Privacy Policy

CC Agency ("CC Agency", "we", "us", or "our") respects your privacy and is committed to protecting the personal data we process about you. This Privacy Policy explains how we collect, use, disclose, store, and otherwise process personal data you provide when you visit https://ccagency.ae (the "Website") or otherwise interact with us, and describes the rights available to you under applicable data protection law — principally Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("UAE PDPL") and, where relevant, the EU General Data Protection Regulation (GDPR) and the UK GDPR.

Please read this Policy carefully. By using the Website or submitting personal data through it, you confirm that you have read and understood the practices described below.

1. Identity of the Data Controller

The data controller responsible for the processing of your personal data is:

• Name: Amity and Co L.L.C-FZ (operating the CC Agency brand)
• Licence number: 2532998.01
• Registered address: Meydan Grandstand, 6th floor, Meydan Road, Nad Al Sheba, Dubai, U.A.E.
• Email: hello@ccagency.ae
• Telephone / WhatsApp: +971 50 267 0424

For any matter relating to this Policy or the processing of your personal data, please contact us using the details set out in Section 16 (Contact and Complaints).

2. Scope of this Policy

This Policy applies to personal data processed by CC Agency in connection with:

• your visit to and use of the Website;
• your submission of an enquiry through the contact form on the Website;
• your communication with us by email, WhatsApp, telephone, or other channels referenced on the Website; and
• commercial communications, proposals, and engagement-related correspondence prior to the conclusion of any service agreement.

This Policy does not govern personal data processed under a separate written services agreement, where the agreement, the corresponding statement of work, or a bespoke data processing addendum will prevail.

3. Definitions

Personal Data

Any information relating to an identified or identifiable natural person, as defined in Article 1 of the UAE PDPL.

Processing

Any operation performed on personal data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.

Data Subject

The natural person to whom the personal data relates — typically you, the visitor or enquirer.

Controller

The entity that determines the purposes and means of processing personal data — in this case, CC Agency.

Processor

A third party that processes personal data on behalf of the Controller under documented instructions.

Sensitive Personal Data

Categories of personal data that, by their nature, warrant heightened protection — including data revealing racial or ethnic origin, political opinions, religious beliefs, health, biometric, or genetic data. CC Agency does not solicit Sensitive Personal Data through the Website.

4. Categories of Personal Data We Collect

We collect only the personal data necessary for the limited purposes set out in Section 6. The categories are as follows:

4.1 Information you provide directly

• Contact form submissions: name, email address, the content of your enquiry, and any other information you choose to include in the message field.
• Direct communications: any personal data you voluntarily share with us via email, WhatsApp, telephone, or in person — such as your full name, telephone number, company affiliation, project brief, and budget indications.

4.2 Information collected automatically

• Technical data: when you visit the Website, our hosting and content-delivery providers automatically receive limited request metadata, including your IP address, browser user-agent string, referring URL, requested resource, response status, and approximate geographic location derived from the IP address. This data is processed for security, abuse prevention, and aggregate diagnostics only.
• Cookies and similar technologies: the Website does not set first-party analytics or marketing cookies. Strictly necessary cookies may be set by our infrastructure provider (Cloudflare) for security, bot mitigation, and load balancing — see Section 11.

We do not knowingly collect Sensitive Personal Data through the Website and ask that you do not include such information in any enquiry.

5. Sources of Personal Data

We obtain personal data from the following sources only:

• directly from you, when you submit an enquiry, send us a message, or otherwise communicate with us;
• automatically, through standard web request metadata as described in Section 4.2; and
• occasionally, through publicly available business directories, press coverage, or professional networks (for example, LinkedIn) where such data has been made publicly accessible by you and where we have a legitimate business interest in contacting you regarding a potential commercial engagement.

We do not purchase personal data from third-party data brokers.

