Controller
The party responsible for the processing of personal information described in this notice — the “controller” within the meaning of Article 1 of Federal Decree-Law No. 45/2021 and Article 4(7) GDPR — is Three [Online] Services FZE, a Free Zone Establishment registered with the UAQ Free Trade Zone Authority, Umm Al Quwain, United Arab Emirates.
- Controller
- Three [Online] Services FZE
- Responsible person
- David Dreier — Manager
- Written enquiries
- info@ThreeOnlineServices.com
- Postal address
- One UAQ, UAQ FTZ, Al Barqaa, UAE
The firm has not appointed a statutory data-protection officer as neither Article 10 PDPL nor Article 37 GDPR mandates one for the processing described below; the responsible person named above handles all enquiries personally.
Categories of personal data processed
The firm processes the following categories of personal data:
- Contact-form submissions: name, email address, organisation (optional), free-text message content, and the date and time of submission.
- Correspondence: the content of subsequent email or written correspondence exchanged with the sender in connection with the original enquiry.
- Counterparty data: where an engagement is concluded, the contact details and role of the individual representatives of the counterparty necessary to perform the contract.
- Technical request metadata: IP address, user-agent string, referrer, and request timestamp are processed transiently by the hosting infrastructure for the sole purposes of delivering the requested page, mitigating abuse, and producing aggregate, non-identifying server logs that are retained for no longer than is necessary for that purpose.
The firm does not knowingly collect or process special categories of personal data within the meaning of Article 9 GDPR or sensitive personal data within the meaning of Article 15 PDPL. Senders are asked not to include such data in unsolicited enquiries.
Purposes & lawful basis
The purposes for which personal data are processed, and the corresponding lawful bases, are as follows:
- Answering enquiries
- Reading, assessing and responding to inbound business enquiries.
Basis: Art. 6(1)(a) and 6(1)(f) GDPR · Art. 5 PDPL — consent and legitimate interest in handling business correspondence. - Performance of contract
- Performing engagements that have been concluded in writing, and the steps taken at the request of the counterparty prior to entering into such an engagement.
Basis: Art. 6(1)(b) GDPR · Art. 5 PDPL. - Legal & regulatory
- Complying with applicable legal, regulatory, tax, and audit obligations to which the firm is subject.
Basis: Art. 6(1)(c) GDPR · Art. 5 PDPL. - Defence of claims
- Establishing, exercising, or defending legal claims; and preserving records that may be required for that purpose.
Basis: Art. 6(1)(f) GDPR · Art. 5 PDPL.
No marketing, no profiling, no automated decisions
Personal data submitted to the firm are not used for marketing purposes. The firm does not build behavioural profiles of website visitors, does not segment visitors for advertising, and does not sell or rent personal data to any third party.
The firm does not take decisions that produce legal effects concerning the visitor, or similarly significantly affect the visitor, on the basis of automated processing within the meaning of Article 22 GDPR or Article 16 PDPL.
Recipients & processors
Personal data are accessed by authorised personnel of the firm on a need-to-know basis. The firm engages a limited number of service providers (“processors”) under written instructions and appropriate contractual safeguards. As at the effective date of this notice, these are:
- Form delivery
- EmailJS, Inc. (United States) — transactional delivery of contact-form submissions to the firm's mailbox.
- Email & calendar
- Operated under a commercial business-productivity subscription; mail flows are encrypted in transit and at rest.
- Hosting infrastructure
- Pages are served from a globally distributed edge network with TLS termination and standard DDoS mitigation.
Personal data are otherwise disclosed only where the firm is required to do so by applicable law, by an order of a competent authority, or where disclosure is necessary to establish, exercise, or defend a legal claim.
International transfers
The firm is established in the United Arab Emirates. Some of the processors named in clause 5 are established outside the UAE and outside the European Economic Area. Where personal data are transferred to a recipient in a country that has not been the subject of an adequacy decision under Article 22 PDPL or Article 45 GDPR, the firm relies on appropriate safeguards, including, as applicable, the European Commission’s Standard Contractual Clauses (Decision 2021/914), supplementary measures where required, and the contractual confidentiality and data-protection commitments of the recipient.
Retention
Personal data are retained only for as long as is necessary for the purposes for which they were collected, and thereafter for any period required by applicable law or necessary for the establishment, exercise, or defence of legal claims. Indicative retention periods are:
- Unsolicited enquiries
- Up to 24 months from the date of receipt
- Active correspondence
- For the duration of the matter, plus 24 months
- Concluded engagements
- 10 years from the end of the engagement (tax, commercial-law, and limitation considerations)
- Server access logs
- Aggregated or deleted within 30 days
Security
The firm maintains appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. These measures include transport encryption (TLS), encryption at rest where personal data are stored, restricted administrative access on a need-to-know basis, regular review of access rights, and structured incident-response procedures. No method of transmission or storage is, however, absolutely secure.
Your rights
Subject to the limits and exceptions provided by applicable law, individuals whose personal data the firm processes have the following rights:
- Access — to obtain confirmation as to whether personal data concerning them are being processed, and a copy of those data.
- Rectification — to have inaccurate or incomplete data corrected.
- Erasure — to have data deleted, where the conditions for erasure are met.
- Restriction & objection — to restrict, or object to, processing on the basis of legitimate interests.
- Portability — to receive data in a structured, commonly used, machine-readable format.
- Withdrawal of consent — where processing is based on consent, to withdraw that consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
- Complaint — to lodge a complaint with a competent supervisory authority (see clause 11).
Requests are addressed in writing to info@ThreeOnlineServices.com. The firm responds within the period prescribed by applicable law (and in any event without undue delay), and may need to verify the identity of the requester before complying.
Cookies & analytics
This website operates without optional cookies. No analytics collectors, advertising pixels, or cross-site tracking tags are embedded in the pages served from this domain. A small number of strictly necessary, transient cookies may be set by the hosting edge for the sole purpose of routing traffic and mitigating abuse; these do not require consent under Article 5(3) of Directive 2002/58/EC.
Supervisory authorities
Senders in the United Arab Emirates may refer matters to the UAE Data Office, established under Federal Decree-Law No. 44 of 2021, which is the federal authority responsible for the supervision of personal-data protection in the UAE.
Senders ordinarily resident in the European Economic Area, the United Kingdom, or Switzerland may refer matters to the supervisory authority of their place of habitual residence, place of work, or place of the alleged infringement.
Children
The services described on this site are directed exclusively at businesses and their authorised representatives. The firm does not knowingly collect personal data of individuals under the age of 18. If you believe that personal data of a minor have been submitted through this site, please contact the firm so that the data can be deleted.
Changes to this notice
The firm may amend this notice from time to time to reflect changes in its processing activities, in applicable law, or in regulatory guidance. The version in force is the version published at this URL, identified by the effective date in the header above. Material changes are communicated, where appropriate, to active counterparties in writing.