1. Introduction

These Website Terms and Conditions ("Terms") govern your access to and use of the website where these Terms are published (the "Website").

The Website is provided by Onicore Technologies Ltd (together with its permitted successors and assigns, "Onicore", "we", "us", "our").

These Terms are intended to be readable and practical. They cover:

• your rights to view and use the Website,
• what you may and may not do when using it,
• intellectual property, disclaimers, and liability,
• how we handle submissions and enquiries,
• governing law and dispute resolution.

If you do not agree to these Terms, do not use the Website.

‍

2. Company details and contact information

Onicore Technologies Ltd

DIFC License No.: CL11444

Principal place of business: IH-00-01-02-OF-01, Level 2, Innovation Hub 05, Dubai International Financial Centre, Dubai, United Arab Emirates

Telephone: +971 54 201 3311

Email: info@onicore.ae

‍

3. Structure of these Terms

For convenience, these Terms are split into sections. However, all sections form part of a single agreement between you and Onicore.

Some sections apply more strongly depending on how you use the Website. For example:

• If you only browse, Sections 5 to 8 may be most relevant.
• If you submit forms or request information, Sections 9 and 10 become important.
• If you link to our content or use our brand, Sections 8 and 12 matter.

‍

4. Definitions 

In these Terms:

• Content means all text, images, video, audio, code snippets, design elements, layouts, documents, and other materials on the Website, including content we provide and content provided by third parties that appears on the Website.
• Services means products, software, APIs, hosted services, and professional services that Onicore may provide under a separate written agreement. Services are not provided under these Website Terms unless we expressly state otherwise.
• User or you means any person who accesses or uses the Website, including visitors, prospects, customers, partners, suppliers, and job applicants.
• We, us, our, or Onicore means Onicore Technologies Ltd.
• DIFC means the Dubai International Financial Centre.

‍

5. Acceptance, changes, and how the contract is formed

5.1 Acceptance

By accessing or using the Website, you confirm that:

• you have read these Terms,
• you understand them, and
• you agree to be bound by them.

If you use the Website on behalf of an organisation, you confirm that you have authority to bind that organisation.

‍

5.2 Changes to these Terms

We may update these Terms from time to time to reflect:

• changes to the Website,
• changes to our business,
• changes to law or guidance, or
• improvements to clarity.

When we update these Terms, we will update the "Last updated" date where displayed. Your continued use of the Website after a change means you accept the updated Terms.

If changes are material, we may also provide additional notice on the Website.

5.3 Relationship to other documents

These Terms sit alongside our:

• Cookies Policy, and
• Privacy Statement.

If you become a customer and sign a contract with us, that contract governs the Services and will generally override these Website Terms for the specific Service relationship.

‍

6. Website access, availability, and permitted use

6.1 General permission

We grant you a limited, non-exclusive, non-transferable, revocable licence to access and use the Website for lawful purposes and in accordance with these Terms.

6.2 Availability and maintenance

We aim to keep the Website available, but we do not guarantee uninterrupted access.

The Website may be unavailable due to:

• planned maintenance,
• emergency maintenance,
• network issues,
• service provider outages,
• security incidents,
• force majeure events.

We may change or discontinue parts of the Website at any time.

6.3 Geographic availability

The Website is available globally, but not all content or services described may be available in every location. We may restrict access in some circumstances (for example, to comply with sanctions, export controls, or legal restrictions).

6.4 Your responsibilities when using the Website

You agree to:

• use the Website only for lawful purposes,
• ensure any information you provide is accurate (to the best of your knowledge),
• keep any credentials confidential if the Website includes account features,
• respect the rights of other users.

‍

7. Acceptable use rules 

We designed the Website to share information about our company and offerings. You must not use it in ways that harm us, our users, or others.

7.1 You must not misuse the Website

You must not:

• attempt to gain unauthorised access to the Website, servers, or connected systems;
• probe, scan, or test vulnerability without permission;
• bypass or attempt to bypass security or access controls;
• interfere with the normal operation of the Website (for example, by flooding it with requests);
• introduce malware, viruses, trojans, worms, or other harmful code;
• scrape or harvest data from the Website at scale (including through bots) without our consent;
• copy the Website design or structure in a way that competes unfairly or infringes our rights;
• use the Website to send spam or unsolicited marketing messages;
• use the Website to impersonate Onicore or misrepresent your affiliation.

7.2 Fair use of public content

We understand that visitors may:

• bookmark pages,
• share links,
• quote short passages for commentary,
• use screenshots for internal evaluation.

That is generally permitted if it is fair and does not infringe our rights or mislead others.

If you want to reproduce substantial parts of the Website, use our trademarks, or republish our content, you need our written permission unless a legal exception applies.

7.3 Respect for law and third parties

You agree not to use the Website in a way that:

• violates any applicable law,
• violates any third party rights (including intellectual property and privacy rights),
• encourages unlawful activity,
• promotes hate, harassment, or discrimination.

7.4 Automated access and bots

We may allow search engines and certain automation for legitimate purposes, but you must not:

• run aggressive crawlers that degrade performance,
• bypass robots.txt where it is present,
• access restricted areas using automated means.

If you need structured access (for example, for integration evaluation), contact us to discuss options.

7.5 Security reporting and responsible disclosure

If you believe you have found a security vulnerability, see Section 14 (Security and vulnerability reporting). Do not exploit it.

‍

8. Intellectual property and brand

8.1 Ownership of Website content

Unless stated otherwise, the Website and its Content are owned by Onicore or licensed to us.

This includes:

• text, graphics, logos, and designs,
• code and scripts used to operate the Website,
• downloadable documents, whitepapers, and guides (where published).

8.2 Limited licence for personal and business viewing

You may:

• view the Website for your own evaluation,
• print or save a reasonable number of pages for internal review.

You may not:

• republish content for commercial purposes,
• build derivative works from our content,
• remove copyright, trademark, or proprietary notices.

8.3 Trademarks

"Onicore", our logo, and other marks displayed on the Website may be our trademarks or the trademarks of third parties.

Nothing in these Terms grants you a licence to use our trademarks without prior written consent.

8.4 Open-source components

The Website or associated materials may reference open-source software. Open-source components are governed by their own licences. Where we provide open-source notices, they should be respected.

‍

9. Enquiries, submissions, and user-provided information

9.1 General rule: be careful what you send

The Website may allow you to submit information through:

• contact forms,
• demo requests,
• feedback forms,
• job application forms (if present),
• chat or messaging tools.

You should not send:

• confidential information that you do not want shared,
• sensitive personal data,
• information that violates third-party rights.

9.2 Accuracy of submissions

If you submit information, you confirm it is accurate to the best of your knowledge and that you have the right to submit it.

