Personal Data & Cookie Policy

Terms & Definitions

1. “Policy” — this Personal Data and Cookies Policy, available online at serdar.ae/terms.
2. “We”, “Our”, “Us”, as well as the “Operator” — SERDAR PROPERTIES Limited Liability Company (Broker ORN: 30683, Address: Office 1306, Westbury Office Tower, Business Bay, Dubai, UAE, e-mail: info@serdar.ae).
3. “You”, “Yours”, as well as the “Personal Data Subject” — our counterparty under the User Agreement, which may be an individual who uses the Site in the manner and on the terms established by the User Agreement.
4. “User Agreement” — an offer regulating the use of the Site by Users, available at serdar.ae/privacy-policy.
5. “Personal Data” — any information that relates to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
6. “Personal Data Processing” or “Processing” — any action (operation) or set of actions (operations) performed with or without the use of automation tools with Personal Data, including collection, recording, systematisation, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalisation, blocking, deletion and destruction of Personal Data. Personal Data Processing is carried out through mixed (including automated) processing.
7. “Automated Personal Data Processing” — Personal Data Processing performed using computer technology.
8. “Confidentiality of Personal Data” — the mandatory requirement for Us, or any other person who has gained access to Personal Data, not to allow its distribution without the consent of the Personal Data Subject or other legal grounds.
9. “Personal Data Depersonalisation” — actions performed to make it impossible, without the use of additional information, to determine whether Personal Data belongs to a specific Personal Data Subject.
10. “Site” — our website at serdar.ae.
11. “Cookies” — small text files placed by the Site system on your computer or device when, for example, you visit specific sections of the Site or use certain Site features.
12. “GDPR” or “Regulation” — General Data Protection Regulation 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons concerning the processing of their Personal Data and on the free movement of such data, repealing Directive 95/46/EC, as amended by subsequent amendments, changes and additions included in the national legislation of participating countries.
13. “CalOPPA” — the California Online Privacy Protection Act.
14. “CCPA” — the California Consumer Privacy Act, the first comprehensive privacy law in the United States, passed in late June 2018, introducing various privacy rights to California consumers.
15. “UPA” — the U.S. Privacy Act 1974, which governs the handling of Personal Data of U.S. citizens and residents.
16. “PECR” — Privacy and Electronic Communications Regulations (EU Directive) 2003.
17. “UAE data protection and privacy laws” — all laws and regulations governing Personal Data Processing, including but not limited to: (1) Dubai Data Protection and Privacy Law, (2) Federal Data Protection Law (Law No. 45 of 2021), effective January 2, 2022, (3) Constitution of the United Arab Emirates (Federal Law No. 1 of 1971), (4) Crime and Punishment Law (Federal Law No. 31 of 2021 repealing Federal Law No. 3 of 1987), (5) Cybercrime Law (Federal Law No. 5 of 2012 on Combating Information Technology Crimes, as amended by Federal Law No. 12 of 2016 and Federal Decree-Law No. 2 of 2018), (6) Communications Regulation Law (Federal Law under Decree 3 of 2003, as amended), together with regulations and policies adopted by the State Telecommunications and Digital Regulatory Authority (TDRA) concerning the protection of telecommunications consumer data in the UAE.

Subject & Grounds for Personal Data Processing

Subject

The provisions of this Policy apply to our Processing of your Personal Data arising out of your use of the Site, performed based on your acceptance of the User Agreement.

Grounds

The basis for processing your Personal Data is always your consent. Without agreeing to the terms of this Policy, we will not be able to fully ensure the fulfilment of obligations under the agreements concluded with you (including, but not limited to, the User Agreement).

Policy Acceptance

In this section you can learn about the actions entailing your consent to the Processing of your Personal Data (“Processing Consent”).

