VAF Compliance Ltd Privacy Notice

Last Updated: 31 March 2022

  • Privacy at VAF Compliance

    At VAF Compliance Ltd (“we”, “us”), we routinely collect and use personal data about individuals, including our customers, business partners and service provider representatives (“you”). We are aware of our responsibilities to handle your personal data with care, to keep it secure and comply with applicable privacy and data protection laws, including the Dubai International Financial Centre (“DIFC”) Data Protection Law No. 5 of 2020 (“DPL”).
  • Purpose of this Privacy Notice

    The purpose of this Privacy Notice (“Notice”) is to provide a clear explanation of when, why and how we collect and use information which may relate to you (“personal data”) including, but not limited to, personal data collected via our website ( (the “Site”). Do read this Notice carefully. It provides important information about how we use personal data and explains your statutory rights. This Notice is not intended to override the terms of any contractual agreement you have with us, nor rights you might have available under applicable data protection laws, including the DPL. We may update this Notice from time to time. Please ensure that you visit the Site regularly to ensure that you are familiar with the most current version of this Notice.
  • Contact information

    If you have any questions regarding this Notice, or how we use your personal data, you can contact us by email at: You can also contact us by writing to us at: VAF Compliance Ltd Unit L29-06 Level 29 ICD Brookfield Place Dubai International Financial Centre, Dubai United Arab Emirates
  • How do we obtain your personal data and what do we use it for?

    Most of the personal data we process is provided to us directly by you over email, telephone, at an event we attend or sponsor, or via the “Book a Demo” link on our Site. On occasion, we may also:
    • receive personal data from banks and other financial institutions;
    • collect information via your LinkedIn profile;
    • receive your contact details from an event organiser, where we have sponsored the event.
    We may use your personal data for the following reasons:
    • to provide you with information with respect to our services, if you are a prospective client;
    • to verify your identity, if you are a client, or if you have given your permission for us to verify your identity in order for us to provide our services to another client;
    • to provide you with our services, if you are a client;
    • to provide a third party with our services, where you are an actual or potential customer of that third party;
    • to manage our relationship with you, if you are a representative of a business partner, service provider or professional advisor;
    • for security and identification purposes, if you visit our offices;
    • to contact you following an event which we host or attend.
    We also may receive personal data indirectly, from the following sources in the following scenarios:
    • from our clients, where you have given your permission for them to share that with us; and
    • from national credit reporting agencies or other third parties, where necessary in connection with our services.
  • What personal data do we collect?

    We collect and process the following personal data:
    • name;
    • contact details (email address, physical address, telephone number).
    If you are a client (or if you are an actual or potential customer of one of our clients and have given permission for us to collect the information below, at the request of our client), we may also collect the following personal data, to the extent necessary to provide our services:
    • passport copy;
    • bank statement or tax record;
    • CV;
    • copies of your utility bills;
    • details relating to your cryptocurrency wallet. Whilst we may provide details of your cryptocurrency wallet to the third party software provider we rely on in connection with certain services, we would not provide any other personal data to that third party software provider which would enable them to identify you.
  • Who do we share your personal data with?

    We may share your personal data with:
    • our service providers (including IT service providers);
    • our professional advisers;
    • law enforcement and governmental agencies, to the extent we are legally required to do so;
    • a potential or actual purchaser or investor, in the event that we were to sell our business; and/or
    • any third party you instruct us to share your personal data with in relation to the provision of our services, including our clients.
    Whilst we may use aggregated (non-personal) data for analysis purposes, and may permit third parties to do the same, we will never sell your personal data to third parties.
  • Direct Marketing

    We may use your personal data to send you direct marketing communications about our products and services. This may be in the form of email, post, SMS, telephone or targeted online advertisements. In most cases our processing of your personal data for marketing purposes is based on our legitimate interests to provide information in relation to our services that may be of interest to you, although in some cases (such as where required by law) it may be based on your consent. You have a right to prevent direct marketing of any form at any time by contacting us using the details set out in Section 3. We take steps to limit direct marketing to a reasonable and proportionate level, and to send you communications which we believe may be of interest or relevance to you, based on the information we have about you.
  • International transfers

    From time to time we may need to share your personal data with third parties who may be based outside of the DIFC, such as our service providers. We will always take steps to ensure that any international transfer of information is carefully managed to protect your rights and interests. We will only transfer your personal data to countries which are recognised as providing an adequate level of legal protection or where we can be satisfied that alternative arrangements are in place to protect your privacy rights, such as contractual commitments which meet the requirements of the DPL. We may also, under limited circumstances and further to seeking legal advice as to the necessity and lawfulness of such disclosures, make other disclosures of your personal data overseas, for example if we receive a legal or regulatory request from a foreign law enforcement body. To the extent legally permissible, we will always inform you before making such a disclosure. You have the right to ask us for more information about the safeguards we have put in place as mentioned above. Contact us using the details provided under Section 3 if you would like further information.
  • Which lawful bases for processing do we rely on?

    Under the DP Law, the lawful bases we rely on for processing your personal data are:
    • our use of your personal data is necessary to perform a contract or take steps to enter into a contract with you (e.g. to provide you with our services, if you are a customer, or to onboard you and pay your invoices, if you are a supplier), or
    • our use of your personal data is necessary to comply with a relevant legal or regulatory obligation that we have (e.g. to comply with DIFC regulatory requirements), or
    • our use of your personal data is necessary to support ‘legitimate interests’ that we have as a business (for example, to improve our products and services, or to provide certain services to our clients, where you are aware of the provision of those services and have given your permission for those services to be provided, to the extent they relate to you), provided it is conducted at all times in a way that is proportionate, and that respects your privacy rights.
    Generally, we do not rely on your consent as the basis for processing your personal data, but will make it clear that we are doing so in any limited circumstances that we do so.
  • How long do we keep your personal data for?

