Last updated: 12 April 2026

GFH Partners Limited, a subsidiary of GFH Financial Group B.S.C (hereafter referred to as “we”, “our”, “us” or “GFH”) is an organization incorporated in the Dubai International Financial Centre (DIFC) and regulated by the Dubai Financial Services Authority (DFSA). We value your data privacy and are required to comply with the DIFC Authority’s Data Protection Law, DIFC Law No. 5 of 2020 (the “DIFC DP Law”). For certain types of Personal Data Processing, we may also be subject to other Applicable Law.
For the Processing described in this Privacy Notice (“Notice”), GFH Partners Limited acts as the Controller, unless stated otherwise. In this Notice, “you” or “your” refers to Data Subjects (including customers, website visitors, agents, vendor representatives, partners, and other third parties) whose Personal Data we Process.

We encourage you to read this Notice carefully, as it explains who we are, what categories of Personal Data we collect, why we use your Personal Data and the lawful bases under the DIFC DP Law, with whom we share it, whether we transfer it outside the DIFC and the safeguards applied, how long we retain it, and the rights available to you under the DIFC DP Law.

The details on what Personal Data will be Processed and which method will be used depend significantly on the services applied for or agreed upon.

 

Definitions

For ease of understanding, the following terms have the meanings set out below. These definitions are aligned with the DIFC DP Law.

Applicable Law – all laws, regulations, rules, directives, and official guidance applicable within the Dubai International Financial Centre (DIFC), including those issued by the DIFC Authority, the DIFC Registrar of Companies, and the Dubai Financial Services Authority (DFSA), as well as any other regulatory requirements, decisions, or codes of practice that govern or relate to the subject matter of this Notice.

Data Controller – a person who, either alone or jointly with other persons, determines the purposes and means of Processing of Personal Data.

Data Subject – an identified or identifiable Natural Person to whom Personal Data relates.

DFSA – the Dubai Financial Services Authority.

DIFC – the Dubai International Financial Centre.

DIFC DP Law – the Data Protection Law, DIFC Law No. 5 of 2020, as may be amended, supplemented, or re-enacted from time to time, including any regulations, rules or guidance issued thereunder.

DPO – the data protection officer appointed by a Controller or Processor to independently oversee relevant data protection operations.

Group company (Group) –  includes a holding company, subsidiary, associate company (including a joint venture company) and a subsidiary of a holding company to which the company is also a subsidiary.

Identifiable Natural Person  –  a natural living person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to their biological, physical, biometric, physiological, mental, genetic, economic, cultural or social identity.

Joint Controller  –  any Controller that jointly determines the purposes and means of Processing with another Controller.

Personal Data  –  any information referring to an identified or Identifiable Natural Person.

Processing  –  any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage and archiving, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, transfer or otherwise making available, alignment or combination, restricting (i.e., the marking of stored Personal Data with the aim of limiting Processing of it in the future), erasure or destruction, but excluding operations or sets of operations performed on Personal Data by:

  1. a natural person in the course of a purely personal or household activity that has no connection to a commercial purpose; or
  2. law enforcement authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and preventing threats to public security.

Special Category of Personal Data – Personal Data revealing or concerning (directly or indirectly) racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade-union membership and health or sex life and including genetic data and biometric data where such data is used for the purpose of uniquely identifying a natural person.

If you have any questions or concerns about our Processing of your Personal Data, you may contact our Data Protection Officer (DPO) at dpo@gfhpartners.com or via the form available on our “Contact Us” page. We will respond to you as soon as practicable.

 

What Personal Data do we collect?

The types of Personal Data we collect depend on your relationship with us and the context of your interaction with GFH (for example, whether you are a customer, website visitor or business partner). The categories of Personal Data we may collect include:

Identity Data – such as full name, birth certificate, gender, marriage certificate, photographs, voice and video recordings, nationality or citizenship, visas or residence permits, passport or Emirates ID details (including number and copy where required), signature, job title or function.