1. Content of the Processing Consent. By submitting the Processing Consent, you confirm that you have fully read and agree with the User Agreement, Personal Data and Cookies Policy, and you provide specific, substantive, informed, conscious and unambiguous Processing Consent.
2. Please note that Processing Consent means that you express your consent to the Automated Processing of your Personal Data, as well as non-automated Processing, under the conditions set out herein and in the Personal Data Processing Consent.
3. Callback Order. If you order a callback using the relevant functionality of the Site, you are deemed to have given your Processing Consent at the moment you click the “Order a Call” button (or equivalent).
4. Outgoing Call. By making a call to the Operator and continuing the conversation with the Operator’s employee, you provide your Processing Consent.
5. Messaging. If you send us a message via a messenger, including via the corresponding functionality of the Site, your Processing Consent is deemed granted at the moment of sending the first message.
6. Site Browsing. If you simply browse the Site, you are deemed to have given us your Processing Consent to the extent set out herein (technical data, cookies), unless a different consent procedure for the processing of cookies is implemented on the Site.
7. Retention of Consent Information. Please note that we may retain data about your actions (through a system of logging your actions or an analog) confirming your Processing Consent as specified in this section for three (3) years after you have given your consent to the Policy, unless a different period is provided by law.

Term of Policy and Personal Data Processing

1. Validity of the Policy. After accepting the terms of the Policy, the Policy is valid indefinitely. However, this does not affect the period for processing your Personal Data established by this Policy.
2. Personal Data Processing Period. As a general rule, we process your Personal Data until we contact you at your request, as well as within three (3) years thereafter, unless a different period is established by applicable law, the User Agreement, or another agreement related to the use of the Site or the Processing of your Personal Data. We will stop processing your Personal Data if you object to such Processing or withdraw your previously given consent, subject to the terms of this Policy and applicable law.
3. Policy Amendment. We may amend this Policy at any time. Amendments may be caused by changes in our business processes, external factors, or other reasons. Upon amending, we immediately publish the new Policy on the Site so that you can study it. Your use of the Site after the latest version is published will be unconditionally interpreted as your acceptance of the amended Policy.

Legal Basis, Goals & Principles

1. Legal Basis. The Policy has been developed based on the following laws: GDPR, CalOPPA, CCPA, PECR, Federal Data Protection laws, the Laws of the UAE on data protection and privacy, as well as other laws and by-laws that determine the cases and features of the Personal Data Processing.
2. Goals. This Policy pursues the following objectives:
   1. Ensuring the requirements for the protection of the rights and freedoms of a person and citizen in the Personal Data Processing, including the protection of the rights to privacy, personal and family secrets.
   2. Exclusion of unauthorised actions (illegal or accidental access) of any third parties to your Personal Data, as well as the destruction, modification, blocking, copying and distribution of Personal Data.
   3. Ensuring the legal and regulatory regime of confidentiality and control of your Personal Data.
   4. Protecting the constitutional rights of citizens to personal secrecy and preventing possible threats to your security.
3. Thus, the primary purpose of the Policy is to provide you with a complete and transparent understanding of the legal basis for the collection and processing of your Personal Data, the categories of Personal Data we may collect, what happens to it, where we process it, how long we keep it, with whom we may share it, and your rights as a Personal Data Subject.
4. Principles. We pursue the following principles of Personal Data Processing:
   1. Processing must be carried out on a lawful and fair basis.
   2. Processing must be limited to the achievement of specific, predetermined and legitimate purposes. Processing incompatible with the purposes of collecting Personal Data is not allowed.
   3. The content and scope of the processed Personal Data must correspond to the stated purposes of processing and must not be excessive.
   4. During processing, we safeguard the accuracy, sufficiency, and relevance of Personal Data in relation to the purposes of its processing.
   5. Personal Data is stored no longer than required by the purposes of processing, unless a different storage period is provided by this Policy.

Range of Personal Data Collected

1. Callback Request. You can request a callback by leaving the following data through a special form on the Site: (1) mobile phone number, (2) name. By providing the data of third parties, you agree to comply with the guarantees specified in this Policy.
2. Messengers Data. On our Site, it is possible to write to us via WhatsApp, Telegram, or other messengers (if available). The Site has special URL links enabling you to send us a message through a selected messenger. When you send such a message, we receive the address of your account in that messenger and other data you have made publicly available.
3. Technical Data. While using the Site, we automatically collect some of your Personal Data. Such data includes, for example, technical information including IP address, login information, browser type and version, time zone setting, browser plug-in types and versions, operating system, platform, and information about your visits to the Site.
4. Other Data. In exceptional cases, we may ask you to provide additional Personal Data. We will notify you in advance and request your additional consent before processing.
5. Third-Party Data. If you provide us with the Personal Data of third parties, you warrant that you have obtained all the necessary consents from those persons (including their consent to the transfer of Personal Data). You are responsible for the accuracy of any third-party Personal Data you provide.

