01Who we are
This privacy policy is issued by Entegrix FZC, a free-zone company registered in the Ajman Free Zone, United Arab Emirates, with registered address at Office C1, 1F, SF7579, Ajman Free Zone C1 Building, Ajman, UAE. Together with our UK presence in London, we operate under the trading name Entegrix (referred to in this policy as "Entegrix", "we", "us" or "our").
Entegrix is a chartered accountancy practice serving cross-border founders, with services delivered from both UK and UAE jurisdictions. We act as the data controller for personal data we collect through our website, contact forms, email, telephone and any direct engagement with clients or prospects.
Data controller details
Entity: Entegrix FZC
Registered address: Office C1, 1F, SF7579, Ajman Free Zone C1 Building, Ajman, UAE
UK presence: London, United Kingdom
Contact for data matters: [email protected]
Telephone: +971 52 622 8731
02What data we collect
We collect personal data only where we have a clear reason to. The categories below describe what we collect and at what point.
2.1 Information you give us directly
- Contact and enquiry data. Name, email address, telephone number, company name, country of residence, and the content of any enquiry you submit through our contact form, by email, or by phone.
- Booking data. When you book a consultation, the date and time chosen, your time zone, and any context you provide about your business needs.
- Engagement data. If we proceed to an engagement, we collect identity documents (passport, Emirates ID, UK passport or driving licence), proof of address, company documents, ultimate beneficial owner information, and tax identification numbers as required by UK and UAE anti-money-laundering law.
- Financial data. Bank account details, payment card last-four (cards themselves are tokenised by our payment processor), invoicing records, and accounting records we process on your behalf as part of the engagement.
2.2 Information we collect automatically
- Technical data. IP address, browser type and version, operating system, device type, screen resolution, and approximate geographic location derived from IP.
- Usage data. Pages viewed on entegrix.com, time on page, referring URL, exit pages, scroll depth and clicks. Collected via Google Analytics 4 with IP anonymisation enabled.
- Marketing attribution. The LinkedIn Insight Tag records conversion events when you arrive from a LinkedIn campaign. This allows us to measure ad performance without identifying you individually to us.
2.3 Information from third parties
- Public registries. Companies House (UK), UAE Ministry of Economy registers, and Free Zone authority public records when verifying corporate identity during onboarding.
- Sanctions and PEP screening. Names and identifiers checked against UK OFSI, UN, EU and UAE sanctions lists, and politically-exposed-person databases, via our compliance providers.
03Why we collect it
We collect personal data for the following purposes:
- To respond to your enquiry and arrange an initial consultation.
- To deliver the services you have engaged us for, including UAE company setup, ongoing accounting, VAT and Corporate Tax filing, payroll processing, AML compliance and advisory services.
- To comply with our legal obligations under UK and UAE law, including HMRC, UAE Federal Tax Authority (FTA), Companies House, free zone authorities, and AML/CFT regulations.
- To send service updates about your engagement (filing deadlines, invoice reminders, statutory changes that affect you).
- To improve our website and services, using anonymised aggregate data from analytics.
- To send marketing communications about new services or insights, only where you have opted in or where you are an existing client and have not opted out.
04Lawful bases (UK GDPR Article 6)
UK GDPR requires us to identify a lawful basis for every processing activity. The table below sets out which basis applies to which activity.
| Activity | Lawful basis (UK GDPR Art. 6) | PDPL equivalent |
|---|---|---|
| Responding to your enquiry | 6(1)(b), steps prior to entering a contract | Art. 5(1)(c) |
| Delivering engaged services | 6(1)(b), performance of a contract | Art. 5(1)(c) |
| AML and KYC checks | 6(1)(c), legal obligation | Art. 5(1)(b) |
| HMRC and FTA submissions | 6(1)(c), legal obligation | Art. 5(1)(b) |
| Website analytics | 6(1)(a), consent (cookie banner) | Art. 5(1)(a) |
| Marketing emails to prospects | 6(1)(a), consent | Art. 5(1)(a) |
| Service updates to clients | 6(1)(f), legitimate interest (client communication) | Art. 5(1)(e) |
| Fraud and sanctions screening | 6(1)(c), legal obligation; 6(1)(f), legitimate interest | Art. 5(1)(b), 5(1)(e) |
| Defending legal claims | 6(1)(f), legitimate interest (legal defence) | Art. 5(1)(e) |
Where we rely on legitimate interests, we have completed a Legitimate Interests Assessment balancing our interest against your rights and freedoms. A copy is available on request by emailing [email protected].