Contact Data – including email address, home address, correspondence address (where different from your home address), telephone numbers and similar contact details.

Financial Data – such as bank statements, bank details, bank remittances, credit card details, salary slips, property ownership, utility bills, VAT numbers, and financial statements.

Technical Data – such as Internet Protocol (IP) address, browser type, operating system, log data and information collected through cookies or similar technologies. Please see our Cookie Policy for more details.

Profile Data –  such as your interests, preferences, feedback, and survey responses.

Usage Data – including information about how you use our websites, emails, text messages, products and services, and the features you access or click on.

Marketing and Communications Data – if you choose to subscribe to our marketing communications, we will Process information relating to your subscription, your preferences, and your responses to campaigns, surveys, or reviews. If you do not subscribe, we do not collect Personal Data for direct marketing purposes.

Aggregated Data – We also collect, use and share aggregated data such as statistical or demographic data for internal analysis or to improve our services. Aggregated data may be derived from your Personal Data, but is not considered Personal Data under Applicable Law, as it does not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific website feature. If we combine or connect aggregated data with your Personal Data so that it can directly or indirectly identify you, we treat the combined data as Personal Data which will be used in accordance with this Notice.

Special Category of Personal Data – we may sometimes collect Special Categories of Personal Data. In such cases, we will inform you of the reason, the lawful basis for Processing, and, where required, seek your explicit consent.

The Special Categories may include:

  1. Data revealing (directly or indirectly) an individual’s communal origin, including information about nationality;
  2. Any criminal records in relation to you; and
  3. Affiliation/membership to unions.

At the point of collection, you will be informed if any other categories of Personal Data are required that are not listed above.

When do we collect your Personal Data?

We collect Personal Data in the following ways, depending on your relationship with us:

Directly from you

You may provide us with Personal Data when you:

  1. correspond with us by phone, email, post or through any other communication channel;
  2. enter into agreements with us or apply to become a customer, vendor, agent or business partner;
  3. provide feedback, submit inquiries or raise complaints;
  4. complete forms to request information, brochures or documents about GFH products and investments;
  5. interact with us through our official pages on social media platforms (e.g. LinkedIn, Facebook, Instagram);
  6. subscribe to our newsletter or any other online medium or communication channel;
  7. register for or attend GFH events, webinars, meetings or workshops.

Automatic collection

When you interact with our websites, platforms, or online services, we automatically collect certain technical information through digital tools. This helps us ensure security, improve functionality, and understand how our services are used. Such information may include:

  1. Log Files: technical data such as your IP (Internet Protocol) address, browser type, referring/exit pages, operating system, date/time stamps, and related data;
  2. Cookies: small data files placed on your device when you access our websites or online services. You may be able to configure your browser to reject cookies, to accept only certain types, or to prompt you before accepting a cookie.

For more information about the types of cookies we use and how to manage your preferences, please see our Cookie Policy.

Other sources

We may receive Personal Data about you from various third parties as mentioned below:

  1. analytics and advertising providers (e.g. Google, Facebook);
  2. social media platforms (e.g. LinkedIn, Twitter/X, Instagram, Facebook); and
  3. publicly available directories, websites, or registers.

How and why do we use your Personal Data?

We will only use your Personal Data when permitted by the DIFC DP Law and/or any other Applicable Law.  The main legal grounds we rely on are:

  1. Consent: Where you have provided consent (and where we Process Special Categories of Personal Data, your explicit consent);
  2. Performance of Contract: Where Processing is necessary to perform a contract we have entered into with you, or to take steps before entering into such contract;
  3. Compliance with Applicable Law: Where Processing is necessary for us to comply with Applicable Law that we are subject to;
  4. Vital Interest: Where Processing is necessary in order to protect your life or that of another natural person;
  5. Public Interest: Where the Processing is necessary for reasons of substantial public interest or for official purposes;
  6. Legitimate Interest: Where Processing your Personal Data is necessary for the legitimate interests of our business to give you the best service or product, (or those of a third party to whom the Personal Data has been made available) and where your interests and fundamental rights do not override those interests. We always balance our legitimate interests against any potential impact on your rights before pursuing any Processing of Personal Data for our Legitimate Interest. We shall not use your Personal Data where our interests are overridden by the impact on you, unless we have your consent or are required or permitted to do so by Applicable Law.

