Data Protection Policy

Exec X AI Ltd, registered in the Dubai International Financial Centre (DIFC) under DIFC registration number CL-10474, acts as the data controller for the personal data described in this policy. Exec X AI Ltd is the parent company of Exec x AI UKS02 Ltd, a majority-owned subsidiary (95%) registered in England and Wales (company number 16535629) which operates as our principal go-to-market sales channel.

Exec X AI Ltd owns, configures, secures and licenses to Exec x AI UKS02 Ltd the IT systems through which the group's personal data is collected, used, stored and transmitted. As the owner and lessor of those IT systems, Exec X AI Ltd determines the means by which personal data is processed at the infrastructure layer and is therefore a controller in respect of that processing under Article 11 of the DIFC Data Protection Law No. 5 of 2020 (the "DP Law 2020").

We comply with the DP Law 2020 and, where applicable to onward processing in the United Kingdom and European Economic Area, with the UK Data Protection Act 2018, the UK GDPR and the EU GDPR.

We process personal data lawfully, fairly and transparently. We collect it for specified purposes and keep it only as long as those purposes require. We protect it with appropriate technical and organisational measures. We are accountable for demonstrating compliance with each of those obligations.

Exec X AI Ltd and its UK subsidiary Exec x AI UKS02 Ltd act as joint controllers for personal data processed through the group's shared IT systems, with each entity accountable for the processing carried out within its own jurisdiction. Where you have a question or wish to exercise a right, you may contact either entity using the details set out in this policy and your request will be routed to the appropriate controller.

Exec X AI Ltd has voluntarily appointed a Data Protection Officer (DPO). Although Exec X AI Ltd does not engage in High Risk Processing as defined in Schedule 1, Article 3 of the DP Law 2020, the appointment has been made for governance reasons and to provide a single, accountable point of contact for data subjects, regulators and counterparties who may wish to submit subject access requests or enquire how their data is used.

Contact the DPO if you have questions about how your data is handled, wish to exercise your rights, or have concerns about our practices.

Exec X AI Ltd collects personal data through the IT systems it owns and licenses to its UK subsidiary. Those systems include the corporate website (www.execxai.com), corporate email (Microsoft 365), the recruitment platform (Navero), Microsoft Teams, and underlying cloud-hosting infrastructure. Personal data enters those systems when individuals submit web-form enquiries, send us email, participate in Teams meetings, apply for employment, or communicate with us through our CRM.

4.1 Recruitment and employment data

When you apply for a position with the group or during the course of your employment, we collect: contact details; date of birth for identity and right-to-work verification; identification documents including passport and driving licence; employment history; education history; right-to-work documentation; and criminal conviction data where legally permitted and relevant to the role.

We use this data to assess suitability for employment, verify identity, conduct pre-employment screening, maintain employment records, communicate throughout the recruitment process, comply with health and safety requirements, and administer payroll and benefits.

4.2 Client and business partner data

When you engage with the group as a client or business partner, we collect: contact information including names, job titles, business addresses, telephone numbers and business email addresses; professional information; communication records; financial information; and project information.

We use this data to deliver our consulting and advisory services, manage client relationships, process payments, maintain financial records, improve our services, comply with legal and regulatory requirements, and, where you have consented or we have a legitimate interest, market our services.

4.3 Website and digital communications data

When you visit www.execxai.com or interact with our digital communications, we collect: technical information including IP addresses, browser types, device information and operating systems; usage data including pages visited and navigation patterns; communication preferences; and cookies as described in our Cookie Policy.

We use this data to provide and improve our website, analyse performance, deliver relevant content, ensure security, and comply with legal obligations.

4.4 Marketing and communications data

With your consent or where we have a legitimate interest, we collect: contact preferences; marketing engagement data; event participation records; and professional interests. We use this data to send relevant communications, invite you to events, share industry insights, and improve our marketing effectiveness.

Exec X AI Ltd's primary lawful basis for processing personal data is consent under Article 10(a) of the DP Law 2020. Data subjects provide their data directly through our IT systems (for example by completing a contact form, replying to an email, or accepting a meeting invitation), and that submission constitutes a clear affirmative act of consent for the purposes set out in this policy.

