Our Commitment to Data Protection
InveGlobe is committed to protecting your personal data and respecting your privacy rights. We implement robust technical and organizational measures to ensure the security, confidentiality, and integrity of your personal information in accordance with applicable data protection laws.
1. Data Protection Overview
Data protection is fundamental to our business operations and customer relationships. We recognize that personal data is one of your most valuable assets and treat it with the highest level of care and security.
1.1 Our Data Protection Principles
- Lawfulness and Fairness: We process data lawfully, fairly, and transparently
- Purpose Limitation: Data is collected for specific, legitimate purposes
- Data Minimization: We collect only necessary and relevant data
- Accuracy: We maintain accurate and up-to-date information
- Storage Limitation: Data is retained only as long as necessary
- Security: Appropriate technical and organizational measures protect data
- Accountability: We demonstrate compliance with data protection principles
1.2 Scope of Data Protection
This data protection framework applies to:
- All personal data processed by InveGlobe
- Website visitors and mobile app users
- Customers and prospective customers
- Property owners and developers
- Business partners and service providers
- Employees and contractors
2. Legal Framework and Compliance
2.1 Applicable Laws and Regulations
Our data protection practices comply with:
| Regulation | Jurisdiction | Application | Key Requirements |
| --- | --- | --- | --- |
| UAE Federal Law No. 45 of 2021 | United Arab Emirates | Primary data protection law | Consent, data subject rights, security |
| GDPR | European Union | EU residents and data transfers | Strict consent, data portability, DPO |
| DIFC Data Protection Law | Dubai International Financial Centre | DIFC property transactions | Enhanced protection standards |
| RERA Regulations | Dubai | Real estate data handling | Professional standards, confidentiality |
2.2 Compliance Framework
We maintain compliance through:
- Data Protection Impact Assessments (DPIAs): For high-risk processing activities
- Privacy by Design: Incorporating privacy into system development
- Regular Audits: Internal and external data protection audits
- Staff Training: Ongoing education on data protection requirements
- Policy Updates: Regular review and update of policies and procedures
2.3 Regulatory Oversight
We are subject to oversight by:
- UAE Data Protection Authority: Primary regulatory body
- DIFC Commissioner of Data Protection: For DIFC operations
- European Data Protection Authorities: For EU data subjects
- RERA: For real estate-specific data handling
3. Data Collection Practices
3.1 Types of Personal Data Collected
| Data Category | Examples | Collection Method | Legal Basis |
| --- | --- | --- | --- |
| Identity Data | Name, passport/ID number, nationality | Registration forms, KYC verification | Legal obligation, contract |
| Contact Data | Email, phone, address | Website forms, direct communication | Consent, legitimate interest |
| Financial Data | Income, bank details, credit history | Mortgage applications, transactions | Consent, contract |
| Property Preferences | Budget, location, property type | Search filters, saved preferences | Legitimate interest |
| Technical Data | IP address, browser, device info | Automatic collection, cookies | Legitimate interest |
| Usage Data | Page views, search history, interactions | Website analytics, app usage | Consent, legitimate interest |
3.2 Data Collection Methods
- Direct Collection: Forms, surveys, direct communication
- Automated Collection: Cookies, analytics, tracking technologies
- Third-Party Sources: Credit agencies, public records, partners
- Publicly Available: Social media, public directories
3.3 Special Categories of Data
Sensitive Personal Data
We may collect special categories of personal data only when necessary and with explicit consent:
- Biometric Data: For identity verification (e.g., fingerprints)
- Location Data: For property recommendations (with consent)
- Health Data: Only if relevant for accessibility requirements
Note: Special category data receives enhanced protection and is processed only when legally permitted.