9.3 Ownership and licence of submissions

Where you submit feedback, ideas, suggestions, or proposals (excluding personal data protected by privacy laws), you agree that we may use that feedback to improve our products and services without a duty to compensate you, unless a separate agreement states otherwise.

This does not mean we will publicly disclose your confidential business information; it means that high-level feedback can inform product development.

9.4 No guarantee of response

We aim to respond to enquiries, but we do not guarantee:

• response times,
• that we will accept every request,
• that we will engage in a commercial relationship.

‍

10. Product, service, and technical information on the Website

10.1 Informational nature

Content on the Website is provided for general information. It may describe products, features, roadmaps, and concepts.

Because products and technology evolve, Website information may be incomplete or outdated.

10.2 No binding offer

Unless we expressly state otherwise in writing, the Website does not constitute:

• an offer to sell,
• a binding quote,
• a promise of availability,
• a commitment to deliver a feature by a certain date.

Any binding commitments must be set out in a written agreement signed by Onicore.

10.3 Beta, preview, and roadmap features

If we describe beta or preview features:

• they may change or be withdrawn,
• they may not be available to all users,
• they may be subject to additional terms.

Roadmaps are statements of intent, not contractual promises.

10.4 Customer testimonials and case studies

Testimonials, metrics, and case studies are examples and do not guarantee that all users will achieve the same outcomes.

Outcomes depend on many factors, including customer configuration and compliance obligations.

‍

11. No regulated services, no advice, and no solicitation

11.1 Technology provider, not advice

The Website is not intended to provide:

• legal advice,
• compliance advice,
• accounting advice,
• financial advice,
• investment advice.

If we provide professional advice services, it will be under a separate agreement and may require additional disclosures.

11.2 No offer of securities or financial products

Nothing on the Website is an offer, invitation, or solicitation to:

• buy or sell securities,
• invest in a fund,
• acquire financial products.

11.3 Regulatory perimeter and DIFC context

Onicore is incorporated in the DIFC. Some financial services activities in DIFC are regulated by the Dubai Financial Services Authority (DFSA). Onicore does not represent through this Website that it is authorised by DFSA to carry on any regulated activity, unless we explicitly state this with proper licensing information.

If you are evaluating Onicore for use in regulated activities (for example, payments, digital assets, financial services), you must perform your own regulatory assessment and obtain appropriate professional advice.

11.4 Digital assets and crypto-related content

If the Website includes content about digital assets, tokens, or blockchain technology:

• it is provided for informational and technical discussion,
• it is not a recommendation to transact,
• it does not consider your objectives or risk profile.

Digital assets can be volatile and risky. You should obtain professional advice before making decisions.

‍

12. Third-party websites, content, and tools

12.1 Links to third parties

The Website may include links to third-party websites. We provide links for convenience and do not control third-party sites.

We are not responsible for:

• third-party content,
• third-party privacy practices,
• third-party terms of service,
• third-party availability.

12.2 Embedded tools and integrations

We may embed or integrate tools such as:

• video players,
• map services,
• analytics tools,
• customer support chat widgets,
• form providers.

These tools may have their own terms and privacy notices. Use of such tools may result in data being processed by those third parties as independent controllers.

12.3 Third-party intellectual property

All third-party marks and content remain the property of their owners.

‍

13. Confidentiality and non-disclosure expectations

13.1 Website content is public

Most Website content is public and not confidential.

13.2 When confidentiality may apply

Confidentiality may apply where:

• we exchange information under a non-disclosure agreement (NDA),
• we provide you access to non-public documentation, demos, or portals.

If confidentiality matters, do not rely on Website Terms alone. Ask for an NDA.

13.3 Confidentiality in demo or proposal conversations

We understand that demo and proposal discussions can involve sensitive business context. We generally treat such information responsibly, but formal confidentiality obligations must be in writing.

‍

14. Security, testing, and vulnerability reporting

We care about security. If you believe you have found a security issue relating to the Website:

• Do not exploit the vulnerability, access data that is not yours, or disrupt the Website.
• Report it to info@onicore.ae with sufficient detail to reproduce the issue.
• Allow a reasonable time for investigation and remediation.

We may choose to run a responsible disclosure programme. Unless we explicitly authorise it in writing, you must not perform:

• penetration tests,
• automated vulnerability scans,
• denial-of-service tests,
• social engineering of our staff.

Any unauthorised security testing may be unlawful and may expose you to liability.

‍

15. Disclaimer of warranties

To the maximum extent permitted by law:

• the Website and Content are provided "as is" and "as available";
• we do not warrant that the Website is error-free or uninterrupted;
• we do not warrant that Content is complete, accurate, or up to date;
• we do not warrant that the Website is free of viruses or harmful components (although we take security seriously).

Some jurisdictions do not allow certain warranty exclusions. In those cases, exclusions apply only to the extent permitted.

‍

16. Limitation of liability

16.1 General limitation

To the maximum extent permitted by applicable law, Onicore will not be liable for:

• indirect or consequential loss,
• loss of profits,
• loss of revenue,
• loss of business opportunity,
• loss of goodwill,
• loss of data (except where liability cannot be excluded by law).

16.2 Reasonable allocation of risk

The Website is an informational service. We provide it without charge. It is reasonable to allocate risk in this way.

If you need commercial commitments, reliability guarantees, or indemnities, those must be in a separate written agreement for Services.

16.3 Liability cap (where applicable)

Where liability cannot be excluded, our total aggregate liability for claims arising out of or in connection with the Website and these Terms may be limited to an amount that is reasonable in the circumstances (for example, the amount you paid to us for Services in the 12 months before the claim, if any). If you paid nothing, the cap may be a nominal amount.

The exact cap can vary depending on applicable law and the nature of the claim.

16.4 Nothing limits liability that cannot be limited

Nothing in these Terms excludes or limits liability to the extent it cannot be excluded or limited under applicable law.

‍

17. Indemnity

To the extent permitted by law, you agree to indemnify and hold Onicore harmless against claims, liabilities, damages, losses, and expenses arising from:

• your misuse of the Website,
• your breach of these Terms,
• your infringement of third-party rights,
• your unlawful activity.

This indemnity is subject to any mandatory legal limits.

‍

18. Suspension and termination

We may suspend or terminate your access to the Website if:

• you breach these Terms,
• we reasonably suspect misuse or security risk,
• we need to protect the Website, our users, or third parties,
• we are required to do so by law.

Suspension may be temporary or permanent.

‍

19. Privacy and cookies

Your use of the Website is also governed by our:

• Cookies Policy and
• Privacy Statement.

If you submit personal data through the Website, our Privacy Statement explains how it is handled.