Purpose / activity, type of data and lawful basis for Processing

We have set out below, in table format, a description of all the ways we use your Personal Data, and which of the legal bases we rely on to do so. We have also identified our legitimate interests, where appropriate.

Note that we may Process your Personal Data for more than one lawful basis for a particular activity (for example, we may Process your Personal Data both to perform a contract and to meet a regulatory requirement). If you would like further details about the lawful basis we rely on in a specific situation, you can contact our DPO at dpo@gfhpartners.com.

 

| Purpose/Activity | Type of data | Lawful basis for Processing |
| --- | --- | --- |
| Managing our relationship with you (responding to queries, notifying you of changes, feedback, surveys, social media interactions) | Identity Data<br>Contact Data<br>Profile Data<br>Marketing & Communications Data | Performance of a contract<br>Legal obligation<br>Legitimate interest (maintaining accurate records; responding to enquiries)<br>Consent (for optional surveys or marketing communications) |
| Administering and protecting our business, systems and websites (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | Identity Data<br>Contact Data<br>Technical Data<br>Usage Data<br>Aggregated Data | Legitimate interest (for running our business, providing administration and IT services, network security, to prevent fraud and in the context of a business reorganization or group restructuring exercise)<br>Legal obligation |
| Delivering relevant website content and measuring effectiveness of communications (content personalization, analytics, performance measurement) | Identity Data<br>Contact Data<br>Profile Data<br>Usage Data<br>Technical Data<br>Aggregated Data | Legitimate interest (understanding user interaction; improving services)<br>Consent (for non-essential cookies/analytics) |
| Conducting data analytics to improve our website, services, marketing, and customer experience | Technical Data<br>Usage Data<br>Aggregated Data | Legitimate interest (service optimization and analytics)<br>Consent (where analytics require cookies or tracking) |
| Making suggestions and recommendations about services that may be of interest to you | Identity Data<br>Contact Data<br>Technical Data<br>Usage Data<br>Profile Data<br>Aggregated Data<br>Marketing & Communications Data | Legitimate interest (service development)<br>Consent (for direct marketing communications) |
| Ensuring cybersecurity, detecting fraud, and protecting our systems | Identity Data<br>Contact Data<br>Technical Data<br>Usage Data | Legitimate interest (fraud prevention, IT security)<br>Legal obligation |
| Performing services and managing contracts (client service delivery, partner engagements, vendor contracts, processing invoices/payments) | Identity Data<br>Contact Data<br>Financial Data<br>Marketing & Communications Data | Performance of a contract<br>Legal obligation<br>Legitimate interest (business operations and service delivery) |
| To perform onboarding, due diligence, and KYC/AML compliance (including identity verification, sanctions screening, and regulatory reporting) | Identity Data<br>Contact Data<br>Financial Data<br>Technical Data (for verification, logs)<br>Profile Data<br>Special Category of Personal Data (only where required by law, e.g., criminal records) | Legal obligation<br>Public interest / official purposes (AML/CTF regulatory requirements) |
| To comply with health, safety and security obligations and manage access to our premises (e.g., maintaining visitor logs at reception and coordinating with the building operator’s security/CCTV systems at our premises) | Identity Data (CCTV, where applicable and operated by building management)<br>Contact Data<br>Technical Data | Legal obligation<br>Legitimate interest (premises security and safety) |
| Procurement and vendor lifecycle management (onboarding, due diligence, monitoring, payments, document review) | Identity Data<br>Contact Data<br>Financial Data<br>Special Category of Personal Data (only if legally required, e.g., criminal record checks related to due diligence) | Performance of a contract<br>Legal obligation<br>Legitimate interest (vendor evaluation and contract management) |
| Communications with regulators and ARC reporting (DFSA, DIFC Authority, or other competent authorities) | Identity Data<br>Contact Data<br>Financial Data (if part of regulatory submissions)<br>Special Category of Personal Data (only if explicitly required by Applicable Law) | Legal obligation<br>Legitimate interest (corporate governance and compliance) |
| Management reporting, business operations and internal governance | Identity Data<br>Contact Data<br>Financial Data<br>Aggregated Data | Legitimate interest (managing the business, internal governance)<br>Legal obligation (audit and record-keeping) |
| Event management (corporate events, meetings, stakeholder activities) | Identity Data (Photographs, Voice, Video Recordings)<br>Contact Data<br>Marketing & Communications Data (if follow-up messages are sent) | Legitimate interest (event organization, internal communications)<br>Consent (if photos/videos are used for external promotional materials) |
| Responding to legal claims, investigations, or exercising legal rights | Identity Data<br>Contact Data<br>Financial Data<br>Profile Data<br>Special Category of Personal Data (only where strictly required) | Legal obligation<br>Legitimate interest (establishing, exercising or defending legal rights) |

