Privacy statement

Effective date: 25 January 2026
Last updated: 25 January 2026

1. Overview and purpose

This Privacy Statement describes how Onicore Technologies Ltd ("Onicore", "we", "us", "our") collects, uses, shares, and protects personal data when you:

  • visit or use our Website;
  • contact us (for example, by email, webform, chat, phone, or social media);
  • request a demo, proposal, or information about our products or services;
  • subscribe to newsletters or event updates (if offered);
  • apply for a job or engage with us in a recruitment process; or
  • otherwise interact with us in a business context.

We aim to be clear and specific. However, privacy is inherently contextual: the exact data we process depends on what you do (for example, whether you fill in a form, open an email, or request a meeting).

If you are an end user of a service provided by one of our customers, the customer is usually the controller for that service and should provide its own privacy notice. In that context, we may act as a processor or sub-processor under contract. If you are unsure, contact us and we will point you in the right direction.

2. Who we are 

Controller (for Website and direct communications): Onicore Technologies Ltd

DIFC License No.: CL11444

Principal place of business: IH-00-01-02-OF-01, Level 2, Innovation Hub 05, Dubai International Financial Centre, Dubai, United Arab Emirates

Telephone: +971 54 201 3311

Email: info@onicore.ae

2.1 How to reach us about privacy

If you have a privacy question or want to exercise a data subject right, email info@onicore.ae with:

  • your name and preferred contact details,
  • the relationship you have with us (visitor, prospect, customer, partner, applicant),
  • the specific request you are making, and
  • any supporting details that help us locate the relevant data.

We may ask for reasonable additional information to verify identity before responding, especially for requests relating to access, deletion, or portability.

3. Scope and what this statement covers

This Privacy Statement covers personal data processing by Onicore in these contexts:

  1. Website use: pages, forms, cookies, logs, and security monitoring.
  2. Business communications: emails, calls, meetings, and records of commercial discussions.
  3. Marketing and events: newsletters, event invitations, and marketing communications.
  4. Recruitment: job applications and hiring processes (if applicable).
  5. Customer and partner operations: onboarding, account management, support, and relationship management for business customers and partners.

This Privacy Statement does not replace contractual terms such as:

  • a customer master agreement,
  • a data processing agreement (DPA),
  • standard contractual clauses for international transfers (if applicable), or
  • a product-specific privacy notice.

Where a contract applies, the contract may allocate roles and responsibilities differently (for example, controller vs processor).

4. Key definitions 

For convenience, we use the following definitions:

  • Personal Data: information relating to an identified or identifiable individual (for example, name, email, phone number, IP address when it can be linked to you).
  • Special Category Data / Sensitive Data: data that receives higher protection under many privacy frameworks (for example, health data, biometric identifiers, racial or ethnic origin). We do not intentionally seek to collect this through the Website.
  • Processing: any operation performed on personal data (collection, storage, use, disclosure, deletion).
  • Controller: the party that determines the purposes and means of processing.
  • Processor: the party that processes personal data on behalf of a controller.
  • Data Subject: the individual to whom the personal data relates.
  • DIFC: Dubai International Financial Centre.

These terms are used broadly, consistent with the DIFC data protection framework.

5. Legal framework and sources we rely on

Because we are incorporated in the DIFC, DIFC rules are the primary legal framework for our DIFC-based processing.

5.1 DIFC data protection framework

  • DIFC Data Protection Law, DIFC Law No. 5 of 2020 (as amended).
  • DIFC Laws Amendment Law, DIFC Law No. 1 of 2025, which includes amendments to the Data Protection Law 2020 and clarifies, among other things, scope, data sharing and certain remedies.
  • DIFC Data Protection Regulations (Consolidated Version No. 2, in force on 1 September 2023), including Regulation 10 on processing personal data through autonomous and semi-autonomous systems (for example, AI systems).

DIFC publishes guidance and tools through the Commissioner of Data Protection. Guidance is not law, but it can help interpret obligations and best practices.

5.2 UAE federal laws 

Depending on the specific activity, UAE federal laws may also apply.

Examples include:

  • Federal Decree-Law No. (34) of 2021 concerning the Countering Rumors and Cybercrimes (cybercrime and misuse of information systems).
  • Federal Law No. (15) of 2020 concerning Consumer Protection (where relevant to consumer-facing interactions).
  • Federal Decree-Law No. (46) of 2021 on Electronic Transactions and Trust Services (electronic communications and trust services).
  • Cabinet Resolution No. (56) of 2024 concerning the Telemarketing Regulations (rules for marketing calls and marketing messages via telephone and social media applications, including the Do Not Call Register).