‍

20. Governing law and jurisdiction

These Terms are governed by the laws of the Dubai International Financial Centre (DIFC), without regard to conflict of laws principles that would require the application of other laws.

Subject to any mandatory rights, disputes arising out of or in connection with these Terms or the Website shall be subject to the exclusive jurisdiction of the DIFC Courts.

If you are a consumer, mandatory consumer protection rules may grant you additional rights in your home jurisdiction. These Terms do not limit such mandatory rights.

‍

21. Dispute resolution

Before filing a formal claim, we encourage you to contact us so we can attempt to resolve the issue informally.

A practical escalation route:

• Email info@onicore.ae with details of the issue.
• Allow reasonable time for review and response.
• If not resolved, the matter may proceed through formal channels under Section 20.

‍

22. Compliance commitments (sanctions, export, AML/CTF, anti-corruption)

22.1 Sanctions and restricted parties

You agree not to use the Website or any related Services if doing so would violate applicable sanctions laws or regulations.

We may restrict access where necessary to comply with sanctions regimes, including those applicable in the UAE and internationally.

22.2 Export controls

Technology can be subject to export controls. You agree not to export, re-export, or transfer any Content or Services in violation of applicable export control laws.

22.3 Anti-bribery and corruption

You agree not to offer, promise, or provide anything of value to improperly influence anyone in connection with your relationship with Onicore.

If we enter into a commercial relationship, you may be asked to comply with specific anti-corruption clauses and policies.

22.4 Anti-money laundering and counter-terrorist financing

If we provide services that touch financial crime compliance, we may:

• run due diligence checks,
• request information to satisfy compliance obligations,
• refuse or terminate a relationship where risk is unacceptable.

These measures may be required to align with applicable legal and regulatory frameworks and with customer requirements.

‍

23. Notices and communications

23.1 How to send notices to us

You can contact us by email at info@onicore.ae.

If a formal notice is required (for example, for legal disputes), we may ask you to provide it in writing and with sufficient detail.

23.2 How we may contact you

We may contact you through:

• the email address you provide,
• phone number you provide,
• notices posted on the Website.

‍

24. Miscellaneous

24.1 Entire agreement

These Terms, together with the Cookies Policy and Privacy Statement, form the entire agreement between you and us regarding Website use.

24.2 Severability

If any part of these Terms is found unlawful or unenforceable, the remainder remains in effect.

24.3 Waiver

If we do not enforce a term immediately, that does not mean we waive the right to enforce it later.

24.4 Assignment

We may assign these Terms in connection with a corporate transaction. You may not assign your rights without our written consent.

24.5 No third-party rights

These Terms do not create rights enforceable by third parties except where required by law.

24.6 Language

These Terms are written in English. If translated, the English version prevails in the event of inconsistency, unless a mandatory law requires otherwise.

‍

25. Legal references 

These Terms are drafted with reference to common DIFC legal principles and relevant UAE laws, including laws relating to:

• electronic transactions,
• consumer protection,
• cybercrime,
• intellectual property,
• contractual obligations and remedies.

A consolidated list with official sources is included in Appendix A.

‍

‍

Appendix A: Legal and regulatory references 

A.1 How to read this appendix

This appendix lists the key laws, regulations, and official guidance materials referenced by this pack.

Notes:

• This list is not exhaustive and is not a substitute for legal advice.
• Laws change over time. Always check the most recent consolidated text on official sources.
• Where English translations are provided, the original Arabic or official text may prevail in interpretation, depending on the issuing authority and the specific instrument.

‍

A.2 DIFC laws and DIFC guidance 

A.2.1 DIFC Data Protection

Data Protection Law, DIFC Law No. 5 of 2020 (as amended)
Official DIFC legal database page (includes download link):
https://www.difc.com/business/laws-and-regulations/legal-database/difc-laws/data-protection-law-difc-law-no-5-2020

‍

DIFC Laws Amendment Law No. 1 of 2025 (includes amendments impacting DIFC Data Protection Law and other DIFC laws)
Official DIFC news and enactment information:
https://www.difc.ae/newsroom/news/difc-introduces-laws-amendment-law
Official PDF (Annex A - Amendment Law No. 1 of 2025):
https://assets.difc.com/loader/annex-a_amendment-law-no-1-of-2025.pdf

‍

Data Protection Regulations (Consolidated Version No. 2), in force 1 September 2023
Official PDF:
https://assets.difc.com/loader/data-protection-regulation.pdf

‍

Regulation 10 (Autonomous and semi-autonomous systems/AI systems)
Official DIFC Commissioner of Data Protection page:
https://www.difc.com/business/registrars-and-commissioners/commissioner-of-data-protection/regulation-10

‍

DIFC Commissioner of Data Protection guidance
https://www.difc.com/business/registrars-and-commissioners/commissioner-of-data-protection/guidance

‍

A.2.2 DIFC intellectual property, technology and contracting framework

Intellectual Property Law, DIFC Law No. 4 of 2019
https://www.difc.com/business/laws-and-regulations/legal-database/difc-laws/intellectual-property-law-difc-law-no-4-of-2019

‍

Digital Assets Law, DIFC Law No. 2 of 2024
https://www.difc.com/business/laws-and-regulations/legal-database/difc-laws/digital-assets-law-difc-law-no-2-2024

‍

Electronic Transactions Law, DIFC Law No. 2 of 2017
https://www.difc.com/business/laws-and-regulations/legal-database/difc-laws/electronic-transactions-law-difc-law-no-2-2017

‍

Contract Law, DIFC Law No. 6 of 2004
https://www.difc.com/business/laws-and-regulations/legal-database/difc-laws/contract-law-difc-law-no-6-of-2004

‍

Implied Terms in Contracts and Unfair Terms Law, DIFC Law No. 6 of 2005
https://www.difc.com/business/laws-and-regulations/legal-database/difc-laws/implied-terms-contracts-and-unfair-terms-law-difc-law-no-6-2005

‍

Law of Damages and Remedies, DIFC Law No. 7 of 2005
https://www.difc.com/business/laws-and-regulations/legal-database/difc-laws/law-damages-and-remedies-difc-law-no-7-2005

‍

DIFC Court Law, DIFC Law No. 10 of 2004
https://www.difc.com/business/laws-and-regulations/legal-database/difc-laws/difc-court-law-difc-law-no-10-of-2004

‍

Companies Law, DIFC Law No. 5 of 2018
https://www.difc.com/business/laws-and-regulations/legal-database/difc-laws/companies-law-difc-law-no-5-2018

‍

Operating Law, DIFC Law No. 7 of 2018
https://www.difc.com/business/laws-and-regulations/legal-database/difc-laws/operating-law-difc-law-no-7-2018

‍

DIFC Legal Database
https://www.difc.com/business/laws-and-regulations/legal-database

‍

A.3 UAE federal laws and UAE regulators 

A.3.1 UAE data protection

Federal Decree-Law No. (45) of 2021 Concerning the Protection of Personal Data ("UAE PDPL")
Official download:
https://uaelegislation.gov.ae/en/legislations/1972/download

Practical note: The UAE PDPL includes an exclusion for entities located in UAE free zones that have special personal data protection legislation. DIFC is such a free zone. The UAE PDPL may still be relevant where processing occurs outside DIFC, where required by counterparties, or where other fact patterns bring the processing into scope.

