This Privacy Policy explains how Catalyst (DIFC) Services Limited (“Catalyst,” “we,” “our,” or “us”) collects, processes, and safeguards personal data in compliance with the DIFC Data Protection Law No. 5 of 2020. Catalyst is committed to protecting individuals’ privacy and takes data protection seriously in delivering corporate services to private individuals, family offices, institutional clients, and corporate entities.

1. Who We Are

Catalyst (DIFC) Services Limited is a Corporate Services Provider registered within the Dubai International Financial Centre (DIFC). We provide a full range of structuring, incorporation, administration, and compliance services across the UAE and other global jurisdictions. In the course of delivering these services, Catalyst acts as a data controller, determining the purposes and means of processing your personal data.

2. Scope of This Policy

This Privacy Policy applies to individual clients receiving services in their personal capacity; persons connected with corporate clients such as directors, shareholders, ultimate beneficial owners, employees, and officers; professional advisers, suppliers, regulators, and other stakeholders we interact with; as well as individuals visiting our website, contacting us through social media, or applying for employment.

3. Purpose of Data Protection

Data protection laws aim to safeguard individuals’ fundamental rights and freedoms, especially their right to privacy. “Personal Data” means any information relating to an identifiable natural person, and “processing” includes collecting, storing, using, disclosing, or deleting such data.

4. Our Approach to Data Protection

We adopt a risk-based, principle-driven approach to data protection based on the sensitivity of the data and the nature of its processing. Personal data is collected and processed only when there is a lawful basis, such as contractual necessity, legal obligation, or explicit consent. We collect only what is necessary and relevant for clearly defined purposes. Personal data is used strictly for legitimate purposes aligned with service delivery and regulatory responsibilities. Data is retained only as long as necessary and disposed of securely following DIFC regulations. We embed security throughout our processes with physical, technical, and procedural safeguards to prevent unauthorized access, misuse, or loss.

5. Categories of Personal Data We Collect

Depending on our engagement with you, we may collect and process various categories of personal data. This includes identity and contact information such as full name, addresses, email, phone number, nationality, and birth details. We also collect regulatory and due diligence data like identification documents, tax residency details, source of wealth and funds, employment details, and sanctions or politically exposed person (PEP) status where legally allowed. Professional and transactional information such as job titles, business affiliations, investment structures, shareholdings, and records of correspondence may be gathered.

6. Sources of Data

We obtain data directly from you via forms, communications, and documentation. We may also receive data from your employer or authorized representatives, publicly available sources such as registries and media and regulatory, tax, or government authorities when applicable.

7. Sharing Your Personal Data

Your data may be shared with jurisdictional registries for entity registration or compliance purposes. It may also be shared with our group entities, affiliates, trusted third-party service providers like banks, tax advisers, auditors, and professional advisors, as well as IT service providers managing secure cloud storage and compliance systems. In some cases, data may be shared with regulatory authorities such as the DFSA or UAE Central Bank as required by law. We ensure all recipients comply with confidentiality and security standards.

8. International Data Transfers

Due to the international nature of our services, your data will be transferred to countries outside the DIFC. We ensure documentary assessment of all the circumstances surrounding the data transfer and provide suitable safeguards with regard to the protection of Personal Data.

9. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including legal, regulatory, and business obligations. Typically, client due diligence records, contracts, and financial documents are retained for six years after the end of the client relationship or service. HR-related data is also kept for up to six years after employment ends, while marketing consent records are held for two years after the last interaction or until consent is withdrawn. In certain cases, we may retain data longer if required for legal, regulatory, or legitimate business reasons. Once the retention period ends, data is securely deleted to protect privacy.

10. Your Data Protection Rights

Under the DIFC Data Protection Law, you may have the right to access your data, correct inaccuracies, request erasure (“right to be forgotten”), object to processing or marketing, restrict processing, and data portability, subject to certain conditions. You also have the right to lodge a complaint with the DIFC Commissioner of Data Protection. To exercise these rights, please contact us as provided below.

11. Data Security

We implement robust physical, technical, and organizational security measures to protect your personal data from unauthorized access, loss, misuse, or alteration. Our systems include secure servers, role-based access controls, and ongoing staff training.

12. Updates to This Policy

We may update this Privacy Policy periodically to reflect changes in laws, regulations, or business practices. The latest version will always be accessible on our website.

13. Contact Us

For further information about how we handle your personal data or to make a data-related request, please contact us at
seo@catalystdifc.com or visit our office at Office 409, Level 4, Park Towers – A, DIFC, PO Box: 507379, Dubai, UAE.