The UAE also has a federal Personal Data Protection Law (Federal Decree-Law No. (45) of 2021). It includes an exclusion for entities located in free zones that have special personal data protection legislation. DIFC is such a free zone. Even where the UAE PDPL does not directly apply to DIFC-based processing, we aim to align with recognised privacy principles and treat privacy as a core operational value.

5.3 International best practices 

We also align our approach with internationally recognised standards and best practices, such as:

  • the principles of transparency, minimisation, and security;
  • privacy-by-design and privacy-by-default where appropriate; and
  • vendor due diligence and accountable processing.

6. Our privacy principles 

We apply these practical principles when we design features, choose vendors, or respond to requests:

  • Lawfulness and fairness: we avoid collecting or using data in ways people would not reasonably expect.
  • Transparency: we explain what we do in clear language and keep notices accessible.
  • Purpose limitation: we use data for the purposes we explain, and we avoid "scope creep".
  • Data minimisation: we ask only for data that is relevant to the purpose.
  • Accuracy: we aim to keep data accurate and allow updates.
  • Storage limitation: we do not keep data forever; we apply retention periods.
  • Security: we use technical and organisational safeguards.
  • Accountability: we document our processing, assess risk, and review vendors.

7. What personal data we collect

We collect personal data in several ways: directly from you, automatically through your device, and sometimes from third parties.

7.1 Data you provide to us

Depending on how you interact with the Website and with us, you may provide:

  • Identity data: name, surname, professional title.
  • Contact data: email address, phone number, business address.
  • Organisation data: company name, role, industry, company size (if provided), country.
  • Communication data: message content, meeting notes, call records (where recorded and disclosed), support tickets.
  • Commercial data: information about your interest in our products, requested features, procurement requirements, and timelines.
  • Verification data: where needed, information required to verify identity for a rights request.

7.2 Data collected automatically 

When you use the Website, we may collect:

  • Device and browser data: browser type, operating system, device type, language settings.
  • Log and usage data: pages visited, links clicked, time spent, referrer URL, timestamps.
  • Network data: IP address, approximate location derived from IP (typically at city or region level), network provider.
  • Cookie and identifier data: cookie IDs and similar identifiers, subject to your cookie preferences.

We use these data types to operate the Website, secure it, and understand how it is used.

7.3 Data from third parties

In a B2B context, we may receive personal data from:

  • business partners and referral sources,
  • public sources (for example, company websites, professional directories),
  • event organisers (where you attend an event and choose to share your details), and
  • recruitment platforms (where you apply).

We do not buy large, unsolicited marketing lists as a default practice. Where we use third-party lists, we aim to ensure the source and legal basis are appropriate and that opt-out controls are respected.

7.4 Special category data and sensitive information

We do not intentionally request special category data through the Website.

Please do not include sensitive information in:

  • general contact forms,
  • chat messages, or
  • demo requests.

If you provide sensitive information voluntarily, we will handle it carefully and, where relevant, may minimise, redact, or delete it depending on the context and legal basis.

7.5 Children and minors

Our Website and services are not directed to children. We do not knowingly collect personal data from children through the Website. If you believe a child has provided personal data to us, contact us and we will take appropriate steps.

8. Why we use personal data and our lawful bases

We process personal data only where we have a lawful basis to do so.

Depending on context, lawful bases may include:

  • your consent (for example, for optional cookies or certain marketing preferences),
  • performance of a contract or steps prior to entering a contract (for example, responding to a request for a proposal),
  • compliance with legal obligations (for example, responding to lawful requests, maintaining required records),
  • legitimate interests (for example, securing the Website, preventing fraud, improving services), where these interests are not overridden by your rights.

8.1 Processing activities (detailed)

Below is a practical overview of common processing activities. The exact details may differ depending on your interaction with us.

A) Website operation, security, and fraud prevention

  • Purpose: Operate the Website, keep it available, detect abuse, and maintain security.
  • Data categories: IP address, device data, logs, cookie preferences, security event logs.
  • Lawful basis: legitimate interests; and, where required, compliance with legal obligations.
  • Typical retention: logs are retained for a limited period consistent with security needs and legal requirements, then deleted or anonymised.

B) Responding to enquiries and providing information

  • Purpose: Respond to requests you send through forms, email, phone, or chat.
  • Data categories: name, email, phone, company, message content, meeting notes.
  • Lawful basis: legitimate interests; pre-contract steps; consent (where you request a specific type of communication).
  • Typical retention: maintained while the conversation is active, then retained for a reasonable period for audit and relationship continuity.

C) Sales, proposals, and account management (B2B)

  • Purpose: Build proposals, manage accounts, onboard customers, manage relationships.
  • Data categories: business contact details, role, procurement preferences, communications, contract history.
  • Lawful basis: contract; legitimate interests; legal obligations (where recordkeeping is required).
  • Typical retention: retained for the duration of the commercial relationship plus a defined post-termination retention period.

