute Microsoft Teams slot via the DPO calendar link, supplied on email request.
Or message us on WhatsApp — useful for a short, scoped question.
15. Changelog
Append-only. Substantive changes only. Non-material edits (typography, broken links) are not listed here but are tracked in the underlying version control.
| Version | Date | Substantive change |
|---|---|---|
| v3.2 | 14 May 2026 | Added EU representative under GDPR Art. 27; updated sub-processor cross-reference; clarified candidate-data retention. |
| v3.1 | 12 February 2026 | Updated DIFC DP Law cross-reference numbering; added GPC handling in cookies section. |
| v3.0 | 1 January 2026 | Effective date of the current legal entity migration; full article-level cross-walk to UAE PDPL added. |
| v2.4 | 21 October 2025 | Retention schedule re-mapped to live production systems; recruitment retention shortened from 24 to 12 months. |
| v2.3 | 3 August 2025 | EU SCCs 2021/914 Module 3 wording aligned to recent EDPB guidance. |
| v2.2 | 15 May 2025 | Named DPO update; DPO credentials block added. |