‍

A.3.2 UAE cybercrime and information security

Federal Decree-Law No. (34) of 2021 On Countering Rumors and Cybercrimes
Official download:
https://uaelegislation.gov.ae/en/legislations/1526/download

‍

A.3.3 UAE electronic transactions and trust services

Federal Decree-Law No. (46) of 2021 on Electronic Transactions and Trust Services
Official federal legislation entry (includes executive regulation link):
https://uaelegislation.gov.ae/en/legislations/2585
Official download:
https://tdra.gov.ae/-/media/About/Trust-Services/Laws-and-regulations/Federal-Decree-Law-No-46-OF-2021-On-Electronic-Transactions-and-Trust-Services-EN.ashx

‍

Cabinet Resolution No. (28) of 2023 Regarding the Executive Regulation of the Federal Decree-Law No. (46) of 2021
Official download:
https://uaelegislation.gov.ae/en/legislations/2199/download

‍

A.3.4 UAE consumer protection and telemarketing

Federal Law No. (15) of 2020 on Consumer Protection
Official download:
https://uaelegislation.gov.ae/en/legislations/1455/download

‍

Cabinet Resolution No. (56) of 2024 Concerning the Telemarketing Regulations
Official download :
https://uaelegislation.gov.ae/en/legislations/2519/download

‍

Cabinet Resolution No. (57) of 2024 Concerning Administrative Violations and Penalties related to Telemarketing (penalty schedule)
Official download:
https://uaelegislation.gov.ae/en/legislations/2520/download

‍

A.3.5 UAE anti-spam and communications (TDRA)

TDRA Regulatory Policy: Unsolicited Electronic Communications
Official download :
https://tdra.gov.ae/-/media/About/regulations-and-ruling/EN/cellular-phone-spam-regulatory-policy-English.ashx

Practical note: TDRA policies are often directed at telecom licensees, but they shape the compliance environment for senders and are widely used as a baseline for acceptable marketing practices.

‍

A.3.6 UAE AML/CTF framework 

Federal Decree-Law No. (20) of 2018 On Anti-Money Laundering, Combating the Financing of Terrorism and Financing of Illegal Organisations
Official download:
https://uaelegislation.gov.ae/en/legislations/1016/download

‍

Cabinet Resolution No. (10) of 2019 Concerning the Executive Regulations of Federal Decree-Law No. (20) of 2018
Official download:
https://uaelegislation.gov.ae/en/legislations/1015/download

‍

Cabinet Resolution No. (24) of 2022 (amending some provisions of Cabinet Resolution No. (10) of 2019)
Central Bank rulebook page:
https://rulebook.centralbank.ae/en/rulebook/cabinet-resolution-no-24-2022-amending-some-provisions-cabinet-resolution-no-10-2019

‍

A.4 DIFC financial services regulation 

If Onicore provides technology to regulated entities in the DIFC, those entities may be subject to DFSA requirements. Onicore may be asked to support customer compliance, but compliance responsibility remains with the regulated entity unless a contract states otherwise.

‍

DFSA Rulebook: Anti-Money Laundering, Counter-Terrorist Financing and Sanctions Module (AML)
Official DFSA rulebook entry point:
https://dfsaen.thomsonreuters.com/rulebook/anti-money-laundering-aml

‍

A.5 Additional references that may be relevant depending on facts

Depending on your operations and offerings, additional DIFC, Dubai, UAE, and international laws may be relevant, including but not limited to:

• sector-specific financial services and payment regulations,
• employment and labour laws (if recruitment processing is in scope),
• sanctions regulations and export controls,
• intellectual property enforcement rules,
• consumer advertising standards.

‍

If you operate globally or market into other jurisdictions, you may also need to consider local privacy and consumer laws where users are located.

‍

‍

Appendix B: Glossary and practical definitions

‍

This glossary is intended to reduce confusion when reading legal documents. It does not override statutory definitions, but it aims to explain terms in everyday language.

‍

B.1 Cookies and web technology

Cookie

A small text file stored by your browser. Cookies can store preferences or identifiers. Some cookies are essential for a website to work.

‍

First-party cookie

A cookie set by the website domain you are visiting.

‍

Third-party cookie

A cookie set by another domain, often because a third-party tool (analytics, video, social media widget) is embedded in the page.

‍

Session cookie

A cookie that exists only until you close your browser.

‍

Persistent cookie

A cookie that remains until it expires or you delete it.

‍

Local storage/session storage

Browser storage that can store small amounts of information. Unlike cookies, local storage is not automatically sent with every web request.

‍

Pixel/beacon/tag

A technique that notifies a server that a page was visited or an action occurred. Often used for analytics or marketing measurement.

‍

SDK (Software Development Kit)

A package of code used to add features such as analytics or messaging to an application. On websites, similar code is often loaded as scripts.

‍

CDN (Content Delivery Network)

A network of servers that deliver website content quickly by serving it from a location near the visitor.

‍

CMP (Consent Management Platform)

A tool that shows a cookie banner, records consent, and allows visitors to manage cookie preferences.

‍

B.2 Data protection concepts

Personal Data

Information about an identified or identifiable person. A person can be identifiable even without a name if other identifiers can link the data to them.

‍

Special Category Data/Sensitive Data

Data that receives additional protection. Depending on the legal framework, this can include health data, biometric identifiers, religious beliefs, and similar categories.

‍

Processing

Any action on personal data: collecting, storing, using, sharing, deleting, and more.

‍

Controller

The party that decides why and how personal data is processed.

‍

Processor

The party that processes personal data on behalf of a controller, following the controller’s instructions.

‍

Sub-processor

A processor engaged by another processor (for example, a cloud hosting provider used by a SaaS vendor).

‍

Data Subject

The person whose personal data is being processed.

‍

Data Protection Officer (DPO)

A role required in some circumstances. A DPO advises on compliance and acts as a contact point for regulators and individuals.

‍

Record of Processing Activities (ROPA)

A structured record that lists processing activities, the purposes, the categories of data and recipients, transfers, retention, and security measures.

‍

Data Protection Impact Assessment (DPIA)

A risk assessment used when processing may create high risks for individuals. DPIAs help identify risks and mitigation steps.

