Privacy

Privacy Policy

This Privacy Policy describes Our policies and procedures on the collection, use and disclosure of Your information when You use the Service and tells You about Your privacy rights and how the law protects You.

Last updated: December 24, 2025

Dalil AI ("Company"), a company registered in the Dubai International Financial Centre (DIFC), is committed to safeguarding the privacy and personal data of all individuals and entities with whom it interacts, including but not limited to employees, founders, shareholders, clients, contractors, partners, and stakeholders. This commitment extends to ensuring compliance with UAE Federal Data Protection Law No. 45 of 2021, DIFC Data Protection Law No. 5 of 2020, and the General Data Protection Regulation (GDPR) where applicable. 


1. Objectives 


The primary objectives of this Data Protection and Privacy Policy are to: 

1.1 Legal Compliance: Ensure full compliance with UAE Federal Data Protection Law No. 45 of 2021, DIFC Data Protection Law No. 5 of 2020, GDPR, and other relevant data protection laws and regulations. 

1.2 Personal Data Protection: Protect the personal data and privacy rights of all stakeholders, including employees, clients, shareholders, and partners. 

1.3 Transparency: Promote transparency in data processing activities by providing clear, accurate, and accessible information to data subjects regarding how their data is collected, used, stored, and shared. 

1.4 Training and Resources: Provide the necessary training, resources, and support to employees to ensure they understand their responsibilities under this policy and applicable data protection laws. 


2. Scope 


This policy applies to all personal data processed by the Company, including data collected, processed, stored, and shared in any form or medium. This policy covers all individuals and entities associated with the Company, including but not limited to employees, founders, shareholders, contractors, clients, suppliers, and any third parties who may have access to personal data through their relationship with the Company. 


3. Responsibilities 


3.1 Management: The Company's management is responsible for ensuring the implementation and enforcement of this policy, allocating adequate resources for data protection and privacy management, and regularly monitoring and reviewing data protection performance. 

3.2 Data Protection Officer (DPO): The DPO is responsible for developing, implementing, and reviewing data protection policies and procedures, ensuring compliance with applicable data protection laws and regulations, providing data protection training to all employees, and investigating and responding to data breaches and incidents. 

3.3 Employees: Employees must comply with data protection and privacy procedures, report any data breaches or privacy incidents to the DPO immediately, and participate in data protection training and initiatives. Employees are also responsible for safeguarding personal data they handle in the course of their duties. 

3.4 Third Parties: Third parties who process personal data on behalf of the Company must adhere to the Company's data protection and privacy policies and applicable laws. The Company will ensure that appropriate data processing agreements are in place with such third parties. 


4. Data Collection 


4.1 Lawful Basis: The Company will collect personal data only for specified, explicit, and legitimate purposes and will ensure that a lawful basis for data collection is established in accordance with applicable data protection laws, including GDPR. Lawful bases may include consent, performance of a contract, legal obligation, vital interests, public task, and legitimate interests. 

4.2 Minimization: The Company will collect only the minimum amount of personal data necessary to achieve the specified purposes. 

4.3 Consent: Where consent is required for the collection and processing of personal data, the Company will obtain explicit, informed, and unambiguous consent from data subjects. Data subjects will be informed of their right to withdraw consent at any time. 

4.4 Children's Data: The Company will not knowingly collect or process personal data of individuals under the age of 18 without verifiable parental consent, in compliance with applicable laws. 

4.5 Special Categories of Data: The Company will only collect and process special categories of personal data (such as health data, racial or ethnic origin, political opinions, religious beliefs, etc.) where strictly necessary and with appropriate legal bases and safeguards in place. 


5. Data Processing 


5.1 Purpose Limitation: Personal data will be processed only for the purposes for which it was collected, unless the data subject has provided additional consent or the processing is otherwise permitted by law. 

5.2 Data Integrity and Confidentiality: The Company will implement appropriate technical and organizational measures to ensure that personal data is processed in a manner that ensures its integrity and confidentiality. 

5.3 Automated Decision-Making and Profiling: The Company will inform data subjects if their data is subject to automated decision-making or profiling, and provide them with the opportunity to contest such decisions and request human intervention. 

5.4 Data Anonymization and Pseudonymization: Where feasible, the Company will anonymize or pseudonymize personal data to reduce the risks associated with processing. 

5.5 International Data Transfers: Personal data will not be transferred outside the UAE, DIFC, or the European Economic Area (EEA) unless appropriate safeguards are in place, such as standard contractual clauses, binding corporate rules, or an adequacy decision. 


6. Data Storage 


6.1 Security: The Company will store personal data securely using appropriate technical and organizational measures to prevent unauthorized access, loss, or damage. Measures may include encryption, access controls, secure backups, and regular security assessments. 

6.2 Access Control: Access to personal data will be restricted to authorized personnel who require access to perform their job functions. Access rights will be reviewed regularly. 