Where consent is withdrawn we cease the relevant processing immediately. Withdrawal does not affect processing that took place while consent was in force.

Where additional lawful bases under Article 11 of the DP Law 2020 apply to specific processing carried out by Exec x AI UKS02 Ltd in the United Kingdom, those bases are set out in the UK subsidiary's privacy notice published at www.execxai.com/privacy-policy and include performance of contract, legal obligation and legitimate interests.

We do not process Special Category Personal Data as defined in Schedule 1, Article 3 of the DP Law 2020. We do not knowingly collect personal data about children, persons of determination or other vulnerable individuals.

6.1 Group companies

Exec X AI Ltd shares personal data with its wholly-owned UK subsidiary Exec x AI UKS02 Ltd. The two entities operate under a written intra-group Data Sharing Agreement and an IT Services and Licensing Agreement. Exec X AI Ltd makes the IT systems and the personal data within them available to Exec x AI UKS02 Ltd as a go-to-market sales channel for the group's consulting services, and the UK subsidiary uses the data to deliver those services to clients in the United Kingdom and the European Economic Area.

6.2 Employer of record services

Where the group recruits personnel in jurisdictions in which it does not have a direct legal presence, recruitment and employment data is shared with RemoFirst, Inc., our employer-of-record service provider. RemoFirst's privacy policy is available at remofirst.com/legal/privacypolicy. RemoFirst may share your details with in-country partners as necessary for specific employment arrangements.

6.3 Professional service providers

If you submit a request to establish a communications channel with the group via email, video call, telephone, social media or messaging, your details are processed in Pipedrive, Inc., the group's customer relationship management platform. We also share data with legal advisors, accountants, IT and cloud-hosting providers, marketing agencies, recruitment and background-check providers, insurance providers, and banking and payment processors. All such processors are subject to written agreements that incorporate the requirements of Articles 23 and 24 of the DP Law 2020.

6.4 Regulatory and legal authorities

We may share your data with the DIFC Commissioner of Data Protection, the UK Information Commissioner's Office, the Dubai Financial Services Authority, courts, tax authorities and other public bodies where required by law, where necessary to comply with regulatory obligations, where needed to protect our rights or safety, or where required for the administration of justice.

6.5 Business transfers

In a merger, acquisition or asset sale, your data may transfer to the relevant parties. Any such transfer will comply with the DP Law 2020 and include appropriate safeguards.

Personal data collected in our IT systems is transferred outside the DIFC for the purposes of intra-group operation, cloud hosting, customer relationship management and employer-of-record services. The geographies covered include the United Kingdom, the European Economic Area, the United States, the wider Middle East and Africa.

We rely on Article 27(1)(a) of the DP Law 2020 (the controller has provided appropriate safeguards in a legally binding instrument) as our principal transfer mechanism. Each cross-border transfer is supported by a written contract incorporating either the DIFC standard contractual clauses, the UK International Data Transfer Agreement (UK IDTA) and Addendum to the EU SCCs, or the EU Standard Contractual Clauses, as appropriate to the importer jurisdiction.

Additional due diligence is applied prior to each transfer, including completion of a transfer impact assessment using the DIFC Ethical Data Management Risk Index (EDMRI) and EDMRI+ tools where available, and supplementary technical and organisational safeguards where the importing jurisdiction lacks an adequacy assessment under Article 26 of the DP Law 2020.

You may request copies of the safeguards in place for any particular transfer by emailing compliance@execxai.com.

We retain personal data in accordance with our internal Data Retention Schedule, which sets retention periods that are necessary to fulfil the purposes for which the data was collected, comply with legal obligations, resolve disputes and enforce agreements.

Indicative retention periods are: general correspondence — one year from the date of last interaction; employment records — duration of employment plus seven years; client records — duration of engagement plus seven years; financial records — seven years from the end of the relevant financial year; marketing data — until consent is withdrawn or three years from last interaction, whichever is earlier; Microsoft Teams meeting recordings — six months. Longer periods may apply where necessary to establish, exercise or defend legal claims.

When data is no longer required, we securely delete or destroy it through automated deletion routines configured at the system level, supplemented by manual deletion for non-automated stores. Deletion events are logged.