Where we rely on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
05How long we keep data
We keep personal data only as long as we need it for the purpose collected, or as long as we are legally required to.
| Category | Retention period | Reason |
|---|---|---|
| Enquiry data (no engagement) | 24 months | Follow-up window; then deleted |
| Engagement records, accounting files, working papers | 7 years from end of engagement | HMRC requirement (UK), FTA requirement (UAE), ACCA / Chartered Accountant practice rules |
| AML/KYC documentation | 5 years from end of engagement (UAE); 5 years from end of relationship (UK) | UK Money Laundering Regulations 2017; UAE AML Federal Decree-Law No. 20 of 2018 |
| Tax returns and supporting evidence | 7 years | HMRC and FTA statutory minimum |
| Marketing list (prospects) | 2 years from last engagement | Operational relevance window |
| Marketing list (clients) | For duration of engagement plus 12 months | Continued service relevance |
| Website analytics (Google Analytics 4) | 14 months | Default GA4 retention; configured to the minimum |
| Cookie consent records | 12 months from grant | Re-prompt cadence |
| CCTV (where applicable, UAE office) | 30 days | Operational security; UAE PDPL guidance |
After the retention period, we delete personal data securely or, where deletion is not technically practical (for example, server-level backups), we isolate it from active processing and ensure it is overwritten in the normal backup cycle.
06Who we share data with
We do not sell personal data. We share it only with the parties below and only to the extent necessary.
6.1 Statutory authorities
- HM Revenue and Customs (HMRC), for UK tax filings, VAT, PAYE and Corporation Tax submissions on behalf of UK-domiciled clients.
- UAE Federal Tax Authority (FTA), for UAE Corporate Tax, VAT and Excise Tax filings.
- Companies House (UK), for confirmation statements, accounts filings and director changes.
- UAE Free Zone authorities (IFZA, DMCC, Meydan, RAKEZ, Shams, Ajman Free Zone and others), for licence administration, renewals and amendments.
- Ministry of Economy and Ministry of Finance (UAE), where filings or beneficial-ownership disclosures require it.
- Financial Intelligence Unit (UAE) and the National Crime Agency (UK), where we are required to file Suspicious Activity Reports under AML law.
6.2 Data processors
We use carefully selected third-party providers to deliver our services. Each is bound by a written data processing agreement that requires equivalent protections to those we provide.
- Zoho Corporation (CRM, email, document storage, accounting platform). Data residency: India and UAE data centres.
- Google Workspace (email, calendar, document collaboration). Data residency: EU and global.
- Stripe (payment processing). Payment card data is collected directly by Stripe and tokenised; we do not store card numbers.
- Microsoft 365 (selected document workflows). Data residency: EU.
- WordPress and our managed hosting provider (website infrastructure).
- Calendly (consultation scheduling).
- Sanctions and PEP screening provider (named on request, used for compliance checks at onboarding).
6.3 Professional advisers
Where strictly necessary, we may share specific data with our own lawyers, insurers, auditors or external consultants under duties of confidentiality. We do not give them more than they need to advise us.
6.4 Court orders and legal demands
We will disclose data to courts, regulators and law enforcement where compelled by a valid order, summons or statutory power.
07International transfers
Because we operate across the UK and UAE, personal data is routinely transferred between these jurisdictions. We also use cloud providers whose infrastructure may be located in the European Economic Area, India and the United States.
7.1 UK to UAE transfers
At the time of writing, the UAE is not the subject of a UK adequacy regulation. Where we transfer personal data from the UK to the UAE (for example, when we hold UK-client files in our UAE office systems), we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs) as the transfer mechanism, together with a Transfer Risk Assessment.
7.2 UAE to UK and to other jurisdictions
Under UAE PDPL, cross-border transfers are permitted to jurisdictions that the UAE Data Office considers to provide adequate protection, or where the data subject has consented, or where appropriate safeguards are in place. We rely on contractual safeguards equivalent to the SCCs and obtain explicit consent where required.
7.3 Transfers to the United States
Some of our processors host data on infrastructure operated by US-headquartered companies (for example, Google Workspace). For transfers to US-based recipients, we rely on the EU-US Data Privacy Framework where the processor is certified, the UK Extension to the Data Privacy Framework, and SCCs where neither applies.
08Your rights
Under UK GDPR and UAE PDPL you have the following rights in relation to your personal data. Some rights are absolute; others are qualified by exceptions.
