Privacy Policy
PWN-ALL Auditing, Reviewing & Testing Cyber Risks CO. L.L.C (“PWN-ALL”, “we”, “our”, “us”) is the data controller for the processing described in this Policy. Our registered address is: 145, Al Mustaqbal street, Iris Bay Tower 2101-11, Business Bay, Dubai, United Arab Emirates. For questions or to exercise your rights, contact legal@pwn-all.net.
This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, how long we retain it, and the rights available to individuals under applicable laws in the EU/UK (GDPR/UK GDPR), United States (CCPA/CPRA and state laws), MENA (including UAE PDPL), and Asian data protection laws (e.g., Singapore PDPA, Japan APPI, India DPDP, China PIPL).
1. Scope & Purpose
We provide software development, penetration testing, auditing and cyber-risk testing services (the “Services”). This Policy applies to personal data processed in relation to our Services, business contacts, prospective clients, and other individuals we interact with in the course of our operations.
2. Personal Data We Collect
We collect only personal data necessary to provide the Services and to comply with legal obligations. Typical categories include:
- Identity & contact data: name, business email, business phone number, employer, job title.
- Contracting & billing data: engagement letters, purchase orders, invoices, acceptance certificates, tax/registration identifiers (where required).
- Project materials and evidence: documents, reports, logs and artifacts you provide for the engagement.
- Compliance & request records: records of requests (access, deletion, etc.) and our responses.
We do not collect special categories of personal data (e.g., health, biometric, racial/ethnic origin) as part of our standard Services.
3. No Tracking, No Sale/Sharing
- We do not use tracking technologies for analytics, advertising, or cross-site behavioral profiling (no cookies, pixels, analytics beacons related to user tracking).
- We do not sell or share personal data for cross-context behavioral advertising. We honor browser-based opt-out signals such as Global Privacy Control (GPC) where applicable.
4. Lawful Bases for Processing
Depending on the jurisdiction and purpose, we rely on one or more lawful bases for processing personal data, including:
- Performance of a contract (to provide Services);
- Legal obligation (e.g., accounting/record-keeping — including retention of invoices and acceptance certificates as required by UAE law);
- Legitimate interests (Article 6(1)(f) GDPR / UK GDPR) — where we rely on legitimate interests we conduct and document a Legitimate Interest Assessment (LIA). The LIA identifies the interest pursued, assesses necessity, and balances our interests against the rights and freedoms of data subjects. Our documented LIA is available to data protection authorities on request and we will provide a summary on request when required by law;
- Consent when explicitly required (e.g., verifiable parental/guardian consent for individuals under 18, or specific cross-border transfers where local law requires consent).
5. Children’s Data
We do not provide Services to individuals under 18 years old unless we have received verifiable written parental or guardian consent. In the United States, our Services are not directed to children under 13 and we do not knowingly collect personal data from children under 13 (COPPA compliance).
6. Data Retention
- Project materials and engagement-related documents: retained for 2 years after project completion, unless you request earlier deletion and no legal retention obligations apply.
- Accounting, invoicing, acceptance certificates and other records required by law: retained as required by UAE law (and any applicable local legal requirements).
- Deletion requests: upon receiving a verified request, we will take reasonable steps to complete deletion within 30 calendar days, subject to legal exceptions.
7. Data Security & Storage
- Primary storage: Personal data is stored offline only on company-controlled systems and devices.
- Backups: If backups are created, they are encrypted using AES-256. The encryption/decryption key is stored on a physical medium and controlled exclusively by our CEO.
- Access controls: Access to personal data is restricted to authorized personnel on a need-to-know basis.
- Physical transfers: On occasion, encrypted physical media (e.g., an encrypted drive) may be moved to another country in connection with project work or employee travel. Such transfers are performed under strict controls and only when necessary for business purposes.
8. Third-Party Service Providers
We minimize online processing but use a limited set of reputable providers as processors where necessary. All processors are contractually bound to protect personal data and not to sell/share it. Current providers include:
- Payment processing: Stripe (payments). See Stripe Privacy Policy. We do not accept payments directly and do not retain raw card numbers on our systems.