6.3 Data Retention: Personal data will be retained only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. The Company will implement a data retention policy to ensure compliance with this principle. 

6.4 Data Destruction: Personal data that is no longer needed will be securely destroyed in accordance with the Company's data retention and destruction policies. 


7. Data Sharing 


7.1 Third-Party Sharing: The Company will share personal data with third parties only for legitimate business purposes and where there is a lawful basis for doing so. Third parties may include service providers, business partners, regulatory authorities, and other entities as required by law. 

7.2 Third-Party Compliance: The Company will ensure that third parties with whom personal data is shared are contractually obligated to comply with data protection and privacy regulations. This may include entering into data processing agreements that specify the obligations of the third party with respect to data protection. 

7.3 Cross-Border Data Transfers: The Company will ensure that any cross-border transfers of personal data comply with applicable laws and regulations, including GDPR and DIFC data protection requirements. 

7.4 Data Subject Consent: Where required by law, the Company will obtain explicit consent from data subjects before sharing their personal data with third parties. 


8. Data Breach Response 


8.1 Immediate Reporting: All data breaches, whether suspected or confirmed, must be reported immediately to the DPO. 

8.2 Investigation and Response: The DPO will promptly investigate all reported data breaches and take appropriate action to mitigate the impact of the breach. This may include containing the breach, recovering data, and preventing further unauthorized access. 

8.3 Notification: The Company will notify affected individuals and relevant authorities of data breaches as required by law. Notifications will be made in a timely manner and will include details of the breach, its potential impact, and the actions taken to address it. 

8.4 Corrective Actions: Following a data breach, the Company will implement corrective actions to prevent future breaches. This may include revising policies, improving security measures, and providing additional training to employees. 


9. Data Subject Rights 


9.1 Right of Access: Data subjects have the right to request access to their personal data held by the Company. The Company will provide a copy of the data in a structured, commonly used, and machine-readable format. 

9.2 Right to Rectification: Data subjects have the right to request the correction of inaccurate or incomplete personal data. The Company will make the necessary corrections promptly. 

9.3 Right to Erasure ("Right to be Forgotten"): Data subjects have the right to request the deletion of their personal data where there is no longer a legal basis for its processing. The Company will comply with such requests unless it is legally required to retain the data. 

9.4 Right to Restriction of Processing: Data subjects have the right to request the restriction of processing of their personal data under certain conditions, such as when the accuracy of the data is contested or the processing is unlawful. 

9.5 Right to Data Portability: Data subjects have the right to request the transfer of their personal data to another data controller. The Company will provide the data in a structured, commonly used, and machine-readable format. 

9.6 Right to Object: Data subjects have the right to object to the processing of their personal data on grounds relating to their particular situation. The Company will cease processing unless it has compelling legitimate grounds to continue. 

9.7 Right to Withdraw Consent: Data subjects have the right to withdraw their consent to data processing at any time. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal. 

9.8 Right to Complain: Data subjects have the right to lodge a complaint with a supervisory authority if they believe that their rights have been violated or that their personal data has been processed unlawfully. 


10. Training and Awareness 


10.1 Onboarding Training: The Company will provide comprehensive data protection and privacy training to all new employees during their onboarding process. This training will cover the Company's data protection policies, legal obligations, and the importance of safeguarding personal data. 

10.2 Ongoing Training: The Company will offer regular training sessions to keep employees updated on data protection practices, regulatory changes, and emerging risks. This may include refresher courses, workshops, and e-learning modules. 

10.3 Specialized Training: Employees with specific responsibilities for data protection, such as the DPO and IT staff, will receive specialized training tailored to their roles. 

10.4 Training Records: The Company will maintain records of all training activities, including attendance, topics covered, and materials used. These records will be reviewed regularly to ensure the effectiveness of the training program. 


11. Compliance and Continuous Improvement 


11.1 Policy Review: This policy will be reviewed annually, or more frequently if necessary, to ensure compliance with current laws, regulations, and best practices. The review will be conducted by the DPO in consultation with legal experts and senior management. 

11.2 Audits: The Company will conduct regular audits to monitor compliance with data protection policies and procedures. Audits may include reviewing data processing activities, security measures, and records of data breaches. 

11.3 Legal Consultation: The Company will consult with legal experts to ensure that its data protection practices are legally compliant and to stay informed of any changes in the legal landscape. 

11.4 Performance Metrics: The Company will establish and monitor data protection performance metrics, such as the number of data breaches, data subject requests, and training completion rates. These metrics will be used to assess the effectiveness of the Company's data protection program. 

11.5 Continuous Improvement: Based on audit findings, performance metrics, and regulatory changes, the Company will update its data protection policies, procedures, and practices to continuously improve its data protection management system. 


12. Record of Processing Activities (RoPA) 


12.1 Documentation: The Company will maintain a detailed Record of Processing Activities (RoPA) as required by GDPR and DIFC data protection laws. The RoPA will document all data processing activities, including the purposes of processing, categories of data subjects, types of personal data processed, recipients of the data, and retention periods. 