If we ask you to provide any other Personal Data not listed above, we will explain the reasons at the point of collection.

We may also use your Personal Data for other purposes permitted by Applicable Law (such as archiving, purposes in the public interest, scientific or historical research, or statistical purposes), provided that such use is compatible with the original purpose and where this is permitted by Applicable Law.

Change of purpose

We will only use your Personal Data for the purposes for which it was collected, unless we reasonably determine that we need to use it for another reason and that reason is compatible with the original purpose.

If we need to use your Personal Data for an unrelated purpose, we will explain the legal basis for doing so.

Who do we share your Personal Data with?

We may share your Personal Data with the parties set out below for the specific purposes, only on a need-to-know basis and with appropriate contractual and security safeguards.

Internal recipients (within our Group)

Entities, subsidiaries and businesses within our Group. For example, we will share information from our website with internal third parties to provide you with the same high-quality experience for the services we provide.

External recipients

  1. Service providers: We use third-party service providers to support our operations. These may include IT hosting and cloud providers, cybersecurity and fraud-prevention tools, website analytics and digital marketing platforms, communications and collaboration platforms, KYC/AML and sanctions screening tools, document and records management systems, HR and payroll processors, auditors, and archival vendors. These service providers Process Personal Data only on our instructions, are bound by Data Processing Agreements, and must implement appropriate technical and organizational security measures.
  2. Professional advisers (independent controllers in most cases): We may share Personal Data with auditors, lawyers, bankers, insurers, consultants, or other advisers acting as independent controllers in order to obtain professional advice, manage disputes, or address risk/insurance management needs. These advisers are subject to professional secrecy and their own legal obligations when handling Personal Data.
  3. Regulators and competent authorities: We may disclose Personal Data to regulators and competent authorities where disclosure is required or permitted by law. This includes responding to lawful requests (e.g., subpoenas, investigations, court orders, or regulatory inquiries). In certain circumstances, such disclosures may also involve authorities in other jurisdictions where the GFH Group operates or is regulated.
  4. Any content or comments you send to us on the GFH official media pages will be shared under the terms of the relevant social media platform (e.g. Facebook, Twitter and LinkedIn) on which they are written, which are outside our control, and could be made public. Any posts or reviews you may make on community forums or blogs may also be visible to other members of that service and the general public. You are responsible for ensuring that any comments you make on these services, and on social media, comply with any relevant policy on acceptable use of those services.
  5. Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. In the event of a change to our business, new owners or partners may use your Personal Data in the same way as set out in this Notice. All third parties are required to handle Personal Data in accordance with the Applicable Law.

International transfers

Your Personal Data may be shared within the Group on a need-to-know basis, subject to confidentiality obligations mentioned herein. This may involve transferring your data outside the DIFC.