‍

Privacy by design / privacy by default

A practice of considering privacy early in product design and choosing privacy-friendly settings as defaults where appropriate.

‍

Anonymisation

A process that removes the ability to identify a person. True anonymisation is hard and must be assessed carefully.

‍

Pseudonymisation

Replacing identifiers with a pseudonym (for example, replacing a name with a random ID). Pseudonymised data can still be personal data if re-identification is possible.

‍

Data minimisation

Collecting only the data you need for a specific purpose.

‍

Purpose limitation

Using data only for the purpose that was explained, unless another lawful basis applies.

‍

Retention

How long data is kept. Retention should be driven by purpose, legal obligations, and risk.

‍

International transfer

Sending, storing, or allowing access to personal data in another country. Transfers can happen even if data stays in one place but is accessed from another.

‍

Adequacy

A legal concept where a jurisdiction is recognised as providing an acceptable level of data protection.

‍

Contractual safeguards

Transfer mechanisms based on contractual commitments and enforceable rights (for example, clauses requiring security, access controls, and transparency).

‍

B.3 Marketing and communications terms

Direct marketing

Communications that promote products or services. It can include email newsletters, calls, SMS, and messaging apps.

‍

Opt-in

A model where marketing messages are sent only after explicit consent.

‍

Opt-out

A model where marketing may be sent until the recipient unsubscribes or objects, subject to legal limits.

‍

Suppression list

A list used to ensure a person who opted out is not contacted again. It typically stores minimal identifiers (such as email address) and the opt-out date.

‍

DNCR (Do Not Call Register)

A register used to stop unwanted marketing phone calls under UAE telemarketing rules.

‍

B.4 Security and operations terms

Authentication

Verifying identity (for example, logging in with a password or multi-factor authentication).

‍

Authorisation

Determining what an authenticated user is allowed to do.

‍

Least privilege

Giving users and systems the minimum access they need to do their job.

‍

Encryption in transit

Protecting data as it moves over networks, for example using HTTPS/TLS.

‍

Encryption at rest

Protecting stored data, for example in databases or backups.

‍

Incident

A security event that could affect confidentiality, integrity, or availability. Not all incidents become reportable breaches.

‍

Breach

A security incident that results in accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access to personal data.

‍

B.5 Commercial and legal terms

B2B (Business-to-business)

An arrangement where products or services are offered to businesses.

‍

B2C (Business-to-consumer)

An arrangement where products or services are offered to individual consumers.

‍

Limitation of liability

A clause that limits the types or amount of damages one party can recover.

‍

Indemnity

A promise to compensate another party for certain losses or claims.

‍

Force majeure

An event outside reasonable control (for example, natural disasters, major outages) that prevents performance.

‍

Governing law

The legal system that applies to the contract.

‍

Jurisdiction

Which courts have authority to resolve disputes.

‍

‍

Appendix C: Template registers and practical compliance checklists 

This appendix contains example templates that can help keep the Cookies Policy and Privacy Statement accurate over time. The templates are illustrative and should be adapted to your actual tools, products, and data flows.

C.1 Cookie register template 

C.1.1 Why a cookie register matters

Cookie banners and policies are most accurate when they reflect:

• what cookies are actually being set,
• what category each cookie belongs to, and
• how long each cookie lasts.

A cookie register is a practical bridge between legal transparency and technical reality.

C.1.2 Suggested fields

A practical cookie register may include:

• Cookie / storage key name
• Provider (first-party or third-party, including vendor name)
• Domain (where it is set)
• Purpose description (plain language, specific)
• Category (necessary / functional / analytics / marketing)
• Duration (session or a set period)
• Type (cookie, local storage, pixel, SDK, server log identifier)
• Data elements (what values are stored, at a high level)
• Whether it involves cross-site tracking (yes/no/unknown)
• Whether it is optional (yes/no)
• Notes (configuration, consent trigger, special settings)

C.1.3 Example cookie register entries 

The following are examples only. Your actual cookie list should come from your website configuration and a technical scan.

Entry 1

• Cookie name: cookie_preferences
• Provider: Onicore (first-party)
• Purpose: store cookie category choices
• Category: strictly necessary
• Duration: 6 to 12 months
• Notes: set only after visitor interacts with cookie banner

Entry 2

• Cookie name: session_id
• Provider: Onicore (first-party)
• Purpose: maintain secure session for logged-in portal (if used)
• Category: strictly necessary
• Duration: session
• Notes: HttpOnly and Secure where feasible

Entry 3

• Storage key: analytics_consent
• Provider: consent management platform
• Purpose: stores analytics consent signal
• Category: strictly necessary
• Duration: 6 to 12 months
• Notes: used to control whether analytics script loads

Entry 4

• Cookie name: analytics_id
• Provider: analytics tool
• Purpose: measure page views and events
• Category: analytics
• Duration: varies by tool
• Notes: ensure IP anonymisation or reduced data settings where supported

‍

C.2 Data retention schedule template

C.2.1 Retention principles

A retention schedule should:

• link each data category to a purpose,
• define a standard retention period,
• identify legal or contractual drivers,
• specify how deletion or anonymisation happens.

Retention should be realistic and operational: a retention schedule that cannot be implemented will quickly drift away from reality.

C.2.2 Example retention schedule 

This example is not legal advice and must be adapted.

Website access logs

• Purpose: security, troubleshooting, performance monitoring
• Typical retention: 30 to 180 days (depending on security needs)
• Notes: longer retention may be needed during incident investigation

Cookie preference records

• Purpose: compliance and preference management
• Typical retention: 6 to 24 months, then refreshed or deleted
• Notes: keep minimal data; store only what is needed to respect choices

Enquiry and contact form submissions

• Purpose: respond to enquiries, business development
• Typical retention: 12 to 36 months after last meaningful interaction
• Notes: delete earlier where not needed; archive only key context

CRM lead records (B2B)

• Purpose: relationship management, proposals, account development
• Typical retention: while active plus 2 to 6 years after last interaction (business decision)
• Notes: retain opt-out status longer to respect suppression

Customer account contacts

• Purpose: contract performance and support
• Typical retention: contract term plus 6 to 10 years (often driven by limitation periods and audit needs)
• Notes: retention can differ by jurisdiction and contract type

Support tickets and incident records

• Purpose: service delivery, troubleshooting, audits
• Typical retention: 2 to 7 years depending on customer and regulatory expectations
• Notes: security incident records may be retained longer

Marketing mailing lists

• Purpose: marketing communications
• Typical retention: until unsubscribe or inactivity period (for example, 12 to 24 months)
• Notes: suppression list retention may be longer for compliance

Recruitment records

• Purpose: hiring decisions
• Typical retention: 6 to 24 months after hiring decision (varies)
• Notes: keep only what is necessary; document retention basis

Accounting and invoicing records (if applicable)

• Purpose: tax and accounting compliance
• Typical retention: as required by applicable tax and accounting laws
• Notes: financial records often have mandatory minimum periods

C.2.3 Deletion and anonymisation practices

Practical approaches include:

• automatic deletion rules in CRM and ticketing systems,
• periodic reviews for long-lived shared folders,
• secure deletion for backups on expiry (where feasible),
• anonymisation of analytics datasets.