6. Purposes of Processing and Legal Bases

We process your personal data only where a lawful basis under Article 5 of the UAE PDPL (and, where applicable, Article 6 GDPR) supports the processing. The principal purposes and corresponding legal bases are:

1. To respond to your enquiries — including answering questions, sending proposals, and arranging discovery calls.
   Legal basis: performance of a contract or steps taken at your request prior to entering into a contract; alternatively, our legitimate interest in responding to commercial enquiries.
2. To deliver and administer our services — once an engagement is signed, we may continue to process your personal data to perform our obligations under that contract.
   Legal basis: performance of a contract.
3. To operate, secure, and improve the Website — including detecting and mitigating abuse, malicious traffic, and security incidents.
   Legal basis: our legitimate interest in maintaining a secure and functional service; compliance with legal obligations.
4. To comply with legal, regulatory, and tax obligations — including obligations arising under UAE commercial, tax, and anti-money-laundering legislation.
   Legal basis: compliance with a legal obligation.
5. To establish, exercise, or defend legal claims — where necessary to protect our rights or those of third parties.
   Legal basis: our legitimate interest in the proper conduct of legal proceedings.
6. To send marketing communications — where you have explicitly subscribed to receive them, we may send you newsletters, service updates, and occasional commercial offers via email through our marketing platform (HubSpot). You may unsubscribe at any time using the link provided in every marketing email or by contacting us directly.
   Legal basis: your consent.

Where we rely on consent (in particular for marketing communications), we will obtain that consent expressly and you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal. The Website does not currently deploy marketing or analytics pixels.

7. Disclosure of Personal Data

We do not sell, rent, or trade your personal data. We disclose personal data only as follows:

7.1 Service providers acting as data processors

We engage carefully selected third parties to process personal data on our behalf, under written agreements that impose confidentiality and security obligations consistent with applicable law. The principal categories of processor are:

7.2 Professional advisers

We may disclose personal data to our legal counsel, auditors, accountants, and insurers where strictly necessary and under duties of professional confidentiality.

7.3 Competent authorities

We may disclose personal data to UAE regulatory, tax, judicial, or law-enforcement authorities where required by applicable law, court order, or binding regulatory instruction.

7.4 Business transactions

If we are involved in a merger, acquisition, restructuring, or sale of assets, personal data may be transferred as part of that transaction. We will notify you and seek required consents where the law so requires.

8. International Transfers of Personal Data

Some of the processors listed in Section 7 are located outside the United Arab Emirates. Where personal data is transferred outside the UAE, we rely on one or more of the lawful transfer mechanisms recognised under the UAE PDPL and Council of Ministers Resolution implementing it, including:

• transfers to jurisdictions recognised by the UAE Data Office as providing an adequate level of protection;
• contractual safeguards imposing data-protection obligations on the recipient consistent with the UAE PDPL;
• your explicit consent to the transfer, where applicable; or
• transfers necessary for the performance of a contract between you and CC Agency, or for the establishment, exercise, or defence of legal claims.

You may request further information on the safeguards applied to international transfers by contacting us at hello@ccagency.ae.

9. Retention of Personal Data

We retain personal data for no longer than is necessary for the purposes for which it was collected, after which it is securely deleted or anonymised. Indicative retention periods are:

• Contact-form submissions and prospect correspondence: up to 24 months from the date of last meaningful interaction, unless an engagement results, in which case the data is retained as part of the client record under Section 9 below.
• Client records, contracts, and project files: for the duration of the engagement and for a further period of 5 years from termination, in line with UAE commercial and tax record-keeping requirements (Federal Decree-Law No. 32 of 2021 on Commercial Companies and Federal Decree-Law No. 47 of 2022 on the Taxation of Corporations and Businesses, as applicable).
• Server and security logs: typically 7 to 30 days at the edge layer, retained where required for incident investigation.

Where a longer retention period is required by law, regulation, or to assert or defend a legal claim, we will retain the relevant personal data for that longer period.

10. Security Measures

We apply technical and organisational measures appropriate to the risk presented by the processing, including:

• Transport Layer Security (TLS 1.3) and HTTP Strict Transport Security (HSTS preload) for all Website traffic;
• a hardened Content Security Policy and security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy);
• edge-level bot, denial-of-service, and intrusion mitigation through Cloudflare;
• access controls, multi-factor authentication, and the principle of least privilege for personnel with access to client data;
• periodic review of processor arrangements and security posture; and
• a documented response process for personal-data breaches, including notification to the UAE Data Office and affected Data Subjects where the PDPL requires it.