Data transfers to legal entities in countries outside the DIFC (known as third countries) can take place provided that:

  1. The third country has been determined by the DIFC Commissioner as a jurisdiction providing an adequate level of protection under the DIFC DP Law;
  2. We have provided appropriate safeguards under the DIFC DP Law (such as a legally binding instrument between public authorities, Binding Corporate Rules, standard data protection clauses as adopted by the Commissioner, codes of conduct and certification mechanisms), and enforceable Data Subject rights and effective legal remedies for Data Subjects are available;
  3. One of the specific derogations under Article 27(3) of the DIFC DP Law applies (including, but not limited to where you have explicitly consented to the proposed transfer; where the transfer is necessary for the performance of a contract or to take steps at your request prior to entering into a contract; where the transfer is required for reasons of substantial Public Interest; where it is necessary for the establishment, exercise or defence of legal claims; or where it is required to protect your Vital Interest); or
  4. The limited circumstances under Article 27(4) of the DIFC DP Law apply, that is, where the transfer is non-repetitive, concerns only a limited number of Data Subjects, is necessary to pursue compelling legitimate interests that are not overridden by the rights or interests of the affected Data Subjects, and is supported by a documented assessment demonstrating that appropriate safeguards have been put in place.

We also require our Processors and partners to implement onward-transfer protections consistent with the above.

You can request more information on these international transfers, including a copy of the appropriate or suitable safeguards mentioned above, by directly contacting us at dpo@gfhpartners.com.

How do we protect your Personal Data?

We use appropriate technical, organizational and physical measures to protect the Personal Data we collect and Process. These measures are designed to maintain a level of security appropriate to the risks associated with the Processing and the nature of the Personal Data involved.

When Personal Data is transmitted electronically, we apply safeguards to protect data in transit, including encryption and network security controls. We also use firewalls, network access management, and other security technologies to help detect and prevent unauthorized access or malware-based threats.

Access to Personal Data is limited to individuals who need it to perform their responsibilities and who are subject to confidentiality obligations. We maintain policies and procedures for data protection and information security, provide regular staff training, and require our service providers to implement security measures consistent with our standards and Applicable Law. We also apply “Data Protection by Design and by Default” principles when developing or adopting systems and processes that involve Personal Data.

Although no system can guarantee absolute security, we continually review and enhance our safeguards to protect Personal Data against loss, misuse, unauthorized access, disclosure, or alteration.

How long will we keep your Personal Data?

We only retain your Personal Data for as long as necessary to fulfil the purposes for which we collected it, including to satisfy legal, regulatory, accounting or reporting requirements.

After that, we will either delete it or anonymize it so that it cannot be linked back to you, or place it beyond further use.

Retention periods may differ depending on your relationship with us:

Clients and investors: we are required by Applicable Law (including anti-money laundering and financial services regulations) to keep basic customer information (such as identity and contact data, and records of transactions) for a necessary period after the end of the client relationship.

Contractors, vendors and service providers: we keep contract and payment records for the duration of the engagement and thereafter as required by accounting, tax, or other Applicable Law.

Website visitors and marketing contacts: we retain technical and marketing data for as long as necessary to provide services, maintain security, or until you withdraw your consent (where consent is the lawful basis).

In determining appropriate retention periods, we take into account the nature and sensitivity of the data, the potential risk of harm from unauthorized use or disclosure, the purposes for which we Process it, and applicable legal or regulatory requirements.

What are your Data Protection Rights?

We are committed to ensuring that you can exercise your rights under the DIFC DP Law. These rights may vary depending on the lawful basis for Processing and the circumstances of your request. We also ensure transparency by providing you with the information required under Applicable Law when we collect or receive your Personal Data.

