file · L-02 / data protection noticerev · 2026.q3
LEGALthree [online] services fze · uaq

Privacy notice

This notice describes how Three [Online] Services FZE collects, uses, retains, and discloses personal information processed in connection with this website and the firm's commercial engagements. It is drafted with reference to UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) and, where international correspondents are concerned, to Regulation (EU) 2016/679 (GDPR).

document
data protection notice
effective
From 02 July 2026
jurisdiction
UAE · UAQ FTZ
§ 1

Controller

The party responsible for the processing of personal information described in this notice — the “controller” within the meaning of Article 1 of Federal Decree-Law No. 45/2021 and Article 4(7) GDPR — is Three [Online] Services FZE, a Free Zone Establishment registered with the UAQ Free Trade Zone Authority, Umm Al Quwain, United Arab Emirates.

Controller
Three [Online] Services FZE
Responsible person
David Dreier — Manager
Postal address
One UAQ, UAQ FTZ, Al Barqaa, UAE

The firm has not appointed a statutory data-protection officer as neither Article 10 PDPL nor Article 37 GDPR mandates one for the processing described below; the responsible person named above handles all enquiries personally.

§ 2

Categories of personal data processed

The firm processes the following categories of personal data:

  • Contact-form submissions: name, email address, organisation (optional), free-text message content, and the date and time of submission.
  • Correspondence: the content of subsequent email or written correspondence exchanged with the sender in connection with the original enquiry.
  • Counterparty data: where an engagement is concluded, the contact details and role of the individual representatives of the counterparty necessary to perform the contract.
  • Technical request metadata: IP address, user-agent string, referrer, and request timestamp are processed transiently by the hosting infrastructure for the sole purposes of delivering the requested page, mitigating abuse, and producing aggregate, non-identifying server logs that are retained for no longer than is necessary for that purpose.

The firm does not knowingly collect or process special categories of personal data within the meaning of Article 9 GDPR or sensitive personal data within the meaning of Article 15 PDPL. Senders are asked not to include such data in unsolicited enquiries.

§ 3

Purposes & lawful basis

The purposes for which personal data are processed, and the corresponding lawful bases, are as follows:

Answering enquiries
Reading, assessing and responding to inbound business enquiries.
Basis: Art. 6(1)(a) and 6(1)(f) GDPR · Art. 5 PDPL — consent and legitimate interest in handling business correspondence.
Performance of contract
Performing engagements that have been concluded in writing, and the steps taken at the request of the counterparty prior to entering into such an engagement.
Basis: Art. 6(1)(b) GDPR · Art. 5 PDPL.
Legal & regulatory
Complying with applicable legal, regulatory, tax, and audit obligations to which the firm is subject.
Basis: Art. 6(1)(c) GDPR · Art. 5 PDPL.
Defence of claims
Establishing, exercising, or defending legal claims; and preserving records that may be required for that purpose.
Basis: Art. 6(1)(f) GDPR · Art. 5 PDPL.
§ 4

No marketing, no profiling, no automated decisions

Personal data submitted to the firm are not used for marketing purposes. The firm does not build behavioural profiles of website visitors, does not segment visitors for advertising, and does not sell or rent personal data to any third party.

The firm does not take decisions that produce legal effects concerning the visitor, or similarly significantly affect the visitor, on the basis of automated processing within the meaning of Article 22 GDPR or Article 16 PDPL.

§ 5

Recipients & processors

Personal data are accessed by authorised personnel of the firm on a need-to-know basis. The firm engages a limited number of service providers (“processors”) under written instructions and appropriate contractual safeguards. As at the effective date of this notice, these are:

Form delivery
EmailJS, Inc. (United States) — transactional delivery of contact-form submissions to the firm's mailbox.
Email & calendar
Operated under a commercial business-productivity subscription; mail flows are encrypted in transit and at rest.
Hosting infrastructure
Pages are served from a globally distributed edge network with TLS termination and standard DDoS mitigation.

Personal data are otherwise disclosed only where the firm is required to do so by applicable law, by an order of a competent authority, or where disclosure is necessary to establish, exercise, or defend a legal claim.

§ 6

International transfers

The firm is established in the United Arab Emirates. Some of the processors named in clause 5 are established outside the UAE and outside the European Economic Area. Where personal data are transferred to a recipient in a country that has not been the subject of an adequacy decision under Article 22 PDPL or Article 45 GDPR, the firm relies on appropriate safeguards, including, as applicable, the European Commission’s Standard Contractual Clauses (Decision 2021/914), supplementary measures where required, and the contractual confidentiality and data-protection commitments of the recipient.

§ 7

Retention

Personal data are retained only for as long as is necessary for the purposes for which they were collected, and thereafter for any period required by applicable law or necessary for the establishment, exercise, or defence of legal claims. Indicative retention periods are:

Unsolicited enquiries
Up to 24 months from the date of receipt
Active correspondence
For the duration of the matter, plus 24 months
Concluded engagements
10 years from the end of the engagement (tax, commercial-law, and limitation considerations)
Server access logs
Aggregated or deleted within 30 days
§ 8

Security

The firm maintains appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. These measures include transport encryption (TLS), encryption at rest where personal data are stored, restricted administrative access on a need-to-know basis, regular review of access rights, and structured incident-response procedures. No method of transmission or storage is, however, absolutely secure.

§ 9

Your rights

Subject to the limits and exceptions provided by applicable law, individuals whose personal data the firm processes have the following rights:

  • Access — to obtain confirmation as to whether personal data concerning them are being processed, and a copy of those data.
  • Rectification — to have inaccurate or incomplete data corrected.
  • Erasure — to have data deleted, where the conditions for erasure are met.
  • Restriction & objection — to restrict, or object to, processing on the basis of legitimate interests.
  • Portability — to receive data in a structured, commonly used, machine-readable format.
  • Withdrawal of consent — where processing is based on consent, to withdraw that consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
  • Complaint — to lodge a complaint with a competent supervisory authority (see clause 11).

Requests are addressed in writing to info@ThreeOnlineServices.com. The firm responds within the period prescribed by applicable law (and in any event without undue delay), and may need to verify the identity of the requester before complying.

§ 10

Cookies & analytics

This website operates without optional cookies. No analytics collectors, advertising pixels, or cross-site tracking tags are embedded in the pages served from this domain. A small number of strictly necessary, transient cookies may be set by the hosting edge for the sole purpose of routing traffic and mitigating abuse; these do not require consent under Article 5(3) of Directive 2002/58/EC.

§ 11

Supervisory authorities

Senders in the United Arab Emirates may refer matters to the UAE Data Office, established under Federal Decree-Law No. 44 of 2021, which is the federal authority responsible for the supervision of personal-data protection in the UAE.

Senders ordinarily resident in the European Economic Area, the United Kingdom, or Switzerland may refer matters to the supervisory authority of their place of habitual residence, place of work, or place of the alleged infringement.

§ 12

Children

The services described on this site are directed exclusively at businesses and their authorised representatives. The firm does not knowingly collect personal data of individuals under the age of 18. If you believe that personal data of a minor have been submitted through this site, please contact the firm so that the data can be deleted.

§ 13

Changes to this notice

The firm may amend this notice from time to time to reflect changes in its processing activities, in applicable law, or in regulatory guidance. The version in force is the version published at this URL, identified by the effective date in the header above. Material changes are communicated, where appropriate, to active counterparties in writing.