D) Customer support and service communications

  • Purpose: Provide support, handle incidents, maintain service continuity.
  • Data categories: contact details, support tickets, diagnostic logs, communications.
  • Lawful basis: contract; legitimate interests; legal obligations where relevant.
  • Typical retention: support records are retained in line with operational needs and legal requirements.

E) Marketing communications 

  • Purpose: Send updates, insights, product announcements, and invitations.
  • Data categories: name, email, phone, company, marketing preferences, engagement data (opens/clicks where tracked).
  • Lawful basis: consent where required; legitimate interests for B2B marketing where permitted; compliance with opt-out rules.
  • Typical retention: until you unsubscribe or we decide the contact is no longer active, plus suppression-list retention to respect opt-outs.

F) Events, webinars, and community participation

  • Purpose: Manage registrations, attendance, and follow-ups.
  • Data categories: name, email, company, event preferences, attendance status.
  • Lawful basis: consent; contract (where you register); legitimate interests.
  • Typical retention: retained for a defined period after the event for reporting and follow-up.

G) Recruitment and hiring (if applicable)

  • Purpose: Evaluate candidates, manage interviews, make hiring decisions.
  • Data categories: CV, contact details, employment history, qualifications, references (if provided).
  • Lawful basis: legitimate interests; consent (where required); compliance with employment-related obligations.
  • Typical retention: retained for the recruitment cycle and then deleted or retained for a limited period for future opportunities (if permitted).

H) Compliance, legal claims, and dispute management

  • Purpose: Comply with law, respond to lawful requests, establish or defend legal claims.
  • Data categories: relevant communications, logs, account data, transaction records where applicable.
  • Lawful basis: legal obligation; legitimate interests; establishment, exercise, or defence of legal claims.
  • Typical retention: retained as long as needed for legal and regulatory purposes.

I) Corporate transactions

  • Purpose: If we enter into a merger, acquisition, financing, or reorganisation, we may share limited personal data as part of due diligence.
  • Data categories: business contact information, relationship history.
  • Lawful basis: legitimate interests; legal obligations.
  • Typical retention: limited to transaction needs and recordkeeping.

8.2 Legitimate interests

When we rely on legitimate interests, we consider:

  • what the interest is (for example, security or improving the Website),
  • whether processing is necessary for that interest, and
  • whether your rights and expectations override our interest.

You can object to processing based on legitimate interests in certain circumstances. See Section 14.

9. Cookies and similar technologies

We use cookies and similar technologies as described in our Cookies Policy.

Where cookies are optional, we provide choices and respect your preferences where feasible.

10. Marketing and communications

We may communicate with you about:

  • requested information and proposals,
  • service updates where you are a customer or partner,
  • marketing updates, where appropriate and permitted.

10.1 Email marketing

If you receive marketing emails from us, you can opt out at any time using the unsubscribe link (where provided) or by emailing info@onicore.ae.

10.2 Phone calls, SMS, and messaging apps (including WhatsApp)

If we contact you by phone, SMS, or messaging apps for marketing purposes, we aim to comply with applicable rules, including the UAE Telemarketing Regulations.

This includes practical commitments such as:

  • making marketing calls only within permitted time windows (for example, 9:00 am to 6:00 pm under Cabinet Resolution No. 56 of 2024),
  • checking relevant "Do Not Call" lists where required,
  • identifying ourselves and the purpose at the beginning of a call,
  • asking whether you want to continue the call before marketing begins, and
  • respecting refusals and not repeatedly calling after rejection.

If you tell us you do not want marketing calls or messages, we will record that preference and stop.

10.3 Suppression lists and recordkeeping

When you opt out, we may retain limited information on a suppression list to ensure we honour your preference in the future. This is a standard compliance practice.

11. Sharing and disclosure of personal data

We share personal data only as needed for the purposes described above.

11.1 Categories of recipients

We may share personal data with:

  • service providers (processors) such as hosting, analytics, security, email delivery, CRM and customer support tools;
  • professional advisers such as lawyers, auditors, and insurers;
  • business partners where you request an integration or referral;
  • authorities where we are legally required to do so; and
  • successors in a corporate transaction (merger, acquisition, sale of assets).

11.2 Vendor and processor controls

When we use processors, we aim to put in place contractual measures and due diligence such as:

  • confidentiality and security obligations,
  • instructions on processing,
  • restrictions on sub-processing,
  • breach notification requirements, and
  • audit or assurance rights where proportionate.

The actual contract terms may vary depending on the vendor and the risk profile.

11.3 Public authority and government data requests

If we receive a request from a public authority for personal data, we aim to:

  • verify validity and proportionality,
  • share only what is necessary for the stated purpose,
  • apply safeguards such as minimisation or redaction where possible, and
  • document the request and our response.