Articles 32 to 40 of the DP Law 2020 give you the following rights in relation to your personal data.

Right to information and access. You may request confirmation of whether we process your data, a copy of it, and information about how we use it, who we share it with and how long we keep it.

Right to rectification. You may request that we correct inaccurate or incomplete data.

Right to erasure. You may request deletion where the data is no longer necessary, you withdraw consent and no other lawful basis applies, you object and no overriding legitimate grounds exist, the data has been unlawfully processed, or deletion is required by law.

Right to restrict processing. You may request restriction in the circumstances set out in Article 36.

Right to object. You may object to processing based on legitimate interests or for direct marketing. Where you object to direct marketing we will stop processing immediately.

Right to data portability. Where we process your data based on consent or contract using automated means, you may receive it in a structured, machine-readable format.

Right to withdraw consent. Where we rely on consent, you may withdraw it at any time.

Right not to be subject to a decision based solely on automated processing. See Section 10 below.

Right to complain to the DIFC Commissioner of Data Protection. See Section 15 below.

To exercise any of these rights, contact compliance@execxai.com. We will respond within one month of receipt. In complex cases we may extend this by a further two months and will inform you of the extension and reasons. We may request information to verify your identity. We will not charge a fee unless a request is manifestly unfounded or excessive.

Exec X AI Ltd uses artificial-intelligence and other emerging technologies to operate the IT systems described in this policy. Automated tools assist with website analytics, fraud and abuse detection, document classification, drafting assistance and the personalisation of marketing communications. In all cases these tools are subject to human oversight in accordance with the group's Responsible AI Policy.

Where automated decision-making produces legal or similarly significant effects, we will provide you with meaningful information about the logic involved, its significance and likely consequences. You will have the right to obtain human review of the decision, express your point of view and contest the outcome.

Where legally permitted and relevant to the role or engagement, we may conduct criminal background checks. This includes Disclosure and Barring Service (DBS) checks in England and Wales, Access NI checks in Northern Ireland, Disclosure Scotland checks in Scotland, equivalent UAE Ministry of Interior good-conduct certificate checks in the UAE, and equivalent checks in other jurisdictions.

We conduct such checks only where they are legally permitted, necessary and proportionate for the specific role, supported by a lawful basis, and where you have been informed of the check and its scope. Results are retained only as long as necessary and in accordance with our Data Retention Schedule.

To maintain service quality and support professional accountability, the group may record and transcribe Microsoft Teams calls with clients, candidates and other participants.

Before any Teams call commences where recording or transcription is intended, we activate Microsoft Teams' "Require participant agreement for recording and transcription" feature. Participants receive an in-meeting notification and are asked to consent before any recording begins. If you do not wish to be recorded or transcribed, you may opt for a view-only meeting at which no recording or transcription will take place.

Recording is not activated for every meeting. It is enabled only where there is a specific purpose, such as quality assurance, action-item capture or professional development. Meeting recordings are retained for six months and deleted automatically at the end of that period.

The legal basis for processing personal data through Teams recordings is consent under Article 10(a) of the DP Law 2020. You may object by contacting compliance@execxai.com.

Exec X AI Ltd uses cookies and similar technologies on www.execxai.com to improve your experience, understand how the site is used and support our communications. For full details of which cookies we use, their purposes and how to manage your preferences, see our Cookie Policy.

We update this policy when our practices, technology or legal obligations change. The effective date at the top of this policy reflects the current version. Significant changes will be communicated by posting the updated policy on our website with a new effective date and, where appropriate, by email notification.

If you have questions, concerns or complaints about this policy or our data-protection practices, contact:

We take all privacy concerns seriously and aim to respond within one month of receipt. If you are not satisfied with our response, you may complain to a supervisory authority:

DIFC: Commissioner of Data Protection, Dubai International Financial Centre Authority, Level 14, The Gate Building. Telephone +971 4 362 2222. Email commissioner@dp.difc.ae.

United Kingdom: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Telephone 0303 123 1113. Website ico.org.uk/makeacomplaint.

European Union: details of your local supervisory authority are at edpb.europa.eu/about-edpb/board/members_en.