C.3 Record of processing activities (ROPA) 

C.3.1 Suggested fields

A controller-focused ROPA may include:

• Processing activity name (for example, "Website analytics")
• Purpose(s)
• Categories of data subjects (website visitors, prospects, customers)
• Categories of personal data
• Categories of recipients
• International transfers (to which countries, safeguards)
• Retention period
• Security measures
• Legal basis (or lawful ground)
• Responsible owner (department / role)
• Processors and sub-processors (where relevant)
• DPIA required (yes/no)

Links to relevant policies (privacy notice, cookie notice)

C.3.2 Example activity entries 

Activity: Website security logs

• Purpose: detect and prevent abuse, maintain availability
• Data: IP address, user agent, timestamps, URL paths, error logs
• Recipients: hosting provider, security monitoring provider
• Transfers: depends on hosting region and team access
• Retention: 30 to 180 days standard, longer for incidents

Activity: Business communications

• Purpose: respond to enquiries, negotiate contracts
• Data: name, email, phone, message content, meeting notes
• Recipients: CRM provider, email provider
• Retention: contract negotiation cycle plus defined period

C.4 International transfer register

International transfers can occur when:

• your cloud hosting region is outside DIFC/UAE,
• your vendors process data in other countries,
• your team accesses data from other countries.

A transfer register can list:

• the data categories,
• the transfer destination,
• the vendor/entity,
• the reason for transfer,
• the safeguard used (contractual, technical, adequacy, etc),
• a review date.

C.5 AI and autonomous systems register 

If you use AI systems that process personal data, consider maintaining a simple register:

• name of system/tool,
• purpose and benefits,
• whether the tool is autonomous or semi-autonomous,
• personal data inputs and outputs,
• risk assessment summary (accuracy, fairness, security),
• human oversight controls,
• vendor terms and data usage settings,
• retention and deletion approach for prompts, logs, and outputs.

C.6 Telemarketing and marketing communications checklist

If you use phone calls or messaging apps for marketing, a practical checklist may include:

• Confirm the legal basis for contacting the person (consent or lawful basis under applicable marketing rules).
• Check the Do Not Call Register (DNCR) for marketing phone calls where required.
• Call only within permitted hours (for example, 9:00 am to 6:00 pm for marketing calls under Cabinet Resolution No. 56 of 2024).
• Ensure the caller identifies:
  - the company,
  - the purpose (marketing),
  - and confirms willingness to continue.
• Respect objections and opt-outs and update suppression lists promptly.
• Avoid repeated unwanted calls and messages.
• Keep records of consent, call outcomes, and opt-outs for audit purposes.

‍

‍

Appendix D: Acceptable Use Policy 

This Acceptable Use Policy ("AUP") expands on Section 7 of the Website Terms and Conditions. It is designed to be specific and operational. If there is any inconsistency between this AUP and the Website Terms, the Website Terms take priority.

D.1 Purpose of the AUP

The Website is intended to:

• provide information about Onicore and what we do,
• allow visitors to contact us,
• share content such as articles, announcements, or documentation (where published).

The AUP exists to protect:

• Website availability and performance,
• Website security and integrity,
• the privacy and rights of users,
• Onicore’s intellectual property and brand.

D.2 General conduct standards

When using the Website, you must:

• act lawfully,
• act honestly and in good faith,
• respect others,
• avoid interfering with the Website or its users.

You must not use the Website in any way that is deceptive, harmful, or abusive.

D.3 Security and technical integrity

D.3.1 No unauthorised access

You must not attempt to:

• access restricted areas without permission,
• obtain data you are not authorised to access,
• bypass authentication or authorisation controls.

Examples of prohibited activity:

• guessing passwords or tokens,
• using leaked credentials,
• exploiting misconfigurations to view hidden pages.

D.3.2 No probing, scanning, or vulnerability testing without permission

Security testing can be valuable, but it must be coordinated.

Without our express written permission, you must not:

• run automated scanners against the Website,
• perform penetration tests,
• exploit a suspected vulnerability,
• publish vulnerability details.

If you find a vulnerability, report it to info@onicore.ae and wait for our response.

D.3.3 No disruption or interference

You must not:

• overload the Website,
• conduct denial-of-service attacks,
• interfere with traffic routing,
• attempt to degrade performance intentionally.

Even well-intentioned automated tools can cause harm if they generate high traffic. If you need to access the Website programmatically, contact us first.

D.3.4 No malware or harmful code

You must not upload, transmit, or otherwise introduce:

• viruses,
• trojans,
• ransomware,
• malicious scripts,
• keyloggers,
• any code designed to compromise security or privacy.

This includes attempts to inject scripts through input fields.

D.3.5 No reverse engineering of protected areas

If the Website includes protected areas (for example, a portal), you must not:

• reverse engineer security controls,
• attempt to extract source code beyond what is publicly delivered to your browser.

Publicly delivered code is visible to browsers, but copying it to replicate the Website or to bypass restrictions may violate these Terms and applicable laws.

‍

D.4 Scraping, crawling, and automated collection

D.4.1 Reasonable browsing is fine

Normal browsing, caching by your browser, and standard search indexing are generally acceptable.

D.4.2 Prohibited scraping and harvesting

You must not scrape or harvest:

• email addresses,
• phone numbers,
• contact details,
• personal data,
• commercial information,

at scale or for spam purposes.

You must not use bots to collect content in a way that competes with the Website or harms performance.

D.4.3 Rate limits and robots controls

We may implement:

• robots.txt rules,
• rate limits,
• bot detection.

You agree not to bypass these measures.

D.5 Misrepresentation and brand misuse

You must not:

• impersonate Onicore or our staff,
• claim endorsement or partnership without permission,
• use our logo or trademarks in a way that implies affiliation.

If you want to announce a partnership, request written approval for brand usage.

D.6 Content restrictions (legal and ethical)

You must not use the Website to:

• upload or transmit unlawful content,
• infringe intellectual property,
• harass, abuse, or threaten others,
• distribute hate speech,
• promote violence or discrimination,
• distribute obscene or illegal material,
• encourage criminal activity.

Even where the Website does not provide "posting" features, this applies to content you submit through forms, chat, or files.

