POLICY FOR THE PROTECTION AND PROCESSING OF PERSONAL DATA OF CLIENTS, CONTRACTORS AND WEBSITE USERS

  1. GENERAL PROVISIONS
1.1. This policy for the protection and processing of personal data of clients, contractors, and website users (hereinafter – the Policy) is drawn up in accordance with the legislation of the United Arab Emirates and defines the procedure for processing personal data and measures to ensure the security of personal data adopted by the organization SIMPLE BN DMCC, registered and operating in accordance with the laws of the UAE with its main office located at: UAE, Dubai, JLT, Cluster M, HDS Business center, Office 501, license number DMCC-854785 (hereinafter – the Operator).
1.2. The Operator sets as its most important goal and condition for the implementation of its activities the observance of human and civil rights and freedoms when processing their personal data, including the protection of rights to privacy, personal and family secrets.
1.3. This Policy applies to all information that the Operator may receive about visitors to the website https://innovate-identity.com/en/shop (hereinafter – the Site). The Site does not control and is not responsible for third-party websites to which the User can go by links available on the Site https://innovate-identity.com/en/shop.
1.4. The use of the Site's services implies the unconditional consent of the User with this Policy and the terms of processing their personal information specified therein. In case of disagreement with these terms, the User must refrain from using the services.
  1. TERMS USED IN THE POLICY
2.1. Automated processing of personal data – processing of personal data using computer technology.
2.2. Blocking of personal data – temporary cessation of processing of personal data (except in cases where processing is necessary to clarify personal data).
2.3. Site – a set of graphic and informational materials, as well as programs for electronic computers and databases ensuring their availability on the Internet at the network address https://innovate-identity.com/en/shop.
2.4. Information system of personal data – a set of personal data contained in databases and ensuring their processing with the use of information technologies and technical means.
2.5. Anonymization [SN1] of personal data – actions as a result of which it is impossible to determine without the use of additional information the belonging of personal data to a specific User or other subject of personal data.
2.6. Processing of personal data – any action (operation) or set of actions (operations) performed with or without the use of automation tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), anonymization, blocking, deletion, destruction of personal data.
2.7. Operator – a state body, municipal body, legal or natural person, independently or together with other persons organizing and (or) performing the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data.
2.8. Personal data – any information related directly or indirectly to a specific or identifiable User of the Site https://innovate-identity.com/en/shop.
2.9. Personal data allowed by the subject of personal data for dissemination – personal data, access to an unlimited number of persons to which is provided by the subject of personal data by giving consent to the processing of personal data allowed by the subject of personal data for dissemination (hereinafter – personal data allowed for dissemination).
2.10. User – any visitor to the Site https://innovate-identity.com/en/shop.
2.11. Provision of personal data – actions aimed at disclosing personal data to a specific person or a specific circle of persons.
2.12. Dissemination of personal data – any actions aimed at disclosing personal data to an indefinite number of persons (transfer of personal data) or to familiarize with the personal data of an unlimited number of persons, including publication of personal data in the media, placement in information and telecommunications networks, or providing access to personal data in any other way.
2.13. Cross-border transfer of personal data – transfer of personal data to the territory of a foreign state, to a foreign authority, a foreign natural or foreign legal person.
2.14. Destruction of personal data – any actions as a result of which personal data are destroyed irretrievably with the impossibility of further restoration of the content of personal data in the information system of personal data and (or) material carriers of personal data are destroyed.
  1. RIGHTS AND OBLIGATIONS OF THE OPERATOR
3.1. The Operator has the right to:
– receive from the subject of personal data reliable information and/or documents containing personal data;
– in case of withdrawal by the subject of personal data of consent to the processing of personal data, the Operator has the right to continue processing personal data without the consent of the subject of personal data in the presence of grounds;
– independently determine the composition and list of measures necessary and sufficient to ensure the fulfillment of duties.
3.2. The Operator is obliged to:
- provide the subject of personal data, at their request, with information concerning the processing of their personal data;
- organize the processing of personal data in accordance with the procedure established by the current legislation of the United Arab Emirates;
- respond to inquiries and requests from subjects of personal data and their legal representatives in accordance with the requirements of the current legislation of the United Arab Emirates;
- inform the authorized body for the protection of the rights of subjects of personal data, at the request of this body, of the necessary information within 10 (ten) working days from the date of receipt of such a request;
- publish or otherwise provide unrestricted access to this Policy regarding the processing of personal data;
- take legal, organizational, and technical measures to protect personal data from unlawful or accidental access, destruction, modification, blocking, copying, provision, dissemination of personal data, as well as from other unlawful actions concerning personal data;
- stop the transfer (dissemination, provision, access) of personal data, stop processing, and destroy personal data in the manner and in cases provided for by the current legislation of the United Arab Emirates;
- fulfill other duties provided for by the Personal Data Law.