Personal Data Subject Rights

1. Receiving Information. You have the right to obtain information about us, our location, whether we hold your Personal Data, and to access such Personal Data.
2. Clarification. You have the right to request clarification, blocking or destruction of your Personal Data if it is incomplete, outdated, inaccurate, illegally obtained, or not necessary for the stated purpose of processing — and to take legal measures to protect your rights.
3. Submission Form. Information about whether we have Personal Data will be provided in an accessible form and will not contain Personal Data of other Personal Data Subjects.
4. Access Order. You may access your Personal Data in person or by written request. Requests can be sent electronically. We must respond to your request within thirty (30) days of receipt, extendable up to sixty (60) days depending on the complexity and number of requests.
5. Response Content. In response to a request for access to Personal Data, you are entitled to receive information regarding our Processing, including: (1) confirmation of the fact of Processing and its purpose, (2) the Personal Data processed, (3) the name and location of the Operator and persons with access, (4) the list of processed Personal Data and its source, (5) Processing terms including storage periods, (6) information about legal consequences for the Personal Data Subject that may be caused by the Processing.
6. Consent Withdrawal. You have the right to withdraw consent to Personal Data Processing, limit the methods and forms of Processing, and prohibit the transfer of your Personal Data without relevant permission.
7. Right to Contest. You have the right to contest our actions or omissions to the authorised body for the protection of the rights of Personal Data Subjects, or in court.
8. Right to Protection. You have the right to protect your rights and legitimate interests, including compensation for damages and compensation for moral damage in court.

Data Subject Rights (GDPR)

If you are a citizen of a member state of the European Economic Area or the United Kingdom (or if you legally provide us with such a person’s Personal Data), you also have the following rights. You can exercise them by sending an appropriate e-mail to our contact address.

1. Right to Be Informed (Arts. 12–14 GDPR). You have the right to be informed about the collection and use of your Personal Data — in particular, the purposes of processing, retention periods, and the parties it will be shared with. This information must be provided when we collect your Personal Data. If we receive Personal Data from another source, we will notify you within a reasonable time, and no later than one month.
2. Right to Access (Art. 15 GDPR). You have the right to receive confirmation from the Operator as to whether Personal Data concerning you is being processed and, where applicable, access to that Personal Data and related information, including the purposes of processing, categories of data, recipients, envisaged retention period, the existence of your other rights, the right to lodge a complaint with a supervisory authority, and information about any automated decision-making including profiling.
3. Right to Rectification (Art. 16 GDPR). You have the right to have inaccurate Personal Data corrected, and to complete incomplete Personal Data — including by providing a supplementary statement.
4. Right to Erasure / “Right to be Forgotten” (Art. 17 GDPR). You have the right to request deletion of your Personal Data when: it is no longer necessary for the purposes for which it was collected; you withdraw your consent and there is no other legal ground for processing; you object to processing and there are no overriding legitimate grounds; the Personal Data has been processed illegally; or deletion is necessary to comply with a legal obligation.
5. Right to Restrict Processing (Art. 18 GDPR). You have the right to request the restriction of processing in the cases listed in Art. 18 of the Regulation, in which case such Personal Data will be stored but not further processed.
6. Right to Data Portability (Art. 20 GDPR). You have the right to obtain and reuse your Personal Data for your own purposes across different services. You can move, copy or transfer Personal Data from one environment to another, securely and without affecting its usability.
7. Right to Object (Art. 21 GDPR). You have the right to object to the processing of your Personal Data at any time on grounds relating to your particular situation. If your Personal Data is processed for direct marketing purposes, you have the right to object at any time, including to profiling related to such marketing.
8. Rights Related to Automated Decision-Making (Art. 22 GDPR). You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects on you or similarly significantly affects you. This right is not absolute and only applies under certain circumstances. You may withdraw your consent at any time; withdrawal only applies to the future.