12.2 Review and Update: The RoPA will be reviewed and updated regularly to reflect any changes in the Company's data processing activities. 


13. Data Protection Impact Assessments (DPIA) 


13.1 Assessment Requirement: The Company will conduct Data Protection Impact Assessments (DPIAs) for any processing activities that are likely to result in a high risk to the rights and freedoms of data subjects, such as the processing of special categories of data or large-scale data processing. 

13.2 DPIA Process: The DPIA process will include identifying and assessing the risks associated with the proposed data processing, considering measures to mitigate those risks, and consulting with the DPO and, if necessary, data subjects and supervisory authorities. 

13.3 Documentation: The results of DPIAs will be documented and maintained as part of the Company's compliance records. 


14. Data Transfers and Third-Party Processors 


14.1 Data Transfer Agreements: The Company will ensure that all data transfers to third parties, including transfers outside the UAE, DIFC, or EEA, are governed by legally binding agreements that include appropriate data protection clauses. 

14.2 Due Diligence: The Company will conduct due diligence on third-party processors to ensure they have adequate data protection measures in place. This may include reviewing their data protection policies, security practices, and previous breach history. 

14.3 Monitoring: The Company will regularly monitor third-party processors to ensure ongoing compliance with data protection requirements. 


15. Third-Party Access and Use of Personal Data 


15.1 Vendor and Service Provider Contracts: All contracts with vendors and service providers who have access to personal data must include data protection clauses that meet or exceed the requirements of this policy and applicable laws. 

15.2 Restrictions on Use: Third parties are prohibited from using personal data for any purpose other than the specific purposes for which the data was shared, as outlined in the contract. 

15.3 Sub-processors: Third parties must obtain the Company’s prior written consent before engaging any sub-processors to process personal data. The third party must ensure that sub-processors are bound by the same data protection obligations. 


16. Data Security 


16.1 Technical and Organizational Measures: The Company will implement appropriate technical and organizational measures to ensure the security of personal data. These measures may include encryption, secure data storage, access controls, and regular security assessments. 

16.2 Incident Response Plan: The Company will maintain an incident response plan to address data breaches and other security incidents. The plan will outline the steps to be taken in the event of a breach, including containment, investigation, notification, and remediation. 

16.3 Regular Security Audits: The Company will conduct regular security audits to identify and address vulnerabilities in its data protection infrastructure. 


17. Data Protection by Design and Default 


17.1 Privacy by Design: The Company will integrate data protection principles into the design of new systems, processes, and products. This may include minimizing data collection, using anonymization techniques, and ensuring robust access controls. 

17.2 Privacy by Default: The Company will ensure that, by default, only the minimum amount of personal data necessary for each specific purpose is processed. This principle will be applied to all systems and processes that involve personal data. 


18. Data Subject Access Requests (DSARs) 


18.1 Handling DSARs: The Company will establish and maintain procedures for handling Data Subject Access Requests (DSARs) in compliance with applicable laws. These procedures will include verifying the identity of the requestor, responding within the required time frame, and providing the requested information in a clear and understandable format. 

18.2 Exemptions and Refusals: The Company may refuse to fulfill a DSAR where it is legally permitted to do so, such as when the request is manifestly unfounded or excessive. In such cases, the Company will inform the data subject of the reasons for the refusal. 


19. Communication and Transparency 


19.1 Privacy Notices: The Company will provide clear and accessible privacy notices to data subjects, outlining the purposes of data processing, the legal basis for processing, data subject rights, and contact information for the DPO. 

19.2 Communication Channels: The Company will establish and maintain communication channels for data subjects to ask questions, submit DSARs, or lodge complaints related to data protection. 

19.3 Transparency Reports: The Company will publish regular transparency reports detailing its data processing activities, including the types of personal data processed, the purposes of processing, and any significant changes to its data protection practices. 


20. Annual Policy Review 


20.1 Annual Review: This Data Protection and Privacy Policy will be reviewed annually by the DPO and senior management to ensure it remains current and effective. The review will consider changes in legislation, industry best practices, and the results of audits and performance metrics. 

20.2 Policy Amendments: Any amendments to this policy will be documented, communicated to all relevant parties, and implemented promptly. 


21. Enforcement 


21.1 Non-Compliance: Non-compliance with this policy may result in disciplinary action, up to and including termination of employment or engagement. The Company will take appropriate legal action against any individual or entity found to be in breach of this policy. 

21.2 Legal Consequences: Violations of data protection laws can result in significant penalties and legal consequences. The Company is committed to cooperating fully with regulatory authorities and will take all necessary steps to ensure compliance. 


22. Contact Information 


For any inquiries or notices under this Data Protection and Privacy Policy, the Company can be contacted at its principal place of business located in the DIFC, Dubai, UAE, or via email at the address provided by the Company.