Where applicable under DIFC law, we may consult with the DIFC Commissioner of Data Protection regarding such requests.

12. International transfers and cross-border processing

Our teams, vendors, and infrastructure may be located in multiple countries.

If personal data is transferred outside the DIFC or outside the UAE, we aim to use safeguards consistent with the DIFC data export framework.

Safeguards may include:

  • transferring to jurisdictions recognised as providing adequate protection (where applicable),
  • using contractual safeguards (such as appropriate clauses for cross-border transfers),
  • conducting risk assessments for transfers where appropriate, and
  • applying technical measures (for example, encryption in transit and at rest).

International transfers are a complex area, and safeguards may differ depending on where data is sent and why.

13. Data retention 

We keep personal data only for as long as necessary for the purpose for which it was collected, including for:

  • contractual performance,
  • operational continuity,
  • security and fraud prevention,
  • legal and regulatory obligations, and
  • resolving disputes.

Retention periods may be influenced by:

  • the type of data,
  • the sensitivity and risk level,
  • the nature of the relationship,
  • limitation periods for legal claims, and
  • statutory retention requirements.

A practical example retention schedule is included in Appendix C.

14. Security 

We implement technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

Examples of measures include:

  • access controls and least-privilege practices,
  • encryption in transit (HTTPS/TLS) and, where appropriate, at rest,
  • logging and monitoring for security events,
  • secure development and change management processes,
  • backups and resilience measures,
  • vendor security assessments,
  • training and awareness for personnel.

No method of transmission or storage is completely secure, but we aim to apply controls appropriate to risk.

15. Your rights

Depending on the circumstances and applicable law, you may have rights relating to your personal data, such as:

  • right to access your personal data,
  • right to correct inaccurate data,
  • right to delete / erase data in certain cases,
  • right to restrict processing in certain cases,
  • right to object to processing in certain cases,
  • right to withdraw consent (where processing is based on consent),
  • right to data portability in certain cases,
  • rights relating to automated decision-making where applicable.

15.1 How we handle rights requests

We aim to:

  • acknowledge requests promptly,
  • verify identity where needed,
  • respond within applicable timelines,
  • document the request and outcome.

Some requests may be refused or limited where:

  • we have legal obligations to retain data,
  • the request would adversely affect others' rights, or
  • the request is manifestly unfounded or excessive.

If we cannot fulfil a request, we will explain why, to the extent allowed by law.

16. Automated decision-making and AI systems (including Regulation 10)

We may use automated or semi-automated tools to support business operations, such as:

  • detecting security threats and abuse,
  • prioritising support tickets,
  • analysing website performance, or
  • assisting with drafting and summarisation for internal productivity.

Where such tools process personal data, we aim to apply safeguards, which may include:

  • human oversight for significant decisions,
  • testing for accuracy and fairness,
  • minimisation of data used for model inputs,
  • access controls and logging,
  • vendor risk reviews for third-party AI tools.

If we use autonomous or semi-autonomous systems in a way that materially affects individuals, we will assess the risks, document decisions, and provide meaningful information where required.

17. Recruitment and applicant data

If you apply for a role with us:

  • we use your information to assess suitability and manage the recruitment process,
  • we may share your information with interviewers and recruitment service providers,
  • we may retain information for a limited period after the process, and
  • we will not use applicant data for unrelated marketing without a separate basis.

18. Business contact data

In a B2B context, we process business contact information to:

  • communicate with customers, partners, and suppliers,
  • manage contracts and invoices,
  • maintain relationship history.

Where you provide contact details as part of your professional role, we treat those details responsibly and provide opt-out options for marketing.

19. Third-party websites and links

The Website may include links to third-party sites. We are not responsible for the privacy practices of third parties. If you use a third-party site, review its privacy notice and cookie policy.

20. Changes to this Privacy Statement

We may update this Privacy Statement from time to time. We will update the "Last updated" date at the top.

If changes are material, we may also provide additional notice on the Website.

21. Complaints and regulators

21.1 Contact us first

If you have a concern, we encourage you to contact us first so we can try to resolve it.

21.2 DIFC Commissioner of Data Protection

Where applicable, you may have the right to lodge a complaint with the DIFC Commissioner of Data Protection.

21.3 Other authorities

Depending on circumstances (for example, where you are located or where processing occurs), other authorities may also be relevant.

22. Legal references

A consolidated list of the key laws, regulations, and guidance materials referenced in this Privacy Statement, with official sources, is provided in Appendix A.

Contacts
info@onicore.ae+971 54 201 3311
Linkedin
Pages
ProductsAbout
Terms
Cookies policyPrivacy statementTerms & Conditions
Cookies Preferences
Onicore Technologies Ltd
©2026 All rights reserved
DIFC
Innovation Hub