No transmission over the Internet is fully secure. While we apply commercially reasonable measures, we cannot guarantee absolute security and you submit personal data at your own risk.

11. Cookies and Similar Technologies

The Website does not use first-party analytics, advertising, profiling, or behavioural tracking cookies. Strictly necessary cookies and tokens may be set by Cloudflare for security and bot mitigation; these are essential to the operation of the Website and do not require consent under prevailing guidance. If we introduce non-essential cookies in the future, we will update this Policy and present a consent mechanism in compliance with applicable law.

12. Your Rights as a Data Subject

Subject to the conditions and exceptions set out in the UAE PDPL (Articles 13 to 17), you have the following rights in relation to your personal data:

• Right to be informed — to receive clear information about how we process your personal data (this Policy fulfils that obligation).
• Right of access — to obtain confirmation of whether we process your personal data and, if so, a copy of that data.
• Right to rectification — to have inaccurate or incomplete personal data corrected.
• Right to erasure — to request deletion of your personal data, subject to our legal and contractual retention obligations.
• Right to restrict processing — to request that we limit the processing of your personal data in defined circumstances.
• Right to data portability — to receive your personal data in a structured, commonly used, machine-readable format and, where technically feasible, to have it transmitted to another controller.
• Right to object — to object to processing carried out on the basis of our legitimate interests, including profiling.
• Right to withdraw consent — where processing is based on consent, to withdraw that consent at any time.
• Right not to be subject to automated decision-making — including profiling that produces legal or similarly significant effects. CC Agency does not currently engage in such automated decision-making.
• Right to lodge a complaint — with the UAE Data Office or, where applicable, with another competent supervisory authority.

13. How to Exercise Your Rights

To exercise any of the rights set out in Section 12, please write to us at hello@ccagency.ae with the subject line "Data Subject Request". We may need to verify your identity before acting on your request, and we will respond within the periods prescribed by the UAE PDPL — typically not later than 30 calendar days from the date of receipt of a complete request, with one extension of a further 30 days where the request is complex or numerous, in which case we will inform you of the extension and the reasons for it.

Exercising these rights is free of charge, save where the law expressly permits us to charge a reasonable fee for manifestly unfounded, excessive, or repetitive requests, or to refuse to act on the request.

14. Children's Privacy

The Website is not intended for, and is not directed to, persons under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided personal data to us, please contact us at hello@ccagency.ae and we will take appropriate steps to delete that data without undue delay.

15. Third-Party Links

The Website may contain links to third-party websites, social media platforms, and services that are not operated or controlled by CC Agency (including, without limitation, Facebook, Instagram, TikTok, YouTube, LinkedIn, and WhatsApp). We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy notices of any third-party platform before providing personal data to it.

16. Contact and Complaints

For questions, requests, or complaints relating to this Policy or our processing of your personal data, please contact us:

• Email: hello@ccagency.ae
• Postal address: Meydan Grandstand, 6th floor, Meydan Road, Nad Al Sheba, Dubai, U.A.E.
• Telephone / WhatsApp: +971 50 267 0424

If you are not satisfied with our response, you have the right to lodge a complaint with the UAE Data Office (the supervisory authority established under the UAE PDPL) or, where applicable, with the supervisory authority of your country of residence, place of work, or place of the alleged infringement.

17. Updates to this Policy

We may update this Policy from time to time to reflect changes in our practices, legal or regulatory developments, or operational requirements. The "Last updated" date at the top of this Policy indicates when the most recent revision was published. Where the changes are material, we will take reasonable steps to bring them to your attention, for example by posting a prominent notice on the Website or by direct communication where appropriate.

We encourage you to review this Policy periodically. Your continued use of the Website following the publication of an updated Policy constitutes your acknowledgement of the updated terms, to the extent permitted by applicable law.

18. Governing Law and Jurisdiction

This Privacy Policy is governed by, and shall be construed in accordance with, the laws of the United Arab Emirates as applicable in the Emirate of Dubai. The competent courts of Dubai shall have exclusive jurisdiction to settle any dispute arising out of or in connection with this Policy, subject to any mandatory provisions of law that confer jurisdiction elsewhere.