This Data Protection and Information Security Policy sets out the principles, controls, and safeguards adopted by FINLINEBUSINESS SERVICES FZCO (referred to in this Policy as the "Company") to ensure the secure, lawful, and responsible processing of personal data, financial data, corporate records, tax information, and confidential business information obtained through its website, digital platforms, services, and business operations. Given the nature of the Company's activities within the financial technology, professional accounting, business consultancy and related services sector, the Company recognises that it regularly processes highly sensitive financial documents, KYC (Know Your Customer) data, and proprietary business intelligence, and accordingly applies enhanced data protection and security standards consistent with applicable laws and industry best practices.
This Policy applies to all personal data and information processed by the Company, including data relating to customers, prospective customers, business partners, platform users, merchants, vendors, and other identifiable individuals, whether such data is processed electronically, digitally, or in physical form. It also applies to all employees, consultants, contractors, technology partners, and third-party service providers who access or process data on behalf of the Company.
The Company processes personal data strictly in accordance with the principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, confidentiality, and accountability. Personal data is collected and processed only where there is a legitimate business purpose, legal obligation, contractual necessity, or valid consent, and is not used in a manner that is incompatible with the purpose for which it was collected. For accounting services, data is primarily processed for the performance of a professional service agreement.
In addition to general personal data, the Company may process financial information, transaction-related data, onboarding information, verification data, tax identification numbers, payroll records, bank statements, corporate legal documents, and other information necessary to provide technology-enabled, accounting, consultancy, and related services. Such data is handled with heightened care and subject to enhanced access controls, security monitoring, and internal governance oversight to mitigate risks of unauthorised access, misuse, professional negligence, or financial crime.
In compliance with UAE Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering, the Company may be required, depending on the nature of the engagement and applicable regulatory obligations, to collect and verify client identity information. This data is processed specifically to meet regulatory "Know Your Customer" (KYC) requirements and is stored separately from general marketing data.
The Company maintains a structured information security framework designed to protect data against unauthorised access, disclosure, alteration, loss, or destruction. This framework includes secure system architecture, controlled access based on role and business necessity, authentication mechanisms, secure hosting environments, network security controls, monitoring of systems for vulnerabilities, and periodic review of security controls. Where appropriate, encryption and secure communication protocols are used to protect data in transit and at rest. The Company discourages the transmission of sensitive financial documents via unencrypted email. Clients are encouraged to use the Company's Secure Client Portal for all document exchanges. Access to this portal is protected by individual user credentials and Multi-Factor Authentication (MFA) or equivalent access security controls, as implemented from time to time.
Access to personal and financial data is restricted to authorised personnel who require such access for legitimate operational, compliance, or support purposes. Access rights are granted on a least-privilege basis and are reviewed periodically to ensure they remain appropriate. Personnel with access to sensitive or financial data are subject to confidentiality obligations and internal data handling protocols.
Where the Company engages third-party technology providers, cloud service providers, payment processors, compliance service providers, or other vendors who may process data on its behalf, such engagements are governed by written agreements that impose data protection, confidentiality, and information security obligations consistent with this Policy. The Company undertakes reasonable due diligence to ensure that such third parties maintain adequate security standards and do not process data beyond the Company's documented instructions.
Given the regulatory sensitivity of professional consultancy services, the Company maintains internal procedures for identifying, managing, and responding to data security incidents and breaches. In the event of a suspected or actual data breach that is likely to result in a risk to the rights and freedoms of affected data subjects, the Company will take immediate steps to contain the incident, assess its scope and impact, preserve evidence, and implement corrective and preventive measures. Where required by applicable law, contractual obligation, or regulatory expectation, the Company will notify relevant authorities, partners, or affected individuals within the prescribed timelines. Where required under applicable law, including the UAE Personal Data Protection Law, the Company will notify the UAE Data Office within the prescribed statutory timeframe.
Personal data and financial data are retained only for as long as necessary to fulfil the purposes for which they were collected, including legal, regulatory, compliance, audit, and dispute resolution requirements. Retention periods are determined based on applicable laws and the nature of the services provided. In accordance with UAE Commercial and Tax Laws, certain accounting records may be retained for a minimum of five (5) to ten (10) years. Upon expiry of the retention period, data is securely deleted, anonymised, or rendered inaccessible in a manner that prevents unauthorised recovery or use.
Where personal data is transferred outside the United Arab Emirates, including for cloud hosting, technical support, analytics, or service delivery, the Company ensures that such transfers are conducted in compliance with applicable data protection laws. Appropriate safeguards are implemented to ensure that transferred data continues to receive a level of protection consistent with UAE legal requirements and industry standards.
The Company recognises that trust is fundamental to its FinTech operations and therefore treats data protection and information security as an ongoing governance priority. This Policy is reviewed periodically to reflect changes in law, regulatory guidance, business operations, technology infrastructure, and risk exposure, and may be updated from time to time accordingly.
Any questions, concerns, or requests relating to this Data Protection and Information Security Policy or the Company's data handling practices may be addressed to FINLINEBUSINESS SERVICES FZCO at [email protected] or at its registered address. You can also contact us.