- Right of access. You may ask us to confirm whether we hold your personal data and to provide a copy. Free of charge for the first request; reasonable fee for subsequent or excessive requests.
- Right to rectification. You may ask us to correct inaccurate or incomplete personal data we hold about you.
- Right to erasure ("right to be forgotten"). You may ask us to delete your personal data. This is qualified by our statutory retention obligations (engagement records and tax filings cannot be erased before the statutory minimum has elapsed).
- Right to restrict processing. You may ask us to stop actively processing your data in certain circumstances, for example while you contest its accuracy.
- Right to data portability. Where we process data by automated means on the basis of consent or contract, you may ask us to provide it in a structured, commonly-used, machine-readable format.
- Right to object. You may object to processing based on legitimate interests or for direct marketing. We will stop processing for marketing on receipt of any objection.
- Rights regarding automated decision-making and profiling. We do not make solely automated decisions that produce legal or similarly significant effects.
- Right to withdraw consent. Where processing is based on consent, you may withdraw it at any time.
- Right to lodge a complaint. See Contact and complaints below.
09How to exercise your rights
To exercise any of the rights above, email [email protected] with the subject line "Data subject request" and tell us which right you are exercising. We may ask you for identity verification before we act.
We will respond within one calendar month. If your request is complex or you have submitted several requests, we may extend this by a further two months and will tell you within the first month if we do so.
If we decline a request (for example, because a statutory retention rule prevents erasure), we will explain why and tell you how to challenge the decision.
10Cookies and tracking
Our website uses three categories of cookies. We ask for your consent at first visit via a cookie banner.
10.1 Strictly necessary cookies
Required for the website to function (session, security, load balancing). Cannot be disabled because the site will not operate without them. No consent required under UK PECR or UAE PDPL.
10.2 Analytics cookies
We use Google Analytics 4 with IP anonymisation enabled. GA4 sets cookies (typically _ga, _ga_*) that record pseudonymised usage data. Data is retained for 14 months. You may opt out by declining the analytics category on our cookie banner, or by installing the Google Analytics opt-out browser add-on.
10.3 Marketing cookies
We use the LinkedIn Insight Tag to measure conversions from LinkedIn advertising campaigns. The tag sets cookies that allow LinkedIn to attribute conversions to specific campaigns. You may opt out via the cookie banner, via your LinkedIn account settings, or via the Your Online Choices portal.
10.4 Changing your preferences
You can change your cookie preferences at any time by clicking "Cookie preferences" in the website footer, or by clearing cookies from your browser, which will re-trigger our consent banner.
11Children's data
Our services are not directed at, intended for, or designed to attract individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, email [email protected] and we will delete it.
12Security
We apply technical and organisational measures appropriate to the risk, including:
- Encryption in transit (TLS 1.2 or higher) for all data exchanged with our website and our processors.
- Encryption at rest on Zoho, Google Workspace and Microsoft 365 platforms (AES-256).
- Multi-factor authentication on all staff accounts that can access client data.
- Role-based access controls and the principle of least privilege.
- Staff data-protection training at onboarding and annually thereafter.
- Documented incident response and breach notification procedures.
- Regular review of third-party processors and their security posture.
Despite these measures, no system is perfectly secure. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the UK Information Commissioner's Office and the UAE Data Office (as applicable) within 72 hours, and we will notify you directly without undue delay if the risk is high.
13Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top of this page reflects the most recent change. Material changes will be communicated to active clients by email. We recommend reviewing this page periodically.
14Contact and complaints
For any privacy matter, including data subject requests, questions about this policy, or concerns about how we handle your data, contact us:
Privacy contact
Email: [email protected]
Telephone: +971 52 622 8731
Post (UAE): Entegrix FZC, Office C1, 1F, SF7579, Ajman Free Zone C1 Building, Ajman, UAE
Mark your enquiry "Data privacy" so we can route it correctly.
14.1 Right to complain to a supervisory authority
If you are not satisfied with our response, you have the right to complain to a data protection supervisory authority.
- In the United Kingdom: Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Helpline: 0303 123 1113. Website: ico.org.uk.
- In the United Arab Emirates: UAE Data Office, via the Federal Authority for Identity, Citizenship, Customs and Port Security portal. Website: u.ae.
- DIFC-related matters: DIFC Commissioner of Data Protection. Website: difc.com.
This policy was last updated on 21 May 2026. Version 2.0. Aligned with UK GDPR, the Data Protection Act 2018, and UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data.