D.7 Privacy and personal data of others

D.7.1 Do not submit personal data you do not have the right to share

If you submit a message to us, you must not include:

• personal data of third parties unless you have authority,
• sensitive personal data unless it is strictly necessary and lawful,
• large lists of individuals.

If you are a business customer providing contact details of colleagues, ensure you have permission or a lawful basis.

D.7.2 No collection or surveillance

You must not use the Website to:

• track individuals in a covert way,
• build profiles using automated means,
• attempt to re-identify anonymised data.

D.8 Use of forms, chat, and support channels

D.8.1 No spam and no bulk messages

You must not use contact forms or chat to:

• send spam,
• send chain messages,
• send marketing messages to our staff.

D.8.2 No abuse of support channels

If we provide support channels, you must not:

• submit false reports,
• submit repeated requests designed to disrupt operations,
• threaten or harass support personnel.

We may block abusive traffic.

D.8.3 File uploads 

If the Website allows file uploads:

• scan your files for malware before upload,
• do not upload illegal or infringing content,
• do not upload sensitive information unless requested through a secure channel.

D.9 Competitive use and unfair behaviour

You must not:

• use the Website to create a competing product by copying substantial parts,
• use the Website to misappropriate confidential information,
• systematically extract product documentation for competitive intelligence.

We understand that competitors may visit our Website. Normal competitive research is common, but automated extraction and misuse is not.

D.10 Consequences of breach

If you breach this AUP, we may:

• restrict or block your access,
• take legal action where appropriate,
• report unlawful activity to relevant authorities.

We may take immediate action if the breach creates security risks or harms users.

‍

‍

Appendix E: Practical privacy and security operations 

This appendix provides operational context that supports the commitments made in the Cookies Policy and Privacy Statement. It is written in a practical style so it can also function as an internal checklist.

E.1 Roles and accountability

E.1.1 Who owns privacy and security

In practice, privacy and security are not owned by one team. They are shared responsibilities across:

• management (risk ownership and resourcing),
• product and engineering (design and implementation),
• operations (day-to-day handling of data),
• sales and marketing (communication practices and consent handling),
• legal and compliance (interpretation and governance),
• vendors (processors and sub-processors).

E.1.2 Data protection officer and points of contact

Under some data protection frameworks, a Data Protection Officer (DPO) may be required in certain circumstances. Whether or not a formal DPO appointment is required, we aim to have:

• a clearly identified internal owner for privacy compliance,
• a channel for data subject requests and privacy questions (info@onicore.ae),
• internal escalation routes for incidents.

E.1.3 Documentation and evidence

Privacy compliance is hard to demonstrate without records. Practical documents and evidence can include:

• records of processing activities (ROPA),
• DPIAs where needed,
• vendor contracts and due diligence records,
• training records,
• security policies and change control records,
• incident logs and post-incident reviews.

E.2 Security measures (more detail)

The specific controls we implement depend on our systems, risk profile, and vendors. The aim is to match controls to risk.

E.2.1 Identity and access management

Common practices include:

• unique user accounts for personnel,
• role-based access controls,
• multi-factor authentication for high-risk systems,
• privileged access management for admin roles,
• periodic access reviews.

E.2.2 Secure configuration and patching

Operational practices may include:

• maintaining an inventory of systems and dependencies,
• applying security patches within a defined timeframe,
• tracking critical vulnerabilities and remediation status,
• secure baseline configuration for cloud resources.

E.2.3 Secure development practices

Engineering practices may include:

• code reviews and peer review,
• automated testing,
• dependency scanning and SCA (software composition analysis),
• secret management (avoiding secrets in code repositories),
• environment separation (dev, staging, production),
• logging and monitoring.

E.2.4 Encryption and key management

Common safeguards include:

• HTTPS/TLS for data in transit,
• encryption at rest for sensitive datasets,
• controlled access to encryption keys,
• secure key rotation where appropriate.

E.2.5 Backups and resilience

Security is not only confidentiality. It is also availability and integrity.

Resilience practices may include:

• regular backups,
• tested restore procedures,
• business continuity and disaster recovery planning,
• redundancy for critical services.

E.2.6 Vendor security assurance

When using third-party vendors, practical controls may include:

• reviewing certifications (for example, ISO 27001, SOC 2) where available,
• reviewing security documentation and incident history,
• ensuring contracts include appropriate security and breach notification terms,
• understanding where data is stored and who can access it.

E.3 Personal data breach and incident response

E.3.1 What counts as an incident

Incidents can include:

• unauthorised access to a system,
• malware infection,
• misdirected emails with personal data,
• accidental publication of data,
• loss of a device containing data.

Not every incident becomes a reportable breach, but every incident should be evaluated.

E.3.2 Incident response phases

A structured incident response process often includes:

Detect and triage - identify the event, gather facts, stabilise systems.

Contain and mitigate - stop the spread, revoke credentials, isolate affected systems.

Assess impact - what data was involved, how many individuals, what harm could occur.

Notify where required
- notify customers under contract if relevant,
- notify regulators where required,
- notify individuals where required.

Remediate and recover - fix root cause, restore services, validate security.

Learn and improve - post-incident review, update controls, training.

E.3.3 Communications discipline

During an incident:

• keep communications factual and documented,
• limit internal speculation,
• ensure external communications are coordinated,
• avoid releasing personal data in incident reports.

E.3.4 Logging and evidence preservation

For incident handling and potential legal obligations, it is often important to:

• preserve relevant logs,
• preserve evidence appropriately,

 document decisions and timelines.

E.4 Data subject rights request procedure 

When a data subject makes a request (access, deletion, objection, etc), an operational procedure can include:

Receive and log the request - record date, channel, request type, requester identity details.

Verify identity - verify in proportion to risk (avoid collecting excessive new data to verify).

Clarify scope where needed - for example, "Which email address did you use?" or "Which interaction are you referring to?"

Locate data - search relevant systems (email, CRM, support tools, analytics where applicable).

Assess applicability and exceptions - legal retention, impact on others, confidentiality, privilege.

Respond - provide data or confirm action, or explain limitations.

Update suppression lists (if marketing-related) - ensure opt-out is respected across systems.

Close and archive - retain minimal evidence that the request was handled (for accountability).

E.5 Vendor, sub-processor, and procurement governance

E.5.1 Vendor onboarding checklist 

A practical vendor checklist may include:

• What personal data will the vendor process?
• Is the vendor a processor or a controller in this context?
• Where is data stored and accessed from?
• Does the vendor use sub-processors?
• What security controls and certifications exist?
• What are the breach notification timelines?
• How does deletion work at end of contract?
• Does the vendor use data for its own purposes (training, analytics, advertising)?