4. Data Processing and Use
4.1 Purposes of Processing
We process personal data for the following purposes:
Primary Business Purposes
- Property search and recommendations
- Transaction facilitation and management
- Customer service and support
- Account management and authentication
- Payment processing and financial services
Secondary Purposes
- Marketing and communications
- Service improvement and development
- Analytics and market research
- Fraud prevention and security
- Legal compliance and reporting
4.2 Legal Basis for Processing
| Legal Basis | Description | Examples of Use | Data Subject Rights |
| --- | --- | --- | --- |
| Consent | Freely given, specific agreement | Marketing emails, analytics cookies | Withdraw consent anytime |
| Contract | Necessary for contract performance | Property transactions, service delivery | Access, rectification, portability |
| Legal Obligation | Required by law or regulation | AML checks, tax reporting | Limited withdrawal rights |
| Legitimate Interest | Necessary for business operations | Security, service improvement | Object to processing |
4.3 Automated Decision Making
We may use automated processing for:
- Property Recommendations: AI-driven property matching
- Risk Assessment: Fraud detection and prevention
- Credit Scoring: Financial eligibility assessment
- Price Estimates: Automated property valuations
Rights Regarding Automated Processing
You have the right to:
- Request human intervention in automated decisions
- Express your point of view regarding automated processing
- Contest automated decisions that significantly affect you
- Receive information about the logic involved
5. Data Security Measures
Comprehensive Security Framework
We implement industry-leading security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction.
5.1 Technical Security Measures
Encryption and Protection
- Data in Transit: TLS 1.3 encryption
- Data at Rest: AES-256 encryption
- Database Security: Encrypted databases with access controls
- Backup Security: Encrypted backups with versioning
Access Controls
- Multi-Factor Authentication: Required for all admin access
- Role-Based Access: Principle of least privilege
- Regular Audits: Access reviews and monitoring
- Session Management: Automatic timeout and logging
5.2 Organizational Security Measures
- Staff Training: Regular data protection and security training
- Background Checks: Screening for personnel with data access
- Confidentiality Agreements: Binding confidentiality obligations
- Incident Response: Procedures for security incidents
- Vendor Management: Due diligence on third-party providers
5.3 Infrastructure Security
- Cloud Security: AWS/Azure with security certifications
- Network Security: Firewalls, intrusion detection systems
- Physical Security: Secure data centers with controlled access
- Monitoring: 24/7 security monitoring and alerting
- Vulnerability Management: Regular security assessments
5.4 Security Certifications and Standards
Our security framework is aligned with:
- ISO 27001 Information Security Management
- SOC 2 Type II Compliance
- GDPR Technical and Organizational Measures
- UAE Cybersecurity Standards
- PCI DSS for payment processing
- NIST Cybersecurity Framework
6. Data Retention and Deletion
6.1 Retention Principles
We retain personal data only for as long as necessary to:
- Fulfill the purposes for which it was collected
- Comply with legal and regulatory requirements
- Resolve disputes and enforce agreements
- Protect our legitimate business interests
6.2 Retention Periods by Data Type
| Data Category | Retention Period | Legal Basis | Deletion Triggers |
| --- | --- | --- | --- |
| Account Information | Account lifetime + 7 years | Legal obligation, contract | Account closure request |
| Transaction Records | 10 years from completion | Legal obligation (RERA, tax) | Legal requirement expiry |
| Marketing Data | 3 years or consent withdrawal | Consent | Opt-out, inactivity |
| Website Analytics | 26 months maximum | Legitimate interest | Automatic expiry |
| Support Communications | 5 years from last contact | Legitimate interest | Issue resolution |
| Financial Records | 7 years from transaction | Legal obligation | Regulatory requirement |
6.3 Data Deletion Process
Secure Data Disposal
When data reaches the end of its retention period:
- Automated Deletion: System-triggered removal processes
- Secure Erasure: Cryptographic deletion and overwriting
- Backup Removal: Deletion from all backup systems
- Audit Trail: Logging of all deletion activities
- Verification: Confirmation of complete removal
6.4 Exceptions to Deletion
Data may be retained beyond standard periods for:
- Ongoing legal proceedings or investigations
- Regulatory requirements or official requests
- Fraud prevention and detection
- Tax and accounting obligations
- Insurance and liability purposes
7. Your Data Rights
Comprehensive Data Subject Rights
Under applicable data protection laws, you have extensive rights regarding your personal data. We are committed to facilitating the exercise of these rights.