  1. RIGHTS AND OBLIGATIONS OF PERSONAL DATA SUBJECTS
4.1. Subjects of personal data have the right to:
- receive information concerning the processing of their personal data, except in cases provided for by the current legislation of the United Arab Emirates. Information is provided to the subject of personal data by the Operator in an accessible form, and it should not contain personal data related to other subjects of personal data, except in cases where there are legal grounds for disclosing such personal data;
- demand from the operator to clarify their personal data, block or destroy them if the personal data are incomplete, outdated, inaccurate, illegally obtained, or not necessary for the stated purpose of processing, as well as take measures provided by law to protect their rights;
- set the condition of prior consent when processing personal data to promote goods, works, and services on the market;
- withdraw consent to the processing of personal data;
- appeal against unlawful actions or inaction of the Operator in the processing of their personal data to the authorized body for the protection of the rights of subjects of personal data or in court;
- exercise other rights provided for by the legislation of the United Arab Emirates.
4.2. Subjects of personal data are obliged to:
- provide the Operator with reliable data about themselves;
- inform the Operator about the clarification (updating, modification) of their personal data.
4.3. Persons who transferred unreliable information about themselves to the Operator or information about another subject of personal data without the consent of the latter are liable in accordance with the legislation of the United Arab Emirates.
  1. LIST OF PERSONAL DATA OF THE USER THAT CAN BE PROCESSED BY THE OPERATOR
5.1. Last name, first name.
5.2. Email address, social media accounts, websites.
5.3. Phone numbers.
5.4. Year, month, date, and place of birth.
5.5. Photos and videos.
5.6. Place of work, position.
5.7. The site collects and processes anonymized data about visitors (including cookies) using internet statistics services and will be processed in compliance with UAE data protection regulations.
5.8. The above data are hereinafter referred to as "Personal Data."
5.9. Processing of special categories of personal data related to racial or ethnic origin, political opinions, religious or philosophical beliefs, personal life is not carried out by the Operator.
5.10. The User provides consent for the processing of personal data directly to the Operator. 5.11. The transfer (dissemination, provision, access) of personal data allowed by the subject of personal data for dissemination must be stopped at any time at the request of the subject of personal data. This request must include the last name, first name, contact information (phone number, email address, or postal address) of the subject of personal data, and a list of personal data for the processing of which it is necessary to stop. The personal data specified in this request may be processed only by the Operator to whom it is addressed.
5.12. Consent to the processing of personal data allowed for dissemination ceases to be valid from the moment the Operator receives the request specified in paragraph 5.11 of this Policy regarding the processing of personal data.
6. PRINCIPLES OF PERSONAL DATA PROCESSING
6.1. Processing of personal data is carried out on a legal and fair basis.
6.2. Processing of personal data is limited to achieving specific, pre-determined, and legitimate purposes. It is not allowed to process personal data incompatible with the purposes of collecting personal data.
6.3. Combining databases containing personal data, processing of which is carried out for purposes incompatible with each other, is not allowed.
6.4. Only personal data that meet the purposes of their processing are subject to processing.
6.5. The content and volume of processed personal data correspond to the stated purposes of processing. Redundancy of processed personal data concerning the stated purposes of their processing is not allowed.
6.6. When processing personal data, the accuracy of personal data, their sufficiency, and, if necessary, relevance concerning the purposes of processing personal data are ensured. The Operator takes the necessary measures or ensures their adoption to delete or clarify incomplete or inaccurate data.
6.7. Storage of personal data is carried out in a form that allows determining the subject of personal data, no longer than required by the purposes of personal data processing unless the storage period of personal data is established by law, an agreement to which the subject of personal data is a party, beneficiary, or guarantor. The processed personal data are destroyed or anonymized upon achieving the processing purposes or in case of the loss of necessity to achieve these purposes, unless otherwise provided by law.
7. PURPOSES OF PERSONAL DATA PROCESSING
7.1. The purpose of processing the User's personal data is to inform the User by sending emails; providing the User with access to services, information, and/or materials contained on the website.
7.2. The Operator also has the right to send notifications to the User about new products and services, special offers, and various events. The User can always refuse to receive informational messages by sending the Operator an email to the specified email address with the note "Refusal of notifications about new products and services and special offers."
7.3. Anonymized User data collected using internet statistics services are used to collect information about the Users' actions on the website, improve the quality of the website and its content.
8. LEGAL BASES FOR PROCESSING PERSONAL DATA
8.1. The legal basis for the processing of personal data by the operator are:
- The operator's statutory (founding) documents;
- The laws of the United Arab Emirates, other regulatory legal acts in the field of personal data protection;
- Users' consent to the processing of their personal data, for processing personal data permitted for dissemination.