    We will retain your personal data for as long as is reasonably necessary for the purposes listed in Section 4 of this Notice. In some circumstances we may retain your personal data for longer periods of time, for instance where we are required to do so in accordance with legal, regulatory, tax or accounting requirements. In specific circumstances we may also retain your personal data for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal data or dealings. Where your personal data is no longer required we will ensure it is securely deleted.
  • Your data protection rights

    You have a number of rights in relation to your personal data. You may request access to your data, correction of any mistakes in our files, erasure of records where no longer required, restriction on the processing of your data, objection to the processing of your data, data portability and various information in relation to any automated decision making and profiling or the basis for international transfers. More information about each of these rights can be found below. To exercise your rights you may contact us as set out in Section 3.
    Right: What this means
    Access: You can ask us to:
    • confirm whether we are processing your personal data;
    • give you a copy of that data;
    • provide you with other information about your personal data such as what data we have, what we use it for, who we disclose it to, whether we transfer it abroad and how we protect it, how long we keep it for, what rights you have, how you can make a complaint, where we got your data from, to the extent that information has not already been provided to you in this Notice.
    Rectification: You can ask us to rectify inaccurate personal data. We may seek to verify the accuracy of the data before rectifying it.
    Erasure: You can ask us to erase your personal data, but only where:
    • It is no longer needed for the purposes for which it was collected; or
    • You have withdrawn your consent (where the data processing was based on consent); or
    • Following a successful right to object (see ‘Objection’ below); or
    • It has been processed unlawfully; or
    • To comply with a legal obligation to which we are subject.
    We are not required to comply with your request to erase your personal data if the processing of your personal data is necessary:
    • For compliance with a legal obligation; or
    • For the establishment, exercise or defence of legal claims.
    There are certain other circumstances in which we are not required to comply with your erasure request, although these two are the most likely circumstances in which we would deny that request.
    Restriction: You can ask us to restrict (i.e. keep but not use) your personal data, but only where:
    • Its accuracy is contested (see Rectification), to allow us to verify its accuracy; or
    • The processing is unlawful, but you do not want it erased; or
    • it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or
    • You have exercised the right to object, and verification of overriding grounds is pending.
    We can continue to use your personal data following a request for restriction, where:
    • we have your consent; or
    • to establish, exercise or defend legal claims; or
    • To protect the rights of another natural or legal person; or
    • For reasons of substantial public interest.
    Portability: You can ask us to provide your personal data to you in a structured, commonly used, machine-readable format, or you can ask to have it ‘ported’ directly to another data controller, but in each case only where:
    • The processing is based on your consent or on the performance of a contract with you; and
    • The processing is carried out by automated means.
    Objection: You can object to any processing of your personal data which has our ‘legitimate interests’ as its legal basis, if you believe your fundamental rights outweigh our legitimate interests. Once you have objected, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights. You can also object to our use of your personal data for direct marketing purposes at any time.
    Automated Decision Making: We do not undertake any Automated Decision Making. You can ask not to be subject to a decision which is based solely on automated processing, but only where that decision:
    • produces legal effects concerning you (such as the rejection of a claim); or
    • otherwise significantly affects you.
    In such situations, you can also obtain human intervention in the decision making, and we will ensure measures are in place to allow you to express your point of view, and/or contest the automated decision. Your right not to be subject to automated decision making does not apply where the decision which is made:
    • is necessary for entering into or performing a contract with you;
    • is authorised by law and there are suitable safeguards for your rights and freedoms (including any DIFC law concerning fraud, counter-terrorism, money laundering, and tax-evasion monitoring and prevention which requires processing of your personal data); or
    • is based on your explicit consent.
    However, in these situations you can still obtain human intervention in the decision making, and we will ensure measures are in place to allow you to express your point of view, and/or contest the automated decision.
    Non-Discrimination: You have the right not to be discriminated against as a result of your exercise of any of the aforementioned rights, including by: (a) being denied access to any of our services; (b) being charged a different price for any of our services as a result of your exercising of such rights; (c) being offered any of our services on less favourable terms; or (d) us suggesting that (b) or (c) might occur. Should you be concerned that this is the case, please do not hesitate to let us know.
    International Transfers: You can ask to obtain a copy of, or reference to, the safeguards under which your personal data is transferred outside of the DIFC. We may redact data transfer agreements or related documents (i.e. obscure certain information contained within these documents) for reasons of commercial sensitivity.
    Identity: We take the confidentiality of all records containing personal data seriously, and reserve the right to ask you for proof of your identity if you make a request in respect of such records.
    Fees: We will not ask for a fee to exercise any of your rights in relation to your personal data, unless your request for access to information is unfounded, repetitive or excessive, in which case we will charge a reasonable amount in the circumstances. We will let you know of any charges before completing your request.
    Timescales: We aim to respond to any valid requests within one month unless it is particularly complicated or you have made several requests, in which case we aim to respond within three months. We will let you know if we are going to take longer than one month. We might ask you if you can tell us what exactly you want to receive or are concerned about. This will help us to action your request more quickly.
    Third Party Rights: We do not have to comply with a request where it would adversely affect the rights of other data subjects.
  • How to complain

    If you have any concerns about our use of your personal data, you can make a complaint to us using the contact information provided at Section 3. If you have a complaint or concern about how we use your personal data, please contact us in the first instance and we will attempt to resolve the issue as soon as possible. You also have a right to lodge a complaint with the DIFC Commissioner for Data Protection at any time at