7.1 Right of Access
You have the right to:
- Obtain confirmation of whether we process your personal data
- Access your personal data and receive a copy
- Receive information about processing purposes and recipients
- Know the retention period or criteria for determining it
- Understand your other data subject rights
7.2 Right to Rectification
You can request correction of:
- Inaccurate personal data
- Incomplete personal data
- Outdated information
- Misleading records
7.3 Right to Erasure ("Right to be Forgotten")
You may request deletion when:
- Personal data is no longer necessary for original purposes
- You withdraw consent and no other legal basis exists
- Data has been unlawfully processed
- Erasure is required for legal compliance
- You object to processing and no overriding legitimate grounds exist
7.4 Right to Restrict Processing
You can limit our use of your data when:
- You contest the accuracy of the data
- Processing is unlawful but you prefer restriction over erasure
- We no longer need the data but you need it for legal claims
- You object to processing pending verification of legitimate grounds
7.5 Right to Data Portability
For data processed based on consent or contract, you can:
- Receive your data in a structured, machine-readable format
- Transmit data directly to another service provider
- Request transfer without hindrance from us
7.6 Right to Object
You may object to processing based on:
- Legitimate interests (including profiling)
- Direct marketing purposes
- Scientific, historical, or statistical purposes
7.7 Rights Regarding Automated Decision-Making
You have the right to:
- Not be subject to solely automated decision-making
- Request human intervention in automated processes
- Express your view on automated decisions
- Contest automated decisions
8. International Data Transfers
8.1 Transfer Locations
Your personal data may be transferred to and processed in:
- UAE: Primary data processing location
- European Union: For EU data subjects and GDPR compliance
- United States: Cloud infrastructure and service providers
- Other Countries: As required for specific services
8.2 Transfer Safeguards
We ensure appropriate safeguards for international transfers:
| Safeguard Type | Description | Application | Protection Level |
| --- | --- | --- | --- |
| Adequacy Decisions | EU Commission adequacy findings | Transfers to adequate countries | Equivalent to EU protection |
| Standard Contractual Clauses | EU-approved contract terms | Third-country transfers | Contractual guarantees |
| Binding Corporate Rules | Internal data protection rules | Intra-group transfers | Comprehensive protection |
| Certification Schemes | Industry-standard certifications | Certified service providers | Standardized protection |
8.3 Third-Country Risk Assessment
Before transferring data to third countries, we assess:
- Local laws and government access powers
- Data protection framework and enforcement
- International agreements and cooperation
- Practical considerations and additional safeguards
9. Data Breach Procedures
Incident Response Commitment
We maintain comprehensive incident response procedures to quickly identify, contain, and respond to data breaches while minimizing impact on data subjects.
9.1 Breach Detection and Response
Our incident response process includes:
- Detection: 24/7 monitoring and automated alerting
- Assessment: Immediate risk and impact evaluation
- Containment: Swift action to limit breach scope
- Investigation: Thorough analysis of causes and extent
- Remediation: Corrective actions and security improvements
9.2 Notification Timelines
| Notification Type | Timeline | Recipients | Information Included |
| --- | --- | --- | --- |
| Regulatory Notification | 72 hours of awareness | Data protection authorities | Nature, scope, impact, measures |
| Individual Notification | Without undue delay | Affected data subjects | Clear language, impact, measures |
| Partner Notification | As contractually required | Business partners | Relevant scope and impact |
9.3 High-Risk Breach Criteria
We notify individuals without undue delay when breaches are likely to result in high risk, including:
- Identity theft or fraud potential
- Financial loss or damage
- Unauthorized disclosure of sensitive data
- Significant physical, material, or non-material damage
10. Complaints and Enforcement
10.1 Internal Complaint Process
If you have concerns about our data processing:
- Contact our DPO: First point of contact for data protection issues
- Formal Investigation: We will investigate your complaint thoroughly
- Response and Resolution: Written response within 30 days
- Escalation: Senior management review if unsatisfied
10.2 Regulatory Complaints
You have the right to lodge complaints with data protection authorities:
UAE Data Protection Authority
Email: [DPA Email]
Phone: [DPA Phone]
Website: [DPA Website]
EU Data Protection Authorities
Contact your local DPA
Or the lead supervisory authority
Find contacts: ec.europa.eu/info/law
10.3 Judicial Remedies
You may seek judicial remedies for:
- Violations of data protection rights
- Damages resulting from unlawful processing
- Non-compliance with regulatory decisions