8.2. The operator processes the user's personal data only if they are filled in and/or sent by the user independently through special forms located on the site https://innovate-identity.com/en/shop or sent to the operator via email, messages in messengers, and social media accounts. By filling in the relevant forms and/or sending their personal data to the operator, the user expresses their consent to this policy.
8.3. The operator processes anonymized user data if it is allowed in the user's browser settings (the storage of cookies and the use of JavaScript technology are enabled).
8.4. The subject of personal data independently decides to provide their personal data and gives consent freely, by their will, and in their interest.
9. CONDITIONS FOR PERSONAL DATA PROCESSING AND TRANSFER TO THIRD PARTIES
9.1. The site stores users' personal information following the internal regulations of specific services. Processing of personal data is carried out with the consent of the subject of personal data to the processing of their personal data.
9.2. Users' personal information remains confidential, except in cases where the user voluntarily provides information about themselves for general access to an unlimited number of persons. When using certain services, the user agrees that some of their personal information becomes publicly available.
9.3. Processing of personal data is necessary for the execution of a contract, where the subject of personal data is a party, beneficiary, or guarantor, as well as for the conclusion of a contract at the initiative of the subject of personal data or a contract under which the subject of personal data will be a beneficiary or guarantor.
9.4. The site has the right to transfer the user's personal information to third parties in the following cases:
9.4.1. The user has expressed consent to such actions.
9.4.2. The transfer is necessary for the user to use a specific service or for the execution of a particular agreement or contract with the user.
9.4.3. The transfer is provided by applicable UAE law within the established legal procedure.
9.4.4. In the event of the sale of the site, the acquirer receives all obligations to comply with the terms of this policy regarding the received personal information.
9.5. Personal data processing is carried out without time limitation by any legal means, including in personal data information systems with or without automation tools. Users' personal data is processed per UAE law.
9.6. In case of loss or disclosure of personal data, the operator informs the user about the loss or disclosure of personal data.
9.7. The operator takes necessary organizational and technical measures to protect the user's personal information from unlawful or accidental access, destruction, alteration, blocking, copying, distribution, and other unlawful actions by third parties.
9.8. The operator, together with the user, takes all necessary measures to prevent losses or other adverse consequences caused by the loss or disclosure of the user's personal data.
10. PROCEDURE FOR COLLECTING, STORING, TRANSFERRING, AND OTHER TYPES OF PERSONAL DATA PROCESSING
10.1. The security of personal data processed by the operator is ensured through the implementation of legal, organizational, and technical measures necessary to fully comply with the requirements of the current legislation in the field of personal data protection.
10.2. The operator ensures the safety of personal data and takes all possible measures to prevent unauthorized access to personal data. Anonymized data will be processed in compliance with UAE data protection regulations. The Operator shall ensure that any data anonymization processes are irreversible and that no individual can be identified from the anonymized data. Users will be informed of the types of anonymized data collected and the purposes for its processing.
10.3. The user's personal data will never be transferred to third parties under any circumstances, except in cases related to the execution of current legislation, or if the subject of personal data has given consent to the operator to transfer data to a third party to fulfill obligations under a civil contract.
10.4. The period for processing personal data is determined by achieving the purposes for which the personal data was collected unless a different period is provided by contract or current legislation. The user can withdraw their consent to the processing of personal data at any time[SN3] by sending a notification to the operator via email to the operator's email address support@innovate-identity.com with the note "Withdrawal of consent to personal data processing". However, the withdrawal of consent does not affect the legality of the data processing carried out based on consent before its withdrawal. Furthermore, the Operator reserves the right to continue processing the User's personal data if necessary to fulfill contractual obligations or comply with legal requirements."
10.5. All information collected by third-party services, including payment systems, communication facilities, and other service providers, is stored and processed by these persons (operators) following their user agreement and privacy policy. The subject of personal data and/or the user is obliged to independently and timely familiarize themselves with these documents. The operator is not responsible for the actions of third parties, including the service providers mentioned in this paragraph. The Operator is not responsible for the actions of third-party service providers, including payment systems, communication facilities, and other service providers, concerning the storage and processing of personal data. The User acknowledges and agrees that their interaction with these third parties is governed by the third parties' respective privacy policies and terms of service.
10.6. The prohibitions set by the subject of personal data on the transfer (except for granting access), as well as on the processing or conditions for processing (except for obtaining access) personal data permitted for dissemination, do not apply in cases of processing personal data in state, public and other public interests defined by UAE law.
10.7. When processing personal data, the operator ensures the confidentiality of personal data.
10.8. The operator stores personal data in a form that allows identifying the subject of personal data no longer than required by the purposes of personal data processing unless the storage period of personal data is established by law, a contract, in which the subject of personal data is a party, beneficiary, or guarantor. Personal data shall be retained by the Operator only for as long as necessary to fulfill the purposes outlined in this Policy, or as required by applicable law. Upon the achievement of these purposes, or upon the expiration of the legally mandated retention period, the Operator shall securely delete or anonymize the personal data, unless otherwise required by law.
