Privacy Notice
- Effective:
- 25 June 2026
- Version:
- 1.0 (draft)
This Privacy Notice explains how Exec X AI Ltd (DIFC 10474) collects, uses and shares personal data through the regulation10.ae marketing website. It is written to meet our obligations under the DIFC Data Protection Law No. 5 of 2020, as amended by DIFC Law No. 1 of 2025 (the "DPL"), and is aligned with the EU General Data Protection Regulation (GDPR) and the UK GDPR / Data Protection Act 2018 for visitors in those jurisdictions.
1. Who we are (the controller)
Exec X AI Ltd, registered in the Dubai International Financial Centre (DIFC) under number 10474, registered office Dubai International Financial Centre, Dubai, UAE, is the Controller (DPL Art. 8) of the personal data processed through this website (the "Site"). We decide why and how that data is processed.
We have not appointed a statutory Data Protection Officer (DPO) under DPL Art. 16 because we do not currently meet the High Risk Processing Activities threshold for the marketing Site. Our Appointed Senior Officer (ASO), Khaled Shivji, is the point of contact for all data-protection matters and can be reached at privacy@regulation10.ae. If our processing changes such that a DPO becomes mandatory, we will appoint one and update this notice.
2. What this notice covers
This notice covers the regulation10.ae marketing website only. Personal data processed inside the authenticated platform at https://app.regulation10.ae is governed by a separate platform privacy notice and a written Data Processing Agreement (see our Data Processing Addendum) between us and each customer.
3. Personal data we collect
- Contact form submissions: name, work email, company name, and the contents of your message, together with a record of your consent and the submission timestamp.
- Data-subject requests: where you exercise a right via our data request channel, the identity and contact details you provide and the nature of your request.
- Technical and usage data: IP address, browser type, device type, referring URL, and pages visited. We use this only for security, fraud prevention, and to understand which content is useful. Our analytics provider, Plausible, is cookieless and does not collect cross-site identifiers — see our Cookie Notice.
We do not knowingly collect Special Categories of Personal Data (DPL Art. 9 — e.g. health, biometric, or data revealing religious or political belief), nor data from individuals under 18, through the Site.
4. How and why we use your personal data (purposes and lawful basis)
Under DPL Art. 10, we may only process personal data where a lawful basis applies. The table below sets out each purpose, the data used, and the basis we rely on.
| Purpose | Data used | Lawful basis (DPL Art. 10 / GDPR) |
|---|---|---|
| Responding to your enquiry | Contact form fields | Consent (DPL Art. 10(1)(a) / GDPR Art. 6(1)(a)) |
| Handling a data-subject rights request and verifying your identity | Identity and contact details, request details | Legal obligation (DPL Art. 10(1)(c) / GDPR Art. 6(1)(c)) |
| Sending you follow-up information you asked for | Email address, company | Legitimate interests (DPL Art. 10(1)(f) / GDPR Art. 6(1)(f)) |
| Securing the Site against fraud and abuse | IP address, technical data | Legitimate interests |
| Complying with legal, regulatory or audit obligations | Records of consent, request logs | Legal obligation |
Where we rely on legitimate interests, we have carried out a balancing assessment and will provide a summary on request.
5. Automated processing and profiling (DPL Art. 22)
We do not make decisions about you on the marketing Site that are based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect you. We do not use your contact-form data to build marketing profiles. Should we ever introduce such processing, we will tell you in advance, explain the logic involved and the likely consequences, and give you the right to obtain human intervention, express your view, and contest the decision, as required by DPL Art. 22.
6. Who we share personal data with (recipients)
- Service providers (Processors): the third parties listed on our sub-processors page — including our email infrastructure (Resend), workflow automation (n8n), hosting (Azure and Vercel) and payments (Stripe, platform only). Each is bound by a written processing agreement under DPL Art. 24.
- Group companies: where another entity in the Exec X AI Ltd group helps respond to your enquiry, we share only what is needed.
- Regulators, auditors and legal advisors: where required by law, including under the DPL cooperation duties owed to the DIFC Commissioner of Data Protection.
We do not sell personal data and do not share it for third-party direct-marketing purposes.
7. International transfers (DPL Part 5)
Our regulated platform residency is Azure UAE North (Dubai). UAE North is outside the DIFC and is not currently on the list of jurisdictions recognised as providing an adequate level of protection by the DIFC Commissioner of Data Protection. Marketing-Site processing (contact-form delivery, hosting logs, email delivery and workflow automation) may also involve recipients in other jurisdictions.
Where a transfer is to a jurisdiction that has not been recognised as adequate under DPL Art. 26, we put one of the appropriate safeguards in DPL Art. 27 in place — in practice, the DIFC Standard Contractual Clauses (SCCs) supported by a transfer impact assessment, or your explicit consent under DPL Art. 28. The same DIFC SCCs apply to transfers of regulated data to Azure UAE North. A copy of the safeguards in place is available on request via privacy@regulation10.ae. The detailed sub-processor table and transfer mechanism for each provider is on our sub-processors page.
8. How long we keep personal data
- Contact-form enquiries: 12 months, or until you become a customer unless converted into a customer account.
- Data-subject request records: 6 years to evidence compliance.
- Server access logs: 90 days.
- Records of consent: for the duration of the relationship plus six years.
We keep personal data only for as long as necessary for the purpose it was collected for, or as required by law, consistent with the DPL principle of storage limitation.
9. Your rights (DPL Art. 32–43)
Subject to the conditions in the DPL, you have the right to:
- be informed about our processing (this notice);
- access the personal data we hold about you (DPL Art. 33);
- have inaccurate data rectified (DPL Art. 34);
- have your data erased in certain circumstances (DPL Art. 35);
- restrict our processing (DPL Art. 36);
- data portability where processing is by automated means under consent or contract (DPL Art. 38);
- object to processing based on our legitimate interests or to direct marketing (DPL Art. 37);
- not be subject to a decision based solely on automated processing that significantly affects you (DPL Art. 22); and
- withdraw consent at any time, without affecting the lawfulness of prior processing.
To exercise any of these rights, use our data request form or email privacy@regulation10.ae. We will respond within one month (30 days), extendable by two further months for complex or numerous requests as permitted by the DPL, in which case we will tell you and explain why.
10. Complaints to the Commissioner
If you believe we have mishandled your personal data, please contact us first so we can put things right. You also have the right to lodge a complaint with the DIFC Commissioner of Data Protection under DPL Art. 60 (difc.com, commissioner@dp.difc.ae), or with the supervisory authority in your EU/UK place of residence, work, or where the alleged infringement occurred.
11. Security
As required by DPL Art. 14, we apply appropriate technical and organisational measures to protect personal data, including TLS 1.2+ in transit, encryption at rest, access controls under a least-privilege model, and audit logging. No transmission over the internet is ever fully secure; please do not send us regulated or special-category data via the contact form.
12. Changes to this notice
We may update this notice from time to time. Material changes will be signalled by an updated "Effective" date and, where required, prior notice to registered contacts. The current version is always available at this URL.
13. Contact
Email privacy@regulation10.ae or write to the ASO, Khaled Shivji, c/o Exec X AI Ltd, Dubai International Financial Centre, Dubai, UAE.