E.5.2 Contract terms that often matter

Depending on the risk level, key terms can include:

• processing instructions,
• confidentiality,
• security measures,
• breach notification and cooperation,
• sub-processing controls,
• audit rights,
• deletion and return of data,
• international transfer safeguards.

E.6 International transfers

For cross-border processing, practical steps may include:

• mapping which vendors and teams access data from which countries,
• identifying the transfer mechanism or safeguard used,
• ensuring contracts include transfer clauses where required,
• applying encryption and access controls,
• documenting review dates.

E.7 AI and autonomous systems governance (Regulation 10 support)

If AI systems are used in a way that processes personal data, practical governance may include:

• Purpose definition: define what the AI tool is for and what it is not for.
• Data minimisation: avoid feeding unnecessary personal data into models.
• Accuracy and quality: test outputs for errors and biases relevant to the use case.
• Human oversight: ensure material decisions are reviewed by humans.
• Security: control access to prompts, outputs, and logs.
• Vendor settings: where third-party AI is used, confirm settings about data retention and model training.
• Transparency: provide meaningful information about significant automated processing where required.
• Auditability: keep records of model versions, prompts templates, and decision logic where relevant.

E.8 Periodic reviews and continuous improvement

Privacy and security are not one-time tasks. Practical review routines may include:

• quarterly review of cookie and tracking tools,
• periodic refresh of vendor lists and sub-processors,
• annual review of retention schedule,
• periodic security risk assessment,
• testing incident response procedures.

‍

‍

Appendix F: Frequently asked questions (FAQ) and practical examples

This FAQ is provided to make the legal documents easier to use. It is not a substitute for the binding Terms, Cookies Policy, or Privacy Statement.

F.1 Cookies and tracking FAQ

Q1: Do I have to accept cookies to use the Website?

No. In many cases, you can use the Website with only strictly necessary cookies. However, if you reject optional cookies:

• some features may be less convenient (for example, preferences may reset),
• we may have less visibility into performance and usage, which can slow improvement.

Q2: What happens if I accept analytics cookies?

If you accept analytics cookies (where offered), we may collect information such as:

• which pages are viewed,
• how long pages take to load,
• what links are clicked,
• error events.

We use this to improve the Website. We aim to avoid unnecessary identification and we use settings that reduce data collection where feasible.

Q3: What happens if I accept marketing cookies?

Marketing cookies can support:

• campaign measurement (for example, whether a visitor came from a specific campaign),
• conversion measurement (for example, whether a "Request a demo" action occurred),
• in some cases, remarketing (showing follow-up ads on other platforms).

If you do not want this, you can decline marketing cookies through the cookie banner or settings.

Q4: Are cookies always personal data?

Not always. Some cookies store purely technical settings. However, many cookie identifiers and device identifiers can become personal data when they can be linked to an individual. We treat cookie data cautiously and in line with our Privacy Statement.

Q5: How do I change my cookie choices later?

Typically, you can:

• use the cookie settings tool (if available), and/or
• delete cookies in your browser and revisit the Website.

Deleting cookies can reset your consent record, so you may see the cookie banner again.

Q6: Do you track me across other websites?

Our intent is to use tracking only where it supports legitimate purposes and only where enabled through preferences, where required. Third-party embedded tools may have their own tracking behaviour, which is why we recommend reviewing third-party notices and using cookie controls.

‍

F.2 Privacy FAQ

Q1: What data do you collect if I only browse the Website?

Browsing can create:

• server logs (IP address, user agent, timestamps),
• cookie preference data,
• optional analytics data (if enabled).

You do not need to provide your name or email to browse most public pages.

Q2: What data do you collect if I fill out a contact form?

A typical contact form submission may include:

• name, email, phone number (if provided),
• company name and job title (if provided),
• the message you send.

We use it to respond. We may store a record of the conversation for continuity and audit.

Q3: Do you sell personal data?

We do not sell personal data as a standard business practice. We share personal data with service providers only to the extent needed to operate the Website and manage communications.

Q4: Do you share personal data with authorities?

We may share personal data with authorities only when required by law or where necessary for legal claims and protection. We aim to validate requests, minimise disclosures, and document our decisions.

Q5: Where is my data stored?

Storage depends on the systems involved (hosting, email, CRM, support tools). Some systems may store or process data outside DIFC/UAE. Where personal data is transferred internationally, we apply safeguards described in the Privacy Statement.

Q6: How long do you keep my data?

We keep personal data for as long as needed for the purpose, plus as needed for legal and security reasons. Retention differs by data type. Appendix C provides example retention periods.

Q7: How do I request access or deletion?

Email info@onicore.ae with your request. We may ask for verification. We will respond in line with applicable law and may explain if an exception applies (for example, legal retention obligations).

Q8: Do you use AI tools with my data?

We may use automation and AI tools to improve security, operations, or productivity. Where such tools process personal data, we aim to use safeguards such as minimisation and human oversight. For significant automated processing, we will assess risks and provide information where required.

F.3 Website Terms FAQ

Q1: Can I copy content from the Website into my own website or marketing materials?

Not without permission, unless a legal exception applies. You can usually:

• share links,
• quote short extracts with attribution,
• use content internally.

If you want to reproduce substantial parts, request written consent.

Q2: Can I use your logo to say I work with Onicore?

Only with permission. Brand use should be agreed in writing to avoid confusion.

Q3: Is the Website an offer to provide services?

No. The Website is informational. Any binding commitment requires a written contract signed by Onicore.

Q4: Can I rely on the Website to make compliance decisions?

No. The Website does not provide legal, compliance, or financial advice. If you are operating in a regulated industry, get professional advice.

Q5: What should I do if I find a security issue?

Do not exploit it. Report it to info@onicore.ae with details. We may ask for additional information. Do not publish details without permission.

Q6: What happens if I breach the Terms?

We may block access or take other action to protect the Website and our users. Serious breaches (for example, hacking attempts) may be reported to authorities where required.

F.4 Practical scenarios

Scenario 1: A prospect requests a demo and later asks to be deleted

We may delete the prospect’s information where appropriate, but we may retain minimal suppression information to respect the opt-out and limited records needed for compliance.

Scenario 2: A visitor rejects cookies and the Website behaves differently

If optional cookies are rejected, some convenience features may not work, and analytics may be limited. The Website should still function with essential cookies.

Scenario 3: A business contact receives a marketing email and unsubscribes

We will process the unsubscribe request and place the contact on a suppression list so they do not receive marketing emails again. We may still send operational emails if there is an active customer relationship and the message is not marketing.

Scenario 4: A third-party embeds content on our pages and sets cookies

Embedded third-party content can create third-party cookies and additional data flows. Where feasible, we provide transparency and control through cookie settings and by limiting unnecessary embeds.

‍