10.9. The condition for terminating the processing of personal data may be the achievement of the purposes of personal data processing, the expiration of the consent of the subject of personal data, the withdrawal of consent by the subject of personal data, as well as the detection of unlawful processing of personal data.
10.10. In accordance with UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (PDPL), data subjects have the right to:
  • Access their personal data and obtain information about how it is processed.
  • Request correction or deletion of their personal data if it is inaccurate or processed in violation of the law.
  • Object to the processing of their personal data on legitimate grounds.
  • Request the restriction of processing of their personal data in certain circumstances.
  • Receive their personal data in a structured, commonly used, and machine-readable format (data portability).
  • Withdraw their consent to the processing of their personal data at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
To exercise any of these rights, data subjects may contact support@innovate-identity.com.
11. LIST OF ACTIONS CARRIED OUT BY THE OPERATOR WITH USERS' PERSONAL DATA
11.1. The operator collects, records, systematizes, accumulates, stores, clarifies (updates, changes), extracts, uses, transfers (distributes, provides access), anonymizes, blocks, deletes, and destroys personal data.
11.2. The operator carries out automated processing of personal data with obtaining and/or transmitting the received information via information and telecommunication networks or without them.
12. TRANSBORDER TRANSFER OF PERSONAL DATA
12.1. Before the start of the cross-border transfer of personal data, the operator shall use its efforts to ensure that the foreign country to which the transfer of personal data is intended provides reliable protection of the rights of personal data subjects.
12.2. Cross-border transfer of personal data to foreign countries that do not meet the safety requirements may be carried out only with the written consent of the personal data subject to the cross-border transfer of their personal data and/or for the execution of a contract to which the personal data subject is a party.[SN4]
13. CONFIDENTIALITY OF PERSONAL DATA
13.1. The operator and other persons who have gained access to personal data are obliged not to disclose or disseminate personal data to third parties without the consent of the personal data subject, unless otherwise provided by the law of the United Arab Emirates.
14. INDEMINITY
14.1. The User agrees to indemnify, defend, and hold harmless the Operator, its affiliates, officers, directors, employees, agents, and representatives from and against any and all claims, demands, liabilities, damages, losses, costs, and expenses, including but not limited to legal fees and court costs, arising out of or related to:
  • The User's breach of any provision of this Policy, including but not limited to any unauthorized use, disclosure, or processing of personal data;
  • Any claims or actions brought against the Operator by third parties as a result of the User's violation of applicable laws or regulations, including but not limited to data protection and privacy laws;
  • Any inaccuracies or omissions in the personal data provided by the User to the Operator, and any damages resulting from the Operator's reliance on such data;
  • The User's failure to obtain any necessary consents, permissions, or authorizations required for the lawful processing of personal data by the Operator as described in this Policy;
  • Any unauthorized access to or use of the User's account, passwords, or other security measures, unless such access or use is caused by the Operator's gross negligence or willful misconduct;
  • The User's use of the Operator's services in a manner that is illegal, unethical, or that infringes on the rights of any third party; and
  • Any cross-border transfer of personal data initiated by the Operator in accordance with Clause 12.1, including but not limited to any breach of data protection regulations, unauthorized access, or misuse of personal data by third parties or foreign authorities, provided that the Operator has complied with its obligations under this Policy.
This indemnity shall apply to any claims, liabilities, or damages, whether direct, indirect, incidental, consequential, or punitive, and shall survive the termination or expiration of this Agreement.
DISPUTE RESOLUTION
14.1. Before going to court with a lawsuit regarding disputes arising from the relationship between the site user and the operator, it is mandatory to file a claim (a written proposal for voluntary settlement of the dispute).
14.2. The recipient of the claim shall notify the claimant in writing of the results of the claim review within 15 (fifteen) business days from the date of receipt of the claim.
14.3. If no agreement is reached, the dispute shall be referred to Dubai court following the applicable laws of the United Arab Emirates. Compliance with the pre-trial settlement procedure by the customer is mandatory before going to Dubai court.
14.4. This privacy policy and the relationship between the user and the operator are governed by the current legislation of the United Arab Emirates.
15. ADDITIONAL TERMS
15.1. The operator has the right to make changes to this policy without the user's consent.
15.2. The new policy comes into force from the moment it is posted on the site unless otherwise provided by the new edition of the policy.
15.3. The current privacy policy is posted on the page at: https://innovate-identity.com/politics.
15.4. This privacy policy is an integral part of the service offer posted on the page at: https://innovate-identity.com/oferta.
15.5. In case of disagreement between the English and Russian versions of this document, the English version of the document posted on this web resource shall prevail.