Personal Data Storage

Personal Data Localisation. If you are a citizen of a member state of the European Economic Area, the United Kingdom, or another country whose Personal Data laws require that Personal Data be processed in the territory of such country, your Personal Data is collected and processed in the territory of the European Economic Area or such country, respectively.

Principles & Measures for Personal Data Protection

1. Protection Principles. We apply legal, organisational, administrative, technical and physical measures to protect Personal Data and ensure its security.
2. Protective Measures. Measures to ensure the security of Personal Data during processing are planned and implemented to comply with legislation in the field of Personal Data protection. We safeguard your Personal Data through, among other measures:
   1. Limiting and specifying the Operator’s employees who have access to Personal Data.
   2. Appointing a person responsible for organising Personal Data Processing.
   3. Developing and implementing local acts on Personal Data processing issues.
   4. Identifying threats to the security of Personal Data during processing in Personal Data information systems.
   5. Applying organisational and technical measures to ensure the security of Personal Data.
   6. Using information security tools that have passed conformity assessment in accordance with established procedure.
   7. Accounting for electronic storage media.
   8. Establishing rules for access to Personal Data.
   9. Restricting access to premises where technical means processing Personal Data are located.
   10. Detecting facts of unauthorised access and taking preventive measures.
   11. Including Personal Data (not publicly available) in the list of the Operator’s confidential information.
   12. Obtaining a non-disclosure obligation from all employees involved in Processing.
   13. Restoring Personal Data modified or destroyed due to unauthorised access.
   14. Familiarising employees involved in Processing with applicable legislation and local acts.
   15. Exercising control over the measures taken to ensure the security of Personal Data.

Cookies

1. Use of Cookies. The Site uses cookies. When you visit the Site, your Internet browser transmits certain information to our server: (1) date and time of visit, (2) browser type, (3) language settings, (4) operating system. This information is stored in connection logs for a limited time (from a season to a year) to ensure the security and proper operation of the Site and collect statistical information.
2. Functional Cookies. There are different groups of Cookies used on the Site.

   The first group is functional and technical Cookies. Their main function is to allow the Site server to obtain information about your session, language, browser and similar — and to ensure the full operation of the Site. These cookies are needed to recognise you when you revisit the Site, allowing us to personalise content and remember your preferences.

   The second group is analytical cookies. They allow us to evaluate and count the number of visitors and understand how they navigate the Site. This helps us improve the Site’s operation — for example by optimising the search for desired sections. You have the right to refuse analytical cookies by making the appropriate settings in your web browser.

3. Cookies Storage Period. When stored on users’ devices, Cookies are divided into Persistent Cookies and Session Cookies.
   • Session Cookies are stored on your device until you close your browser.
   • Persistent Cookies are stored on your device until they expire or you delete them.
4. Disabling Cookies. You can accept or decline cookies on all websites you visit by changing your browser settings. Each browser has its own settings to change and delete cookies. Certain Site features may not be available if you disable Cookies. For more information, please refer to your browser’s instructions or visit aboutcookies.org or allaboutcookies.org. If you use different devices to access the Site, ensure that each browser on each device is set according to your cookie preferences.

Legally Significant Communication

1. Parties Details. In the course of fulfilling obligations under this Policy and/or other obligations as a Personal Data Operator, there may be (and in some cases must be) an exchange of legally significant messages between us. Such exchange occurs through the Parties’ official contacts, both in writing and in electronic form. Our details are indicated in the Legal Notice at the bottom of this document. You indicate your data when you leave a callback request or send us a message through a messenger or other channel. Please remember that you bear all the risks associated with keeping your communication data up to date.
2. Correspondence Exchange. The exchange of correspondence is possible only using the Parties’ data as determined by the rules of this Policy.

Miscellaneous

Divisibility clause. If one or more provisions of this Policy are declared invalid or unenforceable, such provisions will be replaced by valid provisions as close as possible in meaning to the originals. The Policy cannot be invalidated in full under any circumstances.

Legal Notice