Your duty to inform us of changes

It is important that the Personal Data we hold about you is accurate and current. Please keep us informed if your Personal Data changes. You can update your details by contacting our DPO at dpo@gfhpartners.com or using the channels available on our website https://gfhpartners.com/

Your rights in connection with Personal Data

Under certain circumstances, by law, you have the right to:

  1. Be provided with information relating to the name and contact details of the controller, the purposes for which data is Processed, and any further information necessary to ensure fair Processing of your Personal Data.
  2. Request access to your Personal Data. This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully Processing it.
  3. Request rectification of the Personal Data that we hold about you. This enables you to request the correction of any incomplete or inaccurate information that we may hold about you. We may need to verify the accuracy of any new data you provide to us.
  4. Request erasure of your Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to Process it. You also have the right to ask us to delete or remove your Personal Data where you have exercised your right to object to Processing, where we may have Processed your information unlawfully or where we are required to erase your Personal Data to comply with local law. We may not always be able to comply with your request because of legal or regulatory reasons which we will explain to you at the time of your request.
  5. Object to Processing of your Personal Data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to Processing on this ground. You also have the right to object where we are Processing your Personal Data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to Process your information, which means we can continue to Process your Personal Data.
  6. Request the restriction of Processing of your Personal Data. This enables you to ask us to suspend the Processing of your Personal Data in the following scenarios:
     • if you want us to establish the data’s accuracy;
     • where our use of the data is unlawful, but you do not want us to erase it;
     • where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
     • you have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it.
  7. Request portability of your Personal Data to another party. We will provide to you, or a third party you have chosen, your Personal Data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
  8. Withdraw consent at any time where we are relying on consent to Process your Personal Data. However, this will not affect the lawfulness of any Processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
  9. The right to non-discrimination: We will not discriminate against you for exercising any rights, including by denying any goods or services; by charging different prices or rates for services, including through the use of discounts or other benefits or imposing penalties; by providing a less favorable level or quality of services; or by suggesting that you will receive a less favorable price or rate for services or a less favorable level or quality of services.
  10. Right to object to any decision based solely on Automated Processing (including profiling) that produces legal or similarly significant effects. This right does not apply where the decision is necessary to perform a contract with you, is authorized by law with appropriate safeguards, or is based on your explicit consent.
  11. Right to lodge a complaint with the Authority: In case you consider that the Processing of your Personal Data infringes any of your rights or provisions related to the laws and regulations in scope.

Automated Decision Making

Automated decisions are decisions concerning you which are made automatically on the basis of a computer determination (using software algorithms), without human intervention. We do not make decisions that have legal or similarly significant effects on you based solely on Automated Processing. If this changes, we will inform you in advance and explain the logic involved, the potential consequences, and your rights under the DIFC DP Law.

Fees for excessive or unreasonable requests

You will not normally have to pay a fee to exercise your data protection rights. We may charge a reasonable fee if your request is clearly unfounded or excessive. In such cases, we may refuse to comply with the request, in line with the DIFC DP Law.

Time limit to respond

We aim to respond to all legitimate requests within the time required by the DIFC DP Law. Occasionally, it may take us longer if your request is particularly complex or you have submitted multiple requests. In this case, we will notify you and keep you updated.

What we may need from you

To protect your Personal Data, we may need to confirm your identity before fulfilling your request. We may also contact you to request additional information to clarify your request and help us respond more quickly. These steps are necessary to ensure that Personal Data is not disclosed to anyone who is not entitled to receive it.

Changes to this Notice

We may update this Notice from time to time in response to legal, regulatory, technical, contractual, or business developments. When we make changes, we will update the “last updated” date at the top of this Notice. Where changes are significant, or where required by law, we will take appropriate measures to inform you, and obtain your consent to any material changes if and where this is required by Applicable Law.

How to contact us

If you have any questions about this Notice or how we handle your Personal Data, or if you wish to exercise any of your rights, you may contact us through the form available on our website or by using the following details:

Data Protection Officer (DPO)

Email: dpo@gfhpartners.com.

Company Details

GFH Partners Limited
Unit 401, Level 4,
Precinct Building 3, Gate District,
Dubai International Financial Centre,
Dubai, United Arab Emirates

T: +971 4 3651 500
F: +971 4 3637324

https://gfhpartners.com/cookie-notice/