- Email: ProtonMail. See Proton Privacy Policy.
- Messaging: Signal. See Signal Privacy Policy.
- Messaging: SimpleX. See SimpleX Privacy Policy.
9. International Transfers & Cross-Border Processing
Data is primarily stored and processed in the UAE (offline). We do not routinely transfer personal data to other countries. Where cross-border transfers are necessary, we implement specific legal mechanisms and safeguards as required by applicable law:
- Transfers from the EEA: where personal data is transferred from the European Economic Area (EEA) to a country without an adequacy decision, we will rely on the European Commission’s Standard Contractual Clauses (SCCs) (as adopted/amended) and implement appropriate supplementary technical and organisational measures when required to ensure an essentially equivalent level of protection.
- Transfers from the United Kingdom: where transfers originate in the UK, we will rely on the UK-approved transfer mechanisms such as the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs as issued by the UK Information Commissioner’s Office, and apply additional safeguards as required.
- Transfers from UAE / MENA: we will comply with UAE PDPL requirements and other local transfer rules, applying contractual safeguards or relying on local legal bases/authorisations as required by law.
- Transfers involving Japan: where APPI obligations apply we will provide required notices and obtain consent or implement recognized safeguards.
- Transfers involving India: for transfers subject to India’s DPDP or relevant rules, we will adopt required safeguards and local compliance measures.
- Transfers involving mainland China (PIPL): for processing or transfer of personal data of individuals located in mainland China, we will (i) conduct a cross-border data transfer risk assessment in accordance with PIPL requirements; (ii) where required by PIPL and relevant regulations, submit the transfer to the Cyberspace Administration of China (CAC) for security assessment or follow any other PIPL-prescribed procedure (such as standard contracts or certification) prior to transfer; and (iii) obtain data subject consent where required. We will document the assessment outcomes and safeguards applied.
10. Data Breach Notifications
We maintain procedures to identify, assess, and respond to personal data breaches. Where required by law:
- EU/UK GDPR: notify the relevant supervisory authority within 72 hours of becoming aware, and affected data subjects without undue delay if the breach is likely to result in high risk.
- UAE PDPL / MENA: notify the UAE Data Office or relevant regulator, and affected subjects if harm is likely.
- China PIPL: promptly adopt remedial measures and notify data subjects and the competent authority (e.g., CAC) if required.
- Singapore PDPA: notify the PDPC and affected individuals in the event of significant harm or large-scale breaches.
- India DPDP: notify the Data Protection Board of India where required.
- US: comply with applicable state breach notification laws (timelines vary).
All breach notifications will include the nature of the incident, categories of data affected, likely consequences, and measures taken or proposed.
11. Your Rights & How to Exercise Them
Depending on your jurisdiction, you may have the following rights: access, correction, deletion, restriction of processing, objection, portability, and withdrawal of consent where processing is based on consent. California and other US state rights (access, deletion, opt-out of sale/sharing) will be honored where applicable; we will not discriminate against you for exercising any rights. We honor browser-based opt-out signals such as GPC where applicable.
To exercise your rights, email legal@pwn-all.net. We will verify identity (and the authority of any authorized agent) before responding. We aim to respond within 30 days or within the statutory period applicable to your jurisdiction and will communicate any necessary extension.
If your jurisdiction provides a supervisory authority, you may lodge a complaint with that authority (e.g., an EU Supervisory Authority or the UK ICO). For India (DPDP), grievance redressal is available via legal@pwn-all.net.
12. Changes to This Policy
We may update this Policy to reflect legal, regulatory, or operational changes. We will post updates here with a revised Effective Date.
13. Contact Us
PWN-ALL Auditing, Reviewing & Testing Cyber Risks CO. L.L.C
145, Al Mustaqbal street, Iris Bay Tower 2101-11, Business Bay, Dubai, United Arab Emirates
Email: legal@pwn-all.net